G'day,
I had a look at this one, and drew up the ACL (for matching the
packets for MQC) using the NATed address of Lo0/R8 as the
destination, which is 7.56.0.1. The DSG has the address being the
real address of 10.7.8.8.
Extended IP access list T711out
10 permit ip host 7.7.7.7 host
Hi Kingsley,
Please correct me if I am wrong, but 10* will not be the answer for net 10.x,
am I correct?
10* will allow 101, 102 etc.
I just want to clarify the use of '*'.
Thanks.
Best Regards.
__
Adil
On Jul 8, 2012, at 1:37 AM, Kingsley Charles wrote:
Do as Yusuf
Hello all,
Can someone clarify the difference between
ip inspect tcp idle-time
and
ip inspect name TEST tcp timeout
regards
___
For more information regarding industry leading CCIE Lab training, please visit
I did 10.* and it didn't work, I will try it again and let you know,
Thanks Kings.
Mike
Date: Sun, 8 Jul 2012 11:07:03 +0530
Subject: Re: [OSL | CCIE_Security] NAR explanation
From: kingsley.char...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com
Do as Yusuf as
Sorry for coming back to the same topic again.
Now I have a question if I can do a mix of the below said authorizations,
namely having certain commands available at a particular level, e.g. 10 and
authorizing commands with a shell command set on a TACACS server.
It looks like the command set
The command hostname is being denied on the tacacs?
This looks fine:
privilege configure level 10 hostname
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 show running-config
privilege exec level 10 show
Just add aaa authorization
Thanks, Mike,
Lots of show commands that are not allowed with shell authorization command set
are denied and I see it in the ACS Failed attempts:
Command denied: service=shell cmd=show privilege
But I'm still able to change the hostname. My AAA section on the router looks
like this:
aaa
Hi Mike,
Is it ASA to ASA lan2lan tunnel ? What's the tunnel-group name ?
Eugene
From: ccie_security-boun...@onlinestudylist.com
[mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Mike Rojas
Sent: Saturday, July 07, 2012 4:12 PM
To: ccie_security@onlinestudylist.com
Subject: [OSL |
It worked for me when I used this regex string to match on 10.10.0.0/16
10\.10\.*
\. Is a way to match on dot and * was to match on everything else.
From: ccie_security-boun...@onlinestudylist.com
[mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Adil Pasha
Sent: Sunday, July 08,
Hey,
It was L2L to IOS, the tunnel group was with the IP address but it had to land
there based on certificate maps, it only creeped me out that first none of the
profiles but that is one of the first checks that it does, later on it matches
the certificate map and it lands to the correct
I think it has to do with the order the ASA processes the incoming IPSec
connection.
AFAIK it first matches the tunnel-group name based on the peer IKE ID. It may
be the peer IP address, hostname or even a group name (in case of EzVPN)
Then goes OU field matching if the ISAKMP is configured for
Thanks. I will setup YB lab and get back to you.
Best Regards.
__
Adil
On Jul 8, 2012, at 2:35 PM, Eugene Pefti wrote:
It worked for me when I used this regex string to match on 10.10.0.0/16
10\.10\.*
\. Is a way to match on dot and * was to match on everything
Hi There,
I was wondering what the minimum IPS you needed for 6.1 for the lab was?
I was thinking of a 4215 but that only seems to go to 6.0 on CCO. Is
there that much of a difference? If I put 6.1 on it anyway, would the
thing work?
Cheers,
Matt
CCIE #22386
CCSI #31207
Hi Marta,
I did some more looking around and I did notice a few deficiencies,
another being the fact one can't run virtual sensors on the 4215.
One even greater thing I noticed was the box I was looking at buying was
an IDS 4125, not an IPS 4215. Glad I didn't cough up for it!
Cheers,
Matt
CCIE
2012/7/9 Matt Hill mayd...@gmail.com
Hi Marta,
I did some more looking around and I did notice a few deficiencies,
another being the fact one can't run virtual sensors on the 4215.
Yes, indeed, on 4215 you can run only one virtual sensor, but it's the
problem of the hardware (IPS 4215), not
Can you guys confirm that we will have 3560/3750 switches in the lab and not
3550. I just hate to remember that we need a reflector port to setup a SPAN
session on 3550 switch
Eugene
It's all good... I just happened to have it opened in front of me.
Otherwise you would have been sent a link to lmgtfy.com ;)
As for your SPAN, I think rx is enough. Might be an IIDATP if it
comes up for you in the lab.
Cheers,
Matt
CCIE #22386
CCSI #31207
On 9 July 2012 10:38, Eugene Pefti
Hm...
Never used it before but it seemed to accept it, thanks, pal.
What about rx and both ?
And one more thing. I don't have any preference whether to use IDM or IME but
still want to be fully prepared. The blueprint says it is going to be an IDM
and Marta previously mentioned that IME is an
IME is another application that is installed on the machine itself that will
control the IPS, by default if you start a connection to the IPS it will open
your IDM, the application is on the OS of the IPS, there is no way to rip it
off.
Anyhow, whatever connection you start to the Device
Experts,
Yusuf Lab1 debrief for multiple context verification, when it says that you
need to check the show nameif, it appears like this:
ASA1/abc1(config)# sh nameif
InterfaceName Security
Ethernet0/3 inside100
Hi Mike.
I would mark it as ask the proctor question.
In task 1.1 they do say map physical interface names to logical names and
table 7.1 supports it. So I reckon your solution is correct (column 2).
HTH
A.
On 9 July 2012 12:43, Mike Rojas mike_c...@hotmail.com wrote:
Experts,
Yusuf Lab1