Ok, thanks for the info. Without meaning to flog a dead horse ;) does that mean there is no way to configure this to provide any kind of switch redundancy? If one switch goes down, I'm basically going to lose all the servers hanging off that switch?
Thanks again for the help.
In the same subnet? In what sense? They're uplinked through gig ethernet through a core switch, they're not directly cabled to each other in any way.
So what's the recommended way to connect teamed nics on servers then? Both nics go into the same switch and etherchannel? That gives you a...
Ok, it's been forever since I did any switch configuration. But we have two 3548XL switches, running IOS 12.0(5). We have a load of new servers, with two nics in each, and those nics are teamed to share an ip address.
Currently one nic from each server is plugged into one switch, and the other...
Is there a known bug or similar when using ssh to a PIX running 7.1, and trying to run crypto debugs?
I run debug crypto isakmp and debug crypto ipsec on this box, and basically get no output back, when I'd expect to see loads. I then turned on debugging of all the suboptions of ipsec and...
Cheers, but those are IOS commands. This is on a Catalyst core switch. I've remembered it now anyway, show cam dynamic [VLAN] gets me what I need.
Thanks for the thoughts though.
CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
Ok, this should be easy, but it's been a long long time since I tried, and I can't seem to figure it out ...
I have a Cat core switch, with switching modules in it, and a routing module. I need to find out which physical port a specific IP address is connected to (eg, I know a server is at...
Yes, you can add a DMZ of sorts using VLANs.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411
Sorry, I meant ICMP time-exceeded, not unreachables. Although you may also want to allow unreachables, depending on your network design past the PIX.
I'm not sure where you're getting port 512 from. But this will be O/S specific, depending on what you're using to initiate the tracert (eg, Windows uses only ICMP; Linux uses ICMP and UDP packets, as do different flavours of Unix, but using different UDP ports).
The following link is a little...
The 501 has to initiate the connection, and you use a feature called Easy VPN, configuring the 506 as an Easy VPN server, and the 501 as an Easy VPN client.
Documentation on how to do this is available here...
It is not possible on PIX o/s version 6 or earlier, if both vpn tunnels terminate on the same interface (which is usually the outside interface) because the PIX will not redirect traffic back out the same interface it arrived on.
It is possible on version 7.
As an aside, you can get version 7 running on a 506, although it's not a supported configuration. There are still rumours that Cisco will release an officially supported version that runs on the 506 at some point.
Just in case anyone wants to lab up version 7 for testing purposes, it can be done...
Your IPsec and PPTP clients should NOT be assigned an IP address from your local LAN range when they connect. So if you use 192.168.1.0/24 as your local range, use something else for your IPsec VPN client pool, eg 192.168.20.0/24, and another range again for your PPTP clients, eg...
I'm nowhere near a PIX at the moment to check, but from memory I don't think you can "permit ip" for port-based object groups. I suspect you need to create one object-group for your TCP ports, and a separate one for your UDP ports, and then use two access-list entries.
Eg,
access-list 200...
I would suggest to the vendor who wrote the web app that they move their product to a different port number. There will be considerably more people using VoIP than this web service, and they're only going to run into problems with various firewall vendors enforcing protocol checking on this port.
Fixup...
Post the output of the show version command. If it has a line saying "This pix has a Restricted (R) licence" then, well, it's self-explanatory.
Yes, it's possible. The following docco should get you up and running. You need to install Internet Authentication Service, which comes on the Windows CD, to act as a RADIUS server between your firewall and Active Directory.
Pretty straightforward, and works well...
It's necessary if you're using PAT-ed addresses. It is not necessary behind static NAT.