For me, the best analogy for CBAC is that it's like a really smart
"established" keyword in access-lists. You still apply your access-list in
the inbound direction, and it's still the access-list that blocks traffic,
but the CBAC inspection commands make the access-list smart. In order for
the a
IPSec and redundancy is hard. The usual recommendation is to use GRE
tunnels over IPSec, since the tunnels provide a logical interface over which
you can run a routing protocol that will provide the redundancy.
With plain old IPSec, you use access-lists to specify which traffic goes to
which pee
It's easy for tunnel interfaces to look up and still not work. Verify that
you've specified IP protocol 47 between the tunnel endpoints as the traffic
to be encrypted, and check the traffic stats in the VPN boxes to see if
anything's really being encrypted ("sho crypto ipsec sa" in the PIX, and t
You have to order this from Cisco, part number "PIX-FLASH-16MB=", list price
$1000.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9437&t=9287
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
You can absolutely delete individual static and conduit commands (there's no
significance to the order of static commands). You can only add conduits to
the end of the list, but they are processed on a best-match basis instead of
a first-match basis (even though the PIX docs imply otherwise), so
Could be something as simple as the timeout on the initial ping expiring.
Are the response times getting closer and closer to 2 seconds (or whatever
your timeout is) as the packets get bigger? VPN can add significant
processing overhead at each end, so a 1 or 2 second timeout may not be enough.
6 matches
Mail list logo
