RE: WLAN security matters [7:57160]

2002-11-12 Thread Yonkerbonk
As far as I know Cisco does support AES on the Concentrators. It's on the roadmap for the router and PIX, but already out for the Concentrators. Michael --- mike greenberg wrote: > paul, > When I talked about IPSec, I meant to say that AES is > not currently supported > on Pix Firewalls on a

Re: General PIX question DES/3DES [7:55200]

2002-10-09 Thread Yonkerbonk
Upgrade. You can get DES free but 3DES is upgrade. --- "[EMAIL PROTECTED]" wrote: > Do any of the PIX firewalls come with 3DES or is it > an upgrade option on all > the models Particularly the PIX-525-UR-BUN. > > Thanx, > mkj [EMAIL PROTECTED]

Re: CCIE Security Lab schedule FYI [7:52281]

2002-08-30 Thread Yonkerbonk
The only two places that offer this test are San Jose and Brussels. As you know SJ does not have an opening until April. Brussels has their first opening next week! My company only has a certain amount of money allotted for these tests so I can either take it in October or wait until after Februa

Re: failover only licence on PIX [7:45475]

2002-05-31 Thread Yonkerbonk
Hi Richard, The FO is just a license and can be upgraded. The hardware is all the same. So is the software for that matter. It's the activation key that lets you use the software and hardware the way you want or can afford. Michael --- nettable_walker wrote: > 5/30/2002 6:35pm Thursday > >

Re: PIX: Active FTP vs Passive FTP [7:43625]

2002-05-09 Thread Yonkerbonk
The 'fixup protocol ftp strict 21' is generally suggested for passive ftp. This is to make sure servers are the only ones that can send the PASV command. This closed a security hole in the past. Michael Le, CCIE #6811 --- Jeffrey Reed wrote: > Are there any special considerations when allowing

Re: Async dial access parameters [7:23910]

2001-10-26 Thread Yonkerbonk
He is right. You can pass DNS and WINS information, but subnet mask and stuff won't be in there. I don't believe there is even a field in the IPCP packet for that. Don't worry about what ipconfig says. It works right? :) Michael Le, CCIE #6811 --- nrf wrote: > Strange, I was able to pass inform

RE: VPN to PIX using Win2000 or Millennium?? [7:16452]

2001-08-20 Thread Yonkerbonk
VPN Client > v1.0.a successfully, but > it's not Win2K compatible. > > Thanks, > > Jose Villatoro > > -Original Message- > From: Yonkerbonk [mailto:[EMAIL PROTECTED]] > Sent: Monday, August 20, 2001 1:34 AM > To: [EMAIL PROTECTED] > Subject: RE: V

RE: VPN to PIX using Win2000 or Millennium?? [7:16452]

2001-08-20 Thread Yonkerbonk
I have PPTP running fine with Win2K. I had it working on 5.3 and am now running 6.1. I recently upgraded to DES but haven't tried using IPSec. Michael Le, CCIE #6811 --- Rik Guyler wrote: > Yes, PIX supports PPTP according to CCO. However, I > became frustrated with > PPTP as each version of Wi

Re: blocking PORTS ON PIX!!! [7:16275]

2001-08-16 Thread Yonkerbonk
Well, by default your internal devices will be able to access anything on the outside. You don't need to open a port for that. Allen is correct in just shutting down the port. Michael Le --- "Magdy H. Ibrahim" wrote: > Hi Allen, > Actually my point it hot to restrict my outbound > POP3 from acc

Re: VPN 3000 design and PIX [7:15653]

2001-08-13 Thread Yonkerbonk
Though some Cisco documentation says to put it in parallel to the PIX, Cisco actually prefers three ways and they all require you to go through the PIX. One way is to have the public interface of the VPN to be in the DMZ. This way the only traffic that hits the VPN has been through the firewall al

Re: VPN ...firewall [7:14463]

2001-08-01 Thread Yonkerbonk
Cisco advises using one of three solutions. 1.) Firewall DMZ one going to VPN outside so that encrypted traffic can be filtered. Then VPN inside going to another DMZ on the firewall so that unencrypted traffic has to go again through firewall. This is best probably if you have the interfaces. 2.)

Re: Weird VPN issue [7:11055]

2001-07-05 Thread Yonkerbonk
If all the users are having problems accessing the same server, have you checked to see if it's an issue with that box? Do a route print and see what routes are set on that box. Check the arp cache and nbtstat cache. --- Mark Smith wrote: > I am using several PIX units to tunnel between > locati

Re: Catalyst 6500 & Alteon [7:10895]

2001-07-03 Thread Yonkerbonk
You need to worry about native vlans if you're doing 802.1q trunking. It is trying to talk CDPv2 to the Alteons and probably expecting something back. Just turn off CDP since you won't need it with Alteons anyway. At least I don't think so, unless Alteons do 802.1q trunking. If they do, then prob

Re: VPN troubles [7:10714]

2001-07-03 Thread Yonkerbonk
> just mean I have to add > another access-list for source IP's allowed into the > TACACS+ box. More work > but it would be do-able. > > Allen > - Original Message - > From: "Yonkerbonk" > To: "Allen May" ; > > Sent: Tuesday, July

Re: tracking rogue dialup users [7:10859]

2001-07-03 Thread Yonkerbonk
You tell the devices that are logging how specific you want them to be, regarding dates and minutes and all that. The parameter is 'timestamps'. This is also why you need to have a central timekeeping server that syncs your devices across the enterprise, so that the times make sense to everyone. N

Re: ARP cache [7:10832]

2001-07-03 Thread Yonkerbonk
That's not minimum. That's minutes. Michael Le, CCIE #6811 --- andylow wrote: > Hi, > > I would like to find out if anyone knows why the age > min is 133? What cause > it? Definitely I did not create static ARP. > Is there a link about ARP information on cisco > router. > > > > Protocol Ad

Re: VPN troubles [7:10714]

2001-07-03 Thread Yonkerbonk
That's what I get for not creating a signature. Michael --- Kevin Wigle wrote: > can't resist > > Hey Michael, that's some CCIE# you go there :-) > > Kevin Wigle > > ----- Original Message - > From: "Yonkerbonk" > To

Re: VPN troubles [7:10714]

2001-07-03 Thread Yonkerbonk
0.0.0.255 > access-list 130 deny ip 10.43.2.0 0.0.0.255 > 10.43.1.0 0.0.0.255 > access-list 130 permit ip 10.43.2.0 0.0.0.255 any > access-list 130 permit ip 192.168.103.0 0.0.0.255 > any > access-list 198 permit icmp any any > route-map nonat permit 10 > match ip address 1

Re: VPN troubles [7:10714]

2001-07-03 Thread Yonkerbonk
What you need to test with is an extended ping. Type in ping ip and then enter, and then follow the prompts after that. It gives you the choice of picking which ip address the router will use as the source. By default it uses the interface the packet leaves from. Michael Le, CCIE #681 --- All

Re: network security issue [7:9556]

2001-06-25 Thread Yonkerbonk
Implement soft security tokens. They work like the hard SecurID tokens, but you have to install them on all the machines and have an AAA server to authenticate them. Michael Le, CCIE #6811 --- Jim Bond wrote: > Hello, > > My client is a Cisco shop and they have many offices > all over the worl

Re: PIX static addreess translation updated [7:8090]

2001-06-12 Thread Yonkerbonk
Have you allowed pings through the PIX? --- Gary Crouch wrote: > config as below > > Address translation unable to pass traffic to server > farm > Have static and conduits configured > added static route on fire wall to Internal router > have statics routes on internal router to ISP router > al

Re: Pix 6.0 debut? Anyone know when? Thanks [7:1780]

2001-04-27 Thread Yonkerbonk
I installed 6.0.0.200 yesterday because I wanted the port redirection features. It stopped passing traffic. Oh well. Back to 5.2.4 for now. Michael Le, CCIE #6811 --- "Howard C. Berkowitz" wrote: > (slipping into movie trivia mode) > > As long as it is after Star Wars Day, and that its > insta

Re: BGP multi-homed load sharing/balancing and redundancy [7:2107]

2001-04-26 Thread Yonkerbonk
If you're not running BGP to ISP2 yet and you have a default route in there, it will take precedence over the BGP routes to ISP1. So, you will end up only using the FT3 link. When you get BGP running to ISP2, in step two, then things will work fine. Michael Le, CCIE #6811 --- Kim Seng wrote: >

Re: ADSL Splits off a 4KHz Region

2001-03-08 Thread Yonkerbonk
I think it refers to the fact that voice is run at the 3KHz or thereabouts spectrum. ADSL runs higher than that so they don't interfere with each other. That's why you can surf and talk on the phone at the same time. But you still need a splitter to send traffic from your phone line to either the phone

Off Topic: Load Balancing Through a PIX

2001-03-08 Thread Yonkerbonk
What with the talk going on about load balancing between two PIXs, it has gotten me curious about another scenario. [RouterA] [RouterB] | | -- | [PIX] | [RouterC] In this scenario, I have two routers connecting to the Internet, a PIX

Re: Any magazine about routers and networks??

2001-03-07 Thread Yonkerbonk
Network Magazine is great. It's free too if you fill out the standard forms. You can find them online too at http://www.networkmagazine.com/. Michael Le, CCIE #6811 (R&S) --- xzadio <[EMAIL PROTECTED]> wrote: > Did you know any good magazine about network > technology and routers or > switches??

Re: CCIE salary

2001-02-22 Thread Yonkerbonk
That's a pretty broad stroke you're painting. The CCIE is great, but the other certs can get you very good paying jobs. Especially if you have good experience with it. I made very good money as a CCNP, a lot more than what was quoted to you - $65K. And I live in a city that has very low cost of livin

Re: Good book on Catalyst Switches

2001-02-22 Thread Yonkerbonk
Cisco LAN Switching (Cisco Press) by Kennedy Clark and Kevin Hamilton. Michael --- Jon Krabbenschmidt <[EMAIL PROTECTED]> wrote: > Hi All! > > I am looking for your recommendations on a(some) > good book(s) on Catalyst > switches. I have several 4000 and 5000 switches and > want to get to know the

Re: Creating Multiple Interfaces on an Ethernet Port

2001-02-21 Thread Yonkerbonk
You can add IPX addresses to it, so it doesn't seem to be an issue of layer 3 addresses. I think it's just a matter of Cisco IOS supporting it. Michael --- Kenneth <[EMAIL PROTECTED]> wrote: > try adding an ip address to it. > > "Tim Lovelace" <[EMAIL PROTECTED]> wrote in > message > news:[EMAIL

Re: 2 default routes on PIX???

2001-02-20 Thread Yonkerbonk
To extend this line of thought - if you had another 2600 inside the PIX, could you point two default routes through the PIX to the other routers? I don't think there is a way to run two HSRP groups in this case for redundancy, but we could have the two 2600 Internet routers point to each other as

Re: OSPF config

2001-02-20 Thread Yonkerbonk
Routes that have their next-hop as Null0 will be distributed. The second Null0 seems to be redundant since it means 'match either interface Null0 or interface Null0'. The only reason I can see this being used is if you're advertising a summary route to your neighbors. Michael --- Jon Kuhn

Firewall design question (was Re: Does a PIX Route)

2001-02-19 Thread Yonkerbonk
to not allow a firewall to run routing protocols, could someone give me advice on how to set up my proposed redundant firewalls. Please refer to my ugly ASCII network. [BGP]---[BGP] | | --[PIX]---[PIX]-- || || | [ A ]---[ A ] | || || --[CPT]---[CPT

Re: Does a PIX Route (was Re: Firewalls and VPNs)

2001-02-17 Thread Yonkerbonk
Is there any good reason why the PIX doesn't route? Why it doesn't run OSPF? A Checkpoint firewall running on a Solaris box would be able to run OSPF or something, right? Why not a PIX? Michael --- anthony kim <[EMAIL PROTECTED]> wrote: > Does your pix have a default route? > Does your pix forwa

RE: DISTURBING: Spanning Tree Protocol Does not Work.

2001-02-14 Thread Yonkerbonk
Hi Pierre, You still need to finish setting up trunking on the 2924XL to see if my theory is correct. The two Catalysts on the segment between Port B on the C1912 and Fa0/21 on the 2924XL don't seem to be talking. So Port B shows that it knows who the root bridge is, but it shows itself as the de

Re: VLAN routing

2001-02-14 Thread Yonkerbonk
Outbound access-lists on each sub-interface, blocking other VLANs and allowing everything else. Michael --- Moiz Badr <[EMAIL PROTECTED]> wrote: > Hi all, > What is the best way to prevent a router on a stick > from routing between VLANs, I have to route the > VLANs > traffic only to the Intern

RE: DISTURBING: Spanning Tree Protocol Does not Work.

2001-02-13 Thread Yonkerbonk
that works. The C1912 'show spantree' output still doesn't look right. I don't know why the C1912 shows the root port as having a cost of 0 instead of 10. Michael --- Pierre-Alex <[EMAIL PROTECTED]> wrote: > Hi Yonkerbonk, > > As you requested, I did a show interfa

Re: DISTURBING: Spanning Tree Protocol Does not Work.

2001-02-13 Thread Yonkerbonk
Could you send a config for both switches? How about a fuller show spantree? A show port on the two ports? Maybe this is caused by some half-duplex, full-duplex issue... though I can't rationalize that explanation. The fact that one port shows the switch as being the root bridge and the other port

Re: Are Traditional Routing Protocols going to DIE

2001-02-10 Thread Yonkerbonk
I'm not sure increased bandwidth would affect routing policy. That's an interesting question though. As far as the granularity of the delay formula, they will probably do the same as they did with calculating Spanning-Tree path costs. With the old calculations (1000MB/Bandwidth), Fastethernet woul

RE: HSRP on my WKS subnet

2001-02-08 Thread Yonkerbonk
Well, the 6509s will pass broadcasts and multicasts through so your hosts off each VLAN will see that. The only thing that I can think of (and I have no idea if it would work) is to run CGMP on the switch to denote which ports should and should not get the multicast traffic. Michael --- Stephen

Re: Load Balancing Advice

2001-02-08 Thread Yonkerbonk
There is BGP running on the Internet routers and they have their own AS. So now that I know default-information originate is the way to go, can it be put on two routers on the same segment at the same time? And also, since the command requires the router to have a default route itself, should I pu

Re: Token Ring White Paper

2001-02-08 Thread Yonkerbonk
I originally found it on ccprep.com and it's still there. So check that out under Resources. Michael --- Hal White <[EMAIL PROTECTED]> wrote: > Several people have asked me where I got the Token > Ring white paper that I > used to study for the CCIE written. I got the paper > from > www.certif

Re: CCIE Recertification UPDATE (Networkers not needed anymore)

2001-02-08 Thread Yonkerbonk
That means we have no more excuses to tell our managers we need to go to New Orleans or Vegas. :) Michael --- Brad Ellis <[EMAIL PROTECTED]> wrote: > Thanks to Mr. Zudal, CCIEs are no longer required > to attend Networkers to > recert for their CCIE status. > > -Brad Ellis > CCIE#5796 > Cisco

Load Balancing Advice

2001-02-08 Thread Yonkerbonk
[MCI][Cat5K w/RSM][UUNet] | Internal LAN I have a client with two Internet routers running BGP multihomed to the ISPs, MCI and UUNET. Inbound traffic to their AS is pretty much balanced between MCI and UUNET. On the inside however, where MCI and UUNET connect

Re: CCIE Advantages

2001-02-06 Thread Yonkerbonk
That's definitely not the case. It makes no sense. Cisco is famous for great support, and denying support to 99% of their clients is not a way to attain that reputation. What you can do as a CCIE though is demand to talk to another CCIE on the TAC, someone at your level. They assume you've already

Re: Help me Urgent all CCIES please !!!!!!!!!!!!!!!

2001-02-03 Thread Yonkerbonk
What do you consider a paper CCIE? I've known some not-so-impressive CCIEs, but I don't know of any I'd consider paper. Michael --- Circusnuts <[EMAIL PROTECTED]> wrote: > EEEKKK !!! I'd have to agree... I work with a > couple paper CCIE's > > Phil > CCNA Lot's of hands on- closing in on CCNP

RE: Altiga Question

2001-01-23 Thread Yonkerbonk
Make sure you have the right level of encryption running on both the VPN concentrator and your clients. I had to upgrade my IE Explorer with the high encryption pack to make it 128-bit. Michael --- Dave <[EMAIL PROTECTED]> wrote: > Open a case with Cisco. > > I am working with the VPN 3000 s

Re: BGP Reg Expressions

2001-01-22 Thread Yonkerbonk
Your method should work, but if you want to be exact then you can filter by using ^\(65001\)_. The \ allows you to use the parentheses. --- Katson PN Yeung <[EMAIL PROTECTED]> wrote: > I use a very very stupid method to do it. But it > works I found that > all private AS path cannot be id

RE: Any body know about Cisco Content Switch

2001-01-13 Thread Yonkerbonk
> curiosity is piqued. I > think I should research the CSS' and what they do > exactly to allow for > firewall load balancing. > > > > > > Original Message- > From: Christopher Larson > Sent: Friday, January 12, 2001 11:14 AM > To: 

Re: Checkpoint & Cisco VPN 5000 Concentrator

2001-01-12 Thread Yonkerbonk
I installed a VPN 3010 and it goes parallel with the firewall, in my case a PIX. I didn't use the VPN 3000 client, but rather Windows 2000 built-in VPN adapter. It does have the ability to do all the things you listed. I did run into some issues with the box talking MS-CHAPv2 and our NT server o

RE: Any body know about Cisco Content Switch

2001-01-12 Thread Yonkerbonk
witches and the pix's. > > I have done this before between 6500's and routers > in for high > avail/reliability but not between the switches and > PIX's. I don't know why > it wouldn't work with the pix though . > > > > > > >

Re: Any body know about Cisco Content Switch

2001-01-11 Thread Yonkerbonk
public/cc/pd/si/casi/ca6000/tech/ios6k_wp.htm > http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/aslb_wp.htm > > - Original Message - > From: "Yonkerbonk" <[EMAIL PROTECTED]> > To: "Wayne Lawson" <[EMAIL PROTECTED]>; "Tommy > Mitc

RE: Any body know about Cisco Content Switch

2001-01-11 Thread Yonkerbonk
Hi Wayne, Could you point me to some information on the CSSes and how to configure for load balancing? I was looking at Local Director and Alteon boxes to do that for two PIXs. Do I need them on both the outside and inside? Thanks. --- Wayne Lawson <[EMAIL PROTECTED]> wrote: > Tommy, > > Actu

Re: VPN location

2001-01-03 Thread Yonkerbonk
Typically it runs parallel to the PIX. Check out the Cisco page on that. The Getting Started link will tell you where Cisco thinks you should put it, which is in parallel. http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/vpn3kco/vcogs/index.htm --- SH Wesson <[EMAIL PROTECTED]> wrote:

Re: crossover or straight cable?

2000-12-28 Thread Yonkerbonk
A trunk port is simply a port that has traffic from more than one VLAN running over it. It is a function of the software to combine and split the data. That has nothing to do with how the cabling is done. If you have a trunk running from switch to switch, it will be crossover. If you have a trunk

Re: W2K and 98, off subject sorry but I need help

2000-12-25 Thread Yonkerbonk
This should do it. [boot loader] timeout=30 default=multi(0)disk(1)rdisk(0)partition(1)\C:\="Microsoft Windows 98" [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Advanced Server" multi(0)disk(1)rdisk(0)partition(1)\C:\="Microsoft Windows 98" --- Brandon Pey

Re: ISL to 2600 series router

2000-12-21 Thread Yonkerbonk
Ethernet running at 100mb *is* FastEthernet. For the 2620s and 2621s you need to run IOS with "plus" feature set. --- Michael Everett <[EMAIL PROTECTED]> wrote: > In my lab at work I have 2 2924xl switches, 1 > cat5509, and a Cisco 2600 > router with a 10/100 ethernet port. The router will > not

Re: Can any one explain this Ping problem...

2000-12-21 Thread Yonkerbonk
Yahoo load balances its traffic across two web servers, with different ip addresses. If you run nslookup to www.yahoo.fr you get this: nslookup www.yahoo.fr Server: houdhcp1.houston.rr.com Address: 24.28.99.64 Non-authoritative answer: Name: homerc.europe.yahoo.com Addresses: 217.12.6.16,

Re: CCIE Salary article

2000-12-21 Thread Yonkerbonk
; reseller discount from Cisco is determined by the > number of Cisco Certified > SEs. > So when a CCIE leaves Company A for Company B, > Company B submits to Cisco > that they have another CCIE ... this is how Cisco > knows. The same goes for > Compaq ASEs. > > Hope this expl

Re: CCIE Salary article

2000-12-21 Thread Yonkerbonk
Quoted from article: "For example, Cisco frowns on competing solutions providers raiding each other in search of CCIEs. Should one company lure another's CCIE, Cisco will not recognize that engineer's certification for a year, meaning the company that scored the new employee cannot count on him or

Re: A challenge

2000-12-19 Thread Yonkerbonk
Host A has subnet mask of 255.255.255.252? --- Brian <[EMAIL PROTECTED]> wrote: > > Here is an interesting challenge, that may not be so > obvious to some of > you. > > You were told to configure a network as follows: > > 10.1.1.1/8router > 10.1.1.2/8hostA gw 10.1.1.1 > 10.1.1.3/8h