Sadikhov IT Certification forums

meffisto

  1. Shawn,

    That's the reason why I wrote this:
    - Configure and verify NAT, dynamic routing, and switching on security appliances
    - Configure and verify application layer protocol inspection and modular policy for security appliances
    - Configure and verify secure connectivity using IPsec VPNs
    - Configure and verify secure connectivity using SSL VPNs
    - Configure and verify AIP-SSM and CSC-SSM modules

    I hope it's clear enough. BTW, I used the following material:
    ASDM 6.0 User Guide
    Cisco ASA 5500 Series Configuration Guide using the CLI 8.2
    You can find both of them on the Cisco web.
    CBT: Cisco Firewall Video Mentor

    The exam is focused mainly on modular policy & VPNs. There was only one question about NAT.
  2. Hi,

    Yes, I have passed SNAA today with 987/1000. Here are the sections (with my performance score):
    - Configure and verify NAT, dynamic routing, and switching on security appliances 100%
    - Configure and verify application layer protocol inspection and modular policy for security appliances 87%
    - Configure and verify secure connectivity using IPsec VPNs 100%
    - Configure and verify secure connectivity using SSL VPNs 100%
    - Configure and verify AIP-SSM and CSC-SSM modules 100%

    The exam isn't hard... it has one ASDM simlet with modular policy.
    One to go and I'm CCSP.
  3. I did not check the config, but maybe you can give some more info about how the issue was solved.
  4. meffisto

    SNAF vs SNPA - Opinions?

    Here is the URL: http://ieclass.internetworkexpert.com/p95047727/ @ 0:21:00, and listen.
  5. Hi, yes, you can do the "old" one. CCNA Security is equal to CCNA + SND, so don't worry.
  6. meffisto

    SNAF vs SNPA - Opinions?

    If you have passed the SNPA, I would recommend that you continue with the SNAA. I'm on the same path... I have passed SND, I got the SNPA exam this week and I plan to continue with SNRS, SNAA and IPS. After passing SNAF and SNAA you can get the Cisco ASA Specialist certificate, but I think CCSP should be enough.
  7. meffisto

    ASA and ISA

    With the 5510 you can have up to 25 VLANs (depends on license). Regarding the interface failover, you will be able to configure something similar to NIC teaming. Let's say you want to have the ISA on the outside, and the ISA will have two NICs connected to the "outside" of the ASA, directly or through some switch (does not matter). The commands on the ASA are:

    interface Redundant1
     member-interface Ethernet0
     member-interface Ethernet1
     nameif outside
     security-level 0

    With this you will create one new (virtual) interface with 2 redundant physical interfaces, and you can now use it in the ASA like any other physical interface (if one physical interface goes down, the other one will take over).

    And the ASA is just great for user authentication for HTTP/S access, as you can use the ASA cut-through proxy feature with some free RADIUS server. Your users will be on the inside, ISA on the outside... clients can have the IP and port of the ISA configured in a PAC file, or manually in the web browser as proxy. This is what you need to configure on the ASA from the authentication point of view:

    aaa-server MY_AUTHSERVER protocol radius
    aaa-server MY_AUTHSERVER host {IP_of_your_radius_server}
     key {optional_radius_server_to_client_authentication_key_string}
    access-list 100 extended permit tcp {your_client_accessing_internet_ip_mask} host {ip_of_isa_server} eq {port_on_which_isa_is_listening}
    aaa authentication match 100 inside MY_AUTHSERVER

    Note, you need to deny direct access to the internet on the ASA and permit access to the ISA for the users, and bind this access-list to the inside interface, as traffic from inside to outside is permitted on the ASA by default.

    BTW, I like the combination of ISA and ASA, or ASA + BlueCoat proxy, as it's a good solution. It could look like this at a high level
  8. meffisto

    AVAST 4 home edition ...suspicious icmp

    Thank you
  9. Hey guys,

    I have installed AVAST 4 home edition antivirus (downloaded from avast.com) some days ago, and I have noticed some suspicious behaviour. It looks like my machine is sending ICMP to some Avast-owned IPs (as per who.is). Here is what I have captured on my Cisco router:

    Oct 7 17:37:12.377: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.2 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:38:12.373: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.246.130 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:39:12.329: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.226 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:39:12.329: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 74.55.74.74 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:40:12.375: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.194 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:41:12.342: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.188.2 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:41:12.342: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.191.2 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:42:12.280: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.186.82 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:43:12.287: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 74.55.73.250 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:43:12.291: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.188.242 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:44:12.271: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.2 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:45:12.242: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.246.130 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:46:12.254: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.226 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:46:12.254: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 74.55.74.74 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:47:12.254: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.194 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:48:12.186: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.188.2 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:48:12.186: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.191.2 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:49:12.179: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.186.82 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:50:12.171: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 74.55.73.250 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:50:12.171: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.188.242 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:51:12.164: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.2 -> 85.216.217.23 (0/0), 1 packet
    Oct 7 17:52:12.157: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.246.130 -> 85.216.217.23 (0/0), 1 packet
    .Oct 7 17:53:11.908: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.226 -> 85.216.217.23 (0/0), 1 packet
    .Oct 7 17:53:11.908: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 74.55.74.74 -> 85.216.217.23 (0/0), 1 packet
    .Oct 7 17:54:11.904: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.194 -> 85.216.217.23 (0/0), 1 packet
    .Oct 7 17:55:11.900: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.188.2 -> 85.216.217.23 (0/0), 1 packet

    Those are ICMP replies; my machine is sending the requests. Is this normal? I don't think so... what is it then? Thanks
  10. meffisto

    Sdm Issues

    The subnetting is still not good, and that's also probably the reason why the data are not forwarded through the correct interface. Are you able to open telnet to 10.10.1.1 from the multilayer switch? I don't think it's possible.
  11. meffisto

    Cisco

    As far as I know, the ASA supports only dot1q trunks. What kind of problem do you mean? What kind of device is on the other side of the trunk?
  12. meffisto

    SMTP and POP3

    Should be:

    static (Inside,Outside) tcp 1.2.3.4 smtp 10.0.0.10 smtp netmask 255.255.255.255

    As long as you put the ACL on outside inbound, it's OK.
  13. meffisto

    Pix Problem

    Are you using PIX emulation or real hardware? If you are trying with GNS3, try a different version. If it's real HW, run 'logging enable', 'logging mon 7', 'debug icmp trace', 'term mon' just to see if the packets are getting to the PIX. Try the following commands in config mode:

    icmp permit any echo-reply outside
    icmp permit any echo outside
    icmp permit any echo inside
    icmp permit any echo-reply inside

    Also do a packet capture.
  14. meffisto

    Firewall Module On Cat6506

    Hi, try to include a NAT rule in your configuration.

    "how??? but I didn't need any NAT"

    No NAT control or NAT exemption; you need to tell the FWSM that. Even if you don't want to NAT, this node has to know that.
  15. meffisto

    10gbe Lan Test

    Hey guys, we are implementing something and we need to test the capacity of a 10 Gigabit Ethernet link in a non-live environment. How can we do this? We have got the idea to use a loop, as there is nothing on site at this moment that can generate such a huge amount of traffic. Do you have some ideas, or experience with something similar?
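Added example, not taken from any of the posts above: a small Python parser for the %SEC-6-IPACCESSLOGDP router log lines quoted in post 9. It decodes the ICMP type/code that IOS puts in the parentheses (so (0/0) reads as echo-reply, as the poster concluded) and reports, per source, how many packets were denied and how regularly they recur, which is the check a defender would run before deciding whether a pattern like this is expected reply traffic or something to investigate. The sample input is four lines copied from that post; the function and variable names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# IOS ACL log line as posted; IPACCESSLOGDP puts the ICMP type/code in the parentheses,
# so (0/0) is an echo-reply, which matches the poster's reading of the log.
LOG_RE = re.compile(
    r"^\.?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: %SEC-6-IPACCESSLOGDP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?$"
)
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}

# Sample input: four of the lines quoted in the post (the leading "." is an IOS timestamp marker).
SAMPLE = """\
Oct 7 17:37:12.377: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.2 -> 85.216.217.23 (0/0), 1 packet
Oct 7 17:38:12.373: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.246.130 -> 85.216.217.23 (0/0), 1 packet
Oct 7 17:44:12.271: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.2 -> 85.216.217.23 (0/0), 1 packet
.Oct 7 17:51:12.164: %SEC-6-IPACCESSLOGDP: list wan_in denied icmp 75.125.223.2 -> 85.216.217.23 (0/0), 1 packet
""".splitlines()

def parse_line(line):
    """Return a dict for one IPACCESSLOGDP line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        # IOS does not log the year; strptime defaults it to 1900, which is fine for gaps.
        "ts": datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S"),
        "acl": m["acl"], "action": m["action"], "src": m["src"], "dst": m["dst"],
        "icmp": ICMP_TYPES.get(int(m["type"]), f"type-{m['type']}/{m['code']}"),
        "count": int(m["count"]),
    }

def summarize(lines):
    """Per source: packet total, ICMP types seen, and median gap between hits (seconds)."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_src[rec["src"]].append(rec)
    out = {}
    for src, recs in by_src.items():
        ts = sorted(r["ts"] for r in recs)
        gaps = sorted((b - a).total_seconds() for a, b in zip(ts, ts[1:]))
        out[src] = {
            "packets": sum(r["count"] for r in recs),
            "icmp": sorted({r["icmp"] for r in recs}),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return out
```

Feeding the full log from the post through summarize() shows each source hitting the ACL at a fixed interval, which is the "is this periodic?" fact to weigh against the poster's question.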