It's a long story...
http://www.naplesnews.com/today/restate/a120401k.htm
-Kent
On Wed, 2003-07-23 at 11:28, Raj wrote:
> Does anybody know when and how the number 13 got so unpopular? What's the
> story behind it?
>
>
> ""MADMAN"" wrote in message
> news:[EMAIL PROTECTED]
> > There is a reaso
John,
A few things I would look at:
1) What is the MSS value that is passed between the servers during the
initial TCP setup?
2) What is the value of the MTU on the servers?
3) Are there any name resolution issues? I have seen Solaris boxes keep
trying to resolve the DNS name of a client stati
There are various tools to do this, as far as I know they all work based
on the ability to spoof arp replies. Here are a few links:
http://monkey.org/~dugsong/dsniff/
(a host of tools for sniffing through various spoofing attacks)
http://www.phenoelit.de/fr/tools.html
(specifically just for arp
Rusty,
I'm not clear from your question if there is an acl blocking everything
inbound to the nt servers except smtp and telnet or if the acl is for
inbound to the router itself. In the former case, unless your client is
forcing their users to use good passwords, it's likely that a brute
force te
AFAIK, no. Cisco IDS was purchased from the Wheel Group and previously
went by the name Netranger.
Regards,
Kent
On Wed, 2003-03-26 at 07:12, ritul wrote:
> Hi !
>
> I want to know is Snort used with CISCO IDS ?
>
> Ritul
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6625
Manny,
A couple of thoughts, not necessarily in order of applicability:
1) Change the timeout values for idle connections for conn (connection
slot) from 1 hr to 5-10 min and change the xlate timeout from 3 hrs to
5-10 minutes. These are idle timeouts and will probably work for most
environments
No. If you want mail content filtering (spam, virus, etc.) you need a
3rd party product like those from TrendMicro.
HTH,
Kent
On Tue, 2003-03-11 at 02:03, Carol smith wrote:
> Hi.. I wonder if the PIX generic IDS can block a spam e-mail attack?
>
> Thanks
>
>
>
> -
>
No, subinterfaces on a trunked port fully support ACLs in the same
manner as physical interfaces. Same for other services such as NAT,
CBAC, policy routing, etc.
HTH,
Kent
On Tue, 2003-02-25 at 11:47, Skarphedinsson Arni V. wrote:
> Hi
>
> When using vlan trunking from a router, for example i
Change this:
ip nat inside source static tcp 192.168.1.30 80 200.10.15.189 80 extendable
to something like:
ip nat inside source static tcp 192.168.0.30 80 200.10.15.189 80 extendable
-The inside from the 827's perspective needs to be something in the
192.168.0.x address space
And change this:
BTW, for the record I am personally a big fan of snort. Snort is what I
use on my own home network. But then I'm a tech geek with limited funds,
so it fits my needs perfectly. ;-)
Regards,
Kent
On Fri, 2003-02-14 at 10:32, Kent Hundley wrote:
> The term "team" was meant
ously, they will push the product.
>
> Rule 1. Never trust a salesperson.
> Rule 2. Never Believe a salesperson.
> Rule 3. Never forget Rules 1 & 2.
>
> -Original Message-
> From: Kent Hundley [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 13, 2003
On Thu, 2003-02-13 at 00:06, Priscilla Oppenheimer wrote:
> Someone told me in an authoritative voice today that Cisco doesn't recommend
> their IDS. They recommend Snort. Is this really true? Isn't Cisco's IDS a
> big part of SAFE?
>
Whomever told you this:
1) Is extremely naive (one Cisco eng
A) No
B) No
It appears that someone in mgmt. has made a layer 8 (political) decision to
migrate your firewall since the PIX does not support features you are
currently using and yet the decision has already been made.
At this point, I would recommend that you put together a brief presentation
You might also want to check out Ntop:
http://www.ntop.org/ntop.html
It's not for monitoring Cisco routers, but it will give you everything you
want to know about the traffic on your network.
HTH,
Kent
At 04:02 PM 11/27/2002 +, Curious wrote:
>Is there a tool which gives me very good traff
Yes, you can use as many IDS modules as you have free slots for (minus the
sups of course). Each IDS is managed independently, one does not affect
the other. You would, of course, use different VACL's to point different
traffic to each IDS blade, so each IDS "sees" different traffic.
HTH,
Ken
James,
Just to add a bit to what others have said, if your friend is cost
constrained, going open source ala OpenBSD, FreeBSD, Linux, etc will no
doubt be the cheapest in terms of immediate cost. An additional option is
the Cisco firewall feature set, it may require your friend to purchase
ad
Depends on your definition of "open standard". As far as I can tell there
are no RFC's for IGRP or EIGRP, which is pretty much the criteria for
something to be considered an "open standard" in the Internet
community. Also, I don't believe Cisco has released the source code for
either IGRP or
FYI,
This paper and other Cisco security docs can also be found at:
http://www.cisco.com/go/safe
Which has that advantage of being easier to remember. ;-)
Regards,
Kent
At 07:58 PM 10/31/2002 +, The Long and Winding Road wrote:
>found this while stumbling around:
>
>http://www.cisco.com/wa
Richard,
1) No comments are allowed right now. Yes, it's a pain.
2) Try using PDM, it's a fairly nice GUI interface. For large environments try
CSPM.
3) The PIX's default stance is a holdover from the days when not a lot of
people were concerned about blocking outbound traffic. Yes, it probably
shou
http://www.cisco.com/warp/public/110/pix_pptp.html
-Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Spencer Plantier
Sent: Tuesday, June 25, 2002 6:14 AM
To: [EMAIL PROTECTED]
Subject: Microsoft VPN ports [7:47376]
Does anyone know which ports nee
get the job done. Sounds to me like
the only barrier is getting BGP.
""Kent Hundley"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Wayne,
>
> I would suggest disabling NAT on the PIX and performing your NAT on the
> router. This elimin
Wayne,
I would suggest disabling NAT on the PIX and performing your NAT on the
router. This eliminates the problem of not knowing what packets originate
from the servers. Then, setup Policy-Based Routing (PBR) on the router.
You didn't post your config, so I assume you have 2 legal addresses, o
First, I think you need to determine that this is an actual attack before
you start blocking anything. It could be someone who didn't know better
enabled a DHCP server without even knowing what it did. I would recommend
going to the person who did it and asking them why they are enabling a DHCP
You need to block more than just your own subnet. You'll want to block at
least the RFC1918 address spaces and hosts that claim to be from 0.0.0.0,
255.255.255.255, 127.x.x.x and multicast addresses. You can take a look at
the following for more info:
http://www.cisco.com/univercd/cc/td/doc/cis
Check out the SNMP section in this doc:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm
Additionally to the above suggestions, I would add:
-Do not allow SNMP write capability, you almost never need it
-Choose a _strong_ SNMP RO community. It should contain special characters
s
Maybe not if you keep the room temperature low enough, but you're going to
need a lot of air conditioning. ;-)
Seriously, disconnecting fans will eventually cause your router, or any
computer, to fry. Without heat dissipation, your components will eventually
just quit working and fill your house w
The command you reference is for context-based access control (cbac), part
of the firewall feature set (ffs). What it is and how it works are clearly
explained in the cisco documentation at cisco.com. Here's a shortcut link
that gives you all the basics:
http://www.cisco.com/warp/public/110/32.
You can find lots of good info on Cisco NAT by surfing to cisco.com and
searching for NAT tips. Here's a shortcut:
http://www.cisco.com/warp/public/556/index.shtml
And here's an example to help with your specific question:
http://www.cisco.com/warp/public/105/nat_routemap.html
This whitepape
Brian,
Yes, most of them do nat. From the client WS perspective, there is only a
single server IP, so it sends packets to that IP address. Once the switch
gets the packet (since it is answering for that IP), it needs to forward the
packet to a server. Normally, for the server to accept that pa
The short answer is no. The PIX does not support a true http proxy, so
you'll need to reconfigure your clients or continue to use a cache/proxy in
addition to the PIX.
For info on the PIX, the documentation is fairly good:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/
First, take a look at the following links:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm
http://phrack.org/phrack/55/P55-10
Then, you might want to consider using CBAC:
http://www.cisco.com/warp/public/110/32.html
Finally, for performance you may want to consider using a cach
In general, any Application Layer Gateway (ALG) firewall, or any firewall
that has a true http proxy, will only allow sessions on port 80 that are
actually http. Some examples of ALG's are Gauntlet and Raptor. An example
of a firewall that is not an ALG but that does support a true http proxy is
Go to
http://www.cisco.com/go/fn
and search for WCCP version 2
HTH,
Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Magdy H. Ibrahim
Sent: Thursday, May 02, 2002 4:19 AM
To: [EMAIL PROTECTED]
Subject: Content engine question! [7:43101]
Dear All,
This is possible in a number of different ways, but it really depends on
what VPN hardware and software you will be using, which you didn't specify.
If it's a cisco router to cisco router implementation, you can find an
example here:
http://www.cisco.com/warp/public/707/ios_804.html
If your tal
Place an access-list on the FE interface that only allows traffic with a
source IP of the Squid server. Configure your clients to use the Squid
proxy. If you run into issues of users trying to get around your proxy,
it's a matter of policy, not technology, and should be addressed by your
securit
George,
Yes, you can LB PIXen, but there are caveats:
1) PIXes can only do state sharing if one is in failover mode. If you have
2 active PIXen, you cannot share state so if one PIX fails, all active
sessions on that PIX will drop and have to start over on the other PIX.
2) It's usually not n
That is exactly the way I would do it. In fact, it's probably the only way
to accomplish your goal. One additional thing to consider is assisting your
client with a migration to 100% IP. Netware has supported native IP (not
IPX in IP) for some time now, and this is a logical next step. (though
Mea culpa. I thought the current version I had was 3.0i, I now see that it
is 2.3.3i.
-Kent
-Original Message-
From: Tim O'Brien [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 10:28 AM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: CSPM for IDS4210 [7:42788]
Kent,
There are different versions of CSPM 3.0. CSPM 3.0f supports PIX and
routers, CSPM 3.0i supports IDS. You can read about it here:
http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver30/reln30.htm#xtocid2
Regards,
Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMA
The issue isn't with IPSec per se, it's with allowing split tunneling. If a
user PC becomes compromised via a trojan that allows remote control such as
BackOrifice, Netbus, etc., if you allow split tunneling then not only can
the attacker control the user's machine, they can use it as a jumping off
Craig,
I have done quite a bit of research in this area, and I'm pretty confident
that no product exists that does what you're looking for. There are plenty of
client side products that can simply peer with an IPSec gateway using a
shared secret or even a certificate, but as far as I have seen the
No, you'll need to use a router if you need this capability
-Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Audy Bautista
Sent: Thursday, April 25, 2002 10:24 AM
To: [EMAIL PROTECTED]
Subject: PIX Inside Interface - Secondary IP? [7:42567]
Is it
Craig,
I use the STS10 at home and it works great. I got it off ebay for $70 about
2 years ago and the only problem I had was getting the pinouts right. (it's
not the traditional rollover) Unfortunately, those boxes are EOL and seem
hard to come by. You might want to look at xyplex, they have
Ah yes, security through obscurity. ;-)
If I would have had to guess, I would have guessed you were using one of the
following VPN products:
1) Cisco
2) Checkpoint
3) Nortel
I would have started with Cisco and assumed either a VPN concentrator or a
PIX. (in your case, I would have hit the first
There are some pretty strict requirements for IOS based on the version of
netmeeting being used, you can check out the req's here:
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm
If you meet the req's, netmeeting should work. However, I have had a lot of
problems in
Rico,
I would have to agree with the other posts, the Linksys is intended for
Small Office, Home Office, not for a small branch. It would typically fit
where you have somewhere between 1 and 10 users, not 100. The Linksys and
other similar routers are clearly intended for the low-end, home user
Short answer: It's probably going to be impossible to write a signature that
won't give you tons of false positives. The problem is that there is
virtually no difference between someone manually typing mail commands via
telnet to port 25 and a standard SMTP program sending the same commands.
Lon
Tom,
It's all about performance. Public key encryption/decryption such as DH is
about 100-1000 times slower than the same process using shared key
cryptography (it has to do with the type of algorithms required). Given
this, the standard modus operandi is for two hosts to use public key
cryptog
If all that's needed is general traffic trend patterns, things like how much
traffic, what stations are talking to what other stations, protocols in use,
etc, then you can do no better than NTOP: http://www.ntop.org
It has a small footprint, fairly low overhead, gives you RMON type stats
through
In the proxy/cache space, the products from Network Appliance are considered
by many, including myself, to be the best of breed. It meets all of your
listed requirements and is consistently rated high in 3rd party reviews. You
can check out their product line at http://www.netapp.com
As far as i
This is in the list archives: http://www.memoryx.com
-Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
The Edward Groove
Sent: Thursday, April 11, 2002 9:38 PM
To: [EMAIL PROTECTED]
Subject: Cisco Memory [7:41266]
Has anyone done any research on ch
AFAIK, you can only block HTTP content using NBAR, although Cisco is working
on adding additional protocols for classifying content.
You can use the IDS features in the IOS to catch some SPAM related mail,
such as the number of recipients in an email message. Based on this you
could setup your m
minicom or, the x version, xminicom. It should be included in most linux
distros.
-Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
hall
Sent: Thursday, April 11, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject: What is the best HyperTerminal program for
There are several factors:
1) Clock rate of the line
2) Buffering delay by any intermediary devices such as ATM/FR switches
3) Speed of light
If we take a simple case and say that there are no layer 2 devices in the
path and only digital cross-connects. I have read (somewhere) that the
speed of
You could, if the PIX supported NAT transparency for IPSec like the VPN 3000
does. Unfortunately, this feature is not yet available. My SE tells me it's
on the road map for inclusion sometime this year, but there are no firm
dates yet.
Your other option would be to get rid of the cayman router,
I haven't tested it, but according to the Linksys release notes, they
support IPSec passthrough for multiple IPSec tunnels beginning in version
1.42.3 released Jan 25, 02.
Regards,
Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Fly Ers
Sent: Tuesda
provide Secondary DNS for them.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kent Hundley
Sent: Tuesday, April 09, 2002 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]
Robert,
Ok, I'm more confused than
web server, you're going to have to
modify your conduit statement(s).
Regards,
Kent
-Original Message-
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, cond
Priscilla is correct, normally a span only shows unicast for the VLAN on the
switch where the span is enabled plus any bcast or mcast from other switches
that have active ports in the VLAN in question. However, there is a "remote
span" capability that has been added to the 6000 series in 5.3 code
Charlie,
As others noted, it depends on your OS. I would recommend doing a search on
google for "your OS"+hardening. You'll probably find what you're looking for.
Also consult your vendor's web site and http://www.sans.org for more info.
HTH,
Kent
-Original Message-
From: [EMAIL PROTECTE
t. If it's not done right now, when they expand later
this year, the network will suck.
--
RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com
""Kent Hundley"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> It's not a bad idea to ha
It's not a bad idea to have an IDS blade in the core, but if you have to
pick either the DMZ and server blocks or the core, I would choose the
former. Having an IDS blade in the core should not affect any other
processing of the switch since it's a completely self contained module with
its own pro
Robert,
Your conduit command doesn't look right. Typically you want to allow any
outside host to access the inside host specified in the conduit. You can
specify 'any' by using 0.0.0.0 or 0:
conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0
Also, I'm not sure what you're trying to accomplish
Avi,
You have a few things in your config that look strange:
1) static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255
This creates a static with the outside address of 192.168.2.13, which you
indicate is your router's IP address, and an inside address of 216.6.24.129,
which
Jeffrey,
A few things you'll need to be aware of:
1) If you want to get an additional Internet connection for redundancy, it
will have to be Ethernet since the PIX does not support WAN connections.
2) The PIX cannot act as an HTTP proxy, so you may have to change the config
on the clients so th
Very possible, not much different from using 1 provider as long as you have
your own address space. If you don't have your own address space, you'll
have to either get it from ARIN or convince one provider to advertise
addresses from another providers space. They will probably do this, for a
pri
Actually, depending on what Nokia boxes you compare with what PIXen and
whose numbers you believe, the Nokia boxes may be faster. According to
Nokia/Checkpoint, the high-end Nokia boxes are faster than the PIX 535's.
Course, a lot depends on what your rule-set looks like.
On the flexibility, I a
Kevin,
Check out "local area mobility", it looks like it may fit your needs:
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/lam/tech/lamso_wp.htm
HTH,
Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kevin Campbell
Sent: Tuesday, April 02, 2002
If memory serves, William S. Bonnie is "Billy the Kid"
-K
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Brian Zeitz
Sent: Monday, April 01, 2002 10:54 AM
To: [EMAIL PROTECTED]
Subject: Contest [7:40072]
I'll give you a free website that you can find t
John,
3 ways to verify the host key:
1) Connect over a network which you have a reasonable degree of confidence
is secure. This would normally mean connecting over a LAN to the host in
question to get its key. For the truly paranoid, this would mean connecting
over a x-over cable to the host i
Probably has something to do with the asymmetric nature of email and the
inherent delays in various mail servers and the Internet. Right now I see
no responses to your question in my inbox, but there could be 5 on their way
by the time I type this and hit send.
-Kent
-Original Message-
I have tried it, it works provided you have appropriate IOS and use 802.1q.
-Kent
-Original Message-
From: Walker, Jim [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 11:33 AM
To: 'Kent Hundley'; [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]
I neve
Incorrect. Only ISL requires FastE, 802.1q works perfectly well on a
standard Ethernet port. This was covered in another thread a few days ago.
-Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 10:15 AM
To: [EMAIL PROTECTED]
Subje
the pix is also a NAS,
network access server ? would that be correct to say,
at least in this scenario where users connect to pix to
say access a web server behind or protected by the
pix.
> ""Kent Hundley"" wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROT
Yes, you are (lots of good info on NAT can be found by doing a search on CCO
for "NAT tips")
Regards,
Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Wilson, Gavin (KBPB)
Sent: Wednesday, March 27, 2002 6:00 AM
To: [EMAIL PROTECTED]
Subject: NAT [7:
George,
In current versions, it's "show access-list". :-)
pix# sh ver
Cisco Secure PIX Firewall Version 6.0(1)
PIX Device Manager Version 1.0(1)
pix# sh access-list
access-list 1 permit icmp any any (hitcnt=27)
access-list 1 permit ip any host 172.16.1.55 (hitcnt=0)
access-list 1 permit ip any
You can find this info and lots of other good SNMP info by searching on CCO
for "snmp tips". Here's the relevant direct url:
http://www.cisco.com/warp/public/477/SNMP/copy_configs_snmp.shtml
HTH,
Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
V\J
Tong,
There's no magic, you must either advertise a route for 192.168.2.0/24 or
the upstream router(s) must have a static route for the the 192.168.2.0/24
pointing to your router. One way around this issue is to configure NAT to
overload the routers interface IP or use addresses in the same rang
ct: Re: TACACS+ [7:39297]
I think cisco stopped the DL of the free tacacs server a while ago.
--
RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com
""Kent Hundley"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> IMO, the best way to study T
IMO, the best way to study TACACS+ is to download the free TACACS+ server
from Cisco, install it on Linux and play around with it. You'll learn much
more about how TACACS+ works by implementing it and trying different things
than any WP (it helps a lot if you have a router to work with as well).
Danny,
Sometimes even people who work for Cisco, even SE's who may be CCIEs, make
mistakes. The router never lies:
3620(config)#int ethernet 0/0.1
3620(config-subif)#encap ?
dot1Q IEEE 802.1Q Virtual LAN
sde     IEEE 802.10 Virtual LAN - Secure Data Exchange
Notice this is an Ethernet, no
Correct, it's essentially a 802.1q native VLAN issue, not a VLAN 1 issue per
se. I would note though that although the change to make a non-active VLAN
the native VLAN is an obvious fix, it strikes me as a bug that Cisco does
not perform a sanity check on native VLAN frames to ensure that they in
SS,
Point a route for the other end's LAN subnet to your IPSec peer's address.
For example, if the far LAN is 10.1.1.0/24 and your IPSec peer's address is
1.1.1.1:
ip route 10.1.1.0 255.255.255.0 1.1.1.1
Create a similar route on the CES for the LAN subnet attached to the Cisco
2610.
HTH,
Kent
John,
I believe the matrix is a list of TCP features that are implemented on the
router as an end-system and affect only TCP traffic with the router as the
src or dst.
1) Socket API - sockets are a network programming application interface. To
me this would only be of interest to Cisco code joc
Aaron,
Do a "debug rip" on each router and see what advertisements its receiving
from the FW's. It sounds like one FW is not advertising any routes. You
should see something like this:
RIP: received v1 update from a.b.c.d on
0.0.0.0 in 1 hops
If both FW's are advertising the routes, the
Sam,
IIRC, Cisco uses 64 byte packets as the baseline. FYI, I have been
conducting some throughput tests on 2 2621's in the lab and here are some
results for you. I used TTCP between 2 Sparc ultras for the traffic. The
sparc ultras can generate about 90Mbps with no routers between them, so the
Mohannad,
1) Have you taken sniffer traces? If so, what information did they tell
you? If you have not taken a sniffer trace, you absolutely need to do this.
You need to look at the TCP windows and MSS values and compare the trace
through the PIX and without the PIX. If you have the traces you
Some protocols don't have a layer 3 address, examples of this would be LAT
and SNA. Since they have no layer 3 address, you must bridge them. The
docs on CCO show how to enable bridging on a router:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/ibm_c/index.htm
HTH,
Ke
Sam,
You can check out the DOCSIS standards here:
http://www.cablemodem.com/
(check out the "specifications" section)
You should, at a minimum, see broadcasts from the other devices on your
cable network. Mostly you will see arp broadcasts, but some Windows users on
"raw" cable may still be ou
Mohannad,
Look at this link, it may be the cause of your problem:
http://www.cisco.com/warp/public/110/21.html
If this is not the reason, try sniffing the connection.
HTH,
Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Mohannad Khuffash
Sent: Mo
Mark,
You can _advertise_ the whole subnet, but the problem is that once you
assign a subnet to the loopback, you cannot assign another interface an IP
address in the same address space. I'm still not sure I understand what
you're trying to accomplish here. If you have hosts that will have IP
add
Justin,
I think you got your answer, but I just wanted to clarify for you that
contrary to some of the information you were given, you do _not_ need to
configure an access-list on the PIX for outbound traffic. You _do_ have to
setup, at a minimum, a "nat" statement. If you are not using nat, yo
Jim,
I normally ignore these sorts of way OT posts, however
I am so glad that individuals such as yourself feel that you can better the
lives of all of us morally degenerate Americans by instructing us on the
proper rules of life and giving us so much to think about.
I am so glad
The problem is that most likely you are using a subnet for your wireless net
that is not routable. For example, if you're using 192.168.1.0/24 for your
wireless IPs, you cannot use those addresses on the Internet, you'll need a
NATing device like a linksys router or some other low end NAT capable
Yes, you'll need to configure the PIX to use AAA and have it speak Radius or
TACACS+ to the ACE server:
How to do AAA with the PIX:
http://www.cisco.com/warp/public/110/atp52.html
Info on Cisco talking to ACE server:
http://www.rsasecurity.com/support/guides/imp_pdfs/Cisco_Remote_Access_Servers
What you're describing is fairly common and you can "fix" this by adjusting
the delay metric of router interfaces in your path. In your example, you
could adjust the delay between the routers so that the path metrics are
equal. This is, as you note, the preferred approach with IGRP/EIGRP to
manipul
You cannot. The PIX does not support forwarding of DHCP requests (or any
broadcast for that matter).
Your only options are to hard-code your IP address or use the DHCP server
built into the PIX.
HTH,
Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
I assume that this would have to be a "crafted" packet since, as you say, it
would be awfully strange to see normal traffic matching this description.
For example, assume I created the following packet:
[ethernet header] + 46 data bytes + 4 byte crc = 64 byte packet
Normal IP total length = 46 b
As far as I can tell, it means essentially nothing. All SPI is by
definition, "multi layer" since it tracks at least both layer 3 and layer 4.
It looks like a term added to SPI to make it sound like it's looking at more
"layers". It's probably a term cooked up by the marketing departments of
SPI
John,
You're correct, there is no support for the FFS on the 4x00 platform and there
probably will never be. Cisco has EOLed the 4x00 series and is not going to
continue development on that platform, although they will continue
supporting it for some time. The midrange router of choice is the 360