Re: [OSL | CCIE_Security] Any connect IPSec client.

2014-07-29 Thread waleed '
Dear Fawad, that is a very good question, for which I am also looking for an answer:
what is the true replacement of the legacy IPSec Client v5.0?

regards


Waleed
CCIE 36851 (Security),CISSP,CCSP,CCNP,CCNA

Date: Tue, 29 Jul 2014 20:12:36 +0200
From: pio...@ipexpert.com
To: fawa...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Any connect IPSec client.

Fawad

It should be like you say but to be honest I am not quite sure - maybe at some 
point it will try to refresh the profile which would break connectivity.

Regards,

Piotr Kaluzny : Sr Instructor : iPexpert :: CCIE # 25665 :: Security
:: World-Class Cisco Certification Training

Direct: +1-810-326-1444

:: Free Videos
:: Free Training / Product Offerings

:: CCIE Blog
:: Twitter




On Tue, Jul 29, 2014 at 7:46 PM, Fawad Khan fawa...@gmail.com wrote:

Thank you Piotr,
In other words, can we disable the webvpn after the users have downloaded the profile?
Regards
Fawad Khan


On Tuesday, July 29, 2014, Piotr Kaluzny pio...@ipexpert.com wrote:

Hi Fawad

An SSL cert is needed so you can build a clientless tunnel with the ASA to 
download the AnyConnect Profile. The Profile contains the settings for the AC 
client itself and it will also populate a list of servers along with a protocol 
to be used for the connection. So if you configured IPSec in the Profile, all 
subsequent connections should negotiate VPN using IKE/IPSec instead of SSL.

Regards,



On Tue, Jul 29, 2014 at 12:19 AM, Fawad Khan fawa...@gmail.com wrote:


I have a very stupid question. I hope I'll get an intelligent answer here.

Does the Cisco AnyConnect IPSec client really need an SSL cert to be installed on 
the firewall?

If yes, then how does it remain an IPSec client only?
In the other case, what is the true replacement of the legacy IPSec Client v5.0?
Thank you in advance.

Regards
Fawad Khan



-- 
Fawad Khan
This message is sent using a smartphone application, I apologize for any 
spelling or grammatical mistake also if the message is too short in length or 
description.
Thank you.



___
Free CCIE RS, Collaboration, Data Center, Wireless & Security Videos ::
iPexpert on YouTube: www.youtube.com/ipexpertinc









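As an added example (mine, not from the thread or from iPexpert), an ASA 8.4-style configuration that matches Piotr's description: the SSL certificate serves the first profile download, and every later connection negotiates IKEv2/IPsec. Interface name, trustpoint, pool, group names and file names are assumptions.

```cisco
! Added example, not from the thread. Names, file names and addresses are
! placeholders; ASA 8.4+ syntax for AnyConnect over IKEv2.
!
! 1. The SSL certificate Fawad asked about. It is presented on TCP 443 and is
!    what the client validates when it first downloads the XML profile.
crypto key generate rsa label SSL-KEY modulus 2048
crypto ca trustpoint SSL-TP
 enrollment self
 subject-name CN=vpn.example.com
 keypair SSL-KEY
crypto ca enroll SSL-TP noconfirm
ssl trust-point SSL-TP outside
!
! 2. IKEv2 for the data tunnel. "client-services port 443" is the piece that
!    keeps the SSL listener in play after the first connect: the IKEv2 client
!    still uses it for profile and software updates.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint SSL-TP
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto dynamic-map DYN 10 set ikev2 ipsec-proposal AES256
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE_MAP interface outside
!
! 3. The profile. The XML file uploaded to flash carries
!    <PrimaryProtocol>IPsec</PrimaryProtocol> in the HostEntry for this ASA,
!    so after the first download every connection negotiates IKEv2/IPsec.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 anyconnect profiles IPSEC_PROFILE disk0:/ipsec_profile.xml
 anyconnect enable
!
! 4. Restricting the group policy to IKEv2 means an SSL-only tunnel attempt is
!    refused even though the webvpn listener stays up for profile downloads.
ip local pool RA_POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
group-policy GP_IPSEC internal
group-policy GP_IPSEC attributes
 vpn-tunnel-protocol ikev2
 webvpn
  anyconnect profiles value IPSEC_PROFILE type user
tunnel-group RA_IPSEC type remote-access
tunnel-group RA_IPSEC general-attributes
 address-pool RA_POOL
 default-group-policy GP_IPSEC
tunnel-group RA_IPSEC webvpn-attributes
 group-alias IPSEC enable
!
! Check after a client connects: "show vpn-sessiondb anyconnect" should list
! the session's protocol as IKEv2/IPsec rather than SSL-Tunnel.
```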

[OSL | CCIE_Security] webvpn

2012-10-31 Thread waleed '
How can we limit webvpn access to a specified source IP on the ASA? Did anyone 
try that?

With regards


Waleed


CCNA,CCNP,CCSP,CCIE 35914 (Security)
___
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Re: [OSL | CCIE_Security] role based cli

2012-07-29 Thread waleed '

Actually, it is just a version issue.
Regards

Date: Sun, 29 Jul 2012 18:19:07 +1000
From: nag...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] role based cli

Hi All,
I am doing a configuration on Role Based CLI; I am attaching the 
configuration also. I have some doubts:
1) cli-view-name=user1 === do we need to enable this on the default group or 
in the user1 profile on ACS?
2) I am able to successfully configure the view but I think it's not working; why?
3) When I try to telnet from R3 I am able to telnet through the username and 
password, but when I see the show privi it is showing 15.

regards
krishna


Re: [OSL | CCIE_Security] ips custom signature

2012-07-16 Thread waleed '

But he says for Linux, and Linux is case sensitive: there is only the netstat 
command on Linux and no NETSTAT.
Regards

From: eug...@koiossystems.com
To: nag...@gmail.com; ccie_security@onlinestudylist.com
Date: Tue, 17 Jul 2012 03:30:53 +
Subject: Re: [OSL | CCIE_Security] ips custom signature

See attached.

From: ccie_security-boun...@onlinestudylist.com 
[mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Krishna Nagam
Sent: Sunday, July 15, 2012 8:09 AM
To: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] ips custom signature

 
hi,

can anyone reply to this one?

On Sat, Jul 14, 2012 at 11:03 PM, Krishna Nagam nag...@gmail.com wrote:
Hi,

I want to know, did anybody try this? If tried, please explain to me how to 
configure this.

IPS :- create new signature 60009 that prevents a network attack on a LINUX 
workstation; it will prevent any netstat command. If it matches this command 
it should produce a high alert, produce a log, deny the packet and deny the 
attacker from any future attack.

regards
krishna

[OSL | CCIE_Security] SVI Privae vlan

2012-07-13 Thread waleed '

In private VLAN, on the primary VLAN SVI, do we need to associate the primary 
VLAN, like what Cisco did here?
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_44_se/configuration/guide/swpvlan.html#wp1042147

I assume that it must be mapped by default.
regards

Re: [OSL | CCIE_Security] storm-control action trap

2012-07-12 Thread waleed '

Actually with Cisco you can expect anything; maybe you put a random IP and 
they do not give marks for that.

Date: Thu, 12 Jul 2012 11:49:59 -0700
From: oszk...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] storm-control action trap

If the task is to configure storm-control with the action trap but no IP is 
given where to send these traps, would you enable snmp-server on the switch and 
put a random IP as the trap destination?
Thanks!
Oszkar



[OSL | CCIE_Security] tcp timeout

2012-07-08 Thread waleed '

Hello all,
can someone clarify the difference between
ip inspect tcp idle-time
and
ip inspect name TEST tcp timeout

regards

Re: [OSL | CCIE_Security] My dream comes true

2012-07-06 Thread waleed '

Well done Kingsley, congratulations.

Date: Fri, 6 Jul 2012 07:02:56 +0530
From: kingsley.char...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] My dream comes true

Hi all

8 years dream and 5 years hard work comes true. Took my lab yesterday and just 
saw that I have cleared it. 

Thanks to all for your support. I love OSL.

Special thanks to Tyson, who was always there for everyone. 


Thanks to Brandon for his support. 


With regards
Kings
CCNA, CCSP, CCNP, CCIP, CCIE#35914


Re: [OSL | CCIE_Security] Yusuf - Role-based access control

2012-07-06 Thread waleed '

For me it is working fine; I moved to # privilege mode. I think it is related 
to version.
Regards

From: radim.jur...@gmail.com
Date: Fri, 6 Jul 2012 23:08:11 +0200
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Yusuf - Role-based access control

Hello, anybody working now on Yusuf's Configurations Practice Labs, question 5.2 
Role-based access control?
In the Lab debrief, when testing the CLI view solution he connects directly into 
priv EXEC (#) but I think it should be in user EXEC (>).

When I configure CLI View using the parser feature it should always be in user 
EXEC, is that right?
Thanx in advance,
Radim


Re: [OSL | CCIE_Security] Commands authorization

2012-07-06 Thread waleed '

You have to check what you configured for commands authorization and for exec 
authorization.
You will have this message:
% Invalid input detected at '^' marker.
for a command not found at this level.
From: eug...@koiossystems.com
To: ccie_security@onlinestudylist.com
Date: Sat, 7 Jul 2012 03:30:26 +
Subject: [OSL | CCIE_Security] Commands authorization

Folks, 
I’m honing my skills in commands authorization and ran into something that put 
me on guard.
I have a number of commands defined in a command authorization set and the 
router and TACACS user settings are configured for a particular privilege level.
When I run the command that is not allowed the router says that command is not 
available, e.g.
 
R3(config)#int Fa0/1
   ^
% Invalid input detected at '^' marker.
 
I remember previously I saw a different message when I tried to execute a 
non-allowed command, namely,
 
“Command authorization failed”
 
Why do you think there’s a difference ?
 
Eugene




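As an added example (mine, not from the thread), an IOS AAA configuration that separates the two things Waleed says to check, exec authorization and command authorization, and shows which one produces each of Eugene's two messages. Server address, key and line range are placeholders.

```cisco
! Added example, not from the thread. TACACS+ address and key are placeholders.
aaa new-model
tacacs-server host 10.0.0.100 key TACACS-KEY-PLACEHOLDER
aaa authentication login default group tacacs+ local
!
! EXEC authorization: the TACACS+ server returns the privilege level the user
! lands in (priv-lvl=15 or priv-lvl=1). If the server leaves the user at
! level 1, "interface Fa0/1" is not even part of that level's parser tree, so
! IOS answers "% Invalid input detected at '^' marker." -- the command
! authorization set on the server is never consulted for it.
aaa authorization exec default group tacacs+ local
!
! Command authorization: each command at the listed level is sent to TACACS+
! before it executes. When the user IS at level 15 and the server denies the
! command, IOS answers "Command authorization failed."
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! commands typed in configuration mode are only authorized with this present
! (it is on by default once command authorization exists; shown for clarity)
aaa authorization config-commands
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
!
! Quick check from the session: "show privilege". If it reports level 1, the
! "% Invalid input" came from the parser, not from TACACS+; fix the priv-lvl
! the server returns before tuning the command set.
```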

Re: [OSL | CCIE_Security] FTP

2012-07-05 Thread waleed '


I think they must tell the type of FTP service, passive or active.
Regards
From: mike_c...@hotmail.com
To: jo...@isc.co.za; ccie_security@onlinestudylist.com
Date: Thu, 5 Jul 2012 10:56:05 -0600
Subject: Re: [OSL | CCIE_Security] FTP





Johan,

By default the ASA has the inspection for FTP configured, so the data port will 
open the data channel dynamically, hence you only need FTP. 

Mike 

From: jo...@isc.co.za
To: ccie_security@onlinestudylist.com
Date: Thu, 5 Jul 2012 08:02:04 +0200
Subject: [OSL | CCIE_Security] FTP

Hi, When asked to allow ftp to a host, do I allow ftp-data and ftp or only ftp? 
I see some solutions allow both, others only ftp.
Thanks
Johan

Re: [OSL | CCIE_Security] Preventing icmp smurf attacks

2012-07-03 Thread waleed '

I think in the case of a smurf reflector network connected to the router, we need 
to scale down echo on the interface which receives the attack, and echo reply on 
the interface connected to the reflectors' subnet.

Regards

Date: Tue, 3 Jul 2012 11:49:09 -0600
From: ernesto...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Preventing icmp smurf attacks


I had that same question Kings, and after going through several documents I 
came to the same conclusion you did.

If we just rate-limit echo we will only prevent being the reflector but not the 
ultimate target.

Echo request storm - smurf reflector
Echo-reply storm - smurf ultimate target

Also it is always mentioned that ip directed-broadcast should be disabled to prevent 
smurf attacks if not really required.

Here are some of the documents I read that helped me get to that conclusion. 
Hope they help and we all agree.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml#topic3
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper09186a00801dbf61.html
http://etutorials.org/Networking/Router+firewall+security/Part+III+Nonstateful+Filtering+Technologies/Chapter+7.+Basic+Access+Lists/Protection+Against+Attacks/
http://www.sans.org/reading_room/whitepapers/networkdevs/securing-ip-routing-remote-access-cisco-routers_234

-- 
Ernesto Gonzalez G.


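As an added example (mine, not from the thread), the IOS configuration that puts Ernesto's table and Waleed's interface placement into practice: directed broadcasts off on the LAN side, echo and echo-reply rate-limited separately with CAR. Interface roles, ACL numbers and rates are assumptions.

```cisco
! Added example, not from the thread. R1 is assumed: Fa0/0 faces the Internet,
! Fa0/1 faces the LAN an attacker would try to use as the reflector.
! Rates (bps, burst bytes) are illustrative and must be sized per link.
!
! Step 1: never turn a directed broadcast into a LAN broadcast. That is the
! amplification step of smurf; it is off by default since IOS 12.0 but is
! worth stating explicitly on every LAN-facing interface.
interface FastEthernet0/1
 no ip directed-broadcast
!
! Step 2: classify the two ICMP types separately, because they mean different
! things (Ernesto's table): an echo storm arriving means we are the reflector,
! an echo-reply storm arriving means we are the final target.
access-list 110 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
!
! Step 3: CAR on the interface that receives the attack (Waleed's first point).
interface FastEthernet0/0
 ! spoofed echo requests aimed at our broadcast addresses
 rate-limit input access-group 110 256000 8000 8000 conform-action transmit exceed-action drop
 ! replies from someone else's reflector network, when we are the target
 rate-limit input access-group 111 256000 8000 8000 conform-action transmit exceed-action drop
!
! Step 4: on the reflector-side interface, limit the echo replies our own
! hosts send back (Waleed's second point), so a request that slipped through
! cannot be amplified into a full-rate flood leaving the router.
interface FastEthernet0/1
 rate-limit input access-group 111 256000 8000 8000 conform-action transmit exceed-action drop
!
! Check: "show interfaces rate-limit" lists conformed/exceeded packets per
! ACL; which of 110 or 111 is exceeding tells you which role you are in.
```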

Re: [OSL | CCIE_Security] IP dhcp snooping information option

2012-07-02 Thread waleed '

I think they will mention in the question the type of DHCP if they want a special config.
regards

From: mike_c...@hotmail.com
To: ccie_security@onlinestudylist.com
Date: Mon, 2 Jul 2012 13:58:57 -0600
Subject: [OSL | CCIE_Security] IP dhcp snooping information option





Hey Guys, 

Do you know if the fact that the IOS servers do not support the Giaddr in 
0.0.0.0 with the dhcp snooping information option should be an issue within the 
test? I mean, shall we put it? I noticed that without this command, regular 
scenarios with DHCP relay won't work, but in the case of directly connected hosts, 
if I have it (with IOS DHCP server) the device won't get an address. 

Mike...


[OSL | CCIE_Security] Decreament TTL

2012-07-01 Thread waleed '

I want confirmation regarding the ASA algorithm: does the ASA decrement TTL for all 
IP packets passing through the ASA, or just for the tracert UDP range and ICMP?


Re: [OSL | CCIE_Security] Decreament TTL

2012-07-01 Thread waleed '


Sorry, I wanted to say: does not decrement :)
Date: Mon, 2 Jul 2012 08:22:47 +1000
From: alexei...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Decreament TTL


  

  
  
ASA does not decrease TTL by default for any traffic, AFAIK.

A.

On 7/2/2012 6:54 AM, waleed ' wrote:

I want confirmation regarding the ASA algorithm: does the ASA decrement TTL for 
all IP packets passing through the ASA, or just for the tracert UDP range and ICMP?



  
  

  
  


Re: [OSL | CCIE_Security] DDOS Attack

2012-06-30 Thread waleed '

You can configure threat detection:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.pdf


Date: Sat, 30 Jun 2012 19:40:47 +0530
From: parvez.ahma...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] DDOS Attack

Hi, A server has been compromised and is sending malicious traffic towards the 
zombies (DDOS attack, thousands of connections). This host is behind the ASA. 
Due to some constraint, the server cannot be unplugged from the network. It is 
taking high CPU and RAM of the ASA and legitimate connections are getting delayed.
The administrator ran the below two commands to protect the ASA / drop the 
connections:
1. Shun IP address of server.
2. Deny ACL (source: compromised host and destination: ANY).
3. MPF with set connection.
Is there any way to protect the ASA infrastructure from this type of attack? If 
not, let us know which method is best among the above 3 options.
Regards,
Parvez

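As an added example (mine, not from the thread), Parvez's three options written out on an ASA next to the threat-detection feature Waleed linked, with a comment on what each one does and does not do to the ASA's connection table. Interface and policy names are assumptions; the server uses a documentation address.

```cisco
! Added example, not from the thread. ASA 8.2-style syntax; the compromised
! server is assumed to be 192.0.2.10 on the "inside" interface.
!
! Option 1 from the question: shun. Drops every current and future packet from
! the host before ACLs and the connection table; no ACL change is needed and
! the entry does not survive a reload.
shun 192.0.2.10
!  show shun            -> lists the host and packet counts
!  no shun 192.0.2.10   -> remove once the server is cleaned
!
! Option 2: ACL deny. New connections are refused, but connections already in
! the conn table keep flowing until they time out, so clear them explicitly.
access-list INSIDE_IN extended deny ip host 192.0.2.10 any
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
clear conn address 192.0.2.10
!
! Option 3: MPF connection limits. This does not block the host; it caps what
! one client may hold in the conn table, which is what protects the ASA's own
! CPU and memory when the source cannot be taken offline.
access-list SERVER_TRAFFIC extended permit ip host 192.0.2.10 any
class-map LIMIT_SERVER
 match access-list SERVER_TRAFFIC
policy-map INSIDE_POLICY
 class LIMIT_SERVER
  set connection conn-max 500 embryonic-conn-max 100 per-client-max 200 per-client-embryonic-max 50
service-policy INSIDE_POLICY interface inside
!
! Threat detection (the document Waleed linked): basic-threat raises syslog
! 733100 when a drop rate is exceeded; scanning-threat with "shun" shuns a
! host automatically once it is classified as an attacker. The except clause
! keeps the ASA from shunning its own management station.
threat-detection basic-threat
threat-detection statistics host
threat-detection scanning-threat shun except ip-address 192.0.2.100 255.255.255.255
!  show threat-detection rate      -> current vs. configured drop rates
!  show threat-detection shun      -> hosts shunned by scanning-threat
```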

[OSL | CCIE_Security] outbound ACL

2012-06-24 Thread waleed '

Is there a way to make an interface outbound access-list affect router traffic?

Re: [OSL | CCIE_Security] outbound ACL

2012-06-24 Thread waleed '

Why use PBR? There is no difference if I sourced my traffic from the loopback:

R1---R2

R1: f0/0 10.0.0.1   lo0 1.1.1.1
R2: f0/0 10.0.0.2   lo0 2.2.2.2

And there is an outbound access-list on R2 f0/0; if I use access-list 120 
deny ip any any as outbound on R2 f0/0, I can ping from R2 to R1 using lo0 
as source. So can you please clarify the work of PBR here?

regards

Date: Sun, 24 Jun 2012 12:57:45 +0530
Subject: Re: [OSL | CCIE_Security] outbound ACL
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

Use local PBR and a loopback intf should do the trick.

With regards
Kings

On Sun, Jun 24, 2012 at 12:41 PM, waleed ' walleed...@hotmail.com wrote:





Is there a way to make an interface outbound access-list affect router traffic?
  


Re: [OSL | CCIE_Security] outbound ACL

2012-06-24 Thread waleed '

So if we make a CBAC policy configured to affect router traffic, and apply 
it inbound on the interface, it will not affect the traffic sourced from the 
loopback (if we do not use PBR), right? Because it is not affected by the ACL?
regards

Date: Sun, 24 Jun 2012 13:26:02 +0530
Subject: Re: [OSL | CCIE_Security] outbound ACL
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

With PBR, it is routed from the loopback interface to the egress interface, 
hence the ACL will process the traffic.

But if you ping sourced from loopback, it is still considered as router 
self-generated traffic.

With regards


Kings

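As an added example (mine, not from the thread), R2's side of the setup Waleed and Kings discuss, using the thread's addressing: the outbound ACL alone, then the local PBR that makes the router's own ping subject to it. ACL numbers, the route-map name and the verification lines are mine.

```cisco
! Added example, not from the thread. Uses the R1---R2 addressing from the
! thread and is applied on R2; ACL numbers and the route-map name are mine.
!
! Outbound ACL on f0/0. Transit packets are checked here, but packets the
! router generates itself (including "ping 10.0.0.1 source lo0") are not
! subject to an outbound interface ACL, which is why the ping still worked.
access-list 120 deny ip any any log
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip access-group 120 out
!
! Local PBR. Locally generated packets that match the route-map are
! policy-routed; having gone through the forwarding path they are then
! treated like transit traffic by the egress ACL, so the same ping is dropped.
access-list 150 permit ip host 2.2.2.2 any
route-map LOCAL_PBR permit 10
 match ip address 150
 set ip next-hop 10.0.0.1
ip local policy route-map LOCAL_PBR
!
! Verification on R2 (illustrative):
!  ping 10.0.0.1 source 2.2.2.2   -> succeeds without local PBR, fails with it
!  show ip access-lists 120       -> match counter rises only with local PBR
!  show route-map LOCAL_PBR       -> "Policy routing matches" counter rises
!  debug ip policy                -> shows the match and next-hop 10.0.0.1
```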

Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

2012-06-24 Thread waleed '

If you are using GNS you have to regenerate keys after restart; the name for the 
key will be there in the config sometimes but the actual key is not found.
Regards

From: pi...@howto.pl
To: veeduby...@gmail.com; oszk...@gmail.com
Date: Sun, 24 Jun 2012 10:53:31 +0200
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - 
YusufLab 1 Q2.3





Ben,

This message “No Cert or pre-shared address key.” is there when you have no 
RSA keys on your router. Can you check this first?
I know you have named keys assigned to the trustpoint but it seems like 
something isn’t right here.

Regards,
Piotr

From: Ben Shaw
Sent: Sunday, June 24, 2012 8:51 AM
To: Imre Oszkar
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Hi All,

I was under the impression that the application of the ISAKMP profile allows 
the trustpoint to be chosen and used to authenticate a peer based on the match 
commands configured in the profile. For this reason I had the understanding it 
was more about which trustpoint to compare a certificate received from an IPSec 
peer against, not for deciding which trustpoint's ID certificate is to be sent 
to the peer when initiating a tunnel. Anyway, I have added the ISAKMP profile 
to the and still have the same issues.

I first configured the following on R5 (which by the way is not the CA, the CA 
is another router - R1)

R5(config)#crypto map cryptomap1 10 ipsec-isakmp
R5(config-crypto-map)#set isakmp-profile isakmpprof1

The resultant configuration was as follows

R5#show running-config
Building configuration...

Current configuration : 7300 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name cisco.com
!
frame-relay switching
multilink bundle-name authenticated
!
parameter-map type inspect SMTP
 sessions maximum 2147483647
parameter-map type regex EMAIL
 pattern j...@myemail.com
!
crypto pki trustpoint myCA
 enrollment url http://10.1.1.1:80
 fqdn R5.cisco.com
 ip-address 10.5.5.5
 subject-name cn=R5
 revocation-check none
 rsakeypair myCA-KEYS
!
crypto pki certificate map certmap1 10
 issuer-name co myca
 subject-name co asa2
!
crypto pki certificate chain myCA
 certificate 06
  19311730 15060355 0403130E 6D794341 2E636973 636F2E63 6F6D301E 170D3132
  quit
 certificate ca 01
  3082020B 30820174 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  quit
!
archive
 log config
  hidekeys
!
crypto isakmp policy 11
 encr aes
 group 5
crypto isakmp identity dn
crypto isakmp profile isakmpprof1
   self-identity fqdn
   ca trust-point myCA
   match certificate certmap1
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map cryptomap1 local-address Loopback6
crypto map cryptomap1 10 ipsec-isakmp
 set peer 192.168.9.10
 set transform-set aes-sha
 set isakmp-profile isakmpprof1
 match address crypto1
!
ip tcp synwait-time 5
!
class-map type inspect match-all MAIL
 match protocol smtp
class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all IP
 match access-group 100
class-map type inspect smtp match-any Large_Mail
 match data-length gt 1000
class-map type inspect match-all ALL
class-map type inspect match-all WEB
 match protocol http
class-map type inspect match-any other
 match protocol telnet
 match protocol ssh
class-map type inspect http match-all HTTP_Misuse
 match request port-misuse any
!
policy-map type inspect http HTTP_pol
 class type inspect http HTTP_Misuse
  reset
policy-map type inspect smtp SMTP_pol
 class type inspect smtp Large_Mail
  reset
policy-map type inspect central_remote
 class type inspect IP
  inspect
 class class-default
policy-map type inspect remote_central
 class type inspect ICMP
  inspect
 class type inspect other
  inspect
 class type inspect WEB
  inspect
  service-policy http HTTP_pol
 class type inspect MAIL
  inspect
  service-policy smtp SMTP_pol
 class class-default
!
zone security CENTRAL
zone security REMOTE
zone-pair security central_remote source CENTRAL destination REMOTE
 service-policy type inspect central_remote
zone-pair security remote_central source REMOTE destination CENTRAL
 service-policy type inspect remote_central
!
interface Loopback0
 ip address 10.5.5.5 255.255.255.0
!
interface Loopback5
 ip address 10.55.55.55 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface Loopback6
 ip address 192.168.55.5 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.35.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security REMOTE
 encapsulation ppp
 ip ospf network point-to-point
 no fair-queue
 clock rate 

Re: [OSL | CCIE_Security] Finally...and it took a year

2012-06-22 Thread waleed '

Congratulations, you deserve it :)

Date: Fri, 22 Jun 2012 14:59:20 +0800
From: depp3...@yahoo.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Finally...and it took a year

Guys,

Cleared the lab finally, in my 3rd attempt.

Thanks for all the wonderful posts in here , which really helped in nailing the 
concepts. This mailer and the archives were an immense help to me.

You guys are amazing. :-)


[OSL | CCIE_Security] delete context

2012-06-17 Thread waleed '

What is the best way to delete a context from a Cisco ASA multiple-context FW?

Re: [OSL | CCIE_Security] Role Based

2012-06-15 Thread waleed '

Can you please paste your aaa and line configuration?
regards

From: mike_c...@hotmail.com
To: ccie_security@onlinestudylist.com
Date: Thu, 14 Jun 2012 21:06:33 -0600
Subject: [OSL | CCIE_Security] Role Based





Hello,

Is the user sign normal when configuring Role based access? 

Router1>conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)>?
Configure commands:
  do    To run exec commands in config mode
  exit  Exit from configure mode
  ip    Global IP configuration subcommands

Router1(config)>ip ?
Global IP configuration subcommands:
  http  HTTP server configuration

Router1(config)>ip

I have authorization applied on the line vty and the user privi is 15... 


  

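As an added example (mine, not from the thread), a CLI view that reproduces the prompt output Mike posted, shown with both ways of binding a user to it: a local username, and the cli-view-name AV pair from the earlier role-based CLI thread. View name, user name and secrets are placeholders.

```cisco
! Added example, not from the thread. Secrets are placeholders. The view
! lets the user enter configuration mode but offers only "ip http ..." there,
! which is what Mike's "ip ?" output shows.
aaa new-model
enable secret ENABLE-SECRET-PLACEHOLDER
!
! Views can only be created or edited from the root view: at the EXEC prompt
! run "enable view" (it asks for the enable secret), then "configure terminal".
parser view HTTPADMIN
 secret VIEW-SECRET-PLACEHOLDER
 commands exec include configure terminal
 commands exec include show parser view
 commands configure include all ip http
!
! Local binding: the user lands in the view straight after login, with no
! "enable view" step. Views are not privilege levels, so "show privilege"
! is not the right check; "show parser view" reports the active view.
username httpadmin view HTTPADMIN secret USER-SECRET-PLACEHOLDER
!
! Server-side binding (Krishna's case): instead of the username line, ACS
! returns the Cisco AV pair  cli-view-name=HTTPADMIN  for that user, and exec
! authorization hands the session to the view.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
line vty 0 4
 login authentication default
 authorization exec default
```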

Re: [OSL | CCIE_Security] Rekey address

2012-06-13 Thread waleed '

How did you check that rekey messages are still received on the GMs?

Date: Wed, 13 Jun 2012 09:00:46 +0800
From: depp3...@yahoo.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Rekey address

What is the significance of the 'address ipv4 x.x.x.x' in the gdoi group 
configuration? I was trying out a multicast rekey setup with the following 
rekey acl - access-list 150 permit udp any eq 848 host 239.0.1.2 eq 848. And I 
didn't have the local server address configured. So the Key server ID was 
displayed as 0.0.0.0, and everything worked.
So I was wondering when you really need the KS address configured?
And the traffic between the KS and the GM travels through an ASA context, and 
I haven't done any kind of multicast configs on it. Still, the GMs receive the 
rekey requests. How does that work?

[OSL | CCIE_Security] ISAKMP profile

2012-06-11 Thread waleed '

When is it required to set the isakmp profile under the ipsec profile and when is 
it optional? And when do we need to use the key number under interface tunnel?
regards

Re: [OSL | CCIE_Security] DVTI on Ezvpn Client

2012-06-10 Thread waleed '

It is required only if you do not want to add a static route to reach the remote 
network; if the DVTI is there the route will be added automatically.
regards

Date: Sun, 10 Jun 2012 13:58:25 +0800
From: depp3...@yahoo.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] DVTI on Ezvpn Client

Hi,
Is a DVTI really required on the ezvpn client, and should it be referenced 
under 'crypto ipsec client' using virtual-interface 1? I noticed that even 
without it, it works.
This is what I have on my client:
crypto ipsec client ezvpn ez
 connect auto
 group ezvpn key cisco
 local-address FastEthernet0/0
 mode client
 peer 192.168.2.2
 username cisco password cisco
 xauth userid mode local
interface Virtual-Template1 type tunnel
 no ip address

Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding

2012-06-07 Thread waleed '


If you want to test ARP poisoning you can try the Cain & Abel tool.
regards 
Date: Thu, 7 Jun 2012 14:25:14 +1000
From: alexei...@gmail.com
To: eug...@koiossystems.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding

1. I think he refers to a man in the middle diverting your traffic via an ARP attack
and presenting you a bogus cert which you accept, and all your encrypted
traffic will be decrypted by the attacker. It has nothing to do with cracking
SSL.

 
A possible scenario is you are in an Internet cafe checking your Internet bank
account and going to https://mybestbank.com and all of a sudden you are presented
with a self-signed cert. It may well be one of the guys in the next cubicle launching
an attack against you. :-) IT folks would probably drop that session but those
of the regular public may just click on accept and keep walking into the trap. :-)

 
A.


On 7 June 2012 12:11, Eugene Pefti eug...@koiossystems.com wrote:




Nice info.
Couple of moments. 
Don’t understand what ARP Attack tools have to do with SSH/SSL. See page 54.
The general knowledge about RSA public/private key infrastructure is that the 
traffic between two hosts is encrypted and it is “unfeasible” to crack/brute 
force it.

 
Second, I don’t know what switch platform was used by Yusuf (if it was Yusuf) 
to configure IPSG. On 3650 switch the interface command “ip verify source vlan 
dhcp-snooping” doesn’t exist. 

 
SW2(config-if)#ip verify source ?
  port-security  port security
  cr
 
SW2(config-if)#ip verify source vlan dhcp-snooping
^
% Invalid input detected at '^' marker.
 
Eugene
 

From: Alexei Monastyrnyi [mailto:alexei...@gmail.com] 

Sent: Wednesday, June 06, 2012 6:08 PM
To: Eugene Pefti
Cc: Kingsley Charles; Mike Rojas; ccie_security@onlinestudylist.com 


Subject: Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding



 

There is a nice presentation on this put together by Yusuf.

http://www.cisco.com/web/ME/exposaudi2009/assets/docs/layer2_attacks_and_mitigation_t.pdf%20


 

check building the layers section

 

A.

On 7 June 2012 08:20, Eugene Pefti eug...@koiossystems.com wrote:


I would say that IP source guard goes hand in hand with DHCP snooping.
Cisco doc says (Catalyst 3650)
“When IP source guard with source IP filtering is enabled on an interface, DHCP 
snooping must be enabled on the access VLAN for that interface”

And then they start configuring IPSG with DHCP snooping as part of it.
 
I tested it and my findings are that even if you have “ip source binding 
.. vlan XYZ XXX.XXX.XXX.XXX interface Fa0/XX” it is not active 
without DHCP snooping:

 
SW2#show ip ver source interface Fa0/6
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/6      ip           inactive-no-snooping-vlan
 
I had a host obtain an IP address from the DHCP server different from the IP 
address used in “ip source binding” and was able to communicate.

Once I enabled DHCP snooping globally and for the specific VLAN the IPSG 
feature became active and the host wasn’t able to communicate with others:

 
SW2#sh ip verif source inter fa0/6
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/6      ip           active       174.1.255.2                         102
 
Eugene
 
 

From: ccie_security-boun...@onlinestudylist.com 
[mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Kingsley Charles

Sent: Tuesday, June 05, 2012 9:01 PM
To: Mike Rojas
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding



 
ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3 can't be used 
for DHCP snooping. Have you tested it? It can be only used for IPSG validation 
not DHCP packet validation.


With regards
Kings

On Wed, Jun 6, 2012 at 7:35 AM, Mike Rojas mike_c...@hotmail.com wrote:


I made that mistake on the test, the question clearly said, make sure it 
survives upon reload 

Mike 




Date: Tue, 5 Jun 2012 20:04:27 -0400
From: fawa...@gmail.com
To: ccie_security@onlinestudylist.com

Subject: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding


 

For the dhcp snooping I learned the hard way the difference between the two 
commands.
The below command is done at exec level and the binding will be removed after a
reload:

3560# ip dhcp snooping binding cccd.1233.3422 vlan 101 1.11.1.1 interface gi0/3

 

The following is permanent and will not be removed from the config or binding
database after reboot:

 

3560(config)# ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3

 

Are you able to pick the difference between the two commands?

Hope this helps.


-- 
FNK
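
The two captures in this thread show the same port before and after DHCP snooping was enabled on its VLAN, with IPSG moving from inactive-no-snooping-vlan to active. As an added example (not code from the thread or from Cisco), here is a small Python parser for 'show ip verify source' that flags ports where IP Source Guard is configured but not enforcing. The sample output is constructed to mirror the thread's captures, and the shape-based column classification is this example's own approach.

```python
"""Parse 'show ip verify source' output and flag ports where IP Source Guard is
configured but not enforcing. Added example (not from the thread); the sample
output below is constructed to mirror the two captures in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Accepts colon-separated and Cisco dotted-quad MAC notation.
MAC_RE = re.compile(
    r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$|^(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}$"
)


@dataclass
class IpsgEntry:
    interface: str
    filter_type: str
    filter_mode: str
    ip_address: Optional[str] = None
    mac_address: Optional[str] = None
    vlan: Optional[str] = None

    @property
    def enforcing(self) -> bool:
        # Only "active" means the binding is filtering traffic;
        # "inactive-no-snooping-vlan" means DHCP snooping is missing on the VLAN.
        return self.filter_mode == "active"


# Constructed sample: Fa0/6 as in the thread's first capture (no snooping yet),
# Fa0/7 as in the second (active), plus an ip-mac entry to exercise the MAC column.
SAMPLE_OUTPUT = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/6      ip           inactive-no-snooping-vlan
Fa0/7      ip           active       174.1.255.2                         102
Fa0/8      ip-mac       active       10.1.1.5         00:11:22:33:44:55  10
"""


def parse_ip_verify_source(text: str) -> List[IpsgEntry]:
    """Trailing columns are optional and whitespace-aligned, so classify the
    remaining tokens by shape (IP, MAC, VLAN number) instead of by position."""
    entries: List[IpsgEntry] = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip header, separator and any pasted CLI prompt lines.
        if len(tokens) < 3 or tokens[0] == "Interface" or tokens[0].startswith("-") or "#" in tokens[0]:
            continue
        iface, ftype, fmode, *rest = tokens
        entry = IpsgEntry(iface, ftype, fmode)
        for tok in rest:
            if IP_RE.match(tok):
                entry.ip_address = tok
            elif MAC_RE.match(tok):
                entry.mac_address = tok
            elif tok.isdigit():
                entry.vlan = tok
        entries.append(entry)
    return entries


def not_enforcing(entries: List[IpsgEntry]) -> List[str]:
    """Interfaces that have IPSG configured but are not filtering anything."""
    return [e.interface for e in entries if not e.enforcing]


if __name__ == "__main__":
    parsed = parse_ip_verify_source(SAMPLE_OUTPUT)
    for e in parsed:
        print(e)
    print("IPSG configured but not enforcing:", not_enforcing(parsed))
```

Run against a real capture, the list returned by not_enforcing is the set of ports where a static 'ip source binding' exists but, as Eugene observed, a host with a different address can still talk because snooping is not enabled on that VLAN.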

Re: [OSL | CCIE_Security] Pinging a multicast address through ASA.

2012-05-28 Thread waleed '

It will not work with ICMP inspection because of the issue of the different replying
address, as you mention.
regards 
From: kar@gmail.com
Date: Sun, 27 May 2012 15:56:44 +0530
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Pinging a multicast address through ASA.

Hi,
I have a basic inspection question - 
My Topology:  R1-ASA--- R2
ASA is configured for stub-multicast routing. R1 is subscriber and R2 is the 
multicast router.


Ping from R2 to 239.0.0.1 is not going through. But if I disable ICMP
inspection on the ASA, it works.
Is it because the source and destination IP pair for request and replies are
different? Or should it work even with ICMP inspection enabled?



Regards,Karthik


[OSL | CCIE_Security] last update

2012-05-17 Thread waleed '

kindly send me the last update

membership ID : wall
membership password: wallsec1aj
buyer name: MHD Zedan
purchase date : 11 jan 2012
payment method : epay
country : syria 
 payment email: walleed...@hotmail.com
exam date : 20/7/2012
exam center: dubai

Regards

Re: [OSL | CCIE_Security] last update

2012-05-17 Thread waleed '

please delete this email, sent by mistake; it contains special info 

From: walleed...@hotmail.com
To: ccie_security@onlinestudylist.com
Subject: last update
Date: Thu, 17 May 2012 07:37:36 +






Re: [OSL | CCIE_Security] Does the IOS CA Server have a web interface for certificate creation

2012-04-26 Thread waleed '

IOS CA uses the SCEP protocol; if the client supports this protocol for enrollment, I
think you can use it for non-Cisco devices.


Date: Thu, 26 Apr 2012 15:11:39 +1000
From: veeduby...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Does the IOS CA Server have a web interface 
for certificate creation

Thanks Mike and good point Adil,

maybe you are right. My memory seems to recall that it may only be usable for 
routers. Can anyone else confirm this?

I was under the impression it is an IOS CA that we have been told we will need 
to use in the lab exam as opposed to an MS CA. This would be a rather large 
limitation for this CA if we were expected to use it to create certificates for 
remote access VPN.


Ben




On Thu, Apr 26, 2012 at 9:33 AM, Adil Pasha aspa...@gmail.com wrote:

Can IOS CA server be used for non-Cisco devices such as desktops?

Best Regards.__Adil S Pasha





On Apr 25, 2012, at 2:45 PM, Mike Rojas wrote:


Ben, 

Besides the GUI from the IDM, you are not going to be allowed to use any. (Exam 
purpose) but in regards of the real life scenario I have not seen any. 



Mike 

Date: Thu, 26 Apr 2012 01:42:30 +1000
From: veeduby...@gmail.com
To: ccie_security@onlinestudylist.com


Subject: [OSL | CCIE_Security] Does the IOS CA Server have a web interface  
for certificate creation

Hi All

one of the things I like about the ASA CA server is that it has a web interface 
to be able to create certificate signing requests for client computers. There 
is also the ability to add these requests via the CLI with the 'user-db' 
function.



Considering I believe it will be an IOS CA we will be asked to create in the lab
exam and not a CA on an ASA, I have been looking to see if the IOS CA has the
same feature in v12.4 so that a client computer can enrol with the CA and
receive a certificate without needing to install the Cisco VPN Client to create
the CSR or use some other convoluted method such as via IIS.



Can anyone tell me if there is such a feature within the IOS CA that allows 
certificates to be created for client computers via the CLI like there is in 
the ASA CA?

Thanks
Ben


Re: [OSL | CCIE_Security] HTTP authentication to router

2012-02-29 Thread waleed '

First thing, make sure of routing between your router and the ACS using:
telnet 10.0.0.100 49

From: fawa...@gmail.com
Date: Thu, 1 Mar 2012 00:31:41 -0500
To: allan.cas...@hp.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] HTTP authentication to router

What does the ACS logs say ?FNK



On Wed, Feb 29, 2012 at 11:34 PM, Castro, Allan allan.cas...@hp.com wrote:

Hello,
 
Question says to allow TACACS authentication to a router so here is my config 
but on the TEST PC I cannot authenticate as I get the prompt back. What could
 be wrong?
 
aaa authentication login default group tacacs+
aaa authentication login console none
 
ip http server
ip http port 8080
ip http authentication aaa
no ip http secure-server
 
tacacs-server host 10.0.0.100
tacacs-server key CISCO
ip tacacs source-interface Loopback0
 
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous level 0 limit 20
login authentication console
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
password cisco
 
ACS config was pretty straight forward:
 
Created username with its password

Added the router as an ACS client (hostname, IP and key)



Thanks





[OSL | CCIE_Security] SNMP v3 link in doc

2012-02-19 Thread waleed '

Please, can anyone provide a link to SNMP v3 in the Cisco doc?
Regards 

[OSL | CCIE_Security] Posture Validation

2012-02-19 Thread waleed '

In posture validation condition sets, is os-type = the OS name on Windows, which
we can see in the output of winmscd? And is this attribute case sensitive?

Regards 

Re: [OSL | CCIE_Security] Posture Validation

2012-02-19 Thread waleed '


Thanks, I tested it, it is the same :)
Date: Sun, 19 Feb 2012 20:29:09 +0100
Subject: Re: [OSL | CCIE_Security] Posture Validation
From: marta.sokolow...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

Yes, if you create Posture Validation rule on ACS and you have to match Windows 
2003 or Windows XP, the rule should look like this:

Attribute: Cisco:PA:OS-Type
Operator: contains
Value: Windows 2003

I tested it and it works :-) But I don't remember if the value is case 
sensitive. I don't see it mentioned in ACS documentation.


Marta Sokolowska.

2012/2/19 waleed ' walleed...@hotmail.com






in posture validation condition sets , is os-type = os name on windows ?? which 
we can see in the output of winmscd ? and is this attributes case sensitive ?

Regards 
  



Re: [OSL | CCIE_Security] RE : SNMP VERSION 3

2012-02-18 Thread waleed '

If we are asked to make a view which includes internet, for example, do we have to make
this:
snmp-server view test internet.6.3 include 
or do we have to supply the full path? And can we get the path from:
show snmp mib | include internet 

for example?

Date: Wed, 1 Feb 2012 20:50:01 +0530
Subject: Re: [OSL | CCIE_Security] RE : SNMP VERSION 3
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: eug...@koiossystems.com; n.is...@cbi.ma; ccie_security@onlinestudylist.com

Remember the most used MIB names and the corresponding OIDs. For internet, 
it's 1.3.6.1, and then a subtree below it under mgmt or cisco will be asked for. Play 
with ifEntry, which is very important.

iso
 org
  dod
   internet
    mgmt
     mib-2
    private
     enterprises
      cisco
With regards
Kings

On Wed, Feb 1, 2012 at 5:45 PM, waleed ' walleed...@hotmail.com wrote:






BTW, how can we find OIDs in the exam? Is the OID locator tool available?
Regards 
From: eug...@koiossystems.com

To: walleed...@hotmail.com; n.is...@cbi.ma; kingsley.char...@gmail.com

CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] RE :  SNMP VERSION 3
Date: Tue, 31 Jan 2012 01:08:33 +

And yes, I’d rather do it without the priv, i.e. authnopriv. My config would 
look like this if the question explicitly mentions names of the views:

 
snmp-server view CISCO cisco include
snmp-server view INTERNET internet include
snmp-server group GROUP1 v3 auth read INTERNET write INTERNET
snmp-server group GROUP2 v3 auth read CISCO

snmp-server user TEST1 GROUP1 v3 auth md5|sha CISCO123

snmp-server user TEST2 GROUP2 v3 auth md5|sha CISCO123
 
R2(config)#do sh snmp user  

 
User name: TEST1
Engine ID: 8009031BD44FE59C
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: GROUP1
 
User name: TEST2
Engine ID: 8009031BD44FE59C
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: GROUP2
 
The only problem with CISCO view is that when I try to discover the router with 
the above said SNMP settings from the SNMP management station I end up with
 a message that no object is discovered, i.e.
Dart.Snmp.SimpleType.NoSuchObject
 
As opposed to INTERNET view I end up with a fully discovered Cisco 1841 router.
 


From: ccie_security-boun...@onlinestudylist.com 
[mailto:ccie_security-boun...@onlinestudylist.com]
On Behalf Of waleed '

Sent: 30 January 2012 02:11

To: n.is...@cbi.ma; kingsley.char...@gmail.com

Cc: ccie security

Subject: Re: [OSL | CCIE_Security] RE : SNMP VERSION 3


 

I think it is authnopriv, because encryption is not required. By the way, is the
MIB locator tool available in the lab exam?


 

 From: n.is...@cbi.ma

 To: kingsley.char...@gmail.com

 Date: Mon, 30 Jan 2012 09:36:46 +

 CC: ccie_security@onlinestudylist.com

 Subject: [OSL | CCIE_Security] RE : SNMP VERSION 3

 

 Hi , 

 

 the question is exactly

 

 Config on R5

 

 Enable SNMPv3.

 USER1 user can read and write INTERNET and all snmp object in the sub-tree

 USER2 user only can read CISCO and all snmp object in the sub tree

 

 Those 2 users need to be authenticated

 

 Password is cisco

 

 in this case we need to configure authpriv or authnopriv ? 

 

 Regards

 

 

 De : Kingsley Charles [kingsley.char...@gmail.com]

 Date d'envoi : lundi 30 janvier 2012 05:33

 À : n.issam

 Cc : .

 Objet : Re: [OSL | CCIE_Security] SNMP VERSION 3

 

 Your task is missing some information - the user names and what security 
 model the Group should be configured for - authpriv or authnopriv.

 

 

 snmp-server view ciscoview cisco included

 snmp-server view internetview internet included

 snmp-server group TEST1 v3 priv read internetview write internetview

 snmp-server group TEST2 v3 priv read ciscoview

 snmp-server user TEST2 v3 v3 auth sha CISCO123 priv 3des CISCO123

 snmp-server user TEST1 TEST1 v3 auth sha CISCO123 priv 3des CISCO123

 

 

 

 router2#sh snmp user

 

 User name: TEST1

 Engine ID: 800903137F74CD30

 storage-type: nonvolatile active

 Authentication Protocol: SHA

 Privacy Protocol: 3DES

 Group-name: TEST1

 

 User name: TEST2

 Engine ID: 800903137F74CD30

 storage-type: nonvolatile active

 Authentication Protocol: SHA

 Privacy Protocol: 3DES

 Group-name: v3

 

 With regards

 Kings

 

 On Mon, Jan 30, 2012 at 3:36 AM, n.issam n.is...@cbi.ma wrote:

 Hello All ,

 

 I need your help to find the correct solution to this question:

 

 create 2 snmp

 mib INTERNET include all object in MIB internet

 mib CISCO include entire cisco MIB

 Enable SNMPv3.

 TEST1 user can read and write INTERNET and all snmp object in the sub-tree

 TEST2 user only can read cisco and all snmp object in the sub tree

 

 Those 2 users need to be authenticated Password is CISCO123

 

 

 many thanks for your support
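
The task, Kings' view names and Eugene's observation that the CISCO view leaves a management station with NoSuchObject all come down to how an SNMP view decides whether an OID is visible. As an added example (not code from the thread or from Cisco), the following Python models 'snmp-server view NAME subtree included|excluded' using the VACM rule that the longest matching subtree wins. The name-to-OID table is the standard registration tree; resolving 'name.N.M' as the name's OID plus a numeric suffix is this helper's input convention, not a claim about how IOS parses that form.

```python
"""SNMPv3 view evaluation (VACM subtree matching) for the INTERNET/CISCO task
discussed above. Added example, not from the thread. WELL_KNOWN holds the
standard registration arcs; 'name.sub.tree' resolution is this helper's own
input convention (an assumption, not IOS syntax)."""
from typing import List, Optional, Tuple

Oid = Tuple[int, ...]

WELL_KNOWN = {
    "iso": (1,),
    "org": (1, 3),
    "dod": (1, 3, 6),
    "internet": (1, 3, 6, 1),
    "mgmt": (1, 3, 6, 1, 2),
    "mib-2": (1, 3, 6, 1, 2, 1),
    "system": (1, 3, 6, 1, 2, 1, 1),
    "interfaces": (1, 3, 6, 1, 2, 1, 2),
    "ifEntry": (1, 3, 6, 1, 2, 1, 2, 2, 1),
    "private": (1, 3, 6, 1, 4),
    "enterprises": (1, 3, 6, 1, 4, 1),
    "cisco": (1, 3, 6, 1, 4, 1, 9),
}


def resolve_oid(spec: str) -> Oid:
    """'cisco', 'internet.6.3' or '1.3.6.1.2.1.1.1.0' -> tuple of arcs."""
    head, *tail = spec.split(".")
    base = (int(head),) if head.isdigit() else WELL_KNOWN[head]
    return base + tuple(int(x) for x in tail)


class SnmpView:
    """Models 'snmp-server view NAME subtree included|excluded'. Per VACM the
    most specific (longest) matching subtree decides; an object under no
    configured subtree is outside the view."""

    def __init__(self, name: str):
        self.name = name
        self.entries: List[Tuple[Oid, bool]] = []

    def add(self, subtree: str, included: bool = True) -> "SnmpView":
        self.entries.append((resolve_oid(subtree), included))
        return self

    def permits(self, oid: str) -> bool:
        target = resolve_oid(oid)
        best: Optional[Tuple[Oid, bool]] = None
        for subtree, included in self.entries:
            if target[: len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]


# The two views from the task, as the thread's participants configured them.
INTERNET = SnmpView("INTERNET").add("internet")
CISCO = SnmpView("CISCO").add("cisco")
# A tighter alternative: everything under internet except the vendor trees.
MIB2_ONLY = SnmpView("MIB2_ONLY").add("internet").add("private", included=False)

SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # system.sysDescr.0, the first thing a discovery walks
IF_INDEX_1 = "ifEntry.1.1"       # ifEntry.ifIndex.1
CISCO_OBJ = "cisco.2.1.1.1"      # constructed object somewhere under the cisco tree

if __name__ == "__main__":
    for view in (INTERNET, CISCO, MIB2_ONLY):
        for oid in (SYS_DESCR, IF_INDEX_1, CISCO_OBJ):
            verdict = "permit" if view.permits(oid) else "deny"
            print(f"{view.name:9} {oid:22} {verdict}")
```

CISCO.permits(SYS_DESCR) is False: a view rooted at cisco (1.3.6.1.4.1.9) contains nothing under mgmt, so a station that starts discovery in the system group gets no object back, which is consistent with the NoSuchObject result Eugene reported for the CISCO view while the INTERNET view discovered the router fully.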

Re: [OSL | CCIE_Security] line vty

2012-02-16 Thread waleed '

For sure we will not apply it to the range from 0 to 988.

Date: Tue, 14 Feb 2012 16:13:24 +0530
Subject: Re: [OSL | CCIE_Security] line vty
From: kingsley.char...@gmail.com
To: a@live.com
CC: fawa...@gmail.com; walleed...@hotmail.com; ccie_security@onlinestudylist.com

I guess, we should apply to all lines or apply to lines that has been created 
where 0-4 may be present and 5-15 has not.

Use ? to find the total no of lines.

router1(config)#line vty 0 ?
  1-988  Last Line number


With regards
Kings

On Tue, Feb 14, 2012 at 3:20 PM, HA Ali a@live.com wrote:





Because I have heard that the exam is checked using a script , it would be best 
to ask the proctor during exam .
Possible that the script expects line vty 0 4 OR line vty 0 15 from running 
config . 


From: fawa...@gmail.com
Date: Mon, 13 Feb 2012 19:09:48 -0500
To: walleed...@hotmail.com

CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] line vty

15 is good. FNK



On Mon, Feb 13, 2012 at 6:24 PM, waleed ' walleed...@hotmail.com wrote:







If we are asked in the exam to apply an AAA policy to line vty, what is the range we have to
apply it to? 0 4 only, or 0 15?
Regards 
  


[OSL | CCIE_Security] line vty

2012-02-13 Thread waleed '

If we are asked in the exam to apply an AAA policy to line vty, what is the range we have to
apply it to? 0 4 only, or 0 15?
Regards 

[OSL | CCIE_Security] ISAKMP VPN Client

2012-02-12 Thread waleed '

Did you have pain with the isakmp policy for the VPN client (Windows, remote)? Every
time I configure EZVPN I have pain with this. Is there a policy combination that
will always work?

Re: [OSL | CCIE_Security] auth-proxy (tacacs) authorization failure.

2012-02-11 Thread waleed '

For auth-proxy there is no need to check shell and to fill in the privilege level in
ACS for that user; try it without.

From: kar@gmail.com
Date: Sat, 11 Feb 2012 15:45:47 +0530
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] auth-proxy (tacacs) authorization failure.

Hi All,
I am trying to configure auth-proxy but for some reason I am getting an authorization
failure. I am not able to figure out what's wrong in the config! I think I am
missing something here.

What am I doing wrong? Thanks in advance.
Relevant part of config.

==
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+ local
ip auth-proxy max-nodata-conns 3
ip auth-proxy name APlan telnet inactivity-time 60
ip auth-proxy name APlan telnet list APmatch
!DMZ interface
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!LAN interface
interface FastEthernet2/0
 ip address 10.10.1.1 255.255.255.0
 ip access-group ACLlanin in
 ip nat inside
 ip auth-proxy APlan
 ip virtual-reassembly
ip access-list extended ACLlanin
 permit icmp any any
 deny   ip any any
ip access-list extended APmatch
 permit tcp any any eq telnet

When tried to telnet from lan.
=
Firewall authentication
Username:goku
Password:
Firewall authentication Failed.
Please Retry

Debug output
==
R1#sh debug
General OS:
  TACACS+ authentication debugging is on
  TACACS+ authorization debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on
*Mar  1 00:39:16.543: AAA/BIND(0007): Bind i/f
*Mar  1 00:39:16.547: AAA/AUTHEN/LOGIN (0007): Pick method list 'default'
*Mar  1 00:39:16.555: TPLUS: Queuing AAA Authentication request 7 for processing
*Mar  1 00:39:16.559: TPLUS: processing authentication start request id 7
*Mar  1 00:39:16.563: TPLUS: Authentication start packet created for 7(goku)
*Mar  1 00:39:16.567: TPLUS: Using server 172.16.1.2
*Mar  1 00:39:16.575: TPLUS(0007)/0/NB_WAIT/64B254A4: Started 5 sec timeout
*Mar  1 00:39:16.619: TPLUS(0007)/0/NB_WAIT: socket event 2
*Mar  1 00:39:16.623: TPLUS(0007)/0/NB_WAIT: wrote entire 39 bytes request
*Mar  1 00:39:16.627: TPLUS(0007)/0/READ: socket event 1
*Mar  1 00:39:16.627: TPLUS(0007)/0/READ: Would block while reading
*Mar  1 00:39:16.639: TPLUS(0007)/0/READ: socket event 1
*Mar  1 00:39:16.639: TPLUS(0007)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Mar  1 00:39:16.643: TPLUS(0007)/0/READ: socket event 1
*Mar  1 00:39:16.643: TPLUS(0007)/0/READ: read entire 28 bytes response
*Mar  1 00:39:16.647: TPLUS(0007)/0/64B254A4: Processing the reply packet
*Mar  1 00:39:16.647: TPLUS: Received authen response status GET_PASSWORD (8)
*Mar  1 00:39:16.655: TPLUS: Queuing AAA Authentication request 7 for processing
*Mar  1 00:39:16.659: TPLUS: processing authentication continue request id 7
*Mar  1 00:39:16.663: TPLUS: Authentication continue packet generated for 7
*Mar  1 00:39:16.667: TPLUS(0007)/0/WRITE/64B254A4: Started 5 sec timeout
*Mar  1 00:39:16.671: TPLUS(0007)/0/WRITE: wrote entire 21 bytes request
*Mar  1 00:39:17.103: TPLUS(0007)/0/READ: socket event 1
*Mar  1 00:39:17.103: TPLUS(0007)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Mar  1 00:39:17.107: TPLUS(0007)/0/READ: socket event 1
*Mar  1 00:39:17.107: TPLUS(0007)/0/READ: read entire 18 bytes response
*Mar  1 00:39:17.111: TPLUS(0007)/0/64B254A4: Processing the reply packet
*Mar  1 00:39:17.111: TPLUS: Received authen response status PASS (2)
*Mar  1 00:39:17.123: AAA/AUTHOR (0x7): Pick method list 'default'
*Mar  1 00:39:17.139: TPLUS: Queuing AAA Authorization request 7 for processing
*Mar  1 00:39:17.143: TPLUS: processing authorization request id 7
*Mar  1 00:39:17.147: TPLUS: Sending AV service=auth-proxy
*Mar  1 00:39:17.151: TPLUS: Sending AV protocol=ip
*Mar  1 00:39:17.151: TPLUS: Authorization request created for 7(goku)
*Mar  1 00:39:17.151: TPLUS: using previously set server 172.16.1.2 from group tacacs+
*Mar  1 00:39:17.163: TPLUS(0007)/0/NB_WAIT/64B254A4: Started 5 sec timeout
*Mar  1 00:39:17.215: TPLUS(0007)/0/NB_WAIT: socket event 2
*Mar  1 00:39:17.219: TPLUS(0007)/0/NB_WAIT: wrote entire 70 bytes request
*Mar  1 00:39:17.223: TPLUS(0007)/0/READ: socket event 1
*Mar  1 00:39:17.223: TPLUS(0007)/0/READ: Would block while reading
*Mar  1 00:39:17.243: TPLUS(0007)/0/READ: socket event 1
*Mar  1 00:39:17.243: TPLUS(0007)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Mar  1 00:39:17.243: TPLUS(0007)/0/READ: socket event 1
*Mar  1 00:39:17.243: TPLUS(0007)/0/READ: read entire 18 bytes response
*Mar  1 00:39:17.243: TPLUS(0007)/0/64B254A4: Processing the reply packet
*Mar  1 00:39:17.243: TPLUS: received authorization response for 7: FAIL


ACS config 

Log on ACS server 
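
The debug above already separates the two failure modes that get mixed up in these auth-proxy threads: the ACS is reached and the password is accepted (authen status PASS), and it is the authorization for service=auth-proxy that comes back FAIL, which is a different problem from the one in the next thread where no request reaches the server at all. As an added example (not code from the thread or from Cisco), the following Python summarises a 'debug tacacs' / 'debug aaa' capture and names which of those cases it is. SAMPLE is built from lines of the capture above and deliberately left run together the way the mail client flattened them, to show the timestamp-based splitting.

```python
"""Summarise IOS 'debug tacacs' / 'debug aaa authentication|authorization'
output to tell a reachability problem from an authorization rejection.
Added example, not from the thread; SAMPLE reuses lines of the capture above,
partly run together the way the mail client flattened them."""
import re
from typing import Dict, List

# IOS timestamps look like "*Mar  1 00:39:17.151:". Splitting on a lookahead for
# them recovers message boundaries even when line breaks were lost in a paste.
TS_SPLIT = re.compile(r"(?=\*\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+:)")

SAMPLE = (
    "*Mar  1 00:39:16.563: TPLUS: Authentication start packet created for 7(goku)"
    "*Mar  1 00:39:16.567: TPLUS: Using server 172.16.1.2\n"
    "*Mar  1 00:39:16.647: TPLUS: Received authen response status GET_PASSWORD (8)\n"
    "*Mar  1 00:39:17.111: TPLUS: Received authen response status PASS (2)*Mar  1 \n"
    "00:39:17.147: TPLUS: Sending AV service=auth-proxy\n"
    "*Mar  1 00:39:17.151: TPLUS: Sending AV protocol=ip\n"
    "*Mar  1 00:39:17.151: TPLUS: Authorization request created for 7(goku)\n"
    "*Mar  1 00:39:17.243: TPLUS: received authorization response for 7: FAIL\n"
)

PATTERNS = {
    "user": re.compile(r"packet created for \d+\((\w+)\)"),
    "server": re.compile(r"Using server (\S+)"),
    "authen": re.compile(r"Received authen response status (\w+)"),
    "author": re.compile(r"received authorization response for \d+: (\w+)"),
    "avpair": re.compile(r"Sending AV (\S+=\S+)"),
}


def split_messages(text: str) -> List[str]:
    """One debug message per element, whitespace normalised."""
    return [" ".join(chunk.split()) for chunk in TS_SPLIT.split(text) if chunk.strip()]


def summarize_tacacs_debug(text: str) -> Dict[str, object]:
    summary: Dict[str, object] = {"user": None, "server": None, "authen": None, "author": None, "avpairs": []}
    for msg in split_messages(text):
        for key, rx in PATTERNS.items():
            m = rx.search(msg)
            if not m:
                continue
            if key == "avpair":
                summary["avpairs"].append(m.group(1))
            else:
                summary[key] = m.group(1)  # later messages win: GET_PASSWORD, then PASS
    return summary


def diagnose(summary: Dict[str, object]) -> str:
    """Map the summary to the thing to check next."""
    if summary["server"] is None or summary["authen"] is None:
        # Nothing came back: routing/ACL to TCP/49, shared key, or the AAA client entry.
        return "NO_SERVER_RESPONSE"
    if summary["authen"] != "PASS":
        return "AUTHENTICATION_REJECTED"
    if summary["author"] == "FAIL":
        svc = next((p for p in summary["avpairs"] if p.startswith("service=")), "service=?")
        # Server reachable and credentials accepted: the attributes returned
        # for this service are what the router is rejecting.
        return f"AUTHORIZATION_REJECTED:{svc}"
    return "OK"


if __name__ == "__main__":
    result = summarize_tacacs_debug(SAMPLE)
    print(result)
    print(diagnose(result))
```

For the capture above the result is AUTHORIZATION_REJECTED:service=auth-proxy: routing, the shared key and the AAA client entry are all fine, so the place to look is what ACS returns for the auth-proxy service. For IOS authentication proxy, Cisco's documentation has the TACACS+ server return priv-lvl=15 (and optionally proxyacl# entries) under the auth-proxy service, not the shell service, for authorization to succeed.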





Re: [OSL | CCIE_Security] proxy auth authentication faild

2012-02-11 Thread waleed '

check the routing  and reverify the network configuration on the ACS 

Date: Sat, 11 Feb 2012 21:41:13 +0300
From: salloum.a...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] proxy auth authentication faild


Hello Guys , 
I am having a similar problem, getting the message "authentication failure", but it
seems that the router is not sending the request to the ACS server,
because when I check the failed attempts on the ACS I don't see anything.
Below is the router configuration:
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
ip auth-proxy name myproxy http
int fa0/0
 ip address 10.10.10.1 255.255.255.0
 ip auth-proxy myproxy
ip http server
ip http authentication aaa
tacacs-server host 20.20.20.240 key cisco123

Anything else that needs to be done in the router? When I changed the authentication
method to local it was authenticating successfully, but not with group tacacs+.




Re: [OSL | CCIE_Security] Idintify nat and isakmp

2012-02-10 Thread waleed '

So we do not get a response for the case of NAT exemption and identity NAT. For
isakmp peers, is that detected as NAT, and do we need to open 4500? I will
lab this today and get back to you.

From: walleed...@hotmail.com
To: a@live.com; pi...@howto.pl
Date: Tue, 31 Jan 2012 16:16:36 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp







Yes, I think the issue with the Easy VPN client is related to Windows, because
the client port range for all services must always be above 1025.

From: a@live.com
To: pi...@howto.pl; walleed...@hotmail.com
CC: kingsley.char...@gmail.com; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Idintify nat and isakmp
Date: Tue, 31 Jan 2012 18:19:57 +0500








I think I have heard Marvin Greenlee saying that with some vendors source and 
destination will be same aka UDP 500 while with some vendors source could be 
different . In Cisco I think when we do Site to Site IOS Source and destination 
is same but ezvpn is different

From: pi...@howto.pl
Date: Tue, 31 Jan 2012 13:57:54 +0100
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp
To: walleed...@hotmail.com
CC: a@live.com; kingsley.char...@gmail.com; 
ccie_security@onlinestudylist.com

Nope, this has been always like this.


2012/1/31 waleed ' walleed...@hotmail.com






One more thing I saw today: when isakmp is initiated from the Easy VPN client, the
source port will be random, not 500. My client version is 5.x.x. Is this
general behavior for the Easy VPN client, or is it related to the version?



From: walleed...@hotmail.com
To: a@live.com; kingsley.char...@gmail.com; pi...@howto.pl


Date: Tue, 31 Jan 2012 12:19:22 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp









Are there differences regarding isakmp if we use exemption?

From: a@live.com
To: kingsley.char...@gmail.com; pi...@howto.pl


Date: Tue, 31 Jan 2012 15:03:40 +0500
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp








identity nat or nat exemption are EXEMPTION to the nat-control command so there 
is no NAT happening . And thus the peers will establish connection without NAT 
. In case of Static identity NAT where one IP is mapped to the same ip on other 
interface NAT-T will come in use 



Date: Tue, 31 Jan 2012 15:22:34 +0530
From: kingsley.char...@gmail.com
To: pi...@howto.pl


CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp

Piotr he is referring to Identity NAT.



With regards
Kings

On Tue, Jan 31, 2012 at 2:30 PM, Piotr Matusiak pi...@howto.pl wrote:

IPs are changed since you have NAT on ASA, right?



2012/1/31 waleed ' walleed...@hotmail.com







But how is NAT detected, if the IP and ports do not change?

From: pi...@howto.pl
Date: Tue, 31 Jan 2012 09:51:35 +0100





Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com






Yes, when NAT is used there must be UDP/500 and UDP/4500 opened only.

All is here: 
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html









Regards,
Piotr


2012/1/31 waleed ' walleed...@hotmail.com











If we have a VPN client on the outside interface of the firewall and we have identity
NAT on the firewall, is it required to open UDP 4500 for NAT traversal, and if the
answer is yes, why? How can the two peers detect NAT where there is no NAT?







  

___

For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com



Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

  



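The NAT detection the thread is asking about, as an added example that is not part of the original posts or of any Cisco code: IKEv1 NAT-Traversal (RFC 3947) does not look at the firewall's NAT configuration at all. Each peer sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) for the destination it is sending to and for its own source, and the receiver recomputes the hashes from the addresses and ports it actually sees on the wire. A mismatch means something rewrote the packet in between; if nothing did, which is exactly the case with identity NAT or NAT exemption, the peers stay on UDP/500. The cookies, the 192.0.2.10 / 198.51.100.1 / 203.0.113.7 addresses, the function names (nat_d, build_nat_d_payloads, detect_nat, negotiated_port, simulate) and the choice of SHA-1 as the negotiated hash are all assumptions made for the example.

```python
# Added example (not code from the mailing-list thread): how IKEv1 NAT-Traversal
# (RFC 3947) detects NAT with NAT-D payloads, and why identity NAT or NAT
# exemption, which rewrites neither address nor port, is not seen as NAT.
# Cookies, addresses and ports are constructed test data; SHA-1 is assumed as the
# negotiated ISAKMP hash (MD5 is equally possible in IKEv1).
import hashlib
import ipaddress

IKE_PORT = 500     # ISAKMP; stays in use when no NAT is detected
NATT_PORT = 4500   # IKE and UDP-encapsulated ESP float here only after NAT is detected


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + port.to_bytes(2, "big")
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    """Sender emits first the hash of the destination it is sending to, then one
    hash per source address it may use (a single source address here)."""
    return [nat_d(cky_i, cky_r, peer_ip, peer_port),
            nat_d(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, payloads, seen_src_ip, seen_src_port, my_ip, my_port):
    """Receiver recomputes the hashes from what it actually observes on the wire.
    Returns (peer_behind_nat, receiver_behind_nat)."""
    dst_hash, src_hashes = payloads[0], payloads[1:]
    receiver_behind_nat = dst_hash != nat_d(cky_i, cky_r, my_ip, my_port)
    peer_behind_nat = nat_d(cky_i, cky_r, seen_src_ip, seen_src_port) not in src_hashes
    return peer_behind_nat, receiver_behind_nat


def negotiated_port(peer_behind_nat, receiver_behind_nat):
    """Either side behind NAT is enough to float the exchange to UDP/4500."""
    return NATT_PORT if (peer_behind_nat or receiver_behind_nat) else IKE_PORT


def simulate(translate, client_port=IKE_PORT):
    """One exchange from a VPN client to a gateway through a device modelled by
    translate(src_ip, src_port) -> (src_ip, src_port) as the gateway sees it."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8                # constructed ISAKMP cookies
    client_ip, gateway_ip = "192.0.2.10", "198.51.100.1"   # constructed documentation addresses
    payloads = build_nat_d_payloads(cky_i, cky_r, client_ip, client_port, gateway_ip, IKE_PORT)
    seen_ip, seen_port = translate(client_ip, client_port)
    peer_nat, self_nat = detect_nat(cky_i, cky_r, payloads, seen_ip, seen_port, gateway_ip, IKE_PORT)
    return negotiated_port(peer_nat, self_nat)


def identity_nat(ip, port):
    """Identity NAT / NAT exemption: the 5-tuple leaves the firewall unchanged."""
    return ip, port


def pat(ip, port):
    """Overload PAT: new source address and new source port."""
    return "203.0.113.7", 61234


if __name__ == "__main__":
    print("identity NAT:", simulate(identity_nat))                        # 500
    print("PAT:", simulate(pat))                                           # 4500
    print("random client source port, no NAT:", simulate(identity_nat, 54321))  # 500
```

The third case covers the other observation in the thread: a client that sources ISAKMP from a random high port hashes that port into its own NAT-D, so as long as nothing rewrites it the gateway's recomputation matches and no NAT is detected. Only an actual rewrite of the address or port, the PAT case, moves the exchange to UDP/4500.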

Re: [OSL | CCIE_Security] Idintify nat and isakmp

2012-02-10 Thread waleed '

I tested all cases with NAT exempt, identity NAT and static identity NAT, and no 
NAT traversal has been used, only port 500.

From: walleed...@hotmail.com
To: a@live.com; pi...@howto.pl
Date: Fri, 10 Feb 2012 13:08:30 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp

So we have not got a response for the case of NAT exemption and identity NAT: for 
ISAKMP peers, is that detected as NAT, and do we need to open 4500? I will lab 
this today and get back to you.

From: walleed...@hotmail.com
To: a@live.com; pi...@howto.pl
Date: Tue, 31 Jan 2012 16:16:36 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp

Yes, I think the issue with the Easy VPN client is related to Windows, because the 
client port range for all services must always be above 1025.

From: a@live.com
To: pi...@howto.pl; walleed...@hotmail.com
CC: kingsley.char...@gmail.com; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Idintify nat and isakmp
Date: Tue, 31 Jan 2012 18:19:57 +0500

I think I have heard Marvin Greenlee saying that with some vendors the source and 
destination port will be the same, i.e. UDP 500, while with some vendors the source 
could be different. In Cisco, I think when we do site-to-site on IOS the source and 
destination are the same, but EzVPN is different.

From: pi...@howto.pl
Date: Tue, 31 Jan 2012 13:57:54 +0100
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp
To: walleed...@hotmail.com
CC: a@live.com; kingsley.char...@gmail.com; 
ccie_security@onlinestudylist.com

Nope, it has always been like this.


2012/1/31 waleed ' walleed...@hotmail.com

One more thing I saw today: when ISAKMP is initiated from the Easy VPN client, the 
source port will be random, not 500. My client version is 5.x.x; is this general 
behavior for the Easy VPN client or is it related to the version?




Re: [OSL | CCIE_Security] GET VPN multicast rekey

2012-02-10 Thread waleed '

Dear Kings,

R2 is not a member of GET VPN, only R3 and R4, and I removed the crypto map from 
the server interface (it is my mistake), but the important thing is how to pass 
rekey traffic using multicast through a multiple-context ASA. Did anyone try GRE?

Date: Sat, 28 Jan 2012 08:35:10 +0530
Subject: Re: [OSL | CCIE_Security] GET VPN multicast rekey
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

I see mis-configurations.

On the KS, the crypto map is configured and associated with the interface, which 
is not required. On R2, I don't see a crypto map configured on the interface. 

But definitely, this is beyond the CCIE Security scope.



With regards
Kings

On Sat, Jan 28, 2012 at 12:59 AM, waleed ' walleed...@hotmail.com wrote:

Hello, I am trying the multicast rekey case in this link 
http://www.ccie1.com/?p=427 
scenario 7, where the server is on the inside of a multimode firewall.

My topology is:

R1 (KS) --- ASA (multimode) --- R2 --- R3 (GM)
                                 |
                                 +--- R4 (GM)

I configured a GRE tunnel between R2 and R1, configured PIM sparse mode, and 
configured R1 as RP using its loopback, but still when the KS sends the rekey it 
sends it across the firewall, which drops it. I can't find a way to force it to 
send it through the tunnel. Below is my config:



###R1 config 

!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
no ip domain lookup
ip multicast-routing
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 10.0.3.3
crypto isakmp key cisco123 address 10.0.3.4
!
crypto ipsec transform-set GET_TRANS esp-3des esp-md5-hmac
!
crypto ipsec profile GET_PROF
 set transform-set GET_TRANS
!
crypto gdoi group mygroup
 identity number 
 server local
  rekey algorithm aes 256
  rekey address ipv4 199
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GET
  sa ipsec 1
   profile GET_PROF
   match address ipv4 CRYPTO_ACL
   replay counter window-size 64
  address ipv4 10.0.0.1
!
crypto map GET_MAP 10 gdoi
 set group mygroup
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
 ip pim sparse-mode
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 10.0.2.2
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
 crypto map GET_MAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.0.2.12
ip route 0.0.0.0 0.0.0.0 10.0.0.12
no ip http server
no ip http secure-server
!
ip pim rp-address 10.0.0.1
!
ip access-list extended CRYPTO_ACL
 permit ip host 3.3.3.3 host 4.4.4.4
 permit ip host 4.4.4.4 host 3.3.3.3
!
logging alarm informational
access-list 199 permit udp host 10.0.0.1 eq 848 host 224.10.10.10 eq 848
!
route-map rmap permit 10
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end


###R2 config 

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
no ip domain lookup
ip multicast-routing
!
multilink bundle-name authenticated
!
crypto gdoi group mygroup
 identity number 
 server address ipv4 10.0.0.1
!
crypto map GET_MAP 10 gdoi
 set group mygroup
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel1
 ip address 172.16.1.2 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 10.0.0.1
!
interface FastEthernet0/0
 ip address 10.0.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.3.2 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.0.2.0 0.0.0.255 area 0
 network 10.0.3.0 0.0.0.255 area 0
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 10.0.2.12
no ip http server
no ip http secure-server
!
ip pim rp-address 10.0.0.1
!
logging alarm informational
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end

###R3 config 




hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip multicast-routing
!
multilink bundle-name authenticated

Re: [OSL | CCIE_Security] GET VPN multicast rekey

2012-02-10 Thread waleed '

I will lab that and come back to you with my results

Date: Fri, 10 Feb 2012 21:53:01 +0530
Subject: Re: [OSL | CCIE_Security] GET VPN multicast rekey
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

I tried using a tunnel interface; it didn't work as expected. Check out the 
following link, where Piotr has explained it. 

http://www.ccie1.com/?p=427

When you have two GMs, then either use two tunnel interfaces (point-to-point) 
on the KS, one for each GM, or use a single GRE tunnel interface in GRE multipoint 
mode on the KS and use NHRP for the GMs to register with the KS. 






With regards
Kings


Re: [OSL | CCIE_Security] GET VPN multicast rekey

2012-02-10 Thread waleed '

It registers through the ASA, and I made the tunnel, but the traffic is sourced 
from f0/0, goes to the ASA and is dropped there. Do we have to make the GM 
register through the tunnel to resolve this?

From: pi...@howto.pl
Date: Fri, 10 Feb 2012 18:16:54 +0100
Subject: Re: [OSL | CCIE_Security] GET VPN multicast rekey
To: kingsley.char...@gmail.com
CC: walleed...@hotmail.com; ccie_security@onlinestudylist.com

Hi,

All you need is to create a tunnel between the KS and the router on the ASA 
outside. The tunnel is there just to carry mcast traffic through the ASA. From the 
router, the mcast traffic can be routed using a dynamic routing protocol like PIM.

The more important question is how the GMs register to the KS: is it through the 
tunnel or through the ASA?

Regards,
Piotr


Re: [OSL | CCIE_Security] GET VPN multicast rekey

2012-02-10 Thread waleed '

I tried with PIM dense mode but it did not work. I think that is the only 
difference from your config; I will try again.

From: pi...@howto.pl
Date: Fri, 10 Feb 2012 18:50:48 +0100
Subject: Re: [OSL | CCIE_Security] GET VPN multicast rekey
To: walleed...@hotmail.com
CC: kingsley.char...@gmail.com; ccie_security@onlinestudylist.com

Guys,

I've just spent 10 minutes on labbing. My topo was: R1 - ASA - R2 - R3

R1 is KS
R3 is GM

Configs:

R1

ip multicast-routing
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 100.1.23.3
!
crypto ipsec transform-set GET esp-3des esp-md5-hmac
!
crypto ipsec profile GET
 set transform-set GET
!
crypto gdoi group GET
 identity number 123
 server local
  rekey address ipv4 GET-REKEY
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa KEYS
  sa ipsec 1
   profile GET
   match address ipv4 GET-POLICY
   replay counter window-size 64
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip pim sparse-mode
!
interface Tunnel12
 ip address 172.16.12.1 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 100.2.2.2
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex full
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 12
 network 1.1.1.1 0.0.0.0
 network 172.16.12.1 0.0.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.10
no ip http server
no ip http secure-server
!
ip pim rp-address 1.1.1.1
!
ip access-list extended GET-POLICY
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip host 2.2.2.2 host 1.1.1.1
ip access-list extended GET-REKEY
 permit ip any host 239.1.2.3

R2

ip multicast-routing
!
interface Tunnel12
 ip address 172.16.12.2 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 10.1.1.1
!
interface FastEthernet0/0
 ip address 100.2.2.2 255.255.255.0
 duplex full
 speed auto
!
interface FastEthernet0/1
 ip address 100.1.23.2 255.255.255.0
 ip pim sparse-mode
 duplex full
 speed auto
!
interface FastEthernet1/0
 ip address 10.1.222.2 255.255.255.0
 duplex full
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 12
 network 172.16.12.2 0.0.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 100.2.2.10
no ip http server
no ip http secure-server
!
ip pim rp-address 1.1.1.1
!

R3

ip multicast-routing
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.1.1.1
!
crypto gdoi group GET
 identity number 123
 server address ipv4 10.1.1.1
!
crypto map GET 10 gdoi
 set group GET
!
interface FastEthernet0/0
 ip address 100.1.23.3 255.255.255.0
 ip pim sparse-mode
 duplex full
 speed auto
 crypto map GET
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 100.1.23.2
no ip http server
no ip http secure-server
!
ip pim rp-address 1.1.1.1
!

ASA
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.2.2.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
access-list OUTSIDE_IN extended permit gre any any
access-list OUTSIDE_IN extended permit udp any eq 848 any eq 848
access-list OUTSIDE_IN extended permit icmp any any






Log:

R1(config)#ip access-list extended GET-POLICY
R1(config-ext-nacl)# per ip h 2.2.2.2 h 1.1.1.1
R1(config-ext-nacl)#^Z
R1#
*Feb 10 18:45:38.931: %SYS-5-CONFIG_I: Configured from console by console
*Feb 10 18:45:39.079: %GDOI-5-KS_SEND_MCAST_REKEY: Sending Multicast Rekey for 
group GET from address 0.0.0.0 to 239.1.2.3  with seq # 1
R1#

R3#sh cry gdo gm rek
Group GET (Multicast)
Number of Rekeys received (cumulative)       : 0
Number of Rekeys received after registration : 0

Rekey (KEK) SA information :
          dst          src        conn-id   my-cookie   his-cookie
New     : 239.1.2.3    0.0.0.0    1006      7C9B51F7    BE5F0922
Current : ---          ---        ---       ---         ---
Previous: ---          ---        ---       ---         ---

R3#
*Feb 10 18:45:38.799: %GDOI-5-GM_RECV_REKEY: Received Rekey for group GET from 
0.0.0.0 to 239.1.2.3 with seq # 1

R3#sh cry gdo gm rek
Group GET (Multicast)
Number of Rekeys received (cumulative)       : 1
Number of Rekeys received after registration : 1

Rekey (KEK) SA information :
          dst          src        conn-id   my-cookie   his-cookie
New     : 239.1.2.3    0.0.0.0    1007      D9A50754    B67F8679
Current : ---          ---        ---       ---         ---
Previous: ---          ---        ---       ---         ---

HTH,
Piotr









Re: [OSL | CCIE_Security] GET VPN multicast rekey

2012-02-10 Thread waleed '

No, but in Piotr's solution it is not like this; see, 10.1.1.1 is not reachable 
through the tunnel interface :). But the difference is that the RP is reachable 
through the tunnel, so the multicast traffic will come through it, and as a result 
the rekey is not coming through the firewall as multicast.

From: a@live.com
To: walleed...@hotmail.com; pi...@howto.pl; kingsley.char...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] GET VPN multicast rekey
Date: Fri, 10 Feb 2012 23:24:50 +0500








When you put the IP address of the key server in the GM, make sure that it is 
reachable through the tunnel (using any protocol or a static route) and not directly 
via the ASA (multi). This way the ASA will be bypassed and you will be able to 
achieve what you require.

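The routing detail the last two replies turn on, as an added illustration that is not part of the original posts or of any IOS code: a PIM sparse-mode router sends its Join toward the RP out of whichever interface its unicast table uses to reach the RP, and accepts the group's traffic only on that interface (the RPF check). In waleed's R2 the RP 10.0.0.1 is covered only by the default route toward the ASA, so the tree is built toward the firewall and the rekey dies there; in Piotr's R2 the RP is the KS loopback 1.1.1.1, learned by EIGRP over Tunnel12, so the tree is built over the tunnel. The toy RIB below is constructed from the addresses in the two configs, the class and function names (Rib, rpf_interface, rekey_tree_uses_tunnel, recursive_routing) are assumptions for the example, and it also shows the trap in the obvious quick fix for waleed's design: routing 10.0.0.1 into Tunnel1 would route the tunnel's own destination through itself, which IOS refuses (recursive routing), so the RP has to be a loopback rather than the tunnel endpoint.

```python
# Added example (not code from the thread): a toy unicast RIB with longest-prefix
# match plus the PIM RPF rule, used to show why the RP must be reachable through
# the GRE tunnel for the rekey to flow over it rather than toward the ASA, and
# the recursive-routing trap of pointing the tunnel's own endpoint into the tunnel.
# The tables are constructed from the addresses in the two lab configs above; they
# are not router output. Interface names follow the configs.
import ipaddress


class Rib:
    """Minimal unicast routing table: (prefix, outgoing interface) pairs."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))
        return self

    def rpf_interface(self, addr):
        """Interface the router would use to reach addr (longest prefix wins).
        PIM sends its Join toward the RP out of this interface and accepts the
        group's traffic only on it."""
        a = ipaddress.ip_address(addr)
        matches = [(n, i) for n, i in self.routes if a in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def rekey_tree_uses_tunnel(rib, rp, tunnel_iface):
    """True when the (*,G) tree from this router toward the RP is built over the
    GRE tunnel; otherwise the Join and the rekey both head for the ASA, which is
    where the thread saw the multicast dropped."""
    return rib.rpf_interface(rp) == tunnel_iface


def recursive_routing(rib, tunnel_iface, tunnel_dest):
    """A GRE tunnel whose destination is itself routed through that tunnel cannot
    encapsulate; IOS takes such a tunnel down for recursive routing."""
    return rib.rpf_interface(tunnel_dest) == tunnel_iface


# waleed's R2: default route to the ASA, RP set to the KS Fa0/0 address 10.0.0.1
WALEED_R2 = Rib().add("0.0.0.0/0", "FastEthernet0/0").add("172.16.1.0/24", "Tunnel1")

# Piotr's R2: RP is the KS loopback 1.1.1.1, learned by EIGRP across Tunnel12;
# the tunnel endpoint 10.1.1.1 is still reached via the default route to the ASA
PIOTR_R2 = (Rib().add("0.0.0.0/0", "FastEthernet0/0")
                 .add("172.16.12.0/24", "Tunnel12")
                 .add("1.1.1.1/32", "Tunnel12"))

# Tempting fix for waleed's design: route the RP 10.0.0.1 via Tunnel1. But
# 10.0.0.1 is also Tunnel1's destination, so the tunnel would route to itself.
BAD_FIX_R2 = (Rib().add("0.0.0.0/0", "FastEthernet0/0")
                   .add("172.16.1.0/24", "Tunnel1")
                   .add("10.0.0.1/32", "Tunnel1"))

# Working fix: make the loopback 1.1.1.1 the RP and route only that via Tunnel1,
# leaving the tunnel endpoint 10.0.0.1 reachable through the ASA.
GOOD_FIX_R2 = (Rib().add("0.0.0.0/0", "FastEthernet0/0")
                    .add("172.16.1.0/24", "Tunnel1")
                    .add("1.1.1.1/32", "Tunnel1"))

if __name__ == "__main__":
    print("waleed  :", rekey_tree_uses_tunnel(WALEED_R2, "10.0.0.1", "Tunnel1"))  # False
    print("Piotr   :", rekey_tree_uses_tunnel(PIOTR_R2, "1.1.1.1", "Tunnel12"))   # True
    print("bad fix :", recursive_routing(BAD_FIX_R2, "Tunnel1", "10.0.0.1"))      # True
    print("good fix:", rekey_tree_uses_tunnel(GOOD_FIX_R2, "1.1.1.1", "Tunnel1"),
          recursive_routing(GOOD_FIX_R2, "Tunnel1", "10.0.0.1"))                 # True False
```

The same check applies to the GMs behind R2: their route to the RP must also resolve toward R2's PIM-enabled interface, while the route to the KS address used for registration (10.1.1.1 in Piotr's lab) can stay via the ASA, because registration is unicast UDP/848 that the ASA's OUTSIDE_IN ACL permits.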

Re: [OSL | CCIE_Security] GET VPN multicast rekey

2012-02-10 Thread waleed '
 :
  dst src conn-id  my-cookie  his-cookie



New : 239.1.2.3   0.0.0.0   1007   D9A50754   B67F8679
Current : --- ---   ---------
Previous: --- ---   ---------









HTH,
Piotr








2012/2/10 waleed ' walleed...@hotmail.com







I will lab that and come back to you with my results

Date: Fri, 10 Feb 2012 21:53:01 +0530
Subject: Re: [OSL | CCIE_Security] GET VPN multicast rekey
From: kingsley.char...@gmail.com



To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

I tried using tunnel interface it didn't work as expected.  Check out the 
following link and Piotr has explained it. 




http://www.ccie1.com/?p=427

When you have two GMs, then either use two tunnel interfaces (point to point) 
on the KS for each GM or use single GRE tunnel interface in gre multiple mode 
on KS and use NHRP for the GMs to register with the KS. 









With regards
Kings

On Fri, Feb 10, 2012 at 7:43 PM, waleed ' walleed...@hotmail.com wrote:








dear kings , 


R2 is not member of get vpn , only R3 and R4 , and I remove the crypto map from 
the server interface (it is my mistake) , but the important thing how to pass 
rekey traffic using multicast from multiple context ASA , did any one tried GRE 
?





Date: Sat, 28 Jan 2012 08:35:10 +0530
Subject: Re: [OSL | CCIE_Security] GET VPN multicast rekey
From: kingsley.char...@gmail.com




To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com


I see mus-configurations.

In the KS, the crypto map is configured and associated to the interface which 
is not required. On R2, I don't see crypto map configured to the interface. 

But definitely, this is beyond CCIE Security scope.







With regards
Kings

Re: [OSL | CCIE_Security] ACL and auth-proxy

2012-02-09 Thread waleed '

To see the authenticated user you can use: show ip auth-proxy cache
And please note, if there is no ACL applied on the interface, no ACL will be
installed, and that is logical, because if there is no access list there then
the downloaded ACL will limit the open protocols and ports on time; that is not
the work of auth-proxy.
Regards

From: a@live.com
To: ccie_security@onlinestudylist.com
Date: Thu, 9 Feb 2012 16:59:39 +0500
Subject: [OSL | CCIE_Security] ACL and auth-proxy

While doing debugs I get following messages

*Mar  1 00:40:26.271: TAC+: Received Attribute priv-lvl=15
*Mar  1 00:40:26.271: TAC+: Received Attribute proxyacl#1=permit tcp any any 
eq 80
*Mar  1 00:40:26.275: TAC+: Received Attribute proxyacl#2=permit icmp any any
*Mar  1 00:40:26.275: AAA/AUTHOR (1909359833): Post authorization status = 
PASS_ADD


and on the client end I see authentication successful. But on the router, when I do
show ip access-list or show access-list, I don't see any ACL. I remember in ASA
the command was show uauth to check that; is there any different command to
check these dynamic ACLs? I can't remember it at the moment.

On IOS, when I do show ip auth-proxy cache, I can see the client IP address and
username.


  

___
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com

Re: [OSL | CCIE_Security] ACL and auth-proxy

2012-02-09 Thread waleed '

The question is why, in some examples for auth-proxy, we use an access-list to
deny any any from accessing the HTTP server.

Date: Thu, 9 Feb 2012 18:37:54 +0530
From: kingsley.char...@gmail.com
To: a@live.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] ACL and auth-proxy

You need to apply the access-list to the interface.

With regards
Kings

On Thu, Feb 9, 2012 at 6:35 PM, HA Ali a@live.com wrote:

Kings:
   Even when there is no access-group defined on the interface, as explained
in the doc CD? (following is the copy and paste from it)

Date: Thu, 9 Feb 2012 18:32:59 +0530
Subject: Re: [OSL | CCIE_Security] ACL and auth-proxy

From: kingsley.char...@gmail.com
To: a@live.com
CC: ccie_security@onlinestudylist.com


sh access-list should show them.

With regards
Kings

[OSL | CCIE_Security] auth-Proxy access-list

2012-02-07 Thread waleed '

I configured auth-proxy with this access-list for the user:
priv-lvl=15
proxyacl#1=permit icmp any any
proxyacl#2=permit tcp any any
proxyacl#3=permit udp any any
but when the user authenticates, the downloaded ACL is:
Extended IP access list 102
    permit icmp host 10.10.10.200 any
    permit tcp host 10.10.10.200 any
    permit udp host 10.10.10.200 any
    10 deny ip any any (378 matches)

so it installs entries only for the authenticated host. Can we make it open
for the whole subnet, or let the router install them as any any?

Regards
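As an added illustration (not code from the thread or from IOS), a small Python model of what the router does with the proxyacl#N entries above: the source field of each entry is rewritten to the authenticated host and the result is inserted ahead of the interface's inbound ACL, so with no ACL applied there is nothing to insert into. The AV-pairs and the interface ACL below are constructed.

```python
import re
from typing import Dict, List, Optional

# proxyacl#N AV-pairs, in the shape they appear in the TAC+ authorization debug.
PROXYACL_RE = re.compile(r"^proxyacl#(\d+)=(.+)$")


def parse_proxy_acls(av_pairs: List[str]) -> List[str]:
    """Collect proxyacl#N entries from the authorization reply, ordered by N.
    Other attributes (priv-lvl and so on) are ignored here."""
    found: Dict[int, str] = {}
    for av in av_pairs:
        m = PROXYACL_RE.match(av.strip())
        if m:
            found[int(m.group(1))] = m.group(2).strip()
    return [found[n] for n in sorted(found)]


def bind_to_host(entry: str, host: str) -> str:
    """Rewrite the entry's source field to the authenticated host, which is
    why 'permit tcp any any eq 80' is installed as
    'permit tcp host 10.10.10.200 any eq 80'. Only 'permit <proto> any ...'
    entries are accepted, matching what the router expects in proxyacl#N."""
    parts = entry.split()
    if len(parts) < 4 or parts[0] != "permit" or parts[2] != "any":
        raise ValueError(f"unsupported proxyacl entry: {entry!r}")
    return " ".join(parts[:2] + ["host", host] + parts[3:])


def effective_acl(interface_acl: Optional[List[str]],
                  av_pairs: List[str], host: str) -> List[str]:
    """Dynamic entries go in ahead of the interface's inbound ACL.
    With no ACL applied inbound there is nothing to insert into, so nothing
    is installed (the behaviour the thread describes)."""
    if interface_acl is None:
        return []
    dynamic = [bind_to_host(e, host) for e in parse_proxy_acls(av_pairs)]
    return dynamic + interface_acl


# Constructed sample authorization reply (order deliberately scrambled).
AUTHZ_REPLY = [
    "priv-lvl=15",
    "proxyacl#2=permit icmp any any",
    "proxyacl#1=permit tcp any any eq 80",
]
# Constructed interface ACL: the unauthenticated host must still be able to
# reach the router's auth-proxy page, everything else is denied.
INTERFACE_ACL = [
    "permit tcp any host 10.10.10.1 eq www",
    "deny ip any any",
]

if __name__ == "__main__":
    for line in effective_acl(INTERFACE_ACL, AUTHZ_REPLY, "10.10.10.200"):
        print(line)
```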

[OSL | CCIE_Security] IOS SSL VPN IOS CA

2012-02-04 Thread waleed '

Is there a conflict between IOS CA and SSL VPN if we enable the two on the same
interface?
Regards

[OSL | CCIE_Security] ssl authenticate verify all

2012-02-03 Thread waleed '

Does anyone know the purpose of the command ssl authenticate verify all under IOS
SSL VPN context configuration?

[OSL | CCIE_Security] Idintify nat and isakmp

2012-01-31 Thread waleed '

If we have a VPN client on the outside interface of the firewall and we have identity
NAT on the firewall, is it required to open UDP 4500 for NAT traversal, and if the
answer is yes, why? How can the two peers detect NAT where there is no NAT?

Re: [OSL | CCIE_Security] Idintify nat and isakmp

2012-01-31 Thread waleed '

But how is NAT detected, if the IP and ports do not change?

From: pi...@howto.pl
Date: Tue, 31 Jan 2012 09:51:35 +0100
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

Yes, when NAT is used there must be UDP/500 and UDP/4500 opened only.

All is here: 
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

Regards,
Piotr
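How the two peers answer the question above (detecting NAT when identity NAT leaves IP and port unchanged), as an added Python illustration of the IKEv1 NAT-D check from RFC 3947; this is not code from the thread, the linked Cisco document or any vendor, and the cookies, addresses and the identity_nat/pat translation functions are constructed.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed 8-byte ISAKMP cookies for the illustration (not captured values).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


@dataclass(frozen=True)
class Endpoint:
    """One side of the IKE exchange as it appears in the IP/UDP headers."""
    ip: str
    port: int


def nat_d_hash(cky_i: bytes, cky_r: bytes, ep: Endpoint,
               hash_name: str = "sha1") -> bytes:
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port),
    using the hash algorithm negotiated in Phase 1 (SHA-1 here)."""
    data = (cky_i + cky_r
            + ipaddress.ip_address(ep.ip).packed
            + struct.pack("!H", ep.port))
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i: bytes, cky_r: bytes, local: Endpoint,
                remote: Endpoint) -> Tuple[bytes, bytes]:
    """What the sender puts on the wire: first the hash of the remote end
    (the packet's destination as the sender sees it), then its own address."""
    return nat_d_hash(cky_i, cky_r, remote), nat_d_hash(cky_i, cky_r, local)


def detect_nat(cky_i: bytes, cky_r: bytes, received: Tuple[bytes, bytes],
               local: Endpoint, observed_peer: Endpoint) -> Tuple[bool, bool]:
    """Receiver side: recompute both hashes from the addresses actually seen
    in the packet and compare with what the peer sent.
    Returns (local_behind_nat, peer_behind_nat)."""
    peer_view_of_us, peer_view_of_itself = received
    local_behind_nat = peer_view_of_us != nat_d_hash(cky_i, cky_r, local)
    peer_behind_nat = peer_view_of_itself != nat_d_hash(cky_i, cky_r, observed_peer)
    return local_behind_nat, peer_behind_nat


def run_scenario(initiator: Endpoint, responder: Endpoint,
                 translate: Callable[[Endpoint], Endpoint]) -> Dict[str, object]:
    """The initiator sends its NAT-D payloads; `translate` models what the
    device in the path (the ASA here) does to the initiator's source address
    and port before the responder sees the packet."""
    payloads = build_nat_d(CKY_I, CKY_R, local=initiator, remote=responder)
    observed_src = translate(initiator)
    resp_nat, init_nat = detect_nat(CKY_I, CKY_R, payloads,
                                    local=responder, observed_peer=observed_src)
    nat_present = resp_nat or init_nat
    return {
        "initiator_behind_nat": init_nat,
        "responder_behind_nat": resp_nat,
        # With NAT detected both sides float to UDP/4500 (UDP-encapsulated
        # ESP); otherwise IKE stays on UDP/500 and ESP rides IP protocol 50.
        "ike_port": 4500 if nat_present else 500,
    }


# Constructed addresses from the RFC 5737 documentation ranges.
CLIENT = Endpoint("192.0.2.10", 500)       # VPN client on the ASA's outside
VPN_PEER = Endpoint("198.51.100.1", 500)   # VPN headend behind the ASA


def identity_nat(ep: Endpoint) -> Endpoint:
    """Identity NAT / NAT exemption: address and port pass through unchanged."""
    return ep


def pat(ep: Endpoint) -> Endpoint:
    """Dynamic PAT: source rewritten to the interface address and a high port."""
    return Endpoint("203.0.113.5", 1024)


if __name__ == "__main__":
    for name, fn in (("identity NAT", identity_nat), ("PAT", pat)):
        print(name, run_scenario(CLIENT, VPN_PEER, fn))
```

Because the sender hashes whatever source port it actually used, a client that initiates from a random high port under identity NAT still produces matching hashes and stays on UDP/500.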

Re: [OSL | CCIE_Security] Idintify nat and isakmp

2012-01-31 Thread waleed '

Is there a difference regarding ISAKMP if we use exemption?

From: a@live.com
To: kingsley.char...@gmail.com; pi...@howto.pl
Date: Tue, 31 Jan 2012 15:03:40 +0500
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp

Identity NAT or NAT exemption are EXEMPTIONS to the nat-control command, so there
is no NAT happening. And thus the peers will establish the connection without NAT.
In case of static identity NAT, where one IP is mapped to the same IP on the other
interface, NAT-T will come into use.

Date: Tue, 31 Jan 2012 15:22:34 +0530
From: kingsley.char...@gmail.com
To: pi...@howto.pl
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp

Piotr he is referring to Identity NAT.

With regards
Kings

On Tue, Jan 31, 2012 at 2:30 PM, Piotr Matusiak pi...@howto.pl wrote:

IPs are changed since you have NAT on ASA, right?

Re: [OSL | CCIE_Security] Idintify nat and isakmp

2012-01-31 Thread waleed '

One more thing I saw today: when ISAKMP initiates from the Easy VPN client, the
source port will be random, not 500. My client version is 5.x.x. Is this
general behavior for the Easy VPN client, or is it related to the version?

From: walleed...@hotmail.com
To: a@live.com; kingsley.char...@gmail.com; pi...@howto.pl
Date: Tue, 31 Jan 2012 12:19:22 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp

Re: [OSL | CCIE_Security] Idintify nat and isakmp

2012-01-31 Thread waleed '

Yes, I think the issue with the Easy VPN client is related to Windows, because
the client port range for all services must always be above 1025.

From: a@live.com
To: pi...@howto.pl; walleed...@hotmail.com
CC: kingsley.char...@gmail.com; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Idintify nat and isakmp
Date: Tue, 31 Jan 2012 18:19:57 +0500

I think I have heard Marvin Greenlee saying that with some vendors the source and
destination will be the same, aka UDP 500, while with some vendors the source could be
different. In Cisco, I think when we do site-to-site IOS the source and destination
are the same, but EzVPN is different.

From: pi...@howto.pl
Date: Tue, 31 Jan 2012 13:57:54 +0100
Subject: Re: [OSL | CCIE_Security] Idintify nat and isakmp
To: walleed...@hotmail.com
CC: a@live.com; kingsley.char...@gmail.com; 
ccie_security@onlinestudylist.com

Nope, this has been always like this.

Re: [OSL | CCIE_Security] RE : SNMP VERSION 3

2012-01-30 Thread waleed '

I think it is authnopriv, because encryption is not required. By the way, is the
MIB locator tool available in the lab exam?

 From: n.is...@cbi.ma
 To: kingsley.char...@gmail.com
 Date: Mon, 30 Jan 2012 09:36:46 +
 CC: ccie_security@onlinestudylist.com
 Subject: [OSL | CCIE_Security] RE :  SNMP VERSION 3
 
 Hi , 
 
 the question is exactly
 
 Config on R5
 
 Enable SNMPv3.
 USER1  user can read and write INTERNET and all snmp object in the sub-tree
 USER2  user only can read CISCO and all snmp object in the sub tree
 
 Those 2 users need to be authenticated
 
 Password is cisco
 
 in this case, do we need to configure authpriv or authnopriv?
 
 Regards
 
 
 De : Kingsley Charles [kingsley.char...@gmail.com]
 Date d'envoi : lundi 30 janvier 2012 05:33
 À : n.issam
 Cc : .
 Objet : Re: [OSL | CCIE_Security] SNMP VERSION 3
 
 Your task is missing some information - the user names and what security
 model the group should be configured for - authpriv or authnopriv.
 
 
 snmp-server view ciscoview cisco included
 snmp-server view internetview internet included
 snmp-server group TEST1 v3 priv read internetview write internetview
 snmp-server group TEST2 v3 priv read ciscoview
 snmp-server user TEST2 v3 v3 auth sha CISCO123 priv 3des CISCO123
 snmp-server user TEST1 TEST1 v3 auth sha CISCO123 priv 3des CISCO123
 
 
 
 router2#sh snmp user
 
 User name: TEST1
 Engine ID: 800903137F74CD30
 storage-type: nonvolatileactive
 Authentication Protocol: SHA
 Privacy Protocol: 3DES
 Group-name: TEST1
 
 User name: TEST2
 Engine ID: 800903137F74CD30
 storage-type: nonvolatileactive
 Authentication Protocol: SHA
 Privacy Protocol: 3DES
 Group-name: v3
 
 With regards
 Kings
 
 On Mon, Jan 30, 2012 at 3:36 AM, n.issam 
 n.is...@cbi.mamailto:n.is...@cbi.ma wrote:
 Hello All ,
 
 I need your help to find solution the correct solution of this question :
 
 create 2 snmp
 mib INTERNET include all object in MIB internet
 mib CISCO include entire cisco MIB
 Enable SNMPv3.
 TEST1 user can read and write INTERNET and all snmp object in the sub-tree
 TEST2  user only can read cisco and all snmp object in the sub tree
 
 Those 2 users need to be authenticated Password is CISCO123
 
 
 many thanks for your support
 
 
 Regards

Re: [OSL | CCIE_Security] aaa attributes

2012-01-28 Thread waleed '

No, I am trying with TACACS. Will it not work with RADIUS?

Date: Sat, 28 Jan 2012 08:45:57 +0530
Subject: Re: [OSL | CCIE_Security] aaa attributes
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

I presume you are testing with radius. Does it work without shell?


With regards
Kings

On Sat, Jan 28, 2012 at 3:47 AM, waleed ' walleed...@hotmail.com wrote:

Is there a difference if we configure on ACS the attribute directly without the
category, for example:
shell:priv-lvl
or
priv-lvl

I tested that and it worked fine.

Re: [OSL | CCIE_Security] aaa attributes

2012-01-28 Thread waleed '

It is just an example; I mean, in general, is it required?

Date: Sat, 28 Jan 2012 20:33:15 +0530
Subject: Re: [OSL | CCIE_Security] aaa attributes
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

Why do you want to use that with TACACS, when you already have it pre-defined under
the shell section?

With regards
Kings

Re: [OSL | CCIE_Security] aaa attributes

2012-01-28 Thread waleed '

For example, for auth-proxy, if we do not define the auth-proxy attribute, can we
just use it like the auth-proxy tag in RADIUS?

From: walleed...@hotmail.com
To: kingsley.char...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] aaa attributes
Date: Sat, 28 Jan 2012 15:05:48 +

[OSL | CCIE_Security] GET VPN multicast rekey

2012-01-27 Thread waleed '

Hello, I am trying the multicast rekey case in this link
http://www.ccie1.com/?p=427
scenario 7, where the server is on the inside of a multimode firewall.

My topology is:


R1 (KS)ASA(multimode) __R2_R3(GM)
  |
  |_R4(GM)


I configured a GRE tunnel between R2 and R1, configured PIM sparse mode, and
configured R1 as RP using its loopback, but still when the KS sends the rekey it
sends it across the firewall, which drops it. I can't find a way to force it to
send it through the tunnel. Below is my config:


###R1 config 


!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip multicast-routing
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 10.0.3.3
crypto isakmp key cisco123 address 10.0.3.4
!
!
crypto ipsec transform-set GET_TRANS esp-3des esp-md5-hmac
!
crypto ipsec profile GET_PROF
 set transform-set GET_TRANS
!
crypto gdoi group mygroup
 identity number 
 server local
  rekey algorithm aes 256
  rekey address ipv4 199
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GET
  sa ipsec 1
   profile GET_PROF
   match address ipv4 CRYPTO_ACL
   replay counter window-size 64
  address ipv4 10.0.0.1
!
!
crypto map GET_MAP 10 gdoi
 set group mygroup
!
!
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
 ip pim sparse-mode
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 10.0.2.2
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
 crypto map GET_MAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.0.2.12
ip route 0.0.0.0 0.0.0.0 10.0.0.12
no ip http server
no ip http secure-server
!
!
ip pim rp-address 10.0.0.1
!
ip access-list extended CRYPTO_ACL
 permit ip host 3.3.3.3 host 4.4.4.4
 permit ip host 4.4.4.4 host 3.3.3.3
!
logging alarm informational
access-list 199 permit udp host 10.0.0.1 eq 848 host 224.10.10.10 eq 848
!
!
!
route-map rmap permit 10
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end


###R2 config 


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip multicast-routing
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto gdoi group mygroup
 identity number 
 server address ipv4 10.0.0.1
!
!
crypto map GET_MAP 10 gdoi
 set group mygroup
!
!
!
!
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel1
 ip address 172.16.1.2 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 10.0.0.1
!
interface FastEthernet0/0
 ip address 10.0.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.3.2 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.0.2.0 0.0.0.255 area 0
 network 10.0.3.0 0.0.0.255 area 0
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 10.0.2.12
no ip http server
no ip http secure-server
!
!
ip pim rp-address 10.0.0.1
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end

###R3 config 



hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip multicast-routing
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 10.0.0.1
!
!
crypto gdoi group mygroup
 identity number 
 server address ipv4 10.0.0.1
!
!
crypto map GET_MAP 10 gdoi
 set group mygroup
!
!
!
!
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.3.3 255.255.255.0
 duplex auto
 speed auto
 crypto map GET_MAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 10.0.3.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 

Re: [OSL | CCIE_Security] Private VLANs granularity

2012-01-27 Thread waleed '

If you are talking about using private VLANs, let us say B will be an isolated private VLAN, A will be of type community, and C will be of type community. I think this will do it.
Regards

From: bastien.mige...@gmail.com
To: fawa...@gmail.com
Date: Wed, 25 Jan 2012 13:21:46 +0100
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Private VLANs granularity



Hi Fawad,

This is just an example; I'm just wondering if this is feasible. At least I don't see a way with Private VLANs. Let's say there would be more than one user in each different group, but I don't think this matters.

Regards,
Bastien
From: Fawad Khan [mailto:fawa...@gmail.com] 
Sent: Tuesday, January 24, 2012 23:16
To: Bastien Migette
Cc: ccie security
Subject: Re: [OSL | CCIE_Security] Private VLANs granularity

Bastien,

Is that a corporate requirement or part of an INE or iPexpert workbook?

Can you give more details, please. Like how many users per vlan.

On Tuesday, January 24, 2012, Bastien Migette bastien.mige...@gmail.com wrote:
 Hi Folks,

 Do you see a way to achieve the following requirements, using private vlans
 or anything else:

 We have a SVI for VLAN 100 containing web servers
 We want three groups:
 A- vlan 200 - Regular users
 B- vlan 201 - Guest users
 C- vlan 202 - Corp servers

 We want A and B having access to web servers
 Members of A can access each other, and access corp servers
 Members of B can't access each other and can't access Corp servers.

 Any idea?

 Thanks 

 ___
 For more information regarding industry leading CCIE Lab training, please 
 visit www.ipexpert.com

 Are you a CCNP or CCIE and looking for a job? Check out 
 www.PlatinumPlacement.com


-- 
FNK

[OSL | CCIE_Security] aaa attributes

2012-01-27 Thread waleed '

Is there a difference if we configure the attribute on ACS directly, without the category? For example:
shell:priv-lvl
or
priv-lvl

I tested that and it worked fine.

Re: [OSL | CCIE_Security] usage and general

2012-01-26 Thread waleed '

I think for the CA we want just a general-purpose key and an encryption key.

Date: Thu, 26 Jan 2012 14:59:54 +0530
From: kingsley.char...@gmail.com
To: a@live.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] usage and general

Why do we need usage keys for CA server?

With regards
Kings

On Thu, Jan 26, 2012 at 1:26 PM, HA Ali a@live.com wrote:

Is there any case in the workbooks etc. where we need to make a CA and use usage keys rather than general ones? Because by default it makes general ones.
   


Re: [OSL | CCIE_Security] usage and general

2012-01-26 Thread waleed '


I think Signature keys = Signature certs.

Date: Thu, 26 Jan 2012 22:56:24 +0530
Subject: Re: [OSL | CCIE_Security] usage and general
From: kingsley.char...@gmail.com
To: a@live.com
CC: walleed...@hotmail.com; ccie_security@onlinestudylist.com

Signature keys are used for RSA-SIG authentication method.

Encryption keys are used for RSA-ENCR authentication method.

Signature certs are used for identification. 

Encryption certs are used for encryption mostly in SSL/TLS connections.  



The CA server needs only an identity cert for self-identification. Even if you use usage keys pre-defined in the trustpoint, you can see that the CA server has its identity cert of type identity.





With regards
Kings

On Thu, Jan 26, 2012 at 8:56 PM, HA Ali a@live.com wrote:

Where to use usage keys then?

From: walleed...@hotmail.com
To: kingsley.char...@gmail.com; a@live.com

CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] usage and general
Date: Thu, 26 Jan 2012 11:17:01 +

I think for the CA we want just a general-purpose key and an encryption key.

Date: Thu, 26 Jan 2012 14:59:54 +0530
From: kingsley.char...@gmail.com

To: a@live.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] usage and general


Why do we need usage keys for CA server?

With regards
Kings

On Thu, Jan 26, 2012 at 1:26 PM, HA Ali a@live.com wrote:

Is there any case in the workbooks etc. where we need to make a CA and use usage keys rather than general ones? Because by default it makes general ones.
   


Re: [OSL | CCIE_Security] FPM

2012-01-25 Thread waleed '

We can make many things (I make all my practice scenarios) using just class-map type access-control and policy-map type access-control, so when will the class-map type stack be required and a must?

From: a@live.com
To: walleed...@hotmail.com; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] FPM
Date: Wed, 25 Jan 2012 17:18:30 +0500

I think the best will be to edit/remove policy-maps. Mostly we match traffic in the class-map, which requires more commands than policy-maps, so if we need to redo these things we can easily create a policy-map and call the class there.

From: walleed...@hotmail.com
To: ccie_security@onlinestudylist.com
Date: Wed, 25 Jan 2012 11:42:40 +
Subject: [OSL | CCIE_Security] FPM

Is it required every time we modify something in the class-map type access to remove the service-policy from the interface? Or from the policy-map type access? And what is the best practice to deal with this?
   


Re: [OSL | CCIE_Security] Netflow Doubt

2012-01-25 Thread waleed '


Can you please show your NetFlow configuration?
Date: Wed, 25 Jan 2012 23:25:16 +0400
From: antonyice1.c...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Netflow Doubt

Netflow Output
Source 0.0.0.0 destination 0.0.0.0 8 0
Source 0.0.0.0 destination 0.0.0.0 8 0

The above is the output from the NetFlow configuration on the router interface. Please, how can I replace the NetFlow configuration with a characterization ACL to get more logs?


[OSL | CCIE_Security] IP options strange case

2012-01-25 Thread waleed '

I was testing this case:

R1--R2--R3

First, I configured ip options drop on R2 and tried to ping from R1 to R3 with the Timestamp option set, and that did not work. I applied an ACL on the R2 interface which permits ip any any, and the ping with options did not work either. Then I tried to open in the access-list permit ip any any option timestamp, and the ping did not work. The strange issue is that the access-list does not make a match on this line but always makes a match on the last line, permit ip any any; but when I remove ip options drop, it makes a match on the ACL options line.


See the output below, which comes when the ip options command is configured:

R2#show access-lists
Extended IP access list OPTIONS
9 permit ip any any option any-options
10 permit ip any any option timestamp
20 permit ip any any (5matches)

After removing ip options:

R2#show access-lists
Extended IP access list OPTIONS
9 permit ip any any option any-options (5 matches)
10 permit ip any any option timestamp
20 permit ip any any (27 matches)

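A small parser that compares the two `show access-lists` snapshots quoted above and reports which ACE absorbed the hits, as an added example that is not from the original post; the ACL name and counter values are taken from the thread, and the "(5matches)" spacing quirk is handled as printed.

```python
"""Compare `show access-lists` match counters between two snapshots.

Added example (not from the original post). It parses the two R2 outputs
quoted in the thread and reports which ACE gained matches, so an operator
can see whether options-bearing traffic is being classified by the
intended ACE or is falling through to the catch-all line.
"""
import re
from typing import Dict, List, Tuple

# Sequence number, action, ACE body, optional "(N matches)" with or
# without the space IOS normally prints (the post shows "(5matches)").
_ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<body>.*?)"
    r"(?:\s*\((?P<matches>\d+)\s*match(?:es)?\))?\s*$"
)
_ACL_HDR_RE = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)\s*$")

# ACL name -> sequence number -> (ACE text, match count)
Snapshot = Dict[str, Dict[int, Tuple[str, int]]]


def parse_access_lists(text: str) -> Snapshot:
    """Parse IOS `show access-lists` output into a nested dict."""
    snap: Snapshot = {}
    current = None
    for line in text.splitlines():
        hdr = _ACL_HDR_RE.match(line.strip())
        if hdr:
            current = hdr.group("name")
            snap[current] = {}
            continue
        if current is None:
            continue  # prompt line or anything before the first ACL header
        ace = _ACE_RE.match(line)
        if ace:
            seq = int(ace.group("seq"))
            ace_text = f"{ace.group('action')} {ace.group('body')}".strip()
            count = int(ace.group("matches") or 0)  # no suffix means 0 hits
            snap[current][seq] = (ace_text, count)
    return snap


def counter_deltas(before: Snapshot, after: Snapshot) -> List[Tuple[str, int, str, int]]:
    """Return (acl, seq, ace_text, delta) for every ACE whose count changed."""
    out = []
    for acl, aces in after.items():
        for seq, (ace_text, count) in sorted(aces.items()):
            prev = before.get(acl, {}).get(seq, (ace_text, 0))[1]
            if count != prev:
                out.append((acl, seq, ace_text, count - prev))
    return out


def options_traffic_classified(snap: Snapshot, acl: str) -> bool:
    """True if any ACE carrying an 'option' keyword in this ACL has hits."""
    return any(count > 0 and " option " in f" {text} "
               for text, count in snap.get(acl, {}).values())


# Constructed from the two outputs quoted in the thread
WITH_OPTIONS_DROP = """R2#show access-lists
Extended IP access list OPTIONS
9 permit ip any any option any-options
10 permit ip any any option timestamp
20 permit ip any any (5matches)
"""

WITHOUT_OPTIONS_DROP = """R2#show access-lists
Extended IP access list OPTIONS
9 permit ip any any option any-options (5 matches)
10 permit ip any any option timestamp
20 permit ip any any (27 matches)
"""

if __name__ == "__main__":
    before = parse_access_lists(WITH_OPTIONS_DROP)
    after = parse_access_lists(WITHOUT_OPTIONS_DROP)
    for acl, seq, text, delta in counter_deltas(before, after):
        print(f"{acl} seq {seq}: {text!r} {delta:+d}")
    print("options ACE hit (with drop):", options_traffic_classified(before, "OPTIONS"))
    print("options ACE hit (without drop):", options_traffic_classified(after, "OPTIONS"))
```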

[OSL | CCIE_Security] RSA key on Flash

2012-01-24 Thread waleed '

Why, when I try to generate an RSA key and set the save location to flash, do I have this error?

(config)#$ble general-keys label mykey modulus 512 storage flash:
The name for the keys will be: ciscoca
% The key modulus size is 512 bits
Device flash is not a valid storage location for for cryptographic keypairs
crypto_lib_keypair_get failed to get ciscoca
crypto_lib_keypair_get failed to get ciscoca


So how can I save my RSA pair on flash? Do I have to export it?

Re: [OSL | CCIE_Security] RSA key on Flash

2012-01-24 Thread waleed '


GIT_Int4Mb#dir all
Directory of archive:/

No files in directory

No space information available
Directory of system:/

   15  dr-x           0                    <no date>  fpm
    3  dr-x           0                    <no date>  memory
    1  -rw-        8802                    <no date>  running-config
    2  dr-x           0                    <no date>  vfiles

No space information available
Directory of tmpsys:/

    6  drw-           0                    <no date>  eem_lib_system
    5  drw-           0                    <no date>  eem_lib_user
    4  drw-           0                    <no date>  eem_policy
    1  dr-x           0                    <no date>  lib

No space information available
Directory of nvram:/

  182  -rw-        6244                    <no date>  startup-config
  183  ----        3903                    <no date>  private-config
  184  -rw-        6244                    <no date>  underlying-config
    1  -rw-           0                    <no date>  ifIndex-table
    2  ----          36                    <no date>  persistent-data
    3  -rw-          32                    <no date>  ca.git.ae.ser
    4  -rw-         517                    <no date>  1.crt
    5  -rw-          68                    <no date>  1.cnm
    6  -rw-         219                    <no date>  ca.git.ae.crl
    7  -rw-        1722                    <no date>  ca.git.ae_1.pem
    9  -rw-         517                    <no date>  cagitae#1CA.cer
   10  -rw-         632                    <no date>  2.crt
   11  -rw-          77                    <no date>  2.cnm
   12  -rw-         639                    <no date>  3.crt
   13  -rw-          84                    <no date>  3.cnm
   14  -rw-         634                    <no date>  4.crt
   15  -rw-          79                    <no date>  4.cnm
   16  -rw-         634                    <no date>  5.crt
   17  -rw-          79                    <no date>  5.cnm
   18  -rw-         572                    <no date>  6.crt
   19  -rw-         111                    <no date>  6.cnm
   20  -rw-         638                    <no date>  7.crt
   21  -rw-          83                    <no date>  7.cnm
   22  -rw-         637                    <no date>  8.crt
   23  -rw-          82                    <no date>  8.cnm
   24  -rw-         587                    <no date>  IOS-Self-Sig#1.cer
   25  -rw-         633                    <no date>  9.crt
   26  -rw-          78                    <no date>  9.cnm
   27  -rw-         637                    <no date>  A.crt
   28  -rw-          82                    <no date>  A.cnm
   29  -rw-         635                    <no date>  B.crt
   30  -rw-          80                    <no date>  B.cnm
   31  -rw-         637                    <no date>  C.crt
   32  -rw-          82                    <no date>  C.cnm

196600 bytes total (153633 bytes free)
Directory of flash:/

    1  -rw-    22649648  Oct 17 2011 08:58:52 +04:00  c1841-advsecurityk9-mz.124-11.T.bin
    5  -rw-        2444  Dec 18 2011 08:43:50 +04:00  tcp.phdf
    6  -rw-         954  Dec 19 2011 08:41:04 +04:00  ether.phdf
    3  drw-           0  Nov 28 2011 16:20:38 +04:00  webvpn
    7  -rw-         961  Dec 19 2011 08:41:20 +04:00  icmp.phdf
    8  -rw-        2720  Dec 19 2011 08:41:36 +04:00  ip.phdf
    9  -rw-        1115  Dec 19 2011 08:42:48 +04:00  udp.phdf
   10  -rw-        8162  Dec 29 2011 08:54:26 +04:00  -1
   11  -rw-        8162  Dec 29 2011 09:03:40 +04:00  -2

31932416 bytes total (4550656 bytes free)

Date: Tue, 24 Jan 2012 07:01:46 -0500
Subject: Re: [OSL | CCIE_Security] RSA key on Flash
From: fawa...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

Is that a real router? Can you provide dir all?

On Tuesday, January 24, 2012, waleed ' walleed...@hotmail.com wrote:
 Why, when I try to generate an RSA key and set the save location to flash, do I have
 this error?

 (config)#$ble general-keys label mykey modulus 512 storage flash:
 The name for the keys will be: ciscoca
 % The key modulus size is 512 bits
 Device flash is not a valid storage location for for cryptographic keypairs

 crypto_lib_keypair_get failed to get ciscoca
 crypto_lib_keypair_get failed to get ciscoca


 So how can I save my RSA pair on flash? Do I have to export it?

-- 
FNK

Re: [OSL | CCIE_Security] Real Lab Routing

2012-01-24 Thread waleed '

Date: Tue, 24 Jan 2012 07:03:00 -0500
Subject: Re: [OSL | CCIE_Security] Real Lab Routing
From: fawa...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

You can add/delete static routes on routers/Asa/sw/pc based on the requirement.

On Tuesday, January 24, 2012, waleed ' walleed...@hotmail.com wrote:
 In the real lab it is not permitted to add static routes. Is it permitted to
 add a network to the routing protocol? Or to advertise a default route using, for example,
 in OSPF default-information originate always?

 Regards 

-- 
FNK

Re: [OSL | CCIE_Security] RSA key on Flash

2012-01-24 Thread waleed '

But if the generated key is marked as exportable, we can export it to flash and encrypt the private key using des-3des.

Date: Tue, 24 Jan 2012 17:57:38 +0530
Subject: Re: [OSL | CCIE_Security] RSA key on Flash
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

RSA keys can't be stored on flash for security reasons, so that nobody can access the private key.

It can be stored in NVRAM or on a USB token.


With regards
Kings

On Tue, Jan 24, 2012 at 5:01 PM, waleed ' walleed...@hotmail.com wrote:

Why, when I try to generate an RSA key and set the save location to flash, do I have this error?

(config)#$ble general-keys label mykey modulus 512 storage flash:
The name for the keys will be: ciscoca
% The key modulus size is 512 bits
Device flash is not a valid storage location for for cryptographic keypairs
crypto_lib_keypair_get failed to get ciscoca
crypto_lib_keypair_get failed to get ciscoca

So how can I save my RSA pair on flash? Do I have to export it?
  


[OSL | CCIE_Security] IOS CA

2012-01-24 Thread waleed '

I just have some doubts regarding RSA keys on IOS. My understanding is (please correct me if I say something wrong):
1- SSH uses a general-usage key (which will be used for encryption and authentication); if we have multiple general keys, which one will it choose?
2- The PKI server needs two keys: one for authentication or hashing (general-purpose key) and the other for encryption.
3- We can't specify the RSA key pairs for the PKI server.
4- When we run the PKI server (no shutdown), if there is a general key available it will use it and make a new encryption RSA key named generalkeyname.server, and if there are no keys at all it will generate the two, one named the same as the CA name and the other named caname.server.
5- The RSA key name is unique on the router (no two general keys and usage keys have the same name, for example).

Regards   

Re: [OSL | CCIE_Security] IOS CA

2012-01-24 Thread waleed '

So if there is no key with .server, SSH will not work? And the crypto pki server needs two keys; how can we make two keys with the name of the server??

From: pi...@howto.pl
Date: Tue, 24 Jan 2012 23:14:27 +0100
Subject: Re: [OSL | CCIE_Security] IOS CA
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

Hi,

You can create your own keys and make the IOS CA use those keys. You just need to generate named keys and configure a trustpoint with the same name as the local CA server. Once enabled, the CA server will use those keys to generate a self-signed certificate.



SSH uses keys with .server name and there will be only one key with that name 
even if you generate many keypairs.

Regards,
Piotr

2012/1/24 waleed ' walleed...@hotmail.com

I just have some doubts regarding RSA keys on IOS. My understanding is (please correct me if I say something wrong):
1- SSH uses a general-usage key (which will be used for encryption and authentication); if we have multiple general keys, which one will it choose?
2- The PKI server needs two keys: one for authentication or hashing (general-purpose key) and the other for encryption.
3- We can't specify the RSA key pairs for the PKI server.
4- When we run the PKI server (no shutdown), if there is a general key available it will use it and make a new encryption RSA key named generalkeyname.server, and if there are no keys at all it will generate the two, one named the same as the CA name and the other named caname.server.
5- The RSA key name is unique on the router (no two general keys and usage keys have the same name, for example).

Regards
  


[OSL | CCIE_Security] GETVPN rekey address

2012-01-23 Thread waleed '

In GET VPN rekey using multicast, in some examples we use an extended access-list and others use just a standard access-list which permits the multicast address. Which is the more correct one?

Re: [OSL | CCIE_Security] GETVPN rekey address

2012-01-23 Thread waleed '

Please delete the email; the question is not correct.

From: walleed...@hotmail.com
To: ccie_security@onlinestudylist.com
Subject: GETVPN rekey address
Date: Mon, 23 Jan 2012 08:12:09 +

In GET VPN rekey using multicast, in some examples we use an extended access-list and others use just a standard access-list which permits the multicast address. Which is the more correct one?

[OSL | CCIE_Security] multicast through transparent

2012-01-23 Thread waleed '

Is it required to configure an ACL entry permitting the multicast traffic on the inside interface in a transparent firewall?

Re: [OSL | CCIE_Security] multicast through transparent

2012-01-23 Thread waleed '

So why this different behavior? Can anyone explain?

Date: Mon, 23 Jan 2012 21:36:48 +0530
Subject: Re: [OSL | CCIE_Security] multicast through transparent
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com



UDP multicast like RIP and DHCP is allowed from inside to outside without the need of an ACL. You need to lab this out and confirm.

OSPF, EIGRP and PIM should be allowed explicitly using an ACL from inside to outside and from outside to inside.


With regards
Kings

On Mon, Jan 23, 2012 at 4:42 PM, waleed ' walleed...@hotmail.com wrote:

Is it required to configure an ACL entry permitting the multicast traffic on the inside interface in a transparent firewall?
  


[OSL | CCIE_Security] Real Lab Routing

2012-01-23 Thread waleed '

In the real lab it is not permitted to add static routes. Is it permitted to add a network to the routing protocol? Or to advertise a default route using, for example, in OSPF default-information originate always?

Regards

Re: [OSL | CCIE_Security] PVLAN question

2012-01-19 Thread waleed '

Can you please provide how you will route between the VLAN SVIs, or is there a router on a stick?

 Date: Thu, 19 Jan 2012 19:43:47 +1100
 From: mayd...@gmail.com
 To: vadim.li...@gmail.com
 CC: ccie_security@onlinestudylist.com
 Subject: Re: [OSL | CCIE_Security] PVLAN question
 
 Does it say anywhere that you _can't_ use SVIs and ACLs?
 
 Cheers,
 Matt
 
 CCIE #22386
 CCSI #31207
 
 On 19 January 2012 18:49, Vadim Linev vadim.li...@gmail.com wrote:
  Hi folks!
 
  Can you please share your thoughts on how this can be implemented?
 
  On a switch we have:
 
  - Vlan 10 with 2 web servers
 
  - Vlan 101 with 2 email servers
 
  - Vlan 102 with 10 employee PCs
 
  - Vlan 103 with 2 guest PCs.
 
  Configure this switch to allow only the following connectivity:
 
  1) Both guest and employees should be able to talk to web servers
 
  2) Only employees should be able to talk to email servers
 
  3) Guests should not be able to talk to employees PCs.
 
 
  I can see that VLAN 10 should be a primary one and web servers' ports should
  be configured as promiscuous. VLAN 103 with guest PCs should be configured
  as protected. VLAN 102 should be a community. But question is what should be
  done with employee's PC accessing email servers? They are in different
  VLANs, if we make VLAN 101 a community VLAN as well, then community 102 will
  not be able to talk to this community 101, right? So, what can be done here?
  What are your thoughts? Question does not say anything about SVIs and ACLs,
  so I assume this is supposed to be resolved by PVLAN feature alone.
 
  Cheers,
  Va
 

Re: [OSL | CCIE_Security] Ccie 34000

2012-01-18 Thread waleed '

Congratulations :), tell your story and how the exam was?

Regards

 From: dcambron...@itsinfocom.com
 Date: Wed, 18 Jan 2012 02:52:58 -0600
 To: ccie_security@onlinestudylist.com
 Subject: [OSL | CCIE_Security] Ccie 34000
 
 Hello,
 
 I just got my number 30 minutes ago. I want to thank everybody for the help.
 
 And I just noticed in the website that the ccie must be recertified every 24 
 months. 
 
 Thanks again!!!
 
 

Re: [OSL | CCIE_Security] Double tagging attack

2012-01-17 Thread waleed '

Let us assume the attacker is on a port in the native VLAN and he sends a tagged packet. The access port will not remove the tag, and on the next trunk to the other switch, because it is in the native VLAN, the switch will send it untagged; the next switch will see the tag and forward it to the victim VLAN. I did not try that; I just suggest the logic.
Regards

Date: Thu, 8 Dec 2011 09:26:33 -0200
From: fedefal...@ig.com.br
To: kingsley.char...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Double tagging attack

Hi Kings,
As I said, I just tried with old 2950 switches and, if I am not wrong, on old switches VLAN 1 was the native VLAN and the customer used to use VLAN 1 for servers and management traffic at that time. Anyway, the attack was to be just a demonstration that a packet could arrive at the destination.


Regards,
--Fernando

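A frame parser that detects stacked 802.1Q tags and models the native-VLAN strip described in the thread, as an added example that is not from the original post; the MAC addresses, VLAN numbers and payload bytes are constructed for the demonstration.

```python
"""Detect stacked 802.1Q tags in an Ethernet frame.

Added example (not from the original post). It walks the Ethernet header,
collects every 802.1Q tag it finds and flags a frame whose outer tag equals
the trunk's native VLAN, the case the thread describes: the first switch
strips only the native-VLAN tag, so the inner tag survives to the next
switch. All sample values below are constructed.
"""
import struct
from typing import List, NamedTuple

ETH_P_8021Q = 0x8100   # 802.1Q TPID
ETH_P_8021AD = 0x88A8  # 802.1ad (QinQ service tag) TPID
ETH_P_IP = 0x0800


class Frame(NamedTuple):
    dst: bytes
    src: bytes
    vlans: List[int]   # outer-to-inner order
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse dst/src MAC, any number of stacked VLAN tags, and the payload."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    off = 12
    vlans: List[int] = []
    while True:
        (ethertype,) = struct.unpack_from("!H", raw, off)
        off += 2
        if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
            if len(raw) < off + 2:
                raise ValueError("truncated 802.1Q tag")
            (tci,) = struct.unpack_from("!H", raw, off)
            off += 2
            vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
            continue
        return Frame(dst, src, vlans, ethertype, raw[off:])


def is_double_tag_candidate(frame: Frame, native_vlan: int) -> bool:
    """Two or more tags with the outer one equal to the trunk's native VLAN."""
    return len(frame.vlans) >= 2 and frame.vlans[0] == native_vlan


def build_frame(dst: bytes, src: bytes, vlans: List[int], ethertype: int, payload: bytes) -> bytes:
    """Serialise a frame with zero or more 802.1Q tags (PCP/DEI left at 0)."""
    out = bytearray(dst + src)
    for vid in vlans:
        out += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def strip_native_tag(raw: bytes, native_vlan: int) -> bytes:
    """Model 802.1Q trunk egress: the native-VLAN tag is removed, any inner tag stays."""
    frame = parse_frame(raw)
    if frame.vlans and frame.vlans[0] == native_vlan:
        return build_frame(frame.dst, frame.src, frame.vlans[1:], frame.ethertype, frame.payload)
    return raw


# Constructed samples: MACs, VLAN numbers and payload are invented
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("02000000aaaa")
PAYLOAD = b"\x45" + b"\x00" * 19   # placeholder IPv4 header bytes
NATIVE_VLAN = 1

SINGLE_TAGGED = build_frame(DST, SRC, [10], ETH_P_IP, PAYLOAD)
DOUBLE_TAGGED = build_frame(DST, SRC, [NATIVE_VLAN, 20], ETH_P_IP, PAYLOAD)

if __name__ == "__main__":
    for name, raw in (("single", SINGLE_TAGGED), ("double", DOUBLE_TAGGED)):
        f = parse_frame(raw)
        print(name, "tags:", f.vlans, "candidate:", is_double_tag_candidate(f, NATIVE_VLAN))
    after_trunk = parse_frame(strip_native_tag(DOUBLE_TAGGED, NATIVE_VLAN))
    print("after native strip, remaining tags:", after_trunk.vlans)
```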

Re: [OSL | CCIE_Security] Virtual-template delete

2012-01-17 Thread waleed '

Any reply here?

From: walleed...@hotmail.com
To: ccie_security@onlinestudylist.com
Date: Sun, 4 Dec 2011 05:39:13 +
Subject: [OSL | CCIE_Security] Virtual-template delete

Is there another way to delete a virtual-template interface? If you want to change the int virtual-template type, after you remove the interface virtual-template using no and issue int virtual-template 1 type tunnel, you get the warning "% Warning: cannot change vtemplate type". You have to reload the router to get rid of this; any other suggestion?


Re: [OSL | CCIE_Security] Smurf Attack - CAR vs MQC??

2012-01-17 Thread waleed '

If your question is related to the CCIE lab, I think the question will mention which way to use; for example, maybe it will tell you not to use classes.

Regards

Date: Tue, 29 Nov 2011 08:40:02 -0500
From: dj.lin...@gmail.com
To: punitjethv...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Smurf Attack - CAR vs MQC??

http://www.wr-mem.com/?p=97
On Nov 29, 2011 12:52 AM, punit jethva punitjethv...@gmail.com wrote:



Re: [OSL | CCIE_Security] ASA ezVPN Server with RADIUS Authorization

2012-01-17 Thread waleed '

I think there is a mix-up between user-vpn-group, which specifies and locks the user to a tunnel group, and OU, which just specifies the user policy; if it is specified (internal or external), its attributes will be merged with the other groups specified on the tunnel group and the default group policy.

Regards 

Date: Sat, 17 Sep 2011 09:39:03 +0530
From: kingsley.char...@gmail.com
To: msent...@googlemail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] ASA ezVPN Server with RADIUS Authorization

Why do you want to combine them? OU seems to do the subset work of 
user-vpn-group.


With regards
Kings

On Sat, Sep 17, 2011 at 1:27 AM, Mark Senteza msent...@googlemail.com wrote:

Can you combine them? I've tried it and it doesn't fail to establish a VPN connection or get assigned to the right group.


On Fri, Sep 16, 2011 at 3:57 AM, Kingsley Charles kingsley.char...@gmail.com wrote:

So OU is not required when we use user-vpn-group and it works, but I have not seen any docs.

In the CCIE lab, I think it's safer to use OU.

With regards
Kings


On Fri, Sep 16, 2011 at 6:37 AM, Jim Terry jim0te...@gmail.com wrote:



Hi Mark,



OU- always puts a users  in that group.

user-vpn-group=  if a user tries to login under the wrong group the

connection is terminated.  If he logs with the right group- he is

allowed.



JT







On Wed, Sep 14, 2011 at 11:29 PM, Kingsley Charles
kingsley.char...@gmail.com wrote:
 I think, it's better to lab and see what's happening.

 Snippet from
 http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1516834

 User-VPN-Group

 The User-VPN-Group attribute is a replacement for the Group-Lock attribute.
 It allows support for both preshared key and RSA signature authentication
 mechanisms such as certificates.

 If you need to check that the group a user is attempting to connect to is
 indeed the group the user belongs to, use the User-VPN-Group attribute. The
 administrator sets this attribute to a string, which is the group that the
 user belongs to. The group the user belongs to is matched against the VPN
 group as defined by group name (ID_KEY_ID) for preshared keys or by the OU
 field of a certificate. If the groups do not match, the client connection is
 terminated.

 This feature works only with AAA RADIUS. Local Xauth authentication must
 still use the Group-Lock attribute.

 BTW, why are you using IOS Radius attribute for ASA authorization?

 With regards
 Kings

 On Thu, Sep 15, 2011 at 8:00 AM, Mark Senteza msent...@googlemail.com
 wrote:

 OK.

 So it really does do the same thing as the ipsec:user-vpn-group commands
 under the Cisco IOS/PIX Radius Attributes

 To me it seemed to do just that, but thought there might be a difference.

 On Wed, Sep 14, 2011 at 6:40 PM, Jim Terry jim0te...@gmail.com wrote:

 It directly adds the user to the ASA group that the OU=xx; points to.

 JT

 On Wed, Sep 14, 2011 at 7:03 PM, Mark Senteza msent...@googlemail.com
 wrote:
  Jim,
 
  so you're saying that the [025] Class setting overrides the
  ipsec:user-vpn-group setting or directly adding the user to the
  group ?
  Is that right
 
  Mark
 
  On Wed, Sep 14, 2011 at 5:58 PM, Jim Terry jim0te...@gmail.com wrote:
 
  Hi Mark,
 
  The OU on the ACS will override what is on the ASA- even if it is the
  same.  A practical application is you put all vpn users into one
  tunnel group/group policy with no access.  Then match them by OU and
  put them in a diff group policy on the ASA based on HR/Execs etc.
 
  JT
 
  On Wed, Sep 14, 2011 at 4:12 PM, Mark Senteza
  msent...@googlemail.com
  wrote:
   Kingsley,
  
   I did have the default-group-policy defined under the tunnel-group
   configuration. The config
  
   group-policy EZVPN external server-group RADIUS password cisco
  
   tunnel-group EZVPN type remote-access
   tunnel-group EZVPN general-attributes
    default-group-policy EZVPN
  
   On Tue, Sep 13, 2011 at 11:08 PM, Kingsley Charles
   kingsley.char...@gmail.com wrote:
  
   When you don't have the default-group-policy configured under the
   tunnel general sub-mode, then ASA will not know which group policy to
   apply. In that case, you should add Radius AV 25 to the Xauth user
   account on ACS and that should be the external group policy name that
   you have configured on the ASA.
  
   With regards
   Kings
  
   On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza
   msent...@googlemail.com
   wrote:
  
   Hello all,
  
   I have my ASA setup as an EZVPN server, with an externally
   configured group-policy on the RADIUS server, like so:
  
   group-policy EZVPN external server-group RADIUS password cisco
  
   My group setup has the following:
  
 Group 

Re: [OSL | CCIE_Security] TCP options

2012-01-16 Thread waleed '

Will that be available in the lab exam?

 From: niede...@hotmail.com
 To: schilling2...@gmail.com; walleed...@hotmail.com
 CC: ccie_security@onlinestudylist.com
 Subject: RE: [OSL | CCIE_Security] TCP options
 Date: Wed, 28 Dec 2011 20:59:14 -0800
 
 Makes sense, as the ACE can manipulate TCP options :)
 
 T
 
 -Original Message-
 From: ccie_security-boun...@onlinestudylist.com
 [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of schilling
 Sent: Wednesday, December 28, 2011 8:14 PM
 To: waleed '
 Cc: ccie security
 Subject: Re: [OSL | CCIE_Security] TCP options
 
 Just dug it out today :-)
 
 cisco.com
 product and services
 application networking service
 application control engine
 ACE 4700
 security guide
 There is a TCP option table
 
 
 On Sat, Dec 24, 2011 at 1:01 PM, waleed ' walleed...@hotmail.com wrote:
  Hello all, can someone provide a link in the documentation for the list of TCP 
  options?
  Regards
 

[OSL | CCIE_Security] EZVPN_SERVER RSA-SIG

2012-01-13 Thread waleed '

Why do we need to enroll a certificate from the CA for an EzVPN server which uses rsa-sig 
authentication? Isn't adding the CA as a trustpoint enough to validate the 
client certificate?

Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP redirection

2012-01-04 Thread waleed '

I think it will not work this way. Try to request in the URL an IP behind the firewall 
and it will work.

From: eug...@koiossystems.com
To: ccie_security@onlinestudylist.com
Date: Wed, 4 Jan 2012 08:02:24 +
Subject: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP   
redirection

Hello everyone,
I started the New Year with my resolution to get back to CCIE studies and 
immediately I was challenged by a client of ours asking us to configure their 
network access controls with cut-through proxy authentication.
Their particular task was to authenticate the traffic that is not part of the 
four well-known protocols (FTP, Telnet, HTTP and HTTPS) that would trigger 
authentication in the classic situation.
They need to authenticate RDP and SSH traffic through the ASA and I followed 
this document published at the Cisco support forum:
https://supportforums.cisco.com/docs/DOC-14842

My intention was to have users open their web browser, connect to the ASA 
interface IP address via HTTPS, authenticate and voila, the RDP and SSH traffic 
defined in the authentication ACL would be authenticated.

I.e.
access-list CTP_AUTH extended permit tcp any any eq https
access-list CTP_AUTH extended permit tcp any any eq 3389
access-list CTP_AUTH extended permit tcp any any eq ssh

aaa authentication match CTP_AUTH inside LOCAL
aaa authentication listener https inside port 

Then I go to https://192.168.1.200: (where 192.168.1.200 is the ASA inside 
IP address) to authenticate against a local user database and it doesn't 
work. The ASA rewrites the URL and says File not found.
I don't want to use virtual HTTP for the reasons described in the above said 
document. Am I missing something? Is it really an improvement or just a 
documentation defect misleading people?

Eugene


[OSL | CCIE_Security] tricky AAA group name

2012-01-04 Thread waleed '

There is a tricky thing that took 35 minutes of my time today: if you make an AAA server 
group and name it, for example, TAC, of type tacacs, the IOS will accept it and not 
give any error, but when you configure that name for any AAA purpose like 
accounting, it will try to go to group tacacs+. So, my friends, be careful with 
AAA group names. Below is an example of the mistaken configuration:

aaa group server tacacs+ TAC
 server-private 177.1.125.100 port 49 key CISCO
 ip vrf forwarding vrf1
 ip tacacs source-interface Loopback0

aaa accounting commands 15 default start-stop group TAC (will use tacacs) 

Regards
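A lint for the naming pitfall above, added here as an example (not code from the post). It assumes the IOS CLI resolves an unambiguous, case-insensitive keyword prefix ahead of a user-defined group name, and its list of built-in keywords is a constructed assumption; the sample config is the one from the post plus a second, non-colliding group.

```python
"""Lint IOS AAA server-group names that shadow built-in group keywords.

Added example, not from the mailing-list post. Assumption: the IOS CLI
resolves an unambiguous, case-insensitive keyword prefix before a
user-defined name, so 'group TAC' reads as the built-in 'tacacs+'.
BUILTIN_GROUPS is a constructed assumption; extend it per platform.
"""
import re
from typing import Dict, List, Tuple

# Built-in method-list group keywords (assumed list).
BUILTIN_GROUPS = ("tacacs+", "radius")

GROUP_DEF_RE = re.compile(r"^aaa group server (\S+) (\S+)$")
GROUP_REF_RE = re.compile(r"\bgroup (\S+)")

# Constructed sample: the configuration from the post, plus a safe group.
SAMPLE_CONFIG = """\
aaa group server tacacs+ TAC
 server-private 177.1.125.100 port 49 key CISCO
 ip vrf forwarding vrf1
 ip tacacs source-interface Loopback0
aaa group server tacacs+ ISE-TAC
aaa accounting commands 15 default start-stop group TAC
aaa accounting exec default start-stop group ISE-TAC
"""


def is_keyword_prefix(name: str) -> bool:
    """True if name is a case-insensitive prefix of a built-in group keyword."""
    n = name.lower()
    return any(kw.startswith(n) for kw in BUILTIN_GROUPS)


def lint_aaa_groups(config: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings: ambiguous group names and their uses."""
    findings: List[Tuple[str, str]] = []
    defined: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_DEF_RE.match(line)
        if m:
            proto, name = m.groups()
            defined[name] = proto
            if is_keyword_prefix(name):
                findings.append(("ambiguous-name", f"{name} shadows a keyword"))
            continue
        if not line.startswith("aaa "):
            continue  # only aaa method-list / accounting lines reference groups
        for ref in GROUP_REF_RE.findall(line):
            if ref in defined and is_keyword_prefix(ref):
                findings.append(("ambiguous-ref", line))
    return findings


if __name__ == "__main__":
    for kind, detail in lint_aaa_groups(SAMPLE_CONFIG):
        print(f"{kind}: {detail}")
```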

[OSL | CCIE_Security] SLA Monitor

2012-01-03 Thread waleed '

In SLA monitor, what is the meaning of the threshold parameter?

[OSL | CCIE_Security] Ipsec L2tp

2012-01-03 Thread waleed '

Does the Windows client work only with tunnel group DefaultRAGroup? I tried to create a 
different group name and make it the default, but it does not work. Can anyone confirm 
this and explain why this behavior? I see it as a strange issue.

[OSL | CCIE_Security] Downloadable ACL

2012-01-01 Thread waleed '

For the ASA, the only option for a per-user downloadable ACL is RADIUS, is this right? 
And for IOS, RADIUS and TACACS are supported. Please confirm.

[OSL | CCIE_Security] CBAC Audit trail

2011-12-30 Thread waleed '

If it is required to generate an audit trail for inspected sessions, is there a 
difference between enabling the audit trail globally using 

ip inspect audit-trail 

and applying it per inspection rule:
ip inspect name TEST tcp audit-trail on
ip inspect name TEST http audit-trail on

[OSL | CCIE_Security] Archive Command

2011-12-28 Thread waleed '

On the practical exam, can we use the archive command to take a backup copy of 
all running configurations on the routers and switches?

Re: [OSL | CCIE_Security] TCP options

2011-12-26 Thread waleed '

Dear Piotr, I am looking for this link in the Cisco documentation to use it in the exam. 
Thanks.

From: pi...@howto.pl
Date: Mon, 26 Dec 2011 13:04:24 +0100
Subject: Re: [OSL | CCIE_Security] TCP options
To: walleed...@hotmail.com
CC: fawa...@gmail.com; ccie_security@onlinestudylist.com

http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xml


2011/12/25 waleed ' walleed...@hotmail.com

Any device, ASA or IOS router.

Date: Sat, 24 Dec 2011 19:35:01 -0500
Subject: Re: [OSL | CCIE_Security] TCP options
From: fawa...@gmail.com


To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com



Which device ?


On Saturday, December 24, 2011, waleed ' walleed...@hotmail.com wrote:
 Hello all, can someone provide a link in the documentation for the list of TCP 
 options?



 Regards


-- 
FNK
  


Re: [OSL | CCIE_Security] GETVPN and NAT

2011-12-26 Thread waleed '


That's what I was searching for. So at the end, in GET VPN we can't use NAT between 
the GMs.
From: pi...@howto.pl
Date: Mon, 26 Dec 2011 12:59:26 +0100
To: dcambron...@itsinfocom.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] GETVPN and NAT

Diego, All,

There are two scenarios you must consider:

(1) GDOI Registration - when GM registers itself to KS, it uses ISAKMP protocol 
with standard UDP/500. When there is a NAT between GM and KS (most likely KS is 
behind a firewall which statically translated KS' IP address), the NAT-T works 
as always, changes UDP/500 to UDP/4500.



(2) GM-to-GM traffic - which uses ESP (IP Prot 50). If there is NAT between GM 
devices, the NAT device in between cannot handle that. In this case NAT is not 
supported. There is NO NAT-T used in this case!!!

Hope this clears the confusion.



Regards,
Piotr



2011/12/26 Diego Cambronero dcambron...@itsinfocom.com


Guys, I am a little bit confused. ESP is IP protocol 50, but it is encapsulated in 
UDP port 4500 when there is a NAT between the peers, right?
If there is a GM behind a NAT device, it uses UDP 500 to start ISAKMP and then 
UDP 4500 to encapsulate the traffic, right?


 
How is the communication between a device that is behind a NAT and another that 
is not behind a NAT?
4500---5004500---4500
Or what??




On 25/12/2011, at 07:40 p.m., Fawad Khan fawa...@gmail.com wrote:



ESP is a layer protocol itself, with number 50.

 NAT-T is layer 4, UDP port number 4500.


On Sunday, December 25, 2011, Piotr Matusiak pi...@howto.pl wrote:



 NAT-T uses UDP/4500 always.

 2011/12/25 HA Ali a@live.com

 I have seen in Cisco official docs that GDOI works on UDP 848 and, if NAT-T is 
 enabled, it works on UDP 4500. But in a simple VPN setup (not GETVPN) we use 
 4500 for ESP.





 If GETVPN uses ESP and GDOI, how will it work in a NAT-T case? Will both of 
 them use UDP 4500?

 
 From: pi...@howto.pl



 Date: Sun, 25 Dec 2011 16:42:43 +0100
 To: walleed...@hotmail.com
 CC: ccie_security@onlinestudylist.com



 Subject: Re: [OSL | CCIE_Security] GETVPN and NAT

 NAT-T is supported between GM and KS. NAT is not supported between GMs. The 
 only option is to NAT before encryption.

 Regards,



 Piotr


 2011/12/25 waleed ' walleed...@hotmail.com



 Dear all, in GETVPN there is no NAT-T because there is no ISAKMP between 
 the peers, so how does GET VPN work if there is NAT between two peers?











-- 
FNK






[OSL | CCIE_Security] GETVPN and NAT

2011-12-25 Thread waleed '

Dear all, in GETVPN there is no NAT-T because there is no ISAKMP between the 
peers, so how does GET VPN work if there is NAT between two peers?
