I don't know for sure. Has anyone else tested this?

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, June 02, 2010 12:39 PM
To: Tyson Scott
Cc: Dnyaneshwar Gore; [email protected]
Subject: Re: [OSL | CCIE_Security] Some general queries

Hi Tyson

GETVPN GMs just use the SAs sent from the KS. If we have NAT between the GMs, then the ESP tunnel between the GMs will fail, right, as ESP can't be NATed. Since the ESP SAs are downloaded, GMs have no option for NAT-T.

How do we handle this case of NAT being between the GMs in real time?

With regards
Kings

On Wed, Jun 2, 2010 at 8:59 PM, Tyson Scott <[email protected]> wrote:

Make sure you configure it for all line numbers that show up in the configuration. So check to see if they have changed the default values.

If ICMP payload is 1000 bytes then the packet is actually at least 1020 bytes with the IP header. You should probably start at 980 or some number around there if not paying attention to headers.

If no group members are behind the ASA then just UDP 848. If GMs are behind the ASA then 848, ESP, and UDP 4500 if you have NAT enabled.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Dnyaneshwar Gore
Sent: Wednesday, June 02, 2010 10:48 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Some general queries

Hi All,

1. Switch VTY line numbers = If a question asks to implement AAA authentication on telnet lines on a switch & router, then which line numbers should we consider from an exam point of view? Is it

* VTY 0 4
* VTY 0 15
* VTY 0 807

2. Large ICMP IP Signature tuning = There are two separate questions on the large ICMP signature

* Configure a signature to fire if the size of an ICMP Packet is 5000 bytes.
* Fire an alarm if the size of an ICMP packet is greater than 1000 bytes.

We should configure "ICMP total length = 5000" for the first question, and "IP payload length = 1000-65535" for the second question. Is this solution correct?

3. What ports need to be opened for GET-VPN in the ASA if the KS is behind a NAT device? Are they: udp 500, 4500 and 848?

Regards,
DMG

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
