PIX in parallel with another appliance box

2001-01-27 Thread pat

Hello,

   My PIX is sitting directly on the internet. The
cat5 connection from the ISP is connected to the external
(ethernet) interface of the PIX. The inside (ethernet)
interface is connected to a switch. From this switch the
internal network is connected. I have another firewall
appliance with 2 ethernet interfaces which needs to be
connected in parallel to the PIX. Can anybody give some
hints as to how these connections are to be made? I am
thinking of just connecting the ISP connection to an ordinary
hub & from there taking two connections to the outside
interfaces of both firewalls, and connecting the inside interfaces
of both firewalls to the same switch. Is this the right way of
doing it? My only concern is: can both outside
interfaces of the firewalls be connected on the same hub? In
fact the external IPs for both & the default gateway fall in the
same subnet. OR is there a requirement for any kind of
a router or switch?

Both firewalls need to be in parallel. One can't sit
behind the other OR be in the DMZ of the other.

Thanks a lot for any advice...


_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX in parallel with another appliance box

2001-01-30 Thread pat

Thanks everybody for the replies. This helps me a lot.



--- Dave Swink <[EMAIL PROTECTED]> wrote:
> Pat,
> 
> You can use a separate hub or switch outside the
> PIX, or if the switch on
> the inside has a lot of available ports you could
> make another VLAN on it
> and have the new VLAN active on three ports; one for
> the ISP and one for
> each switch.
> 
> Dave Swink
> 





Re: securemote through pix firewall

2001-01-30 Thread pat

Well, I am having the same problem too. The issue seems
to be due to the address translation the PIX does. The
actual address on the firewall interface (outside) is
different & the SecuRemote client uses a different IP
(the IP mapped by the PIX) to establish the session. But I
don't understand why authentication fails.

 In my case the topology download goes through, but
authentication fails. If I sit behind the PIX everything
is fine. The PIX is translating the public IP to a private IP.
Let me know if you get to know why this happens.

thanks.


--- [EMAIL PROTECTED] wrote:
> 
> 
> 
> HEI
> 
> I hope someone could help me with a big problem I've
> got.
> My client needs to use the SecuRemote IPSec program
> through a PIX firewall to a
> FireWall-1 at the remote site.
> There's no problem with the key exchange process, and I
> am being prompted for
> password and username.
> after this the program says the authentication is
> OK, but explorer comes up with
> cannot find the page.
> When I test the same procedure connected without the
> pix everything functions
> OK.
> Could anyone please give me a tip to solve this
> situation.
> 
> Thank you
> 
> 





Re: securemote through pix firewall

2001-02-01 Thread pat

Friends,

Did a lot of work on this issue. It may not work.
The reason:
 SecuRemote first downloads the topology info. Then it
writes the info to the user.c file on the client machine.
It writes the IP addr of the FW1 interface rather than the
real public IP.
For auth it tries to reach the interface IP on FW1,
which is unreachable, instead of the public IP, hence the
auth fails.

HTH

pat
--- Allen May <[EMAIL PROTECTED]> wrote:
> Did you remember to put the nat statement in for the
> IP range that the
> secureremote users are using and set up the
> access-list permits for them as
> well?
> 
> Chapter 10 in the IPSec User Guide 5.3 covers this
> pretty well.
> 





simple BW question

2001-02-09 Thread pat

Everyone:

   If I have a 56K modem does that mean I have 56k
upstream BW & 56K downstream BW, or do I have a total of 5k
BW?

The reason I am asking is that I have 1MB BW from the ISP.
The ISP feed comes into the firewall. Most of the traffic is
downstream, that is, traffic is going inside the
company, as everybody uses the internet & downloads mail.
Now if I have remote VPN users who connect to
their ISP & then establish a VPN session with the VPN
server sitting behind the firewall, they access the internal
Windows network mostly to download files from shared
folders. This traffic is mostly outbound.
 Do the VPN users get the full 1MB BW for outgoing
traffic OR is the 1MB shared by both internal &
external users?

Can somebody give some clarifications?

thanks in advance.





Checkpoint & Cisco VPN 5000 Concentrator

2001-01-11 Thread pat

Hello Everyone:

Does this box work with Checkpoint to establish
IPSec tunnels?
I am new to this VPN 5002 box, though I have good
hands-on experience with other VPNs. Can anybody throw some light
on how this box works with the client software that
comes with the box? I am not looking for configuration
details at this stage. My concern is that I have seen VPN
client software wherein you can configure IPSec
details such as AH, ESP, DES, 3DES, MD5, SHA. But in this
client software (which can be installed on Win98/NT)
I don't see any options to do this. Does it detect
them from the VPN 5000 box automatically?
 I am planning to place this VPN box behind the
Checkpoint firewall. Is this the correct way of doing
it? The box has only one ethernet interface. Is it
supposed to be like this, or does it need to have a minimum of two
interfaces?
If somebody can help me out with answers it will
really be great.

thanks.
 



 




Re: Checkpoint & Cisco VPN 5000 Concentrator

2001-01-12 Thread pat

What was the product name Compatible Systems used for
this Cisco VPN 5000 Concentrator box?

--- "The.rock" <[EMAIL PROTECTED]> wrote:
> I believe the level of IPSec is done at the client
> level. We have one in
> production and works very well. Ours is actually hot
> on the internet and NOT
> parallel. Supposedly it will work either way and be
> just as secure. But to
> answer your question. The DES encryption is
> dependent upon the client. The
> rest is configured on the vpn box itself. I haven't
> touched it in a while so
> don't know all the specifics right off. Behind
> checkpoint firewall I'm not
> sure.
> 
> That 5002 box was originally owned by Compatible
> systems. Check here for
> more info:
> http://www.compatible.com/tech_support/index.html





MLPPP & T1 aggregation

2001-04-07 Thread pat

Everyone:

   I have a 7206 router with a PA-MC-2T3+ card in it. This
card supports 28 T1 lines. I want to know if I can use
MLPPP (multilink point-to-point protocol) to aggregate
multiple T1s to the same router at the remote end. I plan to
use a 1750 or 2611 at the remote end. I want to have a
bigger pipe going to the remote office, say about 3 Mb or 6
Mb. Is there any other way of doing this other than
MLPPP?
   If I can use MLPPP, I was also curious about the
physical connection. Can I use, say, 3 T1 lines
going to two different routers (2 lines to the 2611 and 1
to the 1750) as part of the same MLPPP link, or do they have
to be on the same router with multiple interfaces?

   If anybody can share this knowledge it will be of
great help.

Thanks in advance.
pat.

  




CCNP 1.0 [7:3733]

2001-05-08 Thread pat

I have taken the ACRC & CMTD exams. Now that these old
exams have expired, do I have to take all 4 new exams to
be CCNP or can I just take two new exams & still be
CCNP?

I am CCNA 1.0 certified. Is it still valid or do I
have to take the new exam for CCNA also?


thanks,
patterson





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3733&t=3733



BCRAN this week [7:6343]

2001-05-29 Thread pat

Hello friends,

   I plan to take the Cisco BCRAN (RMTAC 640-505) exam this
weekend. I have studied the Cisco Press BCRAN book &
worked a bit on the routers. Is this sufficient? Any
help & suggestions on this exam are greatly
appreciated.

Thanks,
pat





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6343&t=6343



traffic can't cross pix [7:6895]

2001-06-02 Thread pat

   I have this problem. I can't ping anything outside
the PIX from machines inside. The PIX inside IP is the
default gateway for all the machines & they can ping
the gateway. I can also ping the outside world from the PIX.
What is causing this problem? I have pasted the PIX
config below. This is a new PIX & it never worked
before. I have seen identical PIX configs working
earlier.

thanks




PIX Version 5.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix-con
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list check permit tcp any host 212.19.133.231 eq www
access-list check permit tcp any host 212.19.133.227 eq smtp
access-list check permit tcp any host 212.19.133.228 eq pop3
access-list check permit icmp any any
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered warnings
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 212.19.133.226 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 212.19.133.227 192.168.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 212.19.133.228 192.168.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 212.19.133.231 192.168.0.4 netmask 255.255.255.255 0 0
access-group check in interface outside
route outside 0.0.0.0 0.0.0.0 212.19.133.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set standard esp-des esp-md5-hmac
crypto map peer_map 10 ipsec-isakmp
crypto map peer_map 10 match address 102
crypto map peer_map 10 set peer 212.46.19.194
crypto map peer_map 10 set transform-set standard
isakmp enable outside
isakmp key l9k834 address 212.46.19.194 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 15
terminal width 80





Re: traffic can't cross pix [7:6895]

2001-06-06 Thread pat

Thanks a lot for everybody's help.

I did clear xlate & changed the following command as
suggested by Rick & I think that fixed the problem.

It is really strange...!!!

I changed original command 

global (outside) 1 interface

to new command

global (outside) 1 212.19.133.230 

 






--- Gareth Hinton 
wrote:
> Hi Pat,
> 
> Just so you don't think you're being ignored, I've
> sifted through every
> line, as much as anything to convert myself to the
> newer commands for the
> pix.
> I'm stuck as well. Can't see anything wrong with the
> config.
> I take it you already did a clear xlate/reload.
> What does show xlate give you?
> 
> Let us know the outcome.
> 
> Gaz
> 

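Added example (not from the thread or from Cisco): a small Python model of how a PIX 5.x chooses a translation for an inside-to-outside packet, run over the NAT lines of the config posted above. The precedence modelled is NAT exemption (nat 0 access-list) first, then static, then the dynamic nat/global pair, with "global ... interface" meaning PAT on the outside interface address; the change to an explicit global address from the follow-up post is applied as a second case. The outside destinations 198.51.100.10 and 192.168.100.5 are constructed.

```python
import ipaddress

# Constructed excerpt: the translation-related lines from the PIX 5.2(3)
# config pasted in this thread (addresses exactly as posted there).
PIX_CONFIG = """\
ip address outside 212.19.133.226 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list check permit tcp any host 212.19.133.231 eq www
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 212.19.133.227 192.168.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 212.19.133.228 192.168.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 212.19.133.231 192.168.0.4 netmask 255.255.255.255 0 0
"""

# The change from the follow-up post that pat reports fixed the problem.
ORIGINAL_GLOBAL = "global (outside) 1 interface"
FIXED_GLOBAL = "global (outside) 1 212.19.133.230"


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix_nat(text):
    """Pull the NAT policy out of PIX config text.

    Only the line shapes used in the thread's config are understood:
    'access-list NAME permit ip SRC MASK DST MASK', 'nat (inside) ...',
    'global (outside) ID ADDR|interface', 'static (inside,outside) GLOBAL LOCAL ...'
    and 'ip address outside ADDR MASK'.
    """
    policy = {"acls": {}, "exempt_acls": [], "statics": [], "nat": [],
              "globals": {}, "outside_ip": None}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 8 and p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            policy["acls"].setdefault(p[1], []).append((_net(p[4], p[5]), _net(p[6], p[7])))
        elif p[:3] == ["ip", "address", "outside"]:
            policy["outside_ip"] = p[3]
        elif p[:1] == ["nat"]:
            if p[2] == "0" and p[3] == "access-list":
                policy["exempt_acls"].append(p[4])          # NAT exemption
            else:
                policy["nat"].append((p[2], _net(p[3], p[4])))
        elif p[:1] == ["static"]:
            # static (inside,outside) GLOBAL LOCAL: LOCAL is the real inside host
            policy["statics"].append((ipaddress.ip_address(p[3]), p[2]))
        elif p[:1] == ["global"]:
            policy["globals"][p[2]] = p[3]
    return policy


def translate(policy, src, dst):
    """Source address seen on the outside for an inside->outside packet.

    Applies the PIX precedence: NAT exemption (nat 0 access-list) first,
    then static translations, then the dynamic nat/global pair. Returns
    (outside_source, rule); outside_source is None when nothing matches.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name in policy["exempt_acls"]:
        for src_net, dst_net in policy["acls"].get(name, []):
            if s in src_net and d in dst_net:
                return (str(s), "nat 0 exempt")             # untouched, e.g. VPN traffic
    for local_ip, global_ip in policy["statics"]:
        if s == local_ip:
            return (global_ip, "static")
    for nat_id, inside_net in policy["nat"]:
        if s in inside_net:
            pool = policy["globals"].get(nat_id)
            if pool is None:
                return (None, f"nat {nat_id} has no matching global")
            if pool == "interface":
                pool = policy["outside_ip"]                  # PAT on the outside address
            return (pool, f"nat/global {nat_id} PAT")
    return (None, "no translation rule")


def outside_source(config_text, src, dst):
    return translate(parse_pix_nat(config_text), src, dst)


if __name__ == "__main__":
    for cfg_name, cfg in (("original", PIX_CONFIG),
                          ("fixed", PIX_CONFIG.replace(ORIGINAL_GLOBAL, FIXED_GLOBAL))):
        for src, dst in (("192.168.0.2", "192.168.100.5"),
                         ("192.168.0.2", "198.51.100.10"),
                         ("192.168.0.50", "198.51.100.10")):
            print(cfg_name, src, "->", dst, outside_source(cfg, src, dst))
```

Run stand-alone it prints the outside source for three inside hosts under both global lines. Two things worth noticing: traffic from 192.168.0.0/24 to 192.168.100.0/24 matches nat 0 first and leaves untranslated for the VPN peer, and a host that has a static always presents its static address whatever the global pool is, so only hosts without a static are affected by the global change.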
PIX alias command [7:9138]

2001-06-20 Thread pat

Hello Everyone:

Can anybody tell me how this "alias" command works
in the PIX? What is the use of it?
   I can't ping an inside host from an inside machine using the
public IP (mapped through the PIX) but I can ping the same
host with the private IP. The private IP and public IP are mapped
on the PIX using the PIX "static" command. Is this normal?
Can I make the inside host pingable from an inside
machine with the public IP using the alias command?

Thanks in advance.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9138&t=9138



RE: PIX and token-ring [7:9188]

2001-06-20 Thread pat

No, it is PIX515 5.2.3


--- Paul Holloway  wrote:
> Running PIX515R with ver 6.0.1
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Paul Holloway
> Sent: Wednesday, June 20, 2001 10:23 AM
> To: [EMAIL PROTECTED]
> Subject: PIX and token-ring [7:9188]
> 
> 
> Has anyone here run into the problem of a PIX not
> passing token-ring(wrapped
> in IP). Is there a specific permission or trick I'm
> missing here? Installed
> it last night and everything, web, mail, worked
> fine. All static routes and
> mappings are correct. Today when the customer opened
> for business, a bank,
> everything worked fine except for the token-ring
> traffic, which could not be
> tested for last night. Any suggestions would be
> appreciated.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9235&t=9188



routing issue with ISDN backup [7:13045]

2001-07-19 Thread pat

Hello everyone:


I have a routing issue here.

I have a central office with a core router sitting
behind the PIX. All branch office (remote) routers
connect to the central router using frame relay & ISDN as
backup. Each branch office (having 1 Serial, 1 ISDN,
1 Eth Int) should be able to get to any other branch
office & to the Internet through the PIX. All IPs used will be
private & the PIX will be doing NAT.
I am planning on having EIGRP to route between all
routers over frame relay & a floating static route to
trigger ISDN if FR goes down. This floating static
route will be something like

ip route 0.0.0.0 0.0.0.0 10.0.0.1 200  (10.0.0.1 will
be the IP of the central router)

In each branch office router EIGRP will have the Ethernet
& serial networks in it. This will make all internal
routing fine when the network is on FR. But how do I
route Internet traffic to the core router so that it can
send it to the PIX? I am already using a default static route
to the core router, which I want to be used only when FR
is down. Is there any way in EIGRP to propagate a
default route through the network from the core router?


Thanks a lot,
pat






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13045&t=13045



RE: routing issue with ISDN backup [7:13045]

2001-07-20 Thread pat

Why is the redistribute command necessary?
Should I redistribute static routes in each EIGRP?

thanks.


--- Farhan Ahmed  wrote:
> use  redistribute command..
> 
> 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13090&t=13045



RE: routing issue with ISDN backup [7:13045]

2001-07-22 Thread pat

Thanks everybody. I am planning on using the redistribute
command on the central router. However, I cannot yet test
this as I am still waiting for the FR circuits to come up.

Thank you all,
pat.



--- Farhan Ahmed  wrote:
> use  redistribute command..
> 
> 
> -Original Message-----
> From: pat [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 20, 2001 6:51 AM
> To: [EMAIL PROTECTED]
> Subject: routing issue with ISDN backup [7:13045]
> 
> 
> Hello everyone:
> 
> 
> I have a routing issue here.
> 
> I have a central office with a core router sitting behind the PIX.
> All branch office (remote) routers connect to the central router
> using frame relay & ISDN as backup. Each branch office (having
> 1 Serial, 1 ISDN, 1 Eth Int) should be able to get to any other
> branch office & to the Internet through the PIX. All IPs used will
> be private & the PIX will be doing NAT.
> I am planning on having EIGRP route between all routers over frame
> relay & a floating static route to trigger ISDN if FR goes down.
> This floating static route will be something like
> 
> ip route 0.0.0.0 0.0.0.0 10.0.0.1 200  (10.0.0.1 will be the IP
> of the central router)
> 
> In each branch office router EIGRP will have the Ethernet & serial
> networks in it. This will make all internal routing fine when the
> network is on FR. But how do I route Internet traffic to the core
> router so that it can send it to the PIX? I am already using a
> default static route to the core router, which I want to be used
> only when FR is down. Is there any way in EIGRP to propagate a
> default route through the network from the core router?
> 
> 
> Thanks a lot,
> pat
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13306&t=13045



IPX RIP [7:13696]

2001-07-24 Thread pat

I had some questions about IPX networking.

  There are two routers A & B connected over frame
relay on their serial interfaces. Novell servers are
sitting on the ethernet interface of both the A & B
routers. I want to enable IPX RIP so that Novell
clients on both sides can access Novell servers on
either side.
I used the "ipx routing" global configuration command to
enable IPX RIP on both routers & used "ipx network
" on the interfaces to configure the networks to be
advertised in RIP. Following are the IPX related
configs on the routers.


router A

ipx routing 23e4.2453.2348

interface ethernet0
 ipx network 100

interface serial0
 ipx network 200



router B

ipx routing 7304.f851.1540

interface ethernet0
 ipx network 110

interface serial0
 ipx network 200


Now I have the following doubts.

1) Are these all the IPX configs (minimum configs,
without considering fine tuning) needed to get IPX
running so that clients on both sides can access
servers on both sides?

2) The IPX network addresses of the two networks are 100 &
110. Do I have to configure these addresses on the
Novell servers?  The servers are already in place. Can I
get these network addresses from the server & put them in the
router? Are these addresses different from the IPX internal
network number?

3) Is it necessary to configure network 200 on the serial
interface of both routers?


Thanks in advance.
pat






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13696&t=13696



Ethernet interface protocol down...!!! [7:15072]

2001-08-06 Thread pat

Has anybody seen a problem wherein an ethernet interface's
line protocol constantly goes down (interface up,
protocol down)? The protocol comes up & after some time
goes down again. The interface is connected to a 2900 switch
port. I am assuming this may be due to excessive
collisions or an autonegotiation problem (speed/duplex).
Has anybody on the list seen an issue like this?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15072&t=15072



Re: Pix Route issue [7:17242]

2001-08-26 Thread pat

The PIX can't route back out the same interface.

Hence this does not work. So the workaround will be to let
the router be the gateway for your subnet & the PIX be the
gateway for the router. The router can route to the remote subnet across
the point to point link as well as to the PIX.

Hope this helps.
--- Bob Nawrocki  wrote:
> We have a Pix firewall that is serving as a default
> gateway to the Internet
> as well as providing ipsec tunnel connectivity to
> several remote offices for
> several hosts on a subnet. On the same subnet we
> have a 2600 providing a
> point to point wan link.  I added a route to the Pix
> on the inside interface
> to point to the 2600 for the wan route.  I am still
> not able to connect to
> that subnet unless i add a specific route on the
> hosts.  When running debug
> logging on the Pix I get the following output:
> 
> 106011: Deny inbound (No xlate) icmp src
> inside:10.111.1.55 dst
> inside:10.112.3.3 (type 8, code 0)
> 
> Any thoughts?
> 
> Bob Nawrocki
> CCNP CCDP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17362&t=17242



Re: problem with crypto access list !!! [7:44598]

2002-05-23 Thread pat

Thanks Alfredo. That helped. It works now.
Just needed to remove the crypto map before the access-list.


--- Alfredo Pulido  wrote:
> You will solve this problem if you first remove the
> "crypto map xxx" in the
> interface where you attach this "crypto map xxx",
> then you can remove
> access-list or change configuration in the crypto
> map,etc. When you finish
> the reconfiguration, you put again the "crypto map"
> in the correct
> interface.
> 
> 
> Hope this helps.
> 
> 
> 
> --
> --
>  Alfredo Pulido   [EMAIL PROTECTED]
> CCDA
>  Dept. Sistemas, IdecNet S.A.
>  Juan XXIII 44 // E-35004 Las Palmas de Gran
> Canaria,
>  Las Palmas // SPAIN
>  Tel: +34 828 111 000   Fax: +34 828 111 112
>  http://www.idecnet.com/
> --
> ""Jim Gillen""  escribis en el mensaje
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > Pat
> >
> > Some comments:
> >
> > 1. For IPSec to work the access list at the other
> end for the crypto map
> > priority that is matched in the SA must be the
> mirror of yours ie.
> >
> > access-list 120 permit ip 10.54.1.0 0.0.0.255
> > 10.55.1.0 0.0.0.255
> >
> > 2. Issue a "sh crypto ipsec sa" command with the access list still active
> > and then with the access list deleted. The output of this command will
> > tell you if any IPSec connections have been formed.
> >
> > 3. Try a "debug crypto isakmp" and "debug crypto
> ipsec" and apply the
> crypto
> > map to the interface and watch the debug output.
> Example outputs are on
> the
> > CCO...
> >
> >
> > 4. Is this same access list applied to the
> interface you telnet to the
> other
> > router in such a way that removing it leaves a
> deny any any on that
> interface
> > ( I assume the access list 20 you refer to is
> actually access list 120)?
> >
> > Hope this helps.
> >
> >
> >
> >
> >
> > Cheers
> >
> > Jim Gillen
> >
> > Snr Communications Engineer
> > AUSTRAC
> >
> > Ph:   9950 0842
> > Fax:  9950 0074
> >
> >
> >
> > >>> pat  21/05/02 14:00:38 >>>
> >
> > I am trying to set up a site to site tunnel between
> > cisco routers. I am having a problem with the crypto access
> > list on the remote routers. I am configuring access-list 120
> > & crypto commands as follows
> >
> >
> > crypto isakmp policy 10
> > authentication pre-share
> > crypto isakmp key ** address XX.XX.XX.XX
> > !
> > !
> > crypto ipsec transform-set test esp-3des
> esp-md5-hmac
> > !
> > crypto map test 20 ipsec-isakmp
> > set peer XX.XX.XX.XX
> > set transform-set test
> > match address 120
> >
> >
> > access-list 120 permit ip 10.55.1.0 0.0.0.255
> > 10.54.1.0 0.0.0.255
> >
> >
> > I have access to the remote routers through telnet over the
> > internet. List 20 is in no way related to my access.
> > But when I try to remove access-list 20 I lose my
> > telnet session & can't ping it either. This happened
> > on multiple remote routers. I am using
> > IOS (tm) C2600 Software (C2600-IK9O3S-M), Version
> > 12.2(3), RELEASE SOFTWARE (fc1)
> >
> > Any ideas why this is happening ?
> >
> > Thank you all,
> > Pat
> >
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44917&t=44598



ISP failover [7:20068]

2001-09-15 Thread pat

Hello everyone:

   I have a tricky situation here.  There are two
different frame relay OSPF networks connected in hub &
spoke topology. Both hub routers sit behind PIXes which
are connected to the internet. The hub routers have static
routes pointing to the PIX. I am using the "redistribute
static" command to advertise the default static route to
all spoke routers. The ISP provides failover such that
if the connection to one PIX fails the packets will be
automatically routed to the other PIX from outside. 

   My problem is I want to connect these two networks from
one of the spoke routers in Network 1 to another spoke
router in Network 2 & provide a secondary default route
so that the ISP failover is complete. I still want all
nodes in each network to access the internet through their
own PIX as long as the internet is up, but when one
internet connection is down they should be able to go through
the other PIX. How do I make this secondary route become
active only when the internet is down? First of all, how
does the internal hub router, which runs on private IPs,
detect if the internet is down? Does it have to track
the external PIX interface status OR the ISP router status?

Any thoughts on this will be greatly helpful.

Thanks,
pat







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20068&t=20068



Re: POP3 & SMTP through Pix to Static NAT Address [7:19931]

2001-09-16 Thread pat

Hello,

  This is a common problem in PIX. When an internal client
gets the public IP from DNS, it tries to reach that IP.
Since it is an external IP the PIX routes it outside & hence
the packets are lost. There is a workaround provided by PIX
for this kind of problem. You need to use the "alias"
command on the PIX. Please refer to

http://www.cisco.com/warp/public/110/alias.html

or
This document explains the use of the alias command on
the Cisco Secure PIX Firewall.

The alias command has two possible functions:

It can be used to do "DNS Doctoring" of DNS replies
from an external DNS server. 

In DNS Doctoring, the PIX "changes" the DNS response
from a DNS server to be a different IP address than
the DNS server actually answered for a given name. 

This process is used when we want the actual
application call from the internal client to connect
to an internal server by its internal IP address. 

It can be used to do "Destination NAT" (dnat) of one
destination IP address to another IP address. 

In dnat, the PIX "changes" the destination IP of an
application call from one IP address to another IP
address. 

This process is used when we want the actual
application call from the internal client to the
server in a perimeter (dmz) network by its external IP
address. This does not "doctor" the DNS replies. 
For example, if a host sends a packet to 99.99.99.99,
you can use the alias command to redirect traffic to
another address, such as 10.10.10.10. You can also use
this command to prevent conflicts when you have IP
addresses on a network that are the same as those on
the Internet or another intranet. For more
information, consult the PIX 


Hope this will help you

pat



--- atram  wrote:
> I have a situation which someone may be able to shed
> some light on.
> 
> The configuration that is in place is a PIX 515 6.01
> with a public IP on the
> 'outside' interface and private IP on the 'inside'
> interface as you would
> normally see in a straight-forward config.
> 
> We are using PAT to another external IP for all
> internal users.  Also there
> are static NAT statements on this same external IP
> (one used for PAT) that
> translate to the appropriate internal IPs for the
> respective services.
> 
> Ex.
> static (inside,outside) tcp x.x.x.x  pop3 10.x.x.x 
> pop3 netmask x.x.x.x
> (translating all pop3 queried traffic on x.x.x.x to
> be forwarded to
> 10.x.x.x)
> 
> 
> One inbound access list is applied to the 'outside'
> interface filtering for
> the protocols we need allowed in and for the static
> nats.
> 
> 
> So this works fine for all external users and
> querying the various
> protocols.  All locations are connected via private
> frame WAN to the central
> location, where the internet connection out is and
> also this PIX.
> 
> Here is the problem.  There are travelling users
> which bounce from site to
> site and are configured to access email via POP3. 
> Unfortunately this will
> not work from inside the PIX.  What it looks like is
> that basically the
> client is querying a pop3 server which resolves to
> the public IP address
> which is in turn the same address assigned for the
> static nat translation to
> the actual internal pop3 box.  I would change the
> client to resolve pop3 to
> the actual internal IP address but then they would
> be unable to reach the
> box from home or hotel etc.
> 
> ie.  client queries pop3 to 'popserver.domain.com' >
> dns resolves this to
> x.x.x.x from above static NAT.  Query fails.
> 
> Does anyone have any suggestions on what may be
> happening and could shed
> some light on whether this can be done first of all,
> and what steps may need
> to be taken on the PIX so that internal queries for
> pop3 and smtp will be
> able to go out through the PAT and come back in as
> the static nat translates
> them and still work.
> 
> 
> Thanks VERY much for anyone's input.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20123&t=19931
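
As an added illustration of the alias behaviour described in the reply above (this is example code, not from the thread and not from Cisco): it builds the public-to-inside table from PIX "static (inside,outside) ..." lines of the form atram posted, then models the two functions the Cisco page lists, DNS doctoring and destination NAT, and shows why the inside client's POP3 session is lost without either. The addresses (192.0.2.x from TEST-NET-1, 10.1.1.x), the host name and all function names are constructed placeholders, not values from the thread.

```python
"""Model of the PIX "alias" behaviours for the POP3-through-static problem.

Added example, not from the thread or from Cisco. Addresses and names are
constructed placeholders.
"""
import ipaddress
import re

# Matches the two forms of a one-to-one static used in the thread:
#   static (inside,outside) tcp GLOBAL pop3 LOCAL pop3 netmask 255.255.255.255
#   static (inside,outside) GLOBAL LOCAL netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static\s+\((?P<hi>\w+),(?P<lo>\w+)\)\s+"
    r"(?:(?:tcp|udp)\s+)?"
    r"(?P<global>\d+\.\d+\.\d+\.\d+)\s+(?:\w+\s+)?"
    r"(?P<local>\d+\.\d+\.\d+\.\d+)\s+(?:\w+\s+)?"
    r"netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
)


def parse_statics(text):
    """Return {public_ip: inside_ip} from static lines.

    Keyed by address only: a DNS A-record answer carries no port, and the
    alias works at the address level, so port-level statics on the same
    public address collapse to one entry."""
    table = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            table[m["global"]] = m["local"]
    return table


# Constructed configuration fragment in the shape of atram's example.
CONSTRUCTED_CONFIG = """
static (inside,outside) tcp 192.0.2.10 pop3 10.1.1.25 pop3 netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.10 smtp 10.1.1.25 smtp netmask 255.255.255.255
static (inside,outside) 192.0.2.20 10.1.1.30 netmask 255.255.255.255
"""
STATICS = parse_statics(CONSTRUCTED_CONFIG)
INSIDE_NET = ipaddress.IPv4Network("10.0.0.0/8")  # constructed inside range


def doctor_dns_answer(answer, statics=STATICS):
    """DNS doctoring: an A-record answer naming the public side of a static
    is rewritten to the inside address before the inside client sees it, so
    the client's actual connection goes straight to 10.x. Other addresses
    pass through unchanged; the input dict is not mutated."""
    return {
        "name": answer["name"],
        "addresses": [statics.get(a, a) for a in answer["addresses"]],
    }


def forward_from_inside(dst, alias=False, statics=STATICS, inside_net=INSIDE_NET):
    """Model of what the PIX does with a packet arriving on its inside
    interface addressed to `dst`. Returns (destination, egress interface).

    Without the alias, a packet for the public side of a static is routed
    outside, so the inside mail server never sees it: that is the failure
    atram describes. With the alias acting as destination NAT the
    destination is rewritten to the inside address and the packet stays
    inside."""
    if ipaddress.IPv4Address(dst) in inside_net:
        return dst, "inside"
    if alias and dst in statics:
        return statics[dst], "inside"
    return dst, "outside"


if __name__ == "__main__":
    reply = {"name": "popserver.example.com", "addresses": ["192.0.2.10"]}
    print("doctored answer:", doctor_dns_answer(reply))
    print("no alias:", forward_from_inside("192.0.2.10"))
    print("with alias:", forward_from_inside("192.0.2.10", alias=True))
```

Because DNS doctoring only rewrites the answer seen on the inside, the public record and the static stay as they are, so the travelling users atram mentions keep reaching the server by its public address from outside.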



Re: VPN experts [7:20340]

2001-09-19 Thread pat

I did not understand how you can use a dynamic IP address
on the router to create a VPN tunnel with the PIX.

pat

--- MikeN  wrote:
> Based on your explanation, I can't tell what model
> of router and WAN
> connectivity you are using. Is the router connecting
> to the PIX or do you
> have a client behind the router connecting to the
> PIX. Yes, your router is
> vulnerable unless you are running ACL's and CBAC.
> The VPN tunnel isn't
> necessarily vulnerable as long as you are using
> strong encryption.
> 
> HTH
> MikeN
> 
> ""mindiani mindiani""  wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > HI
> > I have a cisco router at  a remote site that is
> connected to the internet
> > with a dynamic IP from ISP. I am using a vpn
> tunnel with ipsec 3DES  to
> > connect to a Pix firewall at my central  site. My
> question is, am I
> exposed
> > to any security problems on my cisco router?.
> >
> >
> >
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20410&t=20340



experiment with VPN [7:20482]

2001-09-19 Thread pat

I have following VPN setup.



R1 (E0=10.1.1.1/24 & S0=63.211.144.52/24)
LAN1=10.1.1.0/24

R2 (E0=10.1.2.1/24 & S0=63.211.154.52/24)
LAN2=10.1.2.0/24

R3 (E0=10.1.3.1/24 & S0=63.211.164.52/24)
LAN3=10.1.3.0/24

      R1
      /\
     /  \
    /    \
   /      \
  R2      R3



R1, R2, R3 connect to the internet. Each has "ip route
0.0.0.0 0.0.0.0 serial 0".
LAN machines sitting on the Ethernet of each router with
10. IPs connect to the internet with the router doing NAT.

I am planning to set up site-to-site VPNs between routers
R1-R2 & R1-R3.

Now LAN2 can talk to LAN1 & LAN3 can talk to LAN1.

My question is, is it possible to make LAN2 talk to
LAN3 without having a tunnel between R2 & R3?

I want to do this by routing through R1. Is it
possible? Has anybody done this? If yes, how?

Thanks,
pat






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20482&t=20482



Re: experiment with VPN [7:20482]

2001-09-20 Thread pat

Louie,


I wonder how you can do this !!!

IPSec requires a mirror image of the access-list on either
side. But the way you are suggesting, we can't have
mirror images of the access-lists.



--- EA Louie  wrote:
> - Original Message -
> From: "pat" 
> To: 
> Sent: Wednesday, September 19, 2001 7:35 PM
> Subject: experiment with VPN [7:20482]
> 
> 
> > I have following VPN setup.
> >
> >
> >
> > R1 (E0=10.1.1.1/24 & S0=63.211.144.52/24)
> > LAN1=10.1.1.0/24
> >
> > R2 (E0=10.1.2.1/24 & S0=63.211.154.52/24)
> > LAN2=10.1.2.0/24
> >
> > R3 (E0=10.1.3.1/24 & S0=63.211.164.52/24)
> > LAN3=10.1.3.0/24
> >
> >       R1
> >       /\
> >      /  \
> >     /    \
> >    /      \
> >   R2      R3
> >
> >
> >
> > R1, R2, R3 connect to internet. Each have ip route
> > 0.0.0.0 0.0.0.0 serial 0.
> > LAN machines sitting on Ethernet of each router
> with
> > 10. IPs connect to internet with router doing NAT.
> >
> > I am planning to setup site-site VPN between
> routers
> >  R1R2  &  R1R3.
> >
> > Now LAN2 can talk to LAN1 & LAN3 can talk to LAN1.
> >
> > My question is,  is it possible to make LAN2 talk
> to
> > LAN3 without having
> > tunnel between R2 & R3.
> >
> > I want to do this by routing through R1. Is it
> > possible ? Has anybody done this ? If yes how ?
> >
> 1.  yes, it's possible.
> 2.  yes, I've done it
> 3.  by
>a.  setting your crypto access list on R1 to
> encrypt both LAN1 and LAN2
> traffic to R3, and LAN1 and LAN3 traffic to R2.
>b.  making sure that your routing is set up
> properly so that LAN2 traffic
> to LAN3 is routed via R1 and vice versa.
> 
> also see
>
http://www.cisco.com/warp/public/707/ios_hub-spoke.html
> 
> > Thanks,
> > pat
> >
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20619&t=20482
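
Jim Gillen's first comment in the crypto access-list thread above (the peer's list must be the mirror image of yours) and Louie's hub-and-spoke answer here come down to the same check, so one added worked example covers both. It is not code from either thread and not from Cisco: a small Python checker that parses IOS "access-list N permit ip SRC WILDCARD DST WILDCARD" lines, computes the mirror image the peer must carry, and lists the entries a spoke is still missing. The list number 120 and the 10.x networks are the ones the two threads use; the function names and the deliberately incomplete R2 list are constructed for the example. Louie's hub-and-spoke case is where pat's objection dissolves: the hub's list toward R2 carries both LAN1 and LAN3 as sources, and R2's mirror simply carries LAN2 toward both, which is still a mirror entry for entry.

```python
"""Mirror-image check for IPsec crypto access-lists.

Added example, not from the thread or from Cisco. Addresses reuse the
10.x prefixes from the two threads; everything else is constructed.
"""
import ipaddress
import re

# access-list <n> permit ip <src> <src-wildcard> <dst> <dst-wildcard>
ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def wildcard_is_contiguous(wildcard):
    """True when the wildcard's set bits form one low-order run (0.0.0.255,
    0.0.0.0, 255.255.255.255). Such masks, and only such masks, map to a
    prefix length: wc + 1 must then be a power of two."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return (wc + 1) & wc == 0


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.

    A wildcard is the bitwise inverse of a subnet mask, so 0.0.0.255 is a
    /24 and 0.0.0.0 a single host. A non-contiguous wildcard (0.0.255.0,
    say) is rejected rather than silently approximated."""
    if not wildcard_is_contiguous(wildcard):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefixlen = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_acl(text):
    """Return the (source, destination) network pairs of each permit-ip ACE.

    The list number is ignored on purpose: the two peers may number their
    lists differently; only the address pairs have to mirror."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line}")
        _, src, swc, dst, dwc = m.groups()
        pairs.append((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return pairs


def to_ios(net):
    """Render a network as IOS 'address wildcard' (hostmask is the wildcard)."""
    return f"{net.network_address} {net.hostmask}"


def is_mirror(local_text, remote_text):
    """True when the remote list is exactly the mirror image of the local one."""
    local = set(parse_acl(local_text))
    remote = set(parse_acl(remote_text))
    return {(dst, src) for src, dst in local} == remote


def missing_on_remote(local_text, remote_text, remote_list=120):
    """IOS lines the remote peer still needs so that it mirrors the local list."""
    remote = set(parse_acl(remote_text))
    return [
        f"access-list {remote_list} permit ip {to_ios(dst)} {to_ios(src)}"
        for src, dst in parse_acl(local_text)
        if (dst, src) not in remote
    ]


# pat's remote-router list and the mirror Jim asked for at the other end.
PAT_REMOTE_ACL = "access-list 120 permit ip 10.55.1.0 0.0.0.255 10.54.1.0 0.0.0.255"
JIM_MIRROR_ACL = "access-list 120 permit ip 10.54.1.0 0.0.0.255 10.55.1.0 0.0.0.255"

# Hub-and-spoke from this thread: R1 (LAN1 10.1.1.0/24) is the hub, R2 (LAN2)
# and R3 (LAN3) are spokes. R1's list toward R2 must also carry LAN3 -> LAN2
# so that LAN2 <-> LAN3 traffic can transit the hub. The incomplete R2 list
# is constructed to show what the checker reports.
HUB_R1_TO_R2 = """
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 120 permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
"""
SPOKE_R2_INCOMPLETE = "access-list 120 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255"
SPOKE_R2_COMPLETE = (
    SPOKE_R2_INCOMPLETE
    + "\naccess-list 120 permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255"
)

if __name__ == "__main__":
    print("pat/Jim lists mirror:", is_mirror(PAT_REMOTE_ACL, JIM_MIRROR_ACL))
    for line in missing_on_remote(HUB_R1_TO_R2, SPOKE_R2_INCOMPLETE):
        print("R2 still needs:", line)
```

Running it against the incomplete R2 list prints the one line R2 lacks, the LAN2 to LAN3 entry; with that line added the two lists mirror and the "sh crypto ipsec sa" check Jim suggests should then show an SA for each pair.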



BCRAN [7:24299]

2001-10-26 Thread pat

hello everyone,

  I took ACRC & CLSC about a year & a half back. But
discontinued the CCNP exams after that.
Again motivated to complete CCNP. 

  I am taking the BCRAN exam in the next 1 week. Any
suggestions before taking the exam? 
What is a good book?

Thanks a lot

pat





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24299&t=24299



OSPF across PIX [7:24608]

2001-10-29 Thread pat

Does anybody have any ideas on how to run OSPF across a
firewall? What ports need to be open & how do I make the routers
establish neighbour relations across the firewall?

Any thoughts on this will be greatly appreciated.

Thanks,
patterson.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24608&t=24608



Re: OSPF across PIX [7:24608]

2001-10-30 Thread pat

Thanks for your reply.

When I try to specify the outside router as a neighbor using the
neighbor command
I get "OSPF: Neighbor address does not map to an
interface". How do I resolve this issue?

What do you mean by "If you are doing NAT then a
global and
nat combination need to represent the internal IP
addresses
to the outside network"...? Can you give an example?

I am doing NAT on firewall.

 The IP addresses are as follows

Inside router Ethernet 10.10.2.1
Firewall inside 10.10.2.1
Firewall outside 138.12.48.2
Outside Router ethernet 138.12.48.1


Thanks a lot for everybody's response.



--- "Engelhard M. Labiro" 
wrote:
> Sorry, replying to my own message.
> The access-list below assumes that you are able to
> use nat 0 command (no NAT translation will occur
> for the internal IP addresses to be seen from
> outside
> network). If you are doing NAT then a global and
> nat combination need to represent the internal IP
> addresses
> to the outside network, before applying the
> access-list below.
> 
> Hope you get the idea.
> 
> > Since OSPF uses IP protocol 89, permit this
> protocol between
> > the two OSPF routers with access-list applied at
> outside and inside
> > PIX interfaces, something like this:
> > access-list 101 permit 89 host 1.1.1.1 host
> 2.2.2.2
> > access-list 102 permit 89 host 2.2.2.2 host
> 1.1.1.1
> > access-group 101 interface inside
> > access-group 102 interface outside
> > 
> > At the OSPF routers, put neighbour command, so
> they can speak
> > each other directly without multicasting the hello
> packets.
> > 
> > Hope you get the idea.
> > 
> > - Original Message -
> > From: "pat" 
> > To: 
> > Sent: Tuesday, October 30, 2001 1:01 PM
> > Subject: OSPF across PIX [7:24608]
> > 
> > 
> > > Does anybody has any ideas on how to run OSPF
> across
> > > firewall. What ports to be open & how to make
> router
> > > esablish nighbour relations across firewall.
> > >
> > > Any thought on this will be greatly appriciated.
> > >
> > > Thanks,
> > > patterson.
> > >
> > >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24714&t=24608
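Engelhard's approach worked through as an added example; this is constructed here and is not pat's or Engelhard's configuration. It uses pat's addresses for the PIX (inside 10.10.2.1, outside 138.12.48.2) and the outside router (138.12.48.1), assumes 10.10.2.2 for the inside router because the post lists 10.10.2.1 for both the inside router and the PIX, and the 192.168.254.0/30 tunnel subnet and the OSPF key are placeholders. One technique is swapped in: on a broadcast or non-broadcast interface OSPF discards hellos whose source is not on that interface's own subnet, and the two routers sit on different subnets either side of the PIX, so instead of passing protocol 89 directly the example carries OSPF over a GRE tunnel between the two routers (a point-to-point link, where that check does not apply). Engelhard's ACL pattern is kept as-is: a permit for just the tunnel protocol, between just the two router addresses, on each PIX interface, with an identity static standing in for nat 0 so the inside router keeps its real address and the outside router may initiate to it.

```cisco
! --- PIX 6.x (constructed example; inside router assumed to be 10.10.2.2) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 138.12.48.2 255.255.255.0
ip address inside 10.10.2.1 255.255.255.0
! Identity translation for the inside router: it appears outside with its own
! address, and the outside router is allowed to initiate to it (the nat 0 idea)
static (inside,outside) 10.10.2.2 10.10.2.2 netmask 255.255.255.255
! Inside interface: only GRE from the inside router to the outside router, plus
! the ordinary outbound LAN traffic that an inside ACL would otherwise cut off
access-list 101 permit gre host 10.10.2.2 host 138.12.48.1
access-list 101 permit ip 10.10.2.0 255.255.255.0 any
access-group 101 in interface inside
! Outside interface: only GRE from the outside router to the inside router
access-list 102 permit gre host 138.12.48.1 host 10.10.2.2
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 138.12.48.1 1

! --- Inside router (IOS) ---
interface Ethernet0
 ip address 10.10.2.2 255.255.255.0
!
interface Tunnel0
 ip address 192.168.254.1 255.255.255.252
 tunnel source 10.10.2.2
 tunnel destination 138.12.48.1
 ! Authenticate the adjacency now that it crosses the firewall (placeholder key)
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
!
router ospf 1
 network 192.168.254.0 0.0.0.3 area 0
!
! Host route to the tunnel endpoint via the PIX, so OSPF can never learn the
! endpoint through the tunnel itself (recursive routing would flap the tunnel)
ip route 138.12.48.1 255.255.255.255 10.10.2.1

! --- Outside router (IOS) ---
interface Ethernet0
 ip address 138.12.48.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.254.2 255.255.255.252
 tunnel source 138.12.48.1
 tunnel destination 10.10.2.2
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
!
router ospf 1
 network 192.168.254.0 0.0.0.3 area 0
!
ip route 10.10.2.2 255.255.255.255 138.12.48.2
```

Check it with show ip ospf neighbor on either router (the tunnel neighbour should reach FULL) and with show conn on the PIX, which should list a single connection between the two router addresses. Networks the routers are meant to exchange are added to router ospf as usual; only the tunnel link is shown here.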



Re: PIX activation key [7:34450]

2002-02-05 Thread Pat Donlon

You need to get it from your supplier and enter it when you install your
software. See below; this is an upgrade I did (I didn't install it this time
though). You get prompted to enter it after you put the image on the PIX.



..
Received 2174976 bytes

Cisco Secure PIX Firewall admin loader (3.0) #0: Tue Jul  3 21:50:29 PDT
2001
System Flash=E28F128J3 @ 0xfff0
BIOS Flash=e28f400b5t @ 0xd8000
Flash version 6.1.0.101, Install version 5.3.2

Installing to flash

Serial Number: #
Activation Key: 4
Do you want to enter a new activation key? [n]

#Select no for this PIX 



- Original Message -
From: "Radford Dion"
Newsgroups: groupstudy.cisco
Sent: Tuesday, February 05, 2002 11:28 AM
Subject: PIX activation key [7:34450]


> I've just got hold of a PIX 515UR and I want to upgrade to the latest
> software, but when I do a show ver there is no activation key.
>
> Is this normal, or do I have to obtain one from somewhere?
>
> Dion Radford
> Mellon Site Services - Europe
> 71 Queen Victoria Street, London, EC4V 4DR
> +44 (0) 20 7653 2850 - Work
> +44 (0) 20 7653 2227 - Fax
> +44 (0) 794 092 8809 - Mobile
> Email: [EMAIL PROTECTED]
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34451&t=34450



100 Mbps on Cat3 or Cat4 [7:63310]

2003-02-18 Thread Pat Do
Are unintelligent 10 Mbps hubs better than unintelligent 10/100 Mbps
switches when the network cables that connect the PCs to the hub or switch
are Cat3 or Cat4?

I provide network services to dozens of non-profits.  Most of the sites have
Cat3 or Cat4 cabling. I have a co-worker who says that 10 Mbps hubs should
be used until the sites are upgraded to Cat5 (which won't be happening any
time soon).

His rationale: If the PC NICs are set to auto-detect speed and the
unintelligent 10/100 switch is set to auto-detect speed, the data will try
to pass through the Cat3 or Cat4 wire at 100 Mbps.  He says that while the
data can pass through the wire at those rates, it's the signaling that gets
scrambled at that rate on a Cat3 or Cat4 wire.  Consequently, to prevent
signaling problems that may in turn cause data integrity problems, he's
recommending using 10 Mbps hubs.  Is this a valid argument?

Note: New, unintelligent 10 Mbps hubs appear to be becoming less available
and more costly relative to unintelligent 10/100 Mbps switches as time goes
on.  Consequently, this issue is starting to have financial implications.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63310&t=63310



RE: 100 Mbps on Cat3 or Cat4 [7:63310]

2003-02-19 Thread Pat Do
Thanks folks for your technical info as well as advice!

Buying cheaper 10/100 switches and configuring NICs on the PCs to 10 Mbps,
half duplex may be the way to go.  Most sites have 10 - 20 PCs on average.

Pat


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63401&t=63310



Securing SNMP [7:44605]

2002-05-21 Thread Postman Pat

Greetings,
I would like to run SNMP on my router and would like some advice on how I 
could secure it. I would also like some input from you guys on whether you 
recommend SNMP at all as it seems like the only route that I can take in 
monitoring traffic on our internet access link.

Regards

LK




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44605&t=44605
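One way to lock SNMP down on an IOS router, as an added example; it is not LK's configuration and not taken from any reply on the list. 10.10.2.50 is an assumed management station, the community string, passphrases, location and contact are placeholders, and SNMPv3 with AES privacy assumes an IOS image that supports it. The point for link monitoring is that read-only access from one host is all that is needed, so nothing else is granted.

```cisco
! Added example (IOS); addresses and strings are constructed placeholders
!
! 1. Remove the well-known default communities if an earlier config left them
no snmp-server community public
no snmp-server community private
!
! 2. Only the management station may talk SNMP; log anything else that tries
access-list 10 remark SNMP: management station only
access-list 10 permit host 10.10.2.50
access-list 10 deny   any log
!
! 3. If a v1/v2c poller is unavoidable: read-only, bound to the ACL above
snmp-server community <read-only-community> RO 10
!
! 4. Preferred: SNMPv3 with authentication and encryption, no community string
snmp-server group NMS-RO v3 priv access 10
snmp-server user nmspoller NMS-RO v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
!
! 5. Traps go out over v3 too, and failed authentications are reported
snmp-server host 10.10.2.50 version 3 priv nmspoller
snmp-server enable traps snmp authentication
snmp-server location <site>
snmp-server contact <contact>
```

If the poller supports v3, step 3 can be left out entirely, which removes the community string from the device; the deny-with-log on access-list 10 then also shows up in the log whenever an unexpected host probes the agent.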



Anti-spoofing [7:45217]

2002-05-28 Thread Postman Pat

Greetings,
Please help me, I am trying to configure anti-spoofing on a router:

Interface eth 0
Ip address 192.168.1.1 255.255.255.0

Interface ser 0
ip address 10.0.0.1 255.255.255.0
access-list 10 deny 192.168.1.0 0.0.0.255
access-class 10 in

Is my understanding of setting up anti-spoofing correct? Is there anything 
I need to change to get this working? How do I improve the security on 
this config?

Regards

LK




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45217&t=45217
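The same two interfaces with a filter that actually attaches to them, as an added example (not LK's configuration and not a reply from the list). access-class applies an access list to the vty lines only, so an interface filter has to be applied with ip access-group; the example keeps the post's addresses, adds an egress filter on the LAN side so nothing with a foreign source can leave, and adds unicast RPF on the serial link, which needs CEF. The ACL numbers and the log keywords are choices made here.

```cisco
! Added example (IOS); interface addresses follow the post, ACL numbers are constructed
!
! Inbound from the untrusted serial link: drop packets that claim an inside
! source or a loopback source, and log them so spoofing attempts are visible
access-list 110 remark Anti-spoofing: inbound on Serial0
access-list 110 deny   ip 192.168.1.0 0.0.0.255 any log
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 110 permit ip any any
!
! Inbound from the LAN: only the LAN's own addresses may be used as a source
access-list 120 remark Anti-spoofing: outbound from the LAN
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 deny   ip any any log
!
ip cef
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 120 in
!
interface Serial0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 110 in
 ! Unicast RPF: drop any packet whose source would be routed back out a
 ! different interface (here, anything arriving with a 192.168.1.x source)
 ip verify unicast reverse-path
```

show access-lists shows the match counters on the deny entries, and show ip interface Serial0 reports the unicast RPF drop count, so both mechanisms can be watched after they are applied.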



RE: 3600 10MB port duplex? [7:46250]

2002-06-11 Thread Pat Donlon

Shawn, you're dead right, sorry, 3620. Can't touch the image I'm afraid as
it's a managed router. I too have searched through the CCO and couldn't
find anything that documents this.


Cheers

Pat

-Original Message-
From: Shawn Heisey [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 5:18 PM
To: Patrick Donlon
Cc: [EMAIL PROTECTED]
Subject: Re: 3600 10MB port duplex? [7:46250]


Patrick,

I'm thinking that you actually mean a 2610.  I've never heard of a 3610.

Yes, 10Mb ports on 2600 routers will do full duplex.  12.0(4)T minimum
IOS is required.  I had problems with it at 12.0(7)T ... recommended IOS
would be 12.1 mainline or 12.2 mainline.  If duplex is not configured,
it will run at half.

I haven't been able to locate a public page stating this, but I know
from experience that it can do it.

Thanks,
Shawn

Patrick Donlon wrote:
> 
> Hi All
> 
> I've a dead simple question for anyone with a 3610 at their disposal,
> I'd like to know whether the built in 10MB ethernet port will run at
> full duplex. Reason why is I don't have a 3610 with one of these I can
> access and I've been told by AT&T that their router will only run at
> half-duplex and 10MB






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46269&t=46250



RE: Simple Question [7:61830]

2003-01-25 Thread Pat Do
I'm enrolled in Cisco's CCNP Network Academy program and just completed
their "Multi-Layer Switching" curriculum last semester.

In their online curriculum, they refer to two "flavors" of switches: "Set
Based" and "IOS Based"

In Cisco's Network Academy online curriculum universe, "Set Based" switches
are switches which use set commands, e.g. 4000 & 6000 series switches. "IOS
Based" switches don't use set commands, e.g. the 2900XL switches.

However, if you look at Cisco's "CCNP Switching" book by Hucaby, et al.,
they make the following distinction:

IOS-based commands (found on CAT 1900/2820, 2900XL, and 3500XL) are similar
to many IOS commands used on Cisco routers.

Set-based, command-line interface (CLI) commands (found in 2926G, 4000, 5000
and 6000) use set and clear commands to make changes to the configuration.

Pat


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61872&t=61830



ACS 2.1 integration with RSA SecurID 5 [7:52726]

2002-09-05 Thread Postman Pat

Greetings,
Please help guys,
I am trying to integrate Cisco Secure ACS 2.1 with RSA ACE/Server 5.0. I 
have created an external database and ACS went and count the required DLL 
on the system [both ACS & ACE are on the same machine, I did not have to 
install the ACE agent].

I then created a user with the same username on both systems. I also 
changed the ACS user to authenticate using the ACE database.

When I log onto my NAS, it denies me access. When I look at the ACS logs I 
see: Tokencard server unreachable

When I look at the RSA ACE logs I see nothing. Is there a step that I might 
have skipped?

Please help.

btw, upgrading to ACS 2.6 is not an option.

Regards

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52726&t=52726



Re: 3500XL - duplicate IP and Windows NT/2000 server [7:73868]

2003-08-14 Thread Pat Donlon
Firesox wrote:
> I have a bunch of 3500XL switches throughout my customer's LAN.
> They are having a problem with an unknown MAC that keeps appearing and
> disappearing from the network.
> 
> I can trace the mac-address of the unknown station by "show mac" from the
> switch CLI.
> What's strange is that it appears at one switch, but a minute later it
> appears in a different switch.
> 
> What's even more strange is that all the NT/2000 servers' logs show there is
> an IP conflict with this mac address.
> Of course, the server's IP function stops due to this duplicate IP, but
> comes back in a few minutes.
> All the servers report the duplicate IP comes from the same mac address.
> 
> Has anyone seen this problem?
> 
> Thanks
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> 
I know that the NT team where I work had a batch of new HP Netservers 
delivered last year with built-in NICs that all had the same MAC 
address. They had to perform a BIOS upgrade I think to fix the 
problem. You should probably try to find out on what port(s) the 
duplicate MAC and IP appear.

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73873&t=73868


Re: PIX xlate question [7:74012]

2003-08-15 Thread Pat Donlon
Skarphedinsson Arni V. wrote:
> why would I see the following when I do sh xlate on the pix, i.e.
> one global address is being translated to the next in line global address?
> 
> any suggestions would be welcome 
> 
> 
> Global 213.213.128.143 Local 213.213.128.142
> Global 213.213.128.142 Local 213.213.128.141
> Global 213.213.128.137 Local 213.213.128.136
> Global 213.213.128.136 Local 213.213.128.135
> Global 213.213.128.139 Local 213.213.128.138
> Global 213.213.128.138 Local 213.213.128.137
> Global 213.213.128.133 Local 217.3.103.62
> Global 213.213.128.132 Local 213.213.128.131
> Global 213.213.128.135 Local 213.213.128.134
> Global 213.213.128.134 Local 213.213.128.133
> Global 213.213.128.129 Local 213.213.128.128
> Global 213.213.128.128 Local 213.213.128.127
> Global 213.213.128.131 Local 213.213.128.130
> Global 213.213.128.130 Local 213.213.128.129
> Global 213.213.128.189 Local 213.213.128.188
> Global 213.213.128.188 Local 213.213.128.187
> Global 213.213.128.191 Local 200.65.74.239
> Global 213.213.128.190 Local 213.213.128.189
> Global 213.213.128.185 Local 213.213.128.184
> Global 213.213.128.184 Local 213.213.128.183
> Global 213.213.128.187 Local 213.213.128.186
> Global 213.213.128.186 Local 213.213.128.185
> Global 213.213.128.181 Local 213.213.128.180
> Global 213.213.128.180 Local 213.213.128.179
> Global 213.213.128.183 Local 213.213.128.182
> Global 213.213.128.182 Local 213.213.128.181
> Global 213.213.128.177 Local 213.213.128.176
> Global 213.213.128.176 Local 213.213.128.175
> Global 213.213.128.179 Local 213.213.128.178
> Global 213.213.128.178 Local 213.213.128.177
> Global 213.213.128.173 Local 213.213.138.210
> Global 213.213.128.172 Local 10.200.20.124
> Global 213.213.128.175 Local 213.213.128.174
> Global 213.213.128.174 Local 213.213.128.173
> Global 213.213.128.169 Local 213.213.128.168
> Global 213.213.128.168 Local 213.213.128.167
> Global 213.213.128.171 Local 213.213.128.170
> Global 213.213.128.170 Local 213.213.128.169
> Global 213.213.128.165 Local 213.213.128.164
> Global 213.213.128.164 Local 213.213.128.163
> Global 213.213.128.167 Local 213.213.128.166
> Global 213.213.128.166 Local 213.213.128.165
> Global 213.213.128.161 Local 213.213.128.160
> Global 213.213.128.160 Local 213.213.128.159
> Global 213.213.128.163 Local 213.213.128.162
> Global 213.213.128.162 Local 213.213.128.161

I haven't seen this before. How are you handling IPs when they pass 
through the PIX? Can you post the config for NAT/PAT/static, and/or post 
a show xlate detail?


Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74016&t=74012


Output queue drops [7:74709]

2003-09-03 Thread Pat Donlon
Hi All

just wondered if anyone has any useful experience or links on 
troubleshooting output queue drops on an interface. I've had a machine 
experience errors for a period of time; the interface had some drops on 
the output queue, see below. I've read up on the CCO and it looks like 
you have to employ some congestion management if they still occur; 
otherwise it's just congestion.

cheers

Pat


http://www.cisco.com/warp/customer/63/queue_drops.html#topic4

#sh int f9/13
FastEthernet9/13 is up, line protocol is up (connected)
   Hardware is C6k 100Mb 802.3, address is 000b.46ba.739c (bia 
000b.46ba.739c)
   Description:
   MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
  reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation ARPA, loopback not set
   Full-duplex, 100Mb/s
   input flow-control is off, output flow-control is off
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input never, output never, output hang never
   Last clearing of "show interface" counters never
   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 66
   Queueing strategy: fifo
   Output queue :0/40 (size/max)
   5 minute input rate 0 bits/sec, 0 packets/sec
   5 minute output rate 0 bits/sec, 0 packets/sec
  82435625 packets input, 24355560325 bytes, 0 no buffer
  Received 1074 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 input packets with dribble condition detected
  186436077 packets output, 153017594209 bytes, 0 underruns
  0 output errors, 0 collisions, 2 interface resets
  0 babbles, 0 late collision, 0 deferred
  0 lost carrier, 0 no carrier
  0 output buffer failures, 0 output buffers swapped out




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74709&t=74709


Re: Output queue drops [7:74709]

2003-09-03 Thread Pat Donlon
I'm not really that worried, but the RS machine reported a few errors 
when this occurred, so it'll keep the sysadmin happy if I can prevent 
output drops. Yes, the network's certainly running better now that windoze 
has been patched up (again).

Cheers
Pat


MADMAN wrote:

>
>  66 drops out of 153 billion bytes, and since the counters have never 
> been cleared this number could have wrapped.  I think if you're worried 
> about this your network is running quite well;)
>
>  You can always make the queue a little larger but don't go overboard.
>
>  Dave
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74723&t=74709