Here's my topology:
R2 (136.1.121.2) -- (136.1.121.12) ASA1 (136.1.122.12) -- (136.1.122.1) R1
Here is the ASA config:
--
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address
Hey Sumit,
Check this out. I think when you configure NAT and ping the NATted
inside IP address from the outside, the traceroute command returns the IP
address of the firewall as the NATted IP address.
Ex: in my configuration I added this line
#static (outside,inside) 136.1.121.2
From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Vybhav Ramachandran
Sent: Tuesday
Along with Kings' questions, I also want to confirm that the IPS uses the
command and control interface to log into blocking devices and execute
blocking/rate-limiting commands. Can someone please confirm this?
Thanks!
TacACK
for management / security traffic.
So, actually it would be a security risk to send SNMP traps in the data
flow (because it's unencrypted and can contain sensitive data).
HTH
Pieter-Jan
On May 16, 2010, at 2:02 PM, Vybhav Ramachandran wrote:
Along with Kings' questions, I also want
That's definitely something to keep in mind! :)
Thanks a lot for your help Pieter.
Cheers!
TacACK
___
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Hmmm, I have a feeling that except for these signatures
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/idm/idm_blocking.html#wp2205632
none of the signatures allow rate-limiting. But then why did they even
allow us to create/clone a rate-limiting signature?
I'll try this out too.
Hello Kings,
I agree with the reason behind the creation. Just wondering why this doesn't
work. I'm going through the doc-cd to see if they mention something about
these signals not working...
Cheers,
TacACK
Hello Kings,
I'm not sure if this is what you're looking for, but I'll try and explain
what I know :)
Suppose there are 2 guys performing a UDP scan on 10 destinations. If you
have the UDP scanner signature active, and it has a scanner threshold
configured, then if the number of scans done by
I'm stumped.
Just for fun, did you try configuring both the interfaces to the same name?
i.e. making e0/0 Redundant2
Cheers,
TacACK
On Tue, May 18, 2010 at 11:17 AM, Kingsley Charles
kingsley.char...@gmail.com wrote:
Hi all
I have the following system config on an ASA:
Hello Jimmy,
I noticed the EIGRP process running on the hub and 2 spokes is identical?
router eigrp 256
network 10.9.122.0 0.0.0.255
network 192.168.1.0
no auto-summary
end
I'm guessing the subnet behind SPOKE1 and SPOKE2 would be different.
Please let me know :)
Cheers,
TacACK
Guys,
I've tried doing dot1x many times and it usually works. But this time, I'm
getting access-reject messages from the ACS. I don't understand why.
Here is my SWX config:
_
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log
Hello All,
I'm trying to understand the Workbook 1A configuration diagram. What is up
with ASA2 hiding behind ASA1?
Could someone please explain to me how the connections are done?
P.S.: I'm on the rack right now!
Cheers,
TacACK
Alright,
But which interfaces of the ASAs are to be connected to?
The firewall interfaces to be connected to are not mentioned in the diagram?
Cheers,
TacACK
OK,
But which interfaces of the firewall do I connect to?
Cheers
Hello Jimmy,
Yeah, I figured they'd thrown in failover somewhere, but they have not given
the basic connections. I don't see any interfaces on the ASA? What
interfaces are being used? Even in task 1 the interfaces are not clearly
given.
It's sad I'm stuck at this level for 1 hour now.
TacACK
Hello Tyson,
What interfaces do I use on the ASA? Because I tried using some random
interfaces and the swx configuration might also change.
Cheers,
TacACK
Hello Drew,
I have this diagram. It came along with the Vol 1 workbook. My question was
something else and I think Tyson understood what my confusion was.
Cheers and Thanks.
TacACK
From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Vybhav Ramachandran
Sent: Thursday, May 27, 2010 9:53 AM
To: OSL Security
Subject: Re: [OSL | CCIE_Security] Vol 1 , 1A
Hello Tyson,
What
Thanks!
Hello all,
The doc-cd says that for NHRP to be NAT-T aware, we must use Transport mode.
Could someone please explain how NHRP benefits from using transport over
tunnel mode for NAT-T?
Thanks,
TacACK
Hello all,
I'm able to set up an EZVPN remote session (NE+) with an EZVPN server (IOS).
I see that an IP from the pool is assigned to the EZVPN client and the
inside subnet of the client router is getting added to the EZVPN server as a
static route through the virtual-access interface.
I can see
Hello Piotr ,
Thanks for the response.
So what happens is, if the spoke is getting NATted and it's configured to
run in transport mode, the NHRP registration request that reaches the hub
will look like this:
GRE header
GRE source IP: NATted NBMA IP of the spoke
GRE destination IP:
Hello Kings,
This document suggests that if the spokes are behind NAT, then transport
mode should be used.
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1039490
This is why I got the doubt.
Hello Kings,
So you're saying with tunnel protection, it doesn't matter if it's transport
or tunnel mode?
Cheers,
TacACK
Hello Kings,
Is that needed? The EZVPN connection comes up just fine and it works for
some seconds. After which, the tunnel goes down (refer to the debugs).
Cheers,
TacACK
Hello Tyson,
I've this lab configured at work. I'll get back to you tomorrow.
Thanks :)
Hello Jimmy,
Well, I tried this config; for me, R1 automatically installed the route to
2.2.2.2 (using reverse-route) on the dynamic map.
I'm attaching the configs.
Cheers
TacACK
Attachments: R2.cfg, R1.cfg
Thanks for the clarification Tyson. :)
Hello Jimmy,
Yeah, it works with route-maps too :)
ip access-list extended VPN_ACL
 permit ip host 1.1.1.1 host 2.2.2.2
!
! local policy routing lets the route-map match locally generated traffic
ip local policy route-map VPN_ROUTE_MAP
!
! the route-map name must match the one applied above
route-map VPN_ROUTE_MAP permit 10
 match ip address
Hello Jimmy,
I wish I knew the answer. I'm not an RS guy either :(. I hope someone can
explain it to us here.
Cheers,
TacACK
Hello DMG,
This is a good link that I use:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html#wp1101685
Cheers,
TacACK
Hello Kings,
I had a doubt: won't the GDOI messages between the KS and the GMs be
protected by ISAKMP phase 1? In that case, do we have to permit UDP 848 on
the ASA?
Cheers,
TacACK
It does? :/ OK, I need to lab this :)
Hello Kings,
If I have an ASA between the KS and the GM, and the KS is on the inside
interface, what kind of NAT do I have to enable on the ASA to trigger NAT-T?
Cheers,
TacACK
Yeah, I remember reading that on CLND... I think Paul was also participating
in that discussion along with Scott Morris.
Hello Kings,
To your first question, I'm guessing that's the only difference. Both of
them need a wr to hardcode the IP address into the startup config.
Regarding question 2, I'm not sure. :/
Cheers,
TacACK
Hello Kings,
You do? I've only seen those messages. I'll run a trace and check it out.
Cheers,
TacACK
Hello Kings,
I think the actual way the protocol exchange happens can be found here.
Please scroll down on the linked page to see the connection diagrams of
TACACS+ and RADIUS:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comparing
Cheers,
TacACK
Hello All,
I just faced a task which said user X should not be allowed to join any
webvpn context other than context CTX_A. This involved 2 commands, "aaa
authentication domain @CTX_A" and "aaa authentication domain CTX_A".
I didn't understand the concept. Could someone please explain?
Hello Tolulope,
This is in the IOS.
Yep, I understand the concept in ASA, which is pretty straightforward (I
mean, it's similar to how one would do group-lock in case of EZVPN).
I hope someone can shed some light on this.
Cheers,
TacACK
Hello Asif,
Did you then associate the isakmp profile with the crypto map that you are
using? I think this might be required if you're trying to tell the IOS to
use the isakmp profile when initiating the connection.
#crypto map VPN isakmp-profile PROFILE
That's my understanding, please correct me.
I did, but I was not sure what commands I'd used. I'll retest this and get
back to you.
Thanks Tyson and Tolulope!
TacACK
Hello Tyson,
I tried it out. I followed this document:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/prod_white_paper0900aecd80512065.html
This is my config:
#username us...@ctx_1 password cisco
#username us...@ctx_2 password cisco
#webvpn context WEBVPN_CONTEXT_1
I forgot to mention the main thing. It works! :)
Hello All,
In the lab, will we have a dedicated troubleshooting section or will the
troubleshooting questions be mixed in with the configuration questions?
Also, I'm having problems with the (B) labs in the Vol 1 workbook. I am able
to identify the problems, but still sometimes I'm unable to get
Hello Tolulope,
It's just that I'm spending a lot of time with the troubleshooting section.
When I fix it according to the DSG, it was still not working. Dunno why.
That's why I was asking if this is a major topic in the lab.
Cheers,
TacACK
Well,
I don't know how to start. I mean, the configs look OK. Everything looks
fine. But it's not working. For example: I've this webvpn configuration I've to
troubleshoot. It all looks fine and according to the DSG there was only
one issue (a filter ACL) which had to be removed. But even after
When I run a capture on the outside ASA interface, I don't see the HTTPS
requests come in at all!
When I ping the ASA from the Test-PC, I see the ICMP echo request packets on
the ASA interface, so routing is correct. I tried hitting http://ASA IP
instead of https://ASA IP and I even see those
Yep, they're on the same subnet. The Test-PC is directly connected to the
outside interface of the ASA.
I found the solution. The problem was a VACL in the swx in between. I did
not see that coming at all.
Those are great tips Jimmy. That would save me a lot of time! :)
Thanks a lot for the tips. I think this is something that everyone should
follow.
Hello All,
I'm just wondering: could you guys complete Lab 2A in 10 hours or less? I
just want to know where I'm placed.
Cheers,
TacACK
Hello All,
I'm trying out IOS NAT today. I couldn't understand the concept of adding
the reversible keyword to NAT translations using route-maps. Can someone
please shed some light on this?
Thanks and cheers,
TacACK
Thanks Kings!
So this must only apply to dynamic NAT, right?
Cheers,
TacACK
Thanks Kings,
I saw this in the doc-cd as the description for the reversible keyword:
Enables outside-to-inside initiated sessions to use route maps for
destination-based NAT.
Does this have any special meaning, other than just allowing bi-directional
initiation?
Cheers,
TacACK
Congrats Bro! :)
Did you try it with a route-map?
I'm having an RSPAN issue.
This is my config:
SW1
vlan 900
 remote-span
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
monitor session 1 source vlan 12 rx
! RSPAN destination needs the "destination remote vlan" form plus a reflector port
monitor session 1 destination remote vlan 900 reflector-port FastEthernet0/21
SW2
vlan 900
 remote-span
!
interface FastEthernet0/21
 switchport
Hello Sumit,
Well, in that config, I can see the VLAN 34 traffic being sent to the IPS.
But the VLAN 900 (RSPAN) traffic isn't going to the IPS.
Any issues in the config?
Cheers,
TacACK
Hello Kings,
Actually my initial config was this:
#monitor session 1 source vlan 34 , 900 rx
But since that didn't work, I only included remote VLAN 900 to see how that
goes.
I'm using encapsulation dot1q, because I've an IDS attached to the SPAN port and
I'm trying to configure VLAN groups.
Hello Kings,
I was looking through my inbox and saw this email. Here's what I think.
Is the threshold for a port, protocol or IP address?
IMO, it's the number of scans, irrespective of port, protocol or IP. Any scan
will increase the count by 1. Don't know if it's right though.
Ex: if the TCP
Hello Kings,
I tested this out with NAT using route-maps. It works just as expected.
Thanks!
Cheers
TacACK
Hello All,
Can someone please explain what the difference between these commands is?
monitor session 2 destination interface gigabitethernet0/2 encapsulation dot1q ingress vlan 6
monitor session 2 destination interface gigabitethernet0/2 encapsulation dot1q ingress dot1q vlan 6
monitor session 2
Thanks Kings, I'll check it out.
Guys,
The task asks for BGP to be configured such that the neighbor is not more
than 1 hop away.
So I'm thinking the command is
router bgp 100
 neighbor 136.1.23.2 ttl-security hops 1
But the solution states
 neighbor 136.1.23.2 ttl-security hops 2
Can someone please explain why this is?
Hello Tyson,
Well, there are no loopbacks involved here. Here's the question:
Configure an eBGP session between R1 and R2 and make both routers accept the
peer if it's no more than one hop away.
Use AS numbers 100 and 200 for R1 and R2 respectively.
The topology is
R1 - R3 - R2
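To see what the TTL-security check actually buys over plain `ebgp-multihop`, here is an added model of the RFC 5082 receiver check (example code, not from the thread or any vendor). The `trust_radius` here counts the routers *between* the two peers, so the R1 - R3 - R2 topology above is distance 1; the IOS `hops` argument is documented as the number of hops separating the peers, so map one onto the other from the platform documentation rather than assuming they are equal. Distances and the attacker placement are constructed.

```python
"""GTSM / BGP TTL-security modelled on RFC 5082, contrasted with ebgp-multihop.

Added example, not code from the thread or from any vendor. trust_radius
counts the routers between the two peers (directly connected = 0); check how
your platform's ``hops`` argument counts before mapping it onto this.
"""
from typing import Dict, Optional

MAX_TTL = 255


def arrival_ttl(sent_ttl: int, routers_between: int) -> Optional[int]:
    """TTL the receiver sees: every forwarding router decrements it by one.
    None means the packet expired in transit."""
    ttl = sent_ttl - routers_between
    return ttl if ttl > 0 else None


def gtsm_accept(received_ttl: Optional[int], trust_radius: int) -> bool:
    """RFC 5082 receiver check: the peer sends TTL 255, so anything further
    away than trust_radius routers arrives with a TTL that is too low. A
    sender cannot raise its TTL above 255, so distance cannot be faked."""
    return received_ttl is not None and received_ttl >= MAX_TTL - trust_radius


def multihop_accept(received_ttl: Optional[int]) -> bool:
    """ebgp-multihop N only raises the *sent* TTL to N; the receiver accepts
    any packet that survived the trip, wherever it came from."""
    return received_ttl is not None


def session_outcome(policy: str, peer_distance: int, attacker_distance: int,
                    multihop_ttl: int = 2, trust_radius: int = 1) -> Dict[str, bool]:
    """Does the legitimate peer get through, and does a spoofer who sets
    TTL 255 from attacker_distance routers away?"""
    if policy == "gtsm":
        peer = gtsm_accept(arrival_ttl(MAX_TTL, peer_distance), trust_radius)
        attacker = gtsm_accept(arrival_ttl(MAX_TTL, attacker_distance), trust_radius)
    elif policy == "ebgp-multihop":
        peer = multihop_accept(arrival_ttl(multihop_ttl, peer_distance))
        attacker = multihop_accept(arrival_ttl(MAX_TTL, attacker_distance))
    else:
        raise ValueError(policy)
    return {"peer": peer, "attacker": attacker}


if __name__ == "__main__":
    # R1 - R3 - R2: one router between the peers; an attacker five routers away.
    for policy in ("gtsm", "ebgp-multihop"):
        print(policy, session_outcome(policy, peer_distance=1, attacker_distance=5))
```

With `trust_radius=1` the peer behind R3 is accepted and the distant spoofer is not; with `trust_radius=0` even the real peer is refused, which is the kind of off-by-one the `hops 1` versus `hops 2` question above is really about.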
Hello Kings,
This is what i found in the Doc-CD
SNMP passwords are localized using the SNMP engine ID of the authoritative
SNMP engine. For informs, the authoritative SNMP agent is the remote agent.
You must configure the remote agent's SNMP engine ID in the SNMP database
before you can send
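The doc-cd text above says keys are "localized" to the authoritative engine, which is why informs need the remote engine ID. As an added example (not from the thread, not device code), this is the RFC 3414 password-to-key and localization step in plain Python; `RFC_PASSWORD` and `RFC_ENGINE_ID` are the RFC 3414 appendix A.3 test values, and `MANAGER_ENGINE_ID` is a constructed value standing in for the inform receiver.

```python
"""SNMPv3 USM: password-to-key and key localization per RFC 3414 (A.2).

Added example, not from the thread. RFC_PASSWORD / RFC_ENGINE_ID are the
RFC 3414 appendix A.3 test values; MANAGER_ENGINE_ID is constructed.
"""
import hashlib
from typing import Dict

HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}
STRETCH_LEN = 1_048_576  # the password is cycled to fill exactly 1 MiB


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """Ku: digest of the password repeated to STRETCH_LEN bytes (RFC 3414 A.2)."""
    pw = password.encode()
    stretched = (pw * (STRETCH_LEN // len(pw) + 1))[:STRETCH_LEN]
    return HASHES[algo](stretched).digest()


def localize(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku). Only this localized key authenticates
    messages, so it is bound to exactly one authoritative engine."""
    return HASHES[algo](ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    return localize(password_to_key(password, algo), engine_id, algo)


def notification_keys(password: str, agent_engine_id: bytes,
                      manager_engine_id: bytes, algo: str = "md5") -> Dict[str, bytes]:
    """Trap: the sending agent is the authoritative engine, so its own engine
    ID localizes the key. Inform: the receiving manager is authoritative, so
    the agent must know the manager's engine ID (IOS: snmp-server engineID
    remote) or it derives a key the manager will reject."""
    return {
        "trap": localized_key(password, agent_engine_id, algo),
        "inform": localized_key(password, manager_engine_id, algo),
    }


RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
MANAGER_ENGINE_ID = bytes.fromhex("800000090300112233445566")  # constructed

if __name__ == "__main__":
    for kind, key in notification_keys(RFC_PASSWORD, RFC_ENGINE_ID, MANAGER_ENGINE_ID).items():
        print(f"{kind:6s} {key.hex()}")
```

The same password gives two different keys depending on which engine ID is fed in, so a manager that does not have the agent's engine ID (traps) or an agent that does not have the manager's (informs) cannot verify the message.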
Hello All,
I'm a little confused. This is related to the MAC addresses used by the
firewalls during failover. What's the difference between
PRIMARY F/W
config# int e1
config-if# mac-address X standby Y
SECONDARY F/W
config# int e1
config-if# mac-address X standby Y
(and)
PRIMARY F/W
Thanks Tyson and Kings! :)
Hello Kings,
Guys, found this good read on traps vs. informs in SNMPv3.
http://net-snmp.sourceforge.net/tutorial/tutorial-5/commands/snmptrap-v3.html
Cheers,
TacACK
This is excellent Kings! I'm definitely bookmarking this e-mail for further
reading.
Thanks a lot and Cheers!
TacACK
Hello Jason,
I don't think we can access this. However, if you want to memorize the IP
addresses to be blocked, check out Paul Stewart's blog post on it. It's
pretty good.
http://packetu.com/content/view/52/1/
Cheers!
TacACK
I agree with Jimmy. There should be an after-hours live-chat option
available. Us dudes in India can never reach the live chat if we have the
racks scheduled during the day.
It would be awesome if IPX also addressed the fact that many of its
customers are not in the US time zones.
Hello Kings,
But why do we need to inspect the FTP traffic? Don't we just need to allow
hosts on the outside to access the FTP servers on the DMZ using an ACL? The
return traffic will be permitted. Please correct me if I'm wrong, but isn't
inspection needed if we are initiating the traffic from a
Thanks Tyson. That answers my questions :)
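What FTP inspection adds on top of the outside-to-DMZ ACL is the data channel: the port for it is negotiated inside the control channel, so a static ACL on TCP/21 never describes it. The following added example (not from the thread, not ASA code) parses a constructed control-channel exchange the way an inspection engine does, derives the data-channel pinhole for active (PORT) and passive (PASV/EPSV) transfers, checks it against the control-port-only ACL the question proposes, and refuses a PORT address that is not the client's own, the classic FTP bounce that strict inspection blocks. Addresses and the session lines are made up.

```python
"""Derive FTP data-channel pinholes from the control channel.

Added example; not code from the thread or from Cisco. The session lines
below are constructed, not captured. Addresses are illustrative.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# h1,h2,h3,h4,p1,p2 encoding used by PORT (client) and the 227 reply (server)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 reply for EPSV carries only the port: "229 Entering Extended Passive Mode (|||50001|)"
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class Pinhole:
    src_ip: str
    src_port: Optional[int]   # None = any (ephemeral) source port
    dst_ip: str
    dst_port: int
    mode: str                 # "active" or "passive"


def _decode(parts: Sequence[str]) -> Tuple[str, int]:
    return ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])


def derive_pinholes(client_ip: str, server_ip: str,
                    session: Sequence[Tuple[str, str]]) -> Tuple[List[Pinhole], List[str]]:
    """Walk ('c'|'s', line) pairs and return (pinholes, warnings).

    Active mode: the server connects FROM port 20 TO the address the client
    announced in PORT.  Passive mode: the client connects TO the port the
    server announced in 227/229.  A PORT address that is not the client's
    own is a bounce attempt and gets no pinhole.
    """
    holes: List[Pinhole] = []
    warnings: List[str] = []
    for who, line in session:
        if who == "c":
            m = PORT_RE.match(line)
            if not m:
                continue
            host, port = _decode(m.groups())
            if host != client_ip:
                warnings.append(f"PORT announces {host}, client is {client_ip}: bounce attempt, ignored")
                continue
            holes.append(Pinhole(server_ip, 20, host, port, "active"))
        else:
            m = PASV_RE.match(line)
            if m:
                host, port = _decode(m.groups())
                holes.append(Pinhole(client_ip, None, host, port, "passive"))
                continue
            m = EPSV_RE.match(line)
            if m:
                holes.append(Pinhole(client_ip, None, server_ip, int(m.group(1)), "passive"))
    return holes, warnings


# A static ACL entry: (source ip or "any", destination ip, destination port)
AclEntry = Tuple[str, str, int]


def acl_permits(acl: Sequence[AclEntry], src_ip: str, dst_ip: str, dst_port: int) -> bool:
    return any((s == "any" or s == src_ip) and d == dst_ip and p == dst_port for s, d, p in acl)


def uncovered(acl: Sequence[AclEntry], holes: Sequence[Pinhole]) -> List[Pinhole]:
    """Pinholes the static ACL would NOT open; this is what inspection adds."""
    return [h for h in holes if not acl_permits(acl, h.src_ip, h.dst_ip, h.dst_port)]


# Constructed session: an outside client talking to an FTP server in the DMZ.
CLIENT, SERVER = "198.51.100.7", "172.16.1.10"
SESSION = [
    ("s", "220 dmz-ftp ready"),
    ("c", "USER anonymous"), ("s", "331 Please specify the password."),
    ("c", "PASS guest@"),    ("s", "230 Login successful."),
    ("c", "PASV"),           ("s", "227 Entering Passive Mode (172,16,1,10,195,80)"),
    ("c", "PORT 198,51,100,7,4,1"), ("s", "200 PORT command successful."),
    ("c", "PORT 10,0,0,5,0,25"),    # address is not the client: bounce
]
# The ACL the question proposes: outside -> DMZ FTP server, control port only.
CONTROL_ONLY_ACL = [("any", SERVER, 21)]

if __name__ == "__main__":
    holes, warns = derive_pinholes(CLIENT, SERVER, SESSION)
    for h in holes:
        print(h)
    for w in warns:
        print("warning:", w)
    print("not covered by the control-port ACL:", len(uncovered(CONTROL_ONLY_ACL, holes)))
```

For the outside-to-DMZ case in the question, passive mode is the one the ACL cannot express: the client's data connection lands on a dynamic port of the DMZ server. The active-mode pinhole originates from the DMZ server, so whether an ASA needs it depends on whether the DMZ interface has its own inbound ACL; without one, higher-to-lower security traffic is permitted by default.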
Hello guys,
I've tried searching for a good article / doc-cd page on virtual HTTP/Telnet
and its workings. Can someone please point me to one?
Also can someone please explain to me what the aaa authentication listener
command does? Again, I couldn't understand this aspect.
Cheers,
TacACK
Hello All,
I was going through the CBAC section of the doc-cd yesterday and I found
this:
(Other IP traffic, such as ICMP, cannot be inspected with CBAC and should
be filtered with basic access lists instead.)
I thought CBAC inspects ICMP and I labbed it up. I found that ICMP traffic
I speak for all when I say that we really appreciate all the valuable help
you render. It's so awesome to be able to ask questions of an instructor and
get replies in real time. Thank you again.
Hello True,
Check this out:
http://proctorlabs.com/index.cfm/product/sku/CCIE_Security_vRack_Online_Hardware_Rental_5sessions
Cheers,
TacACK
Hello All,
A couple of days back, a friend and I were discussing the differences
between half-open, half-closed and embryonic TCP connections.
We got a couple of confusing definitions:
1) From Cisco:
These half-open connections are TCP connections that have not completed the
Firstly, good luck Jimmy! Kick some ass! :)
I don't know how you guys finish so fast. I take the full 8 hours. I must be
doing something wrong. I take about 45 mins to 1 hour to draw the diagram,
skim through all the topics and get ready to start configuring. How long do
you take?
Cheers,
TacACK
Thanks Tyson,
So half-open: the RFC is correct.
How about half-closed?
Cheers,
TacACK
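The three terms in this exchange are easiest to pin down by watching what a stateful device actually records. As an added example (not from the thread, not vendor code), the tracker below classifies flows from the TCP flags of a constructed trace: embryonic is the firewall sense of half-open (SYN seen, three-way handshake not completed), half-closed is one side having sent FIN while the other is still open, and closed is both FINs or a RST. RFC 793's own "half-open" (one end has lost connection state after a crash, so the peers are desynchronised) cannot be seen from flags alone and is deliberately not modelled. The per-server embryonic count at the end is the quantity an embryonic-connection limit (ASA) or max-incomplete threshold (IOS CBAC) acts on; the endpoints and packets are made up.

```python
"""Classify TCP flows as embryonic (half-open in the firewall sense),
established, half-closed or closed from the flags seen on the wire.

Added example, not from the thread. The packet trace is constructed.
RFC 793's half-open (state lost after a crash) is not visible in flags
and is not modelled.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
Endpoint = str  # "ip:port"


@dataclass
class Flow:
    client: Endpoint
    server: Endpoint
    state: str = "embryonic"          # SYN seen, handshake not complete
    syn_ack_seen: bool = False
    fin_from: Set[Endpoint] = field(default_factory=set)


class Tracker:
    def __init__(self) -> None:
        self.flows: Dict[Tuple[Endpoint, Endpoint], Flow] = {}

    @staticmethod
    def _key(a: Endpoint, b: Endpoint) -> Tuple[Endpoint, Endpoint]:
        return (a, b) if a < b else (b, a)

    def observe(self, src: Endpoint, dst: Endpoint, flags: int) -> None:
        key = self._key(src, dst)
        if flags & SYN and not flags & ACK:
            self.flows[key] = Flow(client=src, server=dst)  # new (or retried) embryonic flow
            return
        f = self.flows.get(key)
        if f is None:
            return  # mid-stream packet for a flow never seen opening; a stateful device drops it
        if flags & RST:
            f.state = "closed"
        elif flags & SYN and flags & ACK and src == f.server:
            f.syn_ack_seen = True
        elif f.state == "embryonic" and flags & ACK and src == f.client and f.syn_ack_seen:
            f.state = "established"  # third packet of the handshake
        if flags & FIN and f.state in ("established", "half-closed"):
            f.fin_from.add(src)
            f.state = "half-closed" if len(f.fin_from) == 1 else "closed"

    def state_of(self, client: Endpoint, server: Endpoint) -> str:
        return self.flows[self._key(client, server)].state

    def embryonic_per_server(self) -> Counter:
        return Counter(f.server for f in self.flows.values() if f.state == "embryonic")

    def servers_over_embryonic_limit(self, limit: int) -> List[Endpoint]:
        """Servers with more incomplete handshakes than allowed: the condition
        an embryonic-connection limit or max-incomplete threshold fires on."""
        return [s for s, n in self.embryonic_per_server().items() if n > limit]


SERVER = "10.1.1.5:80"
TRACE = [  # constructed
    ("198.51.100.7:40001", SERVER, SYN), (SERVER, "198.51.100.7:40001", SYN | ACK),
    ("198.51.100.7:40001", SERVER, ACK),
    ("198.51.100.7:40001", SERVER, FIN | ACK),            # client done sending: half-closed
    ("198.51.100.8:40002", SERVER, SYN), (SERVER, "198.51.100.8:40002", SYN | ACK),
    ("198.51.100.8:40002", SERVER, ACK),
    ("198.51.100.8:40002", SERVER, FIN | ACK), (SERVER, "198.51.100.8:40002", FIN | ACK),
    ("203.0.113.1:1111", SERVER, SYN), ("203.0.113.2:1112", SERVER, SYN),
    ("203.0.113.3:1113", SERVER, SYN),                    # handshakes never complete
]


def run(trace=TRACE) -> Tracker:
    t = Tracker()
    for src, dst, flags in trace:
        t.observe(src, dst, flags)
    return t


if __name__ == "__main__":
    t = run()
    for key, f in t.flows.items():
        print(f.client, "->", f.server, f.state)
    print("servers over embryonic limit 2:", t.servers_over_embryonic_limit(2))
```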
Hello Kings,
Yes, I follow the same approach that you do with regards to the diagrams.
I draw the diagram first (about 10-15 mins), then I go over the tasks
(30-40 mins) and I start marking stuff on the diagram. I ensure that I mark
NAT, inspection and VPN tunnels on the diagram. I don't mark
Hello All,
This is frustrating! I thought I'd figured out the technique to register the
VPN client to an IOS CA. But it's not working now.
I've followed the guidelines that Kings stated:
1) Make sure the time of the XP machine is ahead of the time of the IOS CA
2) Make sure the domain names
I tried registering another router; it works just fine. The confusing aspect
is, I want to know what I'm doing wrong and that seems to be a mystery :/
Maybe Tyson can help out? I'm sure he must've seen this error before.
Found it. Thanks..
I tried setting both the CA and the XP machine to UTC and I set the time to
almost similar values (I couldn't get the Windows NTP to work with the IOS).
But still the same issue.
Next, I changed the time in the XP machine forward by 1 month. Still the
same.
Cheers,
Those were the points I was referring to in my first mail, the 3 points that
you'd given earlier.
I tried them, I still get the 42 error. I'll try reloading the test-pc and
router.
Funny, I tried it later on GNS3 and it worked just fine. :/
Hello Kings,
With regards to EZVPN (the regular method), here are the routes that get
added:
1) In client mode
- A route is added on the server for the assigned IP of the client.
There is no route added on the client.
2) In network-extension mode
- A route is added on the server
Of course, I forgot to mention that I had reverse-route configured! :)
Thanks Segun.
Yep,
I've configured reverse-route under the dynamic crypto map. Now trying the
same with VTI.
Yep, after adding the static route on the client, I did a
#ping <server's subnet> source loopback1
and I could see the counters increasing.
Can you share your config Kings? I'll try doing the same here
Hello all,
I've had this doubt for quite some time now. Do the ACLs in the exam have to
be specific (even to the host level)?
Ex: permit NTP from 2 hosts on the outside to an NTP server on the inside.
The ideal solution would be to create an ACL with the exact IP addresses of
the NTP clients and
Hello Tyson,
Suppose it's not stated anywhere that I have to be strict with the ACLs, or
that I have to deny NTP traffic to other hosts, then can I use the loose
ACLs?
Cheers,
TacACK
The tighter the ACL, the happier the proctor. :)
Well, the issue is that the traffic that has to be RSPAN'ed from one switch
to another is not going across. I've configured it exactly like it's given
in the doc-cd. I've tried configuring this about 3-4 times and I've been
unsuccessful in all my attempts.
I'd really appreciate it if someone