The problem is not so much the the ISP is assigning an address to your DSL
device through DHCP as the problem of letting the PIX get to the peer
address(which will be the HOST inside not the DSL device).
Since you are using PAT the address from the host will likely always be the
same so it should
This should not be a problem on your side when using ESP. With ESP your
traffic is encapsulated, w/o modifying the original packet, and the firewall
forwards to your peer, where the outer packet is stripped revealing the
original data.
It is the peer that will have a problem as the address you c
This should not interfere with your other VPN's. It will simply allow the
Client to get an address from the pool. What I haven't figured out yet is if
there is a way to seperate IKE mode configed clients so that each group of
clients would have a different security policy. They have to get all the
I am not going to get into a PIX vs. Checkpoint argument here ;)
(chuckle)
but no way is checkpoint better then PIX when it comes to performance or
securitylol!!!
No just kidding, that is just my opinion (and the opinion of many lab tests
and firewall "wars")
Checkpoint is s
: Christopher Larson; [EMAIL PROTECTED]
Subject: Re: PIX VPN IP Pool
THATS what I meant to say ;) I was wondering how the damn pool worked and
how you'd be able to differentiate the ACLs by IP.
- Original Message -
From: "Christopher Larson" <[EMAIL PROTECTED]>
To:
We print to remote printers a lot.
We do NOT give our inside workstations a static address. The printers on the
remote end of course do have public addresses statically assigned. If you
are doing straight TCP/IP printing then this should work fine. The problem
(at least it used to be a problem
Address your BRI seperatly, add static routes to the networks through the
BRI, and then ping. Once you know you have connectivity and they are
dialing, you should be able to change the addressing and add the backup
interface command.
You can also setup your ISDN as if you are going to make it
www.cisco.com
-Original Message-
From: yohanus [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 05, 2001 1:56 AM
To: [EMAIL PROTECTED]
Subject: commands, please help
---Sorry for asking this question, if it's been asked before---
Anyone know of a good site that publicizes Cisco command
I am a little biased since I authored the chapter, but check out chapter 4
of Syngress Media's BCRAN book (the latest). It has several VPN scenarios
and configs as well as an explanation of ESP,AH, DES, Triple-pass DES,
TRIPLE DES etc.
As well as some good explanations of ISAKMP, IKE and how they
I have heard it is best to take this class about 4 to 6 weeks before your
test as the class will help you see where you may need improvements to pass
the lab, and you will probably want the time to practice the areas
identified.
-Original Message-
From: Charles Henson [mailto:[EMAIL PROTE
no. Longest match wins. If the client does not find an address match longer
then 0.0.0.0 then it will use the wildcard.
-Original Message-
From: Allen May [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 05, 2001 4:06 PM
To: Christopher Larson; [EMAIL PROTECTED]
Subject: Re: PIX VPN IP
You might start with MRTG. It is free and is used to get snmp data from
devices through Perl and timer events. I am sure the Perl Script could be
modified to meet your needs, and you may be able to write the parameters
using SNMP through the web page MRTG creates.
This will probably cut your work
Frame-relay will not retransmit lost packets. It is up to the end stations.
X.25 will retransmit.
Any protocol that uses lapb will retransmit (at the router) if it does not
use lapb or some other error detection/correction mechanism then the end
station will be responsible for retransmission
-
HDLC will not retransmit as there is only error detection in HDLC, but no
error correction. This is the same with Frame-relay. Frame-relay, and HDLC
will detect and discard errored frames but will not retransmit those frames.
They depend on upper layers (like TCP for TCP/IP) to recognize there is
HDLC will not retransmit as there is only error detection in HDLC, but no
error correction.
Original Message-
From: Jeremy Dumoit [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 08, 2001 2:19 PM
To: Brant Stevens; Dennis Laganiere; [EMAIL PROTECTED]
Subject: RE: not quite sure...
This is the second time I have seen a post about HDLC enabling the router to
retransmit, and some other people who I have brought the topic up to seem to
think so to, so I dug up what Cisco says about HDLC encapsulation.
"HDLC Serial Encapsulation Method
Cisco provides HDLC serial encapsulati
Sweet!!Nice Post. Learn something new everyday!!!
For clarity though, native PPP will not retransmit. (Lest someone studying
for a particular high level test get's a question about it) ;)
-Original Message-
From: Brian Dennis [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 08
from that particular sequence number."
Is this correct?
-Original Message-
From: Christopher Larson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 08, 2001 3:22 PM
To: 'Jeremy Dumoit'; Brant Stevens; Dennis Laganiere;
[EMAIL PROTECTED]
Subject: RE: not quite sure...
Right, I am speaking of the process between end stations here. My thinking
is, if the router discarded the frame, then the originating station would
not get an ack out of sequence from the remote end station because the
packet was dropped (therefore the remote never got something to ack).
The o
I have not done it in awhile, and I don't have a config. However, when I did
do it you had to setup an l2tp tunnel first between win2k and the router and
then run ipsec through the l2tp tunnel.
-Original Message-
From: Ben Hockenhull [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2
Is the remote negotiating a ppp session or is it a straight serial
connection? If you are dialing in directly w/o ppp then you will most likely
want to do a reload and a break to get into rommon and then issue the
command xmodem (or whatever it is) and upload the new IOS. If you go this
route, ch
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_c
/fcprt2/fcaddfun.htm#xtocid160213
Watch the wrap. This has info on setting up your router as a tftp server. I
don't think the hardware matters, it is dependant more on the ios vers.
-Original Message-
From:
I have the security specialization and have been doing security for the last
3 years. I have never heard another name for a hash algorythm other then
hash. What is this term or word you speak of? Just curious?
-Original Message-
From: kevin smith [mailto:[EMAIL PROTECTED]]
Sent: Monday, M
Actually there is voice over hdlc. It is done on the Cisco MC3810
concentrator. In fact there is a good lab at mentortech dealing with voice
over hdlc. Lab 2400 Voice over HDLC Using MC3810
-Original Message-
From: Oleg Mazurov [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 16, 2001 1:25
Yes. You can make several phones have the same number or a single phone have
several numbers.
-Original Message-
From: carmelo Garofalo [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 16, 2001 12:31 PM
To: [EMAIL PROTECTED]
Subject: Cisco Ip Phones
Hi Guys,
i would a question for you. I
If all the interfaces in say area 0 are 170.100.1.0 /24 and my loopbacks
are 2.2.2.0/24, should I be able to ping each loopback from all the
other routers? or do I need to make my loopbacks a subnet of the
170.100.1.0/24 address??
Thanx!!
_
FAQ, list archives, and
1) I suppose that depends on the manufacturer. On most equipment placing
a striaght through cable on an MDI-X port makes it a crossover at the
port. That is the port is wired to cross 1,2,3 and 6 (hence the port
name MDI-X) so that you don't have to do it by changing the cable. So it
is not true t
WINS is not used for ping, ftp or telnet, but then neither is DNS.
WINS is used to resolve netbios names to IP addresses. DNS is used to
resolve host names to IP addresses. If you are implying that when you do
a Telnet, Ping or FTP by name that it will not use WINS to resolve the
name to an IP a
Are you doing NAT 0 between sites so that everyone get's to use the real
IP's and not the NAT'ed ones? Are all the domain controllers, WINS boxes
etc. in the access-list defining what get's encrypted? If you are
setting up a VPN based on IP's only then you do not need to define what
ports get open
Your users will will get 1 host per address under NAT unless you
specifiy overload command. I beleive then that any additioanl users will
use the last address in the pool and PAT on that address.
-Original Message-
From: Benjamin Walling [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 1
We have 2 routers plugged into the same Vlan on a cat 5500. All layer 2
info seems to be showing up just fine from all devices. The routers have
a basic simple config. You know e0 ip addrees/subnet... several people
have looked at it and agree all the configs look just fine.
Here is what happens
You would lose redundancy (which sounds like what your going for here as
a priority over LB), but you could set certain vlans for one trunk and
the other vlans for another.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 11, 2000 2:33 PM
To:
Serial interfaces do not have mac addresses so it chooses a mac to
represent the serial interface
-Original Message-
From: Hubert Pun [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 11, 2000 11:05 PM
To: Cisco Study Group
Subject: Spanning Tree Bridge Identifier
Why does it have the f
You can do site to site with pix, Router to pix, or host to pix using
the VPN client.
If every office does not have a PIX and you can't get budget to put one
in just do an IOS to PIX tunnel.
-Original Message-
From: Asad Jafari [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 12, 20
Just remove it and go straight from the router to the switch.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 13, 2000 5:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Opening PIX for all Users
Turn it off!!
>
> > Greetings all,
> >
> > I
That is actually only for the newer pix code. They recommend using
staics and conduit OR static and access-lists. Either way is fone, what
they really recommend isto do one or other but not combine conduits and
access-lists.
-Original Message-
From: Gareth Hinton [mailto:[EMAIL PROTECTED]
Saving IP Addresses, or using the same unnumbered interface for the 50
Frame-relay PVC's you have instead of giving each one a seperate IP.
-Original Message-
From: Dyland Desmarais [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 16, 2000 3:27 PM
To: '[EMAIL PROTECTED]'
Subject: Re: N
I passed my CCIE written today with a 90%. I want to thank the list for
the information I got from the group. Although I rarely posted, the
readings kept me thinking and referencing CCO for answers. Thanx to the
contirbutors and especially to Paul for making the list possible
I recently took the written. There is a LOT of bridging. Know your
briding, know your RIF's, know DLSW, and that the rif terminates at the
router. Know how to read the Route Descriptor and convert from TR to
Ether MAC.
Know who retransmits when there is an error on a serial link. HDLC,
FRAME, et
I want to especially thank those engineers who contribute to this group
even though they are already "there". People like Chuck Larrieu,
Priscilla O., Paul B., Howard Berkowitz and all the others who continue
to be a part of this even though they have already "made it".
THANK YOU
___
Yes, you can mark and go back.
-Original Message-
From: Billha [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 19, 2000 5:06 PM
To: [EMAIL PROTECTED]
Subject: CCIE R/S Exam 350-001
Several people have taken this exam recently, one post mentioned how you
could go back to questions.
I
I think, and I am certainly not certain as I do not remember exactly,
but I believe you get 56k on super-frame and 64k on extended super frame
and not the line coding. Please correct me if I am wrong. I believe that
super frame uses a robbed bit scheme and esf does not? I know this was
covered in
Get the Token Ring White paper at www.sitamoht.com
Very very usefull info!!! Extremely helpful!! The knowledge you need
answer all the bridging, token-ring and RIF question for the written is
in that paper.
-Original Message-
From: Eric Fisher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday,
Could you post a link or somewhere to get this info. I have been looking
and cannot find anything. I remember covering this in BCRAN and would
like to go through it again. Having to do with the serial lines and the
sampling rate, bit robbing etc. SF/ESF AMI/B8ZS etc. If you have a link
to this in
Tacas should be setup so that if the TACAS server failed you would use the
local login.
aaa authentication login tacacs+ local
This will revert to local database if tacas is unavailable
-Original Message-
From: Brian Lodwick [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 29, 2000
Chuck- you should take up inspirational/motivational speaking as a side gig
(big $$$ I hear jk). Very nice. Thanx for sharing it Bill.
-Original Message-
From: Billy Monroe [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 29, 2000 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Off Topic -
It actually saves a step in the processing. When you point to an interface
the router does not have to lookup what interface to switch out of.
ie. 0.0.0.0 0.0.0.0 1.1.1.1
The router processes for default then looks up 1.1.1.1 to see what interface
it is out of then fowards out the interface.
-
From: Ben Smith [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 29, 2000 1:26 PM
To: Christopher Larson
Cc: 'Stull, Cory'; '[EMAIL PROTECTED]'
Subject: RE: ip route question
I would actually like to disagree, the reason for specifying the interface
here is
not so that you c
Would you need proxy-arp turned on if there was a route already in the
neighboring routers table? I don't think you would. If the neighbor router
had a route in it's table wouldn't it respond anyway? My understanding of
proxy-arp (and my understanding could be wrong) was that the router would
resp
Yes you have 2 8 meg flash partitions. You could partition the flash into 1
big 16 meg chinck.
in config mode do a
partition flash 1 16
-Original Message-
From: ANDERSON, JEFFREY [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 29, 2000 3:51 PM
To: '[EMAIL PROTECTED]'
Subject: Pr
And after the reading of the RFC, and a quick response in e-mail I see my
understanding is not correct.
-Original Message-
From: Stull, Cory [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 29, 2000 2:27 PM
To: 'Andy Walden'
Cc: '[EMAIL PROTECTED]'
Subject: RE: ip route question
Andy,
Statefull failover can be doen if any interface on the PIX goes down. Each
interface needs to be able to talk to the other interface on the second pix.
So the inside on the primary has to be able to communicate with the inside
on the secondary, DMZ to DMZ etc. and for statefull fail there has to b
_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
The VPN client does not run on 2000. There is a third party company that
does make a client for Win 2000 and Cisco, but I have never tried it and
forget who it is. If you want to run an IPSEC tunnel from a win2000 machine
to a Cisco device you have to do it through an l2tp tunnel. Set that up
firs
I am not sure about CSS switches, and maybe your needs are special, but
couldn't you just add a default route to both PIX's on each switch's RSM and
turn off fast-switching. You will then get per packet load balancing between
the switches and the pix's.
I have done this before between 6500's and
A switch recieves data in it's port buffer at 100 mbps, as the frame travels
the switches backplane it is copied to all ports, when it arrives at an ASIC
chip (I forget if it's the Earl or what)in the SUP module, the module looks
in it's table and decides what port it should go out of and tells al
27;s. You
could not maintain that info in this scenario. You could not have both pix's
advertising the same global address either so it would not work.
-Original Message-
From: Yonkerbonk [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 10:26 AM
To: Christopher Larson;
--
From: Christopher Larson
Sent: Friday, January 12, 2001 11:14 AM
To: 'Yonkerbonk'; Christopher Larson; Tim O'Brien; [EMAIL PROTECTED]
Subject: RE: Any body know about Cisco Content Switch
For statefull PIX failovers they do need to share info. In the scenario
below, a downe
Simply doing a shutdown on an interface will not bring up the backup line in
this scenario as it is administratively down. You would need to unplug the
serial line from the router or change the encaps on one side to make it go
down other then adminstrativly
-Original Message-
From: carmel
Actually it depends on what you mean by number one. Last month Sonicwall
surpassed all firewall manufacturers as having the largest installed base of
all firewalls.
Checkpoint is based on the OS. Break the OS and you break the firewall.
-Original Message-
From: Jim Brown [mailto:[EMA
There are only so many ways to ask how much is 2+2.
-Original Message-
From: Elijah Landreth [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 13, 2001 12:48 AM
To: [EMAIL PROTECTED]
Subject: CCIE Written Test - retraction
Hey All-
I neither meant to piss anyone off, nor to break a N
The netscreen is a very ggod box and simple to setup. The problem with the
Netscreen is it's scalability. The 1000 has the ability to do ISL off it's
interfaces, but the 100 and 10 do not and they only have 3 ports so you are
limited to Inside, Outside and a single DMZ. Oh, and if you plan to
impl
Correction. The netscreen will do non-proprietary trunking, (not ISL).
-Original Message-
From: Christopher Larson [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 15, 2001 11:04 AM
To: 'Aamir Lakhani'; 'roy'; [EMAIL PROTECTED]
Subject: RE: How about PIX vs Netscreen
I don't see anything wrong or illegal about the address. Also, addressing
within the range of IP's you are given is a matter of preference. That is
the gateway could have any address you want to give it. Some engineers
choose to give it the first available IP in the range or the last, which may
b
That would depend on the size of your network and the switches you use.
We are running an all switched network for everything from desktops to
servers. Of course we aren't using Cisco (gasp) which brings the cost down.
100 + nodes, 5 24 port l2 switches 2 8 port L3 switches.
- Original Messa
- Original Message -
From: "Alexander Pozdnjakov" <[EMAIL PROTECTED]>
Newsgroups: groupstudy.cisco
To: <[EMAIL PROTECTED]>
Sent: Monday, July 31, 2000 10:07 AM
Subject: --- Not own broadcast
I am not sure but a broadcast for that particular host subnet would be
192.168.1.23 if I am d
I copy start run merges the start config with the running. A copy run start
overwrites startup.
If you want to be able to use the same config when things go bad, take your
"template" config and
copy run flash:(if you have the room)
name it something other then startup-config
- Origin
I copy start run merges the start config with the running. A copy run start
overwrites startup.
If you want to be able to use the same config when things go bad, take your
"template" config and
copy run flash:(if you have the room)
name it something other then startup-config
- Origin
Ahhh. So that's why it works. I am using a 56k DSU. My bad. I thought I was
crazy cause it ws working fine despite the previous posts.
Thanx
- Original Message -
From: "Jay Hennigan" <[EMAIL PROTECTED]>
Newsgroups: groupstudy.cisco
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent:
Do you have something to simulate Frame-Relay? I did not think you could
simulate Frame-Relay going back to back with DSU's because the CO switch
sends the LMI?
You can connect (as I just learned the pinouts) the DSU's with a crossover
cable (the one cisco gives you for console will work) if it i
I know you can turn off CDP completely however I do not believe it can be
blocked by an IP access-list as it runs at layer 2.
If I am wrong, I am sure I will be corrected here, but I am pretty sure that
is accurate based on the fact that CDP uses layer 2.
- Original Message -
From: "Aaro
The Cisco client will is currently not supported on W2K. You can still use
W2k with a Cisco or PIX. What you need to do is configure L2TP on both the
W2k machine and the router/PIX. Then configure IPSEC on both ends to use the
L2TP tunnel. W2k has both in the os. Go to start/run and type mmc. Then
How would the IP Unicast know where to go? It has to resolve to a machine
address. If you wanted to get to a machine without ARP you would be
constantly broadcasting IP. And then the machine would respond, but you
still wouldn't be able to get to it because IP's logically identify a host.
A mac ad
You need to call phone company for both the frame realay, and for a DLCI to
map your pvc to isp. I have a suggestion though. Why doesn't your company
get DSL at the branch (and even hq) then use an IPSEC VPN to tunnel to the
branch and vice versa. If your branch is going to come to the HQ to use
75 matches
Mail list logo
