Re: CCIE Wanted. [7:44940]

2002-05-24 Thread GOGARTY
Never mind the fact that India and Pakistan are on the brink of war and are sabre rattling with Nukes!! - Original Message - From: "Wes Stevens" To: Sent: Friday, May 24, 2002 10:17 PM Subject: Re: CCIE Wanted. [7:44940] > You may as well quit posting this and wasting our time a

Re: Pix & non-Rfc networks. [7:56347]

2002-10-26 Thread gogarty
No need to doubt. If you have the network 192.5.2.0/24 inside the pix, why would a client want to connect to the same network outside the pix? As far as the client is concerned it is ON the 192.5.2.0/24 network!! - Original Message - From: "Brett spunt" To: Sent: Saturday, October 26,

Re: ack attack or config prob? [7:56341]

2002-10-27 Thread gogarty
Hi Garrett, There are two DOS attacks that I know of that use ACKs called stream.c and raped.c, the stream.c sends ACK packets to the target with random sequence numbers and source IP's. The raped.c sends ACKs with spoofed source IP's but I believe the sequence numbers are the same. C - Orig

Re: Pix & non-Rfc networks. [7:56347]

2002-10-27 Thread gogarty
I don't think he is talking specifically about routers but about PC's on the LAN behind the PIX. I'm fairly positive a PC will do a logical AND of the destination IP, come up with a network address, compare that against its own network address, deduce that the IP must be local and send a layer tw

RE: Browser Issue with Network Neighbourhood [7:10780]

2001-07-03 Thread Ciaron Gogarty
you should already have a helper-address on the ethernet of the router on the remote site, but you will need the ip address of the wins server in the central site and possibly an entry in the lmhosts file for the wins server, in addition make sure there are no acls blocking netbios ports 137/8/9

RE: Syslog Server [7:34818]

2002-02-08 Thread Ciaron Gogarty
kiwi tools is great. -Original Message- From: NetEng To: [EMAIL PROTECTED] Sent: 08/02/02 13:45 Subject: Re: Syslog Server [7:34818] Take a look at Winsyslog. Good product, with great support and lots of features. ""NKP"" wrote in message news:[EMAIL PROTECTED]... >

RE: pix question [7:39560]

2002-03-27 Thread Ciaron Gogarty
show access-list(s) -Original Message- From: george gittins To: [EMAIL PROTECTED] Sent: 27/03/02 13:05 Subject: pix question [7:39560] what's the equivalent of show access-list on the pix George Gittins Internet Systems Manager Weslaco, Tx 78599 Phone (956)9696557 ***

RE: Some questions for PIX experts [7:12122]

2001-07-12 Thread Ciaron Gogarty
nrf NRF, I think that this may help - you have to remember that packets outgoing_src source addresses are what are received on the INSIDE interface ie your local network, outgoing_dst are the destination of the packets received. t the fact of the matter that this does not work for me. I have di

RE: New CCIE Lab!!??!!! [7:12926]

2001-07-19 Thread Ciaron Gogarty
I think u should read the article more closely ;-) -Original Message- From: Andrew Larkins [mailto:[EMAIL PROTECTED]] Sent: 19 July 2001 10:05 To: [EMAIL PROTECTED] Subject: FW: New CCIE Lab!!??!!! [7:12926] This is what I received from a colleague. Is this true? http://angelfire.

RE: Remote Access [7:12958]

2001-07-19 Thread Ciaron Gogarty
async-bootp subnet-mask 255.255.255.0 async-bootp gateway async-bootp dns-server async-bootp nbns-server -Original Message- From: JR Van Noy [mailto:[EMAIL PROTECTED]] Sent: 19 July 2001 16:58 To: [EMAIL PROTECTED] Subject: Remote Access [7:12958] I have a 3640 set up with async dia

RE: New CCIE Lab!!??!!! [7:12926] - IGNORE THIS - JOKE [7:12975]

2001-07-19 Thread Ciaron Gogarty
ns [mailto:[EMAIL PROTECTED]] Sent: 19 July 2001 14:52 To: [EMAIL PROTECTED] Subject: RE: New CCIE Lab!!??!!! [7:12926] - IGNORE THIS - JOKE [7:12943] thanks I read this after an all night work session - half asleep -Original Message- From: Ciaron Gogarty [mailto:[EMAIL PROTECTED]

RE: PIX.. [7:13067]

2001-07-20 Thread Ciaron Gogarty
I've had a lot of experience with all three firewalls. A pix is a great firewall if you want something fast and quick to install, but not with all the fancy bells and whistles. It's more like a box u install in a customer's site that they don't go near unless they need something specific. Bad po

RE: routing issue with ISDN backup [7:13045]

2001-07-20 Thread Ciaron Gogarty
use floating statics for ISDN with a higher metric than the default for the frame ip route 0.0.0.0 0.0.0.0 10.10.10.1 (frame route) ip route 0.0.0.0 0.0.0.0 10.11.10.1 250 (floating static mapping to ip of isdn on remote side a higher metric

RE: permit ip any any [7:13686]

2001-07-26 Thread Ciaron Gogarty
Hi Tony, remember that the direction to which you apply an access list is dependent on the router, for example: applying an access list IN on a router means packets going inbound on the interface, this is independent of what you want to deny, ie inbound snmp. so for example to block SNMP from the

RE: Why can't I ping router interface? [7:13736]

2001-07-26 Thread Ciaron Gogarty
well bware, I think you'll find that your nic card1 172.16.x.x will not route anything to an ip address such as 172.16.64.15 because as far as that network is concerned that is a LOCAL address. ie on a local network, it will arp for the mac of that IP which it will never find... but won't ever ro

RE: access lists [7:13928]

2001-07-30 Thread Ciaron Gogarty
use a reflexive access list -Original Message- From: Santosh Koshy [mailto:[EMAIL PROTECTED]] Sent: 28 July 2001 04:02 To: [EMAIL PROTECTED] Subject: Re: access lists [7:13928] Joe, If you are implying that you dont want users / hackers / crackers from outside your company

3640 dial in [7:14494]

2001-08-01 Thread Ciaron Gogarty
To all, Has anyone experienced any callback problems with a 3640, TACACS+ and SecureID?? Specifically: 3640 with 8bri, 18 mica modem, 1 ethernet. ver12.2(2)T - plus ver2.0.7.0 portware for mica's 1 Tacacs+ server for NT ver2.6 SecureID ver4.1 Users dial into 3640 over Analogue, authenticate to

RE: DNS, DHCP, UNIX, FTP help [7:15164]

2001-08-07 Thread Ciaron Gogarty
O'Reilly & Associates, DNS and BIND - is fantastic. Actually most of the O'Reilly books are good. C -Original Message- From: Brian [mailto:[EMAIL PROTECTED]] Sent: 07 August 2001 22:56 To: [EMAIL PROTECTED] Subject: Re: DNS, DHCP, UNIX, FTP help [7:15164] hmm, a broad question. for u

RE: Pix Route issue [7:17242]

2001-08-27 Thread Ciaron Gogarty
I would hazard a guess that your NAT rule does not include that subnet. -Original Message- From: Patrick Ramsey [mailto:[EMAIL PROTECTED]] Sent: 27 August 2001 17:20 To: [EMAIL PROTECTED] Subject: RE: Pix Route issue [7:17242] Only one route is allowed? I hope you are not referring to

RE: Pix Route issue [7:17242]

2001-08-27 Thread Ciaron Gogarty
or maybe... Is your route inside 10.0.0.0 255.0.0.0? I think the message is indicating that you have too general a route to the remote subnet. try adding a more specific route. -Original Message- From: Allen May [mailto:[EMAIL PROTECTED]] Sent: 27 August 2001 15:50 To: [EMAIL PROTECTED

RE: incomplete ARP table - one for the X files [7:29283]

2001-12-15 Thread Ciaron Gogarty
Hi all, I believe what you are seeing is called "proxy arp". Unix and MS handle this differently. The firewall will proxy arp for the client on the inside of the firewall. This means that you must tell the firewall that when the router does a broadcast for the arp of a virtual ip to answer wi

RE: Cisco VPN client [7:62665]

2003-02-09 Thread Ciaron Gogarty
Depends on what you are using for your vpn endpoint... if you use a cisco vpn concentrator , the certificate should authenticate at the group level - which means you will still need to verify who you are via username/password - in other words it will do exactly what you want. Rgds, Ciaron -O

RE: Please confirm (conf#2317cf8dfaa6043b271074421e351e56) [7:41173]

2002-04-11 Thread Ciaron Gogarty
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: 30 March 2002 19:14 To: [EMAIL PROTECTED] Subject: Please confirm (conf#2317cf8dfaa6043b271074421e351e56) Hi, You have tried to post to GroupStudy.com's Professional mailing list. Because the server does not rec

RE: Reset the password on a 3015 [7:44049]

2002-05-13 Thread Ciaron Gogarty
-Original Message- From: Rah Hussain [mailto:[EMAIL PROTECTED]] Sent: 13 May 2002 18:00 To: [EMAIL PROTECTED] Subject: RE: Reset the password on a 3015 [7:44049] Did you try the default admin/admim Rah -Original Message- From: Johnson, Richard (NY Int) [mailto:[EMAIL PROTECTE

RE: Reset the password on a 3015 [7:44049]

2002-05-13 Thread Ciaron Gogarty
you have to rename the config file, there is a doc for it on the cco C -Original Message- From: Rah Hussain [mailto:[EMAIL PROTECTED]] Sent: 13 May 2002 18:00 To: [EMAIL PROTECTED] Subject: RE: Reset the password on a 3015 [7:44049] Did you try the default admin/admim Rah -Orig

Re: Query on Site to Site VPN [7:46712]

2002-06-16 Thread Ciaron Gogarty
Not necessarily, the following link explains how to set up a lan to lan tunnel using pixes where one is receiving an address via DHCP. http://www.cisco.com/warp/customer/110/dynamicpix.html - Original Message - From: "Steven A. Ridder" To: Sent: Sunday, June 16, 2002 6:51 PM Subject: R

RE: vpn through pix [7:17782]

2001-09-02 Thread Ciaron Gogarty
Hi RR, You can get it to work using static one-to-one NAT if you are careful about the IPSEC algorithms you use (you can't use AH, since it verifies the fields in the encapsulating packet, which are of course modified by the NAT process), but you can use ESP (which is where the encryption is done

RE: PIX & Citrix/nfuse access [7:18938]

2001-09-10 Thread Ciaron Gogarty
I believe 1494 is udp and 1604 is tcp. One port is used for the browser service and is udp. A search on NAT on the citrix site will provide a doc and how to set up citrix for nat through a firewall c -Original Message- From: Jeff Smith To: [EMAIL PROTECTED] Sent: 9/7/01 4:05 PM Subjec

RE: 3DES license on Pix 6.1(2) [7:57280]

2002-11-12 Thread Ciaron Gogarty
Yes that's correct. You must boot into ROMMON and re-load your software (use the same image), at some point it also asks you if you want to install a new activation key, to which you obviously answer yes. That's the only way to get it on there prior to the new code. from rommon use the following c

RE: 3DES license on Pix 6.1(2) [7:57280]

2002-11-12 Thread Ciaron Gogarty
Yes, you must go into rommon to load an activation key prior to 6.2 software. Boot into rommon and use the following commands: server address file tftp = starts the transfer. At some point it will ask you if you want to enter a new activation key. rgds, C -Original Message- From: [

pix vpn [7:57740]

2002-11-19 Thread Ciaron Gogarty
Does anybody know if the PIX will support the client side TCP encapsulation of VPN traffic in the near future, or must you buy a VPN concentrator to get this feature?? Thanks CG ** This email and any files transmitted with it

Cisco Secure ACS [7:57775]

2002-11-20 Thread Ciaron Gogarty
Does anybody know the default username and password for a vanilla install of Cisco Secure ACS for Windows version 3.0?? I'm being prompted for a username and password to login, but can't find one in the documentation. I tried the password recovery procedure, but there are no administrators created

RE: VPNs Cisco vs. Microsoft [7:57881]

2002-11-22 Thread Ciaron Gogarty
Cisco supports ipsec over tcp, very handy for remote access vpn through firewalls. it's also easy to set up CA for certificate authentication, secureID etc. In short the Cisco VPN product is very easy to use, set up, and it works pretty well. Having said that I don't have a lot of MS vpn experience,

How many tunnels [7:61006]

2003-01-14 Thread Ciaron Gogarty
Hi Group, Does anyone know offhand how many simultaneous tunnels a Cisco 3620 can handle (des and 3des)?? I can't find any hard evidence of this information on the cisco site... Thanks, CG ** This email and any files transmi

Pix Training course [7:48090]

2002-07-04 Thread Ciaron Gogarty
luable tool for configuration documents www.cisco.com, in addition the following website has a mailing list that I also find very useful www.groupstudy.com If you have any queries or support related questions don't hesitate to e-mail us at: [EMAIL PROTECTED] Kind Rega

RE: Pix internal access [7:48886]

2002-07-16 Thread Ciaron Gogarty
Hi, Assuming you only have one IP on the external interface try the following Global (outside) 10 interface Nat (inside) 10 0 0 static (inside,outside) tcp interface www www netmask 255.255.255.255 access-list out-in permit tcp any host eq www Of course this would be to allow people on the I

RE: Network Management Tools [7:48906]

2002-07-16 Thread Ciaron Gogarty
Netsaint may be an idea, it's a network monitoring tool and has some neat abilities, plus it's free and runs quite well on linux. It has the built in ability to send e-mail/pager alerts. It also would allow you to write custom scripts to do just about anything. Plus, it's a Web front end, so yo

RE: PIX Design Considerations [7:48979]

2002-07-17 Thread Ciaron Gogarty
Hi Richard, The simple answer to your question is "yes you need a separate router outside the pix". Leave your internal router alone and just add a default route pointing at the pix interface . He doesn't necessarily have to be using VLANS as long as all the subnets it is routing for are on the

RE: PIX Design Considerations [7:48979]

2002-07-17 Thread Ciaron Gogarty
Not yet, hopefully soon. The only Firewall hardware platform that I'm aware of that supports it is the Nokia with Checkpoint. -Original Message- From: Jeffrey Reed [mailto:[EMAIL PROTECTED]] Sent: 17 July 2002 16:33 To: [EMAIL PROTECTED] Subject: RE: PIX Design Considerations [7:48979]

RE: VPN with Cisco 806 [7:49034]

2002-07-17 Thread Ciaron Gogarty
Hi Chris, I would suggest going with one of the bigger VPN optimized routers such as the 1700 series. I'm pretty sure the 800 would not be able to support 15 tunnels using 3des (assuming you're going to use 3des). Normally the 800 would be used in one of the remote sites, with a 1700 or so in the

Re: Cisco IOS Docs Hardcopy? [7:49444]

2002-07-23 Thread Ciaron Gogarty
Cheers Guys... docs on da way!!! - Original Message - From: "Shawn Heisey" To: Sent: Tuesday, July 23, 2002 8:41 PM Subject: Re: Cisco IOS Docs Hardcopy? [7:49444] > Virtually any Cisco contract will entitle you to free documentation. If > it shows up with an orderable quantity in t

RE: pix without NAT [7:49914]

2002-07-28 Thread Ciaron Gogarty
Hi John, Although not intuitive, you also need static commands to use with NAT 0 if going from a lower to higher level security interface sort of like this, the following is an example of allowing ftp from the outside interface (any network) to the internal network: Access-list NONAT permit ip 1

Re: VPN not connecting [7:50144]

2002-08-01 Thread Ciaron Gogarty
Hi Mike, When the other member mentioned 50 and 51 he was talking about two protocols ESP and AH rather than two ports. ie -- access-list FromInternet permit esp any host 1.1.1.1 If you're using ESP/AH protocols you will need to allow it bidirectionally, so if you have an access-list on the "in

Re: RE: Cat2950 VLAN 1 ip address...can't connect [7:50331]

2002-08-01 Thread Ciaron Gogarty
It was only particular to Dot1q trunks as well... as far as I can remember it wasn't an issue on isl trunked ports. is that correct?? rgds, Ciaron - Original Message - From: "Priscilla Oppenheimer" To: Sent: Thursday, August 01, 2002 11:34 PM Subject: Re: RE: Cat2950 VLAN 1 ip address

Re: VPN not connecting [7:50144]

2002-08-01 Thread Ciaron Gogarty
Priscilla, you may have a good point. Perhaps Mike you're missing the command "sysopt connection permit-ipsec" this is what allows IPSEC to bypass the ASA via crypto maps. without it you must explicitly allow IPSEC and Isakmp in on your access-lists. It may explain why your phase one negotiation

Re: VPN not connecting [7:50144]

2002-08-01 Thread Ciaron Gogarty
An interesting fact is also that you must use one of the following transform sets (or so I seem to remember reading): "The transform must be one of the following combinations. If it is not, modify the transform to match one of the following and try again. a.. Esp-3des esp-sha-hmac b.. Esp-3de

Re: VPN not connecting [7:50144]

2002-08-02 Thread Ciaron Gogarty
Hi mike, Could be that IPSEC is being filtered out by one of the intermediary providers. Would explain why your ike negotiation is working but ipsec never gets established. worth checking. rgds, C - Original Message - From: "supernet" To: Sent: Friday, August 02, 2002 3:08 AM Subjec

Re: Pix static mappings to the inside [7:50500]

2002-08-02 Thread Ciaron Gogarty
I'm not sure what code you're using, but Cisco recommend using Access-lists instead of conduit statements. Just create a typical cisco access-list (except don't invert your masks) and apply it inbound to the outside interface and you will get the same result as your conduits!! C - Original Mess

RE: VPN not connecting [7:50144]

2002-08-02 Thread Ciaron Gogarty
Hi Silju, If my understanding of IPSEC is correct... his initial IKE (isakmp) negotiation - phase-1 exchange has completed, this is used to set up the exchange of the IPSEC proposals -- phase-2. So since phase-1 negotiations succeed (isakmp - udp500) but phase two proposals are never obtained

Re: VPN not connecting [7:50144]

2002-08-02 Thread Ciaron Gogarty
Hi Silju, I would have to disagree with you on one point, or perhaps modify your statement -- "Normally" ISP's don't filter IPSEC, but some do -- I know this from personal experience. Granted the ISP in question didn't know they were doing it (misconfigured access-list). I remember reading somew

Re: Routing with IP Unnumbered Loopback [7:50581]

2002-08-03 Thread Ciaron Gogarty
Hi Tunji, I would remove the route statement network 192.168.1.0 from your EIGRP process on the 3640. You only enter networks that are directly connected to your router into the EIGRP process -- unless redistributing statics. I think you may also need to add the following to your async group:

RE: Internal Users ping through a PIX [7:52962]

2002-09-10 Thread Ciaron Gogarty
I think that it may be more secure to just allow echo-reply back to the internal hosts. You can do this with the access-list that is on the outside interface. Assuming that you want to allow echo-reply back to users who are hidden behind a PAT address (or the hide address in checkpoint parlance)

vpn concentrator authentication [7:72053]

2003-07-09 Thread Ciaron Gogarty
Hi GS, Does anyone know off hand whether you can authenticate a group on a Cisco vpn concentrator (3030) with digital certificates and the user with Secure ID?? So far I can do one or the other as it seems that although the SDI server authenticates a user it is configured at group level and s