Re: Can I picks a PIX?

2000-10-14 Thread Evgeny Babanin

Dear "Cthulu, CCIE Candidate",

a) Correct me if I'm wrong: you cannot make "conventional" routers pick up a
DHCP address on an interface, though you can do this with DSL routers and the
latest flavours of IOS for those routers.

b) If it were possible, how are you going to configure interfaces if you
erased NVRAM? In all Ciscos I have seen, if you erase the config and then
reload a router, it comes up with all interfaces shut down, so they cannot
pick up anything from the network.

A much better option is to save the config you want at start-up in flash, as
init.conf for example, and copy it into the startup config and reload the
router every time you want to go back to the initial step.

It is a shame they do not ask such things on the CCIE written, isn't it? :-))


_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Can I picks a PIX?

2000-09-22 Thread Cthulu, CCIE Candidate

> Would you ever want a router interface to pick up an IP address via DHCP?
> Why or why not?
CR:  On a real-world, production network, no.  However, in a lab setting,
just for the heck and convenience of it, it would be cool to have the
routers get an IP address always reserved for them from a local DHCP server.
That way, when you erase and rebuild, that is one less thing to do.  That is
about the only time I would actually use DHCP with a router.

>
> A non-addressable firewall is 100% effective at blocking unauthorized
> traffic, but 0% effective at allowing authorized traffic...

CR: In other words, a paperweight!




**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Can I picks a PIX?

2000-09-22 Thread Gabriel


"Cthulu, CCIE Candidate" <[EMAIL PROTECTED]> wrote in message news:8qb0n2$cip$[EMAIL PROTECTED]...
>
> Anyways, I am going to learn it, and learn it good.  My question is:  can I
> set up any of the interfaces to dynamically acquire an IP address via DHCP?
> I want ethernet 0 to acquire an IP address from our DHCP server.
>
> If the PIX supports it, I will put a DHCP server on it to service my laptop
> on ethernet 1.  If it doesn't I am going to statically assign an IP address
> to the laptop and to ethernet 1, and run NAT to translate between
> inside/outside addresses.

Would you ever want a router interface to pick up an IP address via DHCP?
Why or why not?

A non-addressable firewall is 100% effective at blocking unauthorized
traffic, but 0% effective at allowing authorized traffic...






Re: Can I picks a PIX?

2000-09-21 Thread Rodgers Moore

If I were to reassign the IP address, I could take your site down.  For some
this could cost $$$.  Anyway, the more you allow anything (including people)
to interact with the outside world (outside of itself), the more vulnerable
it becomes to subversion.  A philosophy, not a hard fact.  A paranoid point
of view says I can count on no one but myself.  I trust no one but myself.
So in that way, DHCP is a security risk.

Cisco Secure VPN Client is the software.  ip local pool isn't involved in
assigning the remote computer an IP address; rather, the IP stays local
and a dynamic NAT translation is built in the PIX for the remote computer.
Basically, an IP from the pool becomes the tunnel end point.  There are
many reasons you want to do this, but the biggest is port conflicts.  If 10
remotes all have shared hard drives and appear as the inside IP address of
the PIX, then how would you attach and mount one of them?  All 10 machines
would be using the same port number.  Or, what if there were some protocols
which travel down the tunnel and some that didn't; how would it be decided
which traffic took which path?  What if you had an HR policy that
prohibited the viewing of pornography?  The VPN client would force everything
through the tunnel, where your Internet usage could be logged, monitored, or
proxied.  Responses from the porno sites would have to travel back to the
PIX end and then through the tunnel, and couldn't come straight to you.

etc. etc. etc.

Rodgers Moore

"Cthulu, CCIE Candidate" <[EMAIL PROTECTED]> wrote in message news:8qdk8l$ssv$[EMAIL PROTECTED]...
> Hey, Rodgers,
>
> Thanks!  Hope you don't mind, you are the only one to respond directly, can
> you answer these?
>
> Why would getting an IP address dynamically assigned to the PIX's outside
> interface be a security risk?
>
> Also, if the PIX can't act as a DHCP server, what the heck is this command
> for:
>
> ip local pool
>
> "The ip local pool command lets you create a pool of local addresses to be
> used for assigning dynamic ip addresses to remote VPN clients. The address
> range of this pool of local addresses must not overlap with any command
> statement that lets you specify an IP address. To delete an address pool,
> use the no ip local pool command. Use the show ip local pool command to
> view usage information about the pool of local addresses."
>
> If I read that correctly, I can run some VPN software on my "remote" computer
> and have it get an IP address from the PIX? (inside interface?)
>
> TIA,
>
> Charles
>

Re: Can I picks a PIX?

2000-09-21 Thread David Ristau

PIX is a hardware firewall device.  In simple terms, each interface is
considered a separate network; PIX does routing as well (inside interface ->
inside interface, inside interface -> outside interface & outside interface ->
inside interface).

You will need to create static and conduit statements to go from low
security to high security (these are not dynamic).  You will also need to use
the global statement for high security to low security.

4.3(2) was barely VPN compatible (no ip local pool command).  I believe
4.3(2), which I worked with, could only do PIX <-> PIX VPN with the updated
DES license.

You can use NAT and create a 10.0.0.0/8 network, and you will have 16,000,000
some odd hosts for that network; no need for DHCP on the inside.  If you want
to do PAT, you'll need more than one IP address, and if you want dedicated web
servers inside the PIX you'll need even more dedicated outside IP addresses
and set up a 1:1 relationship between outside and inside.

I had a PIX 510 dropped in my lap, 'cause the company didn't want to spend the
$20,000 - $40,000 the consultant wanted to install it.  It's a fairly complex
piece of hardware.  If you wish to do Windows networking through the PIX, I
wish you the best of luck.

Link on the Cisco web site for PIX v4.3(2) commands:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43cmd.htm



"Cthulu, CCIE Candidate" wrote:
> 
> Hey, Rodgers,
> 
> Thanks!  Hope you don't mind, you are the only one to respond directly, can
> you answer these?
> 
> Why would getting an IP address dynamically assigned to the PIX's outside
> interface be a security risk?
> 
> Also, if the PIX can't act as a DHCP server,  what the heck is this command
> for:
> 
> ip local pool
> 
> "The ip local pool command lets you create a pool of local addresses to be
> used for assigning dynamic
> ip addresses to remote VPN clients. The address range of this pool of local
> addresses must not overlap
> with any command statement that lets you specify an IP address. To delete an
> address pool, use the no
> ip local pool command. Use the show ip local pool command to view usage
> information about the pool
> of local addresses."
> 
> If I read that correctly, I can run some VPN software on my "remote" computer
> and have it get an IP address from the PIX? (inside interface?)
> 
> TIA,
> 
> Charles
> 

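The static, conduit, global and nat statements David describes, laid over the laptop-on-ethernet1 / ethernet0-to-Catalyst topology Charles drew, as an added example that is not from any poster: PIX 5.x-style syntax (ip local pool needs 5.x, as David notes 4.3(2) lacks it) with constructed 192.0.2.x and 10.x addresses. Comment lines use the `:` prefix of PIX saved configs.

```text
: Added example (not from any poster). Addresses are constructed placeholders.
: ethernet1 = inside (laptop), ethernet0 = outside (toward the Catalyst 2900XL).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.0.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

: High -> low security (inside hosts reaching the outside): nat + global.
: nat id 1 covers the whole 10/8 inside range David suggests; global id 1
: supplies the outside addresses. A single global address means PAT (every
: inside host shares 192.0.2.10), which is why it must differ from the
: outside interface address.
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 192.0.2.10 netmask 255.255.255.0

: Low -> high security (outside reaching an inside server): static + conduit.
: static is the 1:1 outside/inside mapping David mentions; the conduit opens
: only TCP/80 to that one mapped host. Nothing else inbound is permitted.
static (inside,outside) 192.0.2.30 10.0.0.30 netmask 255.255.255.255 0 0
conduit permit tcp host 192.0.2.30 eq www any

: Pool handed to remote VPN clients (the "ip local pool" Charles quotes).
: Per the quoted manual text it must not overlap any address configured above.
ip local pool vpnpool 10.1.1.1-10.1.1.50

: Checks after applying:
:   show xlate    -> translations actually built
:   show conduit  -> confirm only the single intended hole exists
```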
Re: Can I picks a PIX?

2000-09-21 Thread Cthulu, CCIE Candidate

Hey, Rodgers,

Thanks!  Hope you don't mind, you are the only one to respond directly, can
you answer these?

Why would getting an IP address dynamically assigned to the PIX's outside
interface be a security risk?


Also, if the PIX can't act as a DHCP server,  what the heck is this command
for:

ip local pool

"The ip local pool command lets you create a pool of local addresses to be
used for assigning dynamic ip addresses to remote VPN clients. The address
range of this pool of local addresses must not overlap with any command
statement that lets you specify an IP address. To delete an address pool,
use the no ip local pool command. Use the show ip local pool command to view
usage information about the pool of local addresses."

If I read that correctly, I can run some VPN software on my "remote" computer
and have it get an IP address from the PIX? (inside interface?)

TIA,

Charles



"Rodgers Moore" <[EMAIL PROTECTED]> wrote in message news:8qdh7m$94h$[EMAIL PROTECTED]...
> Nope.  Besides that would be contrary to good security policy.
>
> Rodgers Moore
>





Re: Can I picks a PIX?

2000-09-21 Thread Rodgers Moore

Nope.  Besides that would be contrary to good security policy.

Rodgers Moore

"Cthulu, CCIE Candidate" <[EMAIL PROTECTED]> wrote in message news:8qb0n2$cip$[EMAIL PROTECTED]...
> Hi, all,
>
> Sorry for the cutesy subject header.  I just got ahold of a Pix firewall; it
> was laying in the office and I stumbled over it on my way to the vending
> machine to pick up some Oreos.  After I ate my Oreos (a little stale, thanks
> for asking), I realized that this was a Pix firewall!  I am 100% new to the
> PIX, but that's irrelevant...
>
> I immediately put it on our network like this:
>
> My laptop  <-> Ethernet 1  PIX Firewall  Ethernet 0 <---> Catalyst 2900XL
>
> Anyways, I am going to learn it, and learn it good.  My question is:  can I
> set up any of the interfaces to dynamically acquire an IP address via DHCP?
> I want ethernet 0 to acquire an IP address from our DHCP server.
>
> If the PIX supports it, I will put a DHCP server on it to service my laptop
> on ethernet 1.  If it doesn't I am going to statically assign an IP address
> to the laptop and to ethernet 1, and run NAT to translate between
> inside/outside addresses.
>
> What am I trying to accomplish?  Nothing, just a learning experience for me.
> Time to upgrade the image!
>
>
> TIA,
>
> Charles
>