RE: PIX- DMZ [7:74422]

2003-09-04 Thread zak spaniol
Yes, I would like syntax.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74778&t=74422
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html


RE: PIX- DMZ [7:74422]

2003-09-02 Thread Deepali S
Yeah! You need to put in the command sets on the PIX.

 The first step would be to put in the nat and global commands.

 Second, you would need to specify the routes for the DMZ.

 Please let me know if you would like to know the syntax of the commands.

 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74634&t=74422


RE: PIX- DMZ [7:74422]

2003-08-26 Thread Ben W
Most likely, you need to check the access-list applied to your inbound DMZ
interface and permit tcp port 80.  You also need to verify your nat and
global commands are set for the DMZ network too, if you are NATing them.

zak spaniol wrote:
> 
> I have a server on my DMZ that I want to browse the internet with
> but can't. Are there any commands I need to put in or take out
> in order to browse the internet?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74423&t=74422


PIX- DMZ [7:74422]

2003-08-26 Thread zak spaniol
I have a server on my DMZ that I want to browse the internet with but can't. Are
there any commands I need to put in or take out in order to browse the internet?


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74422&t=74422


RE: PIX Firewall --- DMZ to Inside Access [7:69877]

2003-05-31 Thread Mark Smith
Try this:

pix(config)# access-list <acl_name> permit tcp host 10.1.1.X host 192.168.20.10 eq 7000
pix(config)# access-group <acl_name> in interface <dmz_if>

where you fill in the correct value for "X" in the source IP address that's
needing to access the inside, where <acl_name> is whatever you want
to name your access list and <dmz_if> is the name you gave the DMZ
interface in the "nameif" command.
Note: Currently all traffic from the DMZ to the outside is allowed. The
moment you apply that access list to the DMZ interface all outbound traffic
(traffic INTO the DMZ interface and headed to parts anywhere to the outside)
will now be blocked. There is an implied "deny any any" at the end of the
access list. You will have to then open up ports to the outside that boxes
in your DMZ will need to use. If the same box needs WWW access to the
outside world you will need a statement like this:

pix(config)# access-list <acl_name> permit tcp host 10.1.1.X any eq 80

The "any" is the destination IP address. If it only goes to a specific WWW
site you can add "host A.B.C.D" instead of "any". With the statement as
written above you've allowed the pix to access any web server anywhere,
assuming it's running on port 80. The same can be done with FTP, SMTP, DNS
(except it would be "permit udp" instead of "permit tcp") or any other
traffic originating from the DMZ. Any traffic already allowed via access
lists from the outside to the DMZ will not be affected, only traffic
originating in the DMZ. The official line from Cisco is that it's not a good
idea to mix static/conduits and access-list/access-groups on the same box.
If you're allowing traffic from the outside into your DMZ via static/conduit
pairs you may have intermittent troubles using both. I've not experienced it
personally. I just know what I've read in all of Cisco's docs about it. You
may need to consider switching to access-list/access-group instead of
conduits. The static statements should remain the same.

If you were going from the inside to the DMZ you would need a "static"
statement defining the inside network to the DMZ but I don't believe you do
from a less secure interface to a more secure interface. The two statements
above should be all you need to put in your config.

Hope this helps (and it wasn't 10,000 times more info than you wanted).


Mark Smith




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, May 30, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall --- DMZ to Inside Access [7:69877]


Fellows -
I have a scenario here,
I have a PIX firewall with 3 Interfaces, Inside, Outside and DMZ.
Machines on the Inside Interface can access Servers on the DMZ Zone, no problem,
I have to facilitate limited access from DMZ zone Servers to a Host on the Inside
Interface.
Let's take an example,
I have a Server on the DMZ zone 10.1.1.1 and I need to allow TCP Port 7000 from
this Server to a host on the Inside zone whose IP address is 192.168.20.10
I have a raw configuration in my mind; since I don't have a PIX with 3 Interfaces
in my LAB I cannot test it. I know I have to put an Access List / NAT to do
this.
Any config welcome.

thanks


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69892&t=69877
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: PIX Firewall --- DMZ to Inside Access [7:69877]

2003-05-31 Thread Vijay Ramcharan
Define static(s) to translate inside host address(es) to DMZ address(es)
like so:
static (inside,DMZ) 192.168.10.222 10.2.5.222 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.10.230 10.2.5.230 netmask 255.255.255.255 0 0

Configure an access list to permit traffic to the translated inside
address(es) like so:
access-list acl_dmz permit tcp host 192.168.10.15 host 192.168.10.230 eq 143
access-list acl_dmz permit tcp host 192.168.10.15 host 192.168.10.230 eq pop3

Apply your access-list:
access-group acl_dmz in interface DMZ

Vijay Ramcharan


-Original Message-
From: Curious [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 30, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall --- DMZ to Inside Access [7:69877]


Fellows -
I have a scenario here,
I have a PIX firewall with 3 Interfaces, Inside, Outside and DMZ.
Machines on the Inside Interface can access Servers on the DMZ Zone, no
problem, I have to facilitate limited access from DMZ zone Servers to a
Host on the Inside Interface. Let's take an example, I have a Server on the DMZ
zone 10.1.1.1 and I need to allow TCP Port 7000 from this Server to a
host on the Inside zone whose IP address is 192.168.20.10. I have a raw
configuration in my mind; since I don't have a PIX with 3 Interfaces in my LAB
I cannot test it. I know I have to put an Access List / NAT to do this.
Any config welcome.

thanks


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69885&t=69877


PIX Firewall --- DMZ to Inside Access [7:69877]

2003-05-31 Thread Curious
Fellows -
I have a scenario here,
I have a PIX firewall with 3 Interfaces, Inside, Outside and DMZ.
Machines on the Inside Interface can access Servers on the DMZ Zone, no problem,
I have to facilitate limited access from DMZ zone Servers to a Host on the Inside
Interface.
Let's take an example,
I have a Server on the DMZ zone 10.1.1.1 and I need to allow TCP Port 7000 from
this Server to a host on the Inside zone whose IP address is 192.168.20.10
I have a raw configuration in my mind; since I don't have a PIX with 3 Interfaces
in my LAB I cannot test it. I know I have to put an Access List / NAT to do
this.
Any config welcome.

thanks


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69877&t=69877


RE: PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69779]

2003-05-30 Thread Mark W. Odette II
Charles-
I could be wrong, but my interpretation of the docs covering the alias
command says that you can't have your cake and eat it too. :)

What I mean is, I don't believe you can DNS-Doctor and Destination-NAT
at the same time.  Like I said, I could be wrong.

From what I understand, you need to do your translation with a static
command:

"static (inside,dmz) 10.3.3.1 10.1.1.x netmask 255.255.255.255 0 0"

...and then set up your DNS-Doctor alias.

"alias (inside) 10.1.1.x 10.3.3.1 255.255.255.255"

Note:

Verify that the DNS server resolves your host/domain name to the global
IP address of the web server by issuing an nslookup command. The result
of the nslookup on the client PC should be the internal IP address of
the server (10.1.1.x), because the DNS reply gets doctored as it passes
through the PIX.

Also note that, for DNS fixup to work properly, proxy-arp has to be
disabled. If you are using the alias command for DNS fixup, disable
proxy-arp with the following command after the alias command has been
executed.

"sysopt noproxyarp internal_interface"

If you are also trying to maintain DNS integrity from the outside point
of view, I believe the 'dns' keyword is all that is needed in the
following command (to allow the outside world to also reach the DMZ
host).

"static (dmz,outside) 10.3.3.1 10.2.2.1 dns netmask 255.255.255.255"

Or, taking the concepts from the alias docs, you could do this.

"alias (outside) 10.2.2.1 10.3.3.1 255.255.255.255" ...but I think this
might be the older way of doing it.

Don't forget your ACLs so that DNS and whatever other services need to
be accessed on the DMZ host (one ACL for the Inside, one for the
Outside).

HTH

-Mark

-Original Message-
From: Charles  Riley [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 7:22 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69756]

Hi, all,

I have a problem that is making me scream and shout, gonna knock myself out.
It has to do with my PIX firewall configuration.

The long and short of my problem is that the inside network can only reach
inside hosts and outside networks:  it can not reach any host on the DMZ,
despite the fact that there are numerous statics and aliases configured to
permit it to do so.

I have a 515 6.2 with the following networks configured:

Inside 10.1.1.0/24
Outside 10.2.2.0/24
DMZ 10.3.3.0/24

First, we have names for ServerA located on the DMZ network:

name 10.3.3.1 SERVERA_DMZ
name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ; the
10.2.2.1 is its outside address (as well as being its registered DNS name).


If an inside networker DNS queries for SERVERA, the following commands are
supposed to swap the outside address for the DMZ address.  In other words,
intercept the DNS reply and change it so that the inside network will then
establish a session to 10.3.3.1 (DMZ address), not to 10.2.2.1 (outside
NAT'ed address)

alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening:  the inside network DNS
queries are getting outside addresses.

Compounding the problem is the translation process itself.  The below states
that when inside networks go to the DMZ network, PAT their address to
10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do
not affect the translation in this particular case).

nat (inside) 0 access-list 100
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

global (DMZ) 1 10.3.3.9 netmask 255.255.255.0


So, in a happy world, the inside network should DNS query for SERVERA, the
PIX should intercept replies and change to a DMZ address (alias), and NAT
should then translate as appropriate.

In the words of Larry King, it ain't happening, gang...and I don't know why.
I beseech, oh, Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a mistake.
I have since downgraded it back to 6.2, and have checked and rechecked the
config...there are no commands missing.

TIA,

Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69779&t=69779
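The DNS-doctoring step discussed in the post above (the PIX rewriting the A record in a reply headed for the inside, so the client connects to the DMZ address rather than the outside one), as an added Python example that is not from the thread or from Cisco. The packet bytes, the name servera.example.com and the 10.2.2.1 to 10.3.3.1 mapping taken from Charles's post are constructed sample input, not captured traffic:

```python
"""Added example (not from the thread): what DNS doctoring does to a reply on its
way to the inside. The firewall sees the DNS response from the outside server and,
where an A record carries the server's outside (mapped) address, substitutes the
DMZ (real) address, so an inside client connects to 10.3.3.1 instead of 10.2.2.1.
Names and packet contents below are constructed sample input."""
import struct
from ipaddress import ip_address

# outside (mapped) address -> DMZ (real) address, from the thread's example
DOCTOR_MAP = {"10.2.2.1": "10.3.3.1"}


def _encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Constructed DNS reply with one A question and one A answer per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR=1, RD, RA
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)            # type A, class IN
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ip_address(ip).packed
                   for ip in answers)  # 0xC00C = compression pointer to the question name
    return header + question + rrs


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _a_records(msg):
    """Yield (rdata_offset, address) for every A record in the reply sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip qtype + qclass
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, str(ip_address(bytes(msg[off:off + 4])))
        off += rdlen


def answers(msg):
    """The addresses a client would see (what nslookup on the PC prints)."""
    return [addr for _, addr in _a_records(msg)]


def doctor_reply(msg, mapping=DOCTOR_MAP):
    """Rewrite mapped addresses in A-record RDATA; return (new message, count)."""
    if not struct.unpack("!H", msg[2:4])[0] & 0x8000:
        return msg, 0                  # a query, not a response: nothing to doctor
    out = bytearray(msg)
    count = 0
    for off, addr in _a_records(msg):
        if addr in mapping:
            out[off:off + 4] = ip_address(mapping[addr]).packed
            count += 1
    return bytes(out), count
```

answers() shows what nslookup on an inside client would print before and after the rewrite. Only A records whose RDATA equals a mapped address change, so other answers in the same reply survive untouched, and a query (QR bit clear) passes through unchanged; the message length and header are preserved, which is what lets the rewrite happen in place.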


PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69756]

2003-05-29 Thread Charles EEEE Riley
Hi, all,

I have a problem that is making me scream and shout, gonna knock myself out.
It has to do with my PIX firewall configuration.

The long and short of my problem is that the inside network can only reach
inside hosts and outside networks:  it can not reach any host on the DMZ,
despite the fact that there are numerous statics and aliases configured to
permit it to do so.

I have a 515 6.2 with the following networks configured:

Inside 10.1.1.0/24
Outside 10.2.2.0/24
DMZ 10.3.3.0/24

First, we have names for ServerA located on the DMZ network:

name 10.3.3.1 SERVERA_DMZ
name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ;  the
10.2.2.1 is its outside address (as well as being its registered DNS name).


If an inside networker DNS queries for SERVERA, the following commands are
supposed to swap the outside address for the DMZ address.  In other words,
intercept the DNS reply and change it so that the inside network will then
establish a session to 10.3.3.1 (DMZ address), not to 10.2.2.1 (outside
NAT'ed address)

alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening:  the inside network DNS
queries are getting outside addresses.

Compounding the problem is the translation process itself.  The below states
that when inside networks go to the DMZ network, PAT their address to
10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do
not affect the translation in this particular case).

nat (inside) 0 access-list 100
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

global (DMZ) 1 10.3.3.9 netmask 255.255.255.0


So, in a happy world,  the inside network should DNS query for SERVERA, the
PIX should intercept replies and change to a DMZ address (alias), and NAT
should then translate as appropriate.

In the words of Larry King, it ain't happening, gang...and I don't know why.
I beseech, oh, Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a mistake.
I have since downgraded it back to 6.2, and have checked and rechecked the
config...there are no commands missing.

TIA,

Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69756&t=69756


RE: With PIX unable to reach DMZ from LAN [7:55608]

2002-10-16 Thread Jay Dunn

You can have multiple NAT statements. NAT 0 will stop nat for whatever
is defined in the access list. We have a 515 with a DMZ interface. Our
inside network is 10.50.0.0/16 and our dmz network is 172.16.1.0/24.
Here is an example from our PIX.

access-list 101 permit ip 10.50.0.0 255.255.0.0 10.50.0.0 255.255.0.0

access-list 101 permit ip 10.50.0.0 255.255.0.0 172.16.1.0 255.255.255.0

access-list 101 permit ip 172.16.1.0 255.255.255.0 10.50.0.0 255.255.0.0




ip address inside 10.50.1.2 255.255.0.0

ip address dmz 172.16.1.1 255.255.255.0 



ip local pool vpn-pool 10.50.8.1-10.50.8.50



global (outside) 1 x.x.x.196-x.x.x.248 netmask 255.255.255.x  
global (outside) 1 x.x.x.195 netmask 255.255.255.x



nat (inside) 0 access-list 101 
nat (dmz) 0 access-list 101 
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0



Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Theodore Stout
Sent: Tuesday, October 15, 2002 4:28 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

But doesn't NAT 0 stop nat for whatever is defined afterwards?

If I remember right, and I just might not, I used it when I wanted to
avoid NAT on VPN traffic.  I would define VPN traffic with an access-list
and then use NAT 0 to tell the PIX to not NAT/PAT VPN traffic.

Dude, I still can't figure out why Guruprasad's config won't work.  Got me
totally bummed out.

Theo






"Jay Dunn" 
Sent by: [EMAIL PROTECTED]
10/15/2002 05:59 PM
Please respond to "Jay Dunn"

 
To: [EMAIL PROTECTED]
cc: 
Subject:RE: With PIX unable to reach DMZ from LAN
[7:55608]


Lookup NAT 0 in the PIX command summary (sorry, I don't have a link).
The PIX will perform NATing on a packet as soon as it enters an
interface. This can create problems when 2 interfaces receive their NAT
addresses from the same pool. Create an access list permitting ip
between the inside and dmz subnets and then apply it with NAT 0. This
will eliminate NATing. This should allow the inside to establish full
communication with the dmz. You will still need the appropriate conduits
for dmz to inside communication.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi theo, and all,

I am giving the configuration.

 

global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224

global (perimeter) 1 192.168.23.10-192.168.23.20

nat (inside) 1 192.168.11.0 255.255.255.0 0 0

nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0

static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0

static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0

static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0 - If I am not wrong, this command enables the
communication between LAN and DMZ, but here it fails.

conduit permit tcp host 66.x.x.x eq x any

conduit permit icmp host 192.168.11.x any

conduit permit tcp host 66.x.x.x eq x any

conduit permit tcp host 66.x.x.x eq sqlnet any

route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

I

 

What is that companion command ? Please help

 

 

Regards

Guruprasad

 

-Original Message-
From: Theodore Stout [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

 

You will need to explicitly grant permission for the DMZ to communicate
to the Internal since lower security interfaces are automatically
blocked from higher ones.

 

Can you access from the Outside?  Try it and see.

Can you print out the config without the real IPs?  You need to have a
companion command to the Static command and I would like to see if you
have it.

 

Cheers,

 

Theo


"Guruprasad Sanjeevi" 
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"

To: [EMAIL PROTECTED]
cc: 
bcc: 
Subject: With PIX unable to reach DMZ from LAN [7:55608]



Hi group,

I am trying to configure PIX. It has 3 Ethernet interfaces and three
networks are used.

LAN (inside)  : 192.168.11.0
DMZ (perimeter) : 192.168.23.0
Outside: 66.x.x.x

Problem: users from Inside and Perimeter network are able to browse, but
the inside and Perimeter network cannot talk to each other. I have given
the static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from
INSIDE network to DMZ(perimeter) and vice-versa.

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of t

Re: With PIX unable to reach DMZ from LAN [7:55608]

2002-10-15 Thread Juli Hato

HI here are some of the tips:

- From Higher ASA to Lower ASA --> You need NAT and Global
- From Lower ASA to Higher ASA --> You need Conduit/Access-List and Static

Best Regards,
HATO


>From: "mike greenberg" 
>Reply-To: "mike greenberg" 
>To: [EMAIL PROTECTED]
>Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]
>Date: Tue, 15 Oct 2002 10:26:14 GMT
>
>This is a simple solution.  Do this:
>static (inside,perimeter) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
>This will make the pix act like a router with traffic from 192.168.11.0 to
>communicate with 192.168.23.0; however, you have to make an access-list to
>allow network 192.168.23.0 to talk back to 192.168.11.0 because perimeter has
>a lower security level than the inside interface.
>
>  Guruprasad Sanjeevi  wrote:Hi group,
>
>I am trying to configure PIX. It has 3 Ethernet interfaces and three
>networks are used.
>
>LAN (inside) : 192.168.11.0
>DMZ (perimeter) : 192.168.23.0
>Outside: 66.x.x.x
>
>Problem: users from Inside and Perimeter network are able to browse, but
>the inside and Perimeter network cannot talk to each other. I have given
>the static command like this
>
>Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0
>
>What other command is required on the PIX to enable communication from
>INSIDE network to DMZ(perimeter) and vice-versa.
>
>Please help
>
>Thanks
>Guruprasad
>
>[GroupStudy.com removed an attachment of type application/ms-tnef which had
>a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55659&t=55608



Re: With PIX unable to reach DMZ from LAN [7:55608]

2002-10-15 Thread mike greenberg

This is a simple solution.  Do this:
static (inside,perimeter) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
This will make the pix act like a router with traffic from 192.168.11.0 to
communicate with 192.168.23.0; however, you have to make an access-list to allow
network 192.168.23.0 to talk back to 192.168.11.0 because perimeter has a
lower security level than the inside interface.
 
 Guruprasad Sanjeevi  wrote:Hi group,

I am trying to configure PIX. It has 3 Ethernet interfaces and three
networks are used.

LAN (inside) : 192.168.11.0
DMZ (perimeter) : 192.168.23.0
Outside: 66.x.x.x

Problem: users from Inside and Perimeter network are able to browse, but
the inside and Perimeter network cannot talk to each other. I have given the
static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from
INSIDE network to DMZ(perimeter) and vice-versa.

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had
a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55624&t=55608



RE: With PIX unable to reach DMZ from LAN [7:55608]

2002-10-15 Thread Theodore Stout

But doesn't NAT 0 stop nat for whatever is defined afterwards?

If I remember right, and I just might not, I used it when I wanted to
avoid NAT on VPN traffic.  I would define VPN traffic with an access-list
and then use NAT 0 to tell the PIX to not NAT/PAT VPN traffic.

Dude, I still can't figure out why Guruprasad's config won't work.  Got me
totally bummed out.

Theo






"Jay Dunn" 
Sent by: [EMAIL PROTECTED]
10/15/2002 05:59 PM
Please respond to "Jay Dunn"

 
To: [EMAIL PROTECTED]
cc: 
Subject:RE: With PIX unable to reach DMZ from LAN [7:55608]


Lookup NAT 0 in the PIX command summary (sorry, I don't have a link).
The PIX will perform NATing on a packet as soon as it enters an
interface. This can create problems when 2 interfaces receive their NAT
addresses from the same pool. Create an access list permitting ip
between the inside and dmz subnets and then apply it with NAT 0. This
will eliminate NATing. This should allow the inside to establish full
communication with the dmz. You will still need the appropriate conduits
for dmz to inside communication.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi theo, and all,

I am giving the configuration.

 

global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224

global (perimeter) 1 192.168.23.10-192.168.23.20

nat (inside) 1 192.168.11.0 255.255.255.0 0 0

nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0

static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0

static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0

static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0 - If I am not wrong, this command enables the
communication between LAN and DMZ, but here it fails.

conduit permit tcp host 66.x.x.x eq x any

conduit permit icmp host 192.168.11.x any

conduit permit tcp host 66.x.x.x eq x any

conduit permit tcp host 66.x.x.x eq sqlnet any

route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

I

 

What is that companion command ? Please help

 

 

Regards

Guruprasad

 

-Original Message-
From: Theodore Stout [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

 

You will need to explicitly grant permission for the DMZ to communicate
to the Internal since lower security interfaces are automatically
blocked from higher ones.

 

Can you access from the Outside?  Try it and see.

Can you print out the config without the real IPs?  You need to have a
companion command to the Static command and I would like to see if you
have it.

 

Cheers,

 

Theo


"Guruprasad Sanjeevi" 
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"

To: [EMAIL PROTECTED]
cc: 
bcc: 
Subject: With PIX unable to reach DMZ from LAN [7:55608]



Hi group,

I am trying to configure PIX. It has 3 Ethernet interfaces and three
networks are used.

LAN (inside)  : 192.168.11.0
DMZ (perimeter) : 192.168.23.0
Outside: 66.x.x.x

Problem: users from Inside and Perimeter network are able to browse, but
the inside and Perimeter network cannot talk to each other. I have given
the static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from
INSIDE network to DMZ(perimeter) and vice-versa.

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had
a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55621&t=55608



RE: With PIX unable to reach DMZ from LAN [7:55608]

2002-10-15 Thread Jay Dunn

Lookup NAT 0 in the PIX command summary (sorry, I don't have a link).
The PIX will perform NATing on a packet as soon as it enters an
interface. This can create problems when 2 interfaces receive their NAT
addresses from the same pool. Create an access list permitting ip
between the inside and dmz subnets and then apply it with NAT 0. This
will eliminate NATing. This should allow the inside to establish full
communication with the dmz. You will still need the appropriate conduits
for dmz to inside communication.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi theo, and all,

I am giving the configuration.

 

global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224

global (perimeter) 1 192.168.23.10-192.168.23.20

nat (inside) 1 192.168.11.0 255.255.255.0 0 0

nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0

static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0

static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0

static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0 - If I am not wrong, this command enables the
communication between LAN and DMZ, but here it fails.

conduit permit tcp host 66.x.x.x eq x any

conduit permit icmp host 192.168.11.x any

conduit permit tcp host 66.x.x.x eq x any

conduit permit tcp host 66.x.x.x eq sqlnet any

route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

I

 

What is that companion command ? Please help

 

 

Regards

Guruprasad

 

-Original Message-
From: Theodore Stout [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

 

You will need to explicitly grant permission for the DMZ to communicate
to the Internal since lower security interfaces are automatically
blocked from higher ones.

 

Can you access from the Outside?  Try it and see.

Can you print out the config without the real IPs?  You need to have a
companion command to the Static command and I would like to see if you
have it.

 

Cheers,

 

Theo


"Guruprasad Sanjeevi" 
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"

To: [EMAIL PROTECTED]
cc: 
bcc: 
Subject: With PIX unable to reach DMZ from LAN [7:55608]



Hi group,

I am trying to configure PIX. It has 3 Ethernet interfaces and three
networks are used.

LAN (inside)  : 192.168.11.0
DMZ (perimeter) : 192.168.23.0
Outside: 66.x.x.x

Problem: users from Inside and Perimeter network are able to browse, but
the inside and Perimeter network cannot talk to each other. I have given
the static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from
INSIDE network to DMZ(perimeter) and vice-versa.

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had
a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55620&t=55608



RE: With PIX unable to reach DMZ from LAN [7:55608]

2002-10-14 Thread Theodore Stout

Well I will take it that you didn't include the "ip address x.x.x.x 
x.x.x.x" commands for convience.

I was looking for the NAT commands.  They look okay.  I can't identify one 
problem with this although I have to admit that last year I had the same 
problem. 
Your global perimeter and nat perimeter ip ranges are a bit strange.  Why 
do you give one a range yet the other no range and they might possibly 
overlap? 
Try eliminating the Conduit commands.  I assume that you are in a testing 
phase and are pinging from 192.168.11.x to  66.x.x.x.  Again, this 
shouldn't affect anything because you are able to browse and therefore you 
should be able to access the DMZ just the same way as the outside 
interface.

You don't have anything here to permit traffic originating from the DMZ
to access your Internal LAN.

Keep on going, I got to go to Starbucks for a while.

Theo






"Guruprasad Sanjeevi" 
10/15/2002 02:34 PM

 
To: "'Theodore Stout'" 
cc:     
Subject:RE: With PIX unable to reach DMZ from LAN [7:55608]


Hi Theo, and all,
I am giving the configuration.
 
global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0 - If I am not wrong, this command enables the communication between LAN and DMZ, but here it fails.
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1
I
 
What is that companion command ? Please help
 
 
Regards
Guruprasad
 
-Original Message-
From: Theodore Stout [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]
 
You will need to explicitly grant permission for the DMZ to communicate
to the Internal, since lower security interfaces are automatically blocked
from higher ones.
 
Can you access from the Outside?  Try it and see.
Can you print out the config without the real IPs?  You need to have a 
companion command to the Static command and I would like to see if you 
have it.
 
Cheers,
 
Theo

"Guruprasad Sanjeevi" 
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"

To: [EMAIL PROTECTED]
cc: 
bcc: 
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure PIX. It has 3 Ethernet interfaces and three
networks are used.

LAN (inside)    : 192.168.11.0
DMZ (perimeter) : 192.168.23.0
Outside         : 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse, but
the Inside and Perimeter networks cannot talk to each other. I have given the
static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the
INSIDE network to the DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55615&t=55608



FW: With PIX unable to reach DMZ from LAN [7:55608]

2002-10-14 Thread Vitaliy Vishnevskiy

Nothing
Are you trying to test with ping?  Then you need an ACL applied to the
perimeter interface to allow the echo-replies.  If you have no ACL
applied to the inside and perimeter interfaces, TCP sessions should be
flowing - try to telnet from inside to the perimeter, for instance.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Guruprasad Sanjeevi
Sent: Monday, October 14, 2002 11:30 PM
To: [EMAIL PROTECTED]
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure PIX. It has 3 Ethernet interfaces and three
networks are used.

LAN (inside)    : 192.168.11.0
DMZ (perimeter) : 192.168.23.0
Outside         : 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse, but
the Inside and Perimeter networks cannot talk to each other. I have given the
static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the
INSIDE network to the DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55614&t=55608



RE: With PIX unable to reach DMZ from LAN [7:55608]

2002-10-14 Thread Guruprasad Sanjeevi

Hi Theo, and all,

I am giving the configuration.

 

global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0 - If I am not wrong, this command enables the communication between LAN and DMZ, but here it fails..
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

I

 

What is that companion command ? Please help

 

 

Regards

Guruprasad

 

-Original Message-
From: Theodore Stout [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

 

You will need to explicitly grant permission for the DMZ to communicate
to the Internal, since lower security interfaces are automatically blocked
from higher ones.

 

Can you access from the Outside?  Try it and see.

Can you print out the config without the real IPs?  You need to have a
companion command to the Static command and I would like to see if you
have it.

 

Cheers,

 

Theo


"Guruprasad Sanjeevi" 
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"

To: [EMAIL PROTECTED]
cc: 
bcc: 
Subject: With PIX unable to reach DMZ from LAN [7:55608]



Hi group,

I am trying to configure PIX. It has 3 Ethernet interfaces and three
networks are used.

LAN (inside)    : 192.168.11.0
DMZ (perimeter) : 192.168.23.0
Outside         : 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse, but
the Inside and Perimeter networks cannot talk to each other. I have given the
static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the
INSIDE network to the DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55613&t=55608



With PIX unable to reach DMZ from LAN [7:55608]

2002-10-14 Thread Guruprasad Sanjeevi

Hi group,

I am trying to configure PIX. It has 3 Ethernet interfaces and three
networks are used.

LAN (inside)    : 192.168.11.0
DMZ (perimeter) : 192.168.23.0
Outside         : 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse, but
the Inside and Perimeter networks cannot talk to each other. I have given the
static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the
INSIDE network to the DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55608&t=55608



RE: PIX .. Basic Inside to DMZ Question ... [7:55447]

2002-10-13 Thread samir shukri

You need another access-list from inside to dmz to permit ip any any (or
specific ports and addresses) - make sure you have a global or static
between inside and dmz.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55534&t=55447



Re: PIX .. Basic Inside to DMZ Question ... [7:55447]

2002-10-12 Thread Paul

Thanks for your input guys ...

I found a switch in the DMZ that had an IP default-gateway pointing to a
Novell box with an interface on both the Inside and DMZ LANs ...

As soon as I changed the IP def-gateway I could telnet around the DMZ
switches and routers ..

Regards

Paul ...
- Original Message -
From: "Paul" 
To: 
Sent: Saturday, October 12, 2002 1:14 PM
Subject: PIX .. Basic Inside to DMZ Question ... [7:55447]


> Hi,
>
> I have the DMZ as security 50, and the Inside as security 100. I have an
> access-list applied to the DMZ and the Inside for permit IP any any.
>
> My problem is that I cannot Telnet to any routers/switches on the DMZ from
> the
> Inside LAN. Ping and Traceroute work !!! (ICMP permit inside/dmz any).
>
> How can I get round this ???  Am I missing something real basic here ???
> I can't trash the PIX and start over as I have regular VPN, NAT and Global
> traffic
>
> Any input welcome ..
>
> Kind regards ..
>
> Paul ...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55449&t=55447



PIX .. Basic Inside to DMZ Question ... [7:55447]

2002-10-12 Thread Paul
Hi,

I have the DMZ as security 50, and the Inside as security 100. I have an
access-list applied to the DMZ and the Inside for permit IP any any.

My problem is that I cannot Telnet to any routers/switches on the DMZ from the
Inside LAN. Ping and Traceroute work !!! (ICMP permit inside/dmz any).

How can I get round this ???  Am I missing something real basic here ???
I can't trash the PIX and start over as I have regular  VPN, NAT and Global
traffic

Any input welcome ..

Kind regards ..

Paul ...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55447&t=55447



PIX (DMZ) Nat0 Q. [7:53478]

2002-09-17 Thread Richard Tufaro

Hey guys, had a quick question on the PIX FW. 

When implementing a DMZ what would be the tangible benefit of using the
traditional:
NAT outside to DMZ inside, create ACLs. As opposed to making a NAT 0
statement in the firewall?

Either way you are going to be using ACLs on the firewall to permit/deny
traffic? Either way the server that you want "exposed" is going to be on a
different VLAN?

The only thing that I can think of is if you have, say, a limited number of IPs
on the outside (I know we all do), but more in the range of 1 external IP, and
you had 5 machines on the inside running different services (FTP, WWW, SSH),
whatever, then you would need to do the traditional DMZ and NAT back.

Does putting the NAT 0 statement disable the firewall from doing fix-ups to
the NAT0'ed address? I just don't see the need for the traditional way of
DMZ'ing if NAT 0 is going to accomplish the same thing without all the extra
configuration.

Comments? Just trying to get a grip on it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53478&t=53478



RE: Exchange 5.5 in DMZ [7:52126]

2002-08-27 Thread Creighton Bill-BCREIGH1

More specifically:

OWA pages can be accessed through an SSL channel (40-bit key, according to the
USA export laws for non-financial institutions). Communication between the OWA
server and servers located in the intranet zone is restricted to:

one BDC server
  TCP: 135, 138
  UDP: 137

Exchange servers
  TCP: 135, 4410, 4411

ACE servers
  TCP: 5500

ECHO

Bill Creighton CCNP
Senior System Engineer
Motorola
iDEN CNRC Packet Data

 

-Original Message-
From: Kevin O'Gilvie [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, August 27, 2002 7:46 AM
To: [EMAIL PROTECTED]
Subject: Exchange 5.5 in DMZ [7:52126]

Dear All,

What is the correct way to set up exchange in the DMZ..
I know how to set it up in the inside interface but that is a security risk.
I would like to put IMC and OWA on the DMZ.
And keep the Mail Server on the inside

Thanks,

Kevin








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52138&t=52126



RE: Exchange 5.5 in DMZ [7:52126]

2002-08-27 Thread Creighton Bill-BCREIGH1

We set up exactly what you're trying to do for a client in Chile for a
Mobile Office product we deployed, use the blueprint below for starters.
(watch out for word wrap)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange55/plan/ekmgem.asp


Bill Creighton CCNP
Senior System Engineer
Motorola
iDEN CNRC Packet Data


-Original Message-
From: Kevin O'Gilvie [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, August 27, 2002 7:46 AM
To: [EMAIL PROTECTED]
Subject: Exchange 5.5 in DMZ [7:52126]

Dear All,

What is the correct way to set up exchange in the DMZ..
I know how to set it up in the inside interface but that is a security risk.
I would like to put IMC and OWA on the DMZ.
And keep the Mail Server on the inside

Thanks,

Kevin








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52137&t=52126



Exchange 5.5 in DMZ [7:52126]

2002-08-27 Thread Kevin O'Gilvie

Dear All,

What is the correct way to set up exchange in the DMZ..
I know how to set it up in the inside interface but that is a security risk.
I would like to put IMC and OWA on the DMZ.
And keep the Mail Server on the inside

Thanks,

Kevin








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52126&t=52126



Re: PIX DMZ IP address unload [7:37666]

2002-03-08 Thread Gaz

What response do you get from 'no ip address dmz'?

Can't think of anything else except a bit of a long-winded way around it,
but copy the config, remove the 4-port card, boot up the box,
power it down and re-insert the card.

But...just out of interest - why are you bothered...or is it just out of
interest that you want to know?

Cheers,

Gaz


"Hartnell, George" wrote in message news:[EMAIL PROTECTED]...
> Typical problem.  Hopefully an easy answer. The manual says so, but
>
> I've configured interface 3 on a 6 port 515 for a dmz.  I needed to change
> that segment back to its original "127.0.0.1 255.255.255.255" ip address
> assignment.  Failover goes just ducky back to 0.0.0.0. I get the infamous
> "Sorry, not allowed to enter IP address on same network as interface n."
> n=3 in this case.
>
> The problem, as stated in the manual, goes like this.  "...you may not be
> permitted to enter subsequent IP addresses if another interface's address is
> in the same range as the first. ... To fix this problem, reenter the first
> command specifying the correct network mask."
>
> Sure.  I've reentered every 'ip address (interfacename)' on the box, and I
> still get the "Sorry" story on that dmz.  The best I can get is the dmz
> interface (interface #2) to a '127.0.0.1 255.0.0.0' designation.  Interfaces
> 3 and 4 are unchanged at 127.0.0.1 255.255.255.255. Interface 5 is a
> failover 100Mb.  Fortunately, I won't need to heat up the dmz until next
> week, and performance is unaffected.
>
> Sooo, "show ip" looks similar to the below:
>
> ip address outside w.x.y.z 255.255.255.0
> ip address inside w.a.b.c 255.255.255.0
> ip address dmz 127.0.0.1 255.0.0.0
> ip address intf3 127.0.0.1 255.255.255.255
> ip address intf4 127.0.0.1 255.255.255.255
> ip address intf5 10.10.10.42 255.255.255.252
>
> Of course I want dmz to now look like intf3 and 4.  But no!  The "Sorry"
> line continues.
>
> What's a poor administrator to do?  Yup, tried the TAC, yup, 'clear xlate',
> too.  Yup, got rid of all the 'static's, 'routes' and access-groups relating
> to the dmz.  Stumped.  So far.
>
> Any words of illumination?  I'm at rev. 5.3(1) at the moment.  Again, this
> interface is 'shutdown', and I anticipate no problems with a live
> reconfigure to another ip segment, but it is bothersome that I cannot get it
> to return to its original loopback address.
>
> Best, G.
> VP OGC




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37677&t=37666



PIX DMZ IP address unload [7:37666]

2002-03-08 Thread Hartnell, George

Typical problem.  Hopefully an easy answer. The manual says so, but

I've configured interface 3 on a 6 port 515 for a dmz.  I needed to change
that segment back to its original "127.0.0.1 255.255.255.255" ip address
assignment.  Failover goes just ducky back to 0.0.0.0. I get the infamous
"Sorry, not allowed to enter IP address on same network as interface n."
n=3 in this case.

The problem, as stated in the manual, goes like this.  "...you may not be
permitted to enter subsequent IP addresses if another interface's address is
in the same range as the first. ... To fix this problem, reenter the first
command specifying the correct network mask."

Sure.  I've reentered every 'ip address (interfacename)' on the box, and I
still get the "Sorry" story on that dmz.  The best I can get is the dmz
interface (interface #2) to a '127.0.0.1 255.0.0.0' designation.  Interfaces
3 and 4 are unchanged at 127.0.0.1 255.255.255.255. Interface 5 is a
failover 100Mb.  Fortunately, I won't need to heat up the dmz until next
week, and performance is unaffected.

Sooo, "show ip" looks similar to the below:

ip address outside w.x.y.z 255.255.255.0
ip address inside w.a.b.c 255.255.255.0
ip address dmz 127.0.0.1 255.0.0.0  <- bummer here
ip address intf3 127.0.0.1 255.255.255.255  <-- conflict here
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 10.10.10.42 255.255.255.252

Of course I want dmz to now look like intf3 and 4.  But no!  The "Sorry"
line continues.

What's a poor administrator to do?  Yup, tried the TAC, yup, 'clear xlate',
too.  Yup, got rid of all the 'static's, 'routes' and access-groups relating
to the dmz.  Stumped.  So far.

Any words of illumination?  I'm at rev. 5.3(1) at the moment.  Again, this
interface is 'shutdown', and I anticipate no problems with a live
reconfigure to another ip segment, but it is bothersome that I cannot get it
to return to its original loopback address.

Best, G.
VP OGC




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37666&t=37666



PIX DMZ Issue [7:26419]

2001-11-15 Thread Ali, Abbas

I have a problem with DMZ configuration.

Here is the scenario.

DMZ port has UNIX Sendmail Server. 
IP Address 206.2.34.1
Internal Port has Exchange Server.
IP Address 206.6.182.75

Here is what I did to make it work.

static (dmz,outside) 155.254.128.7 206.2.34.1 netmask 255.255.255.255 0 0
static (inside,dmz) 206.6.182.75 206.6.182.75 netmask 255.255.255.255 0 0
conduit permit tcp host 155.254.128.7 eq smtp any
conduit permit tcp host 206.6.182.75 eq smtp host 206.2.34.1

This is the basic configuration, Customer has an NIS (UNIX) server which is
on Internal network at the address 206.6.181.1 and contains all the
databases for various applications including the Sendmail server on a dmz
port.

The sendmail server on the dmz port can't come online until it contacts the NIS
server on the internal network, and because of the PIX it will not allow polling
to work from the dmz port to the internal port unless some static mappings and
conduit permissions are allowed.  How do I resolve this issue with three
things?

First Sendmail server to contact NIS server at Internal port and then to
deliver emails to exchange box.

Regards,

Abbas Ali, AVVID, CCDP, CCNP, MCSE
Network Engineer II

Tel: 714.428.3367
Pager: 714.748.4817
Email: [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26419&t=26419



RE: Pix and DMZ [7:20333]

2001-09-18 Thread Tribavan Raina

Hi..


There is nothing big. Just remember one rule:

1) When traffic is allowed to flow from a higher security interface to a lower
one, you have to use global and nat.

2) When traffic is allowed to flow from lower to higher, then you have to use
static and access-list.

In your case you have to allow access from high to low, so add one more
global command with the address used for natting and also a nat command with
respect to that.

The command which you have to write is
 global (dmz) 1 172.22.100.1-172.22.100.10
This should solve your problem. The range which I have given in global is just
an example and these addresses would be used by PIX to nat internal hosts
when they would be accessing the dmz. You don't need to add nat as you have
already defined that.

Hope this helps.

Regds
Tribavan Raina
Network Consultant

TechTonics Group Limited
Level 31 Grand Plimmer Tower
2-6 Gilmer Terrace
PO Box 11 199
Wellington

Ph:   +64 4 385 2628
Fax: +64 4 385 2400

www.techtonics.co.nz




-Original Message-
From: Tai Ngo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 September 2001 4:05 p.m.
To: [EMAIL PROTECTED]
Subject: Pix and DMZ [7:20333]


Hi All,

I am having a problem configuring the Pix's DMZ interface specifically
getting it to talk to the inside and also having the inside talking to
it.  Here's the scenario:

I have 3 interfaces on a Pix 520 running 6.0(1).   I have an inside
interface which is on the 192.168.1.0 network, dmz which is on the
172.22.100.0 network, and outside which is the 62.20.100.x Class C network.
I want inside boxes to be able to access a pc on the dmz called DMZPC
with ip address of  172.22.100.100.  I also want the DMZPC to be able to
access machines on the inside of the network.  All interfaces on the Pix
use x.x.x.1 for their respective ip addresses.

Currently, my box on the DMZ can access the Internet and the Internet
can access it via a "static (dmz,outside) 62.20.100.131 172.22.100.131
netmask 255.255.255.255 0 0" command.

Here's the output from a show route on my Pix:

outside 0.0.0.0 0.0.0.0 62.20.99.2 1 OTHER static(that's the ip address
of the router on the outside that gets forwarded to our ISP)
outside 62.20.100.0 255.255.255.0 62.20.100.1 1 CONNECT static
dmz 172.22.100.0 255.255.255.0 172.22.100.1 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

Other commands in my configuration that might be important:

global (outside) 1 62.20.100.7 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0


I have read the Cisco Pix manual and tried using the syntax in the
manual but I am now more confused than when I started.  Can someone
provide me the configuration lines I need to get it working?  Any help
or tips would be greatly appreciated.

Thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20342&t=20333
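An added example, not from the thread or from Cisco: a small Python checker that applies the rule Tribavan states (high-to-low needs nat/global, low-to-high needs static plus access-list), Samir's "global or static between inside and dmz", and Vitaliy's note about echo-replies to the lines Tai Ngo posted, and reports what a flow between two interfaces still lacks. The nameif security levels and the corrected lines are assumptions, labelled in the code; conduits are only counted, not matched against addresses or ports.

```python
"""Added example (not from the thread or from Cisco): apply the rule the
replies state to a PIX 6.x config snippet and report what a flow still lacks."""
import re
from dataclasses import dataclass, field


@dataclass
class PixPolicy:
    security: dict = field(default_factory=dict)    # interface -> security level
    nat_ids: dict = field(default_factory=dict)     # interface -> {nat ids}
    global_ids: dict = field(default_factory=dict)  # interface -> {global ids}
    statics: set = field(default_factory=set)       # {(real_ifc, mapped_ifc)}
    acl_in: set = field(default_factory=set)        # interfaces with an inbound access-group
    conduits: int = 0                               # conduits are global, so just count them


def parse_pix(config: str) -> PixPolicy:
    """Extract security levels and translation/permit statements from config text."""
    p = PixPolicy()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif\s+\S+\s+(\w+)\s+security(\d+)", line):
            p.security[m[1]] = int(m[2])
        elif m := re.match(r"nat\s+\((\w+)\)\s+(\d+)", line):
            p.nat_ids.setdefault(m[1], set()).add(int(m[2]))
        elif m := re.match(r"global\s+\((\w+)\)\s+(\d+)", line):
            p.global_ids.setdefault(m[1], set()).add(int(m[2]))
        elif m := re.match(r"static\s+\((\w+)\s*,\s*(\w+)\)", line):
            p.statics.add((m[1], m[2]))
        elif m := re.match(r"access-group\s+\S+\s+in\s+interface\s+(\w+)", line):
            p.acl_in.add(m[1])
        elif line.startswith("conduit "):
            p.conduits += 1
    return p


def check_flow(p: PixPolicy, src: str, dst: str, icmp: bool = False) -> list:
    """List what is missing for connections initiated on src toward dst.

    Higher -> lower security: permitted by default, but PIX 6.x still needs a
    translation toward dst (nat/global pair with a matching id, a static, or nat 0).
    Lower -> higher: needs a static (high,low) plus an explicit permit, i.e. an
    access-list applied to the low interface or a conduit.
    """
    missing = []
    if p.security[src] > p.security[dst]:
        ids = p.nat_ids.get(src, set())
        translated = (0 in ids                                      # nat 0: exempt from translation
                      or bool(ids & p.global_ids.get(dst, set()))   # nat id has a global on dst
                      or (src, dst) in p.statics)                   # static (src,dst) ...
        if not translated:
            missing.append(f"no translation {src}->{dst}: add 'global ({dst}) <id>' "
                           f"with the id of 'nat ({src}) <id>', or a 'static ({src},{dst})'")
        # PIX 6.x does not track ICMP state: echo-replies come back as new
        # low->high traffic and need their own permit on dst (Vitaliy's point).
        if icmp and dst not in p.acl_in and p.conduits == 0:
            missing.append(f"ping test: echo-replies need a permit on {dst}")
    else:
        if (dst, src) not in p.statics:
            missing.append(f"no translation {src}->{dst}: add 'static ({dst},{src}) ...'")
        if src not in p.acl_in and p.conduits == 0:
            missing.append(f"no permit: apply an access-list to {src} (or add a conduit)")
    return missing


# The lines Tai Ngo posted. The nameif lines are an assumption: he names the
# interfaces but not their security levels (inside 100, dmz 50, outside 0 is
# the usual layout and matches Paul's thread).
POSTED = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
global (outside) 1 62.20.100.7 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 62.20.100.131 172.22.100.131 netmask 255.255.255.255 0 0
"""

# Constructed fix: Tribavan's 'global (dmz) 1' for inside->dmz (pool kept off the
# interface's own .1 address), and for dmz->inside an identity static plus an
# access-list that lets only DMZPC reach the inside on one port instead of
# 'permit ip any any'.
FIXED = POSTED + """
global (dmz) 1 172.22.100.2-172.22.100.10
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-list dmz_in permit tcp host 172.22.100.100 192.168.1.0 255.255.255.0 eq smtp
access-group dmz_in in interface dmz
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        pol = parse_pix(cfg)
        for src, dst in (("inside", "dmz"), ("dmz", "inside")):
            print(label, f"{src}->{dst}:", check_flow(pol, src, dst) or "ok")
```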



Pix and DMZ [7:20333]

2001-09-18 Thread Tai Ngo

Hi All,

I am having a problem configuring the Pix's DMZ interface specifically
getting it to talk to the inside and also having the inside talking to
it.  Here's the scenario:

I have 3 interfaces on a Pix 520 running 6.0(1).   I have an inside
interface which is on the 192.168.1.0 network, dmz which is on the
172.22.100.0 network, and outside which is the 62.20.100.x Class C network.
I want inside boxes to be able to access a pc on the dmz called DMZPC
with ip address of  172.22.100.100.  I also want the DMZPC to be able to
access machines on the inside of the network.  All interfaces on the Pix
use x.x.x.1 for their respective ip addresses.

Currently, my box on the DMZ can access the Internet and the Internet
can access it via a "static (dmz,outside) 62.20.100.131 172.22.100.131
netmask 255.255.255.255 0 0" command.

Here's the output from a show route on my Pix:

outside 0.0.0.0 0.0.0.0 62.20.99.2 1 OTHER static(that's the ip address
of the router on the outside that gets forwarded to our ISP)
outside 62.20.100.0 255.255.255.0 62.20.100.1 1 CONNECT static
dmz 172.22.100.0 255.255.255.0 172.22.100.1 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

Other commands in my configuration that might be important:

global (outside) 1 62.20.100.7 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0


I have read the Cisco Pix manual and tried using the syntax in the
manual but I am now more confused than when I started.  Can someone
provide me the configuration lines I need to get it working?  Any help
or tips would be greatly appreciated.

Thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20333&t=20333



RE: inside, outside and dmz [7:17627]

2001-08-30 Thread Kent Hundley

It's just a terminology issue.

A few years back, it was common to place world accessible servers between
the screening router (typically the router with the upstream ISP connection)
and the firewall.  This was mostly due to a lack of non-proxy firewalls.
With a true proxy or Application Layer Gateway (ALG) firewall, it's difficult
to allow inbound services.  (This was before the days of NAT/PAT and
stateful inspection.)

More recent designs use 3-legged firewalls and place world accessible
servers on the 3rd interface or "protected DMZ" interface of the firewall.
This allows for firewall filtering of traffic to the P-DMZ and also for
filtering of traffic from the P-DMZ to the internal network.  This helps
prevent compromise of the server to begin with, and in the event of a
compromise of the server it prevents the server from attacking the internal
network. (hopefully)

Since this is how most designs are done, the terminology "protected DMZ" has
fallen out of use and most people simply use the term DMZ when they mean
"protected DMZ".  I don't see many designs that call for placing servers on
a truly unprotected segment outside a firewall.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Farhan Ahmed
Sent: Tuesday, August 28, 2001 10:38 PM
To: [EMAIL PROTECTED]
Subject: inside, outside and dmz [7:17627]


comments below,

Isn't it better to keep mail servers and other servers inside and allow
only the ports that are required from outside, instead of putting them into the
DMZ and allowing more ports, in the case of Microsoft Exchange servers, web
servers with database connections, etc.?
What is the real benefit?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17945&t=17627



inside, outside and dmz [7:17627]

2001-08-28 Thread Farhan Ahmed

comments below,

Isn't it better to keep mail servers and other servers inside and allow
only the ports that are required from outside, instead of putting them into the
DMZ and allowing more ports, in the case of Microsoft Exchange servers, web
servers with database connections, etc.?
What is the real benefit?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17627&t=17627



Re: DMZ relocation [7:15597]

2001-08-10 Thread Raul De La Garza

I believe one could also use policy-based routing.  See Building Scalable 
Cisco Networks, Cisco Press.


Original Message Follows
From: "Aki Anttila" 
Reply-To: "Aki Anttila" 
To: [EMAIL PROTECTED]
Subject: Re: DMZ relocation [7:15597]
Date: Fri, 10 Aug 2001 08:14:12 -0400

At 07:59 10.8.2001 -0400, you wrote:
>Is this possible, without bringing up a test network?  Can one IP address be
>routed differently than the routes currently in my EIGRP route table, that
>are being advertised throughout the network?  Any documentation on this
>would be greatly appreciated.

I am not 100% sure I understood your question, but how about making a static
host route pointing to the LAN interface and redistributing this into the EIGRP
process?

Aki




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15599&t=15597



Re: DMZ relocation [7:15597]

2001-08-10 Thread Aki Anttila

At 07:59 10.8.2001 -0400, you wrote:
>Is this possible, without bringing up a test network?  Can one IP address be
>routed differently than the routes currently in my EIGRP route table, that
>are being advertised throughout the network?  Any documentation on this
>would be greatly appreciated.

I am not 100% sure I understood your question, but how about making a static
host route pointing to the LAN interface and redistributing this into the EIGRP process?

Aki




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15598&t=15597



DMZ relocation [7:15597]

2001-08-10 Thread Steve Donohue

Good Morning Group,

I am in the process of relocating our DMZ to our new facility.  For
connectivity to the various WAN connections I have the routes returning
through the old building.  I would ideally like to re-direct a single
machine from our LAN, which is running EIGRP, through our new DMZ to the
various locations, without redirecting the entire group until stability is
verified.  

Is this possible, without bringing up a test network?  Can one IP address be
routed differently than the routes currently in my EIGRP route table, that
are being advertised throughout the network?  Any documentation on this
would be greatly appreciated.

Thanks in advance for your assistance.

Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15597&t=15597



Re: DMZ Basics [7:10970]

2001-07-11 Thread Scott Lokey

Funny you should ask that, I just got through looking at an article in
Network Computing on DMZs. Check it out at 

http://www.networkcomputing.com/1214/1214ws1.html

Also just a few opinions. First, you really won't need the proxy/firewall if
you get the PIX. Second, you will see a big speed increase if traffic doesn't
have to go through the proxy/firewall. Third, VPN traffic can terminate on
the PIX or pass through to a VPN concentrator (probably overkill). Just my
2 cents worth.
Scott

On Wed, 4 Jul 2001 06:49:59 -0400, Sammi wrote:

>  Hello all,
>  
>  I'd like to setup a DMZ in the near future and am still pondering
>  purchase of a PIX box.
>  Our interface to the outside world is through a Cisco 1600.
>  
>  So the DMZ would go:
>  
>  1600 -> PIX -> ? -> ISA box (microsoft proxy/firewall)
>  
>  I know I don't want the PIX talking directly to the ISA, but not too
>  clear what I'm going to put in between, and why (functionality). Our
>  webpages are hosted off site by a third party, I would want to keep my
>  mail server inside right? I would like to set up VPN in the future,
>  should it go through the box between the firewalls?
>  The DMZ doesn't simply double the challenge does it? As in "ok, you
>  got through one firewall, now try the next".
>  
>  Any enlightenment greatly appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12036&t=10970



Re: DMZ Basics [7:10970]

2001-07-08 Thread Sammi

On 8 Jul 2001 09:19:45 -0400, [EMAIL PROTECTED] ("shella kevin")
wrote:

>Can you help  me understand what is DMZ ... any good documentation

I printed off some links from here:

http://www.google.com/search?q=dmz+basics&hl=en&safe=off




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11384&t=10970



Re: DMZ Basics [7:10970]

2001-07-08 Thread shella kevin

Can you help me understand what a DMZ is ... any good documentation?

>From: "Sammi"
>Reply-To: "Sammi"
>To: [EMAIL PROTECTED]
>Subject: DMZ Basics [7:10970]
>Date: Wed, 4 Jul 2001 06:49:59 -0400
>
>Hello all,
>
>I'd like to setup a DMZ in the near future and am still pondering
>purchase of a PIX box.
>Our interface to the outside world is through a Cisco 1600.
>
>So the DMZ would go:
>
>1600 -> PIX -> ? -> ISA box (microsoft proxy/firewall)
>
>I know I don't want the PIX talking directly to the ISA, but not too
>clear what I'm going to put in between, and why (functionality). Our
>webpages are hosted off site by a third party, I would want to keep my
>mail server inside right? I would like to set up VPN in the future,
>should it go through the box between the firewalls?
>The DMZ doesn't simply double the challenge does it? As in "ok, you
>got through one firewall, now try the next".
>
>Any enlightenment greatly appreciated.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11320&t=10970



Re: DMZ Basics [7:10970]

2001-07-04 Thread Keith Townsend

The PIX is extremely versatile.

1. E-Mail Server
You can put your mail server on the inside but I would suggest putting an
SMTP gateway on the DMZ.  Have your MX record pointing to that device.

2. 1600 - PIX - ? - ISA
I'm not sure why you would want to put something between the PIX and the
Proxy server.  You can do NAT at the PIX or the Proxy.  You can set the
Proxy for Authentication or set up a RADIUS or TACACS+ server to let the PIX
do it.  I would leave your configuration as it is with clients pointing to
the Proxy for Internet Access and the Proxy going through the PIX.  By default
the PIX lets all traffic out.  You can put an access list on the PIX and only
allow traffic out from the Proxy Server and possibly your mail server.

"Sammi" wrote in message news:[EMAIL PROTECTED]...
> Hello all,
>
> I'd like to setup a DMZ in the near future and am still pondering
> purchase of a PIX box.
> Our interface to the outside world is through a Cisco 1600.
>
> So the DMZ would go:
>
> 1600 -> PIX -> ? -> ISA box (microsoft proxy/firewall)
>
> I know I don't want the PIX talking directly to the ISA, but not too
> clear what I'm going to put in between, and why (functionality). Our
> webpages are hosted off site by a third party, I would want to keep my
> mail server inside right? I would like to set up VPN in the future,
> should it go through the box between the firewalls?
> The DMZ doesn't simply double the challenge does it? As in "ok, you
> got through one firewall, now try the next".
>
> Any enlightenment greatly appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11009&t=10970



DMZ Basics [7:10970]

2001-07-04 Thread Sammi

Hello all,

I'd like to setup a DMZ in the near future and am still pondering
purchase of a PIX box.
Our interface to the outside world is through a Cisco 1600.

So the DMZ would go:

1600 -> PIX -> ? -> ISA box (microsoft proxy/firewall)

I know I don't want the PIX talking directly to the ISA, but not too
clear what I'm going to put in between, and why (functionality). Our
webpages are hosted off site by a third party, I would want to keep my
mail server inside right? I would like to set up VPN in the future,
should it go through the box between the firewalls?
The DMZ doesn't simply double the challenge does it? As in "ok, you
got through one firewall, now try the next".

Any enlightenment greatly appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10970&t=10970



Re: 2600 help , dmz, [7:256]

2001-04-13 Thread EA Louie

your basic configuration looks like it will work just fine, Mo, except for a
few details that you'll want to implement - you have default pointed to
s1/0:0, and the DMZ is behind fast0/0 somewhere.

to avoid asymmetrical routing, you'll want anything that comes in via s1/1:0
to go back out s1/1:0 - therefore, find a solution to re-route traffic
properly - possibly a route-map that sends the x.x.252.0 0.0.0.255 outbound
traffic to the s1/1:0 interface.

You also want to add an access list to the s1/0:0 interface that reflects
the security policy of the customer - minimally restricting ICMP and only
allowing the services that are required into the Corporate network, a
pre-firewall firewall.

-e-
- Original Message -
From: Moahzam Durrani 
To: 
Sent: Wednesday, April 11, 2001 12:49 PM
Subject: 2600 help , dmz, [7:256]


> we have a 2620 with two built in DSU/CSU. At the moment we are using 1 T1
> from an ISP for internet access. We have another T1 available from a
> different ISP. We want to hang some servers on our DMZ so that anyone
> outside could access a web server. I am using RIP as a protocol. My concern
> is that I hope users inside will not experience problems browsing the
> internet, i.e. there won't be a confusion for routing between the two ISPs.
> Corporate users should not browse the net through serial 1/1. Oh yeah, the
> IP address configured for the DMZ has a network address of x.x.252.0
> 255.255.255.0. Below is a config, is something missing? If anyone could
> suggest anything please let me know, I'd appreciate it.
>
>
>
>
> controller T1 1/0
>  framing esf
>  linecode b8zs
>  channel-group 0 timeslots 1-24 speed 64
>  description T1 TO CONCENTRIC
> !
> controller T1 1/1
>  framing esf
>  linecode b8zs
>  channel-group 0 timeslots 1-24 speed 64
>  description T1 to FIRST INTERNET ALLIANCE
> !
> ! corporate
> interface FastEthernet0/0
>  ip address x.x.245.1 255.255.255.0
>  no ip directed-broadcast
>  no ip mroute-cache
>  speed 100
>  full-duplex
> !
> interface Serial1/0:0
>  description concentric
>  ip address z.z.z.56 255.255.255.0
>  no ip directed-broadcast
>  encapsulation ppp
>  no fair-queue
> !
> ! to be used for DMZ servers only
> interface Serial1/1:0
>  description FIRST INTERNET ALLIANCE
>  ip address a.a.a.26 255.255.255.252
>  no ip directed-broadcast
>  encapsulation ppp
>  no shutdown
> !
> router rip
>  ! corporate network
>  network x.x.0.0
>  ! another network
>  network y.y.y.0
>  ! the concentric isp network
>  network z.z.z.0
>  ! new ISP network for DMZ servers
>  network a.a.a.0
> !
> no ip classless
> ip route 0.0.0.0 0.0.0.0 Serial1/0:0
> ip route x.x.0.0 255.255.0.0 x.x.245.10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=470&t=256
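The two changes EA Louie recommends for Mo's 2620, a route-map that keeps x.x.252.0/24 on the second T1 and an inbound access list on the Concentric link, as an added IOS example that is not part of either post; x.x.252.0, x.x.245.10 and the interface names come from the posted config, while the ACL numbers, names and the exact permit rules are assumptions.

```cisco
! Added example (not from the thread) for the 2620 in Mo's post: DMZ traffic
! (x.x.252.0/24, reached via x.x.245.10 behind FastEthernet0/0) leaves on
! Serial1/1:0, corporate traffic keeps using the default route via Serial1/0:0.
! ACL numbers/names and the permit rules below are constructed.
!
! 1. Policy routing: packets sourced from the DMZ arrive on FastEthernet0/0
!    and are forced out Serial1/1:0, overriding the default route. Anything
!    that does not match falls through to normal routing. The ISP on that
!    link must route x.x.252.0/24 back the same way, or the path is still
!    asymmetric.
access-list 110 permit ip x.x.252.0 0.0.0.255 any
!
route-map DMZ-VIA-ISP2 permit 10
 match ip address 110
 set interface Serial1/1:0
!
interface FastEthernet0/0
 ip policy route-map DMZ-VIA-ISP2
!
! 2. Inbound filter on the corporate T1 (the "pre-firewall firewall"): admit
!    replies to sessions opened from inside, keep ICMP to the types needed for
!    path MTU discovery and troubleshooting, drop and log everything else.
!    "established" matches TCP flags only, so UDP replies (DNS here) need a
!    line of their own, and that line is a stateless approximation; stateful
!    inspection (ip inspect, CBAC) is the better tool if the image has it.
!    If the ISP really exchanges RIP over this link, add a permit for udp
!    port 520 (keyword rip); otherwise RIP from the ISP is dropped here.
ip access-list extended FROM-ISP1
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface Serial1/0:0
 ip access-group FROM-ISP1 in
!
! 3. The posted config has "no ip classless". With that setting a packet for
!    an x.x.0.0 subnet that is not in the routing table is dropped instead of
!    following the default route; turn classless forwarding on unless that
!    drop is intended.
ip classless
!
! Check: "show route-map DMZ-VIA-ISP2" counts policy-matched packets, and a
! traceroute from a DMZ host should show the first hop on Serial1/1:0.
```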



2600 help , dmz, [7:256]

2001-04-11 Thread Moahzam Durrani

we have a 2620 with two built in DSU/CSU. At the moment we are using 1 T1
from an ISP for internet access. We have another T1 available from a
different ISP. We want to hang some servers on our DMZ so that anyone
outside could access a web server. I am using RIP as a protocol. My concern
is that I hope users inside will not experience problems browsing the
internet, i.e. there won't be a confusion for routing between the two ISPs.
Corporate users should not browse the net through serial 1/1. Oh yeah, the
IP address configured for the DMZ has a network address of x.x.252.0
255.255.255.0. Below is a config, is something missing? If anyone could
suggest anything please let me know, I'd appreciate it.




controller T1 1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
 description T1 TO CONCENTRIC
!
controller T1 1/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
 description T1 to FIRST INTERNET ALLIANCE
!
! corporate
interface FastEthernet0/0
 ip address x.x.245.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Serial1/0:0
 description concentric
 ip address z.z.z.56 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 no fair-queue
!
! to be used for DMZ servers only
interface Serial1/1:0
 description FIRST INTERNET ALLIANCE
 ip address a.a.a.26 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 no shutdown
!
router rip
 ! corporate network
 network x.x.0.0
 ! another network
 network y.y.y.0
 ! the concentric isp network
 network z.z.z.0
 ! new ISP network for DMZ servers
 network a.a.a.0
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0:0
ip route x.x.0.0 255.255.0.0 x.x.245.10
Mo Durrani
IS&T 
WYSE\EDS
phone:408-473 1246
[EMAIL PROTECTED]
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=256&t=256



Re: DMZ

2001-03-28 Thread hal9001

Quite simply it's an area between the router and say a firewall that is
protecting the inner network.  A lot of companies will place mail and
internet servers there.  They get less protection than those hosts behind
the firewall but are available resources to both the internet side and the
protected networks.  Anyone improve on this please!

Karl
- Original Message -
From: "Adekola, Dennis D" <[EMAIL PROTECTED]>
To: "CISCO" <[EMAIL PROTECTED]>
Sent: Wednesday, March 28, 2001 8:16 PM
Subject: DMZ


> Hi all
>
> I frequently hear the term DMZ (Demilitarized Zone) being thrown around me
>
> Can anyone please enlighten me
>
> Cheers
>
> Dennis
>




Re: DMZ

2001-03-28 Thread Z

Another rough answer: Ok, the DMZ deals with a 3 part firewall. Basically,
there is a LAN that hangs off of your firewall that contains your servers
like the e-comm. and mail. Then you have your internal LAN where your users
are. In order for your users to get out to the net they have to go through
the servers on your DMZ right? Well if somebody out on the net was watching
and waiting for you to come out, if they traced you and somehow got past the
external FW, they would only reach your servers and not make it into your
users LAN because to them the info originated from the servers. That's why
it's called the Demilitarized zone...somebody can give a more detailed
explanation...this was just Layman's terms...hope I helped.


NetEyez - CCNP, CCDA

- Original Message -
From: "Adekola, Dennis D" <[EMAIL PROTECTED]>
To: "CISCO" <[EMAIL PROTECTED]>
Sent: Wednesday, March 28, 2001 2:16 PM
Subject: DMZ


> Hi all
>
> I frequently hear the term DMZ (Demilitarized Zone) being thrown around me
>
> Can anyone please enlighten me
>
> Cheers
>
> Dennis
>




Re: DMZ

2001-03-28 Thread John Neiberger

The DMZ is an area of your network that the outside world has access to
but is separated by security devices from the rest of your internal
network.  For example:

Inside Network <---> Firewall <---> DMZ <---> Firewall/Router <---> Internet

The DMZ would hold your file servers and web servers, for instance.  A
setup like this allows you to be more specific in your access control.

HTH,
John

>>> "Adekola, Dennis D" <[EMAIL PROTECTED]> 3/28/01
12:16:50 PM >>>
Hi all

I frequently hear the term DMZ (Demilitarized Zone) being thrown around
me

Can anyone please enlighten me

Cheers

Dennis







DMZ

2001-03-28 Thread Adekola, Dennis D

Hi all

I frequently hear the term DMZ (Demilitarized Zone) being thrown around me

Can anyone please enlighten me

Cheers

Dennis




Re: DMZ

2001-02-02 Thread Mason Eike


DMZ stands for Demilitarized Zone and is also called a Perimeter
network.  A DMZ adds another layer of security between an external and
internal network.  The purpose of the DMZ is that if someone is able
to break into your network like the WAN router or other device they
won't be able to see the traffic passed between hosts on your Internal
network, because the intruded upon device is on an external network on
a completely different segment than your LAN traffic.  Some companies
place their mail servers and webservers on a separate segment from
their Internal LAN.  If the web, mail, or DNS server is compromised,
your Internal LAN traffic is still protected from the intruder since
the hosts/devices in the DMZ aren't seeing indirect LAN traffic
because of the internal router.

Sample diagram:

        {  Internet  }
              |
              |
        ( + ) External router
              |
              |-----[ ]  Server on DMZ segment
              |
        ( + ) Internal router
              |
        -------------
        |           |
      [ ]         [ ]
     Host A      Host B



On 2 Feb 2001 12:32:36 -0500, [EMAIL PROTECTED] ("Snyder, LeRoy F")
wrote:

>Could anyone explain the DMZ process in a little
>more detail? 
>
>-Original Message-
>From: John Chang [mailto:[EMAIL PROTECTED]]
>Sent: Sunday, January 28, 2001 4:25 PM
>To: [EMAIL PROTECTED]
>Subject: DMZ
>
>
>Does anyone know a good book or article on the web that explains DMZ in 
>great detail?  Thank you.
>




RE: DMZ

2001-02-02 Thread Snyder, LeRoy F

Could anyone explain the DMZ process in a little
more detail? 

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 28, 2001 4:25 PM
To: [EMAIL PROTECTED]
Subject: DMZ


Does anyone know a good book or article on the web that explains DMZ in 
great detail?  Thank you.




Re: DMZ

2001-01-28 Thread Larry Osei-Kwaku

Download the pdf file from
http://support.intel.com/support/express/routers/9500/dmz.htm

Also look at Building Internet Firewalls
by Elizabeth D. Zwicky and Brent Chapman, O'Reilly &
Associates; ISBN: 1565928717  

Larry Osei-Kwaku

<[EMAIL PROTECTED]> wrote:
> Does anyone know a good book or article on the web that explains DMZ in
> great detail?  Thank you.





RE: DMZ

2001-01-28 Thread Dave Swink

John,

http://www.pcwebopedia.com/  will give you a brief description.

It is not really too complex.  A DMZ is an area of intermediate security
between the Internet and the internal network.  The idea is to allow access
to some resources (Web servers, mail servers, etc) for users coming from the
Internet without allowing them full access into your internal network.

This link discusses setting up a PIX firewall with a DMZ:
http://www.cisco.com/warp/public/110/9.html

Dave Swink

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> John Chang
> Sent: Sunday, January 28, 2001 3:25 PM
> To: [EMAIL PROTECTED]
> Subject: DMZ
>
>
> Does anyone know a good book or article on the web that explains DMZ in
> great detail?  Thank you.
>



DMZ

2001-01-28 Thread John Chang

Does anyone know a good book or article on the web that explains DMZ in 
great detail?  Thank you.




Re: Pass-thru DMZ?

2000-09-20 Thread WKelly

A demilitarized zone (DMZ) is to protect your publicly reachable servers behind
the firewall. The difference between the more common scenario with two
interfaces and the DMZ, where you use three interfaces, is that the third
interface is a separate segment to which you connect your publicly reachable
servers. This includes for example your web server, mail server, dns and
others.

You can set up light filtering to your DMZ interface in addition to a more
rigorous filtering to the private interface. A DMZ will typically have -

- a public interface, which connects to an ISP
- a private interface, which connects to your Internal LAN
- a DMZ interface, which connects to a separate segment where your publicly
reachable servers are.

Regards
William Kelly


Kedar Deshpande wrote:

> Hi,
>
> I think that's not true..!! DMZ is a region which is a separate
> network. In our secured network we need some servers like web servers
> to be accessed from outside. So we keep them in a separate network, normally
> connected on a separate interface on the FW, but that zone is also very well
> protected by the firewall, but less secured than the internal interface.
>
> regards,
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jason Centrella
> Sent: Tuesday, September 19, 2000 2:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Pass-thru DMZ?
>
> DMZ stands for demilitarized zone.  It usually means that you can put a
> machine or server outside of your firewall.  This means that this particular
> machine will not be protected by the firewall.
>
>  -Jay
>
> Dave Malik wrote:
>
> > I wanted to find out what would be the correct setup/definition of a
> > "pass-thru DMZ". I think the PIX experts would probably know this.
> >
> > Any comments are appreciated.
> >
> > Regards,
> > Dave
> >
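A PIX 6.x configuration that puts the three-interface layout William describes together with the egress rule Keith Townsend suggested earlier in the DMZ Basics thread (only the proxy and the mail server may leave); this is an added example, not from any post, and every address, interface and ACL name in it is a constructed placeholder (203.0.113.0/24 stands in for the ISP block).

```cisco
! Added example (not from the thread): three-interface PIX 6.x with the
! security levels William Kelly describes and the egress control Keith
! Townsend suggests. All addresses, names and hosts are constructed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0
!
! Translation: inside and DMZ hosts share the outside address (PAT). The DMZ
! web server (.10) and SMTP relay (.25) get fixed public addresses. The
! identity static keeps inside addresses unchanged toward the DMZ, which is
! also what lets the relay reach the inside mail server once an ACL allows it.
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.255.0
nat (dmz) 1 192.168.50.0 255.255.255.0
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.25 192.168.50.25 netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.255.0
!
! Outside -> DMZ: rigorous. Only the published services, nothing toward inside.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-list outside_in deny ip any any
access-group outside_in in interface outside
!
! DMZ -> anywhere: light, but a compromised DMZ box still cannot roam inside.
! The relay may send mail out and hand inbound mail to the internal server.
access-list dmz_out permit tcp host 192.168.50.25 host 10.1.0.25 eq smtp
access-list dmz_out permit tcp host 192.168.50.25 any eq smtp
access-list dmz_out permit udp host 192.168.50.25 any eq domain
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz
!
! Inside -> out (Keith's point): instead of the PIX default of letting all
! traffic out, only the proxy (10.1.0.5) and the internal mail server
! (10.1.0.25) may originate sessions; every other inside host must use the
! proxy, so a direct connection from a workstation is dropped here.
access-list inside_out permit tcp host 10.1.0.5 any eq www
access-list inside_out permit tcp host 10.1.0.5 any eq 443
access-list inside_out permit udp host 10.1.0.5 any eq domain
access-list inside_out permit tcp host 10.1.0.25 host 192.168.50.25 eq smtp
access-list inside_out deny ip any any
access-group inside_out in interface inside
!
! Check with "show access-list": the hit count on each explicit deny line
! shows how much traffic is being dropped on that interface and from where.
```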



RE: Pass-thru DMZ?

2000-09-19 Thread Kedar Deshpande

Hi,

I think that's not true..!! DMZ is a region which is a separate
network. In our secured network we need some servers like web servers
to be accessed from outside. So we keep them in a separate network, normally
connected on a separate interface on the FW, but that zone is also very well
protected by the firewall, but less secured than the internal interface.

regards,




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jason Centrella
Sent: Tuesday, September 19, 2000 2:38 PM
To: [EMAIL PROTECTED]
Subject: Re: Pass-thru DMZ?


DMZ stands for demilitarized zone.  It usually means that you can put a
machine or server outside of your firewall.  This means that this particular
machine will not be protected by the firewall.

 -Jay

Dave Malik wrote:

> I wanted to find out what would be the correct setup/definition of a
> "pass-thru DMZ". I think the PIX experts would probably know this.
>
> Any comments are appreciated.
>
> Regards,
> Dave
>



Re: Pass-thru DMZ?

2000-09-19 Thread Jason Centrella

DMZ stands for demilitarized zone.  It usually means that you can put a
machine or server outside of your firewall.  This means that this particular
machine will not be protected by the firewall.

 -Jay

Dave Malik wrote:

> I wanted to find out what would be the correct setup/definition of a
> "pass-thru DMZ". I think the PIX experts would probably know this.
>
> Any comments are appreciated.
>
> Regards,
> Dave
>



Pass-thru DMZ?

2000-09-19 Thread Dave Malik

I wanted to find out what would be the correct setup/definition of a 
"pass-thru DMZ". I think the PIX experts would probably know this.

Any comments are appreciated.

Regards,
Dave




Re: DMZ using DSL

2000-08-08 Thread Donald B Johnson Jr

Linksys sells a real cheap DSL router that connects to your DSL modem.
Duck
- Original Message -
From: Frank Wells <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 08, 2000 8:54 AM
Subject: DMZ using DSL


> Hey folks,
> If I wanted to setup a DMZ using DSL as my Internet connection, what kind
of
> router(s) would you use to give me the three ethernet connections I would
> need?
>
> LAN ----[ ? ]---- DSL
>           |
>          DMZ
>
> Cheers



DMZ using DSL

2000-08-08 Thread Frank Wells

Hey folks,
If I wanted to setup a DMZ using DSL as my Internet connection, what kind of 
router(s) would you use to give me the three ethernet connections I would 
need?

LAN ----[ ? ]---- DSL
          |
         DMZ

Cheers
