> H110Hawk posted: I assume this means you work for Cisco?

http://cisco.com/en/US/products/hw/routers/ps359/prod_troubleshooting_guide09186a00801c62e8.html
http://www.cisco.com/warp/public/708/GPSTools/RMAWebReturns/rma_web_based_returns.html

# Apr 23, 2007 18:23
|
|
> jwh posted: I'm wondering if anybody has any advice for DMVPN tunnel monitoring. Because the mGRE tunnels don't ever go down/down (unless the associated physical interface goes down), it's not very practical to simply watch the tunnel interface itself.

I think you need the objects in CISCO-IPSEC-FLOW-MONITOR-MIB. http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en

# Apr 23, 2007 20:27
|
> jwh posted: Isn't autonegotiation required for 1000base-t? I know you can force it off on fiber interfaces, but I don't think I can turn down autonegotiation on my X6548-GE-TX modules.

Were you thinking the PA-4E modules for VXRs?

# May 11, 2007 06:11
|
As far as 7600/6500 goes, the code trains are split now. More switching features will be implemented for 6k while more routing features will be making it into the 7k. I guess it mostly comes down to the capacity you need and topology (collapsed core or distributed).

# May 18, 2007 21:05
|
Captain, post a `show ip route` from that switch plz. I think the switch is just doing the routing for you, which you don't want.

# Jul 6, 2007 01:13
|
> jwh posted: You can proxy-arp to fake it (clients in 10.10/16 arp for what they think is local, gateway responds with its own MAC), but I don't know if proxy-arp is enabled by default on pix interfaces. It probably is, because it's been like that on IOS devices forever, but I don't know for certain. If I had to guess, it's probably enabled by default, and isn't really the problem here.

The proxy ARP function on PIX/ASA/FWSM is based on your NAT config. Any IP address assigned to a physical, logical, or NAT address (`nat (int) x.x.x.x`) will cause the FW to proxy arp.

Static NATs:

```
static (real_interface,mapped_interface) mapped_address real_address
```

This tells the FW to proxy arp for mapped_address on interface mapped_interface. Proxy arp can be disabled on a per interface basis as well (`sysopt no-proxy-arp <int>` [IIRC]).

# Jul 6, 2007 01:18
|
> TheCaptain posted: Gateway of last resort is 192.168.99.1 to network 0.0.0.0

Yeah, see how:

```
C 192.168.0.0/24 is directly connected, Vlan20
C 192.168.100.0/24 is directly connected, Vlan120
```

are connected? That's bad. That means the switch is routing and not the ASA. Stateful firewalls don't like asymmetric routing. Are hosts in the DMZ initiating traffic to the inside or is it only inside hosts initiating connections? Also fix your mask, I don't think you want to have a /16 on Vlan20.

You'll need a static identity nat to get this going (and an ACL). I'm assuming you want the ASA to just route the DMZ and inside nets and not NAT? Assuming that is the case:

```
static (inside,dmz) 192.168.99.0 192.168.99.0 mask 255.255.255.0
static (dmz,inside) 192.168.100.0 192.168.100.0 mask 255.255.255.0
```

See my above post on how proxy arp works in case I just reversed what you are trying to do.

Tremblay fucked around with this message at 01:27 on Jul 6, 2007

# Jul 6, 2007 01:22
|
> TheCaptain posted: I want the switch to do all the routing except for the DMZ Vlan. The server in the DMZ is an ISA server and needs to communicate with Exchange which is on the 20 Vlan, so connections come in from the internet, to the DMZ through the ISA server which needs to talk to the 20 vlan to get to exchange. Also, I have subnet-zero enabled. That's why I have 192.168.0.0/24.

Right, so what I am saying is: since you have an L3 vlan interface on the switch that resides in the DMZ subnet, the switch is currently routing between the .99 and .100 subnets and not the ASA. This is NOT what you want to happen.

# Jul 6, 2007 01:36
|
> TheCaptain posted: Thanks.

You need the static nats I posted above. ASA by default requires a NAT config to get traffic from one interface to another. So basically what we do is write NAT statements that essentially NAT traffic to their original IP addresses. The order of the interfaces is important since it controls which interface proxy ARPs for the subnet or host IP configured. If you flip the interface order you can wind up having the FW and hosts ARPing for the same addresses and that makes a headache.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/index.htm

I've got to head out but I'll check the thread when I get home.

Tremblay fucked around with this message at 01:50 on Jul 6, 2007

# Jul 6, 2007 01:43
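The proxy ARP rule from the posts above (the firewall answers ARP for the mapped address on the mapped interface, and a reversed identity static makes it answer on the interface where the real hosts already live) can be checked mechanically. This is an added example, not code from the thread or from Cisco; it assumes the pre-8.3 `static (real_if,mapped_if) mapped real [netmask m]` syntax and 7.x-style `interface`/`nameif`/`ip address` blocks, and the sample config is constructed.

```python
"""Added example: which PIX/ASA interface proxy-ARPs for which addresses
under pre-8.3 `static` lines, plus a check for a reversed identity static."""
import ipaddress
import re

# static (real_if,mapped_if) mapped real [netmask m]  (thread writes "mask")
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: (?:net)?mask (\S+))?")

# Constructed sample config in the thread's inside/dmz layout; the last
# static is the reversed pair the thread warns about.
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif inside
 ip address 192.168.99.2 255.255.255.0
interface Ethernet0/2
 nameif dmz
 ip address 192.168.100.1 255.255.255.0
static (inside,dmz) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
static (dmz,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (dmz,inside) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
"""


def connected_subnets(config):
    """Map nameif -> connected network, from 7.x-style interface blocks."""
    subnets, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()  # tolerate a trailing "standby" clause
            subnets[nameif] = ipaddress.ip_network(
                f"{parts[2]}/{parts[3]}", strict=False)
    return subnets


def audit_statics(config):
    """Return ({mapped_if: [network, ...]}, [warning, ...]).

    The firewall answers ARP for `mapped` on `mapped_if`; the real hosts must
    sit behind `real_if`.  If the real range is the connected subnet of some
    other interface (usually `mapped_if`, i.e. the pair is reversed), firewall
    and hosts will both answer ARP for those addresses, so the line is flagged.
    """
    subnets = connected_subnets(config)
    proxy_arp, warnings = {}, []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, mapped, real, mask = m.groups()
        mask = mask or "255.255.255.255"  # no mask -> single host
        proxy_arp.setdefault(mapped_if, []).append(
            ipaddress.ip_network(f"{mapped}/{mask}", strict=False))
        real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
        for ifname, net in subnets.items():
            if ifname != real_if and real_net.overlaps(net):
                warnings.append(f"{line.strip()}: real range {real_net} "
                                f"lives on '{ifname}', not '{real_if}'")
    return proxy_arp, warnings
```

Run `audit_statics(SAMPLE_CONFIG)`: the two correct statics produce the proxy ARP table (dmz answers for 192.168.99.0/24, inside for 192.168.100.0/24) and the reversed third line is the only warning.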
|
> TheCaptain posted: This is fantastic, I didn't know I could use NAT to route traffic that way. I had to go for the day but I'll pick this up in the morning. I only saw half of your post before so I missed the static entries. Now that I'm home, I'm going to read up on this to speed things up tomorrow.

Happy to help!

# Jul 6, 2007 03:22
|
> Arkady posted: stuff

Exactly what image are you running? Is this in production or in a test lab?

# Jul 12, 2007 18:21
|
> TheCaptain posted: Is there a way to alter the access list of a PIX 515e on a live network without it being automatically removed from the interface? I have an entry that needs to go at the very top. Should I just write it up in notepad and execute it quick to minimize downtime? I'm worried about making a typo or something and then I have a half finished ACL with erroneous entries that I have to clean up.

Hey, sorry I missed your previous IMs. It depends on the version of code. I think line numbers were introduced in 6.3:

```
access-list foobar line X ...
```

Depending on load and ACL size there could be a brief impact to traffic. This is due to ACL compilation, which is an option in 6.3 and default in 7+.

> Mr. Fossey posted: I am looking to overhaul our firewall/VPN situation (as in we don't have one other than a W2K3 box serving pptp connections). It is one main office going through a cisco 1720 with a dozen servers and 100 users. Also we have 6 remote offices that we would like to have site to site vpn access that have no more than 20 users. We will also need mobile VPN for ~25 users via radius or AD LDAP auth. I am leaning towards the ASA5510 w/ ASA5505s at the remote site.

ASDM is pretty good. The biggest deal with any of this stuff is doing a little reading. For basic administration ASDM is pretty idiot proof. Do yourself a favor and pretend watchguard doesn't exist. I'd say do the same with sonicwall. Checkpoint, meh. I don't like the policy structure. I like PIX and ASA, but I work with them every day so familiarity and all that. Disclaimer, I work for Cisco.

Is all of this traffic hub to spoke or do the spokes need to chat to one another? I'd think you'd want routers if it's the latter, that way you can use DMVPN. You'd probably want something larger than a 5510 for your hub but work with some presales people. I don't do a whole hell of a lot of design work.

Tremblay fucked around with this message at 05:54 on Aug 2, 2007

# Aug 2, 2007 05:35
|
> GOOCHY posted: A furniture chain in my area is going out of business so I stopped over there with my wife to see what kind of discounts they had going on. On a table with misc. junk they had a Cisco PIX 501 and a Cisco 2600 series router with a 56K WIC in it. Neither had a price tag on them so I offered $20 for the PIX - and they took it!! Once they took the $20 for the PIX I figured I'd offer $10 for the 2600 - apparently my ultra low ball got the guy nervous and he said, "Oh, well - that's not supposed to be out on the table, our IT guy was looking into that one so I can't sell it."

Nice! Too bad you couldn't get the 2600 as well.

# Aug 4, 2007 22:28
|
> CrazyLittle posted: Yes, but now you're stuck with a PIX 501.

For home they are fine, and hey, worst case he just spent $20 to have equipment to learn on.

# Aug 5, 2007 02:18
|
> CrazyLittle posted: I kid. Mostly the thing that bugs me about the pix 501 is that the ASA 5500 is roughly the same price and isn't the neutered wanna-be firewall that the pix 501 is in comparison to the 506.

Oh, they are very weak, I agree completely. I have no idea what the list is on them, I think list was ~$1000 for the 5505s with base lic. Are we really selling 501s for that much?

# Aug 5, 2007 19:32
|
Ouch. Yeah, that makes it a pretty easy decision.
# Aug 5, 2007 19:45
|
> inignot posted: I work with a federal agency that is running five year old pix 535's with 6.34 code. They still have CatOS on a couple of switches too. And they wonder why their gear can never support the latest hotshit feature they want, it's a special kind of dumb that I have no sympathy for.

I hear you guys. To be fair, 535s running 6.x code are fast. If you want 7/8.x features though then you really need ASA hardware. Prior to 8 we tried pretty hard for feature parity. Starting with 8.x you are going to see things change significantly.

> crazylittle posted: Please tell that to my customers who keep name dropping "PIX 501" like it's in style. I had to do this awful ugly hack to rewrite the originating IP on a PIX 506 in order to make policy based routing work over a wimax + T1 configuration.

I hope it wasn't too bad. PIX nat takes a bit of getting used to but I find it to be easier/more sensical than IOS nat.

> GOOCHY posted: The company I work for still deploys PIX firewalls like they're going out of style. We're about 5 years behind everybody else when it comes to updating hardware though. Maybe it's a Midwest thing - a lot of the technical contractors around here are still using them as well.

The price difference between ASA and PIX HW is so negligible for 5510+/515e+ that I really don't understand why anyone would buy PIX HW any more. It doesn't make a whole lot of sense to me. *shrug*

# Aug 5, 2007 20:50
|
> GOOCHY posted: tftp

Are you resolving the PIX interface in ARP? I can't remember if ROMMON defaults to eth0 or eth1, so I'd set that manually as well. In ROMMON the PIX should respond to pings.

# Aug 6, 2007 16:38
|
> GOOCHY posted: Yeah, it shows the IP address that the interface on the PIX is set to and the MAC address in the ARP table. I tried setting the interface manually to both 0 and 1 and they both react in the exact same manner - timeouts.

I just saw that you set the gateway. Don't do that unless the TFTP server is on a different subnet.

EDIT: Seriously, I know how stupid that sounds, but since you don't set a subnet mask, PIX assumes that since there is a gateway set the TFTP server is on a different segment.

Tremblay fucked around with this message at 18:17 on Aug 6, 2007

# Aug 6, 2007 17:03
|
> Analog LED posted: Words.

Do you really think you should be talking about this?

# Aug 10, 2007 04:00
|
> Girdle Wax posted: Nothing he said there hasn't already been said on NANOG/C-NSP/Cisco Blog...

Fair enough, some higher ups get tweaked over stupid poo poo. That's all.

# Aug 10, 2007 07:28
|
> delslo posted: I should have clarified, the Pix 515 I'm behind is set up for PPTP Passthrough to a Windows server running Routing and Remote Access. I know, I know, but that's how it's set up.

There is a bug that was fixed in ASA code. Basically PPTP + PAT == no no in 7.x code. It does work in 6.x but it turned the nat tables into spaghetti. What version of code is on the PIX and what is the ASA running?

# Aug 14, 2007 03:47
|
> sund posted: The small office I work for is replacing their WRT54G with a Cisco 1811W. It's fallen to me to help out after I finished the stuff I was working on. I'm using the web app to configure it, but I'm unable to get a basic NAT box up and running properly. I managed to configure one interface as the upstream link to the ISP, configured as a DHCP client. I can ping the outside world from the router. Any clients connected to the switch interfaces get configured properly from the DHCP server on the router. I can ping through the router to the uplink interface, but I'm unable to get any further than that. It says the firewall is off, do I need to turn it on and apply "allow any" rules or something? Is there some small, but vital detail I'm missing? I'd just like to get it up and running the way DD-WRT was before and handle the other features later.

This is for SDM 2.3, but 2.4 is basically the same: http://cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a008065604a.html

# Aug 16, 2007 17:12
|
> brent78 posted: I setup a VPN on a PIX 515e and connect with the Cisco VPN client software. It works great, however I'm no longer able to route to the Internet, just the private internal network. Is there a way to have it route ALL my traffic through the PIX? I know a split tunnel is possible, but I don't want to do that. I heard somewhere that a PIX can't route traffic out the same interface it comes in on, so what I'm asking may not be possible without a VPN concentrator or whatnot.

Is the PIX running 6, 7, or 8? This is applicable to 7 and 8. If you are running 6 let me know and I can dig up that too. http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

# Sep 23, 2007 11:09
|
> jwh posted: I feel like I'm beating a dead horse here, but Cisco came back to me finally and told me that, more or less, "IPSec client VPN termination against IOS is an afterthought," and that the recommended platform for client VPN termination is an ASA.

6k/7ks with VPN-SPAs I think. I understand you need VRF support but what other features are you looking to implement that IOS doesn't provide for RA?

EDIT: I'm not a VPN eng but I'll do what I can to help.

# Sep 24, 2007 19:55
|
> dwarftosser posted: You can for now, which makes it a great option. However I hear Cisco is going to limit what products you can and cannot get a smartnet on sometime in the near future to try to curb the massive explosion of Used / Refurbed dealers that seem to be around now.

For what it's worth I've heard no talk of this.

# Sep 28, 2007 18:35
|
> ChimpyMonkey posted: Anyone here running 12.2(33)SXH on a Sup32? We were previously running SXF on the same box, upgraded to SXH a couple of days ago. Now we have no rate-limit or traffic-shape available to us.

Possibly. I'll try to check this out today.

# Sep 28, 2007 18:35
|
Can you post this fw policy: `ip inspect myfw`

# Oct 16, 2007 21:59
|
Doh. Sorry, I'm retarded, I meant the guy having FTP issues. For your issue try pulling the `ip nat outside` off your internet facing interface and see if it works.

# Oct 17, 2007 04:43
|
> ionn posted: I'm wondering a bit about the Cisco 1811 / 1812. How useful are those extra 8 ports, really? It's called an "8 port switch", but I've seen configs where they're referred to as FastEthernet 2-9. What can they actually do?

Can you post what is silk screened on the card? The short answer is most of these expansion WICs are switchcards. You shouldn't have to physically cable the card to one of the routing ports though! You just create a BVI typically.

edit: and late.

# Nov 27, 2007 23:02
|
> jwh posted: If someone has a box running 12.4(15)T1, or can get a box running 12.4(15)T1, I'd like to see if they can reproduce a CEF problem with SSL VPN and VRF.

Check your PMs.

# Dec 3, 2007 23:20
|
> brent78 posted: I have a pair of stacked 3750's with a couple VLANs. One VLAN is used for Internet based traffic and the other is private SAN traffic. I'd like to use an mtu of 9000 for the second vlan, however from what I've read the mtu can only be set system wide and not per interface or vlan. How will having a sys mtu of 9000 affect internet traffic that upstreams to a pair of ASA's that have an mtu of 1500?

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/cr/cli2.htm#wp1949594

The SAN ports aren't routed (I assume) so you might be able to do `system mtu jumbo`. Also if you have path mtu discovery running it shouldn't be a big deal.

> jwh posted: If someone has a box running 12.4(15)T1, or can get a box running 12.4(15)T1, I'd like to see if they can reproduce a CEF problem with SSL VPN and VRF.

I haven't forgotten about you, the last few days have just royally sucked.

Tremblay fucked around with this message at 05:58 on Dec 5, 2007

# Dec 5, 2007 05:54
|
> jwh posted: I'm working through even more VPN client issues, and I'm being told from our systems people that we need our VPN connected clients to register themselves in DNS. It looks like you can do this with a concentrator. Not sure about ASA or IOS.

Windows hosts have DDNS clients on them, why can't the host do it after the tunnel comes up?

# Dec 6, 2007 22:23
|
> inignot posted: Call me old school (or just dumb) if you want, but every EZ-VPN example code I've ever seen has looked like incoherent gibberish. I'll take crypto maps, or tunnel protect, or DMVPN over that EZ-VPN nonsense any day.

Well, I think it was named EZ-VPN due to the minimal config needed on the client side. I agree with you completely that it is a pain in the rear end. And yes, DMVPN/tunnel protect/anything is less convoluted.

# Dec 7, 2007 22:26
|
> Filthy_McGreasy posted: Do you have any suggestions on how to prepare for the CCIE? What equipment is good to practice with? Did you just purchase a set amount of hours on practice equipment? Any online articles that are worth reading before I get started?

Which track?

# Dec 9, 2007 17:59
|
# Dec 10, 2007 01:11
|
> Filthy_McGreasy posted: I am starting with routing/switching, but possibly exploring other options after I pass the test.

I passed the security CCIE this past September. Most of it was OJT although I did have a study rack of equipment. For study guides I used IP Expert and Netmetric-Solutions. For security I thought Netmetric was better. For VOIP I know the IP Expert is excellent. Not sure for R&S.

I completely agree with inignot. It seems like if there are two ways of accomplishing something, the most convoluted or asinine method is the "right" method. Best thing to do is remember it's just a test...

Tremblay fucked around with this message at 02:01 on Dec 10, 2007

# Dec 10, 2007 01:23
|
> Skip Dogg posted: What would cause computers to take forever to get a DHCP address?

Take a packet capture from the host and the DHCP server end.

# Dec 10, 2007 02:02
|
> MC Fruit Stripe posted: Lemme see if I can get it. Call manager is handled at the district level, so I'm trying to troubleshoot what I can locally.

Definitely a weird one. Place a call to an ext. Once the other phone is off hook, tap the ? mark button twice. Look at the packet sent/received counts. I'd guess you are sending but not receiving media. Any firewalls/ACLs/etc?

# Dec 10, 2007 22:30
|
|
> mamboman posted: I've got a weird VPN hairpinning problem on an ASA 5540.

You need a `nat (outside)` statement to translate VPNC IPs to globals, i.e.:

```
nat (outside) 1 <RA VPN Subnet> netmask <mask>
```

Also, you say same-security intra-interface is on the core PIX... It needs to be on this ASA since it is terminating the tunnels (unless I misread that bit).

# Dec 28, 2007 18:46