theterranaut

Forum Replies Created

    theterranaut
    Member
    in reply to: Map drives doesn’t work using VPN #285835

    Re: Map drives doesn’t work using VPN

    hi Amit,

    What kind of VPN are we talking about? PPTP, IPSec…?

    What brings up the tunnel in your VPN? I mean: are you specifying an IP access-list, or are you using some TCP/UDP protocols?

    If it's just an IP access-list, and you are satisfied you have full IP connectivity (Layer 3); i.e., you can ping everything across both sides that you would expect to, I would have a look at the client settings and make sure all is well there.

    If it's more restrictive- i.e., TCP and UDP access-lists are used to ‘refine’ the interesting traffic, then you might have to expand things to permit the protocols needed for ‘map drives’ to work. I think this still uses NETBIOS- anyone else know?

    Why don't you grab your config, sanitise it and post it here? And a summary of your client settings would also help.

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: netflow analyzer 5,working very slowly #285834

    Re: netflow analyzer 5,working very slowly

    Or use this app I’ve just found on Sourceforge: http://freemeter.meta-forge.com/

    Note: just NIC monitoring on this.

    theterranaut

    theterranaut
    Member
    in reply to: MPLS for home lab? #285833

    Re: MPLS for home lab?

    Thanks David, much obliged to you as usual! Yep, it's looking like I need to convince some poor unsuspecting telco to hire me…

    all the best,

    theterranaut

    theterranaut
    Member
    in reply to: netflow analyzer 5,working very slowly #285832

    Re: netflow analyzer 5,working very slowly

    Hi Huseyin,
    as David has said, 5000 is a lot!
    You can check the NIC performance (and other things) on Windows by using Performance Monitor. It's very straightforward.

    It's difficult to tell exactly, but this sounds like potentially a lot of devices. Obviously the workstations will not have NF installed, but, depending on how busy the routers are you could just be overwhelming your server. I agree with David- use Perf Mon to get some stats from your server and see if there's anything that looks way over the top.

    theterranaut

    theterranaut
    Member
    in reply to: Anybody worked on Cisco ASA ? #285831

    Re: Anybody worked on Cisco ASA ?

    hi david,

    yes, I’ve looked at that, but the Cisco website is unusually unhelpful on the AV, I found: specifically things like updates, annual costs, etc.

    theterranaut

    theterranaut
    Member
    in reply to: Anybody worked on Cisco ASA ? #285830

    Re: Anybody worked on Cisco ASA ?

    Hello Sco,

    Well, if you've used any of the larger PIXes with FOS 7.x, you've pretty much got the hang of the ASA OS- they are (in the main) the same. ASA is what Cisco will be moving to when they can the PIX line in the not too distant future.

    From my perspective, the ASA devices are good because of:

    -there’s some modularity built in that will allow for expansion. Already, there are plugins for things like antivirus- hardware modules that actually slot in.

    -they are built on more modern hardware so should scale better than the PIX can (ASA only)

    -they can use a more elaborate form of failover for redundancy (ASA only)

    -they introduce the concept of ‘virtual firewalls’- you can run multiple instances of (more basic) firewalls on the same hardware, and have each instance doing different things (ASA and PIX)

    -the application inspection function is deeper (but still very limited, IMHO) (ASA and PIX)

    -they can talk to MS AD servers for AAA out of the box. No RADIUS needed (ASA and PIX)

    There are some other, more minor advantages, but it's definitely the way to go.
    btw- where I’ve said ASA and PIX- I mean that these features are from the FOS 7.x and aren’t hardware-specific.

    HTH-

    theterranaut

    theterranaut
    Member
    in reply to: Windows 2003 Server SBS R2 & Wireless #285829

    Re: Windows 2003 Server SBS R2 & Wireless

    Hi Sagcha,

    looks like you’ll need to get admin rights to make configuration changes.

    Sorry-

    theterranaut

    theterranaut
    Member
    in reply to: netflow analyzer 5,working very slowly #285828

    Re: netflow analyzer 5,working very slowly

    Hello Huseyin.

    First, some questions:

    -what is the speed of the network connection the server is connected into?
    -is it into a backbone or edge switch?
    -can you check the utilisation on the NIC?
    -how many devices are you monitoring?
    -how much log space are you using up every day?

    Thanks-
    theterranaut

    theterranaut
    Member
    in reply to: access-list problem #285827

    Re: access-list problem

    Glad to have been able to help, Efrenba. Ahmer will also be pleased to hear this.

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: Newbie. Help setting up my routing/NAT/DHCP #285826

    Re: Newbie. Help setting up my routing/NAT/DHCP

    Hmmm…

    IP_ADDRESS: 169.254.160.219
    IP_SUBNET_MASK: 255.255.0.0
    DEFAULT_GATEWAY: 169.254.160.255

    Would have been an auto-assigned address, hence your problem.

    Yes, it will doubtless overwrite your existing IOS, Chris. (I doubt the router has enough flash for 2 images.)
    If you just follow the standard upgrade procedure you should be fine. Don't bother wiping the flash in advance, there's not much point.

    theterranaut

    theterranaut
    Member
    in reply to: student networking admin (need help with a project) VLSM #285825

    Re: student networking admin (need help with a project) VLSM

    Ahmer, further to David’s post, here’s a great- and free- resource for you:

    http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf

    I've recommended this to loads of people, I've often wondered why it's free!

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: Newbie. Help setting up my routing/NAT/DHCP #285824

    Re: Newbie. Help setting up my routing/NAT/DHCP

    I think this is an IOS related issue, somehow. From what I can gather, 12.2 is the earliest version that supports DHCP on ethernet. I could be wrong, it's very hard to tell.

    Chris, I don't know exactly how your ISP assigns them- is it a cable-based service (so cable modem) or some kind of bridge? Why not set a static IP, if they will give you one? If you want to support web servers, etc, it will be much easier in the long run.

    IP address dhcp

    From the Cisco.com website (abridged):

    Usage Guidelines

    The ip address dhcp command allows any interface to dynamically learn its IP address by using the DHCP protocol. It is especially useful on Ethernet interfaces that dynamically connect to an Internet Service Provider (ISP). Once assigned a dynamic address, the interface can be used with the Port Address Translation (PAT) of Cisco IOS Network Address Translation (NAT) to provide Internet access to a privately addressed network attached to the router.

    Some ISPs require that the DHCPDISCOVER message have a specific host name and client identifier that is the MAC address of the interface. The most typical usage of the ip address dhcp client-id interface-name hostname host-name command is when interface-name is the Ethernet interface where the command is configured and host-name is the host name provided by the ISP.

    A client identifier (DHCP option 61) can be a hexadecimal or an ASCII value. By default, the client identifier is an ASCII value. The client-id interface option overrides the default and forces the use of the hexadecimal MAC address of the named interface.

    Note Between 12.1(3)T and 12.2(3), the client-id optional keyword allowed the change of the fixed ASCII value for the client identifier. After 12.2(3), the optional client-id keyword forced the use of the hexadecimal MAC address of the named interface as the client identifier.

    If a Cisco router is configured to obtain its IP address from a DHCP server, it sends a DHCPDISCOVER message to provide information about itself to the DHCP server on the network.

    If you use the ip address dhcp command with or without any of the optional keywords, the DHCP option 12 field (host name option) is included in the DISCOVER message. By default, the host name specified in option 12 will be the globally configured host name of the router. However, you can use the ip address dhcp hostname host-name command to place a different name in the DHCP option 12 field than the globally configured host name of the router.

    The no ip address dhcp command deconfigures any IP address that was acquired, thus sending a DHCPRELEASE message.

    You might need to experiment with different configurations to determine the one required by your DHCP server. Table 12 shows the possible configuration methods and the information placed in the DISCOVER message for each method.

    Table 12 Configuration Method and Resulting Contents of the DISCOVER Message

    Configuration method: ip address dhcp
    Contents of DISCOVER message: The DISCOVER message contains “cisco-mac-address-Eth1” in the client ID field. The mac-address is the media access control (MAC) address of the Ethernet 1 interface. The message contains the default host name of the router in the option 12 field.

    Configuration method: ip address dhcp hostname host-name
    Contents of DISCOVER message: The DISCOVER message contains “cisco-mac-address-Eth1” in the client ID field. The mac-address is the MAC address of the Ethernet 1 interface. The message contains host-name in the option 12 field.

    Configuration method: ip address dhcp client-id ethernet 1
    Contents of DISCOVER message: The DISCOVER message contains the MAC address of the Ethernet 1 interface in the client ID field and contains the default host name of the router in the option 12 field.

    Configuration method: ip address dhcp client-id ethernet 1 hostname host-name
    Contents of DISCOVER message: The DISCOVER message contains the MAC address of the Ethernet 1 interface in the client ID field and contains host-name in the option 12 field.

    Examples

    In the examples that follow, the command ip address dhcp is entered for the Ethernet 1 interface. The DISCOVER message sent by a router configured as shown in the following example would contain “cisco- mac-address -Eth1” in the client-ID field, and the value fresno in the option 12 field.

    hostname fresno
    !
    interface Ethernet 1
    ip address dhcp

    The DISCOVER message sent by a router configured as shown in the following example would contain “cisco- mac-address -Eth1” in the client-ID field, and the value sanfran in the option 12 field.

    hostname fresno
    !
    interface Ethernet 1
    ip address dhcp hostname sanfran

    The DISCOVER message sent by a router configured as shown in the following example would contain the MAC address of the Ethernet 1 interface in the client-id field, and the value fresno in the option 12 field.

    hostname fresno
    !
    interface Ethernet 1
    ip address dhcp client-id Ethernet 1

    The DISCOVER message sent by a router configured as shown in the following example would contain the MAC address of the Ethernet 1 interface in the client-id field, and the value sanfran in the option 12 field.

    hostname fresno
    !
    interface Ethernet 1
    ip address dhcp client-id Ethernet 1 hostname sanfran



    Chris, I think it would still be useful to see your config. I’ve lost track of where we are with this, specifically acls, etc.

    theterranaut
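The four Table 12 variants, worked as code. This is an added example rather than anything from the thread or from Cisco: it builds the DHCP option 12 (host name) and option 61 (client identifier) that each form of ip address dhcp would place in the DISCOVER, then decodes them back. The sample MAC and the wire layout of the ASCII client ID (a type byte of 0 followed by the text) are assumptions.

```python
"""DHCP option 12 (host name) and option 61 (client identifier) as the four
'ip address dhcp' variants in Table 12 would populate them.

Constructed example; the wire layout of the ASCII client ID (type byte 0
followed by the text) is an assumption, as is the sample MAC address."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OPT_PAD, OPT_HOSTNAME, OPT_CLIENT_ID, OPT_END = 0, 12, 61, 255

SAMPLE_MAC = bytes.fromhex("001122334455")  # constructed MAC of 'Ethernet 1'


@dataclass
class DhcpIfConfig:
    hostname: str                        # global 'hostname' of the router
    if_mac: bytes                        # MAC of the interface running 'ip address dhcp'
    dhcp_hostname: Optional[str] = None  # 'ip address dhcp hostname <host-name>'
    client_id_interface: bool = False    # 'ip address dhcp client-id ethernet 1'
    if_label: str = "Eth1"


def discover_fields(cfg: DhcpIfConfig) -> Tuple[bytes, str]:
    """Return (client identifier, option 12 host name) per Table 12."""
    name = cfg.dhcp_hostname or cfg.hostname
    if cfg.client_id_interface:
        # Hexadecimal form: RFC 2132 hardware type 1 (Ethernet) + raw MAC.
        return b"\x01" + cfg.if_mac, name
    # Default ASCII form 'cisco-<mac>-Eth1' (assumed type byte 0 prefix).
    mac_txt = cfg.if_mac.hex(".", 2)  # dotted form, e.g. 0011.2233.4455
    return b"\x00" + f"cisco-{mac_txt}-{cfg.if_label}".encode("ascii"), name


def encode_options(client_id: bytes, hostname: str) -> bytes:
    """Serialise the two options as DHCP TLVs, terminated by the END option."""
    out = bytearray()
    for code, value in ((OPT_HOSTNAME, hostname.encode("ascii")), (OPT_CLIENT_ID, client_id)):
        if not 0 < len(value) < 256:
            raise ValueError(f"option {code} length {len(value)} out of range")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse TLVs back into {code: value}; tolerates PAD, rejects truncation."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    raise ValueError("missing END option")


def discover_summary(cfg: DhcpIfConfig) -> Dict[str, object]:
    """Round-trip the options and report what a DHCP server would see."""
    cid, name = discover_fields(cfg)
    opts = decode_options(encode_options(cid, name))
    return {"client_id": opts[OPT_CLIENT_ID], "hostname": opts[OPT_HOSTNAME].decode("ascii")}


# The four rows of Table 12, with 'hostname fresno' as in the Cisco examples.
TABLE_12_CASES = {
    "ip address dhcp": DhcpIfConfig("fresno", SAMPLE_MAC),
    "ip address dhcp hostname sanfran": DhcpIfConfig("fresno", SAMPLE_MAC, dhcp_hostname="sanfran"),
    "ip address dhcp client-id Ethernet 1": DhcpIfConfig("fresno", SAMPLE_MAC, client_id_interface=True),
    "ip address dhcp client-id Ethernet 1 hostname sanfran": DhcpIfConfig(
        "fresno", SAMPLE_MAC, dhcp_hostname="sanfran", client_id_interface=True),
}

if __name__ == "__main__":
    for cmd, cfg in TABLE_12_CASES.items():
        print(f"{cmd:55} -> {discover_summary(cfg)}")
```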

    theterranaut
    Member
    in reply to: Newbie. Help setting up my routing/NAT/DHCP #285823

    Re: Newbie. Help setting up my routing/NAT/DHCP

    Hi Chris,

    Good to see that David is on the case! Just a thought: why not post your latest config here and we'll take a look and see how it's progressing? In between our suggestions, other forum members' suggestions and your own work it's kinda hard to track what's been done/what needs to be done.
    If you do- of course, please edit out any passwords (even if the IOS automatically encrypts them) and any external IP addresses (if applicable.)

    HTH-

    theterranaut

    theterranaut
    Member
    in reply to: Newbie. Help setting up my routing/NAT/DHCP #285822

    Re: Newbie. Help setting up my routing/NAT/DHCP

    Hello again Chris,

    There's a whole bunch of stuff out there, and it's homework time! (again)

    ‘Private’ IP addressing:

    http://en.wikipedia.org/wiki/Private_network

    All you ever wanted to know about IP addressing (famous one, this)

    http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf

    From this, the distinction between ‘classful’, ‘classless’, ‘public’ and ‘private’ addressing will (hopefully) be clear.

    have fun-

    theterranaut

    theterranaut
    Member
    in reply to: Running Apache behind a B-Focus 270 router #285821

    Re: Running Apache behind a B-Focus 270 router

    And me!

    Or: why not run Apache on a different port?

    theterranaut

    theterranaut
    Member
    in reply to: Newbie. Help setting up my routing/NAT/DHCP #285820

    Re: Newbie. Help setting up my routing/NAT/DHCP

    Hey, no worries. Glad to help.

    Watch that statement, btw: “classless”. Not meaning to be pedantic (ok, maybe I am) but I always find that if you get your semantics correct when you’re talking about this stuff then others catch on faster. Apologies if that sounds a bit lecturing, Chris.

    tt

    theterranaut
    Member
    in reply to: Newbie. Help setting up my routing/NAT/DHCP #285819

    Re: Newbie. Help setting up my routing/NAT/DHCP

    No worries Chris, you’ve obviously been very busy! Apologies, I did mean to have a go earlier, but you had a lot of questions…



    IP Scheme = 192.168.5.0
    Subnet Mask = 255.255.255.0
    Domain Name = bartlett-family.net
    [tt]Looks okay. A ‘private’ RFC1918 set of addresses on the inside. Google for that. Good going!


    1. Various admin stuff.
    Passwords are set, including encryption.
    [tt]Excellent. Make them as strong as poss!

    Router(config)# service timestamps debug datetime msec localtime show-timezone – What does this do?

    [tt]this controls a ‘service’ (basically a daemon) that the router uses. You can set some incredibly detailed real-time logging on the router called ‘debug’ that can give you a wealth of information when you want to see exactly what's going on and when. This command controls the ‘timestamping’ of these debug logs. So, when you run a debug, you'll get each entry timed and dated.

    Router(config)# service timestamps log datetime msec localtime show-timezone – What does this do?

    [tt]As for the above, but this time, for plain logging functions.

    Router(config)# clock timezone EST -5 – I think this is obvious, eh?

    [tt]Absolutely. We know where you live!

    Router(config)# clock summer-time EST recurring last Sat Mar 2:00 last Sat Oct 2:00 – I think this is obvious, eh?

    [tt]Indeed!

    Router(config)# ntp clock-period 17208286 – What does this do

    [tt]You can set a fair range of network devices to get their time from external, generally reliable sources, instead of using their own internal clock. I *believe* that after it's set, the router uses its internal crystal-based timer to continue the timing. Basically- you don't need to mess with this! The number controls the number of oscillations, IIRC.

    Router(config)# ntp server 192.5.41.41 source e0/0 prefer – Doesn’t seem like it could be right with a 192.x.x.x address.

    Should I use Router(config)# ntp server ntp2.usno.navy.mil source e0/0 prefer instead?

    [tt]Not quite Chris, bone up on public/private IP address ranges- I'll find a resource somewhere and post the link.
    I think what you mean is that you think this is a ‘private’ RFC1918 address, yes? Actually, for the addresses you are thinking about, these start at 192.168.0.0 and run through to 192.168.255.255.
    (Here's a link here: http://www.duxcw.com/faq/network/privip.htm)
    192.5.41.41 is a perfectly valid, ‘routable’, public address.

    Router(config)#banner motd #
    ************************************ *
    *This is MY router, not yours. Go away! If you *
    *decide to stick around anyway, I’m warning you *
    *now that I am logging this stuff and will *
    *know what you do. I will use that knowledge *
    *to hunt you down and gouge your eyeballs out. *
    * *
    * Thanks for the visit *
    * But it’s time to go! *
    **************************************

    [tt]If this was just a test lab, Chris, I'd say fair enough. But- for any kind of production system (which this may be eventually?) you should really put something a bit more serious! Why? Well, if you ever need to prosecute (and who knows? it might happen) there's usually a requirement, depending on where you are in the world, that you've actually warned an intruder that the system is private, and that, if they proceed, they will be prosecuted. Just imagine how it would read in court.

    2. Configure routing

    Router(config)# ip route 0.0.0.0 0.0.0.0 e0/0
    Router(config)# no ip source-route – What does this do?

    [tt]There’s a way that other routers can tell your router what specific paths their packets should take. (I forgot the actual details at present, will research.) This is generally regarded as being a bad idea these days- there’s a risk from a security standpoint that a rogue router could misuse this feature maliciously. This command turns this off, and is generally considered to be A Good Thing.

    Missing anything?

    [tt]Looks okay. Your ‘default’ route (ip route 0.0.0.0 0.0.0.0 e0/0) says: “if I don't know specifically where this packet should go, just send it out e0” (this is connected to your internet service, yes?)
    An alternative to this is to set the ‘next hop’ address instead of e0.

    3. Configure e0/0 to get DHCP from ISP.

    Router(config)# int e0/0
    Router(config-if)# ip address dhcp

    Anything else I need to do on this interface for DHCP reception purposes?

    [tt]I think this should be okay. It really depends on your provider. Maybe another poster in your part of the world using the same provider could help here?

    4. Setting up int e0/1 to hand out addresses internally.

    Router(config)# ip domain name bartlett-family.net
    Router(config)# ip name-server 192.168.5.1
    Router(config)# ip dhcp pool bartlett – “bartlett” will be the name of the pool
    Router(dhcp-config)# network 192.168.5.0/24
    Router(dhcp-config)#domain-name bartlett-family.net
    Router(dhcp-config)#dns-server 192.168.5.1 – This is the IP address of my current linux server on which I run DNS (named).

    Will I have to do anything to this box to let DNS queries out through the 2611 or will the above default routing be good?

    [tt]This should be okay. It will really depend on how/if you’ve got NAT set up.

    Router(dhcp-config)#default-router 192.168.5.73

    [tt]I’m not sure…if you could draw a quick sketch of your network layout I can give you a definitive, but this looks okay.

    Router(dhcp-config)#lease 7
    Router(dhcp-config)#ip dhcp exclude 192.168.5.73 – Router’s e0/1 interface (default gateway)
    Router(dhcp-config)#ip dhcp exclude 192.168.5.3
    Router(dhcp-config)#ip dhcp exclude 192.168.5.7
    Router(dhcp-config)#ip dhcp exclude 192.168.5.27
    Router(dhcp-config)#ip dhcp exclude 192.168.5.33
    Router(dhcp-config)#ip dhcp exclude 192.168.5.1
    Router(dhcp-config)#no ip bootp server

    Am I missing anything?

    5. Configure NAT/ACL’s – I am struggling with this.

    … I had a whole mess of commands written up, but I got lost. Between my other conversation and my documentation, I'm quite confused. So I won't bother. On my linux server (192.168.5.1), I run web service (port 80, http) and mail (port 25, smtp). Would you possibly be so kind as to write up ACL's that would allow my LAN traffic out, and allow very little in (except for web and mail)? I also don't mind pings (ICMP, right?) coming in because that allows me to test my home connection from anywhere.

    [tt]Cheeky monkey! ;)
    This is a wee bit trickier- try this:

    Step 1: General NAT
    First, you want to set up a general NAT rule to allow everything on your internal LAN out, and as we don't know what/if you've any static IP addressing on the ‘outside’ interface of your router, we'll just have to use the interface's own address and use PAT (port address translation) to allow you enough connections to get everyone on the inside outside when necessary. So, no pool of addresses will be created on the outside to allow connections outbound (google PAT if none of that made any sense.)

    #access-list 120 permit ip any any log
    [tt]Set up an access-list that defines the following:
    Allow ANY IP traffic FROM any TO any

    #ip nat inside source list 120 interface e0 overload
    [tt]nat from the ‘inside’ (we’ll define that in a moment) using anything caught by access-list 120 (defined above- your internal LAN) using the address provided on interface e0- and ‘overload’ this address- use tcp ports instead of IP addresses to give us enough connections:

    Step 2: Define what, from a NAT standpoint, is ‘inside’ and what's ‘outside’ (which determines what way round the translations occur, effectively)

    #interface e0
    #ip nat outside
    #interface e1
    #ip nat inside

    Step 3: Specific/Static NAT: ‘forwarding’ ports in to IP addresses.
    The following is just an example, which ‘forwards’ tcp port 80 from the ‘outside’ (interface e0) to an IP address on the inside. Here's your homework- work out the rest!

    #ip nat inside source static tcp 192.168.5.1 80 interface e0 80

    Have fun-

    theterranaut

    BTW- anyone else want to contribute to this to help Chris out?
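The NAT steps above, modelled as an added example (not from the thread): a small PAT table for the e0 overload plus the single static tcp/80 forward, showing why an inside host can reach out while an unsolicited inbound connection to an unforwarded port is simply dropped. The outside address 203.0.113.10 is a constructed stand-in for whatever DHCP hands e0.

```python
"""Model of the NAT set up in steps 1-3: 'ip nat inside source list 120
interface e0 overload' (PAT on the e0 address) plus one static
'ip nat inside source static tcp 192.168.5.1 80 interface e0 80' forward.

Added example, not from the thread; 203.0.113.10 is a constructed stand-in
for the address DHCP hands e0. A real IOS PAT entry also records the remote
endpoint; this model keys replies on the outside port alone."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

INSIDE_LAN = ipaddress.ip_network("192.168.5.0/24")  # the LAN from the thread
OUTSIDE_ADDR = "203.0.113.10"                        # constructed e0 address


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    def __init__(self, outside_addr: str, static_tcp: Dict[int, Tuple[str, int]],
                 first_port: int = 1024):
        self.outside = outside_addr
        self.static = dict(static_tcp)  # outside tcp port -> (inside ip, inside port)
        self.fwd: Dict[Tuple[str, str, int], int] = {}        # (proto, inside ip, port) -> outside port
        self.rev: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, outside port) -> (inside ip, port)
        self.next_port = first_port

    def _alloc(self, proto: str) -> int:
        """Next free outside port for this protocol that no static forward already uses."""
        while (proto, self.next_port) in self.rev or self.next_port in self.static:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("PAT port space exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Inside -> outside: rewrite the source to the e0 address, keeping the port if free."""
        if ipaddress.ip_address(f.src) not in INSIDE_LAN:
            return None  # not an 'inside' source: no translation built
        key = (f.proto, f.src, f.sport)
        if key not in self.fwd:
            free = (f.proto, f.sport) not in self.rev and f.sport not in self.static
            port = f.sport if free else self._alloc(f.proto)
            self.fwd[key] = port
            self.rev[(f.proto, port)] = (f.src, f.sport)
        return replace(f, src=self.outside, sport=self.fwd[key])

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside: static forwards first, then replies to PAT entries, else drop."""
        if f.dst != self.outside:
            return None
        if f.proto == "tcp" and f.dport in self.static:
            ip, port = self.static[f.dport]
            return replace(f, dst=ip, dport=port)
        hit = self.rev.get((f.proto, f.dport))
        if hit is None:
            return None  # unsolicited: nothing to translate to, so it is dropped
        return replace(f, dst=hit[0], dport=hit[1])


def build_router() -> PatRouter:
    """Steps 1-3 above: overload on e0, tcp/80 forwarded to the Linux box at 192.168.5.1."""
    return PatRouter(OUTSIDE_ADDR, static_tcp={80: ("192.168.5.1", 80)})
```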

    theterranaut
    Member
    in reply to: Newbie. Help setting up my routing/NAT/DHCP #285818

    Re: Newbie. Help setting up my routing/NAT/DHCP

    Hi Chris!

    1. My 2611 has two interfaces: e0/0 and e0/1. My first question is really, really stupid because I think I know the answer. Being that these are ethernet, and not fast ethernet (well, to the best of my knowledge anyway), does this mean they’re only 10Mb, not 100Mb? And assuming they are only 10Mb interfaces, should I assume that if I VLAN my house (and therefore route between those VLAN’s), that my entire network would then slow down to 10Mb?

    A:
    Yes, they are only 10Mb. (Actually a bit slower in the real world.)

    “my entire network would then slow down to 10Mb?”
    Not necessarily. Any packets that need to be routed would be at 10Mb or less. But: any packets (frames, actually) that just need sent to and from machines on the same logical network would be sent/received at the speed of the slowest network port the machines use to talk to each other.

    2. Configure routing

    Router(config)# router rip
    Router(config-router)# network 192.168.5.0

    Missing anything?

    Actually…RIP is a routing protocol used to let routers tell each other about networks they know about. As you only have one router, you don't need RIP. You just need to assign addresses to the interfaces on your router; these will then appear as connected networks within the router's routing table.
    Try this:

    -Console to the router (have you sussed this bit out yet?)
    -enable
    -configure terminal
    -interface ethernet0 (or 0/0, possibly)
    -ip address 10.10.10.1 255.255.255.0
    -no shut
    -interface ethernet1 (or 0/1, possibly)
    -ip address 10.10.20.1 255.255.255.0
    -no shut

    Power up your 2 switches. Connect one switch to one port (e0), one to the other (e1). Set up a PC on each side with an appropriate IP, mask and gateway (ie, IP 10.10.10.10, mask 255.255.255.0, gateway 10.10.10.1 on your e0 side) and cable it to the switch. You *should* now be able to ‘ping’ from one PC to another!!!!

    3. Now, since I have Comcast and they send out DHCP addresses, I obviously need to set e0 to receive a DHCP address. I've found documents on the web and from what I can determine, it boils down to me doing:

    int e0/0
    ip address dhcp

    Probably…you might also have to issue a ‘no shut’ command while in the interface subconfiguration command mode:

    -enable
    -configure terminal
    -interface ethernet0 (or 0/0, possibly)
    -ip address dhcp
    -no shut

    When the interface ‘lights up’ (literally), issue this command:
    -show ip interface brief

    Is there an IP assigned to e0???

    More later!

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: Connceting 2600 router #285817

    Re: Connceting 2600 router

    Hi Makhan,

    I think what Chris meant was: what PHYSICAL ports do your routers have? There’s a great variation in Cisco hardware. So, if you look on the back of them, there will be at least:

    -a power connector
    -a console connection
    -possibly an aux port

    But what else do you see? This is what we need to know, before we can tell you what cables & connectors you need to buy.

    “Configuration thing is easy to play around once everything is connected right and working.”

    How I wish this were true!:-?

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: access-list problem #285816

    Re: access-list problem

    Glad we agree on this, Ahmer.

    Have you had a chance to test yet, Efrenba?

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: access-list problem #285815

    Re: access-list problem

    No problem Efrenba, thank you for coming back!

    So: your lan is 10.10.10.0/24, your PC is 10.10.10.15 and your router is a Cisco 2500 series device.

    You want to:
    (1)permit access to yourself to Yahoo Messenger (tcp 5050):
    (2)deny access to everyone else to Yahoo Messenger (tcp 5050):
    (3)allow some other outbound traffic (examples given were http, telnet, ftp)

    So, an acl set to accomplish this could be:

    (1)access-list 125 permit tcp host 10.10.10.15 any eq 5050 log
    (2)access-list 125 deny tcp any any eq 5050 log
    (3)access-list 125 permit tcp any any eq 80 log
    (4)access-list 125 permit tcp any any eq 23 log
    (5)access-list 125 permit tcp any any eq 21 log

    And finally, apply the access-group on an interface, in a direction:

    (6)interface serial1:
    (7)ip access-group 125 out

    Alternatively, you could just allow (1), deny (2), and permit everything else: this might be the best thing to do first until you know exactly all the applications you have running out there:

    (1)access-list 125 permit tcp host 10.10.10.15 any eq 5050 log
    (2)access-list 125 deny tcp any any eq 5050 log
    (3)access-list 125 permit ip any any log
    (4)interface serial1:
    (5)ip access-group 125 out

    try these out and let me know how you get on,

    regards,

    theterranaut
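Added example, not part of the thread: a Python evaluator for the subset of IOS extended access-list syntax used in the two lists above, applied to some constructed traffic from 10.10.10.0/24. It shows the first-match ordering and the implicit deny, in particular that the stricter list drops a UDP DNS query that the permit ip any any variant lets through.

```python
"""Evaluate an IOS numbered extended access-list the way the router does:
top-down, first match wins, implicit deny at the end. Added example, not from
the thread; it covers the syntax used in access-list 125 above (tcp/udp/ip,
any | host A.B.C.D | A.B.C.D wildcard, optional 'eq <port>', trailing 'log')."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrRule = Tuple[int, int]  # (address, wildcard mask) as 32-bit ints

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    src: AddrRule
    sport: Optional[int]
    dst: AddrRule
    dport: Optional[int]
    log: bool

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_endpoint(tok: List[str], i: int) -> Tuple[AddrRule, Optional[int], int]:
    """Consume 'any' | 'host A' | 'A W' plus optional 'eq N'; return rule, port, next index."""
    if tok[i] == "any":
        rule, i = (0, 0xFFFFFFFF), i + 1
    elif tok[i] == "host":
        rule, i = (_ip(tok[i + 1]), 0), i + 2
    else:
        rule, i = (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return rule, port, i

def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue  # interface / access-group lines are not ACL entries
        action, proto = tok[2], tok[3]
        src, sport, i = _parse_endpoint(tok, 4)
        dst, dport, i = _parse_endpoint(tok, i)
        entries.append(AclEntry(action, proto, src, sport, dst, dport, "log" in tok[i:]))
    return entries

def _matches(rule: AddrRule, addr: str) -> bool:
    """Wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, wild = rule
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)

def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line that matched); (deny, None) is the implicit deny."""
    for n, e in enumerate(acl, 1):
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_matches(e.src, pkt.src) and _matches(e.dst, pkt.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, n
    return "deny", None

# The two variants proposed above for the 10.10.10.0/24 LAN.
STRICT_ACL = """
access-list 125 permit tcp host 10.10.10.15 any eq 5050 log
access-list 125 deny tcp any any eq 5050 log
access-list 125 permit tcp any any eq 80 log
access-list 125 permit tcp any any eq 23 log
access-list 125 permit tcp any any eq 21 log
"""
OPEN_ACL = """
access-list 125 permit tcp host 10.10.10.15 any eq 5050 log
access-list 125 deny tcp any any eq 5050 log
access-list 125 permit ip any any log
"""

# Constructed outbound traffic; the DNS query is what the strict list silently drops.
SAMPLE_TRAFFIC = [
    Packet("tcp", "10.10.10.15", "216.155.193.137", 1652, 5050),
    Packet("tcp", "10.10.10.33", "216.155.193.170", 1524, 5050),
    Packet("tcp", "10.10.10.33", "198.51.100.7", 1600, 80),
    Packet("udp", "10.10.10.33", "198.51.100.53", 1700, 53),
]

def decisions(acl_text: str) -> List[Tuple[str, Optional[int]]]:
    acl = parse_acl(acl_text)
    return [evaluate(acl, p) for p in SAMPLE_TRAFFIC]
```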

    theterranaut
    Member
    in reply to: access-list problem #285814

    Re: access-list problem

    Hi Efrenba,

    your logs show:

    %SEC-6-IPACCESSLOGP: list 125 permitted tcp 10.10.10.15(1652) -> 216.155.193.137(5050), 1 packet
    %SEC-6-IPACCESSLOGP: list 125 denied tcp 10.10.10.33(1524) -> 216.155.193.170(5050), 1 packet

    Summary:
    -10.10.10.15 is permitted out to 216.155.193.137 on 5050 (router source port was 1652)
    -10.10.10.33 is denied out to 216.155.193.137 on 5050 (router source port was 1524)

    Based on what you’ve told us, isn’t this what you wanted to do? Bear in mind the following:

    -I’m not sure what application runs on 5050 (Yahoo Messenger, by any chance?). Is this definitely what you want to block? Are other ports needed for your application? Is the application failing because it maybe needs additional ports?
    -There is an ‘implicit deny’ at the end of every access-list. Unless you now add on a ‘permit’ at the end of your list, everything else will be dropped. So, in actual fact, your acl statement “access-list 125 deny tcp any any eq 5050 log” is not presently needed; an implicit deny would suffice.
    (is this what you meant when you said “I receive these logs in the router but I can’t connect me:”)?

    Can you maybe reply and let us know what you are trying to achieve generally?

    ie, “I want to block access to an application running on….”

    HTH-

    regards,

    theterranaut
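Added example, not part of the thread: the two %SEC-6-IPACCESSLOGP lines above parsed into records, alongside a few constructed lines, with a summary of which inside hosts were permitted or denied to which ports. Handy once the access-group is applied and you want to confirm the log agrees with the intended policy.

```python
"""Parse %SEC-6-IPACCESSLOGP entries (what the 'log' keyword on an extended ACL
produces) into records and summarise who was permitted or denied where.
Added example, not from the thread; the two log lines quoted above are reused,
the remaining sample lines are constructed."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)


@dataclass(frozen=True)
class AclLogEvent:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int


def parse_acl_log(text: str) -> List[AclLogEvent]:
    """Return one event per recognisable line; unrelated syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append(AclLogEvent(d["acl"], d["action"], d["proto"], d["src"], int(d["sport"]),
                                  d["dst"], int(d["dport"]), int(d["packets"])))
    return events


def summarise(events: List[AclLogEvent]) -> Dict[Tuple[str, str, int], int]:
    """Packet totals keyed by (source host, action, destination port)."""
    totals: Counter = Counter()
    for e in events:
        totals[(e.src, e.action, e.dport)] += e.packets
    return dict(totals)


def denied_sources(events: List[AclLogEvent], dport: int) -> List[str]:
    """Hosts that hit a deny entry for the given destination port, most packets first."""
    per_host: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.action == "denied" and e.dport == dport:
            per_host[e.src] += e.packets
    return [h for h, _ in sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))]


# The two lines quoted in the thread plus constructed follow-ups, including the
# 'N packets' summary form the router uses for repeated hits and one unrelated line.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 125 permitted tcp 10.10.10.15(1652) -> 216.155.193.137(5050), 1 packet
%SEC-6-IPACCESSLOGP: list 125 denied tcp 10.10.10.33(1524) -> 216.155.193.170(5050), 1 packet
%SEC-6-IPACCESSLOGP: list 125 denied tcp 10.10.10.33(1525) -> 216.155.193.170(5050), 4 packets
%SEC-6-IPACCESSLOGP: list 125 denied tcp 10.10.10.40(2000) -> 216.155.193.170(5050), 2 packets
%SEC-6-IPACCESSLOGP: list 125 permitted tcp 10.10.10.33(1600) -> 198.51.100.7(80), 12 packets
%SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_LOG)
    for key, n in sorted(summarise(evs).items()):
        print(key, n)
    print("denied to 5050:", denied_sources(evs, 5050))
```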

    theterranaut
    Member
    in reply to: Basic Cisco PIX and Catalyst VLAN question #285813

    Re: Basic Cisco PIX and Catalyst VLAN question

    Hi Mike, thanks for coming back.

    I suppose it all depends what you want to do! (Apologies for how trite that sounds.) 100Mb isn't as bad as it sounds, I think. Even a ‘bog standard’ router (Cisco), connected in to do intervlan routing, will probably only have a 100Mb interface which all traffic will have to share. But it all depends on clients, traffic, etc etc. Without really detailed traffic stats it's hard to tell. My gut feeling is that you would be okay, though.

    Anyway:

    I wonder if you really need a firewall in the middle of everything, filtering traffic in detail. Could you live without it? If so, how about:

    Option 1
    -Building a box with (for example) Server 2000/2003.
    -Stick in as many NICs as you'll need for your networks. (100Mb at least.)
    -Divide up your switches into vlans, and your network into separate logical networks/subnets.
    -Address the nics separately with an IP address from each subnet.
    -Connect one nic per vlan/subnet.
    -Have the per-subnet-nic as the gateway for all clients in that subnet/network/vlan.

    See where I'm going with this? You've just set up a very basic router that will happily route between subnets/networks out of the box. No further config needed. Depending on the speed of the server, and whether or not you could get gigabit NICs and gig ports on your switch, you might even end up with routing speeds >100 Mb per vlan. You would need to enable DHCP relay on the server, if there's going to be a single DHCP server, but that's fairly straightforward.

    Option 2
    As for the above- but add in RRAS on Server 2000/2003. Now, you can set up (if needed) packet filtering to give you some limited but effective firewalling between subnets/networks/vlans. A bit more involved.

    Option 3
    Buy a router! :) Then go down the vlan/intervlan routing line. Less complex than the above, no overhead from your OS, etc, etc.

    I realise all of these options may involve additional outlay for you. In the first instance, it might be useful to try and build up a picture of your lan traffic to see where the heaviest usage is. You never know, 100Mb may be all you need!

    best regards,

    theterranaut

    theterranaut
    Member
    in reply to: Illegal subnet obtained from ISP? #285812

    Re: Illegal subnet obtained from ISP?

    I think Marcel and JeremyW have (as usual) hit the nail squarely on the head… you might just coincidentally have ended up with an “x.x.x.0” network, and as he says, you'll probably get a /30 or similar, giving you (possibly) 1 or more static IP addresses to play with. From this, you can calculate your mask, which will probably be 255.255.255.252 or similar.

    Shocking behaviour from that ISP- do they want your money? I agree that you may have to moan a bit to get someone who really understands what's what- but shouldn't front-line staff from an ISP be able to comprehend an IP address?

    I don't know, what's the world coming to? :(

    theterranaut

    Avatar
    theterranaut
    Member
    in reply to: Illegal subnet obtained from ISP? #285811

    Re: Illegal subnet obtained from ISP?

    Hi Jonathan,

    no idea! But can’t you just call your ISP and ask them what static address they’ve allocated to you? They should be able to provide this easily.

    regards,

    theterranaut

    Avatar
    theterranaut
    Member
    in reply to: changing metric in RIP #285810

    Re: changing metric in RIP

    Quote from DD:
    “theterranaut – I appreciate your posts, you are a smart guy so don’t worry about it.”

    :beer:
    Thanks David! Praise indeed. Glad to be able to help on occasion, and, fwiw, I learn a lot from your posts.

    regards,

    tt

    Avatar
    theterranaut
    Member
    in reply to: seeking similar sample pix 501 running config #285809

    Re: seeking similar sample pix 501 running config

    String, I should also have said:
    verify your vpn works by doing the following:

    -clear isakmp sa
    -clear ipsec sa

    This will tear down the tunnels (IKE & IPSec) used for the vpn.

    Then you want to ping from a core device to a remote site device. Are you getting a response from your ping? If so, your vpn is (probably) up, but if not you can test/verify with:

    -sh isakmp sa

    Which will show the number of IKE/ISAKMP (Stage 1) tunnels operational

    then

    -sh ipsec sa

    Which will show IPSec (Stage 2) traffic. On 6.x PIXes it’s quite obtuse; you can refine it by adding the ‘bar’ character (or pipe, if you prefer, looks like: |) and filtering results.

    Generally, if the tunnel shows packets being sent, received (encapsulated and decrypted) and the figures increment when you ping, then traffic is moving across the tunnel.

    The above is a general guide, of course, but 9 times out of 10 can show you if you have a problem. I.e., sh isakmp sa shows an active association, but sh ipsec sa shows nothing? Then stage 1 is good, so check your stage 2 settings carefully. I’m sure you get the idea.

    In the interests of completeness, I always do the above (clear then ping) from both sides, to make sure my proposals work bidirectionally. Pedantic or thorough, you choose!

    theterranaut
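    The rule of thumb in the post above (Phase 1 association present but no Phase 2 counters means check Phase 2; counters that move when you ping mean traffic is crossing the tunnel) written out as a small checker. This is an added example, not theterranaut’s code: the sample output is constructed to look like PIX 6.x “show isakmp sa” / “show ipsec sa” text, using documentation addresses, and the field names matched by the regexes are assumed from that format.

```python
import re

# Constructed sample output shaped like PIX 6.x "show isakmp sa"
# (203.0.113.x / 198.51.100.x are documentation ranges, not real peers).
ISAKMP_UP = """Total     : 1
Embryonic : 0
        dst               src        state     pending     created
  203.0.113.2     198.51.100.1    QM_IDLE         0           1
"""
ISAKMP_DOWN = "Total     : 0\nEmbryonic : 0\n"


def ipsec_sample(encaps, decaps):
    """Constructed "show ipsec sa" snapshot with the given packet counters."""
    return f"""   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 203.0.113.2:500
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify {decaps}
"""


def phase1_up(isakmp_out):
    """True if any ISAKMP SA has reached QM_IDLE, i.e. Phase 1 completed."""
    return re.search(r"\bQM_IDLE\b", isakmp_out) is not None


def counters(ipsec_out):
    """Return (encaps, decaps) counters from "show ipsec sa" text; 0 if absent."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", ipsec_out)
    dec = re.search(r"#pkts decaps:\s*(\d+)", ipsec_out)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)


def diagnose(isakmp_out, ipsec_before, ipsec_after):
    """Compare two "show ipsec sa" snapshots taken around a ping burst."""
    if not phase1_up(isakmp_out):
        return "phase1-down: check IKE policy, pre-shared key and peer address"
    e0, d0 = counters(ipsec_before)
    e1, d1 = counters(ipsec_after)
    sending, receiving = e1 > e0, d1 > d0
    if not sending and not receiving:
        return "phase1-up, no ipsec traffic: check phase 2 (transform set, crypto ACL)"
    if sending and not receiving:
        return "sending only: we encapsulate but decapsulate nothing, check the far side"
    if receiving and not sending:
        return "receiving only: far side sends but our interesting-traffic ACL may not match"
    return "tunnel passing traffic bidirectionally"
```

    Paste real output into the two snapshot arguments, one capture before the ping and one after, and the verdict follows the same reasoning the post describes.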

    Avatar
    theterranaut
    Member
    in reply to: VLANs #285808

    Re: VLANs

    Hi eenglish34,

    further to all that’s been said already, another thing to consider is:

    If ‘internet access speeds’ are your problem, you may want to consider some measures like the below-

    -defining, creating, then policing policies for internet access (always involves input from management and/or faculty!)

    -and/or a proxy that can do caching. ISA2004 is absolutely spot on for this kind of thing, but there are others (I like ISA’s AD tie-in, if you are using AD.)

    Basically you want to get faculty buy-in on an acceptable use policy, let the users know what’s/what’s not acceptable, install a device that can police and log this for you, and ensure those that have the power to do so come down like a ton of bricks on abusers. A proxy should also be able to tell you the kinds and amounts of traffic traversing your internet connection.

    my 0.02p!

    regards and good luck!

    theterranaut

    Avatar
    theterranaut
    Member
    in reply to: changing metric in RIP #285807

    Re: changing metric in RIP

    I stand corrected! (Although I am sitting down.)

    Thanks David-

    Avatar
    theterranaut
    Member

    Re: WAN, Routing and Switching: Internet Routing with Catalyst 3550

    Hi Elomis,

    I’m assuming if you’ve managed to add routes to this device then it’s the EMI version?

    Just an observation, but if your public IP is 202.202.202.10, and your static (default) route points to the same IP, where is ‘internet’ traffic going to go? Shouldn’t you have a default route to your next hop instead?

    theterranaut
