|
Luigi Thirty posted:Thanks. I've got two 2524s and a 2501. I only paid $15 for the set so it's not like it's a big loss. Apparently all 2500's use the same IOS release. I'll give you a link in a bit gotta host it real quick.
|
#
?
Sep 23, 2008 05:05
|
|
|
|
| # ? Apr 27, 2024 15:59 |
|
|
Anyone going to NANOG in October?
|
|
#
?
Sep 23, 2008 06:46
|
|
|
I'm having a problem with a wireless connection between two buildings. I'm not a wireless expert (I'm just a CCNA working on BSCI atm) and our normal network engineer is out of town and is not able to help. I have a Cisco Aironet 1310 (12.4(10b)JA1)) at the top of a building (omni antenna), and a small building about 400 yards away has another one with another 1310 with a directional antenna that associates with it. The association between these two AP's goes down at least once or twice a day and the people at the smaller building (with the directional antenna) say they have to power cycle the AP to get it to come back up. I've taken a look at the config and 'show' info best I can, but since I've really had no experience with Cisco wireless I'm not quite sure what I'm looking for. Any help would be greatly appreciated. On the omni here is some info in the 'show logging': quote:Sep 19 14:15:05.899: %DOT11-4-MAXRETRIES: Packet to client 001f.6ca9.0390 reached max retries, removing the client Closer look at the associations on the omni (there is a second directional AP a few miles away that is connecting to this omni, seems to work fine): quote:pafomni#show dot11 statistics client-traffic Config for the omni: quote:version 12.4 Config for the directional: quote:version 12.4 para fucked around with this message at 15:34 on Sep 23, 2008 |
|
#
?
Sep 23, 2008 15:10
|
|
|
routenull0 posted:What DNS servers is the box you are looking up from using? Do you have a host entry in /etc/hosts (if *nix)? I use a local DNS cache which forwards to my ISPs nameservers, but it happens no matter which server I specify. /etc/hosts is empty except for 127.0.0.1. The same thing happens to a friend of mine, but he's using the same ISP and a similar router as well, so I guess it's possible that the ISP may be doing it. If that's so, though, how do their machines know about my internal network enough to re-map the DNS?
|
|
#
?
Sep 23, 2008 16:52
|
|
|
para posted:wireless stuff Here is some stuff from Cisco on the error you are seeing: quote:http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37err.html I also suggest graphing up the SNR with Cacti or something as the problem seems to be periodic. nex fucked around with this message at 18:23 on Sep 23, 2008 |
|
#
?
Sep 23, 2008 18:20
|
|
|
Is it possible to generate interesting traffic from locally from the ASA console to test whether an IPSec VPN is configured correctly? As opposed to generating the traffic from a device behind the ASA. As long as said traffic matches the match list specified in the crypto map, of course.
|
|
#
?
Sep 24, 2008 17:49
|
|
|
Here's a dumb question. Is there a way to blank out all the settings for a particular interface on a 2600 series? I was messing around bringing up a lab t-1 and put a ton of wrong info on s0/0 so I just configured s0/1 and got it working, but all the wrong stuff is still on s0/0. Is there a way to just reset it to nothing/default without going in and typing in no <command>?
|
|
#
?
Sep 24, 2008 17:53
|
|
|
skipdogg posted:Here's a dumb question. Is there a way to blank out all the settings for a particular interface on a 2600 series? Yerp- default int se0/0
|
|
#
?
Sep 24, 2008 19:02
|
|
|
jwh posted:Yerp- default int se0/0 Thanks. You rock!
|
|
#
?
Sep 24, 2008 21:53
|
|
|
Here is the latest 2500 image (12.3-26). I figure its EoL so I shouldn't get in trouble for the link. http://pcrules.yourconsolesucks.com/c2500-is-l.123-26.bin I'll take it down in a few days.
|
|
#
?
Sep 25, 2008 04:32
|
|
|
jwh posted:Yerp- default int se0/0 Wow, I didn't know about that either so thanks for that info. Great thread!
|
|
#
?
Sep 25, 2008 12:57
|
|
|
I have a Cisco 2811 - running IOS version 12.4 20t - Call Manager Express version 7.0 What do I need in order for G.729 to work? Edit: Nevermind... I think it is resolved. Oversight in the configuration. Spotted it when I was about to post it here. Ha! Had a little bit of G.711 in there, edited out. Discovered that G.729 was a preferred mode, but would bump itself to the bottom of the list from the phone itself. This is when you run the call manager in transparent mode. If it is specified in the call manager, it isn't a problem. Schatten fucked around with this message at 17:45 on Sep 25, 2008 |
|
#
?
Sep 25, 2008 17:12
|
|
|
jwh posted:Yerp- default int se0/0 poo poo! I can't believe I didn't know or never bothered to look for this command. Thanks!
|
|
#
?
Sep 25, 2008 20:54
|
|
|
I'm currently looking at the ASA 5500 line (specifically the 5510 or 5520) and interested in the CSC-SSM module, which does "Content Security" (i.e. anti-spam, anti-virus, etc). Does anyone have experience with this module? Is it even worth getting? I'm sure rolling my own solution behind the ASA might be better, but I might end up doing both. However, I'm not entirely convinced about this module, thoughts?
|
|
#
?
Sep 26, 2008 00:20
|
|
|
The Beavis posted:I'm currently looking at the ASA 5500 line (specifically the 5510 or 5520) and interested in the CSC-SSM module, which does "Content Security" (i.e. anti-spam, anti-virus, etc). I compared this module + ASA to Websense + ASA and ended up going with the Websense combo. I like the trilogy of Websense + Antivirus + MXLogic for content security (and Cisco Secure Agent if youre all about data leakage). The rationale was future expansion in the 4ge expansion port, as well as licensing costs. Websense came ahead on $$.
|
|
#
?
Sep 26, 2008 01:10
|
|
|
jbusbysack posted:I compared this module + ASA to Websense + ASA and ended up going with the Websense combo. I like the trilogy of Websense + Antivirus + MXLogic for content security (and Cisco Secure Agent if youre all about data leakage). Thanks for the info. What sort of tests did you perform on the CSC-SSM? Cost aside, is it useful at all? It's not likely that I'll use the expansion port and the costs are well within my budget.
|
|
#
?
Sep 26, 2008 04:03
|
|
|
The Beavis posted:Thanks for the info. What sort of tests did you perform on the CSC-SSM? To be completely honest - if your target enterprise doesn't already have virus protection and spam protection, you already have bigger problems than which card to shove into your ASA. For testing we did none, the target implementation was a financial institution who was concerned about inbound virus/spam and data leakage/improper web surfing/protocol usage (IMs, https proxies etc). Post what you're trying to accomplish and in what industry/setting/executive mandate and we can all talk it over. CSC-SSM isn't completely useless, it just did not fit into the requirements I listed above.
|
|
#
?
Sep 26, 2008 06:34
|
|
|
Ugh, when did Cisco change the interface for downloading IOS? It looks like the menu tree system for lan switch code. Also that "default interface" command is nifty.
|
|
#
?
Sep 26, 2008 15:43
|
|
|
jbusbysack posted:To be completely honest - if your target enterprise doesn't already have virus protection and spam protection, you already have bigger problems than which card to shove into your ASA. We do have anti-virus on all desktops and servers, and anti-spam on the email server. My thinking was that an additional layer would help compound the effect. Spam is probably the one thing I would have wanted to target the most.
|
|
#
?
Sep 26, 2008 17:15
|
|
|
We are using the CSC-SSM with the plus license. It was entirely worth it. Having the edge device kill smtp connections based on reputation services has saved quite a bit in bandwidth usage. Which brings me to a question: I would desperately like some method of reporting on traffic in and out of the ASA (total usage in 24 hour period, top talkers, etc) but the ASA 5510 doesnt have netflow. My gut keeps telling me that syslog is the answer and I am dicking around with kiwi right now but Im still missing something. What piece of the puzzle would I need here to be able to put together a traffic analysis system for not much moola?
|
|
#
?
Sep 26, 2008 19:57
|
|
|
MRTG the switchports the ASA is plugged into. If there's a router interface close enough to an ASA to get relevant netflow stats, pull from that.
|
|
#
?
Sep 26, 2008 20:11
|
|
|
Syano posted:We are using the CSC-SSM with the plus license. It was entirely worth it. Having the edge device kill smtp connections based on reputation services has saved quite a bit in bandwidth usage. Thanks for sharing. That's definitely something that we need as the majority of our TCP connections are smtp spam.
|
|
#
?
Sep 26, 2008 20:59
|
|
|
Of course, you could also have your email go live in Postini world, and not even have to deal with rejecting the SYNs. Not sure if that's a viable option for you, or not, but if all you're really looking to do is avoid having to deal with disreputable SMTP inbound, it could be worth considering.
|
|
#
?
Sep 26, 2008 22:09
|
|
|
jwh posted:Of course, you could also have your email go live in Postini world, and not even have to deal with rejecting the SYNs. Not sure if that's a viable option for you, or not, but if all you're really looking to do is avoid having to deal with disreputable SMTP inbound, it could be worth considering. Was looking at Postini now, that actually might be a good solution as it will minimize bandwidth. Do you use it? I'm assuming it's been good for you? So that I'm not offtopic, anyone with experience with the AIP-SSM module?
|
|
#
?
Sep 26, 2008 23:48
|
|
|
The Beavis posted:Was looking at Postini now, that actually might be a good solution as it will minimize bandwidth. Do you use it? I'm assuming it's been good for you?
|
|
#
?
Sep 27, 2008 04:00
|
|
|
How can I put public IPs on machines on the inside interface of a PIX? It's not really NAT at that point, right?
|
|
#
?
Sep 29, 2008 20:42
|
|
|
CrazyLittle posted:How can I put public IPs on machines on the inside interface of a PIX? It's not really NAT at that point, right? I'm no PIX expert, but I think you need to trigger the NAT engine regardless- even if it's rewriting an address back to what it was originally.
|
|
#
?
Sep 29, 2008 20:50
|
|
|
jwh posted:I'm no PIX expert, but I think you need to trigger the NAT engine regardless- even if it's rewriting an address back to what it was originally. We are doing exactly this so I would say that is an affirmative
|
|
#
?
Sep 29, 2008 21:25
|
|
|
Syano posted:We are doing exactly this so I would say that is an affirmative Yeah, that's what I'm going to run with. Seems so clumsy to do it that way though.
|
|
#
?
Sep 29, 2008 22:09
|
|
|
CrazyLittle posted:How can I put public IPs on machines on the inside interface of a PIX? It's not really NAT at that point, right? Do you want to physically address the machines with public IPs or just static NAT them at the firewall?
|
|
#
?
Sep 29, 2008 23:56
|
|
|
jwh posted:I'm no PIX expert, but I think you need to trigger the NAT engine regardless- even if it's rewriting an address back to what it was originally. As it's been told to me, a PIX isn't a router. It has multiple interfaces, and it has a routing table, but it won't "route" traffic from one interface to another. Forwarding traffic between interfaces is accomplished via the nat translation statements, even if they aren't used to alter a source or destination address. But I'm no PIX expert either.
|
|
#
?
Sep 30, 2008 02:21
|
|
|
inignot posted:As it's been told to me, a PIX isn't a router. It has multiple interfaces, and it has a routing table, but it won't "route" traffic from one interface to another. Forwarding traffic between interfaces is accomplished via the nat translation statements, even if they aren't used to alter a source or destination address. You're half right. The device will route traffic, but it must also pass the ACL and NAT / security-level conditions as well. Edit: I'm approaching this from an ASA perspective, so apologies if pre-7 code PIX act differently.
|
|
#
?
Sep 30, 2008 02:32
|
|
|
My only PIX exposure has, tragically, been to 6.3 code. I didn't run them either, I just submitted rule changes for new applications.
|
|
#
?
Sep 30, 2008 12:18
|
|
|
Turns out my first hunch was also right - you can't have the same subnet on both sides of the PIX/ASA. So these guys have a /28 on the outside of their ASA, and they wanted to use some of the spare public addresses directly on some of the servers behind the firewall. The two possible answers (plus one bonus answer) end up being: 1) Plug in a secondary NIC with a public IP outside of the firewall 2) split the /28 into two /29's and then put one /29 inside and one outside the firewall. Wacky bonus answer) Tell the guy he's being retarded (in very nice terms) and have them use 1-to-1 NAT instead of directly assigning the IPs.
|
|
#
?
Sep 30, 2008 16:57
|
|
|
Oh. So you mean he wanted to actually assign the host itself a public IP and have that route through the ASA and have it translated to the same IP? Yeah thats goofy just use 1 to 1 NAT
|
|
#
?
Sep 30, 2008 18:00
|
|
|
Syano posted:Oh. So you mean he wanted to actually assign the host itself a public IP and have that route through the ASA and have it translated to the same IP? This. And then ACL up the IPs for security
|
|
#
?
Sep 30, 2008 18:25
|
|
|
CrazyLittle posted:Turns out my first hunch was also right - you can't have the same subnet on both sides of the PIX/ASA. So these guys have a /28 on the outside of their ASA, and they wanted to use some of the spare public addresses directly on some of the servers behind the firewall. The two possible answers (plus one bonus answer) end up being: I'd go with your wacky bonus of telling them to use 1-to-1 Or you could set it up in transparent mode (which in 8.0.2 and above can now perform NAT/PAT) : http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
|
|
#
?
Sep 30, 2008 19:12
|
|
|
Halp guyz  I need to know how to change the timeout value on HTTP(s) on a Cisco PIX. I want to set it to 30 minutes. It is a 515e. For some background, here's a thread: http://forums.somethingawful.com/showthread.php?threadid=2971800 *edit: Got ahold of a Cisco guy. The command would be pix# config t pix(config)# timeout half-closed xxxxx Alfajor fucked around with this message at 19:12 on Oct 3, 2008 |
|
#
?
Oct 2, 2008 22:57
|
|
|
I'm trying to setup a ASA 5505 and I'm running into some issues. The quick rundown of our network structure is: T1 > Router/firewall supplied by ISP > Switches > Computers. Now, we have three IP's available to us, one is on the outside interface of the ISP's router/firewall, one is assigned to an IPRC card that is on the common network, and the third I am trying to use on the outside interface of the ASA. When I hook up the ASA to the common network with the outside on DHCP, it picks up an IP, and with the acl's I have setup I can access the internet. When I change the outside interface to the static IP, I can't get out to the internet. From the ASA I can ping my gateway, though. If I assign my computer on the same common network the IP info, I can get out on the internet just fine. What could be going on? I'm going to completely reset the ASA here in a minute and try this again, but, does anyone have any thoughts? I'm stumped. Edit: Nevermind, I hadn't set a default route to the outside. 
permanoob fucked around with this message at 21:01 on Oct 3, 2008 |
|
#
?
Oct 3, 2008 19:32
|
|
|
|
| # ? Apr 27, 2024 15:59 |
|
|
In the same vein as the previous post, I had an ASA 5505 preconfiged and shipped out to a remote site by a vendor. The device is responding to pings on its outside interface, the vpn back home is up, I can ssh in, I can talk to hosts on the inside of the ASA, however the ASA itself will not respond to my pings from its inside interface nor can I get into the ASDM. I can ssh into the outside interface but I am worthless once at the console. What should I be looking for?
|
|
#
?
Oct 4, 2008 00:50
|
|