dwarftosser
Sep 3, 2002

PLEASE LET ME SUCK YOUR COCK, BRETT!

The Fecal Jesus posted:

I'm having some trouble with my PIX501, v6.3(5). We have a pretty small office here where I work and we use the pix501 as an outside router.

It is a pretty simple config with the outside interface of the pix configured with our static IP from our ISP. The inside interface is 192.168.10.254, with our internal server that handles everything being 192.168.10.1

My problem is that we want people to be able to be remote clients using PPTP VPN dial-in. I have everything configured so a client from the outside can dial in and connect no problem. Dial-in users are given an IP from the pool of 192.168.5.10-192.168.5.25

The problem is, even though they can connect no problem, they can't go anywhere from there, cannot connect to our internal server(192.168.10.1) or anything.

I have tried a few things with access lists but I must be missing something easy I think.

Give your remote clients addresses on your same subnet instead of 192.168.5 addresses.

Also PIXs often have a lot of NAT-traversal issues, especially when you have clients behind a different PIX connecting into your PIX. If you add this command to your config it will resolve those issues.

code:
crypto isakmp nat-traversal 20


dwarftosser

Mierdaan posted:

Yeah - it didn't.

The PIX should be able to do the layer3 routing, so I'm trying to avoid hacking this together as much as possible.

The PIX is not a router. It will only forward traffic through it or deny traffic. It is impossible to redirect traffic out of a pix on the same port it comes in on.

dwarftosser

Mierdaan posted:

Can you provide some documentation to back this up? It is my understanding that you cannot send traffic back out over the same physical interface it came in on, but we're talking about logical interfaces when it comes to vlans - not physical.

It will forward to another logical interface. I should have read about your situation more closely.

Anyways, it looks like you have a 255.255.0.0 subnet on your internal interface. Is that intentional?

dwarftosser

XakEp posted:

1) How do you disable STP and why the hell would you do that? Wouldn't disabling it reduce your switch to a hub? What does a Cisco switch use instead of STP if STP isn't in use?

It's been a long time since I've disabled STP, but if I remember right you just add a "no span" command under the VLAN interface. The only reason I've ever had to do it was due to problems with network timeout incompatibilities between certain versions of Novell's Client32 and 3c90x NICs. It's been a LONG time since I've seen a similar problem to that (about 8-9 years ago).

quote:

Does this sound like bullshit to anyone else? I'm responsible for signing off on this report, and its not making a whole lot of sense.

It sounds reasonable to me, as long as he identified the source of the loop. A loop can take down a network pretty quick.

quote:

3) We've apparently had STP disabled for a long time now, why would we only just NOW suddenly develop a network loop that would take down our network?

Well, something would have had to change to cause a loop. Like connecting an extra switch or WAP that looped back to your network.

quote:

4) How is it possible that only one switch would be affected by a network loop?

If STP is disabled everywhere it would be odd that only one device was affected. Maybe you have one VLAN that is only on that switch and it isolated the flood? Hard to say.

dwarftosser

delslo posted:

I have 2 questions relating to my ASA5505 that I had posted earlier about getting.

1) Comcast gives me a DHCP public IP, they said they won't offer static to home users. Is there a way/trick/whatever to get port forwarding to work with a dynamic IP on the outside interface? I already have a dyndns.org hostname pointing to the correct IP (updating using the windows client). The guy who was helping me had no clue how to do it because he couldn't just plug the outside IP in. For two examples, I'd like to forward:
Port 3389 to 10.0.1.99
Port 22 to 10.0.1.22

2) I set up VPN using the wizard, installed the OS X client on my Macbook Pro, everything works GREAT. Split tunneling is very nice, 3DES is also nice, the whole thing connects very quickly and access to internal resources is nice and snappy. However, at one of my clients, I'm behind a Pix 515 firewall that has PPTP passthrough enabled and is the endpoint for a handful of site-to-site VPN connections. The issue is this: I can connect to my home VPN from behind the Pix, but I cannot access any resources (ping/RDC/shares/etc.). Any idea where the issue is or what needs to be fixed?

Thanks!

edit: I'd post my running config, but thanks to #2, I can't access the config from here.

1) Forward from the interface, like so:
code:
static (inside,outside) tcp interface 3389 10.0.1.99 3389 netmask 255.255.255.255
2) This is a nat traversal issue. Add this command to both the PIX and ASA.
code:
crypto isakmp nat-traversal 20

dwarftosser

Cidrick posted:

I'm working on a really old Pix that I'm having trouble figuring out. I have a device inside the network with a static IP which is making an outbound VPN connection to a data center using OpenVPN. It's a rather standard setup - T1 goes into Pix, Pix feeds switches which feed the internal network. The box making the VPN connection works fine - it connects and traffic routes all over the place just fine. However, the issue is with routing.

Here's the setup:

Pix: 192.168.41.1
VPN Box: 192.168.41.4
Remote Network: 192.168.208.x

Now, everything on the .41.x subnet has the Pix as its default gateway. I have set up routes on the Pix to point traffic to the .208.x subnet to use .41.4 as the gateway. The VPN box forwards all traffic to .208.x to go over the VPN interface. If I set up static routes on individual machines inside the .41.x subnet to use .41.4 as the gateway for all .208.x traffic, it works. Of course, this is a horrible way to do things and I want the Pix to handle it all.

The kicker is, I added the routes on the Pix to go to the .208.x subnet and it works just fine from the Pix. If I'm logged into the Pix I can ping anything on the .208.x subnet just fine. However, it doesn't seem to be properly routing traffic from anything on the inside network to use .41.4 as its gateway.

Here's the routes
code:
pix# sh route
        outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 OTHER static
        inside 192.168.41.0 255.255.255.0 192.168.41.1 1 CONNECT static
        inside 192.168.208.0 255.255.255.0 192.168.41.4 1 OTHER static
        outside xxx.xxx.xxx.xxx 255.255.255.248 xxx.xxx.xxx.xxx 1 CONNECT static
Do I need an access list or something? Is there a better way to go about this? I'd rather have the Pix handle the VPN but almost all our stuff uses Linux-based networking tools like Quagga and OpenVPN which would most likely be a nightmare to get it working on the Pix.

Thanks. I rather suck at Cisco stuff so this is probably a pretty easy question.

The PIX is not a router, it will only forward traffic through it or deny traffic on the same virtual interface. It is not possible to reroute traffic out of the same virtual interface on a PIX.

dwarftosser fucked around with this message at 17:40 on Aug 31, 2007

dwarftosser

Cidrick posted:

Crap.

Guess I'll have to figure out how to make the Pix the VPN endpoint then.

Yup, I found that out the hard way the first time I ever installed a Cisco VPN Concentrator. If you've got another device that can act as a router for your local network that might be the easiest solution, and then it can redirect traffic to the PIX or VPN from there.

dwarftosser

jwh posted:

Can you put the refurbished switch under smartnet? If so, it sounds like it would be fine.

You can for now, which makes it a great option. However I hear Cisco is going to limit what products you can and cannot get a smartnet on sometime in the near future to try to curb the massive explosion of Used / Refurbed dealers that seem to be around now.

dwarftosser

Tremblay posted:

For what its worth I've heard no talk of this.

Hopefully it's just speculation then, because I like buying used. :) I heard it from a friend I used to work with who is an SE3 in Cisco's DoD division while we were golfing a few weeks ago.

dwarftosser

jbusbysack posted:

Any opinions on ASA codebase 8.x versus 7.2.X? Lately the 7.2.X has been going nuts, but I'm not sure if the 8.X is stable enough for production usage.

We've been running 8.x for a little over a month, it's been stable for us. I like the 6.x ASDM a lot better, so I think it's worth the upgrade for that alone.

dwarftosser

casseopei posted:

Awesome! Thanks. From what I had read I kind of figured that was what was wrong, and I tried permit tcp any any gt 1023 established and it wouldn't work, but I just had to take established out of there. Rock on.

As an additional question, if (for example, whatever, it applies to everything)

permit tcp any any eq www

works, but

permit tcp any host 192.168.1.237 [that's the computer it's going to] eq www

doesn't work, what would you guess the issue is? In this example, I'm using

ip nat inside source static tcp 192.168.1.237 80 interface FastEthernet0/0 80

to get traffic to the computer.. am I doing something horribly wrong or just missing something?

Thank you again.

Your ACL needs to be for your outside address, not your inside.

ie, permit tcp any host <outside ip> eq www

Your NAT statement is already redirecting all your port 80 traffic to your internal address, so in your example there really is no functional or security difference between using the permit tcp any host or permit tcp any any command.
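A toy model of the packet path the two replies above describe, covering both the OpenVPN-box routing question (a packet whose route points back out the interface it arrived on is dropped) and this ACL/NAT question (the inbound ACL on the outside interface is evaluated before the static NAT rewrites the destination, so it must name the outside address). This is an added example written for this page, not Cisco software and not code from any poster. The addresses 203.0.113.10 and 198.51.100.7 are constructed documentation-range addresses standing in for the router's outside IP and an Internet client, and the `hairpin_allowed` flag is a stand-in for a capability the PIX in the thread does not have.

```python
"""Toy model of inbound ACL -> static NAT -> route lookup -> hairpin check.
Example code written for this page; not Cisco software. All addresses are
constructed test data."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ingress: str          # interface the packet arrived on


@dataclass(frozen=True)
class AclEntry:           # one line of "permit/deny <proto> <src> <dst> [eq <port>]"
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: str              # "any", a host address, or a CIDR
    dst: str
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class StaticNat:          # ip nat inside source static tcp <inside> <p> <outside> <p>
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching entry wins; no match is the implicit deny at the end."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


def translate_inbound(nats: list, pkt: Packet) -> Packet:
    """Outside-to-inside static NAT: rewrite the public destination to the inside host."""
    for n in nats:
        if (n.proto, n.outside_ip, n.outside_port) == (pkt.proto, pkt.dst, pkt.dport):
            return replace(pkt, dst=n.inside_ip, dport=n.inside_port)
    return pkt


def egress_interface(routes: list, dst: str) -> Optional[str]:
    """Longest-prefix match over (network, interface) pairs."""
    best = None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def forward(pkt: Packet, routes: list, acls: dict, nats: list, hairpin_allowed: bool = False):
    """Returns (verdict, detail). Order: inbound ACL, then NAT, then route, then hairpin check."""
    if pkt.ingress in acls and not acl_permits(acls[pkt.ingress], pkt):
        return ("deny", f"inbound ACL on {pkt.ingress} saw dst {pkt.dst}:{pkt.dport} pre-NAT")
    if pkt.ingress == "outside":
        pkt = translate_inbound(nats, pkt)
    egress = egress_interface(routes, pkt.dst)
    if egress is None:
        return ("drop", "no route")
    if egress == pkt.ingress and not hairpin_allowed:
        return ("drop", f"would have to leave via {egress}, the interface it arrived on")
    return ("forward", f"{pkt.dst}:{pkt.dport} via {egress}")


# Scenario 1: the ACL/NAT ordering question. 203.0.113.10 is a constructed stand-in
# for the router's outside address, 198.51.100.7 for a client on the Internet.
ROUTES_1 = [("0.0.0.0/0", "outside"), ("192.168.1.0/24", "inside")]
NATS_1 = [StaticNat("tcp", "192.168.1.237", 80, "203.0.113.10", 80)]
WEB_FROM_INTERNET = Packet("198.51.100.7", "203.0.113.10", "tcp", 80, "outside")


def acl_on_inside_address():
    acl = [AclEntry("permit", "tcp", "any", "192.168.1.237", 80)]   # what the poster tried
    return forward(WEB_FROM_INTERNET, ROUTES_1, {"outside": acl}, NATS_1)


def acl_on_outside_address():
    acl = [AclEntry("permit", "tcp", "any", "203.0.113.10", 80)]    # ACL names the outside IP
    return forward(WEB_FROM_INTERNET, ROUTES_1, {"outside": acl}, NATS_1)


# Scenario 2: the OpenVPN-box route from the PIX question. The next hop 192.168.41.4
# sits on the inside interface, so the packet would have to go back out the way it came.
ROUTES_2 = [("0.0.0.0/0", "outside"), ("192.168.41.0/24", "inside"), ("192.168.208.0/24", "inside")]
TO_REMOTE_LAN = Packet("192.168.41.20", "192.168.208.5", "tcp", 22, "inside")


def route_via_inside_host(hairpin_allowed: bool = False):
    return forward(TO_REMOTE_LAN, ROUTES_2, {}, [], hairpin_allowed)


if __name__ == "__main__":
    for fn in (acl_on_inside_address, acl_on_outside_address, route_via_inside_host):
        print(fn.__name__, fn())
```

Running the block prints the three verdicts: the ACL written against 192.168.1.237 denies the request because the check happens while the destination is still 203.0.113.10, the ACL written against the outside address permits it and the NAT then delivers it to 192.168.1.237:80, and the host-to-remote-LAN packet is dropped because its route points back out the inside interface unless the hairpin flag is set.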

dwarftosser

Richard Noggin posted:

I need to be able to have inbound access during a failover scenario. I don't know what they mean by "advanced networking skills", but in my mind, having the appropriate DNS entries, ACLs, and static NAT maps bound to the backup interface would provide what I'm looking for. Can anyone confirm/deny?

Well that depends; what they mean is when your first connection goes down you need some way to notify the outside world that they need to take a different route to get into your network. To do this seamlessly, you need to have your own ASN and have BGP properly configured.


dwarftosser

Richard Noggin posted:

Assume we just wanted mail - a lower priority MX record pointing to the backup interface would suffice then?

Sure will.
