|
The Fecal Jesus posted:I'm having some trouble with my PIX501, v6.3(5). We have a pretty small office here where I work and we use the PIX501 as an outside router.

Give your remote clients addresses on your same subnet instead of 192.168.5 addresses. Also PIXs often have a lot of NAT-traversal issues, especially when you have clients behind a different PIX connecting into your PIX. If you add this command to your config it will resolve those issues. code:
|
# ¿ May 10, 2007 23:41 |
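The command the reply refers to is not preserved on this page. As an added example (not the poster's own config), this is how a PIX 6.3 remote-access VPN looks with NAT traversal turned on and the client pool carved out of the inside subnet, which is the arrangement the reply recommends. The inside network 192.168.1.0/24, the pool range, the DNS server, the group name and the key are all assumed; the "!" lines are annotations.

```cisco
! PIX 6.3 remote-access VPN fragment (added example, assumed addresses).
! Inside LAN is 192.168.1.0/24; clients get 192.168.1.200-220 from that same subnet.
ip local pool vpnpool 192.168.1.200-192.168.1.220
!
! Keep LAN <-> pool traffic out of NAT (the pool sits inside 192.168.1.192/26).
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.224
nat (inside) 0 access-list nonat
!
! Phase 1. AES needs the 3DES/AES licence on 6.3; use 3des if it is absent.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! NAT-T: encapsulate ESP in UDP/4500 when a NAT device (for example another PIX)
! sits between the client and this PIX, with a keepalive every 20 seconds so the
! NAT mapping on the far side does not expire.
isakmp nat-traversal 20
!
! Phase 2 and a dynamic map that accepts any remote client address.
crypto ipsec transform-set remote-ts esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set remote-ts
crypto map outside_map 20 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address respond
! Per-user XAUTH on top of the shared group key (users defined with "username").
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
!
! The group the Cisco VPN client connects to; "password" is the group pre-shared key.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 192.168.1.5
vpngroup remoteusers default-domain office.example
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password ChangeMeGroupKey
!
! Decrypted VPN traffic bypasses the outside ACL, so the nonat scope and host
! firewalls are what limits what a connected client can reach.
sysopt connection permit-ipsec
```

Exclude the pool range from the inside DHCP scope, since the PIX hands those addresses out itself. After a client connects, ping its pool address from an inside host: if that fails, the PIX is not answering ARP for the pool on the inside interface and you need a pool outside the LAN subnet with a route to it instead. The group pre-shared key is shared by every client, which is why the XAUTH line is there; without it, anyone with the key and the group name is a valid user.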
|
Mierdaan posted:Yeah - it didn't.

The PIX is not a router. It will only forward traffic through it or deny traffic. It is impossible to redirect traffic out of a PIX on the same port it comes in on.
|
# ¿ Jul 5, 2007 19:30 |
|
Mierdaan posted:Can you provide some documentation to back this up? It is my understanding that you cannot send traffic back out over the same physical interface it came in on, but we're talking about logical interfaces when it comes to VLANs - not physical.

It will forward to another logical interface. I should have read about your situation more closely. Anyway, it looks like you have a 255.255.0.0 subnet on your internal interface. Is that intentional?
|
# ¿ Jul 5, 2007 19:48 |
|
XakEp posted:1) How do you disable STP and why the hell would you do that? Wouldn't disabling it reduce your switch to a hub? What does a Cisco switch use instead of STP if STP isn't in use?

It's been a long time since I've disabled STP, but if I remember right you just add a "no span" command under the VLAN interface. The only reason I've ever had to do it was due to problems with network timeout incompatibilities with certain versions of Novell's client32 and 3c90x NICs. It's been a LONG time since I've seen a similar problem to that (about 8-9 years ago).

quote:Does this sound like bullshit to anyone else? I'm responsible for signing off on this report, and it's not making a whole lot of sense.

It sounds reasonable to me, as long as he identified the source of the loop. A loop can take down a network pretty quick.

quote:3) We've apparently had STP disabled for a long time now, why would we only just NOW suddenly develop a network loop that would take down our network?

Well, something would have had to change to cause a loop. Like connecting an extra switch or WAP that looped back to your network.

quote:4) How is it possible that only one switch would be affected by a network loop? If STP is disabled everywhere it would be odd that only one device was affected.

Maybe you have one VLAN that is only on that switch and it isolated the flood? Hard to say.
|
# ¿ Aug 1, 2007 19:45 |
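An added example, not from either poster: the same thing on a Catalyst running IOS (the "no span" the reply recalls is the CatOS-era form, "set spantree disable <vlan>"). The VLAN number and port range are assumed. It shows the per-VLAN disable the report describes, how to turn STP back on, the verification, and the guards that stop one extra switch or WAP from taking the segment down again.

```cisco
! Catalyst IOS (added example; VLAN 10 and ports Fa0/1-24 are assumed).
! What the report describes: STP off for the VLAN. Any redundant link is now a loop.
no spanning-tree vlan 10
!
! Put it back.
spanning-tree vlan 10
!
! Verify: expect a root bridge and, on any redundant path, one port in BLK.
show spanning-tree vlan 10
!
! Guards for the "why now?" case, an unmanaged switch or WAP cabled back into
! the access layer. BPDU guard err-disables an edge port that receives a BPDU;
! loop guard keeps a port blocked when BPDUs stop arriving instead of unblocking it.
spanning-tree portfast bpduguard default
spanning-tree loopguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface range FastEthernet0/1 - 24
 spanning-tree portfast
 storm-control broadcast level 1.00
 storm-control action shutdown
!
! When only one switch seems affected, look for a MAC address flapping between
! two of its ports: that is the signature of a loop confined to a VLAN that
! exists only on that switch.
show mac address-table
show logging | include MACFLAP
```

The storm-control line is the safety net for the case the reply does not cover: with STP disabled, a loop floods broadcasts at line rate, and capping them at 1 percent of the link (and shutting the port) bounds the damage until someone finds the cable.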
|
delslo posted:I have 2 questions relating to my ASA5505 that I had posted earlier about getting. 1) Forward from the interface, like so: code:
code:
|
# ¿ Aug 13, 2007 15:41 |
|
Cidrick posted:I'm working on a really old Pix that I'm having trouble figuring out. I have a device inside the network with a static IP which is making an outbound VPN connection to a data center using OpenVPN. It's a rather standard setup - T1 goes into Pix, Pix feeds switches which feed the internal network. The box making the VPN connection works fine - it connects and traffic routes all over the place just fine. However, the issue is with routing.

The PIX is not a router; it will only forward traffic through it or deny traffic on the same virtual interface. It is not possible to reroute traffic out of the same virtual interface on a PIX.

dwarftosser fucked around with this message at 17:40 on Aug 31, 2007
# ¿ Aug 31, 2007 17:34 |
|
Cidrick posted:Crap.

Yup, I found that out the hard way the first time I ever installed a Cisco VPN Concentrator. If you've got another device that can act as a router for your local network that might be the easiest solution, and then it can redirect traffic to the PIX or VPN from there.
|
# ¿ Aug 31, 2007 17:47 |
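An added example of the workaround the last two replies describe (not from the posters): a small IOS router on the LAN becomes the hosts' default gateway, sends the data-centre prefix to the OpenVPN box and everything else to the PIX. The PIX inside address, the OpenVPN host, the router address and the data-centre prefix are all assumed.

```cisco
! Internal IOS router (added example; every address below is assumed).
!   PIX inside interface : 192.168.1.1
!   OpenVPN host         : 192.168.1.10, tunnel to data centre 10.50.0.0/16
!   this router          : 192.168.1.254, the default gateway for LAN hosts
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ! do not tell hosts to go to 192.168.1.10 directly; keep the path deterministic
 no ip redirects
!
! Everything else goes to the PIX, exactly as before.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! Data-centre traffic goes to the OpenVPN box, which forwards it into the tunnel.
ip route 10.50.0.0 255.255.0.0 192.168.1.10
```

The OpenVPN host needs IP forwarding enabled and its own default gateway still pointing at the PIX, so that the tunnel itself keeps working; replies from the data centre leave the tunnel on that host and go straight to the LAN client, which a plain router does not mind. PIX/ASA 7.0 and later can be told to turn traffic around on one interface with "same-security-traffic permit intra-interface" plus a static route, but the reply path is then asymmetric across a stateful firewall, which is why a separate router is the cleaner answer on a network this size.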
|
jwh posted:Can you put the refurbished switch under SmartNet? If so, it sounds like it would be fine.

You can for now, which makes it a great option. However, I hear Cisco is going to limit what products you can and cannot get a SmartNet on sometime in the near future to try to curb the massive explosion of used/refurbished dealers that seem to be around now.
|
# ¿ Sep 28, 2007 18:14 |
|
Tremblay posted:For what it's worth, I've heard no talk of this.

Hopefully it's just speculation then, because I like buying used. I heard it from a friend I used to work with who is an SE3 in Cisco's DoD division while we were golfing a few weeks ago.
|
# ¿ Sep 28, 2007 18:43 |
|
jbusbysack posted:Any opinions on ASA codebase 8.x versus 7.2.X? Lately the 7.2.X has been going nuts, but I'm not sure if the 8.X is stable enough for production usage.

We've been running 8.x for a little over a month; it's been stable for us. I like the 6.x ASDM a lot better, so I think it's worth the upgrade for that alone.
|
# ¿ Oct 9, 2007 04:13 |
|
casseopei posted:Awesome! Thanks. From what I had read I kind of figured that was what was wrong, and I tried permit tcp any any gt 1023 established and it wouldn't work, but I just had to take established out of there. Rock on.

Your ACL needs to be for your outside address, not your inside, i.e. permit tcp any host <outside ip> eq www. Your NAT statement is already redirecting all your port 80 traffic to your internal address, so in your example there really is no functional or security difference between using the permit tcp any host or permit tcp any any command.
|
# ¿ Oct 19, 2007 17:39 |
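An added example of the arrangement this reply describes, which is also the "forward from the interface" case delslo asked about for the ASA 5505 earlier in the thread (that post's own code did not survive on this page). It is not the posters' configuration: the outside address 203.0.113.10, the web server 192.168.1.10 and the ACL name are assumed, and the syntax is PIX 6.3 / ASA up to 8.2, where the interface ACL is matched against the translated (outside) address.

```cisco
! PIX 6.3 port forward for HTTP (added example, assumed addresses).
! Translate only TCP/80 of the outside address to the inside web server.
static (inside,outside) tcp 203.0.113.10 www 192.168.1.10 www netmask 255.255.255.255
!
! The ACL names the outside address, because that is what the packet carries
! when the outside ACL is evaluated; "permit tcp any host 192.168.1.10" never matches.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
!
! Nothing like "permit tcp any any gt 1023" is needed: replies to connections
! the server opens itself are admitted by the connection table, not by the ACL.
!
! Checks: hit counts on the rule, and the translation entry once a client connects.
show access-list outside_in
show xlate
```

The tight form matters more than the reply suggests once the box has more than one public address or more than one static: "permit tcp any any eq www" admits port 80 to every translated host, while "permit tcp any host 203.0.113.10 eq www" admits it to one. On ASA 8.3 and later the interface ACL is matched against the real (inside) address instead, so the same rule there reads "permit tcp any host 192.168.1.10 eq www".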
|
Richard Noggin posted:I need to be able to have inbound access during a failover scenario. I don't know what they mean by "advanced networking skills", but in my mind, having the appropriate DNS entries, ACLs, and static NAT maps bound to the backup interface would provide what I'm looking for. Can anyone confirm/deny?

Well, that depends. What they mean is when your first connection goes down you need some way to notify the outside world that they need to take a different route to get into your network. To do this seamlessly, you need to have your own ASN and have BGP properly configured.
|
# ¿ Oct 22, 2007 19:05 |
|
Richard Noggin posted:Assume we just wanted mail - a lower-priority MX record pointing to the backup interface would suffice then?

Sure will.
|
# ¿ Oct 23, 2007 16:31 |
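An added example of the mail-only case the last two posts settle on (not the posters' configuration): a PIX/ASA with a second ISP on an interface named "backup", the mail server published on both public addresses, and the DNS side as two MX records. The interface name, the addresses 203.0.113.25 and 198.51.100.25 and the server 192.168.1.25 are assumed.

```cisco
! Primary ISP on "outside" and backup ISP on "backup" (added example, assumed names
! and addresses). Mail server 192.168.1.25 is reachable through either interface.
!
! Primary side: MX 10 mail.example.com -> 203.0.113.25
static (inside,outside) tcp 203.0.113.25 smtp 192.168.1.25 smtp netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside
!
! Backup side: MX 20 mail2.example.com -> 198.51.100.25
! Same server, same port, separate static and separate inbound ACL on the backup interface.
static (inside,backup) tcp 198.51.100.25 smtp 192.168.1.25 smtp netmask 255.255.255.255
access-list backup_in permit tcp any host 198.51.100.25 eq smtp
access-group backup_in in interface backup
```

Sending MTAs fall through to the MX 20 host on their own when the MX 10 address stops answering, which is what makes mail the one service where "DNS plus statics" really does replace BGP. The caveat is outbound: the server's own deliveries still follow the default route, so with the primary link down it receives but cannot send unless the firewall also fails the default route over (on ASA 7.2 and later, a tracked static route with "sla monitor" and "track"); publish only the ports you actually need on the backup address, since it is a second, usually less watched, way in.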