Re: [OSL | CCIE_Security] Query on Management interface

2012-03-02 Thread Mike Rojas
Hi, Well, the interface has to be advertised to other devices using a routing protocol, or at least other devices should know where that loopback is located; the rest of it is just a matter of defining which protocols are allowed to be done to that specific interface. Mike Date: Fri, 2

[OSL | CCIE_Security] IPSEC VRF Aware

2012-03-02 Thread Mike Rojas
Does anybody have a good document that explains this topic? Maybe with a topology and so on? The documents that I have found so far are either complex and not related to VPN, or the syntax is incomplete or incorrect. I have been banging my head over this topic and I can't seem to find a way to

Re: [OSL | CCIE_Security] IPSEC VRF Aware

2012-03-02 Thread Mike Rojas
://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html This link has a lot of good examples, depending on which kind of IPsec-aware VRF you are using. FNK On Fri, Mar 2, 2012 at 5:36 PM, Mike Rojas mike_c...@hotmail.com wrote: Does anybody have a good

Re: [OSL | CCIE_Security] IPSEC VRF Aware

2012-03-03 Thread Mike Rojas
Charles kingsley.char...@gmail.com Date: Sat, 3 Mar 2012 12:30:03 +0530 To: Eugene Pefti eug...@koiossystems.com Cc: Mike Rojas mike_c...@hotmail.com, fawa...@gmail.com fawa...@gmail.com, ccie_security@onlinestudylist.com Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware You need to some good

Re: [OSL | CCIE_Security] IPX task 4.6 Easy VPN server with reverse route injection and distance of 15

2012-03-03 Thread Mike Rojas
Hello Eugene, If the VPN server has the route of the VPN client connected in the routing table, you should be able to redistribute it to the router that is intended to be the destination. I am not aware of the topology nor the task you are at, but if the server has the route, it is just a matter

Re: [OSL | CCIE_Security] Per User TACACs settings

2012-03-06 Thread Mike Rojas
@onlinestudylist.com Mike, I'm not sure if I understand your question correctly, but to be able to see TACACS settings in ACS Interface configuration section, you have to have at least one network device added as a TACACS+ AAA Client (in Network Configuration). Marta Sokolowska. 2012/3/6 Mike Rojas mike_c

Re: [OSL | CCIE_Security] Per User TACACs settings

2012-03-07 Thread Mike Rojas
Hello Marta, Let me give it a try tonight. I will let you know. Mike Rojas Security Technical Lead Date: Wed, 7 Mar 2012 11:12:53 +0100 Subject: Re: [OSL | CCIE_Security] Per User TACACs settings From: marta.sokolow...@gmail.com To: mike_c...@hotmail.com CC: ccie_security@onlinestudylist.com

Re: [OSL | CCIE_Security] NHRP map multicast

2012-03-16 Thread Mike Rojas
When you finish the tunnel configuration... make sure that on the left you have the tunnel IP and on the right you have the interface IP... that's when I know I did it right :P... From: pi...@howto.pl Date: Fri, 16 Mar 2012 08:24:01 +0100 To: joeastorino1...@gmail.com CC:

Re: [OSL | CCIE_Security] ASA Multiple context

2012-03-17 Thread Mike Rojas
No, wait, wait. The Admin context is from where you can manage your device... sort of like the management interface on a single-context ASA... whereas you actually assign the resources in the System context... don't mix them up. Regarding your question, yes indeed, it is needed to

[OSL | CCIE_Security] IPS Question Regarding event action filters.

2012-03-17 Thread Mike Rojas
Hi All, This is something I just thought of: when you get an exercise that says exempt loopback blah from triggering any action on the virtual sensor blah, I do actually need to configure 2 action filters, right? One for it being the attacker and the other one for it being the victim? Is this correct?

[OSL | CCIE_Security] IPS Rate Limiting

2012-03-17 Thread Mike Rojas
Hello, Another question (I know, getting a little bit annoying, but I guess some others may have the same doubts). In regard to the configuration on the blocking device when using SSH, you either have to do a bunch of stuff configuring authorization (in case you don't have an enable password)

[OSL | CCIE_Security] Shell Exec Authorization with Radius

2012-03-17 Thread Mike Rojas
So here is something else that I find really concerning. There was an exercise that said... authorize user Blah and make sure that the user falls into privilege level 12. Do not change anything on the group. So I figured that it has to do with the Cisco AV pair boxes under the ACS

[OSL | CCIE_Security] Anybody Having problems accessing workbooks at IPexpert?

2012-03-18 Thread Mike Rojas
___ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

Re: [OSL | CCIE_Security] Anybody Having problems accessing workbooks at IPexpert?

2012-03-18 Thread Mike Rojas
: ccie_security@onlinestudylist.com Hi Mike, I just tested my volume 1 workbooks and they opened fine after the usual authentication On Sun, Mar 18, 2012 at 5:04 PM, Mike Rojas mike_c...@hotmail.com wrote:

Re: [OSL | CCIE_Security] GET VPN IPSEC Mode

2012-03-18 Thread Mike Rojas
be OK, why does transport mode suffer from IP fragmentation and reassembly limitations? But hm. Do I care that much today?! : ) On Sun, Mar 18, 2012 at 6:43 PM, Mike Rojas mike_c...@hotmail.com wrote: Hello Joe, Back in the SNRS version, yes, there is a new IP header inserted

Re: [OSL | CCIE_Security] GDOI Multicast Key Server ID

2012-03-21 Thread Mike Rojas
Hi, The GETVPN is able to connect without the IP address of the server specified. That was the trick; now the tricky part is that for redundancy (if they asked you) you need to configure the IP address of the server in order for the cluster to be up, and then you remove it. The output

Re: [OSL | CCIE_Security] aaa authentication secure-http-client doesn't work with virtual http

2012-03-22 Thread Mike Rojas
What happened to me (and the lab is still up) is the fact that it does work: it does authenticate and downloads the ACL fine, BUT on the client itself authentication says it failed, while it actually doesn't on the ASA... Weird stuff.. Mike From: eug...@koiossystems.com To:

[OSL | CCIE_Security] DMVPN Phase 2

2012-03-30 Thread Mike Rojas
Hello All, So this is something fun, check this out: Router 1 (Hub) 172.1.0.1 | 172.1.0.2 | Router2 (SpokeASA | | IPS

[OSL | CCIE_Security] GETVPN with Multicast rekey

2012-03-30 Thread Mike Rojas
In case you are interested :D http://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast Mike

[OSL | CCIE_Security] Key Server as Group member

2012-04-13 Thread Mike Rojas
Hi All, I have a question, I configured the KS as GM but it is not working, it gives me the following error: *Apr 13 20:07:54.903: ISAKMP:(0): Invalid phase 1 SA response! *Apr 13 20:07:54.903: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.168.6.6 remote 10.6.6.1) *Apr 13

Re: [OSL | CCIE_Security] Key Server as Group member

2012-04-13 Thread Mike Rojas
Never mind, I think Yusuf had a typo... because on the output from the group members appears the loopback of another router and not router6, and the next question requires those guys that you configured on the previous question to be part of DMVPN. Sorry for the spam. Mike From:

Re: [OSL | CCIE_Security] Formula to calculate Burst value

2012-04-23 Thread Mike Rojas
I have a big question with these kinds of exercises. The majority of questions that I have seen (INE, IPexpert and Yusuf) most likely want you to restrict the traffic to a certain value, but in very few cases they ask you to configure the Bc, Tc and the other values. I guess my question is,

[OSL | CCIE_Security] Selective packet discard

2012-04-23 Thread Mike Rojas
You never know, and since they are hidden commands, I think you would like to have the path to find the document: Home > Support > Product Support > Routers > Cisco 12000 Series Routers > Troubleshoot and Alerts > Troubleshooting TechNotes > Understanding Selective Packet Discard (SPD) Cheers, Mike

Re: [OSL | CCIE_Security] Selective packet discard

2012-04-24 Thread Mike Rojas
) Cisco 12000 Series Routers Understanding Selective Packet Discard (SPD) http://www.cisco.com/en/US/products/hw/routers/ps167/products_tech_note09186a008012fb87.shtml FNK On Mon, Apr 23, 2012 at 7:55 PM, Mike Rojas mike_c...@hotmail.com wrote: You never know, and since they are hidden

Re: [OSL | CCIE_Security] Unicast reverse path forwarding

2012-04-24 Thread Mike Rojas
They basically do the same, but ip verify unicast reverse-path is going to be deprecated and IOS will start using only ip verify unicast source reachable-via, where you can put any or rx or even an ACL. Mike Date: Tue, 24 Apr 2012 01:57:54 +0100 From: stalker_t...@hotmail.com To:
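The two uRPF forms side by side, as an added IOS configuration example (not from the poster or the thread): strict mode in both the legacy and the current syntax, loose mode for an interface that may see asymmetric routing, and strict mode with an exemption ACL. Interface names, the prefix in the ACL and the ACL name are assumptions.

```cisco
! Added example, not from the thread. Interface names and the ACL are assumptions.
! uRPF needs CEF; the check is done against the FIB.
ip cef
!
! Legacy syntax: strict check only (the source must be reachable via the ingress interface)
interface GigabitEthernet0/0
 ip verify unicast reverse-path
!
! Current syntax, strict mode: the same check written the new way
interface GigabitEthernet0/1
 ip verify unicast source reachable-via rx
!
! Current syntax, loose mode: any route to the source in the FIB is enough.
! Use this where routing may be asymmetric (e.g. multihomed uplinks), where strict mode would drop legitimate traffic.
interface GigabitEthernet0/2
 ip verify unicast source reachable-via any
!
! Strict mode with an exemption ACL: a packet that FAILS the RPF check is then checked
! against the ACL; if the ACL permits it, it is forwarded anyway, otherwise it is dropped.
ip access-list extended URPF-EXEMPT
 permit ip 192.0.2.0 0.0.0.255 any
interface GigabitEthernet0/3
 ip verify unicast source reachable-via rx URPF-EXEMPT
!
! Verification (EXEC mode):
! show ip interface GigabitEthernet0/1   -> shows the verify mode and per-interface drop counters
! show ip traffic                        -> global "unicast RPF" drop counter
```

When a task only says "uRPF", strict mode (rx) is what the legacy command gave you; pick loose mode (any) deliberately, and only where you know return traffic may arrive on a different interface.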

[OSL | CCIE_Security] Port Filter for Control Plane

2012-04-24 Thread Mike Rojas
Hi All, I have the following question, Class Map type port-filter match-any CLOSED-PORTS (id 1) Match not port tcp 3020 Match not port udp 3020 Match not port udp 3040 Match not port tcp 3040 Match closed-ports Prot Local Address Foreign
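A complete port-filter policy on the control-plane host subinterface, as an added IOS configuration example (not from the poster): it drops packets to any TCP/UDP port the router is not listening on while keeping a couple of explicitly listed ports reachable. The class and policy names and the port numbers are assumptions.

```cisco
! Added example, not from the thread. Names and port numbers are assumptions.
! Control Plane Protection (CPPr) port filtering: drop packets to closed TCP/UDP ports,
! but keep the ports listed with "match not port" reachable even though nothing listens there yet.
! match-all is used so the class reads: closed port AND not 3020 AND not 3040.
class-map type port-filter match-all CLOSED-PORTS
 match closed-ports
 match not port tcp 3020
 match not port udp 3020
 match not port tcp 3040
 match not port udp 3040
!
policy-map type port-filter PF-CLOSED
 class CLOSED-PORTS
  drop
!
control-plane host
 service-policy type port-filter input PF-CLOSED
!
! Verification (EXEC mode):
! show control-plane host open-ports                  -> what the router actually listens on
! show policy-map type port-filter control-plane      -> match and drop counters for the class
```

Check the open-ports list before and after applying the policy: a service you add later (for example a new SSH or HTTP listener) shows up there and is automatically excluded from "closed-ports", but a port you expect to open later has to be carved out with "match not port" or it is dropped until the listener exists.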

Re: [OSL | CCIE_Security] Selective packet discard

2012-04-24 Thread Mike Rojas
[mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Mike Rojas Sent: Tuesday, April 24, 2012 11:11 AM To: fawa...@gmail.com Cc: ccie_security@onlinestudylist.com Subject: Re: [OSL | CCIE_Security] Selective packet discard Ohhh Yeah, I am talking about the path, at the end in order

Re: [OSL | CCIE_Security] Does the IOS CA Server have a web interface for certificate creation

2012-04-25 Thread Mike Rojas
Ben, Besides the GUI from the IDM, you are not going to be allowed to use any (for exam purposes), but in regard to the real-life scenario I have not seen any. Mike Date: Thu, 26 Apr 2012 01:42:30 +1000 From: veeduby...@gmail.com To: ccie_security@onlinestudylist.com Subject: [OSL |

[OSL | CCIE_Security] Lab 13 IPexpert

2012-04-30 Thread Mike Rojas
Hi, I have a couple of questions just starting lab 13 of IPexpert. In regard to the failover unit poll time, it says to configure it to be half of the default. The solution says that the default is 1 second, with which I tend to differ: Unit Poll frequency 15 seconds, holdtime 45 seconds Interface

Re: [OSL | CCIE_Security] Lab 13 IPexpert

2012-04-30 Thread Mike Rojas
interface (because the interface is shared, all contexts benefit from the monitoring). When a unit does not receive hello messages on a monitored interface for half of the configured hold time, it runs the following tests: With regards Kings On Mon, Apr 30, 2012 at 10:58 PM, Mike Rojas mike_c

Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

2012-05-02 Thread Mike Rojas
Matt, You can find the most regular ones here: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml Make sure you have cisco-av-pair enabled with these attributes: ipsec:key-exchange=ike

Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

2012-05-02 Thread Mike Rojas
Eugene and all of the ones that have doubts about it: This is the non partner document (which is the same I posted before to Matt) http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml If you follow the path on the Left, you will get there from

Re: [OSL | CCIE_Security] Dotlx with voice vlan

2012-05-06 Thread Mike Rojas
Hi Kings, That is lab 15, right? I did that one today. Why is it multi-domain? Shouldn't it be multi-host? I finished the lab and I have to review the solution, but it just said: if authenticated, place it on vlan x. That is all I did. Like I said, I have to compare both configs, but I

Re: [OSL | CCIE_Security] Dotlx with voice vlan

2012-05-07 Thread Mike Rojas
on the configured violation action: Shutdown—Errdisables the port; the default behavior on a port. Restrict—The port state is unaffected. However the platform is notified to restrict the traffic from offending MAC-address. With regards Kings On Mon, May 7, 2012 at 7:56 AM, Mike Rojas mike_c

Re: [OSL | CCIE_Security] Dotlx with voice vlan

2012-05-07 Thread Mike Rojas
@onlinestudylist.com Yes that was the solution Mike... With regards Kings On Mon, May 7, 2012 at 5:46 PM, Mike Rojas mike_c...@hotmail.com wrote: Kingsley, Interesting, that is exactly what I was looking for: multi-domain-Both a host and a voice device (like an IP phone, Cisco or non-Cisco

Re: [OSL | CCIE_Security] IOS IPS bypassed

2012-05-08 Thread Mike Rojas
Did you upload the key to the Router? Mike Date: Tue, 8 May 2012 15:02:48 -0300 From: carlos.jar...@cpmbraxis.com To: ccie_security@onlinestudylist.com Subject: [OSL | CCIE_Security] IOS IPS bypassed IOS IPS bypassed Hi guys, I configured my IOS IPS the way Cisco mentioned but I

Re: [OSL | CCIE_Security] IOS IPS bypassed

2012-05-08 Thread Mike Rojas
| CCIE_Security] IOS IPS bypassed Yes I did, but no progress! As I said, I see: Total Compiled Signatures: 0 -Original Message- From: Mike Rojas [mailto:mike_c...@hotmail.com] Sent: Tue 8/5/2012 16:48 To: Carlos Alberto Campos Jardim; ccie_security@onlinestudylist.com Subject: RE: [OSL

[OSL | CCIE_Security] DMVPN over GETVPN with multicast rekey/Different server than the Hub.

2012-05-09 Thread Mike Rojas
Hi, I was doing lab 17 of IPexpert. I did the configuration accordingly and I tried to apply the crypto map for GETVPN on the same interface as the tunnel interface on the spokes. Now, checking the solution, I don't see where they applied the crypto map for the GETVPN. Another thing that

[OSL | CCIE_Security] FW: DMVPN over GETVPN with multicast rekey/Different server than the Hub.

2012-05-09 Thread Mike Rojas
Ohh, another question: it did say something about not encrypting the multicast rekey, and they created an ACL on the spokes and applied a match address. Would it make any difference if I applied the denies for the multicast address on the same IPsec rule as the one that is pushed from the KS?

Re: [OSL | CCIE_Security] pass CCIE egzam

2012-05-10 Thread Mike Rojas
Man, CONGRATS ! Excellent for you. I´m going May 25 Best wishes from now on!! Mike Date: Thu, 10 May 2012 21:31:01 +0200 From: piotr.tokarzew...@gmail.com To: ccie_security@onlinestudylist.com Subject: [OSL | CCIE_Security] pass CCIE egzam Hi all, I've just passed CCIE Lab

[OSL | CCIE_Security] FPM example

2012-05-17 Thread Mike Rojas
Hi everyone, I have the following question: Service-policy access-control input: STACK Class-map: TCP-80 (match-all) 15 packets, 2441 bytes 5 minute offered rate 0 bps Match: field IP protocol eq 6 next TCP Service-policy access-control : ACCESS

Re: [OSL | CCIE_Security] Version 4 Thoughts

2012-05-20 Thread Mike Rojas
I think you can still do the written if you study hard. I mean, it is something that can be done in 6-8 months... I don't think you need to re-do the CCNP. Just get the material from IPexpert, workbooks and the labs, and I think that would do it. It covers all the info, and to make sure, grab

Re: [OSL | CCIE_Security] Frame Relay in Lab

2012-05-31 Thread Mike Rojas
Only how routing will function into it... network types of OSPF, something in that fashion, nothing too fancy I assume. Mike Date: Fri, 1 Jun 2012 03:35:00 +1000 From: veeduby...@gmail.com To: ccie_security@onlinestudylist.com Subject: [OSL | CCIE_Security] Frame Relay in Lab Hi All

Re: [OSL | CCIE_Security] FPM Question

2012-05-31 Thread Mike Rojas
As well, it bounces from standard to extended for different types of features inside of the IOS... in the case of FPM, in some parts, it doesn't matter if you establish the hex value or the decimal value, it will match either way. Kingsley answered that for me a couple of days ago. Mike From:

[OSL | CCIE_Security] FPM ICMP large Packets

2012-06-02 Thread Mike Rojas
I just want to recall one of the replies from Kingsley... BTW I failed the test http://onlinestudylist.com/archives/ccie_security/2012-February/029078.html Mike

Re: [OSL | CCIE_Security] FPM ICMP large Packets

2012-06-03 Thread Mike Rojas
Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets From: kingsley.char...@gmail.com To: mike_c...@hotmail.com Mike, did you fail in the CCIE lab? And is it due to the wrong solution of FPM? With regards Kings On Sun, Jun 3, 2012 at 3:08 AM, Mike Rojas mike_c...@hotmail.com wrote: I

Re: [OSL | CCIE_Security] And…

2012-06-03 Thread Mike Rojas
You totally deserve it Congrats! Mike Date: Sun, 3 Jun 2012 08:34:11 -0400 From: fawa...@gmail.com To: aspa...@gmail.com CC: ccie_security@onlinestudylist.com Subject: Re: [OSL | CCIE_Security] And… Thank you everyone. Those who are preparing I wish them best of luck. If there is any

Re: [OSL | CCIE_Security] Planning for lab in Sydney or San Jose

2012-06-04 Thread Mike Rojas
Hi Kings, I took it over RTP. I got the visa rejected 1 time... but that is because I didn't really have much time working for the company at the time I requested it. I don't think it should be hard for you.. I am given to understand that you have a family already... so for the interview

Re: [OSL | CCIE_Security] Blocking flood attack on an interface

2012-06-05 Thread Mike Rojas
I don't think it would work. If the attack corresponds to the local network, rate limiting can do the trick on this one... of the protocol... if the attack comes to the router, a rate limit on the protocol in question can mitigate the attack... Either on the interface or the CoPP Mike From:

Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding

2012-06-05 Thread Mike Rojas
I made that mistake on the test, the question clearly said, make sure it survives upon reload Mike Date: Tue, 5 Jun 2012 20:04:27 -0400 From: fawa...@gmail.com To: ccie_security@onlinestudylist.com Subject: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding For the dhcp

Re: [OSL | CCIE_Security] SMTP inspection on non-standard port

2012-06-09 Thread Mike Rojas
Correct. The only difference is that when you match it against an access list, you can specify the sources and destinations, and the rest of the traffic can continue being inspected on the regular port 25... On the one at the bottom, no matter the source or destination, it will try to be
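Both ways of steering ESMTP inspection onto a non-standard port, as an added ASA configuration example (not from the poster): one class scoped by an access list to a specific source/destination pair, one class matching the port regardless of addresses, while the default class keeps inspecting tcp/25. The addresses, port 2525 and the class/ACL names are assumptions.

```cisco
! Added example, not from the thread. Addresses, port and object names are assumptions.
!
! Option A: scope by ACL, so only this source/destination pair on tcp/2525 is inspected
access-list SMTP-2525-ACL extended permit tcp host 10.1.1.5 host 192.0.2.10 eq 2525
class-map SMTP-2525-SCOPED
 match access-list SMTP-2525-ACL
!
! Option B: match the port, so any flow to tcp/2525, whatever the addresses, is inspected
class-map SMTP-2525-ANY
 match port tcp eq 2525
!
policy-map global_policy
 ! the default class (match default-inspection-traffic) keeps inspecting esmtp on tcp/25
 class inspection_default
  inspect esmtp
 ! use ONE of the two classes for port 2525; a flow is only handed to the first class
 ! in the policy whose match it satisfies for a given inspection
 class SMTP-2525-SCOPED
  inspect esmtp
!
service-policy global_policy global
!
! Verification (EXEC mode):
! show service-policy inspect esmtp      -> per-class packet/inspect counters
! show conn port 2525                    -> connections on the non-standard port
```

The ACL form is the one to reach for when the task names hosts or subnets; the port form is the one for "inspect SMTP on port 2525" with no further qualification.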

[OSL | CCIE_Security] CTP-Auth Proxy Tricky questions.

2012-06-09 Thread Mike Rojas
Hello All, I have a major doubt in regard to when you have to configure either CTP or Auth-Proxy. I've seen the question formulated 10 thousand times, but they all differ in the solution and in the methods to accomplish it. For example, when they ask you to do things like: 1-Make sure that

Re: [OSL | CCIE_Security] CTP-Auth Proxy Tricky questions.

2012-06-10 Thread Mike Rojas
, mostly that is the way it will be asked. With regards Kings On Sun, Jun 10, 2012 at 6:52 AM, Mike Rojas mike_c...@hotmail.com wrote: Hello All, I have a major doubt in regard to when you have to configure either CTP or Auth-Proxy. I've seen the question formulated 10 thousand times

[OSL | CCIE_Security] Menus vs Authorizing commands.

2012-06-11 Thread Mike Rojas
Hello All, I have another question in regard to when to use the menu command in exercises referring to authorizing commands. What if I just authorized the commands as needed on the exercise instead of configuring the menu? Is there a difference between them? Mike Rojas Security Technical

Re: [OSL | CCIE_Security] Rekey address

2012-06-13 Thread Mike Rojas
Nope, a server address is not needed when configuring GET. I guess Kings already responded to this; I'll look for his e-mail. Date: Wed, 13 Jun 2012 08:48:08 -0400 From: fawa...@gmail.com To: eug...@koiossystems.com CC: ccie_security@onlinestudylist.com Subject: Re: [OSL | CCIE_Security] Rekey

Re: [OSL | CCIE_Security] Rekey address

2012-06-13 Thread Mike Rojas
modes. With regards Kings On Wed, Jun 13, 2012 at 8:42 PM, Mike Rojas mike_c...@hotmail.com wrote: Nope, a server address is not needed when configuring GET. I guess Kings already responded to this; I'll look for his e-mail. Date: Wed, 13 Jun 2012 08:48:08 -0400 From: fawa...@gmail.com

Re: [OSL | CCIE_Security] Passed the Written

2012-06-14 Thread Mike Rojas
Well done!! Now the fun starts!! Enjoy! Mike Date: Thu, 14 Jun 2012 19:48:34 -0400 From: jasonlmayn...@gmail.com To: ccie_security@onlinestudylist.com Subject: [OSL | CCIE_Security] Passed the Written Time to start labbing

[OSL | CCIE_Security] Best option to drop ICMP unreachables

2012-06-14 Thread Mike Rojas
Question, What is the best option to drop ICMP unreachable on the switch itself? I saw that one exercise they created an IP local policy and send it out to the Null 0 interface. What I did was to configure a vlan filter matching all ICMP unreachable... Both work fine... It said because it

Re: [OSL | CCIE_Security] Best option to drop ICMP unreachables

2012-06-15 Thread Mike Rojas
+ I think ip local policy is for the global setting not to send unreachables. VLAN filter may address only specific VLANs From: Mike Rojas mike_c...@hotmail.com Date: Thursday, June 14, 2012 8:13 PM To: ccie_security@onlinestudylist.com ccie_security@onlinestudylist.com Subject

Re: [OSL | CCIE_Security] Role Based

2012-06-15 Thread Mike Rojas
, then yes it's normal. It's dependent on where you are applying the privilege 15, i.e. at the privilege level box in the user profile or through the aaa attribute priv-lvl=15? On Thursday, June 14, 2012, Mike Rojas wrote: Hello, Is the user sign normal when configuring Role based access

Re: [OSL | CCIE_Security] IOS IPS Sig Category

2012-06-15 Thread Mike Rojas
What I do (prior to compiling, of course, is to retire all the signatures): ip ips signature-category, category all, enabled false, retired true. Compile the signatures: ip ips signature-category, category ios_ips basic, enabled true, retired false. If I don't remember wrong, on the old
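The retire-everything-then-un-retire-one-category approach written out as a complete IOS IPS configuration, as an added example (not the poster's config): the category block, the rule definition, the signature storage location and the interface binding. The rule name, the flash location, the interface and the signature package name are assumptions.

```cisco
! Added example, not from the thread. Rule name, flash location, interface and package name are assumptions.
! Precondition: the Cisco public signature key (realm-cisco.pub.key) has already been loaded
! with "crypto key pubkey-chain rsa"; without it the signature package fails to load and
! "show ip ips signatures count" keeps reporting 0 compiled signatures.
!
! Step 1: retire every signature so nothing is compiled by default
ip ips signature-category
 category all
  retired true
  exit
! Step 2: un-retire (and enable) only the basic IOS IPS category
 category ios_ips basic
  retired false
  enabled true
  exit
 exit
!
! Step 3: where the signature definitions live, the rule name, and the interface it protects
ip ips config location flash:ips retries 1
ip ips name IPSRULE
interface GigabitEthernet0/1
 ip ips IPSRULE in
!
! Step 4 (EXEC mode): load the signature package; compilation of the un-retired category starts here.
! The package file name is a placeholder.
! copy flash:IOS-Sxxx-CLI.pkg idconf
!
! Verification (EXEC mode):
! show ip ips signatures count     -> compiled vs retired totals per category
! show ip ips configuration        -> rule, interface and category state
```

The order matters: if the category block is entered after the package is already loaded, the device recompiles on exit from the category configuration, so check the compiled count again afterwards.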

[OSL | CCIE_Security] Flexible Netfflow

2012-06-15 Thread Mike Rojas
Should Flexible NetFlow be something that we should really focus on? Mike

Re: [OSL | CCIE_Security] Protecting Against Fragmentation Attacks

2012-06-17 Thread Mike Rojas
I like it, very useful, although I don't know why the title Day 21 Time-Based ACLs on IOS and ASA ;) From: anthony.seque...@stormwind.com To: ccie_security@onlinestudylist.com Date: Mon, 18 Jun 2012 02:22:25 + Subject: [OSL | CCIE_Security] Protecting Against Fragmentation Attacks

Re: [OSL | CCIE_Security] Role Based

2012-06-18 Thread Mike Rojas
:21:03 -0300 To: ccie_security@onlinestudylist.com Subject: Re: [OSL | CCIE_Security] Role Based Hi Mike, did you configure the aaa authorization exec command and aaa authorization command [level] ? Br, Bruno Silva Enviado via iPhone Em 15/06/2012, às 16:40, Mike Rojas mike_c...@hotmail.com

[OSL | CCIE_Security] FPM matching

2012-06-18 Thread Mike Rojas
This is a question in regard to IP-to-IP tunnel matching on FPM. class-map type stack match-all STACK stack start l2-start match field ETHER type eq 0x800 next IP match layer 2 IP protocol eq 4 next IP match layer 3 IP protocol eq 6 next TCP First, what is the difference between the last

Re: [OSL | CCIE_Security] FPM matching

2012-06-18 Thread Mike Rojas
next TCP Now a quiz ;) How would we define the stack class-map for GRE.cap traffic (see example on the same page) Eugene From: Mike Rojas [mailto:mike_c...@hotmail.com] Sent: Monday, June 18, 2012 6:44 PM To: Eugene Pefti Subject: RE: [OSL | CCIE_Security] FPM matching Hey

Re: [OSL | CCIE_Security] FPM matching

2012-06-19 Thread Mike Rojas
percent sure myself because there’s no GRE protocol phdf files loaded to say “match field IP protocol eq 0x2f next GRE” ;))) Eugene From: Mike Rojas [mailto:mike_c...@hotmail.com] Sent: Monday, June 18, 2012 9:26 PM To: Eugene Pefti Cc: ccie_security@onlinestudylist.com Subject: RE: [OSL

Re: [OSL | CCIE_Security] FPM matching

2012-06-19 Thread Mike Rojas
field IP protocol eq 0x4 next IP match field IP protocol eq 0x6 next TCP Now a quiz ;) How would we define the stack class-map for GRE.cap traffic (see example on the same page) Eugene From: Mike Rojas [mailto:mike_c...@hotmail.com] Sent: Monday, June 18, 2012 6:44 PM To: Eugene Pefti

Re: [OSL | CCIE_Security] FPM matching

2012-06-19 Thread Mike Rojas
mask (0x1) in the access-control class or IOS automatically added it ? Will it work without the mask? From: Mike Rojas mike_c...@hotmail.com Date: Monday, June 18, 2012 11:47 PM To: Eugene Pefti eug...@koiossystems.com Cc: ccie_security@onlinestudylist.com ccie_security@onlinestudylist.com

Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75

2012-06-20 Thread Mike Rojas
Oszkar, You are right. I sent a clarification on this exercise: it will drop any ICMP message within GRE that has code 0. It seems that there is a problem with FPM because it cannot match types correctly. If I match code 0 it will drop both ICMP echo and echo reply because they both

Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75

2012-06-20 Thread Mike Rojas
reply. And you are right, for some reason matching types for ICMP is not working in this case. On Wed, Jun 20, 2012 at 3:37 PM, Mike Rojas mike_c...@hotmail.com wrote: Oszkar, You are right. I sent a clarification on this exercise it will drop any ICMP message within GRE that has a code 0

Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75

2012-06-20 Thread Mike Rojas
will drop much more than echo/echo reply. And you are right, for some reason matching types for ICMP is not working in this case. On Wed, Jun 20, 2012 at 3:37 PM, Mike Rojas mike_c...@hotmail.com wrote: Oszkar, You are right. I sent a clarification on this exercise it will drop any ICMP

Re: [OSL | CCIE_Security] WEBVPN

2012-06-20 Thread Mike Rojas
It has been removed: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1935301 Mike From: jo...@isc.co.za To: ccie_security@onlinestudylist.com Date: Thu, 21 Jun 2012 04:37:52 +0200 Subject: [OSL | CCIE_Security] WEBVPN I am looking for the functions command:

Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75

2012-06-21 Thread Mike Rojas
:07 PM, Mike Rojas mike_c...@hotmail.com wrote: Hey, Basically, if we want to be really specific into the protocol, we will need to create our own PHDF for GRE.. There are 16 bits for protocol type; we would most likely specify the next IP header (0x800) in order to match the stack

Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75

2012-06-21 Thread Mike Rojas
. On Wed, Jun 20, 2012 at 11:59 PM, Mike Rojas mike_c...@hotmail.com wrote: Something funny is happening to your class maps.. The stack does have a match.. why would it match? Mike Date: Wed, 20 Jun 2012 23:51:40 -0700 Subject: Re: CCIE_Security Digest, Vol 72, Issue 75 From: oszk

Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option

2012-06-21 Thread Mike Rojas
Hey Eugene, Are you familiar with proxy ARP? Basically, the router will answer ARP for any address that is in the range assigned to a particular interface associated with a NAT, right? Well, this command will stop the router so it doesn't do it anymore. Mike From: eug...@koiossystems.com To:

Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option

2012-06-21 Thread Mike Rojas
If R2 will stop responding to ARP requests sent to 163.1.132.113 how the whole thing will work ? Eugene From: Mike Rojas [mailto:mike_c...@hotmail.com] Sent: Thursday, June 21, 2012 7:54 PM To: Eugene Pefti; ccie_security@onlinestudylist.com Subject: RE: [OSL | CCIE_Security] Need help

Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option

2012-06-21 Thread Mike Rojas
Unfortunately it doesn’t make sense to me either because R2 runs in the routed mode. I believe it’s just the faulty solution in the first place. I’m not going to point fingers who the solution provider is but it’s not IPExperts ;) From: Mike Rojas [mailto:mike_c...@hotmail.com] Sent: Thursday, June 21

Re: [OSL | CCIE_Security] dual armed EZVPN

2012-06-22 Thread Mike Rojas
That is his question: why would it be needed, I mean the technical explanation. I'm sure if you run the debug without having a crypto map applied on the host-facing interface, it will tell you no atts acceptable. I am assuming this has something to do with the identity or with the IP address

Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

2012-06-23 Thread Mike Rojas
Shouldn't it try to use its available trustpoints? The problem is that it does not see it. Another thing: if we have the CA as a tunnel endpoint, what is the right procedure? What I normally do is to create a different trustpoint and request a certificate to itself. Mike. From:

Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

2012-06-23 Thread Mike Rojas
You're correct Mike. That's why I asked if R5 is the CA or not. If so, then you must have two trustpoints configured, and I see only one in the command output. Regards, Piotr From: Mike Rojas Sent: Saturday, June 23, 2012 8:58 PM To: pi...@howto.pl ; veeduby...@gmail.com Cc

Re: [OSL | CCIE_Security] outbound ACL

2012-06-24 Thread Mike Rojas
In any case, it should be the PBR applied in global configuration mode, that is the one that affects the router's own traffic... or control plane Date: Sun, 24 Jun 2012 13:26:02 +0530 From: kingsley.char...@gmail.com To: walleed...@hotmail.com CC: ccie_security@onlinestudylist.com Subject:

Re: [OSL | CCIE_Security] Proctor Labs support

2012-06-28 Thread Mike Rojas
There is an offline support... have you tried that ? Date: Fri, 29 Jun 2012 09:58:34 +1000 From: mayd...@gmail.com To: ccie_security@onlinestudylist.com; ccie...@onlinestudylist.com Subject: [OSL | CCIE_Security] Proctor Labs support Hello, I've emailed a whole bunch of people

[OSL | CCIE_Security] IP dhcp snooping information option

2012-07-02 Thread Mike Rojas
Hey Guys, Do you know if the fact that the IOS servers do not support the giaddr of 0.0.0.0 with the dhcp snooping information option should be an issue within the test? I mean, shall we put it? I noticed that without this command, on regular scenarios with DHCP relay it won't work, but in case

Re: [OSL | CCIE_Security] Static Policy NAT with L4 ACL

2012-07-04 Thread Mike Rojas
Ben, You actually can do it with a port, however as you rightly mentioned it would be for the source port. Static PAT is always for source port translations so something like the following scenario should work fine. Real Address 10.10.10.10 Translated Address 20.20.20.20 Port to be used 23

Re: [OSL | CCIE_Security] Packet tracer from out to in with multicontext

2012-07-04 Thread Mike Rojas
Correct, Try with real traffic if it doesnt work, use NAT which is the second method that the firewall uses for packet classification, a regular self translation should do it. Mike Date: Wed, 4 Jul 2012 16:00:31 +0200 From: pio...@ipexpert.com To: kingsley.char...@gmail.com CC:

Re: [OSL | CCIE_Security] FTP

2012-07-05 Thread Mike Rojas
Johan, By default the ASA has the inspection for FTP configured, so the data port will open the data channel dynamically; hence you only need FTP. Mike From: jo...@isc.co.za To: ccie_security@onlinestudylist.com Date: Thu, 5 Jul 2012 08:02:04 +0200 Subject: [OSL | CCIE_Security] FTP Hi,

Re: [OSL | CCIE_Security] Web traffic

2012-07-05 Thread Mike Rojas
Normally it will say which type of site is it. If it asks you for web traffic, I will assume both. Mike Date: Thu, 5 Jul 2012 14:27:52 +0200 From: mohammed.ab...@gmail.com To: ccie_security@onlinestudylist.com Subject: [OSL | CCIE_Security] Web traffic Dears, When we got a question

Re: [OSL | CCIE_Security] FTP

2012-07-05 Thread Mike Rojas
It doesn't matter. The ASA would open both. Mike From: walleed...@hotmail.com To: mike_c...@hotmail.com; jo...@isc.co.za; ccie_security@onlinestudylist.com Subject: RE: [OSL | CCIE_Security] FTP Date: Thu, 5 Jul 2012 17:00:10 + I think he must tell the type of FTP service, passive or

Re: [OSL | CCIE_Security] My dream comes true

2012-07-05 Thread Mike Rojas
I think I speak for all of us in OSL: you deserved it, you have helped a lot of people over here and cleared your studies. Congratulations man, and of course, best wishes in your future. With regards, Mike Rojas. Date: Fri, 6 Jul 2012 07:02:56 +0530 From: kingsley.char...@gmail.com

Re: [OSL | CCIE_Security] Yusuf - Role-based access control

2012-07-06 Thread Mike Rojas
:21:03 -0300 To: ccie_security@onlinestudylist.com Subject: Re: [OSL | CCIE_Security] Role Based Hi Mike, did you configure the aaa authorization exec command and aaa authorization command [level]? Br, Bruno Silva Sent via iPhone On 15/06/2012, at 16:40, Mike Rojas mike_c...@hotmail.com

Re: [OSL | CCIE_Security] Lab dates

2012-07-06 Thread Mike Rojas
That is true... We went to check for available dates and there are none at this point. It took more than I thought... but it finally did... Date: Fri, 6 Jul 2012 20:51:48 -0400 From: fawa...@gmail.com To: ccie_security@onlinestudylist.com Subject: [OSL | CCIE_Security] Lab dates Recently a

Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding

2012-07-06 Thread Mike Rojas
Fawad, Retaking this thread, If you save the database to flash, the ip dhcp snooping binding will remain there after reload, actually until the lease expires. The other does not have a timeout, so that means it will remain there as well (since it is a config command) after reload. I

[OSL | CCIE_Security] Certificate maps,

2012-07-07 Thread Mike Rojas
wanted to throw it out in case someone freaks out as well. Mike Rojas

[OSL | CCIE_Security] NAR explanation

2012-07-07 Thread Mike Rojas
Hello, I need a brief explanation of NAR. The only one to make it work is using asterisks. The documentation is no way near clear on how to put the permitted addresses. This is because I need to permit a user coming from certain IP addresses. I think that what I don't understand is how to

Re: [OSL | CCIE_Security] NAR explanation

2012-07-08 Thread Mike Rojas
as mentioned in his practice labs. For example, for all 10.0.0.0/8 addresses, use 10.* or 10* With regards Kings On Sun, Jul 8, 2012 at 9:06 AM, Mike Rojas mike_c...@hotmail.com wrote: Hello, I need a brief explanation of NAR. The only one to make it work is using asterisks

Re: [OSL | CCIE_Security] Commands authorization

2012-07-08 Thread Mike Rojas
The command hostname is being denied on the TACACS? This looks fine:
privilege configure level 10 hostname
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 show running-config
privilege exec level 10 show
Just add aaa authorization

Re: [OSL | CCIE_Security] Certificate maps,

2012-07-08 Thread Mike Rojas
tunnel group. Mike Rojas Security Technical Lead From: eug...@koiossystems.com To: mike_c...@hotmail.com; ccie_security@onlinestudylist.com Subject: RE: [OSL | CCIE_Security] Certificate maps, Date: Sun, 8 Jul 2012 18:31:09 + Hi Mike, Is it ASA to ASA lan2lan tunnel ? What’s the tunnel

Re: [OSL | CCIE_Security] Switches in the lab

2012-07-08 Thread Mike Rojas
to manage the IPS. From: Mike Rojas [mailto:mike_c...@hotmail.com] Sent: Sunday, July 08, 2012 5:42 PM To: Eugene Pefti; mayd...@gmail.com Cc: ccie_security@onlinestudylist.com Subject: RE: [OSL | CCIE_Security] Switches in the lab It always does that, set it up as replicate Mike

[OSL | CCIE_Security] Yusuf Lab1 Debrief

2012-07-08 Thread Mike Rojas
Experts, Yusuf Lab1 debrief for multiple context verification, when it says that you need to check the show nameif, it appears like this:
ASA1/abc1(config)# sh nameif
Interface Name Security
Ethernet0/3 inside 100
