RE: Farm Site [7:66090]

2003-03-25 Thread Troy Leliard
Looks ok to me, just a pity that there isn't a CIP card for the 6509 chassis
:)

[EMAIL PROTECTED] wrote:
 
 This is a network requirement:
 
 It is a Farm Site, with Channel interfaces, connection to a Mainframe (OSA
 FETCH and OSA ATM), 215 other servers (Windows 2000 and Unix) and 31 serial
 interfaces.
 
 There will be one 10 Mbps ATM PVC to each big site (5 PVCs total) and
 1 Mbps serial links to small sites (31 sites).
 
 The idea was to use a 6509 with FlexWan and ATM interfaces to provide
 high-speed access to the corporate sites with the highest speed requirements.
 The 6509 would also provide 215 FastEthernet interfaces to the servers.  For
 the small offices, 7507 routers would be used.  The 7507s would also provide
 interfaces to the Channels and to the OSA interfaces of the Mainframe.
 
 
   Corporate Sites ATM Cloud -- 6509 with FlexWan and PA ATM --- 215 FastEthernet interfaces
                                  ||
                                  ||
                                  |-- 7507 --- 15 serial interfaces
                                  |     |_ channel CX-CIP2-ECAP1
                                  |     |_ to OSA FETCH
                                  |
                                  |
                                  |-- 7507 --- 16 serial interfaces
                                        |_ channel CX-CIP2-ECAP1
                                        |_ to OSA ATM
 
 Redundancy is not a concern. It is a mirror site and will be used during
 the recovery time of the main Farm site.
 
 Any thoughts?
 
 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66124t=66090
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Farm Site [7:66068]

2003-03-24 Thread [EMAIL PROTECTED]
Any Comments for the following network requirement?

It is a Farm Site, with Channel interfaces, connection to a Mainframe (OSA
FETCH and OSA ATM), 215 other servers (Windows 2000 and Unix) and 31 serial
interfaces.

There will be one 10 Mbps ATM PVC to each big site (5 PVCs total) and
1 Mbps serial links to small sites (31 sites).

The idea was to use a 6509 with FlexWan and ATM interfaces to provide
high-speed access to the corporate sites with the highest speed requirements.
The 6509 would also provide 215 FastEthernet interfaces to the servers.  For
the small offices, 7507 routers would be used.  The 7507s would also provide
interfaces to the Channels and to the OSA interfaces of the Mainframe.


  Corporate Sites ATM Cloud -- 6509 with FlexWan and PA ATM --- 215 FastEthernet interfaces
                                 ||
                                 ||
                                 |-- 7507 --- 15 serial interfaces
                                 |     |_ channel CX-CIP2-ECAP1
                                 |     |_ to OSA FETCH
                                 |
                                 |
                                 |-- 7507 --- 16 serial interfaces
                                       |_ channel CX-CIP2-ECAP1
                                       |_ to OSA ATM

Redundancy is not a concern. It is a mirror site and will be used
during the recovery time of the main Farm site.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66068t=66068


Farm Site [7:66090]

2003-03-24 Thread [EMAIL PROTECTED]
This is a network requirement:

It is a Farm Site, with Channel interfaces, connection to a Mainframe (OSA
FETCH and OSA ATM), 215 other servers (Windows 2000 and Unix) and 31 serial
interfaces.

There will be one 10 Mbps ATM PVC to each big site (5 PVCs total) and
1 Mbps serial links to small sites (31 sites).

The idea was to use a 6509 with FlexWan and ATM interfaces to provide
high-speed access to the corporate sites with the highest speed requirements.
The 6509 would also provide 215 FastEthernet interfaces to the servers.  For
the small offices, 7507 routers would be used.  The 7507s would also provide
interfaces to the Channels and to the OSA interfaces of the Mainframe.


  Corporate Sites ATM Cloud -- 6509 with FlexWan and PA ATM --- 215 FastEthernet interfaces
                                 ||
                                 ||
                                 |-- 7507 --- 15 serial interfaces
                                 |     |_ channel CX-CIP2-ECAP1
                                 |     |_ to OSA FETCH
                                 |
                                 |
                                 |-- 7507 --- 16 serial interfaces
                                       |_ channel CX-CIP2-ECAP1
                                       |_ to OSA ATM

Redundancy is not a concern. It is a mirror site and will be used
during the recovery time of the main Farm site.

Any thoughts?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66090t=66090


Site to Site VPN on VPN Concentrator 3005 [7:65596]

2003-03-17 Thread Curious
Guys-
I have set up VPN (Site to Site & Cisco VPN Client) on a PIX; now we are
moving off the PIX and buying a Cisco VPN Concentrator 3005.
I have heard that the Cisco VPN Concentrator is not a good choice for Site to
Site VPN connections.
Please tell me if it is true and why a dedicated VPN device is not suitable for
Site to Site VPN.

thanks,

--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65596t=65596


Backup Site - 152Mbps [7:63866]

2003-02-26 Thread [EMAIL PROTECTED]
To build a backup server farm site (22 servers), with maximum requirement
of 152Mbps (peak):

Economic approach:

3640 with ATM module
3550-48-SMI
3 ATM PVCs, to the major points of the backbone (LS1010 switches and
6509-FlexWan ATM card); each PVC 5 Mbps SCR.

Robust and Scalable approach:

6006 with ATM module


The peak is the maximum rate if all servers were accessed at the same time
(based on MRTG daily statistics).

Any thoughts?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63866t=63866


Re: Backup Site - 152Mbps [7:63866]

2003-02-26 Thread The Long and Winding Road
wrote in message
news:[EMAIL PROTECTED]
 To build a backup server farm site (22 servers), with maximum requirement
 of 152Mbps (peak):

 Economic approach:

 3640 with ATM module
 3550-48-SMI
 3 ATM PVCs, to the major points of the backbone (LS1010 switches and
 6509-FlexWan ATM card); each PVC 5 Mbps SCR.

 Robust and Scalable approach:

 6006 with ATM module


 The peak is the maximum rate if all servers were accessed at the same time
 (based on MRTG daily statistics).

 Any thoughts?


based on my experience, the 3640 may not give you the performance you
require. especially if you are using any access-lists, route-maps, QoS.

Also, with your peaks at well over 100 meg, you might want to consider a gig
interface on the LAN side.

a thought - use a dual ethernet router like a 3745 ( twice the performance
of the 3640 ) in combination with the switch ( which can easily handle the
load ) put your servers into two subnets / vlans and do quasi-load-sharing
across those two ethernet interfaces. depends on your traffic requirements.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63873t=63866


Re: Backup Site - 152Mbps [7:63866]

2003-02-26 Thread Troy Leliard
I'm never a big fan of having backup sites that lie active | standby!  You
may want to look at getting a CSS and doing GSLB (Global Server Load
Balancing!)

Anyway, back to your question ... How much of the traffic is local?  You say
that you have a peak of 152MB's, but you will only have 3 x 5MB PVC's coming
into the server farm?  Do you have a lot of traffic between the servers?
If not, a 3620 would even be sufficient, with an ATM interface and an FE
interface.  It also depends on how much resilience you would like in this
backup site.

I have a similar scenario, where I make use of a 3620, with 100FX and 100TX
interfaces, going to a 3548G-L3, and from there into server / user vlans etc!

Cheers
Troy


The Long and Winding Road wrote:
 
  wrote in message
 news:[EMAIL PROTECTED]
  To build a backup server farm site (22 servers), with maximum
 requirement
  of 152Mbps (peak):
 
  Economic approach:
 
  3640 with ATM module
  3550-48-SMI
  3 ATM PVCs, to the major points of the backbone (LS1010
 switches and
  6509-FlexWan ATM card); each PVC 5 Mbps SCR.
 
  Robust and Scalable approach:
 
  6006 with ATM module
 
 
  The peak is the maximum rate if all servers were accessed at the same
  time (based on MRTG daily statistics).
 
  Any thoughts?
 
 
 based on my experience, the 3640 may not give you the
 performance you
 require. especially if you are using any access-lists,
 route-maps, QoS.
 
 Also, with your peaks at well over 100 meg, you might want to
 consider a gig
 interface on the LAN side.
 
 a thought - use a dual ethernet router like a 3745 ( twice the
 performance
 of the 3640 ) in combination with the switch ( which can easily
 handle the
 load ) put your servers into two subnets / vlans and do
 quasi-load-sharing
 across those two ethernet interfaces. depends on your traffic
 requirements.
 
 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63878t=63866


ISDN BRI- 3-site, Full Mesh - DDR w/Dialer Profile [7:63570]

2003-02-22 Thread Joshua Franklin
Each of the three routers had the same exact config. except for details such
as username/password for CHAP, IP's, phone #'s, etc...  The config'd items
were the same.

1 BRI int
2 Dialer Ints (dialer profile for each of the other 2 sites)
1 dialer pool

This was in a lab at school and is disconnected now.

However, the issue was that I could get the first connection up fine.  For
example SJ-1 to London, and the pings were good.  Then, with the 1st
connection up, I couldn't get the 2nd.

DEBUG showed:

It couldn't dial b/c 2 calls were going on and 2 was the max.  
BUT
sh dialer showed the 1st B-channel connected
and the 2nd idle.

The debug output was from the dialer

I got it to work by using the min parameter in the dialer-pool member
command.  (Set it to 2).

I want to know why this worked.  What am I not understanding?

I have read a lot of the DDR and ISDN BRI documentation I could find on
Cisco's site and I have re-read the Networking Academy chapter on DDR and
ISDN BRI.

I still don't understand why that command made it work.

It seems to me the problem was that the dialer profile did not see any
available physical int's to use so, it failed.
(BTW, it started the fast-idle timer right away which makes sense)

Maybe, if I hear/see it explained a couple of different ways it'll sink in.

Thanks in Advance!!

Joshua 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63570t=63570


Re: FTP site needed for MPLS for 2500 files [7:63056]

2003-02-16 Thread Christ A. Saputra
Thanks Aidan & Dennis.
I've got them. How about the flash & DRAM requirement to run those IOSs?

Rgrds,
Chris

- Original Message -
From: Aidan Marks 
To: 
Sent: Friday, February 14, 2003 12:36 PM
Subject: Re: FTP site needed for MPLS for 2500 files [7:63056]


 The 2500 mpls images are available here:

 ftp://ftp-eng.cisco.com/rraszuk/specials/

 They have been there for a while. What more do you need?

 Aidan

 At 07:09 AM 15/02/2003, Dennis Laganiere wrote:

 A few months ago I put together a free document for loading an
experimental
 version of IOS that allows you to run MPLS on cheap 2500 series routers.
I
 didn't create the software, I just gave instructions for installing it
and
 then pointed out where the files were, for anybody who wanted to play
with
 it.
 
 Since then the ftp site where the files were posted keeps deleting them
(not
 surprising, since I didn't ask permission)...  Is anyone running an FTP
 server where the files can be posted for anybody who wants to play with
MPLS
 to be able to pull them down?  Think of it as contributing to the common
 good of the group (or rather, groupstudy)...
 
 Let me know.  Thanks...
 
 --- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63141t=63056



Site-to-Site and Remote Access VPN on PIX? [7:63100]

2003-02-15 Thread Kim Seng
Greetings,

Can I configure the PIX to do both site-to-site and
Remote access VPN at the same time?

I think it is impossible since I can only apply only
one crypto map to the outside interface.

Can someone confirm?

Kim.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63100t=63100



RE: Site-to-Site and Remote Access VPN on PIX? [7:63100]

2003-02-15 Thread Mark W. Odette II
Look into Dynamic map configuration. It's an extension of the Crypto
Map, as you can only apply one crypto map to the interface (outside).

See the CCO website for more details (search Google for "dynmap" and "PIX",
and you should find several examples).  On CCO's site, do a search on
"Technical Tips on PIX".

HTH's
-Mark

-Original Message-
From: Kim Seng [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, February 15, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: Site-to-Site and Remote Access VPN on PIX? [7:63100]

Greetings,

Can I configure the PIX to do both site-to-site and
Remote access VPN at the same time?

I think it is impossible since I can only apply only
one crypto map to the outside interface.

Can someone confirm?

Kim.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63102t=63100



Re: FTP site needed for MPLS for 2500 files [7:63070]

2003-02-15 Thread Morton Thiokol
Dennis,

I tried to pull the images but identification (username,password) was asked
from me.

Dennis Laganiere wrote:

 As long as it's available to everybody, that's good enough for me.

 Thanks...

 --- Dennis

 -Original Message-
 From: Aidan Marks [mailto:[EMAIL PROTECTED]]
 Sent: Friday, February 14, 2003 12:34 PM
 To: Dennis Laganiere
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: FTP site needed for MPLS for 2500 files

 The 2500 mpls images are available here:

 ftp://ftp-eng.cisco.com/rraszuk/specials/

 They have been there for a while. What more do you need?

 Aidan

 At 07:09 AM 15/02/2003, Dennis Laganiere wrote:

 A few months ago I put together a free document for loading an
experimental
 version of IOS that allows you to run MPLS on cheap 2500 series routers. I
 didn't create the software, I just gave instructions for installing it and
 then pointed out where the files were, for anybody who wanted to play with
 it.
 
 Since then the ftp site where the files were posted keeps deleting them
 (not
 surprising, since I didn't ask permission)...  Is anyone running an FTP
 server where the files can be posted for anybody who wants to play with
 MPLS
 to be able to pull them down?  Think of it as contributing to the common
 good of the group (or rather, groupstudy)...
 
 Let me know.  Thanks...
 
 --- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63114t=63070



RE: Site-to-Site and Remote Access VPN on PIX? [7:63100]

2003-02-15 Thread Albert Lu
Kim,

It will work, I've done it before. It is true that you can only have 1
crypto map per interface, but you can have multiple ISAKMP/IPSEC policies
for different tunnels in that crypto map. However, for dynamic crypto map
used for remote access VPN, what happens is that the dynamic crypto map is
just like the normal crypto map in the way it's defined, but you hook up the
dynamic crypto map to the crypto map which is applied to the interface.

Check out the link below.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/config/ipsecint.htm

One limitation I encountered with client VPN on a PIX is that you won't be
able to use local authentication, since the PIX doesn't support local
usernames/passwords like IOS does. So you just log in with the group name and
password. You can, though, hook it up to an ACS server to do your extended
authentication to specify different users.


Regards,

Albert
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kim Seng
Sent: Sunday, February 16, 2003 4:26 AM
To: [EMAIL PROTECTED]
Subject: Site-to-Site and Remote Access VPN on PIX? [7:63100]


Greetings,

Can I configure the PIX to do both site-to-site and
Remote access VPN at the same time?

I think it is impossible since I can only apply only
one crypto map to the outside interface.

Can someone confirm?

Kim.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63119t=63100
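As an added example (not from any of the posts above) of the arrangement Mark and Albert describe, here is a PIX 6.x configuration sketch with one crypto map on the outside interface carrying a static site-to-site entry and a dynamic map entry for remote-access clients. All addresses, names, the address pool and the AAA server are placeholders.

```text
: Added example, not from the original posts. Addresses, names, the pool
: and the AAA server are placeholders; adjust to your own environment.

: Phase 1 policy shared by the site-to-site peer and the VPN clients
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Pre-shared key for the fixed site-to-site peer (placeholder address)
isakmp key <site-key> address 203.0.113.10 netmask 255.255.255.255

: Phase 2 transform set used by both tunnel types
crypto ipsec transform-set strong esp-3des esp-sha-hmac

: Interesting traffic for the site-to-site tunnel (placeholder subnets)
access-list l2l permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

: Exempt tunnel traffic from NAT so it matches the crypto ACL on both ends;
: 10.3.3.0/24 is the placeholder pool handed to remote-access clients below
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list nonat

: Static entry: low sequence number, evaluated before the dynamic entry
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address l2l
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 10 set transform-set strong

: Dynamic crypto map for clients whose address is not known in advance,
: hooked into the same crypto map with the highest sequence number
crypto dynamic-map dynmap 10 set transform-set strong
crypto map mymap 65535 ipsec-isakmp dynamic dynmap

: Client group: the vpngroup password is the group pre-shared key; per-user
: extended authentication goes to an external AAA server (placeholder)
ip local pool vpnpool 10.3.3.1-10.3.3.50
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers password <group-key>
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5 <aaa-key> timeout 5
crypto map mymap client configuration address initiate
crypto map mymap client authentication ACS

: Only one crypto map per interface, which is why both entries live in mymap
crypto map mymap interface outside

: Lets decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

Keep the dynamic entry at the highest sequence number so the specific peer entry is evaluated first, and remember that sysopt connection permit-ipsec lets decrypted tunnel traffic bypass the outside interface ACL, so the inside policy is all that restricts what remote-access users can reach.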



FTP site needed for MPLS for 2500 files [7:63054]

2003-02-14 Thread Dennis Laganiere
A few months ago I put together a free document for loading an experimental
version of IOS that allows you to run MPLS on cheap 2500 series routers. I
didn't create the software, I just gave instructions for installing it and
then pointed out where the files were, for anybody who wanted to play with
it.  

Since then the ftp site where the files were posted keeps deleting them (not
surprising, since I didn't ask permission)...  Is anyone running an FTP
server where the files can be posted for anybody who wants to play with MPLS
to be able to pull them down?  Think of it as contributing to the common
good of the group (or rather, groupstudy)...

Let me know.  Thanks...

--- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63054t=63054



Re: FTP site needed for MPLS for 2500 files [7:63056]

2003-02-14 Thread Aidan Marks
The 2500 mpls images are available here:

ftp://ftp-eng.cisco.com/rraszuk/specials/

They have been there for a while. What more do you need?

Aidan

At 07:09 AM 15/02/2003, Dennis Laganiere wrote:

A few months ago I put together a free document for loading an experimental
version of IOS that allows you to run MPLS on cheap 2500 series routers. I
didn't create the software, I just gave instructions for installing it and
then pointed out where the files were, for anybody who wanted to play with
it.

Since then the ftp site where the files were posted keeps deleting them (not
surprising, since I didn't ask permission)...  Is anyone running an FTP
server where the files can be posted for anybody who wants to play with MPLS
to be able to pull them down?  Think of it as contributing to the common
good of the group (or rather, groupstudy)...

Let me know.  Thanks...

--- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63056t=63056



RE: FTP site needed for MPLS for 2500 files [7:63070]

2003-02-14 Thread Dennis Laganiere
As long as it's available to everybody, that's good enough for me.

Thanks...

--- Dennis  

-Original Message-
From: Aidan Marks [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 12:34 PM
To: Dennis Laganiere
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: FTP site needed for MPLS for 2500 files

The 2500 mpls images are available here:

ftp://ftp-eng.cisco.com/rraszuk/specials/

They have been there for a while. What more do you need?

Aidan

At 07:09 AM 15/02/2003, Dennis Laganiere wrote:

A few months ago I put together a free document for loading an experimental
version of IOS that allows you to run MPLS on cheap 2500 series routers. I
didn't create the software, I just gave instructions for installing it and
then pointed out where the files were, for anybody who wanted to play with
it.

Since then the ftp site where the files were posted keeps deleting them
(not
surprising, since I didn't ask permission)...  Is anyone running an FTP
server where the files can be posted for anybody who wants to play with
MPLS
to be able to pull them down?  Think of it as contributing to the common
good of the group (or rather, groupstudy)...

Let me know.  Thanks...

--- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63070t=63070



translating network from VPN site [7:62919]

2003-02-12 Thread Milan Jovancic
Hello,
I have some interesting scenario for all.

Well,
I have two locations connected over an ISP through a VPN tunnel:

Central office side: I have a router and a PIX 515E with 3 interfaces.

'remote office' network: 192.168.2.0/24
'main office' network : 192.0/24

The VPN tunnel is over a frame-relay DLCI and only one subinterface on the
central office router can access the global network:

IPsec Tunnel: (outside port PIX)  (router on remote office, some Allied
Telesyn)

The hint:
I can access the main office from the remote office, but I CAN'T do a static
IP address map from the remote office to exit to the Internet with a public IP
address, because I can't NAT an IP address from the outside interface back to
the outside interface again with a public IP, or can I!?

The one solution is probably to configure another interface for the VPN
tunnel with the remote office and then do NAT for that interface through
outside, but I don't have another interface, only intf2/DMZ.

Please, is there any good advice for this scenario?

Best regards,
Milan Jovancic 



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62919t=62919



Site-to-Site and Remote Access VPN on PIX? [7:62937]

2003-02-12 Thread Kim Seng
Greetings,

Can I configure a Cisco PIX firewall to do both
site-to-site and remote access VPN with preshared keys in
one box?

The reason I ask is because after configuring the
site-to-site VPN, my remote access VPN stops working.

Kim.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62937t=62937



Re: Site to Site VPN Monitering on PIX [7:62676]

2003-02-09 Thread Steven A. Ridder
CiscoWorks VMS 2.1

--

RFC 1149 Compliant.



Curious wrote in message news:[EMAIL PROTECTED]...
 I have set up Site to Site VPN between our corporate PIX 515 and our
 developers' PIX 501; I want to monitor the VPN traffic of these Site to Site
 VPN connections.
 Please tell me what tools are available to accomplish this.

 thanks,


 --
 Curious

 MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62693t=62676



RE: Site to Site VPN Monitering on PIX [7:62676]

2003-02-09 Thread mjans001
You want to use PDM. That is easy.

Martijn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Friday, 7 February 2003 23:46
To: [EMAIL PROTECTED]
Subject: Site to Site VPN Monitering on PIX [7:62676]


I have set up Site to Site VPN between our corporate PIX 515 and our
developers' PIX 501; I want to monitor the VPN traffic of these Site to
Site VPN connections. Please tell me what tools are available to
accomplish this.

thanks,


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62709t=62676



Site to Site VPN Monitering on PIX [7:62676]

2003-02-07 Thread Curious
I have set up Site to Site VPN between our corporate PIX 515 and our
developers' PIX 501; I want to monitor the VPN traffic of these Site to Site
VPN connections.
Please tell me what tools are available to accomplish this.

thanks,


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62676t=62676



RE: Site to Site VPN Monitering on PIX [7:62676]

2003-02-07 Thread Elijah Savage III
What kind of info are you looking for?  We actually use MRTG to graph
how many users we have logged in to our 3030's, which are load balanced.


-Original Message-
From: Curious [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 07, 2003 5:46 PM
To: [EMAIL PROTECTED]
Subject: Site to Site VPN Monitering on PIX [7:62676]

I have set up Site to Site VPN between our corporate PIX 515 and our
developers' PIX 501; I want to monitor the VPN traffic of these Site to Site
VPN connections.
Please tell me what tools are available to accomplish this.

thanks,


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62685t=62676



VPN Management and Reporting for Cisco Site-to-site VPN [7:62418]

2003-02-03 Thread Thomas N.
Hi All,

I am deploying Site-to-site VPN using Cisco IOS routers.  I am wondering
what software packages are available offering management, connectivity
monitoring of tunnels, and content reporting?  How much do they cost?  Thanks!

Thomas




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62418t=62418



Re: VPN Management and Reporting for Cisco Site-to-site VPN [7:62426]

2003-02-03 Thread dre
Thomas N.  wrote in message ...
 I am deploying Site-to-site VPN using Cisco IOS routers.  I am
 wondering what software packages are available offering management,
 connectivity monitoring of tunnels, and content reporting?  How much
 do they cost?  Thanks!

Most people roll-their-own (i.e. use a home-grown solution).

They often use the following base programming languages to do so: C,
C++, Java, Perl, Python, Tcl, Expect, Ruby, Unix Shell, and similar,
less-powerful Microsoft or IBM languages (NT Shell, Visual Basic,
VBScript, C#, REXX, JCL, COBOL, etc).  Sometimes applications are
written in assembly (x86, m68k, mips), but this is less often the case.

Sometimes the use of libraries, or modules, are used (net-snmp,
libgd, the ANSI/ISO C libraries, C++ STL templates, CPAN Perl
modules) other times, horrific sub-languages are created instead
(Microsoft Foundation Classes) and munged -- but possibly made useful.

Sometimes these are packaged together in the form of commercial
(read: over-priced) or open-source software (e.g. MRTG), but often
these packages do not meet any specific needs, only generic
requirements that often involve complex customization anyways.

However, functionality that meets your criteria is available as a
$20k or thereabouts software package from Cisco, simply search on
their website under Network Management and find a VPN-specific
solution that appears to meet your needs.  In reality, this sort
of package requires more than just customization, it requires
more time and money in the form of software application babysitting,
and late-night calls to Cisco for tech support calls that are
followed up the next day and night by more calls, ad nauseam.
For some reason, other commercial products and even the least
hardened (or worst coded) open-source software packages do
not seem to suffer this babysitting complex, while CiscoWorks
does.  I do not have room in this email to further explain this
phenomenon.

You may find that the easiest route is to collect some Cisco IOS
SNMP MIB OID's (enough acronyms for you there?) and graph
them, while also either using an external application to create
thresholds on the OID values (counter or gauge integer types),
or an internal polling mechanism such as SAA or RMON alarms
and events (and have the thresholds sent to your pager or email
or syslog file or operations center monitor).

This is often very easily accomplished with NET-SNMP or MRTG,
which are open-source and free to download.  Others find it is
best to have it centrally located in some type of overlord system
such as IRCd, or $100M/year software-supported applications made
by the likes of the network management triumvirate - HP, CA, and
IBM/Tivoli.

It is also recommended that you choose one platform/package and
not, for example, 3 (especially when you end up spending $300M per
year).  Often what you hear of as best-of-breed is normally just
another way of adding additional complexity, under-utilization, and
exponential interoperability issues between platforms/packages.

-dre




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62426t=62426



Re: Off Topic - More Bitching about Cisco's New Web Site [7:60438]

2003-01-06 Thread John Neiberger
Chuck, 

I hate to say "Me, too!" but that's the case.  I still hate the new
site with a passion.  They swear that it's supposed to be easier to use
but it certainly is not, at least not yet.  I'm sure we'll all get used
to it and they'll eventually fix all the links, but as it stands right
now I try to avoid their site whenever possible.

John

 The Long and Winding Road 
1/4/03 11:37:15 AM 
Is it just me? More broken links? Harder to find the everyday tools?
Slower - a LOT slower - navigating around?

Seems like just about every day I'm filling out one of those feedback
forms
to report a problem. assuming I've found the basic page I'm looking
for
anyway.

For example - check out the links on this page.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/index.htm
watch the wrap

and whatever happened to the tool index? It was no fun searching for
the
Software Advisor and the IOS Upgrade Planner this morning.

grumble grumble grumble



--
TANSTAAFL
there ain't no such thing as a free lunch




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60438t=60438



RE: Off Topic - More Bitching about Cisco's New Web Site [7:60443]

2003-01-06 Thread Bernard
I do not know any of my colleagues who like the new format.
I always choose the previous format by clicking Access Former Website
on the right column of the new home page. 
Or go to http://www.cisco.com/cco.shtml for the good old
familiar format.

-Bernard



 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of
 John Neiberger
 Sent: Monday, January 06, 2003 8:56 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Off Topic - More Bitching about Cisco's New Web Site
 [7:60438]
 
 Chuck,
 
 I hate to say "Me, too!" but that's the case.  I still hate the new
 site with a passion.  They swear that it's supposed to be easier to
use
 but it certainly is not, at least not yet.  I'm sure we'll all get
used
 to it and they'll eventually fix all the links, but as it stands right
 now I try to avoid their site whenever possible.
 
 John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60443t=60443



Re: Off Topic - More Bitching about Cisco's New Web Site [7:60468]

2003-01-06 Thread not enough time to study
I don't like the new format either.  Sent them feedback which included a
request for the ability to personalize my own version of the CCO start page like
you can with Yahoo, a la My Yahoo.  They say that's in the works.  Maybe
something to look forward to.


Bernard wrote in message news:[EMAIL PROTECTED]...
 I do not know any of my colleagues who like the new format.
 I always choose the previous format by clicking Access Former Website
 on the right column of the new home page.
 Or go to http://www.cisco.com/cco.shtml for the good old
 familiar format.

 -Bernard





  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
 Of
  John Neiberger
  Sent: Monday, January 06, 2003 8:56 AM
  To: [EMAIL PROTECTED]
  Subject: Re: Off Topic - More Bitching about Cisco's New Web Site
  [7:60438]
 
  Chuck,
 
  I hate to say "Me, too!" but that's the case.  I still hate the new
  site with a passion.  They swear that it's supposed to be easier to
 use
  but it certainly is not, at least not yet.  I'm sure we'll all get
 used
  to it and they'll eventually fix all the links, but as it stands right
  now I try to avoid their site whenever possible.
 
  John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60468t=60468



Off Topic - More Bitching about Cisco's New Web Site [7:60299]

2003-01-04 Thread The Long and Winding Road
Is it just me? More broken links? Harder to find the everyday tools?
Slower - a LOT slower - navigating around?

Seems like just about every day I'm filling out one of those feedback forms
to report a problem. assuming I've found the basic page I'm looking for
anyway.

For example - check out the links on this page.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/index.htm
watch the wrap

and whatever happened to the tool index? It was no fun searching for the
Software Advisor and the IOS Upgrade Planner this morning.

grumble grumble grumble



--
TANSTAAFL
there ain't no such thing as a free lunch




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60299t=60299



Re: Off Topic - More Bitching about Cisco's New Web Site [7:60308]

2003-01-04 Thread Marc Thach Xuan Ky
Well I thought the site was very slow - until I realised I'd stuck a
clock rate 64000 on my frameswitch router so that I could see some
queueing :-) I now go straight for the search button, but there are some
horrors in there.  There seem to be more pdfs as well which is good, but
then sometimes there is only a pdf.  There's a bit under technologies
where I burrowed down through QoS, congestion management, through
queuing and then to WFQ to find a short paragraph telling me what it
was.  I'd really wanted a white paper detailing algorithms!
I'm sure I'll crack it sometime.
rgds
Marc

The Long and Winding Road wrote:
 
 Is it just me? More broken links? Harder to find the everyday tools?
 Slower - a LOT slower - navigating around?
 
 Seems like just about every day I'm filling out one of those feedback forms
 to report a problem. assuming I've found the basic page I'm looking for
 anyway.
 
 For example - check out the links on this page.
 

 http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/index.htm
 watch the wrap
 
 and whatever happened to the tool index? It was no fun searching for the
 Software Advisor and the IOS Upgrade Planner this morning.
 
 grumble grumble grumble
 
 --
 TANSTAAFL
 there ain't no such thing as a free lunch




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60308t=60308



Site to Site VPN b/w PIX 515 and PIX 501 by using Dynamic Map [7:59084]

2002-12-12 Thread Curious
Guys
I am having an issue with a site-to-site VPN between a PIX 515 and a PIX 501. The PIX 501 is
at our developer location, and he has a DHCP Internet IP address from his ISP;
I am using a dynamic map on the PIX 515 for the site-to-site VPN.
The developer is complaining that his VPN connection goes down (although he sees a
VPN light on the PIX 501, he cannot access anything in our office network). On the
PIX 501 I see the crypto map and access list counters increase, but on the
PIX 515 side I don't see his PIX 501 in the crypto map.
I thought of a timeout or inactivity timeout issue. Please advise.

thanks,


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59084t=59084



Host your site for just 20$/year [7:57900]

2002-11-22 Thread [EMAIL PROTECTED]
[TABLE NOT SHOWN]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57900t=57900



RE: PIX site-to-site VPN question... [7:57648]

2002-11-19 Thread Priscilla Oppenheimer
Edward Sohn wrote:
 
 Perfect...
 
 very interesting, indeed.  I have long wondered about this
 scenario, and
 have wondered how companies are implementing their site-to-site
 VPN's
 over the internet.  so you're saying (regarding your own roll
 out), that
 your ISP assigned you two address spaces and routed your /27
 towards
 your perimeter router, right?  in any case, your scenario
 explains the
 answer to that particular example...however, new questions
 arise:
 
 (1) if i DIDN'T decide to set up a GRE over the internet, then
 what
 other options do i have?  would a simple NAT on the perimeter
 routers
 suffice?  this would introduce dual-NAT, and i have heard that
 dual-NATing is less-than-desired in production due to
 performance
 issues.

Double NATing doesn't sound like a good idea and shouldn't be necessary.

 
 (2) if i wanted to use public addressing on the outsides of the
 PIX's,

Public addressing on the outsides of the PIXes seems to be the recommended
approach.

 then would i have to have two address spaces, as described in
 your own scenario?  

You can make your own two address spaces. Perhaps you realize that, but I'm
wondering if maybe you haven't considered it?

You can do whatever you want with the /29 the provider gave you.
Unfortunately, it's not a very big address space, but it can still be
subdivided into two networks, one for the outside interface on the router
and one for the PIX(outside)(inside)Router LAN.

As an example, let's say the provider provided 55.55.55.0/29.

You have the following addresses:

First subnet:
55.55.55.1 (binary of last octet is  0001)
55.55.55.2 (binary of last octet is  0010)
55.55.55.3 (binary of last octet is  0011)

Second subnet:
55.55.55.4 (binary of last octet is  0100)
55.55.55.5 (binary of last octet is  0101)
55.55.55.6 (binary of last octet is  0110)

So do you see that with a subnet mask of 255.255.255.252 (/30), you have two
networks? Here's the addressing you can use:

PIX(outside) = 55.55.55.1 (also used by PAT)

Router (inside) = 55.55.55.2

Possible address for something else on that LAN = 55.55.55.3


Router (outside) = 55.55.55.6

Unfortunately, some addresses get wasted on that subnet.

PIX's default route points to 55.55.55.2

Router's default route points to router at ISP.

ISP points everything that matches 55.55.55.0/29 to you. 

If for some reason this wouldn't work in your particular scenario or I
over-simplified to the point of not being helpful, I apologize! Hey, it's
free consulting and you get what you pay for. :-) Keep us posted so we can
all learn. Thanks.

Priscilla

 can anyone think of any other options on the
 perimeter
 router?  like i said, bridging or unnumbered or something of
 the like?
 
 thanks,
 
 ed
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
 Behalf Of
 Mark W. Odette II
 Sent: Monday, November 18, 2002 9:19 PM
 To: [EMAIL PROTECTED]
 Subject: RE: PIX site-to-site VPN question... [7:57648]
 
 
 The only way that you could put private addresses on the OUTSIDE
 interface of the PIX (Site A), and still successfully set up a
 Tunnel to
 another PIX across the internet that is behind an edge router
 of your
 own control (Site B), is to build a GRE Tunnel between the Edge
 Routers.
 
 EX: Public Addresses
 PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
   Pvt. Addresses  G  R  E  Tunnel Pvt. Addresses
 
 If you tried to set up NAT on the two Edge Routers to Static
 Translate
 for the PIX Hosts on their outside interfaces, the Tunnel would
 never
 establish.  Even though you would define the Crypto Peer as a
 public
 address, when the packet arrives at the far side, it would have
 the
 private address headers, and thus the tunnel would never come
 up, and is
 why you would need a GRE Tunnel between the two routers to use
 private
 addresses between the two PIXen end-points.
 
 
 I have set up the scenario you speak of in production, but the
 ISP
 assigned a /30 for the routers connecting to the ISP, AND they
 assigned
 /27's for the customer's own use.  So, with this, I configured
 the S0
 interfaces of each router as part of the /30's, and configured
 the Fa0
 interfaces of the Routers and the Pix Outside interfaces as
 hosts in the
 /27 blocks that were assigned to each site, while creating a
 PAT pool
 and NAT statics for appropriate hosts behind the PIX.  The
 Inside/DMZ
 side of the PIXen were configured with RFC1918 addresses.  Site
 to Site
 VPN's were established using the Public IP addresses on the
 Outside
 interface of each PIX.
 
 HTH's
 Mark
 
 -Original Message-
 From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
 Sent: Monday, November 18, 2002 10:13 PM
 To: [EMAIL PROTECTED]
 Subject: RE: PIX site-to-site VPN question... [7:57648]
 
 thanks for your help, elijah...however, i think are still
 missing the
 full point of my question...i am looking for a complete
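Priscilla's split of the provider /29 into two /30s, worked through with Python's standard ipaddress module as an added example (not code from the thread). It assigns the same roles from usable host addresses only, and labels each of the eight addresses as network, broadcast or host, which is the check to run before handing out addresses by hand; the 55.55.55.0/29 block is the constructed one from the thread.

```python
"""Subdivide a /29 into two /30s and classify every address in it.

Added example; not code from the mailing-list thread. 55.55.55.0/29 is
the constructed block used in the discussion above, not a real allocation.
"""
import ipaddress

PROVIDER_BLOCK = "55.55.55.0/29"  # constructed value from the thread


def split_block(cidr: str, new_prefix: int = 30):
    """Return the subnets of `cidr` at `new_prefix` length, in address order."""
    net = ipaddress.ip_network(cidr, strict=True)
    if new_prefix <= net.prefixlen:
        raise ValueError("new prefix must be longer than the parent prefix")
    return list(net.subnets(new_prefix=new_prefix))


def address_roles(cidr: str, new_prefix: int = 30):
    """Map every address of the parent block to (role, child subnet), where
    role is 'network', 'broadcast' or 'host' within that child subnet.
    For prefixes shorter than /31, ipaddress.hosts() already excludes the
    network and broadcast addresses, so only the middle addresses are hosts."""
    roles = {}
    for sub in split_block(cidr, new_prefix):
        roles[str(sub.network_address)] = ("network", str(sub))
        roles[str(sub.broadcast_address)] = ("broadcast", str(sub))
        for host in sub.hosts():
            roles[str(host)] = ("host", str(sub))
    return roles


def usable_hosts(cidr: str, new_prefix: int = 30):
    """Sorted list of addresses that may actually be assigned to interfaces."""
    return sorted(
        (ipaddress.ip_address(a) for a, (role, _) in address_roles(cidr, new_prefix).items()
         if role == "host"),
    )


def plan_addresses(cidr: str):
    """Assign the roles from the thread using host addresses only:
    first /30 = LAN between PIX(outside) and router(inside),
    second /30 = router's outside interface."""
    inner, outer = split_block(cidr, 30)
    inner_hosts = list(inner.hosts())
    outer_hosts = list(outer.hosts())
    router_inside = inner_hosts[1]
    return {
        "pix_outside": str(inner_hosts[0]),        # also the PAT address
        "router_inside": str(router_inside),
        "pix_default_route": str(router_inside),   # PIX points at the router
        "router_outside": str(outer_hosts[-1]),
        # anything left over that is neither a network nor a broadcast address
        "spare_usable": [str(h) for h in inner_hosts[2:] + outer_hosts[:-1]],
        "isp_routes_to_you": str(ipaddress.ip_network(cidr)),
    }


if __name__ == "__main__":
    for addr, (role, sub) in address_roles(PROVIDER_BLOCK).items():
        print(f"{addr:<12} {role:<10} in {sub}")
    print(plan_addresses(PROVIDER_BLOCK))
```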

RE: PIX site-to-site VPN question... [7:57648]

2002-11-19 Thread Elijah Savage III
That is basically what I was saying in my email that he had 6 addresses
to use so I am confused why there even needs to be another solution.
Making it a lot harder than what it has to be.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 19, 2002 8:10 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Edward Sohn wrote:
 
 Perfect...
 
 very interesting, indeed.  I have long wondered about this scenario, 
 and have wondered how companies are implementing their site-to-site
 VPN's
 over the internet.  so you're saying (regarding your own roll
 out), that
 your ISP assigned you two address spaces and routed your /27
 towards
 your perimeter router, right?  in any case, your scenario
 explains the
 answer to that particular example...however, new questions
 arise:
 
 (1) if i DIDN'T decide to set up a GRE over the internet, then what
 other options do i have?  would a simple NAT on the perimeter
 routers
 suffice?  this would introduce dual-NAT, and i have heard that
 dual-NATing is less-than-desired in production due to
 performance
 issues.

Double NATing doesn't sound like a good idea and shouldn't be necessary.

 
 (2) if i wanted to use public addressing on the outsides of the PIX's,

Public addressing on the outsides of the PIXes seems to be the
recommended approach.

 then would i have to have two address spaces, as described in your own

 scenario?

You can make your own two address spaces. Perhaps you realize that, but
I'm wondering if maybe you haven't considered it?

You can do whatever you want with the /29 the provider gave you.
Unfortunately, it's not a very big address space, but it can still be
subdivided into two networks, one for the outside interface on the
router and one for the PIX(outside)(inside)Router LAN.

As an example, let's say the provider provided 55.55.55.0/29.

You have the following addresses:

First subnet:
55.55.55.1 (binary of last octet is  0001)
55.55.55.2 (binary of last octet is  0010)
55.55.55.3 (binary of last octet is  0011)

Second subnet:
55.55.55.4 (binary of last octet is  0100)
55.55.55.5 (binary of last octet is  0101)
55.55.55.6 (binary of last octet is  0110)

So do you see that with a subnet mask of 255.255.255.252 (/30), you have two
networks? Here's the addressing you can use:

PIX(outside) = 55.55.55.1 (also used by PAT)

Router (inside) = 55.55.55.2

Possible address for something else on that LAN = 55.55.55.3


Router (outside) = 55.55.55.6

Unfortunately, some addresses get wasted on that subnet.

PIX's default route points to 55.55.55.2

Router's default route points to router at ISP.

ISP points everything that matches 55.55.55.0/29 to you. 

If for some reason this wouldn't work in your particular scenario or I
over-simplified to the point of not being helpful, I apologize! Hey,
it's free consulting and you get what you pay for. :-) Keep us posted so
we can all learn. Thanks.

Priscilla

 can anyone think of any other options on the
 perimeter
 router?  like i said, bridging or unnumbered or something of the like?
 
 thanks,
 
 ed
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf 
 Of Mark W. Odette II
 Sent: Monday, November 18, 2002 9:19 PM
 To: [EMAIL PROTECTED]
 Subject: RE: PIX site-to-site VPN question... [7:57648]
 
 
 The only way that you could put private addresses on the OUTSIDE 
 interface of the PIX (Site A), and still successfully set up a Tunnel 
 to another PIX across the internet that is behind an edge router
 of your
 own control (Site B), is to build a GRE Tunnel between the Edge
 Routers.
 
 EX: Public Addresses

PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
   Pvt. Addresses  G  R  E  Tunnel Pvt. Addresses
 
 If you tried to set up NAT on the two Edge Routers to Static Translate
 for the PIX Hosts on their outside interfaces, the Tunnel would
 never
 establish.  Even though you would define the Crypto Peer as a
 public
 address, when the packet arrives at the far side, it would have
 the
 private address headers, and thus the tunnel would never come
 up, and is
 why you would need a GRE Tunnel between the two routers to use
 private
 addresses between the two PIXen end-points.
 
 
 I have set up the scenario you speak of in production, but the ISP
 assigned a /30 for the routers connecting to the ISP, AND they
 assigned
 /27's for the customer's own use.  So, with this, I configured
 the S0
 interfaces of each router as part of the /30's, and configured
 the Fa0
 interfaces of the Routers and the Pix Outside interfaces as
 hosts in the
 /27 blocks that were assigned to each site, while creating a
 PAT pool
 and NAT statics for appropriate hosts behind the PIX.  The
 Inside/DMZ
 side of the PIXen were configured with RFC1918 addresses.  Site
 to Site
 VPN's were established using the Public IP addresses

RE: PIX site-to-site VPN question... [7:57648]

2002-11-19 Thread Priscilla Oppenheimer
Elijah Savage III wrote:
 
 That is basically what I was saying in my email that he had 6
 addresses
 to use so I am confused why there even needs to be another
 solution.

You didn't say how he would use the 6 addresses. I thought it needed
spelling out.

 Making it a lot harder than what it has to be.

It's not hard, which may be your point. It's very simple if what I'm
suggesting actually works. But maybe there are some gotchas I don't know
about.

The point that was missing in our discussion before was that there are
multiple networks using the public addresses. I don't think anyone
understood why he was asking about bridging. He will need bridging if he
doesn't subdivide his address space. I simply told him how to subdivide it.

I didn't mean to step on your toes or imply your answers were wrong.

Priscilla

 
 -Original Message-
 From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
 Sent: Tuesday, November 19, 2002 8:10 PM
 To: [EMAIL PROTECTED]
 Subject: RE: PIX site-to-site VPN question... [7:57648]
 
 
 Edward Sohn wrote:
  
  Perfect...
  
  very interesting, indeed.  I have long wondered about this
 scenario,
  and have wondered how companies are implementing their
 site-to-site
  VPN's
  over the internet.  so you're saying (regarding your own roll
  out), that
  your ISP assigned you two address spaces and routed your /27
  towards
  your perimeter router, right?  in any case, your scenario
  explains the
  answer to that particular example...however, new questions
  arise:
  
  (1) if i DIDN'T decide to set up a GRE over the internet,
 then what
  other options do i have?  would a simple NAT on the perimeter
  routers
  suffice?  this would introduce dual-NAT, and i have heard that
  dual-NATing is less-than-desired in production due to
  performance
  issues.
 
 Double NATing doesn't sound like a good idea and shouldn't be
 necessary.
 
  
  (2) if i wanted to use public addressing on the outsides of
 the PIX's,
 
 Public addressing on the outsides of the PIXes seems to be the
 recommended approach.
 
  then would i have to have two address spaces, as described in
 your own
 
  scenario?
 
 You can make your own two address spaces. Perhaps you realize
 that, but
 I'm wondering if maybe you haven't considered it?
 
 You can do whatever you want with the /29 the provider gave you.
 Unfortunately, it's not a very big address space, but it can
 still be
 subdivided into two networks, one for the outside interface on
 the
 router and one for the PIX(outside)(inside)Router LAN.
 
 As an example, let's say the provider provided 55.55.55.0/29.
 
 You have the following addresses:
 
 First subnet:
 55.55.55.1 (binary of last octet is  0001)
 55.55.55.2 (binary of last octet is  0010)
 55.55.55.3 (binary of last octet is  0011)
 
 Second subnet:
 55.55.55.4 (binary of last octet is  0100)
 55.55.55.5 (binary of last octet is  0101)
 55.55.55.6 (binary of last octet is  0110)
 
 So do you see that with a subnet mask of 255.255.255.252 (/30), you
 have two
 networks? Here's the addressing you can use:
 
 PIX(outside) = 55.55.55.1 (also used by PAT)
 
 Router (inside) = 55.55.55.2
 
 Possible address for something else on that LAN = 55.55.55.3
 
 
 Router (outside) = 55.55.55.6
 
 Unfortunately, some addresses get wasted on that subnet.
 
 PIX's default route points to 55.55.55.2
 
 Router's default route points to router at ISP.
 
 ISP points everything that matches 55.55.55.0/29 to you. 
 
 If for some reason this wouldn't work in your particular
 scenario or I
 over-simplified to the point of not being helpful, I apologize!
 Hey,
 it's free consulting and you get what you pay for. :-) Keep us
 posted so
 we can all learn. Thanks.
 
 Priscilla
 
  can anyone think of any other options on the
  perimeter
  router?  like i said, bridging or unnumbered or something of
 the like?
  
  thanks,
  
  ed
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
 Behalf
  Of Mark W. Odette II
  Sent: Monday, November 18, 2002 9:19 PM
  To: [EMAIL PROTECTED]
  Subject: RE: PIX site-to-site VPN question... [7:57648]
  
  
  The only way that you could put private addresses on the
 OUTSIDE
  interface of the PIX (Site A), and still successfully set up
 a Tunnel
  to another PIX across the internet that is behind an edge
 router
  of your
  own control (Site B), is to build a GRE Tunnel between the
 Edge
  Routers.
  
  EX: Public Addresses
 
 PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
  Pvt. Addresses  G  R  E  Tunnel Pvt. Addresses
  
  If you tried to set up NAT on the two Edge Routers to Static
 Translate
  for the PIX Hosts on their outside interfaces, the Tunnel
 would
  never
  establish.  Even though you would define the Crypto Peer as a
  public
  address, when the packet arrives at the far side, it would
 have
  the
  private address headers, and thus the tunnel would

PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Edward Sohn
Would someone mind explaining to me how addressing works on the outside
interface of a PIX in a site-to-site VPN configuration with edge routers
connected to the internet?

PIX1(outside)(e0)R1(e1)INTERNET--(e1)R2(e0)(outside)PIX2

If I'm provided a /29 address by my ISP for PIX1's site, then how does
the PIX1's outside and R1's ethernet addresses get provisioned (same
question for PIX2's site)?

Is it a simple /30 private network between the PIX and routers, or do
they get public addressing?  In all the VPN examples I've seen on TAC,
they've used public addressing here.  If so, then how do the routers use
IP addresses?  Are they bridged or unnumbered in some way?  How do the
PIX's use private addresses as for their crypto peer statements?  What
are the best practices here?  Sorry for the barrage...

Thanks,

Ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57648t=57648



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Brunner Joseph
You should use private addressing behind the pix and use static's from the
/29 to map to Servers, etc. behind the pix.

Why would you ever want to put public IPs behind a pix? Especially for a
VPN? Not cool. It makes it an easier target to spoof, as opposed to RFC1918
addresses.

Answering your original question - 

If I'm provided a /29 address by my ISP for PIX1's site, then how does the
PIX1's outside and R1's ethernet addresses get provisioned (same question
for PIX2's site)?

If you insist on using public's behind your pix, you get a /29 for behind,
and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.

The routers also should NEVER use UNNUMBERED !  How do you remote manage the
router if the Ethernet line proto is down ? Loopback ?
You won't have a public IP if your ISP skimps on addresses.. I have seen some
whack configs where s0/0 is unnumbered, and the only
routed block is on e0/0. It's not worth saving the /30 for the added
aggravation.

Are they bridged or unnumbered in some way? the routers know nothing of
your Site to Site VPN. They just route.. nuff said on that.


How do the 
PIX's use private addresses as for their crypto peer statements?

They can't. Not unless you use outside NAT on the rtr's, something I don't
think you can or want to do.. Just use publics all around for your crypto
peer statements.. I don't think you can do it any other way.. One creative way
to do it, maybe, run a

GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 private
class C's for in between router and pix on each side.

Just route everything (which is also encrypted) through the tunnel. 
Have NO NAT on your pixes for internal stuff to go out of the router on S0/0
(instead of VPN traffic, which goes out TUNNEL0). This should make your
PIXes harder to attack, and if you want you can run NAT on the router for
hosts, or have another NAT proxy behind the pix (either way, the pix won't do NAT
with this low-profile config trick).



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57654t=57648



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Priscilla Oppenheimer
Brunner Joseph wrote:
 
 You should use private addressing behind the pix and use
 static's from the /29 to map to Servers, etc. behind the pix.
 
 Why would you ever want to put public IPs behind a pix?
 Especially for a VPN? Not cool. It makes it an easier target
 to spoof, as opposed to RFC1918 addresses.

I don't think he was suggesting using public IP addresses behind the PIX.
What addressing would you recommend for the LAN between the outside
interface of the PIX and the router, per this part of his drawing:

PIX1(outside)(e0)R1(e1)INTERNET


By the way, he really did show R1 having an Ethernet interface out to the
Internet. I don't think it was a typo. In the case that came up last week,
this Ethernet then went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice? This
question came up last week too and the person never got a good answer. I
would answer it myself but I'm PIX and VPN challenged (but learning! ;-)

Priscilla


 
 Answering your original question - 
 
 If I'm provided a /29 address by my ISP for PIX1's site, then
 how does the PIX1's outside and R1's ethernet addresses get
 provisioned (same question for PIX2's site)?
 
 If you insist on using public's behind your pix, you get a /29
 for behind, and 2 /30's. One for Pix to RTR and one for RTR to
 ISP EDGE.
 
 The routers also should NEVER use UNNUMBERED !  How do you
 remote manage the router if the Ethernet line proto is down ?
 Loopback ?
 You won't have a public IP if your ISP skimps on addresses.. I
 have seen some whack configs where s0/0 is unnumbered, and the
 only
 routed block is on e0/0. It's not worth saving the /30 for the added
 aggravation.
 
 Are they bridged or unnumbered in some way? the routers know
 nothing of your Site to Site VPN. They just route.. nuff said
 on that.
 
 
 How do the 
 PIX's use private addresses as for their crypto peer
 statements?
 
 They can't. Not unless you use outside NAT on the rtr's,
 something I don't think you can or want to do.. Just use
 publics all around for your crypto peer statements.. I don't
 think you can do it any other way.. One creative way to do it,
 maybe, run a
 
 GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more
 /24 private class C's for in between router and pix on each side.
 
 Just route everything (which is also encrypted) through the tunnel. 
 Have NO NAT on your pixes for internal stuff to go out of the
 router on S0/0 (instead of VPN traffic, which goes out
 TUNNEL0). This should make your PIXes harder to attack, and if
 you want you can run NAT on the router for hosts, or have
 another NAT proxy behind the pix (either way, the pix won't do NAT
 with this low-profile config trick).
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57656t=57648



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Elijah Savage III
Well, I am a little confused by the question, call me stupid :) But he can
use public or private on that link; if he uses private, just NAT on the
pix. VPN to VPN will still work with NAT in place.


-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Brunner Joseph wrote:
 
 You should use private addressing behind the pix and use static's from

 the /29 to map to Servers, etc. behind the pix.
 
 Why would you ever want to put public IPs behind a pix? Especially 
 for a VPN? Not cool. It makes it an easier target to spoof, as 
 opposed to RFC1918 addresses.

I don't think he was suggesting using public IP addresses behind the
PIX. What addressing would you recommend for the LAN between the outside
interface of the PIX and the router, per this part of his drawing:

PIX1(outside)(e0)R1(e1)INTERNET


By the way, he really did show R1 having an Ethernet interface out to
the Internet. I don't think it was a typo. In the case that came up last
week, this Ethernet then went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice?
This question came up last week too and the person never got a good
answer. I would answer it myself but I'm PIX and VPN challenged (but
learning! ;-)

Priscilla


 
 Answering your original question -
 
 If I'm provided a /29 address by my ISP for PIX1's site, then how 
 does the PIX1's outside and R1's ethernet addresses get provisioned 
 (same question for PIX2's site)?
 
 If you insist on using public's behind your pix, you get a /29 for 
 behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.
 
 The routers also should NEVER use UNNUMBERED !  How do you remote 
 manage the router if the Ethernet line proto is down ? Loopback ?
 You won't have a public IP if your ISP skimps on addresses.. I
 have seen some whack configs where s0/0 is unnumbered, and the
 only
 routed block is on e0/0. It's not worth saving the /30 for the added
 aggravation.
 
 Are they bridged or unnumbered in some way? the routers know nothing

 of your Site to Site VPN. They just route.. nuff said on that.
 
 
 How do the
 PIX's use private addresses as for their crypto peer
 statements?
 
 They can't. Not unless you use outside NAT on the rtr's, something I 
 don't think you can or want to do.. Just use publics all around for 
 your crypto peer statements.. I don't think you can do it any other 
 way.. One creative way to do it, maybe, run a
 
 GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 
 private class C's for in between router and pix on each side.
 
 Just route everything (which is also encrypted) through the tunnel.
 Have NO NAT on your pixes for internal stuff to go out of the
 router on S0/0 (instead of VPN traffic, which goes out
 TUNNEL0). This should make your PIXes harder to attack, and if
 you want you can run NAT on the router for hosts, or have
 another NAT proxy behind the pix (either way, the pix won't do NAT
 with this low-profile config trick).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57662t=57648



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Elijah Savage III
Oh yeah, with the limited address space the correct term I meant to use
is PAT, not to confuse anyone. The outside interface on the pix has 1
public and everyone gets NATed to that one global address.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Brunner Joseph wrote:
 
 You should use private addressing behind the pix and use static's from

 the /29 to map to Servers, etc. behind the pix.
 
 Why would you ever want to put public IPs behind a pix? Especially 
 for a VPN? Not cool. It makes it an easier target to spoof, as 
 opposed to RFC1918 addresses.

I don't think he was suggesting using public IP addresses behind the
PIX. What addressing would you recommend for the LAN between the outside
interface of the PIX and the router, per this part of his drawing:

PIX1(outside)(e0)R1(e1)INTERNET


By the way, he really did show R1 having an Ethernet interface out to
the Internet. I don't think it was a typo. In the case that came up last
week, this Ethernet then went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice?
This question came up last week too and the person never got a good
answer. I would answer it myself but I'm PIX and VPN challenged (but
learning! ;-)

Priscilla


 
 Answering your original question -
 
 If I'm provided a /29 address by my ISP for PIX1's site, then how 
 does the PIX1's outside and R1's ethernet addresses get provisioned 
 (same question for PIX2's site)?
 
 If you insist on using public's behind your pix, you get a /29 for 
 behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.
 
 The routers also should NEVER use UNNUMBERED !  How do you remote 
 manage the router if the Ethernet line proto is down ? Loopback ?
 You won't have a public IP if your ISP skimps on Addresses.. I
 have seen some whack configs where s0/0 is unnumbered, and the
 only
 routed block is on e0/0. It's not worth saving the /30 for added
 aggravation.
 
 Are they bridged or unnumbered in some way? the routers know nothing

 of your Site to Site VPN. They just route.. nuff said on that.
 
 
 How do the
 PIX's use private addresses as for their crypto peer
 statements?
 
 They can't. Not unless you use outside nat on the rtr's something I 
 don't think you can or want to do.. Just use Publics all around for 
 your crypto peer statements.. I don't think you can do it any other
 way.. one creative way to do it, maybe, run a
 
 GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 
 private class C's for in between router and pix on each side.
 
 Just route everything (which is also encrypted) thru the tunnel.
 have NO NAT on your pixes for internal stuff to go out of
 router on S0/0 (instead of VPN traffic which goes out
 TUNNEL0). this should make your PIX's harder to attack, and if
 you want you can run nat on the router for hosts, or have
 another nat proxy behind pix (either way, pix won't do nat, with
 this low-profile config trick).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57663t=57648



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Priscilla Oppenheimer
Elijah Savage III wrote:
 
 Oh yeah with the limited address space the correct term I meant
 to use
 is PAT not to confuse anyone. The outside interface on the pix
 has 1
 public and everyone gets NATed to that one global address.

So, use public addressing on the PIX(outside)-router link. In the previous
message you said he could use either, but it will make things easier if he
uses public on that link and private on the

---(inside)PIX link, eh?

Sorry, if I'm being dim-witted. :-)

Priscilla


 
 -Original Message-
 From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
 Sent: Monday, November 18, 2002 9:27 PM
 To: [EMAIL PROTECTED]
 Subject: RE: PIX site-to-site VPN question... [7:57648]
 
 
 Brunner Joseph wrote:
  
  You should use private addressing behind the pix and use
 static's from
 
  the /29 to map to Servers, etc. behind the pix.
  
  Why would you ever want to put public ip's behind a pix ?
 especially
  for a vpn ? Not cool. It makes it an easier target to spoof,
 as
  opposed to RFC1918 addresses.
 
 I don't think he was suggesting using public IP addresses
 behind the
 PIX. What addressing would you recommend for the LAN between
 the outside
 interface of the PIX and the router, per this part of his
 drawing:
 
 PIX1(outside)(e0)R1(e1)INTERNET
 
 
 By the way, he really did show R1 having an Ethernet interface
 out to
 the Internet. I don't think it was a typo. In the case that
 came up last
 week, this Ethernet then went to a wireless WAN of some sort.
 
 Could you take another look at the question and give us some
 advice?
 This question came up last week too and the person never got a
 good
 answer. I would answer it myself but I'm PIX and VPN challenged
 (but
 learning! ;-)
 
 Priscilla
 
 
  
  Answering your original question -
  
  If I'm provided a /29 address by my ISP for PIX1's site,
 then how
  does the PIX1's outside and R1's ethernet addresses get
 provisioned
  (same question for PIX2's site)?
  
  If you insist on using public's behind your pix, you get a
 /29 for
  behind, and 2 /30's. One for Pix to RTR and one for RTR to
 ISP EDGE.
  
  The routers also should NEVER use UNNUMBERED !  How do you
 remote
  manage the router if the Ethernet line proto is down ?
 Loopback ?
  You won't have a public IP if your ISP skimps on Addresses.. I
  have seen some whack configs where s0/0 is unnumbered, and the
  only
  routed block is on e0/0. It's not worth saving the /30 for
 added
  aggravation.
  
  Are they bridged or unnumbered in some way? the routers
 know nothing
 
  of your Site to Site VPN. They just route.. nuff said on that.
  
  
  How do the
  PIX's use private addresses as for their crypto peer
  statements?
  
  They can't. Not unless you use outside nat on the rtr's
 something I
  don't think you can or want to do.. Just use Publics all
 around for
  your crypto peer statements.. I don't think you can do it
 any other
  way.. one creative way to do it, maybe, run a
  
  GRE tunnel from router to router (say 10.0.1.0/24). Use 2
 more /24
  private class C's for in between router and pix on each side.
  
  Just route everything (which is also encrypted) thru the
 tunnel.
  have NO NAT on your pixes for internal stuff to go out of
  router on S0/0 (instead of VPN traffic which goes out
  TUNNEL0). this should make your PIX's harder to attack, and if
  you want you can run nat on the router for hosts, or have
  another nat proxy behind pix (either way, pix won't do nat,
 with
  this low-profile config trick).
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57664t=57648



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Elijah Savage III
Yes,

He should use public on the outside link and then private on the inside
the setup would be much easier that way. NAT or PAT on a pix is so easy.

And I had a slight brain fart: he can't use private on the outside. The
reason being because of the peer addressing that has to go on the pix
for the vpn tunnel. So of course if he used private there is no way site
A can talk to site B across the internet.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Elijah Savage III wrote:
 
 Oh yeah with the limited address space the correct term I meant to use
 is PAT not to confuse anyone. The outside interface on the pix
 has 1
 public and everyone gets NATed to that one global address.

So, use public addressing on the PIX(outside)-router link. In the
previous message you said he could use either, but it will make things
easier if he uses public on that link and private on the

---(inside)PIX link, eh?

Sorry, if I'm being dim-witted. :-)

Priscilla


 
 -Original Message-
 From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
 Sent: Monday, November 18, 2002 9:27 PM
 To: [EMAIL PROTECTED]
 Subject: RE: PIX site-to-site VPN question... [7:57648]
 
 
 Brunner Joseph wrote:
  
  You should use private addressing behind the pix and use
 static's from
 
  the /29 to map to Servers, etc. behind the pix.
  
  Why would you ever want to put public ip's behind a pix ?
 especially
  for a vpn ? Not cool. It makes it an easier target to spoof,
 as
  opposed to RFC1918 addresses.
 
 I don't think he was suggesting using public IP addresses behind the
 PIX. What addressing would you recommend for the LAN between
 the outside
 interface of the PIX and the router, per this part of his
 drawing:
 
 PIX1(outside)(e0)R1(e1)INTERNET
 
 
 By the way, he really did show R1 having an Ethernet interface out to
 the Internet. I don't think it was a typo. In the case that
 came up last
 week, this Ethernet then went to a wireless WAN of some sort.
 
 Could you take another look at the question and give us some advice?
 This question came up last week too and the person never got a
 good
 answer. I would answer it myself but I'm PIX and VPN challenged
 (but
 learning! ;-)
 
 Priscilla
 
 
  
  Answering your original question -
  
  If I'm provided a /29 address by my ISP for PIX1's site,
 then how
  does the PIX1's outside and R1's ethernet addresses get
 provisioned
  (same question for PIX2's site)?
  
  If you insist on using public's behind your pix, you get a
 /29 for
  behind, and 2 /30's. One for Pix to RTR and one for RTR to
 ISP EDGE.
  
  The routers also should NEVER use UNNUMBERED !  How do you
 remote
  manage the router if the Ethernet line proto is down ?
 Loopback ?
  You won't have a public IP if your ISP skimps on Addresses.. I have
  seen some whack configs where s0/0 is unnumbered, and the only
  routed block is on e0/0. It's not worth saving the /30 for
 added
  aggravation.
  
  Are they bridged or unnumbered in some way? the routers
 know nothing
 
  of your Site to Site VPN. They just route.. nuff said on that.
  
  
  How do the
  PIX's use private addresses as for their crypto peer statements?
  
  They can't. Not unless you use outside nat on the rtr's
 something I
  don't think you can or want to do.. Just use Publics all
 around for
  your crypto peer statements.. I don't think you can do it
 any other
  way.. one creative way to do it, maybe, run a
  
  GRE tunnel from router to router (say 10.0.1.0/24). Use 2
 more /24
  private class C's for in between router and pix on each side.
  
  Just route everything (which is also encrypted) thru the
 tunnel.
  have NO NAT on your pixes for internal stuff to go out of router 
  on S0/0 (instead of VPN traffic which goes out TUNNEL0). this 
  should make your PIX's harder to attack, and if you want you can run

  nat on the router for hosts, or have another nat proxy behind pix 
  (either way, pix won't do nat,
 with
  this low-profile config trick).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57665t=57648



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Edward Sohn
okay, i should have explained better...sorry

let's break my point down to a digestible limit...

at this point i want to know how to set up the site-to-site VPN tunnel
between the two PIX's, if i use private addressing on the outside
interfaces of the PIX's.  

if both of the outside interfaces of the PIX's use 192.168.x.x
addresses, then what is the address i would use in the 'crypto map peer'
statement?  if it's the 192.168.x.x address of the other PIX's outside
interface, how does the PIX know how to get there?  you follow?

the perimeter router doesn't route private addresses, so how would it
know how to get to the other PIX?

that's why i'm assuming that the public addressing has to include the
PIX outside interfaces, but if this is so, how do you configure the
perimeter router?

thanks,

ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Elijah Savage III
Sent: Monday, November 18, 2002 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Oh yeah with the limited address space the correct term I meant to use
is PAT not to confuse anyone. The outside interface on the pix has 1
public and everyone gets NATed to that one global address.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Brunner Joseph wrote:
 
 You should use private addressing behind the pix and use static's from

 the /29 to map to Servers, etc. behind the pix.
 
 Why would you ever want to put public ip's behind a pix ? especially
 for a vpn ? Not cool. It makes it an easier target to spoof, as 
 opposed to RFC1918 addresses.

I don't think he was suggesting using public IP addresses behind the
PIX. What addressing would you recommend for the LAN between the outside
interface of the PIX and the router, per this part of his drawing:

PIX1(outside)(e0)R1(e1)INTERNET


By the way, he really did show R1 having an Ethernet interface out to
the Internet. I don't think it was a typo. In the case that came up last
week, this Ethernet then went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice?
This question came up last week too and the person never got a good
answer. I would answer it myself but I'm PIX and VPN challenged (but
learning! ;-)

Priscilla


 
 Answering your original question -
 
 If I'm provided a /29 address by my ISP for PIX1's site, then how
 does the PIX1's outside and R1's ethernet addresses get provisioned 
 (same question for PIX2's site)?
 
 If you insist on using public's behind your pix, you get a /29 for
 behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.
 
 The routers also should NEVER use UNNUMBERED !  How do you remote
 manage the router if the Ethernet line proto is down ? Loopback ?
 You won't have a public IP if your ISP skimps on Addresses.. I
 have seen some whack configs where s0/0 is unnumbered, and the
 only
 routed block is on e0/0. It's not worth saving the /30 for added
 aggravation.
 
 Are they bridged or unnumbered in some way? the routers know nothing

 of your Site to Site VPN. They just route.. nuff said on that.
 
 
 How do the
 PIX's use private addresses as for their crypto peer statements?
 
 They can't. Not unless you use outside nat on the rtr's something I
 don't think you can or want to do.. Just use Publics all around for 
 your crypto peer statements.. I don't think you can do it any other
 way.. one creative way to do it, maybe, run a
 
 GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24
 private class C's for in between router and pix on each side.
 
 Just route everything (which is also encrypted) thru the tunnel. have
 NO NAT on your pixes for internal stuff to go out of router on S0/0 
 (instead of VPN traffic which goes out TUNNEL0). this should make 
 your PIX's harder to attack, and if you want you can run nat on the 
 router for hosts, or have another nat proxy behind pix (either way, 
 pix won't do nat, with this low-profile config trick).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57666t=57648



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Elijah Savage III
You have to use the public IP addresses, as I stated in my last email:
private is non-routable on the net, though I have seen Sprint route
private by mistake from time to time :)

But that is not what confused me; what is confusing me is your IP
addressing problem: do you have one? A /29 is a 255.255.255.248 subnet
mask which will give you 6 usable addresses. So I am not sure I see a
problem unless you want to use private on the outside; then yes, you have
a problem.

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


okay, i should have explained better...sorry

let's break my point down to a digestible limit...

at this point i want to know how to set up the site-to-site VPN tunnel
between the two PIX's, if i use private addressing on the outside
interfaces of the PIX's.  

if both of the outside interfaces of the PIX's use 192.168.x.x
addresses, then what is the address i would use in the 'crypto map peer'
statement?  if it's the 192.168.x.x address of the other PIX's outside
interface, how does the PIX know how to get there?  you follow?

the perimeter router doesn't route private addresses, so how would it
know how to get to the other PIX?

that's why i'm assuming that the public addressing has to include the
PIX outside interfaces, but if this is so, how do you configure the
perimeter router?

thanks,

ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Elijah Savage III
Sent: Monday, November 18, 2002 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Oh yeah with the limited address space the correct term I meant to use
is PAT not to confuse anyone. The outside interface on the pix has 1
public and everyone gets NATed to that one global address.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Brunner Joseph wrote:
 
 You should use private addressing behind the pix and use static's from

 the /29 to map to Servers, etc. behind the pix.
 
 Why would you ever want to put public ip's behind a pix ? especially 
 for a vpn ? Not cool. It makes it an easier target to spoof, as 
 opposed to RFC1918 addresses.

I don't think he was suggesting using public IP addresses behind the
PIX. What addressing would you recommend for the LAN between the outside
interface of the PIX and the router, per this part of his drawing:

PIX1(outside)(e0)R1(e1)INTERNET


By the way, he really did show R1 having an Ethernet interface out to
the Internet. I don't think it was a typo. In the case that came up last
week, this Ethernet then went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice?
This question came up last week too and the person never got a good
answer. I would answer it myself but I'm PIX and VPN challenged (but
learning! ;-)

Priscilla


 
 Answering your original question -
 
 If I'm provided a /29 address by my ISP for PIX1's site, then how 
 does the PIX1's outside and R1's ethernet addresses get provisioned 
 (same question for PIX2's site)?
 
 If you insist on using public's behind your pix, you get a /29 for 
 behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.
 
 The routers also should NEVER use UNNUMBERED !  How do you remote 
 manage the router if the Ethernet line proto is down ? Loopback ? You 
 won't have a public IP if your ISP skimps on Addresses.. I have seen
 some whack configs where s0/0 is unnumbered, and the only
 routed block is on e0/0. It's not worth saving the /30 for added
 aggravation.
 
 Are they bridged or unnumbered in some way? the routers know nothing

 of your Site to Site VPN. They just route.. nuff said on that.
 
 
 How do the
 PIX's use private addresses as for their crypto peer statements?
 
 They can't. Not unless you use outside nat on the rtr's something I 
 don't think you can or want to do.. Just use Publics all around for 
 your crypto peer statements.. I don't think you can do it any other
 way.. one creative way to do it, maybe, run a
 
 GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 
 private class C's for in between router and pix on each side.
 
 Just route everything (which is also encrypted) thru the tunnel. have
 NO NAT on your pixes for internal stuff to go out of router on S0/0 
 (instead of VPN traffic which goes out TUNNEL0). this should make 
 your PIX's harder to attack, and if you want you can run nat on the 
 router for hosts, or have another nat proxy behind pix (either way, 
 pix won't do nat, with this low-profile config trick).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57668t=57648
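The addressing rules argued over in this thread, as an added Python example that is not part of any post: carve a site's ISP /30 and its PIX-to-router block the way the replies describe, then check that each PIX's crypto peer (the other PIX's outside address) is not RFC1918 unless the router-to-router GRE tunnel variant is in play. `Site`, `GreTunnel` and their field names are this example's own, the 198.51.100.0/30 and 203.0.113.0/29 blocks are constructed documentation addresses standing in for ISP-assigned space, and the overlapping-inside-LAN check goes beyond what the thread states.

```python
"""Sanity-check a PIX site-to-site VPN addressing plan (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 1918 space: the "private" addressing the thread says cannot be a crypto peer.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr) -> bool:
    """True if addr falls in 10/8, 172.16/12 or 192.168/16 (str or IPv4Address)."""
    a = ipaddress.ip_address(str(addr))
    return any(a in net for net in RFC1918)


@dataclass
class Site:
    """One site as drawn in the thread: inside LAN -> PIX -> R1 (e0) -> R1 (e1) -> ISP.

    Class and field names are this example's own, not PIX or IOS terminology."""
    name: str
    isp_link: str   # /30 between R1 e1 and the ISP edge router
    pix_link: str   # block between R1 e0 and the PIX outside interface (a /30 or the /29)
    inside: str     # RFC1918 LAN behind the PIX

    def allocate(self) -> Dict[str, object]:
        """Number the links the way the thread suggests: R1 takes the first usable
        address of each block, the PIX outside takes the second usable address of
        pix_link, and whatever is left there is available for statics to servers
        behind the PIX. A /29 has 6 usable addresses, so 4 remain for statics."""
        wan = list(ipaddress.ip_network(self.isp_link).hosts())
        lan = list(ipaddress.ip_network(self.pix_link).hosts())
        if len(wan) < 2 or len(lan) < 2:
            raise ValueError(f"{self.name}: a block is too small to number both ends")
        return {
            "router_wan": wan[0],    # R1 e1; also the GRE tunnel source if that trick is used
            "isp_edge": wan[1],
            "router_lan": lan[0],    # R1 e0
            "pix_outside": lan[1],   # what the far PIX names in 'crypto map ... set peer'
            "statics": lan[2:],
        }


@dataclass
class GreTunnel:
    """The thread's 'creative' alternative: a router-to-router GRE tunnel carrying the
    private PIX-to-PIX traffic, so the PIX outside interfaces may stay RFC1918."""
    network: str    # tunnel subnet, e.g. 10.0.1.0/24 on Tunnel0 at both ends


def check_plan(a: Site, b: Site, gre: Optional[GreTunnel] = None) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    alloc = {s.name: s.allocate() for s in (a, b)}

    # 1. Without the GRE trick each PIX peers directly with the other PIX's outside
    #    address across the Internet, so that address must not be RFC1918.
    for site, peer in ((a, b), (b, a)):
        peer_addr = alloc[peer.name]["pix_outside"]
        if gre is None and is_rfc1918(peer_addr):
            findings.append(f"{site.name}: crypto peer {peer_addr} is RFC1918 and "
                            "will not be routed across the Internet")

    # 2. With the GRE trick the routers, not the PIXes, need public reachability:
    #    the tunnel endpoints (R1 e1 at each site) must be public, and the tunnel
    #    subnet must not collide with the PIX-to-router blocks it carries.
    if gre is not None:
        tnet = ipaddress.ip_network(gre.network)
        for s in (a, b):
            src = alloc[s.name]["router_wan"]
            if is_rfc1918(src):
                findings.append(f"{s.name}: GRE tunnel source {src} is RFC1918; "
                                "the routers cannot reach each other to build it")
            if tnet.overlaps(ipaddress.ip_network(s.pix_link)):
                findings.append(f"{s.name}: tunnel subnet {tnet} overlaps PIX link {s.pix_link}")

    # 3. Added check beyond the thread: the two inside LANs must not overlap, or the
    #    PIX cannot tell local from remote hosts when selecting traffic for the tunnel.
    if ipaddress.ip_network(a.inside).overlaps(ipaddress.ip_network(b.inside)):
        findings.append(f"inside LANs {a.inside} and {b.inside} overlap")
    return findings


if __name__ == "__main__":
    # Constructed sample plan; RFC 5737 documentation blocks stand in for ISP space.
    site_a = Site("A", "198.51.100.0/30", "203.0.113.0/29", "192.168.1.0/24")
    site_b = Site("B", "198.51.100.4/30", "203.0.113.8/29", "192.168.2.0/24")
    for finding in check_plan(site_a, site_b) or ["plan OK"]:
        print(finding)
```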

RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Elijah Savage III
May I also ask why you want to use private?

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


okay, i should have explained better...sorry

let's break my point down to a digestible limit...

at this point i want to know how to set up the site-to-site VPN tunnel
between the two PIX's, if i use private addressing on the outside
interfaces of the PIX's.  

if both of the outside interfaces of the PIX's use 192.168.x.x
addresses, then what is the address i would use in the 'crypto map peer'
statement?  if it's the 192.168.x.x address of the other PIX's outside
interface, how does the PIX know how to get there?  you follow?

the perimeter router doesn't route private addresses, so how would it
know how to get to the other PIX?

that's why i'm assuming that the public addressing has to include the
PIX outside interfaces, but if this is so, how do you configure the
perimeter router?

thanks,

ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Elijah Savage III
Sent: Monday, November 18, 2002 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Oh yeah with the limited address space the correct term I meant to use
is PAT not to confuse anyone. The outside interface on the pix has 1
public and everyone gets NATed to that one global address.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Brunner Joseph wrote:
 
 You should use private addressing behind the pix and use static's from

 the /29 to map to Servers, etc. behind the pix.
 
 Why would you ever want to put public ip's behind a pix ? especially 
 for a vpn ? Not cool. It makes it an easier target to spoof, as 
 opposed to RFC1918 addresses.

I don't think he was suggesting using public IP addresses behind the
PIX. What addressing would you recommend for the LAN between the outside
interface of the PIX and the router, per this part of his drawing:

PIX1(outside)(e0)R1(e1)INTERNET


By the way, he really did show R1 having an Ethernet interface out to
the Internet. I don't think it was a typo. In the case that came up last
week, this Ethernet then went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice?
This question came up last week too and the person never got a good
answer. I would answer it myself but I'm PIX and VPN challenged (but
learning! ;-)

Priscilla


 
 Answering your original question -
 
 If I'm provided a /29 address by my ISP for PIX1's site, then how 
 does the PIX1's outside and R1's ethernet addresses get provisioned 
 (same question for PIX2's site)?
 
 If you insist on using public's behind your pix, you get a /29 for 
 behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.
 
 The routers also should NEVER use UNNUMBERED !  How do you remote 
 manage the router if the Ethernet line proto is down ? Loopback ? You 
 won't have a public IP if your ISP skimps on Addresses.. I have seen
 some whack configs where s0/0 is unnumbered, and the only
 routed block is on e0/0. It's not worth saving the /30 for added
 aggravation.
 
 Are they bridged or unnumbered in some way? the routers know nothing

 of your Site to Site VPN. They just route.. nuff said on that.
 
 
 How do the
 PIX's use private addresses as for their crypto peer statements?
 
 They can't. Not unless you use outside nat on the rtr's something I 
 don't think you can or want to do.. Just use Publics all around for 
 your crypto peer statements.. I don't think you can do it any other
 way.. one creative way to do it, maybe, run a
 
 GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 
 private class C's for in between router and pix on each side.
 
 Just route everything (which is also encrypted) thru the tunnel. have
 NO NAT on your pixes for internal stuff to go out of router on S0/0 
 (instead of VPN traffic which goes out TUNNEL0). this should make 
 your PIX's harder to attack, and if you want you can run nat on the 
 router for hosts, or have another nat proxy behind pix (either way, 
 pix won't do nat, with this low-profile config trick).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57669t=57648



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Edward Sohn
thanks for your help, elijah...however, i think you are still missing the
full point of my question...i am looking for a complete solution rather
than just 'what's possible' at different points in the network.

i did mean to use a /29 in my example.  i used that b/c if i was only
given one IP address from my ISP, and used it for the outside interface
of the PIX (as you suggested), then how do i configure the perimeter
router?  what IP addresses does that use?

let's go with this example to answer my question for now--with using
public addresses.  just fyi, however, here is a diagram on CCO which
uses private addressing on the outside interface of the PIX in a VPN
solution (doesn't show the perimeter routers, though)...

thanks,

ed

-Original Message-
From: Elijah Savage III [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 8:13 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


You have to use the public IP addresses, as I stated in my last email:
private is non-routable on the net, though I have seen Sprint route
private by mistake from time to time :)

But that is not what confused me; what is confusing me is your IP
addressing problem: do you have one? A /29 is a 255.255.255.248 subnet
mask which will give you 6 usable addresses. So I am not sure I see a
problem unless you want to use private on the outside; then yes, you have
a problem.

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


okay, i should have explained better...sorry

let's break my point down to a digestible limit...

at this point i want to know how to set up the site-to-site VPN tunnel
between the two PIX's, if i use private addressing on the outside
interfaces of the PIX's.  

if both of the outside interfaces of the PIX's use 192.168.x.x
addresses, then what is the address i would use in the 'crypto map peer'
statement?  if it's the 192.168.x.x address of the other PIX's outside
interface, how does the PIX know how to get there?  you follow?

the perimeter router doesn't route private addresses, so how would it
know how to get to the other PIX?

that's why i'm assuming that the public addressing has to include the
PIX outside interfaces, but if this is so, how do you configure the
perimeter router?

thanks,

ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Elijah Savage III
Sent: Monday, November 18, 2002 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Oh yeah with the limited address space the correct term I meant to use
is PAT not to confuse anyone. The outside interface on the pix has 1
public and everyone gets NATed to that one global address.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Brunner Joseph wrote:
 
 You should use private addressing behind the pix and use static's from

 the /29 to map to Servers, etc. behind the pix.
 
 Why would you ever want to put public ip's behind a pix ? especially
 for a vpn ? Not cool. It makes it an easier target to spoof, as 
 opposed to RFC1918 addresses.

I don't think he was suggesting using public IP addresses behind the
PIX. What addressing would you recommend for the LAN between the outside
interface of the PIX and the router, per this part of his drawing:

PIX1(outside)(e0)R1(e1)INTERNET


By the way, he really did show R1 having an Ethernet interface out to
the Internet. I don't think it was a typo. In the case that came up last
week, this Ethernet then went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice?
This question came up last week too and the person never got a good
answer. I would answer it myself but I'm PIX and VPN challenged (but
learning! ;-)

Priscilla


 
 Answering your original question -
 
 If I'm provided a /29 address by my ISP for PIX1's site, then how
 does the PIX1's outside and R1's ethernet addresses get provisioned 
 (same question for PIX2's site)?
 
 If you insist on using public's behind your pix, you get a /29 for
 behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.
 
 The routers also should NEVER use UNNUMBERED !  How do you remote
 manage the router if the Ethernet line proto is down ? Loopback ? You 
 won't have a public IP if your ISP skimps on Addresses.. I have seen
 some whack configs where s0/0 is unnumbered, and the only
 routed block is on e0/0. It's not worth saving the /30 for added
 aggravation.
 
 Are they bridged or unnumbered in some way? the routers know nothing

 of your Site to Site VPN. They just route.. nuff said on that.
 
 
 How do the
 PIX's use private addresses as for their crypto

RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Edward Sohn


excellent...now we're getting somewhere.  that's what i thought...but if
this is the case, then how does the PIX establish the actual peering
with the other PIX?  

again, my crypto map peer _address_ example...what IP address do you
use here if using private addresses?  and if it's simply the private
address of the other PIX, then how do the perimeter routers route this
private addressing over the public internet?

thanks again,

ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Elijah Savage III
Sent: Monday, November 18, 2002 7:38 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Yes,

He should use public on the outside link and then private on the inside
the setup would be much easier that way. NAT or PAT on a pix is so easy.

And I had a slight brain fart: he can't use private on the outside. The
reason being because of the peer addressing that has to go on the pix
for the vpn tunnel. So of course if he used private there is no way site
A can talk to site B across the internet.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Elijah Savage III wrote:
 
 Oh yeah with the limited address space the correct term I meant to use

 is PAT not to confuse anyone. The outside interface on the pix has 1
 public and everyone gets NATed to that one global address.

So, use public addressing on the PIX(outside)-router link. In the
previous message you said he could use either, but it will make things
easier if he uses public on that link and private on the

---(inside)PIX link, eh?

Sorry, if I'm being dim-witted. :-)

Priscilla


 
 -Original Message-
 From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
 Sent: Monday, November 18, 2002 9:27 PM
 To: [EMAIL PROTECTED]
 Subject: RE: PIX site-to-site VPN question... [7:57648]
 
 
 Brunner Joseph wrote:

  You should use private addressing behind the pix and use static's from
  the /29 to map to Servers, etc. behind the pix.

  Why would you ever want to put public ip's behind a pix ? especially
  for a vpn ? Not cool. It makes it an easier target to spoof, as
  opposed to RFC1918 addresses.
 
 I don't think he was suggesting using public IP addresses behind the 
 PIX. What addressing would you recommend for the LAN between the 
 outside interface of the PIX and the router, per this part of his
 drawing:
 
 PIX1(outside)(e0)R1(e1)INTERNET
 
 
 By the way, he really did show R1 having an Ethernet interface out to
 the Internet. I don't think it was a typo. In the case that came up
 last week, this Ethernet then went to a wireless WAN of some sort.

 Could you take another look at the question and give us some advice?
 This question came up last week too and the person never got a good
 answer. I would answer it myself but I'm PIX and VPN challenged (but
 learning! ;-)
 
 Priscilla
 
 
  
  Answering your original question -

  If I'm provided a /29 address by my ISP for PIX1's site, then how
  does the PIX1's outside and R1's ethernet addresses get provisioned
  (same question for PIX2's site)?

  If you insist on using public's behind your pix, you get a /29 for
  behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.

  The routers also should NEVER use UNNUMBERED !  How do you remote
  manage the router if the Ethernet line proto is down ? Loopback ?
  You wont have a public IP if your ISP skimps on Addresses.. I have
  seen some whack configs where s0/0 is unnumbered, and the only
  routed block is on e0/0. It's not worth saving the /30 for added
  aggravation.

  Are they bridged or unnumbered in some way? the routers know nothing
  of your Site to Site VPN. They just route.. nuff said on that.

  How do the
  PIX's use private addresses as for their crypto peer statements?

  They can't. Not unless you use outside nat on the rtr's something I
  don't think you can or want to do.. Just use Publics all around for
  your crypto peer statements.. I dont think you can do it any other
  way.. one creative way to do it, maybe, run a GRE tunnel from router
  to router (say 10.0.1.0/24). Use 2 more /24 private class C's for in
  between router and pix on each side.

  Just route everything (which is also encrypted) thru the tunnel.
  have NO NAT on your pixes for internal stuff to go out of router
  on S0/0 (instead of VPN traffic which goes out TUNNEL0). this
  should make your PIX's harder to attack, and if you want you can run
  nat on the router for hosts, or have another nat proxy behind pix
  (either way, pix wont do nat, with this low-profile config trick).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57671t=57648
--
FAQ, list archives, and subscription info: http

RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Mark W. Odette II
The only way that you could put private addresses on the OUTSIDE
interface of the PIX (Site A), and still successfully set up a Tunnel to
another PIX across the internet that is behind an edge router of your
own control (Site B), is to build a GRE Tunnel between the Edge Routers.

EX: Public Addresses
PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
Pvt. Addresses  G  R  E  Tunnel Pvt. Addresses

If you tried to set up NAT on the two Edge Routers to Static Translate
for the PIX Hosts on their outside interfaces, the Tunnel would never
establish.  Even though you would define the Crypto Peer as a public
address, when the packet arrives at the far side, it would have the
private address headers, and thus the tunnel would never come up, and is
why you would need a GRE Tunnel between the two routers to use private
addresses between the two PIXen end-points.


I have set up the scenario you speak of in production, but the ISP
assigned a /30 for the routers connecting to the ISP, AND they assigned
/27's for the customer's own use.  So, with this, I configured the S0
interfaces of each router as part of the /30's, and configured the Fa0
interfaces of the Routers and the Pix Outside interfaces as hosts in the
/27 blocks that were assigned to each site, while creating a PAT pool
and NAT statics for appropriate hosts behind the PIX.  The Inside/DMZ
side of the PIXen were configured with RFC1918 addresses.  Site to Site
VPN's were established using the Public IP addresses on the Outside
interface of each PIX.

HTH's
Mark

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

thanks for your help, elijah...however, i think you are still missing the
full point of my question...i am looking for a complete solution rather
than just 'what's possible' at different points in the network.

i did mean to use a /29 in my example.  i used that b/c if i was only
given one IP address from my ISP, and used it for the outside interface
of the PIX (as you suggested), then how do i configure the perimeter
router?  what IP addresses does that use?

let's go with this example to answer my question for now--with using
public addresses.  just fyi, however, here is a diagram on CCO which
uses private addressing on the outside interface of the PIX in a VPN
solution (doesn't show the perimeter routers, though)...

thanks,

ed

-Original Message-
From: Elijah Savage III [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 8:13 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


You have to use the public ip addresses as I stated in my last email;
private is non-routable on the net, though I have seen sprint route
private by mistake from time to time :)

But that is not what confused me, what is confusing me is your ip
addressing problem. Do you have one? A /29 is a 255.255.255.248 subnet
mask which will give you 6 usable addresses. So I am not sure I see a
problem unless you want to use private on the outside; then yes you have
a problem.

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


okay, i should have explained better...sorry

let's break my point down to a digestible limit...

at this point i want to know how to set up the site-to-site VPN tunnel
between the two PIX's, if i use private addressing on the outside
interfaces of the PIX's.  

if both of the outside interfaces of the PIX's use 192.168.x.x
addresses, then what is the address i would use in the 'crypto map peer'
statement?  if it's the 192.168.x.x address of the other PIX's outside
interface, how does the PIX know how to get there?  you follow?

the perimeter router doesn't route private addresses, so how would it
know how to get to the other PIX?

that's why i'm assuming that the public addressing has to include to the
PIX outside interfaces, but if this is so, how do you configure the
perimeter router?

thanks,

ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Elijah Savage III
Sent: Monday, November 18, 2002 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Oh yeah with the limited address space the correct term I meant to use
is PAT not to confuse anyone. The outside interface on the pix has 1
public and everyone gets NAT's to that one global address.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Brunner Joseph wrote:
 
 You should use private addressing behind the pix and use static's from

 the /29 to map
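The GRE design Mark describes above (private addresses on the PIX outside interfaces, a GRE tunnel between the edge routers carrying the PIX-to-PIX traffic), written out as an added configuration example. This is not from the thread and not a Cisco sample; it assumes IOS on the routers with a serial uplink (Ed's drawing shows an Ethernet uplink, which changes nothing but the interface name), PIX OS 6.x syntax on the firewalls, and constructed addresses: public ones from the RFC 5737 documentation ranges and arbitrary RFC1918 blocks for the router-to-PIX LANs and the tunnel. The ISP only ever sees the routers' public tunnel endpoints in the outer headers, which is why the private crypto peers can reach each other:

```cisco
! Added example, not from the thread. All addresses are constructed:
!   R1 Serial0 203.0.113.2/30 (ISP /30), R1 Ethernet0 192.168.1.1/24
!   PIX A outside 192.168.1.2/24, PIX A inside 10.1.1.0/24
!   R2 Serial0 198.51.100.2/30, R2 Ethernet0 192.168.2.1/24
!   PIX B outside 192.168.2.2/24, PIX B inside 10.2.2.0/24
!   GRE tunnel between R1 and R2 numbered out of 10.0.1.0/24
!
! ---------- R1 (IOS) ----------
interface Serial0
 description Public link to ISP
 ip address 203.0.113.2 255.255.255.252
interface Ethernet0
 description Private LAN to PIX A outside
 ip address 192.168.1.1 255.255.255.0
interface Tunnel0
 description GRE to R2; outer headers carry the public serial addresses
 ip address 10.0.1.1 255.255.255.0
 ip mtu 1400
 tunnel source Serial0
 tunnel destination 198.51.100.2
! The far PIX's private outside subnet is reachable only through the tunnel
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! ---------- R2 (IOS) ----------
interface Serial0
 ip address 198.51.100.2 255.255.255.252
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
interface Tunnel0
 ip address 10.0.1.2 255.255.255.0
 ip mtu 1400
 tunnel source Serial0
 tunnel destination 203.0.113.2
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! ---------- PIX A (PIX OS 6.x; lines starting with ':' are comments) ----------
: The crypto peer is PIX B's PRIVATE outside address; R1 routes it into the GRE tunnel
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
access-list vpn-to-b permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list vpn-to-b
sysopt connection permit-ipsec
isakmp enable outside
isakmp key REPLACE-WITH-A-STRONG-PRESHARED-KEY address 192.168.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-to-b
crypto map vpnmap 10 set peer 192.168.2.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
: PIX B is the mirror image: outside 192.168.2.2, peer 192.168.1.2, ACL reversed
```

Two costs of this layout are worth noting, both raised later in the thread: GRE adds its own 24 bytes of encapsulation on top of the ESP overhead, so the lowered `ip mtu` on Tunnel0 is there to keep the already-encrypted packets from fragmenting on the way; and because the PIX outside addresses are private, any non-VPN Internet traffic leaving the PIXen would still need NAT on the edge routers, which is exactly the extra work the public-outside design avoids.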

RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Edward Sohn
Perfect...

very interesting, indeed.  I have long wondered about this scenario, and
have wondered how companies are implementing their site-to-site VPN's
over the internet.  so you're saying (regarding your own roll out), that
your ISP assigned you two address spaces and routed your /27 towards
your perimeter router, right?  in any case, your scenario explains the
answer to that particular example...however, new questions arise:

(1) if i DIDN'T decide to set up a GRE over the internet, then what
other options do i have?  would a simple NAT on the perimeter routers
suffice?  this would introduce dual-NAT, and i have heard that
dual-NATing is less-than-desired in production due to performance
issues.

(2) if i wanted to use public addressing on the outsides of the PIX's,
then would i have to have two address spaces, as described in your own
scenario?  can anyone think of any other options on the perimeter
router?  like i said, bridging or unnumbered or something of the like?

thanks,

ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Mark W. Odette II
Sent: Monday, November 18, 2002 9:19 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Brunner Joseph
In-Line...

Perfect... 

very interesting, indeed. I have long wondered about this scenario, and 
have wondered how companies are implementing their site-to-site VPN's 
over the internet. so you're saying (regarding your own roll out), that 
your ISP assigned you two address spaces and routed your /27 towards 
your perimeter router, right? in any case, your scenario explains the 
answer to that particular example...however, new questions arise: 

(1) if i DIDN'T decide to set up a GRE over the internet, then what 
other options do i have? would a simple NAT on the perimeter routers 
suffice? this would introduce dual-NAT, and i have heard that 
dual-NATing is less-than-desired in production due to performance 
issues. 

No. The pix does not work like most VPN/IPSEC/NAT Devices. You have to have
routable addresses on the pix outside. (maybe some CCIE SECURITY will chime
in). It helps for the surf-the-web bit in addition to your VPN: you have a
public ip on the OUTSIDE of the pix (preventing the edge routers from DOING
NAT, which they should not have to here).

Based on your original post, I was assuming you were talking about going over
the public internet for your Site-to-Site VPN? well that is about the only
reason I could see doing all this for.

(2) if i wanted to use public addressing on the outsides of the PIX's, 
then would i have to have two address spaces, as described in your own 
scenario? can anyone think of any other options on the perimeter 
router? like i said, bridging or unnumbered or something of the like? 

You will not run bridging first of all. (unless you want both pixes at both
sites to be on 1 lan). This probably won't work. Unless you're NOT providing
Internet access, (separate) at both sites. It will work if you want one site
ONLY to be the internet gateway site or something, for a central point of
security, whatever. It will also cause you to have the same public block at
both sites. Not going to happen, with any carriers I have seen. One block,
One T-1, One Location. Also forget the unnumbered. Bad Operational mistake,
invented by lazy ISP's to conserve a /30. Does not provide any security,
locks you out of the router for basic troubleshooting if your eth INT has
no lineproto. You should do this (per 2 year experience with PIX VPN)

SITE A  PUBLIC  INET SITE B
PIX A(PUBLIC IP)(RTRA)(PUBLIC IP)(PUBLIC IP)(RTRB)(PUBLIC IP)PIX B


Your crypto peer statements reflect the Opposite Pix's Public IP.
(make sure you isakmp enable outside etc...)

Your Internet access at either site, will come from a
global overload (pat) statement for the pixes, on the Interface or
another IP in your routed block.

FYI don't try the GRE tunnel trick.. had some problems with fragmentation of
IPSEC packets, speed issues, etc... also your
edge routers will have to run NAT to get those private tunneled outside IP's
to the NET for surf access.

thanks, 

ed 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57680t=57648
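Brunner's recommended layout, written out as an added configuration example for Site A (PIX A and its edge router R1). It is not from the thread and not a Cisco sample; it uses IOS and PIX OS 6.x syntax, and the addresses are constructed from the RFC 5737 documentation ranges: the ISP hands the site a /30 for the router's serial link plus a routed /29 that is split between the router's Ethernet and the PIX outside interface, which is the two-block arrangement described above. R1 does no NAT and no crypto; it only routes. Site B is the mirror image.

```cisco
! Added example; addresses are constructed, not the thread's real ones.
!   ISP /30 at Site A:    203.0.113.0/30   (ISP side .1, R1 Serial0 .2)
!   Routed /29 at Site A: 203.0.113.8/29   (R1 Ethernet0 .9, PIX A outside .10, four spare)
!   Site B:               ISP /30 198.51.100.0/30, routed /29 198.51.100.8/29
!                         (R2 Ethernet0 .9, PIX B outside .10)
!   Inside LANs:          10.1.1.0/24 at A, 10.2.2.0/24 at B
!
! ---------- R1 (IOS): routes only, no NAT, no crypto ----------
interface Serial0
 ip address 203.0.113.2 255.255.255.252
interface Ethernet0
 ip address 203.0.113.9 255.255.255.248
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! ---------- PIX A (PIX OS 6.x; lines starting with ':' are comments) ----------
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
: LAN-to-LAN traffic must bypass translation or it no longer matches the crypto ACL
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn-to-b permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
: Everything else is PATed to the outside interface address (the "global overload")
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: Let decrypted VPN traffic bypass the interface access checks
sysopt connection permit-ipsec
: Phase 1: ISAKMP listens on outside and the peer is PIX B's PUBLIC outside address
isakmp enable outside
isakmp key REPLACE-WITH-A-STRONG-PRESHARED-KEY address 198.51.100.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Phase 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-to-b
crypto map vpnmap 10 set peer 198.51.100.10
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
: PIX B mirrors this: outside 198.51.100.10/29, peer 203.0.113.10, ACLs reversed
```

The `nat (inside) 0 access-list nonat` line is the one people forget: if the LAN-to-LAN traffic were PATed to the outside address before encryption it would no longer match `vpn-to-b` on either side, so it would leave the PIX in the clear instead of through the tunnel. With the tunnel up, `show isakmp sa` shows the Phase 1 association with the public peer and `show crypto ipsec sa` shows the per-ACL encrypt/decrypt counters climbing.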



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Vitaliy Vishnevskiy
I think you might be wrong.  I never had to do this outside of the lab
on two VPN routers and 2 pixes in between doing NAT, but you should be
able to establish an ESP in tunnel mode between two devices using
private addresses with NAT happening somewhere in between.  Remember,
ESP only cares about the payload, not the header.  Therefore as long as
the payload is intact - this is valid.  Of course, both VPN devices
would have to know each other by NATed or in your case public IP
addresses.  I can show you the config, if you like.
Thanks


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Mark W. Odette II
Sent: Tuesday, November 19, 2002 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]



Re: VPN Primer on Cisco site - FYI [7:56618]

2002-11-01 Thread Kent Hundley
FYI,

This paper and other Cisco security docs can also be found at:

http://www.cisco.com/go/safe

Which has the advantage of being easier to remember. ;-)

Regards,
Kent

At 07:58 PM 10/31/2002 +, The Long and Winding Road wrote:
found this while stumbling around:

http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safev_wp.pdf

enjoy

--

www.chuckslongroad.info




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56686t=56618



VPN Primer on Cisco site - FYI [7:56618]

2002-10-31 Thread The Long and Winding Road
found this while stumbling around:

http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safev_wp.pdf

enjoy

--

www.chuckslongroad.info




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56618t=56618



Re: hate cisco's new site? [7:56236]

2002-10-26 Thread The Long and Winding Road
Howard C. Berkowitz  wrote in message
news:200210252303.XAA06341;groupstudy.com...
 Tim Medley wrote:
 
   Oh did they mean to redesign the website? I thought some script
   kiddies defaced it and Cisco hadn't had time to fix it.
 
 
 Nope, marketing kiddies! ;-)
 
 Priscilla
 
 Oh.  Script kiddies with incompetent adult supervision.


CL: all in good fun so far, but I am starting to run into some real issues.
I work for one of Cisco's largest partners, and my CCO account gives me
access to a number of partner specific areas that I use regularly. I was
working on something for a client, was sent a link by Cisco pre-sales (
partner only information link ) and I have been unable to get in. Let's
see - fifteen email messages later: we fixed it, try - grrr no you
didn't ... try it now ... still doesn't work and I am giving up. What's more
irritating is that every time I respond to their automated e-mail, I get a
reply that says write your comments between the lines ( special
formatting ). Thing is, on the original e-mail, these formatting lines do not
exist.

CL: I can live with the marketing crap. I can live with the colors. I can't
live with the loss of certain functionality.

CL: I will say that if you dig around, there can be a lot more and a lot
better information to be found.

CL: I can also say with assurance that there are some tools, like the
configurator, which still need a LOT of work.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56326t=56236



Re: hate cisco's new site? [7:56236]

2002-10-25 Thread Patrick Donlon
It stinks, it doesn't even use the same look throughout, why bother?


Tim Metz  wrote in message
news:200210250414.EAA05528;groupstudy.com...
 I used to bitch about the old one and am now totally screwed... I guess
I'll
 learn to like it ;-(

 Tim

 sam sneed  wrote in message
 news:200210241956.TAA01985;groupstudy.com...
  Am I the only one that hates Cisco's new site? I can't find anything
that
  I'm looking for on the there. Its driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56263t=56236



RE: hate cisco's new site? [7:56236]

2002-10-25 Thread Tshepo Kowane (TO)
u can still access the old site, try this url
http://www.cisco.com/cco.shtml

-Original Message-
From: Tim Metz [mailto:timmetz;hotmail.com]
Sent: 25 October 2002 06:14
To: [EMAIL PROTECTED]
Subject: Re: hate cisco's new site? [7:56236]


I used to bitch about the old one and am now totally screwed... I
guess I'll
learn to like it ;-(

Tim

sam sneed  wrote in message
news:200210241956.TAA01985;groupstudy.com...
 Am I the only one that hates Cisco's new site? I can't find anything
that
 I'm looking for on the there. Its driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56266t=56236



RE: hate cisco's new site? [7:56236]

2002-10-25 Thread mike Dang
I agree.  I prefer the old one.
[EMAIL PROTECTED] wrote: I agree, it is horrible,
absolutely horrible.

-Original Message-
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 12:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]


Am I the only one that hates Cisco's new site? I can't find anything that
I'm looking for on the there. Its driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56275t=56236



Re: hate cisco's new site? [7:56236]

2002-10-25 Thread Howard C. Berkowitz
It's awful. Unless I make an extremely tiny font, I have to scroll to 
get to the search function, which I would swear now has a smaller 
entry field. There's no obvious place to link directly to a search 
page.

Navigation other than search is also rather strange.

So, I filled out the feedback form about the page.  What happened 
when I hit submit?

Internal server error.

I don't know whether to laugh or cry.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56277t=56236



RE: hate cisco's new site? [7:56236]

2002-10-25 Thread Howard C. Berkowitz
At 9:37 AM + 10/25/02, Tshepo Kowane (TO) wrote:
u can still access the old site try this url
http://www.cisco.com/cco.shtml



THANK YOU!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56278t=56236



Re: hate cisco's new site? [7:56236]

2002-10-25 Thread Carroll Kong
Well, a few work arounds.  You can just go straight to the documentation CD

(right now the site seems down for me, ugh, so I cannot verify 100%, the
links are pretty close, and if you navigate hard enough it really just links
back to the universal cd anyway)

http://www.cisco.com/univercd/

OR just go to the bottom right and click on GO TO THE OLD SITE.  And
presto you get your old site back.  Ironically it usually takes a very long
time to load the old site

As for general navigation, if you guys want to find docs, I think it was
under support, hardware (for stuff like the pix) and software for IOS, then
you can drill down and one of them eventually brings you back to the
universal cd.  ;)

While I hate it too, come on guys, we are powerful Cisco Study
candidates, we should be able to solve anything that comes up quickly!  If
we can crunch Cisco problems we can navigate this new nasty site as
well!  :)

 I used to bitch about the old one and am now totally screwed... I guess
I'll
 learn to like it ;-(
 
 Tim
 
 sam sneed  wrote in message
 news:200210241956.TAA01985;groupstudy.com...
  Am I the only one that hates Cisco's new site? I can't find anything that
  I'm looking for on the there. Its driving me up the wall.
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56282t=56236



Re: hate cisco's new site? [7:56236]

2002-10-25 Thread Tom Lisa
I can't get to cisco.com either, must be down.

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco ATC/Regional Networking Academy
Cunctando Restituit Rem
 
 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56286t=56236



RE: hate cisco's new site? [7:56236]

2002-10-25 Thread Tim Medley
Oh did they mean to redesign the website? I thought some script kiddies
defaced it and Cisco hadn't had time to fix it.

tm



Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld
 



-Original Message-
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 3:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]


Am I the only one that hates Cisco's new site? I can't find anything that
I'm looking for on the there. Its driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56254t=56236



Re: hate cisco's new site? [7:56236]

2002-10-25 Thread Brad Ellis
lol...I wouldnt say I hate it, it just takes a little getting used to.  Or
maybe they just want you to spend more time on the website and less time
looking at the current stock price???  :)

-Brad Ellis
CCIE#5796

sam sneed  wrote in message
news:200210241956.TAA01985;groupstudy.com...
 Am I the only one that hates Cisco's new site? I can't find anything that
 I'm looking for on there. It's driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56248t=56236



RE: hate cisco's new site? [7:56236]

2002-10-25 Thread Kaminski, Shawn G
I'm not too fond of the snot green color that was obviously taken from the
color of their cables! :-)

Shawn K.

-Original Message-
From: Tim Medley [mailto:tim.medley;ireadyworld.com]
Sent: Friday, October 25, 2002 1:44 PM
To: [EMAIL PROTECTED]
Subject: RE: hate cisco's new site? [7:56236]


Oh did they mean to redesign the website? I thought some script kiddies
defaced it and Cisco hadn't had time to fix it.

tm



Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld
 



-Original Message-
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 3:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]


Am I the only one that hates Cisco's new site? I can't find anything that
I'm looking for on there. It's driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56318t=56236



RE: hate cisco's new site? [7:56236]

2002-10-25 Thread Priscilla Oppenheimer
Tim Medley wrote:
 
 Oh did they mean to redesign the website? I thought some script
 kiddies defaced it and Cisco hadn't had time to fix it.
 

Nope, marketing kiddies! ;-)

Priscilla

 tm
 
 
 
 Tim Medley, CCNP+Voice, CCDP, CWNA
 Sr. Network Architect
 VoIP Group
 iReadyWorld
  
 
 
 
 -Original Message-
 From: sam sneed [mailto:vristevski;hotmail.com]
 Sent: Thursday, October 24, 2002 3:56 PM
 To: [EMAIL PROTECTED]
 Subject: hate cisco's new site? [7:56236]
 
 
 Am I the only one that hates Cisco's new site? I can't find
 anything that
 I'm looking for on there. It's driving me up the wall.
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56308t=56236



Re: hate cisco's new site? [7:56236]

2002-10-25 Thread sam sneed
So it's not just me, that's good to know.

Kaminski, Shawn G  wrote in message
news:200210252049.UAA17577;groupstudy.com...
 I'm not too fond of the snot green color that was obviously taken from the
 color of their cables! :-)

 Shawn K.

 -Original Message-
 From: Tim Medley [mailto:tim.medley;ireadyworld.com]
 Sent: Friday, October 25, 2002 1:44 PM
 To: [EMAIL PROTECTED]
 Subject: RE: hate cisco's new site? [7:56236]


 Oh did they mean to redesign the website? I thought some script kiddies
 defaced it and Cisco hadn't had time to fix it.

 tm



 Tim Medley, CCNP+Voice, CCDP, CWNA
 Sr. Network Architect
 VoIP Group
 iReadyWorld




 -Original Message-
 From: sam sneed [mailto:vristevski;hotmail.com]
 Sent: Thursday, October 24, 2002 3:56 PM
 To: [EMAIL PROTECTED]
 Subject: hate cisco's new site? [7:56236]


 Am I the only one that hates Cisco's new site? I can't find anything that
 I'm looking for on there. It's driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56321t=56236



RE: hate cisco's new site? [7:56236]

2002-10-25 Thread Howard C. Berkowitz
Tim Medley wrote:

  Oh did they mean to redesign the website? I thought some script
  kiddies defaced it and Cisco hadn't had time to fix it.


Nope, marketing kiddies! ;-)

Priscilla

Oh.  Script kiddies with incompetent adult supervision.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56323t=56236



RE: hate cisco's new site? [7:56236]

2002-10-25 Thread rau ren
THANK YOU.
I wonder how long they will have this one up for. Can we do something
about it :(
 Howard C. Berkowitz  wrote: At 9:37 AM + 10/25/02, Tshepo Kowane (TO)
wrote:
You can still access the old site; try this URL:
http://www.cisco.com/cco.shtml



THANK YOU!
Raul Renteria (CCNA,CCDA,CCNP)
DJ1Integration. NY,NY. 10016


-
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56324t=56236



Re: hate cisco's new site? [7:56236]

2002-10-24 Thread John Neiberger
I'm with you, Mr. Sneed.  I've even had an email conversation with
someone at Cisco where I detailed why I hate their new site.  They have
good intentions and I think once they're completely finished it will be
nice, but at the moment it's hard to navigate.  I suggested that they
allow us to create our own stylized home pages and she said they are
already working on that.

I would love to have that!  My home page would consist of:

Software Center
TAC
Pricing Tool
Service Contract Center
Technical Docs

And that's about it.  I'd love to get rid of all the junk they use to
clutter up the main page.

 sam sneed  10/24/02 1:56:01 PM 
Am I the only one that hates Cisco's new site? I can't find anything
that
I'm looking for on there. It's driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56238t=56236



hate cisco's new site? [7:56236]

2002-10-24 Thread sam sneed
Am I the only one that hates Cisco's new site? I can't find anything that
I'm looking for on there. It's driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56236t=56236



Re: hate cisco's new site? [7:56236]

2002-10-24 Thread MADMAN
I'm getting used to finding stuff but I really dislike the small font,
hard to read!!

  Dave

sam sneed wrote:
 
 Am I the only one that hates Cisco's new site? I can't find anything that
 I'm looking for on there. It's driving me up the wall.
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston
Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56241t=56236



RE: hate cisco's new site? [7:56236]

2002-10-24 Thread [EMAIL PROTECTED]
I agree, it is horrible, absolutely horrible. 

-Original Message-
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 12:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]


Am I the only one that hates Cisco's new site? I can't find anything that
I'm looking for on there. It's driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56246t=56236



RE: hate cisco's new site? [7:56236]

2002-10-24 Thread Paul Forbes
You are by no means the only one. I'm composing a letter to our SE
detailing the many ways in which the new site hinders both
troubleshooting and fact-finding. Now, it appears to be a lot more
marketing and significantly less technical.

For example, the way they have classified everything into software,
hardware and technology is at best obtuse. How many people trying to
troubleshoot/optimize their infrastructure want to wander around until
they find the appropriate tech note? Wouldn't it be simpler and easier
to have it the way it used to be, by product (e.g. CallManager) or by
technology (e.g. EIGRP)?

If enough of us complain, perhaps they'll change it back.

I also think a SlashApp-like RSS feed from CCO would be pretty nice...

Cheers all.

Paul Forbes
Network Engineer
Trimble
+1.408.481.8291

 -Original Message-
 From: sam sneed [mailto:vristevski;hotmail.com] 
 Sent: Thursday, October 24, 2002 12:56 PM
 To: [EMAIL PROTECTED]
 Subject: hate cisco's new site? [7:56236]
 
 
 Am I the only one that hates Cisco's new site? I can't find 
 anything that
 I'm looking for on there. It's driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56249t=56236



Re: hate cisco's new site? [7:56236]

2002-10-24 Thread Tim Metz
I used to bitch about the old one and am now totally screwed... I guess I'll
learn to like it ;-(

Tim

sam sneed  wrote in message
news:200210241956.TAA01985;groupstudy.com...
 Am I the only one that hates Cisco's new site? I can't find anything that
 I'm looking for on there. It's driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56260t=56236



multi site and bridging [7:55760]

2002-10-16 Thread John Brandis

Hi All,
 
Got this problem. Have a site at the moment, site A, running the 172.17.x.x
networks. Management has just informed me that we have just acquired an
empty building down the road, site B. The idea is that we move all servers
and core infrastructure to site B over a series of weekends.  After the
move, we will sell site A.
 
In order to do this, I will need to move all servers, using the same IP
scheme, to building B, thus I will need to have something that resembles a
LAN between the 2 buildings, connected via a frame relay link (Telstra TPIPS).
 
Is there any way possible to have something like a bridged network between
the 2 buildings that will permit me to use the same IP scheme and utilize the
VLANs in use in site A when I move to site B?
 
Thanks all for your help
 
When chuck wakes up, I will give you the whole story on this as he would
love to hear my fights with non technical managers.


**

visit http://www.solution6.com

UK Customers - http://www.solution6.co.uk

*
This email message (and attachments) may contain information that is
confidential to Solution 6. If you are not the intended recipient you cannot
use, distribute or copy the message or attachments.  In such a case, please
notify the sender by return email immediately and erase all copies of the
message and attachments.  Opinions, conclusions and other information in
this message and attachments that do not relate to the official business of
Solution 6 are neither given nor endorsed by it.
*




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=55760t=55760



Re: multi site and bridging [7:55760]

2002-10-16 Thread The Long and Winding Road

John Brandis  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hi All,

 Got this problem. Have a site at the moment, site A, running the 172.17.x.x
 networks. Management has just informed me that we have just acquired an
 empty building down the road, site B. The idea is that we move all servers
 and core infrastructure to site B over a series of weekends.  After the
 move, we will sell site A.

CL: hope the rats, rabbits, and wallabies don't follow you to the new site
:-


 In order to do this, I will need to move all servers, using the same IP
 scheme, to building B, thus I will need to have something that resembles a
 LAN between the 2 buildings, connected via a frame relay link (Telstra TPIPS).

CL: don't you have some high speed alternative like gigabit available? is
this a contract / term / price issue?


 Is there any way possible to have something like a bridged network between
 the 2 buildings that will permit me to use the same IP scheme and utilize the
 VLANs in use in site A when I move to site B?

CL: sure - easily done. in the Cisco world you just need to add the
frame-relay map bridge 16(dlci) ietf broadcast etc commands on the physical
interfaces.



 Thanks all for your help

 When chuck wakes up, I will give you the whole story on this as he would
 love to hear my fights with non technical managers.


CL: whaddaya mean when I wake up? I never sleep! I do spend a lot of my
time in the office contemplating designs and customer issues, something I do
best with my feet up on the desk and my eyes closed ;-





 **

 visit http://www.solution6.com

 UK Customers - http://www.solution6.co.uk

 *
 This email message (and attachments) may contain information that is
 confidential to Solution 6. If you are not the intended recipient you
cannot
 use, distribute or copy the message or attachments.  In such a case,
please
 notify the sender by return email immediately and erase all copies of the
 message and attachments.  Opinions, conclusions and other information in
 this message and attachments that do not relate to the official business
of
 Solution 6 are neither given nor endorsed by it.
 *




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=55761t=55760
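Chuck's answer above, worked through as an added example; this is not configuration from the original thread. A transparent bridge group spans the site A LAN port and the Frame Relay PVC, so the 172.17.x.x hosts keep their addresses and VLAN after they move. Interface names, the DLCI numbers (locally significant, handed out by the carrier) and the single-VLAN case are assumptions.

```text
! --- Site A router (added example, not from the thread) ---
! spanning tree runs across the link, so a second path cannot form a loop
bridge 1 protocol ieee
!
interface FastEthernet0/0
 description site A LAN (the VLAN being moved)
 no ip address
 bridge-group 1
!
interface Serial0/0
 description Telstra Frame Relay PVC to site B
 no ip address
 encapsulation frame-relay ietf
! DLCI 16 is assumed; the map carries bridged frames (and broadcasts) over the PVC
 frame-relay map bridge 16 broadcast ietf
 bridge-group 1
!
! --- Site B router: the mirror image with its own DLCI ---
bridge 1 protocol ieee
!
interface FastEthernet0/0
 description site B LAN, same IP scheme as site A
 no ip address
 bridge-group 1
!
interface Serial0/0
 no ip address
 encapsulation frame-relay ietf
 frame-relay map bridge 17 broadcast ietf
 bridge-group 1
```

To carry several of site A's VLANs, give each one its own bridge group on a dot1Q subinterface of the LAN port and its own PVC on a point-to-point Frame Relay subinterface (`frame-relay interface-dlci` plus `bridge-group`); a single bridge group would merge them into one broadcast domain, and whatever was kept apart by VLAN at site A is then kept apart only as well as the bridge groups are. Every ARP and broadcast from both buildings crosses the PVC, and Frame Relay carries it in the clear across the carrier.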



RE: Off topic - Cisco's jazzy web site [7:54966]

2002-10-08 Thread Gaz

I think the idea is that when you look for a 2600 for example, 
everything is there together (the sales gumpf, the tech specs, etc etc)
Not sure whether that's a good idea or not. As an engineer you're fairly 
regularly going to certain areas, and it's handy to have the info for 
all the routers there, rather than going to a different place for each 
router (if that's the way it's going).

Gaz


In article , 
[EMAIL PROTECTED] says...
 I'm seeing more integration between the marketing materials and the
 technical materials. As expected, the marketing seems to be prominent.
 I'll keep an open mind as to its improved/not improved logic.
 
  -Original Message-
  From: John Neiberger [mailto:[EMAIL PROTECTED]]
 
  Ugh...I just took a look.  Am I the only one who thinks this 
  is horrid?
  Perhaps I'm too used to the old layout but this seems to be much more
  difficult to follow.  
  
  Oh well, in a few months I'm sure it will be old-hat.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=55129t=54966



Re: Off topic - Cisco's jazzy web site [7:54966]

2002-10-07 Thread John Neiberger

Ugh...I just took a look.  Am I the only one who thinks this is horrid?
Perhaps I'm too used to the old layout but this seems to be much more
difficult to follow.  

Oh well, in a few months I'm sure it will be old-hat.

John

 Nigel Taylor  10/6/02 1:13:25 PM 
Hey Chuck,
Yep, I noticed this as well.  The greatest addition
to
the new site is the button/link(image) that read Go to the old Site.
After mastering where all the information is on CCO, it's going to
take
some time to familiarize myself with the new layout..

Nigel

- Original Message -
From: Chuck's Long Road 
To: 
Sent: Sunday, October 06, 2002 10:46 AM
Subject: Off topic - Cisco's jazzy web site [7:54966]


 Apparently the elves were busy last night. CCO has a new look.

 www.cisco.com 



 --

 www.chuckslongroad.info 
 like my web site?
 take the survey!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=55007t=54966



RE: Off topic - Cisco's jazzy web site [7:54966]

2002-10-07 Thread Daniel Cotts

I'm seeing more integration between the marketing materials and the
technical materials. As expected, the marketing seems to be prominent.
I'll keep an open mind as to its improved/not improved logic.

 -Original Message-
 From: John Neiberger [mailto:[EMAIL PROTECTED]]

 Ugh...I just took a look.  Am I the only one who thinks this 
 is horrid?
 Perhaps I'm too used to the old layout but this seems to be much more
 difficult to follow.  
 
 Oh well, in a few months I'm sure it will be old-hat.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=55008t=54966



RE: Off topic - Cisco's jazzy web site [7:54966]

2002-10-07 Thread John Neiberger

I think that's what's bugging me.  The main page is WAY too busy; too
much information makes it difficult to take in.  I think they should
include an expert mode that turns off the 'helpful' notes about which
links do what.  If they really wanted to be helpful, they should allow
customizable home pages so that when we log in we have the items most
important to us immediately available.  If Excite can do it, I'm sure
Cisco can.  :-)

John

 Daniel Cotts  10/7/02 10:32:16 AM 
I'm seeing more integration between the marketing materials and the
technical materials. As expected, the marketing seems to be prominent.
I'll keep an open mind as to its improved/not improved logic.

 -Original Message-
 From: John Neiberger [mailto:[EMAIL PROTECTED]] 

 Ugh...I just took a look.  Am I the only one who thinks this 
 is horrid?
 Perhaps I'm too used to the old layout but this seems to be much
more
 difficult to follow.  
 
 Oh well, in a few months I'm sure it will be old-hat.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=55041t=54966



Off topic - Cisco's jazzy web site [7:54966]

2002-10-06 Thread Chuck's Long Road

Apparently the elves were busy last night. CCO has a new look.

www.cisco.com



--

www.chuckslongroad.info
like my web site?
take the survey!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54966t=54966



Re: Off topic - Cisco's jazzy web site [7:54966]

2002-10-06 Thread Nigel Taylor

Hey Chuck,
Yep, I noticed this as well.  The greatest addition to
the new site is the button/link(image) that read Go to the old Site.
After mastering where all the information is on CCO, it's going to take
some time to familiarize myself with the new layout..

Nigel

- Original Message -
From: Chuck's Long Road 
To: 
Sent: Sunday, October 06, 2002 10:46 AM
Subject: Off topic - Cisco's jazzy web site [7:54966]


 Apparently the elves were busy last night. CCO has a new look.

 www.cisco.com



 --

 www.chuckslongroad.info
 like my web site?
 take the survey!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54973t=54966



Re: Off topic - Cisco's jazzy web site [7:54966]

2002-10-06 Thread Gaz

In article , 
[EMAIL PROTECTED] says...
 Hey Chuck,
 Yep, I noticed this as well.  The greatest addition to
 the new site is the button/link(image) that read Go to the old Site.
 After mastering where all the information is on CCO, it's going to take
 some time to familiarize myself with the new layout..
 
 Nigel
 
 - Original Message -
 From: Chuck's Long Road 
 To: 
 Sent: Sunday, October 06, 2002 10:46 AM
 Subject: Off topic - Cisco's jazzy web site [7:54966]
 
 
  Apparently the elves were busy last night. CCO has a new look.
 
  www.cisco.com
 
 
 
  --
 
  www.chuckslongroad.info
  like my web site?
  take the survey!
We went to a Cisco presentation to introduce the new web site. It has 
been developed from customer feedback apparently.
I'm sure most customers would say leave the bloody thing alone for a bit 
:-)

Myself and 2 CCIE's went to the two hour presentation, and had to 
chuckle as we walked out and our summary was Same shit - different 
place

Can't knock it really though. I have worked with masses of different 
products over the years, and in my view, one of the best things about 
Cisco is the availability and quality of information on their web site.


Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54977t=54966



Site To Site VPN b/w PIX 515 and Open BSD [7:53511]

2002-09-17 Thread Curious

All-
Does anyone know how to configure a site-to-site VPN over an IPSEC tunnel b/w a
PIX 515 and OpenBSD?

Thanks


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53511t=53511



Re: 150 site, site-to-site VPN [7:42661]

2002-09-02 Thread Greg

I think you're talking about pre-shared keys; the other option is to use
public and private keys with either an outside third party or a certificate
authority yourself.
Steven A. Ridder  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Guys,

 I have a global financial company that is upgrading their core data
 infrastructure (bunch of 7200's and 6509's, etc), opening up 150 remote
 locations over the next few years, going all IP telephony with Call
Mangers
 and now wants to encrypt ALL traffic to all sites.  I know site-to -site
 VPN's can be achieved with key's configured in the crypto maps in IOS, but
 what if someone compromises the key on the IOS.  I, or my client, if we
even
 knew the key was stolen, would have to update all the routers across the
 network.

 What options do you recommend for using certificate servers to distribute
 keys instead?  What problems have you encountered with this?  Would it be
 easier to just have the client update the key's once a month via
CiscoWorks?

 --
 RFC 1149 Compliant

 Get in my head:
 http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52539t=42661
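Greg's two options side by side, as an added example (not configuration from the thread): the ISAKMP part of one spoke router's IOS config, first with a per-peer pre-shared key and then with RSA signatures issued by the company's own CA. The hostname, domain, CA URL, the hub address 198.51.100.2 and the 12.2-era `crypto ca` command names are assumptions.

```text
! ===== Option A: pre-shared key (added example, not from the thread) =====
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! one key per peer; 198.51.100.2 is an assumed hub address
crypto isakmp key example-psk-not-for-prod address 198.51.100.2
! Do not shortcut 150 sites with a wildcard such as
!   crypto isakmp key <same-key> address 0.0.0.0 0.0.0.0
! A config read off one stolen router then authenticates as any site, and the
! only remedy is to re-key every router, which is exactly Steven's worry.
!
! ===== Option B: RSA signatures with an in-house CA =====
hostname site-017
ip domain-name example.com
!
! exec mode: each router generates its own key pair; the private key never leaves the box
crypto key generate rsa
!
crypto ca trustpoint CORP-CA
 enrollment url http://ca.example.com:80
! CRL checking is left mandatory on purpose; "crl optional" would let a
! revoked router's certificate through whenever the CRL cannot be fetched
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! exec mode: pull the CA certificate, compare its fingerprint with the CA
! operator out of band, then request this router's own certificate
crypto ca authenticate CORP-CA
crypto ca enroll CORP-CA
```

With option B a router that goes missing is revoked at the CA and every other site rejects it at its next CRL refresh, with no change to the other 149 configs. The costs are operational: the CRL distribution point must be reachable from every spoke or tunnels will not come up, and each router certificate has to be re-enrolled before its lifetime runs out.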



RE: 150 site, site-to-site VPN [7:42661]

2002-09-02 Thread Juan Blanco

I totally agree with you: too many sites, too many worries, too many
configurations. A CA will be your answer.

Juan Blanco

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Greg
Sent: Monday, September 02, 2002 9:44 AM
To: [EMAIL PROTECTED]
Subject: Re: 150 site, site-to-site VPN [7:42661]


I think you're talking about pre-shared keys; the other option is to use
public and private keys with either an outside third party or a certificate
authority yourself.
Steven A. Ridder  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Guys,

 I have a global financial company that is upgrading their core data
 infrastructure (bunch of 7200's and 6509's, etc), opening up 150 remote
 locations over the next few years, going all IP telephony with Call
Mangers
 and now wants to encrypt ALL traffic to all sites.  I know site-to -site
 VPN's can be achieved with key's configured in the crypto maps in IOS, but
 what if someone compromises the key on the IOS.  I, or my client, if we
even
 knew the key was stolen, would have to update all the routers across the
 network.

 What options do you recommend for using certificate servers to distribute
 keys instead?  What problems have you encountered with this?  Would it be
 easier to just have the client update the key's once a month via
CiscoWorks?

 --
 RFC 1149 Compliant

 Get in my head:
 http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52548t=42661



RE: How to setup Pix site-to-site VPN with overlapping [7:50255]

2002-08-02 Thread Silju Pillai

HI David,

I have a link for you. It may help you a bit. It says to NAT the existing
addresses to a different address at both sites (although the document says
one because of the concentrator).

http://www.cisco.com/warp/public/707/vpn_pix_private.html.

If you are trying this, just tell me if it works or not.

regards
Silju


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=50556t=50255
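The NAT approach Silju points to, written out as an added example for the two PIX 515s in David's question below; it is not configuration from the thread or from the linked document. Each PIX translates its own 172.16.1.0/24 into a distinct "fake" network before encrypting, so the two identical real networks never meet inside the tunnel. It assumes PIX 6.3 policy NAT (a `static` keyed to an access-list), which the 6.2(2) in the question does not offer, and the fake networks 192.168.1.0/24 (site 1) and 192.168.2.0/24 (site 2) are assumptions.

```text
! --- PIX 1: outside 207.172.4.5, inside 172.16.1.0/24, shown to site 2 as 192.168.1.0/24 ---
! Policy NAT: only traffic bound for site 2's fake network is translated;
! everything else still uses PAT to the Internet.
access-list nat-site2 permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
static (inside,outside) 192.168.1.0 access-list nat-site2
nat (inside) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
!
! The crypto ACL matches the translated addresses, because the PIX translates
! before it encrypts. Writing 172.16.1.0 here is the usual mistake.
access-list vpn-site2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn-site2
crypto map site2site 10 set peer 12.45.2.9
crypto map site2site 10 set transform-set strong
crypto map site2site interface outside
isakmp enable outside
isakmp key example-psk-not-for-prod address 12.45.2.9 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! lets decrypted traffic bypass the outside ACL; drop this and write explicit
! permits for 192.168.2.0/24 if the firewall is meant to filter the tunnel too
sysopt connection permit-ipsec
!
! --- PIX 2: outside 12.45.2.9, same inside 172.16.1.0/24, shown to site 1 as 192.168.2.0/24 ---
access-list nat-site1 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list nat-site1
access-list vpn-site1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map site2site 10 match address vpn-site1
crypto map site2site 10 set peer 207.172.4.5
isakmp key example-psk-not-for-prod address 207.172.4.5 netmask 255.255.255.255
! nat/global, transform-set and the remaining crypto map and isakmp lines as on PIX 1
```

A host at site 1 reaches 172.16.1.50 at site 2 by addressing 192.168.2.50, so DNS (or hosts files) at each site has to hand out the other side's fake addresses; applications that embed their own IP address in the payload will still show the real one.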



How to setup Pix site-to-site VPN with overlapping IP addresses [7:50255]

2002-07-31 Thread david smith

I have this scenario:

Network 1 with IP address 172.16.1.0/24 is on the inside interface of a 
Pix 515 running Code version 6.2(2) and PDM 2.0(2). The IP address
of the Pix inside interface is 172.16.1.1.  Workstations on network
172.16.1.0/24 can access the Internet via Port Address Translation (PAT) 
just fine.  The IP address of the outside interface is
207.172.4.5


Network 2 with IP address 172.16.1.0/24 is on the inside interface of a 
Pix 515 running Code version 6.2(2) and PDM 2.0(2). The IP address
of the Pix inside interface is 172.16.1.1.  Workstations on network
172.16.1.0/24 can access the Internet via Port Address Translation (PAT) 
just fine.  The IP address of the outside interface is
12.45.2.9

I would like to setup a Site-to-Site VPN between these two network.
I know that dual-NAT will have to be done on both ends.  I've been
looking at Cisco website for documentation on how to do this.  But
so far, I've not been able to find it.  By the way, RE-IPing one of
the network IS NOT AN OPTION.  I know how to set up Site-to-Site
VPN with NON-overlapping address with Pix Firewalls on both end but not
when they have identical address space on both end.

I know how to do this with CheckPoint Next Generation (NG).  With
CP, it is very simple.

I am sure this has been done before.  Can someone give me an example on
how to get this done?  Just send me the configuration and I know how
to figure out from there.

Regards,



_
Send and receive Hotmail on your mobile device: http://mobile.msn.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=50255t=50255



Can we save the pdf file from CCO web site? [7:49623]

2002-07-25 Thread Nuurul Basar Mohd Baki

Hi,

Can I download and save pdf files from the CCO web site, or do I need to
have a different ID and password for that?


Thanks

Basar




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=49623t=49623



Re: Can we save the pdf file from CCO web site? [7:49623]

2002-07-25 Thread Monty

No, you don't need anything else. Try before you post a query next time.
- monty


Nuurul Basar Mohd Baki  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hai,

 Can I download and save pdf files from the CCO web site, or do I need to
 have a different ID and password for that?


 Thanks

 Basar




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=49639t=49623



Frame Relay multi site [7:48927]

2002-07-16 Thread Kiddo Guy

I have 3 sites that I need to connect together.  Telco has setup a port and
a single PVC for each site.  Basically you have the following diagram

          Site A
           /  \
          /    \
     Site B -- Site C

It's basically a triangle with three circuits, each going to each other. 
Telco has a single DLCI and built one PVC for each site.  So Site A would
have DLCI 1, Site B would have DLCI 2 and Site C would have DLCI 3.  How
would I configure it so that all three sites can talk to each other?  Would
it be using a frame relay multipoint subinterface with two DLCIs defined under
the subinterface?  Any comments would be appreciated.

Kid

 

 



-
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48927t=48927



RE: Frame Relay multi site [7:48927]

2002-07-16 Thread Kris Keen

p2mp would work


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48977t=48927
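Kris's "p2mp" answer in configuration form, as an added example that is not from the thread. The question describes a triangle, so the example assumes each site's port actually carries two PVCs, one to each of the other sites; the DLCI numbers (102 and 103 at site A, 201 and 203 at site B, 301 and 302 at site C), the interface names and the 10.1.1.0/24 subnet are all assumptions.

```text
! --- Site A (added example; DLCIs and addresses are assumptions) ---
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 multipoint
 ip address 10.1.1.1 255.255.255.0
 frame-relay map ip 10.1.1.2 102 broadcast
 frame-relay map ip 10.1.1.3 103 broadcast
!
! --- Site B ---
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 multipoint
 ip address 10.1.1.2 255.255.255.0
 frame-relay map ip 10.1.1.1 201 broadcast
 frame-relay map ip 10.1.1.3 203 broadcast
!
! --- Site C ---
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 multipoint
 ip address 10.1.1.3 255.255.255.0
 frame-relay map ip 10.1.1.1 301 broadcast
 frame-relay map ip 10.1.1.2 302 broadcast
```

Because the mesh is full, every router has a direct PVC to every other, so split horizon on the multipoint subinterface hides no route and needs no tweaking; that changes the moment one PVC is dropped and the topology degrades to hub-and-spoke. `show frame-relay pvc` on each router should list both DLCIs as ACTIVE before the maps are suspected.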



Real ZOO web site, welcome! ID [7:46951]

2002-06-18 Thread Farmgirl17085

The BEST zoo site on the @net!
Sex With Dogs
Horse Blow Jobs.
Snake @!#$.
REAL ANIMAL FUCKING!
100% HARDCORE!
ww1.only-beasts.com



unsub
Good luck, .




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46951t=46951



Re: Real ZOO web site, welcome! ID [7:46951]

2002-06-18 Thread Michael L. Williams

WOOHOO!!  I have been DYING for a site like this to FINALLY appear on the
internet!!!

Why do these lamers even bother to advertise their crap?!?!?

LOL!

Mike W.

Farmgirl17085  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 The BEST zoo site on the @net!
 Sex With Dogs
 Horse Blow Jobs.
 Snake @!#$.
 REAL ANIMAL FUCKING!
 100% HARDCORE!
 ww1.only-beasts.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46956t=46951



Re: Real ZOO web site, welcome! ID [7:46951]

2002-06-18 Thread [EMAIL PROTECTED]

Because Sick-Os pay for it.

I hate these sites so much that I won't even hack them to get rid of them. 
 I don't want to see the images on my computer even for a second. 

Moderator dude!  Yo!  Ban this stuff please!

Theo






Michael L. Williams 
Sent by: [EMAIL PROTECTED]
06/19/2002 09:32 AM
Please respond to Michael L. Williams

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: Real ZOO web site, welcome! ID [7:46951]


WOOHOO!!  I've have been DYING for a site like this to FINALLY appear on 
the
internet!!!

Why do these lamers even bother to advertise their crap?!?!?

LOL!

Mike W.

Farmgirl17085  wrote in message
news:[EMAIL PROTECTED]...
 The BEST zoo site on the @net!
 Sex With Dogs
 Horse Blow Jobs.
 Snake @!#$.
 REAL ANIMAL FUCKING!
 100% HARDCORE!
 ww1.only-beasts.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46959t=46951



RE: Real ZOO web site, welcome! IDflvfrCjurxsvwxg| [7:46951]

2002-06-18 Thread Paul Borghese

Oops, looks as if I will need to add a few additional keywords for the
moderators queue :-).

I am still trying to figure out how this message bypassed the Anti-Spam
mechanisms of the site.

Paul Borghese






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46964t=46951



Query on Site to Site VPN [7:46712]

2002-06-16 Thread Anil Kumar

Hi All,

I have an office which is connected to the internet through an ISDN line with a
router. A PIX firewall has been installed and connected in the same office.

I have another office which has a leased line to the internet, connected
with a PIX. The standard config has been followed on both the PIX firewalls.

Now if I need to create a site-to-site VPN tunnel between these PIXes, will it
work, since on one side I am getting a dynamic IP address from the ISP (ISDN
line)? On the other side, since it is a leased line, I have obtained a static IP address.

Is it necessary that I have a static IP address on both sides?

Can some one help on this..

 

Thanks in Advance..

Regards..Anil

 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46712t=46712



Re: Query on Site to Site VPN [7:46712]

2002-06-16 Thread Steven A. Ridder

You do need two static IP's in order to set up the crypto maps.

--

RFC 1149 Compliant.



Anil Kumar  wrote in message
news:[EMAIL PROTECTED]...
 Hi All,

 I have an office which is connected to the internet through an ISDN line with
 a router. A PIX firewall has been installed and connected in the same office.

 I have another office which has a leased line to the internet, connected
 with a PIX. The standard config has been followed on both the PIX
 firewalls.

 Now if I need to create a site-to-site VPN tunnel between these PIXes, will
 it work, since on one side I am getting a dynamic IP address from the ISP (ISDN
 line)? On the other side, since it is a leased line, I have obtained a static IP
 address.

 Is it necessary that I have a static IP address on both sides?

 Can some one help on this..



 Thanks in Advance..

 Regards..Anil









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46721t=46712



Re: Query on Site to Site VPN [7:46712]

2002-06-16 Thread Ciaron Gogarty

Not necessarily; the following link explains how to set up a LAN-to-LAN
tunnel using PIXes where one is receiving an address via DHCP.

http://www.cisco.com/warp/customer/110/dynamicpix.html


- Original Message -
From: Steven A. Ridder 
To: 
Sent: Sunday, June 16, 2002 6:51 PM
Subject: Re: Query on Site to Site VPN [7:46712]


 You do need two static IP's in order to set up the crypto maps.

 --

 RFC 1149 Compliant.



 Anil Kumar  wrote in message
 news:[EMAIL PROTECTED]...
  Hi All,
 
  I have an office which is connected to the internet through an ISDN line
  with a router. A PIX firewall has been installed and connected in the same office.

  I have another office which has a leased line to the internet,
  connected with a PIX. The standard config has been followed on both the PIX
  firewalls.

  Now if I need to create a site-to-site VPN tunnel between these PIXes,
  will it work, since on one side I am getting a dynamic IP address from the
  ISP (ISDN line)? On the other side, since it is a leased line, I have obtained
  a static IP address.

  Is it necessary that I have a static IP address on both sides?
 
  Can some one help on this..
 
 
 
  Thanks in Advance..
 
  Regards..Anil
 
 
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46724t=46712
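The static-to-dynamic arrangement that the linked Cisco note describes, written out here as an added example; this is not code from the thread or from Cisco's page. The office with the fixed address (assumed 203.0.113.1, inside network 10.1.1.0/24) uses a dynamic crypto map and a wildcard pre-shared key, so it accepts an IKE peer from any source address and learns the protected networks from the peer's proposal. The ISDN office (inside network 10.2.2.0/24, dynamic outside address) carries an ordinary static crypto map pointing at the fixed peer. All addresses, names and the key are placeholders; the command syntax is PIX 6.x.

```cisco
! ===== Static-address PIX (leased-line office, 203.0.113.1) =====
! Traffic between the two inside networks must bypass NAT.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
! Let decrypted IPsec traffic through without a separate conduit/ACL.
sysopt connection permit-ipsec
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
! Dynamic map: no "set peer" and no "match address", so a peer arriving from
! any address can negotiate and its proxy identities define the tunnel.
crypto dynamic-map DYNMAP 10 set transform-set STRONG
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
isakmp enable outside
! Wildcard key: 0.0.0.0/0 matches any peer address. Anyone holding this key
! can bring up a tunnel from anywhere, so guard it like a site credential.
isakmp key S3cr3tK3y-placeholder address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ===== Dynamic-address PIX (ISDN office) =====
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
! Ordinary static map: "set peer" names the other office's fixed address.
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address nonat
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set STRONG
crypto map VPNMAP interface outside
isakmp enable outside
! Key is bound to the one known peer, not to a wildcard.
isakmp key S3cr3tK3y-placeholder address 203.0.113.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two caveats a practitioner will want. First, only the ISDN side can initiate: the static PIX has no peer address to send IKE to until the dynamic side shows up, so traffic originating at the leased-line office will not bring the tunnel up on its own. Second, the wildcard key weakens peer authentication, because any host presenting that secret from any address is accepted; certificates remove that weakness. After the ISDN side sends interesting traffic, `show isakmp sa` and `show crypto ipsec sa` on either PIX should show the phase 1 and phase 2 SAs, and `debug crypto isakmp` shows why a negotiation fails if they do not.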



150 site, site-to-site VPN [7:42661]

2002-04-26 Thread Steven A. Ridder

Guys,

I have a global financial company that is upgrading their core data
infrastructure (bunch of 7200's and 6509's, etc.), opening up 150 remote
locations over the next few years, going all IP telephony with Call Managers,
and now wants to encrypt ALL traffic to all sites.  I know site-to-site
VPNs can be achieved with keys configured in the crypto maps in IOS, but
what if someone compromises the key on the IOS?  I, or my client, if we even
knew the key was stolen, would have to update all the routers across the
network.

What options do you recommend for using certificate servers to distribute
keys instead?  What problems have you encountered with this?  Would it be
easier to just have the client update the keys once a month via CiscoWorks?

--
RFC 1149 Compliant

Get in my head:
http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42661t=42661
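A side-by-side of the two key-management options the post weighs, added here as an example and not part of the thread. Option A is the pre-shared-key approach: the same secret sits in every router's configuration, so one compromised router (or one copied `show running-config`) means re-keying every peer that shared it. Option B enrols each router with a corporate CA over SCEP and authenticates IKE with RSA signatures; a compromised router's certificate is then revoked at the CA, every other peer learns of it from the CRL, and no other router's configuration changes. Names (CORP-CA, the CA URL, peer and network addresses, the key) are placeholders. The syntax is IOS 12.3-style; `revocation-check crl` is assumed to exist on the running image.

```cisco
! Shared by both options: which traffic the crypto map protects (assumed networks).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.42.0.0 0.0.255.255
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac

! ===== Option A: pre-shared key (the "key in the crypto map" approach) =====
! Bind the key to one peer address rather than 0.0.0.0 0.0.0.0; a wildcard
! key would let any host that learns the secret negotiate from anywhere.
! Either way, rotating it means touching every router that shares it.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key Pr3Sh4r3d-placeholder address 203.0.113.10
crypto map SITES 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set STRONG
 match address VPN-TRAFFIC

! ===== Option B: certificates from a corporate CA =====
! Each router generates its own RSA pair; the private key never leaves the box.
crypto key generate rsa general-keys modulus 2048
! Trustpoint: where to enrol (SCEP) and how to check revocation.
crypto ca trustpoint CORP-CA
 enrollment url http://ca.corp.example:80
 subject-name CN=branch-042.corp.example,OU=WAN
 revocation-check crl
! One-time enrolment per router (interactive, challenge password from the CA):
!   crypto ca authenticate CORP-CA   <- fetch the CA cert, compare its fingerprint out of band
!   crypto ca enroll CORP-CA         <- submit the CSR, install the router's own cert
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
! No "crypto isakmp key" line at all: peers prove identity with their certificate.
crypto map SITES 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set STRONG
 match address VPN-TRAFFIC
```

`show crypto ca certificates` confirms that both the CA certificate and the router certificate are installed, and `show crypto isakmp sa` confirms that phase 1 came up with rsa-sig. Two operational points follow from the design: with `revocation-check crl` the router must be able to fetch the CRL, and a peer whose CRL cannot be retrieved is rejected rather than waved through, so the CRL distribution point needs to be reachable from every site; and the CA's signing key is now the secret whose compromise affects all 150 sites, so it deserves more isolation than any single router did.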



Site-Site VPN Performance [7:41924]

2002-04-19 Thread Jeffrey Reed

I have a situation where a customer, a school district, has the use of a
SONET ring (3M connection) to connect 5 of his elementary schools back to
the main district office. There are other schools on the ring, so they are
currently using old PIX 1s to establish private tunnels back to the
main site. We are using 2500s at each of the schools for routing. I want to
replace those boxes with something that will facilitate dot1q inter-VLAN
routing. I'm thinking of the newer 1721 router with a VPN accelerator
module. Will this unit provide 3M worth of sustained throughput, or should we
be looking at a larger router?

Jeff Reed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=41924t=41924


