Re: [c-nsp] Cisco's new 4500-X 10G Aggregation Switches

2012-02-12 Thread Łukasz Bromirski

On 2/10/12 8:45 PM, Jared Mauch wrote:

> Personally, I'm also amazed cisco still sells non-gigabit switches in
> 2011/2012.  I thought they were a technology company.

There are many existing customers still willing to buy only FE switches,
because of a number of reasons - including existing cabling requirements
or policy things. No matter how you would approach this from a sanity
point of view - it's their choice and a market to sell to.

On the other side, Cisco policy to insert a product is always based on
a life expectancy of 4-5 years at minimum. Given there are still
customers willing to buy it (or forced to - see above) I don't see a
compelling reason to lose business being handed over to you on a plate.

My 0.02c.

--
There's no sense in being precise when |   Łukasz Bromirski
 you don't know what you're talking |  jid:lbromir...@jabber.org
 about.   John von Neumann |http://lukasz.bromirski.net
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco 3750

2012-02-12 Thread Tarko Tikan
hey,

> 1000 for 3750 series.

Plus (*,G) and (S,G) will be counted separately, so in reality it's 500 PIM ASM
routes.

-- 
tarko


[c-nsp] ASA NAT/PAT rpf-check

2012-02-12 Thread Dan Letkeman
Hello,

Having some trouble with an rpf-check on an ASA when doing PAT to an
internal web server.

I have static nat working:

object network laptop
 host 192.168.75.208

object network internet-75
 host 100.1.1.75

nat (inside,outside) after-auto source dynamic laptop internet-75

No problems here, the client device gets out to the internet using the
correct ip address.

Now when I do this:

object network laptop-pat
 host 192.168.75.208
 nat (inside,outside) static internet-75 service tcp www 81

it adds this entry above the static nat entry and everything appears
to look correct.  The problem is when I do a packet-trace it shows
this:

fw# packet-tracer input outside tcp 222.222.222.222 1080 192.168.75.208 81

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object http-81 any object laptop-pat

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) after-auto source dynamic laptop internet-75


Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule



For some reason it is not picking up the auto-nat entry for the
secondary object I created with the same host name (laptop-pat)

Any ideas why the firewall is always stopping at phase 8 with the
rpf-check error?  If so what do I need to do to fix this?

Is there an easier or right way to do pat on this device?

Thanks,
Dan.

5520 - version 8.4
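
As an added example (not config from the thread), here is the same host on an
ASA 8.4 with the static PAT as an object (auto) NAT rule and the outbound
dynamic PAT left in the after-auto section, using the object names and
addresses from the post above; the object name laptop-web is assumed. Two
things it shows. First, post-8.3 ACLs are written against the real inside
address and the real port (80, "www"), not the mapped port 81. Second, a
packet-tracer entered on the outside interface has to use the mapped address
and mapped port (100.1.1.75 and 81 here) so that the untranslate phase can
match the static rule; a trace aimed at the real address instead is not
untranslated by any rule, so the reverse flow falls through to the dynamic
after-auto rule, the two directions do not agree on a NAT rule, and the NAT
rpf-check phase drops the packet.

```cisco
! Added example, not from the original post. Object name laptop-web is assumed.
object network laptop
 host 192.168.75.208
object network internet-75
 host 100.1.1.75

! Auto NAT (section 2): outside 100.1.1.75:81 <-> inside 192.168.75.208:80.
! Real port comes first, mapped port second.
object network laptop-web
 host 192.168.75.208
 nat (inside,outside) static internet-75 service tcp www 81

! Outbound dynamic PAT for the same host stays in section 3 (after-auto),
! so the more specific static rule above is evaluated first in both directions.
nat (inside,outside) after-auto source dynamic laptop internet-75

! Post-8.3 ACLs match the real (inside) address and the REAL port.
access-list outside_access_in extended permit tcp any object laptop-web eq www
access-group outside_access_in in interface outside

! Trace with the MAPPED address and port as an Internet client would see them;
! untranslate turns this into 192.168.75.208:80 and the rpf-check passes
! because the return flow is matched by the same static rule.
packet-tracer input outside tcp 222.222.222.222 1080 100.1.1.75 81
```

After applying this, "show nat" lists the static rule under the auto NAT
section ahead of the after-auto rule, and the trace above should end with
Action: allow rather than stopping at the NAT rpf-check phase.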


[c-nsp] ASA SSL VPN client communicating across IPsec tunnel

2012-02-12 Thread Andy Dills

I have a customer who has a couple of ASA 5510s connected with a typical 
IPsec tunnel, and on one of them he has a 10 seat Anyconnect SSL license.

He'd like for the Anyconnect VPN users to be able to communicate with the 
network on the other side of IPsec tunnel. In theory that would work, but 
I've found the ASAs to sometimes ignore theory.

I updated the NAT exemption ACL (to include traffic from the VPN users to 
the remote network and vice versa), the split-tunnel ACL (to have it 
advertise the remote network in addition to the local), and the crypto map 
ACL (so that the VPN users are included in the ipsec sa).

It didn't seem to work...I didn't have good access to test, but before I 
arrange for better access to really work with it, is this indeed possible? 
Any configuration tips?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---


Re: [c-nsp] ASA SSL VPN client communicating across IPsec tunnel

2012-02-12 Thread Ryan West
It's possible, try 'same-security intra-interface'

Sent from handheld 

On Feb 12, 2012, at 6:20 PM, Andy Dills a...@xecu.net wrote:

> I have a customer who has a couple of ASA 5510s connected with a typical 
> IPsec tunnel, and on one of them he has a 10 seat Anyconnect SSL license.
> 
> He'd like for the Anyconnect VPN users to be able to communicate with the 
> network on the other side of IPsec tunnel. In theory that would work, but 
> I've found the ASAs to sometimes ignore theory.
> 
> I updated the NAT exemption ACL (to include traffic from the VPN users to 
> the remote network and vice versa), the split-tunnel ACL (to have it 
> advertise the remote network in addition to the local), and the crypto map 
> ACL (so that the VPN users are included in the ipsec sa).
> 
> It didn't seem to work...I didn't have good access to test, but before I 
> arrange for better access to really work with it, is this indeed possible? 
> Any configuration tips?
> 
> Thanks,
> Andy
> 
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---

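
Following Ryan's pointer, this is an added example of the hub-side pieces of
that setup on ASA 8.4; it is not config from either poster. The full command
is "same-security-traffic permit intra-interface": it allows traffic that
arrived on the outside interface from an AnyConnect client to leave through
the outside interface again into the site-to-site tunnel, which is otherwise
refused. The addressing (VPN pool 10.10.10.0/24, local LAN 192.168.1.0/24,
remote LAN 192.168.2.0/24 behind the L2L peer) and every object, ACL and
group-policy name below are constructed for the example.

```cisco
! Added example, not from the thread. Addresses and names are assumed.
! Let client traffic hairpin out the same interface it came in on.
same-security-traffic permit intra-interface

object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.2.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0

! NAT exemption for flows that enter AND leave on outside (client tunnel in,
! L2L tunnel out). Twice NAT with destination static covers both directions,
! so nothing extra is needed for REMOTE-LAN -> VPN-POOL on this box.
nat (outside,outside) source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN

! Crypto ACL: the pool must be part of the interesting traffic, as a second
! line so a separate SA is built for it.
access-list L2L-TRAFFIC extended permit ip object LOCAL-LAN object REMOTE-LAN
access-list L2L-TRAFFIC extended permit ip object VPN-POOL object REMOTE-LAN

! Split tunnel: push both the local and the remote network to the client,
! otherwise traffic for 192.168.2.0/24 never enters the AnyConnect tunnel.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

The remote ASA needs the mirror image: its crypto ACL must permit its LAN to
both LOCAL-LAN and VPN-POOL, and its NAT exemption must include the pool,
for example "nat (inside,outside) source static REMOTE-LAN REMOTE-LAN
destination static VPN-POOL VPN-POOL" with the same objects defined there.
Once a client sends traffic, "show crypto ipsec sa" on either side should
show a separate SA for 10.10.10.0/24 <-> 192.168.2.0/24; if it never appears,
the crypto ACLs do not match and the pool is the first thing to check.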