RE: Farm Site [7:66090]
Looks ok to me, just a pity that there isn't a CIP card for the 6509 chassis :)

[EMAIL PROTECTED] wrote:

This is a network requirement:

It is a Farm Site, with Channel interfaces, connection to Mainframe (OSA FETCH and OSA ATM), 215 other servers (Windows 2000 and Unix) and 31 serial interfaces.

There will be one 10 Mbps ATM PVC to each big site (5 PVCs total) and 1 Mbps serial links to small sites (31 sites).

The idea was using a 6509 with FlexWan and ATM interfaces to provide high-speed access to the corporate sites with the highest speed requirements. The 6509 would also provide 215 FastEthernet interfaces to the servers.

For small offices, 7507 routers would be used. The 7507 would also provide interfaces to the Channels and to the OSA interfaces of a Mainframe.

Corporate Sites ATM Cloud -- 6509 with FlexWan and PA ATM --- 215 FastEthernet interfaces
                             ||
                             ||
                              |
                            7507 --- 15 serial interfaces
                             |
                             |_ channel CX-CIP2-ECAP1
                             |__ to OSA FETCH
                             |
                             |
                            7507 --- 16 serial interfaces
                             |_ channel CX-CIP2-ECAP1
                             |__ to OSA ATM

Redundancy is not a concern. It is a mirror site and will be used during the recovery time of the main Farm site.

Any thoughts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66124t=66090
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Farm Site [7:66068]
Any comments on the following network requirement?

It is a Farm Site, with Channel interfaces, connection to Mainframe (OSA FETCH and OSA ATM), 215 other servers (Windows 2000 and Unix) and 31 serial interfaces.

There will be one 10 Mbps ATM PVC to each big site (5 PVCs total) and 1 Mbps serial links to small sites (31 sites).

The idea was using a 6509 with FlexWan and ATM interfaces to provide high-speed access to the corporate sites with the highest speed requirements. The 6509 would also provide 215 FastEthernet interfaces to the servers.

For small offices, 7507 routers would be used. The 7507 would also provide interfaces to the Channels and to the OSA interfaces of a Mainframe.

Corporate Sites ATM Cloud -- 6509 with FlexWan and PA ATM --- 215 FastEthernet interfaces
                             ||
                             ||
                              |
                            7507 --- 15 serial interfaces
                             |
                             |_ channel CX-CIP2-ECAP1
                             |__ to OSA FETCH
                             |
                             |
                            7507 --- 16 serial interfaces
                             |_ channel CX-CIP2-ECAP1
                             |__ to OSA ATM

Redundancy is not a concern. It is a mirror site and will be used during the recovery time of the main Farm site.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66068t=66068
Farm Site [7:66090]
This is a network requirement:

It is a Farm Site, with Channel interfaces, connection to Mainframe (OSA FETCH and OSA ATM), 215 other servers (Windows 2000 and Unix) and 31 serial interfaces.

There will be one 10 Mbps ATM PVC to each big site (5 PVCs total) and 1 Mbps serial links to small sites (31 sites).

The idea was using a 6509 with FlexWan and ATM interfaces to provide high-speed access to the corporate sites with the highest speed requirements. The 6509 would also provide 215 FastEthernet interfaces to the servers.

For small offices, 7507 routers would be used. The 7507 would also provide interfaces to the Channels and to the OSA interfaces of a Mainframe.

Corporate Sites ATM Cloud -- 6509 with FlexWan and PA ATM --- 215 FastEthernet interfaces
                             ||
                             ||
                              |
                            7507 --- 15 serial interfaces
                             |
                             |_ channel CX-CIP2-ECAP1
                             |__ to OSA FETCH
                             |
                             |
                            7507 --- 16 serial interfaces
                             |_ channel CX-CIP2-ECAP1
                             |__ to OSA ATM

Redundancy is not a concern. It is a mirror site and will be used during the recovery time of the main Farm site.

Any thoughts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66090t=66090
Site to Site VPN on VPN Concentrator 3005 [7:65596]
Guys,

I have set up VPN (Site to Site Cisco VPN Client) on PIX; now we are moving off the PIX and buying a Cisco VPN Concentrator 3005. I have heard that the Cisco VPN Concentrator is not a good choice for Site to Site VPN connections. Please tell me whether it is true, and why a dedicated VPN device is not suitable for Site to Site VPN.

thanks,
--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65596t=65596
Backup Site - 152Mbps [7:63866]
To build a backup server farm site (22 servers), with a maximum requirement of 152 Mbps (peak):

Economic approach:
  3640 with ATM module
  3550-48-SMI
  3 ATM PVCs, to the major points of the backbone (LS1010 switches and 6509-FlexWan ATM card); each PVC 5 Mbps SCR.

Robust and Scalable approach:
  6006 with ATM module

The peak is considering the maximum rate if all servers were accessed at the same time (based on MRTG daily statistics).

Any thoughts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63866t=63866
Re: Backup Site - 152Mbps [7:63866]
wrote in message news:[EMAIL PROTECTED]

To build a backup server farm site (22 servers), with a maximum requirement of 152 Mbps (peak):

Economic approach:
  3640 with ATM module
  3550-48-SMI
  3 ATM PVCs, to the major points of the backbone (LS1010 switches and 6509-FlexWan ATM card); each PVC 5 Mbps SCR.

Robust and Scalable approach:
  6006 with ATM module

The peak is considering the maximum rate if all servers were accessed at the same time (based on MRTG daily statistics).

Any thoughts?

Based on my experience, the 3640 may not give you the performance you require, especially if you are using any access-lists, route-maps, or QoS. Also, with your peaks at well over 100 meg, you might want to consider a gig interface on the LAN side.

A thought - use a dual ethernet router like a 3745 (twice the performance of the 3640) in combination with the switch (which can easily handle the load); put your servers into two subnets / vlans and do quasi-load-sharing across those two ethernet interfaces. Depends on your traffic requirements.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63873t=63866
Re: Backup Site - 152Mbps [7:63866]
I'm never a big fan of having backup sites that lie active | standby! You may want to look at getting a CSS and doing GSLB (Global Server Load Balancing!)

Anyway, back to your question ... How much of the traffic is local? You say that you have a peak of 152MB's, but you will only have 3 x 5MB PVCs coming into the server farm? Do you have a lot of traffic between the servers?? If not, a 3620 would even be sufficient, with ATM interface and FE interface. It also depends on how much resilience you would like in this backup site.

I have a similar scenario, where I make use of a 3620, with 100FX and 100TX interfaces, going to a 3548G-L3, and from there into server / user vlans etc!

Cheers
Troy

The Long and Winding Road wrote:

wrote in message news:[EMAIL PROTECTED]

To build a backup server farm site (22 servers), with a maximum requirement of 152 Mbps (peak):

Economic approach:
  3640 with ATM module
  3550-48-SMI
  3 ATM PVCs, to the major points of the backbone (LS1010 switches and 6509-FlexWan ATM card); each PVC 5 Mbps SCR.

Robust and Scalable approach:
  6006 with ATM module

The peak is considering the maximum rate if all servers were accessed at the same time (based on MRTG daily statistics).

Any thoughts?

Based on my experience, the 3640 may not give you the performance you require, especially if you are using any access-lists, route-maps, or QoS. Also, with your peaks at well over 100 meg, you might want to consider a gig interface on the LAN side.

A thought - use a dual ethernet router like a 3745 (twice the performance of the 3640) in combination with the switch (which can easily handle the load); put your servers into two subnets / vlans and do quasi-load-sharing across those two ethernet interfaces. Depends on your traffic requirements.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63878t=63866
ISDN BRI- 3-site, Full Mesh - DDR w/Dialer Profile [7:63570]
Each of the three routers had the same exact config, except for details such as username/password for CHAP, IPs, phone #'s, etc. The config'd items were the same:

1 BRI int
2 Dialer ints (dialer profile for each of the other 2 sites)
1 dialer pool

This was in a lab at school and is disconnected now. However, the issue was I could get the first connection up fine. For example SJ-1 to London, and the pings were good. Then, with the 1st connection up, I couldn't get the 2nd. DEBUG showed: it couldn't dial b/c 2 calls were going on and 2 was the max. BUT sh dialer showed the 1st B-channel connected and the 2nd idle. The debug output was from the dialer.

I got it to work by using the min parameter in the dialer-pool member command (set it to 2). I want to know why this worked. What am I not understanding? I have read a lot of the DDR and ISDN BRI documentation I could find on Cisco's site and I have re-read the Networking Academy chapter on DDR and ISDN BRI. I still don't understand why that command made it work.

It seems to me the problem was that the dialer profile did not see any available physical ints to use, so it failed. (BTW, it started the fast-idle timer right away, which makes sense.)

Maybe, if I hear/see it explained a couple of different ways it'll sink in.

Thanks in Advance!!
Joshua

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63570t=63570
Re: FTP site needed for MPLS for 2500 files [7:63056]
Thanks Aidan, Dennis. I've got them. How about the flash/DRAM requirement to run those IOSs?

Rgrds,
Chris

- Original Message -
From: Aidan Marks
To:
Sent: Friday, February 14, 2003 12:36 PM
Subject: Re: FTP site needed for MPLS for 2500 files [7:63056]

The 2500 mpls images are available here:
ftp://ftp-eng.cisco.com/rraszuk/specials/
They have been there for a while. What more do you need?

Aidan

At 07:09 AM 15/02/2003, Dennis Laganiere wrote:

A few months ago I put together a free document for loading an experimental version of IOS that allows you to run MPLS on cheap 2500 series routers. I didn't create the software, I just gave instructions for installing it and then pointed out where the files were, for anybody who wanted to play with it. Since then the ftp site where the files were posted keeps deleting them (not surprising, since I didn't ask permission)...

Is anyone running an FTP server where the files can be posted for anybody who wants to play with MPLS to be able to pull them down? Think of it as contributing to the common good of the group (or rather, groupstudy)...

Let me know. Thanks...

--- Dennis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63141t=63056
Site-to-Site and Remote Access VPN on PIX? [7:63100]
Greetings,

Can I configure the PIX to do both site-to-site and Remote Access VPN at the same time? I think it is impossible since I can only apply one crypto map to the outside interface. Can someone confirm?

Kim.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63100t=63100
RE: Site-to-Site and Remote Access VPN on PIX? [7:63100]
Look into Dynamic map configuration. It's an extension of the Crypto Map, as you can only apply one crypto map to the interface (outside). See the CCO website for more details (search Google for dynmap and PIX, and you should find several examples). On CCO's site, do a search on Technical Tips on PIX.

HTH's
-Mark

-Original Message-
From: Kim Seng [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 15, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: Site-to-Site and Remote Access VPN on PIX? [7:63100]

Greetings,

Can I configure the PIX to do both site-to-site and Remote Access VPN at the same time? I think it is impossible since I can only apply one crypto map to the outside interface. Can someone confirm?

Kim.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63102t=63100
Re: FTP site needed for MPLS for 2500 files [7:63070]
Dennis,

I tried to pull the images but identification (username, password) was asked of me.

Dennis Laganiere wrote:

As long as it's available to everybody, that's good enough for me. Thanks...

--- Dennis

-Original Message-
From: Aidan Marks [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 12:34 PM
To: Dennis Laganiere
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: FTP site needed for MPLS for 2500 files

The 2500 mpls images are available here:
ftp://ftp-eng.cisco.com/rraszuk/specials/
They have been there for a while. What more do you need?

Aidan

At 07:09 AM 15/02/2003, Dennis Laganiere wrote:

A few months ago I put together a free document for loading an experimental version of IOS that allows you to run MPLS on cheap 2500 series routers. I didn't create the software, I just gave instructions for installing it and then pointed out where the files were, for anybody who wanted to play with it. Since then the ftp site where the files were posted keeps deleting them (not surprising, since I didn't ask permission)...

Is anyone running an FTP server where the files can be posted for anybody who wants to play with MPLS to be able to pull them down? Think of it as contributing to the common good of the group (or rather, groupstudy)...

Let me know. Thanks...

--- Dennis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63114t=63070
RE: Site-to-Site and Remote Access VPN on PIX? [7:63100]
Kim,

It will work, I've done it before. It is true that you can only have 1 crypto map per interface, but you can have multiple ISAKMP/IPSEC policies for different tunnels in that crypto map. However, for the dynamic crypto map used for remote access VPN, what happens is that the dynamic crypto map is just like the normal crypto map in the way it's defined, but you hook up the dynamic crypto map to the crypto map which is applied to the interface. Check out the link below.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/config/ipsecint.htm

One limitation I encountered with client VPN on a PIX is that you won't be able to use local authentication, since PIX doesn't support local usernames/passwords like the IOS. So you just log in with groupname and password. Although you can hook it up to an ACS server to do your extended authentication to specify different users.

Regards,
Albert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kim Seng
Sent: Sunday, February 16, 2003 4:26 AM
To: [EMAIL PROTECTED]
Subject: Site-to-Site and Remote Access VPN on PIX? [7:63100]

Greetings,

Can I configure the PIX to do both site-to-site and Remote Access VPN at the same time? I think it is impossible since I can only apply one crypto map to the outside interface. Can someone confirm?

Kim.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63119t=63100
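A worked PIX 6.x configuration for what Mark and Albert describe (one static crypto map entry for the LAN-to-LAN peer, plus a dynamic map for VPN Clients hooked into the same crypto map), added here as an example; it is not from the thread or from the Cisco document linked above. Addresses, names, the peer and the keys are constructed placeholders.

```text
! PIX 6.x - one crypto map on the outside interface serving both a
! LAN-to-LAN tunnel (static entry) and VPN Client users (dynamic entry).
! All addresses, names and keys below are constructed placeholders.

! Interesting traffic for the LAN-to-LAN tunnel (inside LAN <-> remote LAN)
access-list l2l_traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Exempt tunnelled traffic (remote LAN and the client pool) from NAT
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Addresses handed to VPN Client users
ip local pool vpnpool 192.168.100.1-192.168.100.50

! Let decrypted IPsec traffic bypass the interface access lists
sysopt connection permit-ipsec

! Phase 2 proposal shared by both tunnel types
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Dynamic map: no peer and no match address, because client peers are unknown
crypto dynamic-map dynmap 10 set transform-set strong

! Static entry first (low sequence number) for the fixed peer ...
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l_traffic
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set strong

! ... and the dynamic map attached as the LAST entry of the same crypto map,
! so the static entry is evaluated before the catch-all dynamic one
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap

! Hand out pool addresses to clients that ask for them (IKE mode config)
crypto map outside_map client configuration address respond

! Only one crypto map can be bound to the interface; this one covers both
crypto map outside_map interface outside

isakmp enable outside
isakmp identity address

! LAN-to-LAN peer: exempt it from client-oriented XAUTH and mode config,
! so the remote-access settings above are never applied to the fixed peer
isakmp key L2L-PSK-PLACEHOLDER address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! VPN Client group (the group name / password pair Albert mentions)
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients dns-server 192.168.1.10
vpngroup vpnclients default-domain example.com
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password GROUP-PSK-PLACEHOLDER
```

3DES, SHA-1 and DH group 2 are the strongest choices PIX 6.x offered and match the era of the thread; on a current platform the same layout would use AES and a larger DH group.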
FTP site needed for MPLS for 2500 files [7:63054]
A few months ago I put together a free document for loading an experimental version of IOS that allows you to run MPLS on cheap 2500 series routers. I didn't create the software, I just gave instructions for installing it and then pointed out where the files were, for anybody who wanted to play with it. Since then the ftp site where the files were posted keeps deleting them (not surprising, since I didn't ask permission)...

Is anyone running an FTP server where the files can be posted for anybody who wants to play with MPLS to be able to pull them down? Think of it as contributing to the common good of the group (or rather, groupstudy)...

Let me know. Thanks...

--- Dennis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63054t=63054
Re: FTP site needed for MPLS for 2500 files [7:63056]
The 2500 mpls images are available here:
ftp://ftp-eng.cisco.com/rraszuk/specials/
They have been there for a while. What more do you need?

Aidan

At 07:09 AM 15/02/2003, Dennis Laganiere wrote:

A few months ago I put together a free document for loading an experimental version of IOS that allows you to run MPLS on cheap 2500 series routers. I didn't create the software, I just gave instructions for installing it and then pointed out where the files were, for anybody who wanted to play with it. Since then the ftp site where the files were posted keeps deleting them (not surprising, since I didn't ask permission)...

Is anyone running an FTP server where the files can be posted for anybody who wants to play with MPLS to be able to pull them down? Think of it as contributing to the common good of the group (or rather, groupstudy)...

Let me know. Thanks...

--- Dennis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63056t=63056
RE: FTP site needed for MPLS for 2500 files [7:63070]
As long as it's available to everybody, that's good enough for me. Thanks...

--- Dennis

-Original Message-
From: Aidan Marks [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 12:34 PM
To: Dennis Laganiere
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: FTP site needed for MPLS for 2500 files

The 2500 mpls images are available here:
ftp://ftp-eng.cisco.com/rraszuk/specials/
They have been there for a while. What more do you need?

Aidan

At 07:09 AM 15/02/2003, Dennis Laganiere wrote:

A few months ago I put together a free document for loading an experimental version of IOS that allows you to run MPLS on cheap 2500 series routers. I didn't create the software, I just gave instructions for installing it and then pointed out where the files were, for anybody who wanted to play with it. Since then the ftp site where the files were posted keeps deleting them (not surprising, since I didn't ask permission)...

Is anyone running an FTP server where the files can be posted for anybody who wants to play with MPLS to be able to pull them down? Think of it as contributing to the common good of the group (or rather, groupstudy)...

Let me know. Thanks...

--- Dennis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63070t=63070
translating network from VPN site [7:62919]
Hello,

I have an interesting scenario for all. Well, I have two locations connected over ISP thru VPN tunnel:

Central office side: I have router and PIX 515E with 3 interfaces.
'remote office' network: 192.168.2.0/24
'main office' network : 192.0/24

VPN tunnel is over frame-relay dlci and only one subinterface on the central office router can access the global network:

IPsec Tunnel: (outside port PIX) (router on remote office, some Allied Telesyn)

The hint: I can access from remote office to main office, but I CAN'T do static map IP address from remote office to exit to internet with public IP address, because I can't NAT an IP address from the outside interface back to the outside interface again with a public IP, or can I!?

The one solution is probably to configure another interface for VPN tunnelling with the remote office and then do NAT for that interface thru outside, but I don't have another interface, only intf2/DMZ.

Please, is there any good advice for this scenario?

Best regards,
Milan Jovancic

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62919t=62919
Site-to-Site and Remote Access VPN on PIX? [7:62937]
Greetings,

Can I configure a Cisco PIX firewall to do both site-to-site and remote access VPN with preshared key in one box? The reason I asked is because after configuring site-to-site VPN, my remote access VPN stops working.

Kim.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62937t=62937
Re: Site to Site VPN Monitoring on PIX [7:62676]
CiscoWorks VMS 2.1

--
RFC 1149 Compliant.

Curious wrote in message news:[EMAIL PROTECTED]...

I have set up Site to Site VPN between our corporate PIX 515 and our developers' PIX 501; I want to monitor the VPN traffic of these Site to Site VPN connections. Please tell me what tools are available to accomplish this.

thanks,
--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62693t=62676
RE: Site to Site VPN Monitoring on PIX [7:62676]
You want to use PDM. That is easy.

Martijn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, 7 February 2003 23:46
To: [EMAIL PROTECTED]
Subject: Site to Site VPN Monitoring on PIX [7:62676]

I have set up Site to Site VPN between our corporate PIX 515 and our developers' PIX 501; I want to monitor the VPN traffic of these Site to Site VPN connections. Please tell me what tools are available to accomplish this.

thanks,
--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62709t=62676
Site to Site VPN Monitoring on PIX [7:62676]
I have set up Site to Site VPN between our corporate PIX 515 and our developers' PIX 501; I want to monitor the VPN traffic of these Site to Site VPN connections. Please tell me what tools are available to accomplish this.

thanks,
--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62676t=62676
RE: Site to Site VPN Monitoring on PIX [7:62676]
What kind of info are you looking for? We actually use mrtg to graph how many users we have logged in to our 3030's, which are load balanced.

-Original Message-
From: Curious [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 07, 2003 5:46 PM
To: [EMAIL PROTECTED]
Subject: Site to Site VPN Monitoring on PIX [7:62676]

I have set up Site to Site VPN between our corporate PIX 515 and our developers' PIX 501; I want to monitor the VPN traffic of these Site to Site VPN connections. Please tell me what tools are available to accomplish this.

thanks,
--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62685t=62676
VPN Management and Reporting for Cisco Site-to-site VPN [7:62418]
Hi All,

I am deploying Site-to-site VPN using Cisco IOS routers. I am wondering what software package is available offering the management, connectivity monitoring of tunnels, and content reporting? How much does it cost?

Thanks!
Thomas

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62418t=62418
Re: VPN Management and Reporting for Cisco Site-to-site VPN [7:62426]
Thomas N. wrote in message ...

I am deploying Site-to-site VPN using Cisco IOS routers. I am wondering what software package is available offering the management, connectivity monitoring of tunnels, and content reporting? How much does it cost?

Thanks!

Most people roll their own (i.e. use a home-grown solution). They often use the following base programming languages to do so: C, C++, Java, Perl, Python, Tcl, Expect, Ruby, Unix Shell, and similar, less-powerful Microsoft or IBM languages (NT Shell, Visual Basic, VBScript, C#, REXX, JCL, COBOL, etc). Sometimes applications are written in assembly (x86, m68k, mips), but this is less often the case. Sometimes libraries, or modules, are used (net-snmp, libgd, the ANSI/ISO C libraries, C++ STL templates, CPAN Perl modules); other times, horrific sub-languages are created instead (Microsoft Foundation Classes) and munged -- but possibly made useful.

Sometimes these are packaged together in the form of commercial (read: over-priced) or open-source software (e.g. MRTG), but often these packages do not meet any specific needs, only generic requirements that often involve complex customization anyway.

However, functionality that meets your criteria is available as a $20k or thereabouts software package from Cisco; simply search on their website under Network Management and find a VPN-specific solution that appears to meet your needs. In reality, this sort of package requires more than just customization; it requires more time and money in the form of software application babysitting, and late-night calls to Cisco for tech support that are followed up the next day and night by more calls, ad nauseam. For some reason, other commercial products and even the least hardened (or worst coded) open-source software packages do not seem to suffer this babysitting complex, while CiscoWorks does. I do not have room in this email to further explain this phenomenon.

You may find that the easiest route is to collect some Cisco IOS SNMP MIB OIDs (enough acronyms for you there?) and graph them, while also either using an external application to create thresholds on the OID values (counter or gauge integer types), or an internal polling mechanism such as SAA or RMON alarms and events (and have the thresholds sent to your pager or email or syslog file or operations center monitor). This is often very easily accomplished with NET-SNMP or MRTG, which are open-source and free to download.

Others find it is best to have it centrally located in some type of overlord system such as IRCd, or $100M/year software-supported applications made by the likes of the network management triumvirate - HP, CA, and IBM/Tivoli. It is also recommended that you choose one platform/package and not, for example, 3 (especially when you end up spending $300M per year). Often what you hear of as best-of-breed is normally just another way of adding additional complexity, under-utilization, and exponential interoperability issues between platforms/packages.

-dre

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62426t=62426
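The counter-to-rate and threshold logic dre's answer describes (graph an IF-MIB octet counter, alarm when its rate crosses a threshold), as an added example that is not code from the thread or from MRTG; the poll samples are constructed, and the alert policy (two consecutive intervals) is an assumed choice.

```python
"""Counter-to-rate conversion with threshold alerting, the way MRTG-style
graphing treats SNMP Counter32 OIDs such as ifInOctets. Added example, not
code from the thread; the polls below are constructed, not real."""

# Where a real poller would read these from (standard IF-MIB OIDs):
#   ifInOctets   .1.3.6.1.2.1.2.2.1.10.<ifIndex>   Counter32
#   ifHCInOctets .1.3.6.1.2.1.31.1.1.1.6.<ifIndex> Counter64
COUNTER_WRAP = {32: 2 ** 32, 64: 2 ** 64}


def counter_delta(prev, cur, bits=32):
    """Octets counted between two successive readings, allowing for one
    wrap. Two wraps in one interval are undetectable, which is why a
    Counter32 on a 100 Mb/s link must be polled at least every ~5 minutes
    (2^32 bytes at 12.5 MB/s is about 5.7 minutes): otherwise the rate
    silently reads low instead of raising an alarm."""
    if cur >= prev:
        return cur - prev
    return cur + COUNTER_WRAP[bits] - prev


def rates_bps(samples, bits=32):
    """samples: [(unix_time, counter_value)] from one interface in poll
    order. Returns [(interval_end_time, bits_per_second)]."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        secs = t1 - t0
        if secs <= 0:
            continue  # duplicate poll or clock stepped backwards: no rate
        out.append((t1, counter_delta(c0, c1, bits) * 8 / secs))
    return out


def threshold_alerts(rates, threshold_bps, consecutive=2):
    """Fire only after `consecutive` intervals at or above threshold, so a
    single noisy poll does not page anyone. Returns the times an alert
    fires (one per run above threshold)."""
    fired, run = [], 0
    for t, bps in rates:
        run = run + 1 if bps >= threshold_bps else 0
        if run == consecutive:
            fired.append(t)
    return fired


def alerts_for(samples, threshold_bps, consecutive=2, bits=32):
    """Convenience wrapper: raw polls in, alert timestamps out."""
    return threshold_alerts(rates_bps(samples, bits), threshold_bps, consecutive)


# Constructed 5-minute polls of ifInOctets; the first interval crosses the
# Counter32 wrap, which a naive cur - prev would turn into a huge negative.
SAMPLES = [
    (1_044_000_000, 4_294_000_000),
    (1_044_000_300, 1_500_000),      # wrapped: 2,467,296 octets moved
    (1_044_000_600, 150_000_000),
    (1_044_000_900, 500_000_000),
    (1_044_001_200, 700_000_000),
]


if __name__ == "__main__":
    for t, bps in rates_bps(SAMPLES):
        print(f"{t}: {bps / 1e6:.3f} Mb/s")
    print("alerts at:", alerts_for(SAMPLES, threshold_bps=4_000_000))
```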
Re: Off Topic - More Bitching about Cisco's New Web Site [7:60438]
Chuck,

I hate to say "Me, too!" but that's the case. I still hate the new site with a passion. They swear that it's supposed to be easier to use but it certainly is not, at least not yet. I'm sure we'll all get used to it and they'll eventually fix all the links, but as it stands right now I try to avoid their site whenever possible.

John

The Long and Winding Road 1/4/03 11:37:15 AM

Is it just me? More broken links? Harder to find the everyday tools? Slower - a LOT slower - navigating around?

Seems like just about every day I'm filling out one of those feedback forms to report a problem, assuming I've found the basic page I'm looking for anyway.

For example - check out the links on this page.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/index.htm

Watch the wrap, and whatever happened to the tool index? It was no fun searching for the Software Advisor and the IOS Upgrade Planner this morning.

grumble grumble grumble

--
TANSTAAFL
there ain't no such thing as a free lunch

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60438t=60438
RE: Off Topic - More Bitching about Cisco's New Web Site [7:60443]
I do not know any of my colleagues who like the new format. I always choose the previous format by clicking Access Former Website on the right column of the new home page. Or go to http:// www . cisco. com/cco.shtml for the good old familiar format.

-Bernard

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Neiberger
Sent: Monday, January 06, 2003 8:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Off Topic - More Bitching about Cisco's New Web Site [7:60438]

Chuck,

I hate to say "Me, too!" but that's the case. I still hate the new site with a passion. They swear that it's supposed to be easier to use but it certainly is not, at least not yet. I'm sure we'll all get used to it and they'll eventually fix all the links, but as it stands right now I try to avoid their site whenever possible.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60443t=60443
Re: Off Topic - More Bitching about Cisco's New Web Site [7:60468]
I don't like the new format either. Sent them feedback which included a request for the ability to personalize my own version of the CCO start page like you can with Yahoo a la My Yahoo. They say that's in the works. Maybe something to look forward to.

Bernard wrote in message news:[EMAIL PROTECTED]...

I do not know any of my colleagues who like the new format. I always choose the previous format by clicking Access Former Website on the right column of the new home page. Or go to http:// www . cisco. com/cco.shtml for the good old familiar format.

-Bernard

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Neiberger
Sent: Monday, January 06, 2003 8:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Off Topic - More Bitching about Cisco's New Web Site [7:60438]

Chuck,

I hate to say "Me, too!" but that's the case. I still hate the new site with a passion. They swear that it's supposed to be easier to use but it certainly is not, at least not yet. I'm sure we'll all get used to it and they'll eventually fix all the links, but as it stands right now I try to avoid their site whenever possible.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60468t=60468
Off Topic - More Bitching about Cisco's New Web Site [7:60299]
Is it just me? More broken links? Harder to find the everyday tools? Slower - a LOT slower - navigating around? Seems like just about every day I'm filling out one of those feedback forms to report a problem, assuming I've found the basic page I'm looking for anyway.

For example, check out the links on this page: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r /iprprt2/index.htm (watch the wrap). And whatever happened to the tool index? It was no fun searching for the Software Advisor and the IOS Upgrade Planner this morning.

grumble grumble grumble

--
TANSTAAFL
there ain't no such thing as a free lunch

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60299t=60299
Re: Off Topic - More Bitching about Cisco's New Web Site [7:60308]
Well, I thought the site was very slow - until I realised I'd stuck a clock rate 64000 on my frameswitch router so that I could see some queueing :-)

I now go straight for the search button, but there are some horrors in there. There seem to be more PDFs as well, which is good, but then sometimes there is only a PDF. There's a bit under technologies where I burrowed down through QoS, congestion management, through queuing and then to WFQ to find a short paragraph telling me what it was. I'd really wanted a white paper detailing algorithms! I'm sure I'll crack it sometime.

rgds
Marc

The Long and Winding Road wrote:

> Is it just me? More broken links? Harder to find the everyday tools? Slower - a LOT slower - navigating around? Seems like just about every day I'm filling out one of those feedback forms to report a problem, assuming I've found the basic page I'm looking for anyway.
>
> For example, check out the links on this page: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r /iprprt2/index.htm (watch the wrap). And whatever happened to the tool index? It was no fun searching for the Software Advisor and the IOS Upgrade Planner this morning.
>
> grumble grumble grumble
>
> --
> TANSTAAFL
> there ain't no such thing as a free lunch

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60308t=60308
Site to Site VPN b/w PIX 515 and PIX 501 by using Dynamic Map [7:59084]
Guys, I am having an issue with a site-to-site VPN between a PIX 515 and a PIX 501. The PIX 501 is at our developer's location, and he has a DHCP Internet IP address from his ISP, so I am using a Dynamic Map on the PIX 515 for the site-to-site VPN.

The developer is complaining that his VPN connection goes down (although he sees a VPN light on the PIX 501, he cannot access anything in our office network). On the PIX 501 I see the crypto map and access list counters increase, but on the PIX 515 side I don't see his PIX 501 in the crypto map. I thought of a timeout or inactivity timeout issue.

Please advise.

thanks,
-- Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59084t=59084
Host your site for just 20$/year [7:57900]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57900t=57900
RE: PIX site-to-site VPN question... [7:57648]
Edward Sohn wrote:

> Perfect... very interesting, indeed. I have long wondered about this scenario, and have wondered how companies are implementing their site-to-site VPNs over the internet.
>
> So you're saying (regarding your own roll out) that your ISP assigned you two address spaces and routed your /27 towards your perimeter router, right?
>
> In any case, your scenario explains the answer to that particular example... however, new questions arise:
>
> (1) If I DIDN'T decide to set up a GRE over the internet, then what other options do I have? Would a simple NAT on the perimeter routers suffice? This would introduce dual-NAT, and I have heard that dual-NATing is less-than-desired in production due to performance issues.

Double NATing doesn't sound like a good idea and shouldn't be necessary.

> (2) If I wanted to use public addressing on the outsides of the PIXs,

Public addressing on the outsides of the PIXes seems to be the recommended approach.

> then would I have to have two address spaces, as described in your own scenario?

You can make your own two address spaces. Perhaps you realize that, but I'm wondering if maybe you haven't considered it? You can do whatever you want with the /29 the provider gave you. Unfortunately, it's not a very big address space, but it can still be subdivided into two networks, one for the outside interface on the router and one for the PIX(outside)(inside)Router LAN.

As an example, let's say the provider provided 55.55.55.0/29. You have the following addresses:

First subnet:
55.55.55.1 (binary of last octet is 0001)
55.55.55.2 (binary of last octet is 0010)
55.55.55.3 (binary of last octet is 0011)

Second subnet:
55.55.55.4 (binary of last octet is 0100)
55.55.55.5 (binary of last octet is 0101)
55.55.55.6 (binary of last octet is 0110)

So do you see that with a subnet mask of 255.255.255.252 (/30), you have two networks?

Here's the addressing you can use:

PIX(outside) = 55.55.55.1 (also used by PAT)
Router (inside) = 55.55.55.2
Possible address for something else on that LAN = 55.55.55.3
Router (outside) = 55.55.55.6

Unfortunately, some addresses get wasted on that subnet.

PIX's default route points to 55.55.55.2.
Router's default route points to router at ISP.
ISP points everything that matches 55.55.55.0/29 to you.

If for some reason this wouldn't work in your particular scenario or I over-simplified to the point of not being helpful, I apologize! Hey, it's free consulting and you get what you pay for. :-) Keep us posted so we can all learn.

Thanks.

Priscilla

> Can anyone think of any other options on the perimeter router? Like I said, bridging or unnumbered or something of the like?
>
> thanks,
> ed
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark W. Odette II
> Sent: Monday, November 18, 2002 9:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
>
>> The only way that you could put private addresses on the OUTSIDE interface of the PIX (Site A), and still successfully set up a Tunnel to another PIX across the internet that is behind an edge router of your own control (Site B), is to build a GRE Tunnel between the Edge Routers.
>>
>> EX:
>>                        Public Addresses
>> PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
>>   Pvt. Addresses        G R E Tunnel        Pvt. Addresses
>>
>> If you tried to set up NAT on the two Edge Routers to Static Translate for the PIX Hosts on their outside interfaces, the Tunnel would never establish. Even though you would define the Crypto Peer as a public address, when the packet arrives at the far side, it would have the private address headers, and thus the tunnel would never come up, and is why you would need a GRE Tunnel between the two routers to use private addresses between the two PIXen end-points.
>>
>> I have set up the scenario you speak of in production, but the ISP assigned a /30 for the routers connecting to the ISP, AND they assigned /27s for the customer's own use. So, with this, I configured the S0 interfaces of each router as part of the /30s, and configured the Fa0 interfaces of the Routers and the PIX Outside interfaces as hosts in the /27 blocks that were assigned to each site, while creating a PAT pool and NAT statics for appropriate hosts behind the PIX. The Inside/DMZ side of the PIXen were configured with RFC1918 addresses. Site to Site VPNs were established using the Public IP addresses on the Outside interface of each PIX.
>>
>> HTH's
>> Mark
>>
>> -Original Message-
>> From: Edward Sohn [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, November 18, 2002 10:13 PM
>> To: [EMAIL PROTECTED]
>> Subject: RE: PIX site-to-site VPN question... [7:57648]
>>
>>> thanks for your help, elijah... however, i think are still missing the full point of my question... i am looking for a complete
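As an added example (not code from any of the posts), here is a small Python check of the /29 split Priscilla describes above and of the point, made in the same message chain, that the PIX crypto peers need public addresses: it carves 55.55.55.0/29 into two /30s, lists the usable hosts of each, flags any planned address that is a network or broadcast address, and rejects RFC1918 peer addresses. The provider block and the device roles come from the post; the function names, the POST_PLAN layout and the ISP-side address 55.55.55.5 are assumptions made for this example.

```python
"""Subnetting and crypto-peer sanity check for the /29 discussed in the thread.

Added example, not code from the list posts. The block 55.55.55.0/29 and the
device roles are taken from Priscilla's message; the function names, the
POST_PLAN layout and the ISP-side address 55.55.55.5 are assumptions.
"""
from ipaddress import IPv4Address, IPv4Network

PROVIDER_BLOCK = IPv4Network("55.55.55.0/29")  # from the post

# Addressing plan from the post: role -> (address, index of the /30 it sits in).
POST_PLAN = {
    "PIX (outside), also PAT address": ("55.55.55.1", 0),
    "Router (inside)": ("55.55.55.2", 0),
    "Something else on that LAN": ("55.55.55.3", 0),
    "Router (outside)": ("55.55.55.6", 1),
}


def split_block(block=PROVIDER_BLOCK, new_prefix=30):
    """Carve the provider block into equal subnets: a /29 gives two /30s."""
    return list(block.subnets(new_prefix=new_prefix))


def usable_hosts(subnet):
    """Host addresses only; the network and broadcast addresses are excluded."""
    return [str(h) for h in subnet.hosts()]


def last_octet_bits(addr):
    """The 'binary of last octet' view the post uses, e.g. 55.55.55.5 -> '0101'."""
    return format(int(IPv4Address(addr)) & 0x0F, "04b")


def check_plan(plan, subnets):
    """Return role -> list of problems; an empty list means the address is usable."""
    report = {}
    for role, (addr_str, idx) in plan.items():
        addr = IPv4Address(addr_str)
        subnet = subnets[idx]
        problems = []
        if addr not in subnet:
            problems.append(f"{addr} is not inside {subnet}")
        elif addr == subnet.network_address:
            problems.append(f"{addr} is the network address of {subnet}")
        elif addr == subnet.broadcast_address:
            problems.append(f"{addr} is the broadcast address of {subnet}")
        report[role] = problems
    return report


def next_hop_on_link(device_addr, next_hop, subnets):
    """A default route only works if the next hop shares a subnet with the device."""
    dev, hop = IPv4Address(device_addr), IPv4Address(next_hop)
    return any(dev in s and hop in s for s in subnets)


def crypto_peer_usable(peer_addr):
    """The thread's point: a PIX-to-PIX tunnel peer must be a routable public
    address; an RFC1918 peer address cannot be reached across the Internet."""
    return not IPv4Address(peer_addr).is_private


if __name__ == "__main__":
    subnets = split_block()
    for s in subnets:
        print(s, "usable hosts:", usable_hosts(s),
              "last-octet bits:", [last_octet_bits(h) for h in usable_hosts(s)])
    for role, problems in check_plan(POST_PLAN, subnets).items():
        print(role, "->", problems or "ok")
    # PIX default route points to the router's inside address on the same /30.
    print("PIX default route via 55.55.55.2:",
          next_hop_on_link("55.55.55.1", "55.55.55.2", subnets))
    # Assumed ISP-side address on the second /30 (the post does not state it).
    print("Router default route via 55.55.55.5:",
          next_hop_on_link("55.55.55.6", "55.55.55.5", subnets))
    print("55.55.55.1 usable as crypto peer:", crypto_peer_usable("55.55.55.1"))
    print("10.0.1.1 usable as crypto peer:", crypto_peer_usable("10.0.1.1"))
```

With a /30 mask, .0 and .4 are network addresses and .3 and .7 broadcast addresses, so each /30 leaves exactly two host addresses; the check therefore reports the .3 "something else" entry as unusable while the PIX and router addresses pass.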
RE: PIX site-to-site VPN question... [7:57648]
That is basically what I was saying in my email, that he had 6 addresses to use, so I am confused why there even needs to be another solution. Making it a lot harder than what it has to be.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 19, 2002 8:10 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

> Edward Sohn wrote:
>
>> Perfect... very interesting, indeed. I have long wondered about this scenario, and have wondered how companies are implementing their site-to-site VPNs over the internet.
>>
>> So you're saying (regarding your own roll out) that your ISP assigned you two address spaces and routed your /27 towards your perimeter router, right?
>>
>> In any case, your scenario explains the answer to that particular example... however, new questions arise:
>>
>> (1) If I DIDN'T decide to set up a GRE over the internet, then what other options do I have? Would a simple NAT on the perimeter routers suffice? This would introduce dual-NAT, and I have heard that dual-NATing is less-than-desired in production due to performance issues.
>
> Double NATing doesn't sound like a good idea and shouldn't be necessary.
>
>> (2) If I wanted to use public addressing on the outsides of the PIXs,
>
> Public addressing on the outsides of the PIXes seems to be the recommended approach.
>
>> then would I have to have two address spaces, as described in your own scenario?
>
> You can make your own two address spaces. Perhaps you realize that, but I'm wondering if maybe you haven't considered it? You can do whatever you want with the /29 the provider gave you. Unfortunately, it's not a very big address space, but it can still be subdivided into two networks, one for the outside interface on the router and one for the PIX(outside)(inside)Router LAN.
>
> As an example, let's say the provider provided 55.55.55.0/29. You have the following addresses:
>
> First subnet:
> 55.55.55.1 (binary of last octet is 0001)
> 55.55.55.2 (binary of last octet is 0010)
> 55.55.55.3 (binary of last octet is 0011)
>
> Second subnet:
> 55.55.55.4 (binary of last octet is 0100)
> 55.55.55.5 (binary of last octet is 0101)
> 55.55.55.6 (binary of last octet is 0110)
>
> So do you see that with a subnet mask of 255.255.255.252 (/30), you have two networks?
>
> Here's the addressing you can use:
>
> PIX(outside) = 55.55.55.1 (also used by PAT)
> Router (inside) = 55.55.55.2
> Possible address for something else on that LAN = 55.55.55.3
> Router (outside) = 55.55.55.6
>
> Unfortunately, some addresses get wasted on that subnet.
>
> PIX's default route points to 55.55.55.2.
> Router's default route points to router at ISP.
> ISP points everything that matches 55.55.55.0/29 to you.
>
> If for some reason this wouldn't work in your particular scenario or I over-simplified to the point of not being helpful, I apologize! Hey, it's free consulting and you get what you pay for. :-) Keep us posted so we can all learn.
>
> Thanks.
>
> Priscilla
>
>> Can anyone think of any other options on the perimeter router? Like I said, bridging or unnumbered or something of the like?
>>
>> thanks,
>> ed
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark W. Odette II
>> Sent: Monday, November 18, 2002 9:19 PM
>> To: [EMAIL PROTECTED]
>> Subject: RE: PIX site-to-site VPN question... [7:57648]
>>
>>> The only way that you could put private addresses on the OUTSIDE interface of the PIX (Site A), and still successfully set up a Tunnel to another PIX across the internet that is behind an edge router of your own control (Site B), is to build a GRE Tunnel between the Edge Routers.
>>>
>>> EX:
>>>                        Public Addresses
>>> PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
>>>   Pvt. Addresses        G R E Tunnel        Pvt. Addresses
>>>
>>> If you tried to set up NAT on the two Edge Routers to Static Translate for the PIX Hosts on their outside interfaces, the Tunnel would never establish. Even though you would define the Crypto Peer as a public address, when the packet arrives at the far side, it would have the private address headers, and thus the tunnel would never come up, and is why you would need a GRE Tunnel between the two routers to use private addresses between the two PIXen end-points.
>>>
>>> I have set up the scenario you speak of in production, but the ISP assigned a /30 for the routers connecting to the ISP, AND they assigned /27s for the customer's own use. So, with this, I configured the S0 interfaces of each router as part of the /30s, and configured the Fa0 interfaces of the Routers and the PIX Outside interfaces as hosts in the /27 blocks that were assigned to each site, while creating a PAT pool and NAT statics for appropriate hosts behind the PIX. The Inside/DMZ side of the PIXen were configured with RFC1918 addresses. Site to Site VPNs were established using the Public IP addresses
RE: PIX site-to-site VPN question... [7:57648]
Elijah Savage III wrote:

> That is basically what I was saying in my email, that he had 6 addresses to use, so I am confused why there even needs to be another solution.

You didn't say how he would use the 6 addresses. I thought it needed spelling out.

> Making it a lot harder than what it has to be.

It's not hard, which may be your point. It's very simple if what I'm suggesting actually works. But maybe there are some gotchas I don't know about.

The point that was missing in our discussion before was that there are multiple networks using the public addresses. I don't think anyone understood why he was asking about bridging. He will need bridging if he doesn't subdivide his address space. I simply told him how to subdivide it.

I didn't mean to step on your toes or imply your answers were wrong.

Priscilla

> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 19, 2002 8:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
>
>> Edward Sohn wrote:
>>
>>> Perfect... very interesting, indeed. I have long wondered about this scenario, and have wondered how companies are implementing their site-to-site VPNs over the internet.
>>>
>>> So you're saying (regarding your own roll out) that your ISP assigned you two address spaces and routed your /27 towards your perimeter router, right?
>>>
>>> In any case, your scenario explains the answer to that particular example... however, new questions arise:
>>>
>>> (1) If I DIDN'T decide to set up a GRE over the internet, then what other options do I have? Would a simple NAT on the perimeter routers suffice? This would introduce dual-NAT, and I have heard that dual-NATing is less-than-desired in production due to performance issues.
>>
>> Double NATing doesn't sound like a good idea and shouldn't be necessary.
>>
>>> (2) If I wanted to use public addressing on the outsides of the PIXs,
>>
>> Public addressing on the outsides of the PIXes seems to be the recommended approach.
>>
>>> then would I have to have two address spaces, as described in your own scenario?
>>
>> You can make your own two address spaces. Perhaps you realize that, but I'm wondering if maybe you haven't considered it? You can do whatever you want with the /29 the provider gave you. Unfortunately, it's not a very big address space, but it can still be subdivided into two networks, one for the outside interface on the router and one for the PIX(outside)(inside)Router LAN.
>>
>> As an example, let's say the provider provided 55.55.55.0/29. You have the following addresses:
>>
>> First subnet:
>> 55.55.55.1 (binary of last octet is 0001)
>> 55.55.55.2 (binary of last octet is 0010)
>> 55.55.55.3 (binary of last octet is 0011)
>>
>> Second subnet:
>> 55.55.55.4 (binary of last octet is 0100)
>> 55.55.55.5 (binary of last octet is 0101)
>> 55.55.55.6 (binary of last octet is 0110)
>>
>> So do you see that with a subnet mask of 255.255.255.252 (/30), you have two networks?
>>
>> Here's the addressing you can use:
>>
>> PIX(outside) = 55.55.55.1 (also used by PAT)
>> Router (inside) = 55.55.55.2
>> Possible address for something else on that LAN = 55.55.55.3
>> Router (outside) = 55.55.55.6
>>
>> Unfortunately, some addresses get wasted on that subnet.
>>
>> PIX's default route points to 55.55.55.2.
>> Router's default route points to router at ISP.
>> ISP points everything that matches 55.55.55.0/29 to you.
>>
>> If for some reason this wouldn't work in your particular scenario or I over-simplified to the point of not being helpful, I apologize! Hey, it's free consulting and you get what you pay for. :-) Keep us posted so we can all learn.
>>
>> Thanks.
>>
>> Priscilla
>>
>>> Can anyone think of any other options on the perimeter router? Like I said, bridging or unnumbered or something of the like?
>>>
>>> thanks,
>>> ed
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark W. Odette II
>>> Sent: Monday, November 18, 2002 9:19 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: RE: PIX site-to-site VPN question... [7:57648]
>>>
>>>> The only way that you could put private addresses on the OUTSIDE interface of the PIX (Site A), and still successfully set up a Tunnel to another PIX across the internet that is behind an edge router of your own control (Site B), is to build a GRE Tunnel between the Edge Routers.
>>>>
>>>> EX:
>>>>                        Public Addresses
>>>> PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
>>>>   Pvt. Addresses        G R E Tunnel        Pvt. Addresses
>>>>
>>>> If you tried to set up NAT on the two Edge Routers to Static Translate for the PIX Hosts on their outside interfaces, the Tunnel would never establish. Even though you would define the Crypto Peer as a public address, when the packet arrives at the far side, it would have the private address headers, and thus the tunnel would
PIX site-to-site VPN question... [7:57648]
Would someone mind explaining to me how addressing works on the outside interface of a PIX in a site-to-site VPN configuration with edge routers connected to the internet?

PIX1(outside)(e0)R1(e1)INTERNET--(e1)R2(e0)(outside)PIX2

If I'm provided a /29 address by my ISP for PIX1's site, then how do PIX1's outside and R1's ethernet addresses get provisioned (same question for PIX2's site)? Is it a simple /30 private network between the PIX and routers, or do they get public addressing? In all the VPN examples I've seen on TAC, they've used public addressing here. If so, then how do the routers use IP addresses? Are they bridged or unnumbered in some way? How do the PIXs use private addresses for their crypto peer statements?

What are the best practices here? Sorry for the barrage...

Thanks,
Ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57648t=57648
RE: PIX site-to-site VPN question... [7:57648]
You should use private addressing behind the PIX and use statics from the /29 to map to servers, etc. behind the PIX. Why would you ever want to put public IPs behind a PIX? Especially for a VPN? Not cool. It makes it an easier target to spoof, as opposed to RFC1918 addresses.

Answering your original question -

> If I'm provided a /29 address by my ISP for PIX1's site, then how do PIX1's outside and R1's ethernet addresses get provisioned (same question for PIX2's site)?

If you insist on using publics behind your PIX, you get a /29 for behind, and 2 /30s: one for PIX to RTR and one for RTR to ISP EDGE. The routers also should NEVER use UNNUMBERED! How do you remote manage the router if the Ethernet line proto is down? Loopback? You won't have a public IP if your ISP skimps on addresses. I have seen some whack configs where s0/0 is unnumbered, and the only routed block is on e0/0. It's not worth saving the /30 for the added aggravation.

> Are they bridged or unnumbered in some way?

The routers know nothing of your site-to-site VPN. They just route.. nuff said on that.

> How do the PIXs use private addresses for their crypto peer statements?

They can't. Not unless you use outside NAT on the routers, something I don't think you can or want to do. Just use publics all around for your crypto peer statements. I don't think you can do it any other way.

One creative way to do it, maybe: run a GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 private class Cs for in between router and PIX on each side. Just route everything (which is also encrypted) through the tunnel. Have NO NAT on your PIXes for internal stuff to go out of the router on S0/0 (instead of VPN traffic, which goes out TUNNEL0). This should make your PIXs harder to attack, and if you want you can run NAT on the router for hosts, or have another NAT proxy behind the PIX (either way, the PIX won't do NAT, with this low-profile config trick).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57654t=57648
RE: PIX site-to-site VPN question... [7:57648]
Brunner Joseph wrote:

> You should use private addressing behind the PIX and use statics from the /29 to map to servers, etc. behind the PIX. Why would you ever want to put public IPs behind a PIX? Especially for a VPN? Not cool. It makes it an easier target to spoof, as opposed to RFC1918 addresses.

I don't think he was suggesting using public IP addresses behind the PIX. What addressing would you recommend for the LAN between the outside interface of the PIX and the router, per this part of his drawing:

PIX1(outside)(e0)R1(e1)INTERNET

By the way, he really did show R1 having an Ethernet interface out to the Internet. I don't think it was a typo. In the case that came up last week, this Ethernet then went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice? This question came up last week too and the person never got a good answer. I would answer it myself but I'm PIX and VPN challenged (but learning! ;-)

Priscilla

> Answering your original question -
>
>> If I'm provided a /29 address by my ISP for PIX1's site, then how do PIX1's outside and R1's ethernet addresses get provisioned (same question for PIX2's site)?
>
> If you insist on using publics behind your PIX, you get a /29 for behind, and 2 /30s: one for PIX to RTR and one for RTR to ISP EDGE. The routers also should NEVER use UNNUMBERED! How do you remote manage the router if the Ethernet line proto is down? Loopback? You won't have a public IP if your ISP skimps on addresses. I have seen some whack configs where s0/0 is unnumbered, and the only routed block is on e0/0. It's not worth saving the /30 for the added aggravation.
>
>> Are they bridged or unnumbered in some way?
>
> The routers know nothing of your site-to-site VPN. They just route.. nuff said on that.
>
>> How do the PIXs use private addresses for their crypto peer statements?
>
> They can't. Not unless you use outside NAT on the routers, something I don't think you can or want to do. Just use publics all around for your crypto peer statements. I don't think you can do it any other way.
>
> One creative way to do it, maybe: run a GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 private class Cs for in between router and PIX on each side. Just route everything (which is also encrypted) through the tunnel. Have NO NAT on your PIXes for internal stuff to go out of the router on S0/0 (instead of VPN traffic, which goes out TUNNEL0). This should make your PIXs harder to attack, and if you want you can run NAT on the router for hosts, or have another NAT proxy behind the PIX (either way, the PIX won't do NAT, with this low-profile config trick).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57656t=57648
RE: PIX site-to-site VPN question... [7:57648]
Well, I am a little confused by the question, call me stupid :) But he can use public or private on that link; if he uses private, just NAT on the PIX. VPN to VPN will still work with NAT in place.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

> Brunner Joseph wrote:
>
>> You should use private addressing behind the PIX and use statics from the /29 to map to servers, etc. behind the PIX. Why would you ever want to put public IPs behind a PIX? Especially for a VPN? Not cool. It makes it an easier target to spoof, as opposed to RFC1918 addresses.
>
> I don't think he was suggesting using public IP addresses behind the PIX. What addressing would you recommend for the LAN between the outside interface of the PIX and the router, per this part of his drawing:
>
> PIX1(outside)(e0)R1(e1)INTERNET
>
> By the way, he really did show R1 having an Ethernet interface out to the Internet. I don't think it was a typo. In the case that came up last week, this Ethernet then went to a wireless WAN of some sort.
>
> Could you take another look at the question and give us some advice? This question came up last week too and the person never got a good answer. I would answer it myself but I'm PIX and VPN challenged (but learning! ;-)
>
> Priscilla
>
>> Answering your original question -
>>
>>> If I'm provided a /29 address by my ISP for PIX1's site, then how do PIX1's outside and R1's ethernet addresses get provisioned (same question for PIX2's site)?
>>
>> If you insist on using publics behind your PIX, you get a /29 for behind, and 2 /30s: one for PIX to RTR and one for RTR to ISP EDGE. The routers also should NEVER use UNNUMBERED! How do you remote manage the router if the Ethernet line proto is down? Loopback? You won't have a public IP if your ISP skimps on addresses. I have seen some whack configs where s0/0 is unnumbered, and the only routed block is on e0/0. It's not worth saving the /30 for the added aggravation.
>>
>>> Are they bridged or unnumbered in some way?
>>
>> The routers know nothing of your site-to-site VPN. They just route.. nuff said on that.
>>
>>> How do the PIXs use private addresses for their crypto peer statements?
>>
>> They can't. Not unless you use outside NAT on the routers, something I don't think you can or want to do. Just use publics all around for your crypto peer statements. I don't think you can do it any other way.
>>
>> One creative way to do it, maybe: run a GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 private class Cs for in between router and PIX on each side. Just route everything (which is also encrypted) through the tunnel. Have NO NAT on your PIXes for internal stuff to go out of the router on S0/0 (instead of VPN traffic, which goes out TUNNEL0). This should make your PIXs harder to attack, and if you want you can run NAT on the router for hosts, or have another NAT proxy behind the PIX (either way, the PIX won't do NAT, with this low-profile config trick).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57662t=57648
RE: PIX site-to-site VPN question... [7:57648]
Oh yeah, with the limited address space the correct term I meant to use is PAT, not to confuse anyone. The outside interface on the PIX has 1 public and everyone gets NATed to that one global address.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

> Brunner Joseph wrote:
>
>> You should use private addressing behind the PIX and use statics from the /29 to map to servers, etc. behind the PIX. Why would you ever want to put public IPs behind a PIX? Especially for a VPN? Not cool. It makes it an easier target to spoof, as opposed to RFC1918 addresses.
>
> I don't think he was suggesting using public IP addresses behind the PIX. What addressing would you recommend for the LAN between the outside interface of the PIX and the router, per this part of his drawing:
>
> PIX1(outside)(e0)R1(e1)INTERNET
>
> By the way, he really did show R1 having an Ethernet interface out to the Internet. I don't think it was a typo. In the case that came up last week, this Ethernet then went to a wireless WAN of some sort.
>
> Could you take another look at the question and give us some advice? This question came up last week too and the person never got a good answer. I would answer it myself but I'm PIX and VPN challenged (but learning! ;-)
>
> Priscilla
>
>> Answering your original question -
>>
>>> If I'm provided a /29 address by my ISP for PIX1's site, then how do PIX1's outside and R1's ethernet addresses get provisioned (same question for PIX2's site)?
>>
>> If you insist on using publics behind your PIX, you get a /29 for behind, and 2 /30s: one for PIX to RTR and one for RTR to ISP EDGE. The routers also should NEVER use UNNUMBERED! How do you remote manage the router if the Ethernet line proto is down? Loopback? You won't have a public IP if your ISP skimps on addresses. I have seen some whack configs where s0/0 is unnumbered, and the only routed block is on e0/0. It's not worth saving the /30 for the added aggravation.
>>
>>> Are they bridged or unnumbered in some way?
>>
>> The routers know nothing of your site-to-site VPN. They just route.. nuff said on that.
>>
>>> How do the PIXs use private addresses for their crypto peer statements?
>>
>> They can't. Not unless you use outside NAT on the routers, something I don't think you can or want to do. Just use publics all around for your crypto peer statements. I don't think you can do it any other way.
>>
>> One creative way to do it, maybe: run a GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 private class Cs for in between router and PIX on each side. Just route everything (which is also encrypted) through the tunnel. Have NO NAT on your PIXes for internal stuff to go out of the router on S0/0 (instead of VPN traffic, which goes out TUNNEL0). This should make your PIXs harder to attack, and if you want you can run NAT on the router for hosts, or have another NAT proxy behind the PIX (either way, the PIX won't do NAT, with this low-profile config trick).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57663t=57648
RE: PIX site-to-site VPN question... [7:57648]
Elijah Savage III wrote:

Oh yeah, with the limited address space the correct term I meant to use is PAT, not to confuse anyone. The outside interface on the PIX has 1 public and everyone gets NATed to that one global address.

So, use public addressing on the PIX(outside)-router link. In the previous message you said he could use either, but it will make things easier if he uses public on that link and private on the ---(inside)PIX link, eh? Sorry if I'm being dim-witted. :-)

Priscilla

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Brunner Joseph wrote:

You should use private addressing behind the PIX and use statics from the /29 to map to servers, etc. behind the PIX. Why would you ever want to put public IPs behind a PIX? Especially for a VPN? Not cool. It makes it an easier target to spoof, as opposed to RFC 1918 addresses.

I don't think he was suggesting using public IP addresses behind the PIX. What addressing would you recommend for the LAN between the outside interface of the PIX and the router, per this part of his drawing:

PIX1(outside)(e0)R1(e1)INTERNET

By the way, he really did show R1 having an Ethernet interface out to the Internet. I don't think it was a typo. In the case that came up last week, this Ethernet then went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice? This question came up last week too and the person never got a good answer. I would answer it myself but I'm PIX and VPN challenged (but learning! ;-)

Priscilla

Answering your original question -

If I'm provided a /29 address by my ISP for PIX1's site, then how does the PIX1's outside and R1's Ethernet addresses get provisioned (same question for PIX2's site)?

If you insist on using publics behind your PIX, you get a /29 for behind, and 2 /30s: one for PIX to RTR and one for RTR to ISP EDGE. The routers also should NEVER use UNNUMBERED! How do you remote-manage the router if the Ethernet line proto is down? Loopback? You won't have a public IP if your ISP skimps on addresses. I have seen some whack configs where s0/0 is unnumbered, and the only routed block is on e0/0. It's not worth saving the /30 for the added aggravation.

Are they bridged or unnumbered in some way?

The routers know nothing of your site-to-site VPN. They just route. Nuff said on that.

How do the PIXs use private addresses for their crypto peer statements?

They can't. Not unless you use outside NAT on the routers, something I don't think you can or want to do. Just use publics all around for your crypto peer statements. I don't think you can do it any other way.

One creative way to do it, maybe: run a GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 private class Cs for in between router and PIX on each side. Just route everything (which is also encrypted) through the tunnel. Have NO NAT on your PIXs for internal stuff to go out of the router on S0/0 (instead of VPN traffic, which goes out TUNNEL0). This should make your PIXs harder to attack, and if you want you can run NAT on the router for hosts, or have another NAT proxy behind the PIX (either way, the PIX won't do NAT with this low-profile config trick).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57664t=57648
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
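The GRE trick suggested above, written out as an added example (this is not configuration from any poster in the thread). It assumes an IOS edge router R1 whose only public addresses are the ISP /30 (ISP 203.0.113.1, R1 203.0.113.2; site B's R2 is 203.0.113.6), a private /24 between each router and its PIX (192.168.1.0/24 at site A, 192.168.2.0/24 at site B), the inside LANs 10.1.1.0/24 and 10.2.2.0/24, and a /30 for the tunnel instead of the /24 mentioned above. The PIX does no NAT; the router PATs Internet-bound traffic and leaves the PIX-to-PIX traffic alone by routing it into the tunnel. Lines beginning with `!` are annotations: IOS accepts them, a PIX 6.x does not, so strip them before pasting the PIX part.

```cisco
! ==== R1, site A edge router (IOS). R2 at site B mirrors this with the
! ==== addresses swapped. All addresses are assumptions for the example.
interface Tunnel0
 description GRE to R2; carries the PIX1 <-> PIX2 IKE and ESP packets
 ip address 10.0.1.1 255.255.255.252
 tunnel source Serial0
 tunnel destination 203.0.113.6
!
interface Serial0
 description ISP /30, the only public addresses at this site
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-INTERNET in
 ip nat outside
!
interface FastEthernet0
 description private link to PIX1 outside (192.168.1.2)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! site B's router-to-PIX network is reachable only through the tunnel
ip route 192.168.2.0 255.255.255.0 Tunnel0
! PIX1 does no NAT, so R1 must know the inside LAN sits behind it
ip route 10.1.1.0 255.255.255.0 192.168.1.2
!
! Internet-bound traffic from the inside LAN is PATed here, on the router.
! VPN traffic to 192.168.2.0/24 exits via Tunnel0, which is not
! "ip nat outside", so the IKE/ESP packets keep their original headers.
ip access-list standard LAN-TO-INTERNET
 permit 10.1.1.0 0.0.0.255
ip nat inside source list LAN-TO-INTERNET interface Serial0 overload
!
! Only the far router may send GRE to this one; anything else is left to
! the PIX to filter. GRE itself carries no authentication, so the IPsec
! between the PIXes is still what actually protects the traffic.
ip access-list extended FROM-INTERNET
 permit gre host 203.0.113.6 host 203.0.113.2
 deny   gre any any
 permit ip any any
!
! ==== PIX1 (PIX 6.x): only the lines that differ from a public-addressed
! ==== site-to-site setup. Crypto map, transform set and isakmp policy
! ==== are configured as usual.
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
nat (inside) 0 0.0.0.0 0.0.0.0
crypto map sitemap 10 set peer 192.168.2.2
isakmp key ******** address 192.168.2.2 netmask 255.255.255.255
```

Two things to watch with this layout: the GRE header adds 24 bytes on top of the ESP overhead, so a lowered `ip mtu` on Tunnel0 avoids fragmenting the encrypted packets on the serial link, and inside hosts now go through two NAT devices only if the PIX is also translating, which this example deliberately avoids by putting the one PAT on the router.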
RE: PIX site-to-site VPN question... [7:57648]
Yes, he should use public on the outside link and then private on the inside; the setup would be much easier that way. NAT or PAT on a PIX is so easy. And I had a slight brain fart: he can't use private on the outside, the reason being the peer addressing that has to go on the PIX for the VPN tunnel. So of course if he used private there is no way site A can talk to site B across the Internet.

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Elijah Savage III wrote:

Oh yeah, with the limited address space the correct term I meant to use is PAT, not to confuse anyone. The outside interface on the PIX has 1 public and everyone gets NATed to that one global address.

So, use public addressing on the PIX(outside)-router link. In the previous message you said he could use either, but it will make things easier if he uses public on that link and private on the ---(inside)PIX link, eh? Sorry if I'm being dim-witted. :-)

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57665t=57648
RE: PIX site-to-site VPN question... [7:57648]
Okay, I should have explained better... sorry. Let's break my point down to a digestible limit.

At this point I want to know how to set up the site-to-site VPN tunnel between the two PIXs if I use private addressing on the outside interfaces of the PIXs. If both of the outside interfaces of the PIXs use 192.168.x.x addresses, then what is the address I would use in the 'crypto map peer' statement? If it's the 192.168.x.x address of the other PIX's outside interface, how does the PIX know how to get there? You follow? The perimeter router doesn't route private addresses, so how would it know how to get to the other PIX?

That's why I'm assuming that the public addressing has to include the PIX outside interfaces, but if this is so, how do you configure the perimeter router?

Thanks,
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elijah Savage III
Sent: Monday, November 18, 2002 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Oh yeah, with the limited address space the correct term I meant to use is PAT, not to confuse anyone. The outside interface on the PIX has 1 public and everyone gets NATed to that one global address.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57666t=57648
RE: PIX site-to-site VPN question... [7:57648]
You have to use the public IP addresses, as I stated in my last email; private is non-routable on the net, though I have seen Sprint route private by mistake from time to time :)

But that is not what confused me. What is confusing me is your IP addressing problem: do you have one? A /29 is a 255.255.255.248 subnet mask, which will give you 6 usable addresses. So I am not sure I see a problem, unless you want to use private on the outside; then yes, you have a problem.

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Okay, I should have explained better... sorry. Let's break my point down to a digestible limit.

At this point I want to know how to set up the site-to-site VPN tunnel between the two PIXs if I use private addressing on the outside interfaces of the PIXs. If both of the outside interfaces of the PIXs use 192.168.x.x addresses, then what is the address I would use in the 'crypto map peer' statement? If it's the 192.168.x.x address of the other PIX's outside interface, how does the PIX know how to get there? You follow? The perimeter router doesn't route private addresses, so how would it know how to get to the other PIX?

That's why I'm assuming that the public addressing has to include the PIX outside interfaces, but if this is so, how do you configure the perimeter router?

Thanks,
Ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57668t=57648
RE: PIX site-to-site VPN question... [7:57648]
May I also ask why you want to use private?

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Okay, I should have explained better... sorry. Let's break my point down to a digestible limit.

At this point I want to know how to set up the site-to-site VPN tunnel between the two PIXs if I use private addressing on the outside interfaces of the PIXs. If both of the outside interfaces of the PIXs use 192.168.x.x addresses, then what is the address I would use in the 'crypto map peer' statement? If it's the 192.168.x.x address of the other PIX's outside interface, how does the PIX know how to get there? You follow? The perimeter router doesn't route private addresses, so how would it know how to get to the other PIX?

That's why I'm assuming that the public addressing has to include the PIX outside interfaces, but if this is so, how do you configure the perimeter router?

Thanks,
Ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57669t=57648
RE: PIX site-to-site VPN question... [7:57648]
Thanks for your help, Elijah... however, I think you are still missing the full point of my question... I am looking for a complete solution rather than just 'what's possible' at different points in the network.

I did mean to use a /29 in my example. I used that b/c if I was only given one IP address from my ISP, and used it for the outside interface of the PIX (as you suggested), then how do I configure the perimeter router? What IP addresses does that use?

Let's go with this example to answer my question for now -- with using public addresses. Just FYI, however, here is a diagram on CCO which uses private addressing on the outside interface of the PIX in a VPN solution (doesn't show the perimeter routers, though)...

Thanks,
Ed

-----Original Message-----
From: Elijah Savage III [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 8:13 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

You have to use the public IP addresses, as I stated in my last email; private is non-routable on the net, though I have seen Sprint route private by mistake from time to time :)

But that is not what confused me. What is confusing me is your IP addressing problem: do you have one? A /29 is a 255.255.255.248 subnet mask, which will give you 6 usable addresses. So I am not sure I see a problem, unless you want to use private on the outside; then yes, you have a problem.
RE: PIX site-to-site VPN question... [7:57648]
Excellent... now we're getting somewhere. That's what I thought... but if this is the case, then how does the PIX establish the actual peering with the other PIX? Again, my crypto map peer _address_ example... what IP address do you use here if using private addresses? And if it's simply the private address of the other PIX, then how do the perimeter routers route this private addressing over the public Internet?

Thanks again,
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elijah Savage III
Sent: Monday, November 18, 2002 7:38 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Yes, he should use public on the outside link and then private on the inside; the setup would be much easier that way. NAT or PAT on a PIX is so easy. And I had a slight brain fart: he can't use private on the outside, the reason being the peer addressing that has to go on the PIX for the VPN tunnel. So of course if he used private there is no way site A can talk to site B across the Internet.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57671t=57648
RE: PIX site-to-site VPN question... [7:57648]
The only way that you could put private addresses on the OUTSIDE interface of the PIX (Site A), and still successfully set up a tunnel to another PIX across the Internet that is behind an edge router of your own control (Site B), is to build a GRE tunnel between the edge routers.

EX:
                     Public Addresses
PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
Pvt. Addresses      G R E   Tunnel       Pvt. Addresses

If you tried to set up NAT on the two edge routers to static-translate for the PIX hosts on their outside interfaces, the tunnel would never establish. Even though you would define the crypto peer as a public address, when the packet arrives at the far side it would have the private address headers, and thus the tunnel would never come up, and that is why you would need a GRE tunnel between the two routers to use private addresses between the two PIXen end-points.

I have set up the scenario you speak of in production, but the ISP assigned a /30 for the routers connecting to the ISP, AND they assigned /27s for the customer's own use. So, with this, I configured the S0 interfaces of each router as part of the /30s, and configured the Fa0 interfaces of the routers and the PIX outside interfaces as hosts in the /27 blocks that were assigned to each site, while creating a PAT pool and NAT statics for appropriate hosts behind the PIX. The inside/DMZ side of the PIXen were configured with RFC 1918 addresses. Site-to-site VPNs were established using the public IP addresses on the outside interface of each PIX.

HTH,
Mark

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Thanks for your help, Elijah... however, I think you are still missing the full point of my question... I am looking for a complete solution rather than just 'what's possible' at different points in the network.

I did mean to use a /29 in my example. I used that b/c if I was only given one IP address from my ISP, and used it for the outside interface of the PIX (as you suggested), then how do I configure the perimeter router? What IP addresses does that use?

Let's go with this example to answer my question for now -- with using public addresses. Just FYI, however, here is a diagram on CCO which uses private addressing on the outside interface of the PIX in a VPN solution (doesn't show the perimeter routers, though)...

Thanks,
Ed
RE: PIX site-to-site VPN question... [7:57648]
Perfect... very interesting, indeed. I have long wondered about this scenario, and have wondered how companies are implementing their site-to-site VPNs over the Internet.

So you're saying (regarding your own roll out) that your ISP assigned you two address spaces and routed your /27 towards your perimeter router, right? In any case, your scenario explains the answer to that particular example... however, new questions arise:

(1) If I DIDN'T decide to set up a GRE over the Internet, then what other options do I have? Would a simple NAT on the perimeter routers suffice? This would introduce dual-NAT, and I have heard that dual-NATing is less-than-desired in production due to performance issues.

(2) If I wanted to use public addressing on the outsides of the PIX's, then would I have to have two address spaces, as described in your own scenario? Can anyone think of any other options on the perimeter router? Like I said, bridging or unnumbered or something of the like?

Thanks,
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark W. Odette II
Sent: Monday, November 18, 2002 9:19 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

The only way that you could put private addresses on the OUTSIDE interface of the PIX (Site A), and still successfully set up a tunnel to another PIX across the Internet that is behind an edge router of your own control (Site B), is to build a GRE tunnel between the edge routers.

EX:

                     Public Addresses
PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
Pvt. Addresses        G R E   T u n n e l        Pvt. Addresses

If you tried to set up NAT on the two edge routers to static translate for the PIX hosts on their outside interfaces, the tunnel would never establish. Even though you would define the crypto peer as a public address, when the packet arrives at the far side it would have the private address headers, and thus the tunnel would never come up; that is why you would need a GRE tunnel between the two routers to use private addresses between the two PIXen end-points.

I have set up the scenario you speak of in production, but the ISP assigned a /30 for the routers connecting to the ISP, AND they assigned /27's for the customer's own use. So, with this, I configured the S0 interfaces of each router as part of the /30's, and configured the Fa0 interfaces of the routers and the PIX outside interfaces as hosts in the /27 blocks that were assigned to each site, while creating a PAT pool and NAT statics for appropriate hosts behind the PIX. The inside/DMZ side of the PIXen were configured with RFC1918 addresses. Site-to-site VPNs were established using the public IP addresses on the outside interface of each PIX.

HTH's
Mark
RE: PIX site-to-site VPN question... [7:57648]
In-line...

> Perfect... very interesting, indeed. I have long wondered about this scenario, and have wondered how companies are implementing their site-to-site VPNs over the Internet. So you're saying (regarding your own roll out) that your ISP assigned you two address spaces and routed your /27 towards your perimeter router, right? In any case, your scenario explains the answer to that particular example... however, new questions arise:
>
> (1) If I DIDN'T decide to set up a GRE over the Internet, then what other options do I have? Would a simple NAT on the perimeter routers suffice? This would introduce dual-NAT, and I have heard that dual-NATing is less-than-desired in production due to performance issues.

No. The PIX does not work like most VPN/IPSEC/NAT devices. You have to have routable addresses on the PIX outside (maybe some CCIE Security will chime in). It helps for surfing the web a bit, in addition to your VPN: you have public IP on the OUTSIDE of the PIX (prevents the edge routers from DOING NAT, which they should not have to here). Based on your original post, I was assuming you were talking about going over the public Internet for your site-to-site VPN? Well, that is about the only reason I could see doing all this for.

> (2) If I wanted to use public addressing on the outsides of the PIX's, then would I have to have two address spaces, as described in your own scenario? Can anyone think of any other options on the perimeter router? Like I said, bridging or unnumbered or something of the like?

You will not run bridging, first of all (unless you want both PIXes at both sites to be on 1 LAN). This probably won't work, unless you're NOT providing Internet access (separate) at both sites. It will work if you want one site ONLY to be the Internet gateway site or something, for a central point of security, whatever. It will also cause you to have the same public block at both sites. Not going to happen, with any carriers I have seen. One block, one T-1, one location.

Also forget the unnumbered. Bad operational mistake, invented by lazy ISPs to conserve a /30. Does not provide any security, locks you out of the router for basic troubleshooting if your eth INT has no line proto.

You should do this (per 2 years' experience with PIX VPN):

        SITE A                      PUBLIC INET                      SITE B
PIX A(PUBLIC IP)(RTRA)(PUBLIC IP)                (PUBLIC IP)(RTRB)(PUBLIC IP)PIX B

Your crypto peer statements reflect the opposite PIX's public IP (make sure you isakmp enable outside, etc.). Your Internet access at either site will come from a global overload (PAT) statement for the PIXes, on the interface or another IP in your routed block.

FYI, don't try the GRE tunnel trick... had some problems with fragmentation of IPSEC packets, speed issues, etc... also your edge routers will have to run NAT to get those private tunneled outside IPs to the NET for surf access.

> Thanks,
> Ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57680&t=57648
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX site-to-site VPN question... [7:57648]
I think you might be wrong. I never had to do this outside of the lab (on two VPN routers and 2 PIXes in between doing NAT), but you should be able to establish ESP in tunnel mode between two devices using private addresses with NAT happening somewhere in between. Remember, ESP only cares about the payload, not the header. Therefore, as long as the payload is intact, this is valid. Of course, both VPN devices would have to know each other by NATed or, in your case, public IP addresses. I can show you the config, if you like.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark W. Odette II
Sent: Tuesday, November 19, 2002 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

The only way that you could put private addresses on the OUTSIDE interface of the PIX (Site A), and still successfully set up a tunnel to another PIX across the Internet that is behind an edge router of your own control (Site B), is to build a GRE tunnel between the edge routers.

EX:

                     Public Addresses
PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
Pvt. Addresses        G R E   T u n n e l        Pvt. Addresses

If you tried to set up NAT on the two edge routers to static translate for the PIX hosts on their outside interfaces, the tunnel would never establish. Even though you would define the crypto peer as a public address, when the packet arrives at the far side it would have the private address headers, and thus the tunnel would never come up; that is why you would need a GRE tunnel between the two routers to use private addresses between the two PIXen end-points.

I have set up the scenario you speak of in production, but the ISP assigned a /30 for the routers connecting to the ISP, AND they assigned /27's for the customer's own use. So, with this, I configured the S0 interfaces of each router as part of the /30's, and configured the Fa0 interfaces of the routers and the PIX outside interfaces as hosts in the /27 blocks that were assigned to each site, while creating a PAT pool and NAT statics for appropriate hosts behind the PIX. The inside/DMZ side of the PIXen were configured with RFC1918 addresses. Site-to-site VPNs were established using the public IP addresses on the outside interface of each PIX.

HTH's
Mark
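The point argued in the reply above, that ESP in tunnel mode survives a NAT in the path because its integrity check never covers the outer IP header, while the peer still has to be configured with the translated (public) address, can be shown in a small simulation. The following is an added example written for this archive, not code from any poster or from Cisco. It models only the fields that matter (a 9-byte outer header of source, destination and protocol, an 8-byte ESP or AH header of SPI and sequence number, a truncated HMAC-SHA256 ICV, and a SHA-256 keystream as a stand-in for the real cipher); the keys are constructed and the addresses are documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) plus RFC1918 space.

```python
"""Why ESP tunnel mode survives a NAT that rewrites the outer IP header,
while AH does not.  Constructed, simplified packet model, not real IPsec."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed shared keys; a real SA derives these from the IKE exchange.
AUTH_KEY = b"constructed-ipsec-auth-key"
ENC_KEY = b"constructed-ipsec-enc-key"


@dataclass
class IPHeader:
    src: str
    dst: str
    proto: int  # 50 = ESP, 51 = AH (real protocol numbers)

    def pack(self) -> bytes:
        # Only the fields that matter for the demonstration are modelled.
        return (bytes(map(int, self.src.split(".")))
                + bytes(map(int, self.dst.split(".")))
                + bytes([self.proto]))


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in keystream cipher (SHA-256 counter mode) so the example runs
    offline.  It is NOT an IPsec transform; only the integrity logic matters."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(outer: IPHeader, inner_packet: bytes, spi: int, seq: int) -> bytes:
    """ESP tunnel mode: the ICV covers the ESP header plus ciphertext only,
    never the outer IP header, so a NAT may rewrite outer src/dst freely."""
    esp_header = struct.pack(">II", spi, seq)
    body = esp_header + toy_encrypt(ENC_KEY, inner_packet)
    icv = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:12]
    return outer.pack() + body + icv


def esp_decapsulate(packet: bytes) -> Optional[bytes]:
    """Verify the ICV and return the inner packet, or None if integrity fails."""
    body, icv = packet[9:-12], packet[-12:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        return None
    return toy_encrypt(ENC_KEY, body[8:])


def ah_encapsulate(outer: IPHeader, inner_packet: bytes, spi: int, seq: int) -> bytes:
    """AH tunnel mode: the ICV covers the outer header's immutable fields
    (source and destination included) plus the AH header and payload."""
    ah_header = struct.pack(">II", spi, seq)
    icv = hmac.new(AUTH_KEY, outer.pack() + ah_header + inner_packet,
                   hashlib.sha256).digest()[:12]
    return outer.pack() + ah_header + icv + inner_packet


def ah_verify(packet: bytes) -> bool:
    outer, ah_header, icv, payload = packet[:9], packet[9:17], packet[17:29], packet[29:]
    expected = hmac.new(AUTH_KEY, outer + ah_header + payload, hashlib.sha256).digest()[:12]
    return hmac.compare_digest(icv, expected)


def static_nat(packet: bytes, inside: str, outside: str) -> bytes:
    """Edge-router static NAT: rewrite only the outer source address."""
    hdr = IPHeader(".".join(map(str, packet[0:4])), ".".join(map(str, packet[4:8])), packet[8])
    if hdr.src == inside:
        hdr.src = outside
    return hdr.pack() + packet[9:]


def run_demo() -> dict:
    """PIX1 outside = 192.168.1.2 (private), statically NATed by R1 to
    198.51.100.2; PIX2 outside = 203.0.113.2 (public).  Constructed values."""
    inner = b"constructed inner IP packet: 10.1.1.10 -> 10.2.2.20"
    esp = static_nat(esp_encapsulate(IPHeader("192.168.1.2", "203.0.113.2", 50),
                                     inner, spi=0x1001, seq=1),
                     "192.168.1.2", "198.51.100.2")
    ah = static_nat(ah_encapsulate(IPHeader("192.168.1.2", "203.0.113.2", 51),
                                   inner, spi=0x1002, seq=1),
                    "192.168.1.2", "198.51.100.2")
    return {
        "esp_inner_recovered": esp_decapsulate(esp) == inner,   # True
        "esp_outer_src_seen_by_peer": ".".join(map(str, esp[0:4])),  # the NATed address
        "ah_verifies_after_nat": ah_verify(ah),                 # False
    }


if __name__ == "__main__":
    print(run_demo())
```

The ESP packet verifies at PIX2 even though R1 rewrote the outer source, and PIX2 sees the peer as 198.51.100.2, which is the address its crypto map peer statement has to name; the AH packet fails, since AH signs the very fields the NAT changed. What actually breaks such a deployment in practice is not ESP integrity but the control plane and the translation device: IKE carries the negotiating address as its identity and runs over UDP/500, and a PAT overload has no port to track for protocol 50, which is why the later NAT-traversal extensions wrap ESP in UDP. With a one-to-one static on the edge router, as the reply suggests, the data plane shown here holds.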
Re: VPN Primer on Cisco site - FYI [7:56618]
FYI, this paper and other Cisco security docs can also be found at:

http://www.cisco.com/go/safe

which has the advantage of being easier to remember. ;-)

Regards,
Kent

At 07:58 PM 10/31/2002, The Long and Winding Road wrote:

found this while stumbling around: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safev_wp.pdf

enjoy
--
www.chuckslongroad.info

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56686&t=56618
VPN Primer on Cisco site - FYI [7:56618]
found this while stumbling around: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safev_wp.pdf

enjoy
--
www.chuckslongroad.info

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56618&t=56618
Re: hate cisco's new site? [7:56236]
Howard C. Berkowitz wrote in message news:200210252303.XAA06341;groupstudy.com...

Tim Medley wrote:
Oh did they mean to redesign the website? I thought some script kiddies defaced it and Cisco hadn't had time to fix it.

Nope, marketing kiddies! ;-)
Priscilla

Oh. Script kiddies with incompetent adult supervision.

CL: All in good fun so far, but I am starting to run into some real issues. I work for one of Cisco's largest partners, and my CCO account gives me access to a number of partner-specific areas that I use regularly. I was working on something for a client, was sent a link by Cisco pre-sales (partner-only information link), and I have been unable to get in. Let's see: fifteen email messages later, "we fixed it, try"... grrr, no you didn't... "try it now"... still doesn't work, and I am giving up. What's more irritating is that every time I respond to their automated e-mail, I get a reply that says to write your comments between the lines (special formatting). Thing is, on the original e-mail, these formatting lines do not exist.

CL: I can live with the marketing crap. I can live with the colors. I can't live with the loss of certain functionality.

CL: I will say that if you dig around, there can be a lot more and a lot better information to be found.

CL: I can also say with assurance that there are some tools, like the configurator, which still need a LOT of work.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56326&t=56236
Re: hate cisco's new site? [7:56236]
It stinks, it doesn't even use the same look throughout, why bother?

Tim Metz wrote in message news:200210250414.EAA05528;groupstudy.com...

I used to bitch about the old one and am now totally screwed... I guess I'll learn to like it ;-(
Tim

sam sneed wrote in message news:200210241956.TAA01985;groupstudy.com...

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56263&t=56236
RE: hate cisco's new site? [7:56236]
You can still access the old site; try this URL: http://www.cisco.com/cco.shtml

-----Original Message-----
From: Tim Metz [mailto:timmetz;hotmail.com]
Sent: 25 October 2002 06:14
To: [EMAIL PROTECTED]
Subject: Re: hate cisco's new site? [7:56236]

I used to bitch about the old one and am now totally screwed... I guess I'll learn to like it ;-(
Tim

sam sneed wrote in message news:200210241956.TAA01985;groupstudy.com...

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56266&t=56236
RE: hate cisco's new site? [7:56236]
I agree. I prefer the old one.

[EMAIL PROTECTED] wrote:
I agree, it is horrible, absolutely horrible.

-----Original Message-----
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 12:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56275&t=56236
Re: hate cisco's new site? [7:56236]
It's awful. Unless I make an extremely tiny font, I have to scroll to get to the search function, which I would swear now has a smaller entry field. There's no obvious place to link directly to a search page. Navigation other than search is also rather strange.

So, I filled out the feedback form about the page. What happened when I hit submit? Internal server error. I don't know whether to laugh or cry.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56277&t=56236
RE: hate cisco's new site? [7:56236]
At 9:37 AM +0000 10/25/02, Tshepo Kowane (TO) wrote:
You can still access the old site; try this URL: http://www.cisco.com/cco.shtml

THANK YOU!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56278&t=56236
Re: hate cisco's new site? [7:56236]
Well, a few workarounds. You can just go straight to the documentation CD (right now the site seems down for me, ugh, so I cannot verify 100%; the links are pretty close, and if you navigate hard enough it really just links back to the universal CD anyway): http://www.cisco.com/univercd/

OR just go to the bottom right and click on GO TO THE OLD SITE. And presto, you get your old site back. Ironically, it usually takes a very long time to load the old site.

As for general navigation, if you guys want to find docs, I think it was under Support, then Hardware (for stuff like the PIX) and Software for IOS; then you can drill down and one of them eventually brings you back to the universal CD. ;)

While I hate it too, come on guys, we are powerful Cisco study candidates, we should be able to solve anything that comes up quickly! If we can crunch Cisco problems we can navigate this new nasty site as well! :)

I used to bitch about the old one and am now totally screwed... I guess I'll learn to like it ;-(
Tim

sam sneed wrote in message news:200210241956.TAA01985;groupstudy.com...

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56282&t=56236
Re: hate cisco's new site? [7:56236]
I can't get to cisco.com either, must be down.

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco ATC/Regional Networking Academy
Cunctando Restituit Rem

Carroll Kong wrote:

Well, a few workarounds. You can just go straight to the documentation CD (right now the site seems down for me, ugh, so I cannot verify 100%; the links are pretty close, and if you navigate hard enough it really just links back to the universal CD anyway): http://www.cisco.com/univercd/

OR just go to the bottom right and click on GO TO THE OLD SITE. And presto, you get your old site back. Ironically, it usually takes a very long time to load the old site.

-Carroll Kong
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56286&t=56236
RE: hate cisco's new site? [7:56236]
Oh did they mean to redesign the website? I thought some script kiddies defaced it and Cisco hadn't had time to fix it.

tm
Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld

-----Original Message-----
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 3:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56254&t=56236
Re: hate cisco's new site? [7:56236]
lol... I wouldn't say I hate it, it just takes a little getting used to. Or maybe they just want you to spend more time on the website and less time looking at the current stock price??? :)

-Brad Ellis
CCIE#5796

sam sneed wrote in message news:200210241956.TAA01985;groupstudy.com...

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56248&t=56236
RE: hate cisco's new site? [7:56236]
I'm not too fond of the snot green color that was obviously taken from the color of their cables! :-)

Shawn K.

-----Original Message-----
From: Tim Medley [mailto:tim.medley;ireadyworld.com]
Sent: Friday, October 25, 2002 1:44 PM
To: [EMAIL PROTECTED]
Subject: RE: hate cisco's new site? [7:56236]

Oh did they mean to redesign the website? I thought some script kiddies defaced it and Cisco hadn't had time to fix it.

tm
Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld

-----Original Message-----
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 3:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56318&t=56236
RE: hate cisco's new site? [7:56236]
Tim Medley wrote:
Oh did they mean to redesign the website? I thought some script kiddies defaced it and Cisco hadn't had time to fix it.

Nope, marketing kiddies! ;-)
Priscilla

tm
Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld

-----Original Message-----
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 3:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56308&t=56236
Re: hate cisco's new site? [7:56236]
So it's not just me, that's good to know.

Kaminski, Shawn G wrote in message news:200210252049.UAA17577;groupstudy.com...

I'm not too fond of the snot green color that was obviously taken from the color of their cables! :-)

Shawn K.

-----Original Message-----
From: Tim Medley [mailto:tim.medley;ireadyworld.com]
Sent: Friday, October 25, 2002 1:44 PM
To: [EMAIL PROTECTED]
Subject: RE: hate cisco's new site? [7:56236]

Oh did they mean to redesign the website? I thought some script kiddies defaced it and Cisco hadn't had time to fix it.

tm
Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld

-----Original Message-----
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 3:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56321&t=56236
RE: hate cisco's new site? [7:56236]
Tim Medley wrote:
Oh did they mean to redesign the website? I thought some script kiddies defaced it and Cisco hadn't had time to fix it.

Nope, marketing kiddies! ;-)
Priscilla

Oh. Script kiddies with incompetent adult supervision.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56323&t=56236
RE: hate cisco's new site? [7:56236]
THANK YOU. I wonder how long they will have this one up for. Can we do something about it? :(

Howard C. Berkowitz wrote:

At 9:37 AM +0000 10/25/02, Tshepo Kowane (TO) wrote:
You can still access the old site; try this URL: http://www.cisco.com/cco.shtml

THANK YOU!

Raul Renteria (CCNA, CCDA, CCNP)
DJ1Integration. NY, NY. 10016

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56324&t=56236
Re: hate cisco's new site? [7:56236]
I'm with you, Mr. Sneed. I've even had an email conversation with someone at Cisco where I detailed why I hate their new site. They have good intentions and I think once they're completely finished it will be nice, but at the moment it's hard to navigate. I suggested that they allow us to create our own stylized home pages and she said they are already working on that. I would love to have that! My home page would consist of:

Software Center
TAC
Pricing Tool
Service Contract Center
Technical Docs

And that's about it. I'd love to get rid of all the junk they use to clutter up the main page.

sam sneed 10/24/02 1:56:01 PM

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56238&t=56236
hate cisco's new site? [7:56236]
Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56236&t=56236
Re: hate cisco's new site? [7:56236]
I'm getting used to finding stuff, but I really dislike the small font, hard to read!!

Dave

sam sneed wrote:

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston Churchill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56241&t=56236
RE: hate cisco's new site? [7:56236]
I agree, it is horrible, absolutely horrible.

-----Original Message-----
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 12:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56246&t=56236
RE: hate cisco's new site? [7:56236]
You are by no means the only one. I'm composing a letter to our SE detailing the many ways in which the new site hinders both troubleshooting and fact-finding. Now, it appears to be a lot more marketing and significantly less technical. For example, the way they have classified everything into software, hardware and technology is at best obtuse. How many people trying to troubleshoot/optimize their infrastructure want to wander around until they find the appropriate tech note? Wouldn't it be simpler and easier to have it the way it used to be, by product (e.g. CallManager) or by technology (e.g. EIGRP)?

If enough of us complain, perhaps they'll change it back. I also think a SlashApp-like RSS feed from CCO would be pretty nice...

Cheers all.

Paul Forbes
Network Engineer
Trimble
+1.408.481.8291

-----Original Message-----
From: sam sneed [mailto:vristevski;hotmail.com]
Sent: Thursday, October 24, 2002 12:56 PM
To: [EMAIL PROTECTED]
Subject: hate cisco's new site? [7:56236]

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56249&t=56236
Re: hate cisco's new site? [7:56236]
I used to bitch about the old one and am now totally screwed... I guess I'll learn to like it ;-(

Tim

sam sneed wrote in message news:200210241956.TAA01985;groupstudy.com...

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56260t=56236
multi site and bridging [7:55760]
Hi All,

Got this problem. Have a site at the moment, site a, running the 172.17.x.x networks. Management has just informed me that we have just acquired an empty building down the road, site b. The idea is that we move all servers and core infrastructure to site b over a series of weekends. After the move, we will sell site a.

In order to do this, I will need to move all servers, using the same IP scheme, to building b, thus I will need to have something that resembles a LAN between the 2 buildings, connected via a frame relay link (Telstra tpips).

Is there any way possible to have something like a bridged network between the 2 buildings that will permit me to use the same IP scheme and utilize the VLANs in use in site A when I move to site b?

Thanks all for your help.

When Chuck wakes up, I will give you the whole story on this, as he would love to hear my fights with non-technical managers.

** visit http://www.solution6.com
UK Customers - http://www.solution6.co.uk *

This email message (and attachments) may contain information that is confidential to Solution 6. If you are not the intended recipient you cannot use, distribute or copy the message or attachments. In such a case, please notify the sender by return email immediately and erase all copies of the message and attachments. Opinions, conclusions and other information in this message and attachments that do not relate to the official business of Solution 6 are neither given nor endorsed by it. *

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55760t=55760
Re: multi site and bridging [7:55760]
John Brandis wrote in message news:[EMAIL PROTECTED]...

Hi All,

Got this problem. Have a site at the moment, site a, running the 172.17.x.x networks. Management has just informed me that we have just acquired an empty building down the road, site b. The idea is that we move all servers and core infrastructure to site b over a series of weekends. After the move, we will sell site a.

CL: hope the rats, rabbits, and wallabies don't follow you to the new site :-)

In order to do this, I will need to move all servers, using the same IP scheme, to building b, thus I will need to have something that resembles a LAN between the 2 buildings, connected via a frame relay link (Telstra tpips).

CL: don't you have some high speed alternative like gigabit available? is this a contract / term / price issue?

Is there any way possible to have something like a bridged network between the 2 buildings that will permit me to use the same IP scheme and utilize the VLANs in use in site A when I move to site b?

CL: sure - easily done. in the Cisco world you just need to add the frame-relay map bridge 16(dlci) ietf broadcast etc commands on the physical interfaces.

Thanks all for your help.

When Chuck wakes up, I will give you the whole story on this, as he would love to hear my fights with non-technical managers.

CL: whaddaya mean when I wake up? I never sleep! I do spend a lot of my time in the office contemplating designs and customer issues, something I do best with my feet up on the desk and my eyes closed ;-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55761t=55760
RE: Off topic - Cisco's jazzy web site [7:54966]
I think the idea is that when you look for a 2600, for example, everything is there together (the sales gumpf, the tech specs, etc etc). Not sure whether that's a good idea or not. As an engineer you're fairly regularly going to certain areas, and it's handy to have the info for all the routers there, rather than going to a different place for each router (if that's the way it's going).

Gaz

In article , [EMAIL PROTECTED] says...

I'm seeing more integration between the marketing materials and the technical materials. As expected, the marketing seems to be prominent. I'll keep an open mind as to its improved/not improved logic.

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]]

Ugh...I just took a look. Am I the only one who thinks this is horrid? Perhaps I'm too used to the old layout but this seems to be much more difficult to follow. Oh well, in a few months I'm sure it will be old-hat.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55129t=54966
Re: Off topic - Cisco's jazzy web site [7:54966]
Ugh...I just took a look. Am I the only one who thinks this is horrid? Perhaps I'm too used to the old layout but this seems to be much more difficult to follow. Oh well, in a few months I'm sure it will be old-hat.

John

Nigel Taylor 10/6/02 1:13:25 PM

Hey Chuck,

Yep, I noticed this as well. The greatest addition to the new site is the button/link (image) that reads "Go to the old Site". After mastering where all the information is on CCO, it's going to take some time to familiarize myself with the new layout..

Nigel

- Original Message -
From: Chuck's Long Road
To:
Sent: Sunday, October 06, 2002 10:46 AM
Subject: Off topic - Cisco's jazzy web site [7:54966]

Apparently the elves were busy last night. CCO has a new look. www.cisco.com

--
www.chuckslongroad.info
like my web site? take the survey!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55007t=54966
RE: Off topic - Cisco's jazzy web site [7:54966]
I'm seeing more integration between the marketing materials and the technical materials. As expected, the marketing seems to be prominent. I'll keep an open mind as to its improved/not improved logic.

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]]

Ugh...I just took a look. Am I the only one who thinks this is horrid? Perhaps I'm too used to the old layout but this seems to be much more difficult to follow. Oh well, in a few months I'm sure it will be old-hat.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55008t=54966
RE: Off topic - Cisco's jazzy web site [7:54966]
I think that's what's bugging me. The main page is WAY too busy; too much information makes it difficult to take in. I think they should include an expert mode that turns off the 'helpful' notes about which links do what. If they really wanted to be helpful, they should allow customizable home pages so that when we log in we have the items most important to us immediately available. If Excite can do it, I'm sure Cisco can. :-)

John

Daniel Cotts 10/7/02 10:32:16 AM

I'm seeing more integration between the marketing materials and the technical materials. As expected, the marketing seems to be prominent. I'll keep an open mind as to its improved/not improved logic.

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]]

Ugh...I just took a look. Am I the only one who thinks this is horrid? Perhaps I'm too used to the old layout but this seems to be much more difficult to follow. Oh well, in a few months I'm sure it will be old-hat.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55041t=54966
Off topic - Cisco's jazzy web site [7:54966]
Apparently the elves were busy last night. CCO has a new look. www.cisco.com

--
www.chuckslongroad.info
like my web site? take the survey!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54966t=54966
Re: Off topic - Cisco's jazzy web site [7:54966]
Hey Chuck,

Yep, I noticed this as well. The greatest addition to the new site is the button/link (image) that reads "Go to the old Site". After mastering where all the information is on CCO, it's going to take some time to familiarize myself with the new layout..

Nigel

- Original Message -
From: Chuck's Long Road
To:
Sent: Sunday, October 06, 2002 10:46 AM
Subject: Off topic - Cisco's jazzy web site [7:54966]

Apparently the elves were busy last night. CCO has a new look. www.cisco.com

--
www.chuckslongroad.info
like my web site? take the survey!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54973t=54966
Re: Off topic - Cisco's jazzy web site [7:54966]
In article , [EMAIL PROTECTED] says...

Hey Chuck,

Yep, I noticed this as well. The greatest addition to the new site is the button/link (image) that reads "Go to the old Site". After mastering where all the information is on CCO, it's going to take some time to familiarize myself with the new layout..

Nigel

- Original Message -
From: Chuck's Long Road
To:
Sent: Sunday, October 06, 2002 10:46 AM
Subject: Off topic - Cisco's jazzy web site [7:54966]

Apparently the elves were busy last night. CCO has a new look. www.cisco.com

--
www.chuckslongroad.info
like my web site? take the survey!

We went to a Cisco presentation to introduce the new web site. It has been developed from customer feedback apparently. I'm sure most customers would say leave the bloody thing alone for a bit :-)

Myself and 2 CCIEs went to the two hour presentation, and had to chuckle as we walked out and our summary was "Same shit - different place".

Can't knock it really though. I have worked with masses of different products over the years, and in my view, one of the best things about Cisco is the availability and quality of information on their web site.

Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54977t=54966
Site To Site VPN b/w PIX 515 and Open BSD [7:53511]
All-

Does anyone know how to configure a site-to-site VPN over an IPSEC tunnel b/w a PIX 515 and OpenBSD?

Thanks

--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53511t=53511
Re: 150 site, site-to-site VPN [7:42661]
I think you're talking about pre-shared keys; the other option is to use public and private keys with either an outside third party or a certificate authority yourself.

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...

Guys,

I have a global financial company that is upgrading their core data infrastructure (bunch of 7200's and 6509's, etc), opening up 150 remote locations over the next few years, going all IP telephony with Call Managers and now wants to encrypt ALL traffic to all sites. I know site-to-site VPNs can be achieved with keys configured in the crypto maps in IOS, but what if someone compromises the key on the IOS? I, or my client, if we even knew the key was stolen, would have to update all the routers across the network. What options do you recommend for using certificate servers to distribute keys instead? What problems have you encountered with this? Would it be easier to just have the client update the keys once a month via CiscoWorks?

--
RFC 1149 Compliant
Get in my head: http://sar.dynu.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52539t=42661
RE: 150 site, site-to-site VPN [7:42661]
I totally agree with you: too many sites, too many worries, too many configurations... CA will be your answer.

Juan Blanco

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg
Sent: Monday, September 02, 2002 9:44 AM
To: [EMAIL PROTECTED]
Subject: Re: 150 site, site-to-site VPN [7:42661]

I think you're talking about pre-shared keys; the other option is to use public and private keys with either an outside third party or a certificate authority yourself.

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...

Guys,

I have a global financial company that is upgrading their core data infrastructure (bunch of 7200's and 6509's, etc), opening up 150 remote locations over the next few years, going all IP telephony with Call Managers and now wants to encrypt ALL traffic to all sites. I know site-to-site VPNs can be achieved with keys configured in the crypto maps in IOS, but what if someone compromises the key on the IOS? I, or my client, if we even knew the key was stolen, would have to update all the routers across the network. What options do you recommend for using certificate servers to distribute keys instead? What problems have you encountered with this? Would it be easier to just have the client update the keys once a month via CiscoWorks?

--
RFC 1149 Compliant
Get in my head: http://sar.dynu.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52548t=42661
RE: How to setup Pix site-to-site VPN with overlapping [7:50255]
Hi David,

I have a link for you. It may help you a bit. It says to NAT the existing addresses to a different address at both sites (although the document says one, because of the concentrator). http://www.cisco.com/warp/public/707/vpn_pix_private.html

If you are trying this, just tell me if it works or not.

regards
Silju

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=50556t=50255
How to setup Pix site-to-site VPN with overlapping IP addresses [7:50255]
I have this scenario:

Network 1 with IP address 172.16.1.0/24 is on the inside interface of a Pix 515 running Code version 6.2(2) and PDM 2.0(2). The IP address of the Pix inside interface is 172.16.1.1. Workstations on network 172.16.1.0/24 can access the Internet via Port Address Translation (PAT) just fine. The IP address of the outside interface is 207.172.4.5.

Network 2 with IP address 172.16.1.0/24 is on the inside interface of a Pix 515 running Code version 6.2(2) and PDM 2.0(2). The IP address of the Pix inside interface is 172.16.1.1. Workstations on network 172.16.1.0/24 can access the Internet via Port Address Translation (PAT) just fine. The IP address of the outside interface is 12.45.2.9.

I would like to set up a Site-to-Site VPN between these two networks. I know that dual-NAT will have to be done on both ends. I've been looking at the Cisco website for documentation on how to do this, but so far I've not been able to find it. By the way, RE-IPing one of the networks IS NOT AN OPTION.

I know how to set up a Site-to-Site VPN with NON-overlapping addresses with Pix Firewalls on both ends, but not when they have identical address space on both ends. I know how to do this with CheckPoint Next Generation (NG). With CP, it is very simple. I am sure this has been done before. Can someone give me an example of how to get this done? Just send me the configuration and I can figure it out from there.

Regards,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=50255t=50255
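The dual NAT this thread asks about, worked through as an added example that is not from the original posts or from Cisco's documentation: each PIX statically translates its own 172.16.1.0/24 into a distinct alias range before the crypto ACL sees the traffic, and hosts address the far side by its alias, so the two identical LANs never meet inside the tunnel. The site names and the alias ranges 10.1.1.0/24 and 10.2.2.0/24 are constructed assumptions.

```python
"""Double NAT for a PIX-to-PIX IPsec tunnel between two LANs that both use
172.16.1.0/24. Added example, not from the thread or from Cisco; the site
names and the alias ranges 10.1.1.0/24 and 10.2.2.0/24 are constructed."""
import ipaddress
from dataclasses import dataclass

REAL_LAN = ipaddress.ip_network("172.16.1.0/24")  # the same at both sites
# Each PIX presents its whole LAN to the peer under a distinct alias range,
# the job of a subnet-wide static translation on the PIX.
NAT_RANGE = {
    "site1": ipaddress.ip_network("10.1.1.0/24"),
    "site2": ipaddress.ip_network("10.2.2.0/24"),
}
PEER = {"site1": "site2", "site2": "site1"}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def translate(addr, from_net, to_net):
    """Static 1:1 subnet NAT: keep the host part, swap the network part."""
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def crypto_acl_match(site, pkt):
    """Each PIX's crypto ACL names only alias ranges (local alias -> peer alias),
    so 172.16.1.0/24 never appears in it and the two ACLs are mirror images."""
    return pkt.src in NAT_RANGE[site] and pkt.dst in NAT_RANGE[PEER[site]]


def outbound(site, pkt):
    """Inside -> outside on the local PIX: rewrite the source into this site's
    alias range. The host must already be addressing the peer's alias; a real
    172.16.1.x destination looks local to the host and never reaches the PIX."""
    if pkt.dst in REAL_LAN:
        raise ValueError("destination is on the local subnet; the PIX never sees it")
    return Packet(translate(pkt.src, REAL_LAN, NAT_RANGE[site]), pkt.dst)


def inbound(site, pkt):
    """Outside -> inside on the remote PIX after decryption: undo the
    destination translation so the packet reaches the real 172.16.1.x host."""
    return Packet(pkt.src, translate(pkt.dst, NAT_RANGE[site], REAL_LAN))


def send(src_site, src_host, dst_host):
    """Trace one packet from src_host (real address, at src_site) to dst_host
    (real address, at the peer site). The sender uses the peer's alias, for
    instance from a DNS record that returns 10.2.2.x for site2 machines.
    Returns the (src, dst) pair seen at each hop."""
    dst_site = PEER[src_site]
    dst_alias = translate(ipaddress.ip_address(dst_host), REAL_LAN, NAT_RANGE[dst_site])
    on_lan = Packet(ipaddress.ip_address(src_host), dst_alias)
    on_wire = outbound(src_site, on_lan)
    if not crypto_acl_match(src_site, on_wire):
        raise ValueError("crypto ACL miss: the packet would leave unencrypted")
    delivered = inbound(dst_site, on_wire)
    return {
        "host_sends": (str(on_lan.src), str(on_lan.dst)),
        "in_tunnel": (str(on_wire.src), str(on_wire.dst)),
        "delivered": (str(delivered.src), str(delivered.dst)),
    }


def untranslated_matches_acl(site, src_host, dst_host):
    """Without the aliases, a real-to-real packet never matches a crypto ACL
    written on the alias ranges (and, being on-subnet, never reaches the PIX)."""
    pkt = Packet(ipaddress.ip_address(src_host), ipaddress.ip_address(dst_host))
    return crypto_acl_match(site, pkt)


if __name__ == "__main__":
    for hop, addrs in send("site1", "172.16.1.10", "172.16.1.20").items():
        print(f"{hop:>10}: {addrs[0]} -> {addrs[1]}")
```

The same functions trace the reply, with the sites swapped, which is why both PIXes need the same static translation and crypto ACL with the two ranges reversed.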
Can we save the pdf file from CCO web site? [7:49623]
Hi,

Can I download and save pdf files from the CCO web site, or do I need a different ID and password for that?

Thanks
Basar

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49623t=49623
Re: Can we save the pdf file from CCO web site? [7:49623]
No, you don't need anything else. Try before you post a query next time.

- monty

Nuurul Basar Mohd Baki wrote in message news:[EMAIL PROTECTED]...

Hi,

Can I download and save pdf files from the CCO web site, or do I need a different ID and password for that?

Thanks
Basar

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49639t=49623
Frame Relay multi site [7:48927]
I have 3 sites that I need to connect together. Telco has set up a port and a single PVC for each site. Basically you have the following diagram:

        Site A
         /  \
        /    \
   Site B    Site C

It's basically a triangle with three circuits, each going to each other. Telco has a single DLCI and built one PVC for each site. So Site A would have DLCI 1, Site B would have DLCI 2 and Site C would have DLCI 3. How would I configure it so that all three sites can talk to each other? Would it be using a frame relay multipoint subinterface with two DLCIs defined under the subinterface? Any comments would be appreciated.

Kid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48927t=48927
RE: Frame Relay multi site [7:48927]
p2mp would work

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48977t=48927
Re: Real ZOO web site, welcome! ID [7:46951]
WOOHOO!! I have been DYING for a site like this to FINALLY appear on the internet!!! Why do these lamers even bother to advertise their crap?!?!? LOL!

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46956t=46951
Re: Real ZOO web site, welcome! ID [7:46951]
Because Sick-Os pay for it. I hate these sites so much that I won't even hack them to get rid of them. I don't want to see the images on my computer even for a second.

Moderator dude! Yo! Ban this stuff please!

Theo

Michael L. Williams
Sent by: [EMAIL PROTECTED]
06/19/2002 09:32 AM
Please respond to Michael L. Williams

To: [EMAIL PROTECTED]
cc:
Subject: Re: Real ZOO web site, welcome! ID [7:46951]

WOOHOO!! I have been DYING for a site like this to FINALLY appear on the internet!!! Why do these lamers even bother to advertise their crap?!?!? LOL!

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46959t=46951
RE: Real ZOO web site, welcome! ID [7:46951]
Oops, looks as if I will need to add a few additional keywords for the moderator's queue :-). I am still trying to figure out how this message bypassed the Anti-Spam mechanisms of the site.

Paul Borghese

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46964t=46951
Query on Site to Site VPN [7:46712]
Hi All,

I have an office which is connected to the internet through an ISDN line with a router. A PIX firewall has been installed and connected in the same office. I have another office which has a leased line to the internet, connected with a PIX. The standard config has been followed on both the PIX firewalls. Now if I need to create a site-to-site VPN tunnel between these PIXes, will it work, since on one side I am getting a dynamic IP address from the ISP (ISDN line)? On the other side, being a leased line, I have obtained a static IP address. Is it necessary that I have static IP addresses on both sides? Can someone help on this..

Thanks in Advance..

Regards..Anil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46712t=46712
Re: Query on Site to Site VPN [7:46712]
You do need two static IPs in order to set up the crypto maps.

--
RFC 1149 Compliant.

Anil Kumar wrote in message news:[EMAIL PROTECTED]...

Hi All,

I have an office which is connected to the internet through an ISDN line with a router. A PIX firewall has been installed and connected in the same office. I have another office which has a leased line to the internet, connected with a PIX. The standard config has been followed on both the PIX firewalls. Now if I need to create a site-to-site VPN tunnel between these PIXes, will it work, since on one side I am getting a dynamic IP address from the ISP (ISDN line)? On the other side, being a leased line, I have obtained a static IP address. Is it necessary that I have static IP addresses on both sides? Can someone help on this..

Thanks in Advance..

Regards..Anil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46721t=46712
Re: Query on Site to Site VPN [7:46712]
Not necessarily; the following link explains how to set up a LAN-to-LAN tunnel using PIXes where one is receiving an address via DHCP. http://www.cisco.com/warp/customer/110/dynamicpix.html

- Original Message -
From: Steven A. Ridder
To:
Sent: Sunday, June 16, 2002 6:51 PM
Subject: Re: Query on Site to Site VPN [7:46712]

You do need two static IPs in order to set up the crypto maps.

--
RFC 1149 Compliant.

Anil Kumar wrote in message news:[EMAIL PROTECTED]...

Hi All,

I have an office which is connected to the internet through an ISDN line with a router. A PIX firewall has been installed and connected in the same office. I have another office which has a leased line to the internet, connected with a PIX. The standard config has been followed on both the PIX firewalls. Now if I need to create a site-to-site VPN tunnel between these PIXes, will it work, since on one side I am getting a dynamic IP address from the ISP (ISDN line)? On the other side, being a leased line, I have obtained a static IP address. Is it necessary that I have static IP addresses on both sides? Can someone help on this..

Thanks in Advance..

Regards..Anil

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept for the presence of computer viruses. For more information contact [EMAIL PROTECTED] phone + 353 1 4093000 fax + 353 1 4093001 **

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46724t=46712
150 site, site-to-site VPN [7:42661]
Guys,

I have a global financial company that is upgrading their core data infrastructure (bunch of 7200's and 6509's, etc), opening up 150 remote locations over the next few years, going all IP telephony with Call Managers and now wants to encrypt ALL traffic to all sites. I know site-to-site VPNs can be achieved with keys configured in the crypto maps in IOS, but what if someone compromises the key on the IOS? I, or my client, if we even knew the key was stolen, would have to update all the routers across the network. What options do you recommend for using certificate servers to distribute keys instead? What problems have you encountered with this? Would it be easier to just have the client update the keys once a month via CiscoWorks?

--
RFC 1149 Compliant
Get in my head: http://sar.dynu.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42661t=42661
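The key-compromise worry in this post and the CA recommendation in the replies above, modelled as an added example that is not from the thread: on a constructed two-hub, 150-spoke topology it counts how many secrets a stolen router exposes, how many routers must be reconfigured, and how many tunnels an attacker could authenticate to under one group pre-shared key, per-peer pre-shared keys, or per-router certificates. The topology and router names are assumptions.

```python
"""Blast radius of one stolen IKE credential for a 150-site IPsec network,
under three ways of authenticating peers. Added example, not from the
thread; the two-hub topology and the router names are constructed."""
from itertools import combinations


def hub_and_spoke(hubs, spokes):
    """Tunnels as unordered pairs: every spoke to every hub, hubs to each other."""
    links = {frozenset((h, s)) for h in hubs for s in spokes}
    links |= {frozenset(pair) for pair in combinations(hubs, 2)}
    return links


def routers(links):
    return set().union(*links)


def group_psk(links):
    """One pre-shared key configured identically on every router
    (the wildcard-peer style of 'crypto isakmp key'). Secret -> holders."""
    return {"psk-shared": routers(links)}


def per_peer_psk(links):
    """A different pre-shared key per tunnel, held only by its two ends."""
    return {"psk-" + "/".join(sorted(link)): set(link) for link in links}


def certificates(links):
    """Each router holds only its own RSA private key; a CA that signed every
    certificate supplies the trust, so nobody holds anyone else's secret."""
    return {"rsa-" + r: {r} for r in routers(links)}


def authenticates(holders, router, link):
    """A secret vouches for `router` on `link` if the router holds it and it is
    either shared by both tunnel ends (PSK) or private to that router (cert)."""
    return router in holders and (holders >= link or holders == {router})


def impact(secrets, links, compromised):
    """What an attacker who dumped `compromised`'s config or flash can now do,
    and what the operator must touch to recover."""
    exposed = {name for name, holders in secrets.items() if compromised in holders}
    # Every router sharing an exposed secret needs a new one pushed to it. For
    # certificates this is just the compromised box (reissue); its peers learn
    # of the revocation from the CA's CRL, not from a configuration change.
    reconfigure = set().union(*(secrets[n] for n in exposed))
    # Tunnels where an exposed secret can authenticate one of the endpoints.
    impersonable = {
        link for link in links
        if any(authenticates(secrets[n], r, link) for n in exposed for r in link)
    }
    return exposed, reconfigure, impersonable


def compare(hubs, spokes, compromised):
    """Per scheme: exposed secrets, routers to reconfigure, tunnels an attacker
    could authenticate to, and the number of per-router secret entries that a
    monthly rotation (the CiscoWorks idea) would have to rewrite."""
    links = hub_and_spoke(hubs, spokes)
    report = {}
    for name, scheme in (("group_psk", group_psk), ("per_peer_psk", per_peer_psk),
                         ("certificates", certificates)):
        secrets = scheme(links)
        exposed, reconfigure, impersonable = impact(secrets, links, compromised)
        report[name] = {
            "exposed_secrets": len(exposed),
            "routers_to_reconfigure": len(reconfigure),
            "tunnels_impersonable": len(impersonable),
            "config_entries": sum(len(h) for h in secrets.values()),
        }
    return report


if __name__ == "__main__":
    sites = ["site%03d" % i for i in range(1, 151)]
    for scheme, counts in compare(["hub1", "hub2"], sites, "site042").items():
        print(scheme, counts)
```

Per-peer keys already shrink the damage from one lost router to three boxes, but they double the entries a monthly rotation has to rewrite; certificates keep both the damage and the rotation cost at one entry per router.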
Site-Site VPN Performance [7:41924]
I have a situation where a customer, a school district, has the use of a SONET ring (3M connection) to connect 5 of his elementary schools back to the main district office. There are other schools on the ring, so they are currently using old PIX 1s to establish private tunnels back to the main site. We are using 2500s at each of the schools for routing. I want to replace those boxes with something that will facilitate dot1q inter-VLAN routing. I'm thinking of the newer 1721 router with a VPN accelerator module. Will this unit provide 3M worth of sustained throughput, or should we be looking at a larger router?

Jeff Reed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=41924t=41924