  1. nuaythebest

    Need confirmation with GNS and RIP

    GNS3 does support VLANs via the NM module. I believe the problem is caused by L2. Please check "debug ip rip" and test the L2 connection between the SVIs.
  2. nuaythebest

    RPVST+ at CORE and PVST at Access Switch

    It would be better if you could use full 802.1w on all switches for STP, but 802.1w is backward compatible with PVST anyway. You can use features like Uplink Fast and Backbone Fast to speed up STP convergence for the 2950s, which run PVST+.
  3. nuaythebest

    Stub Areas problem

    A stub area should create an O IA (inter-area) route. If you get an O E2 default route, then it may come from: 1. redistribution, or 2. the default-information originate [always] command.
  4. nuaythebest

    update-source in bgp

    Because by default, a Cisco router uses the IP address of the outgoing interface for the IP that you specify in neighbor x.x.x.x remote-as yy. So let's say that you have >2 links for redundancy to your BGP peer, but when the outgoing interface goes down, your BGP peer also goes down even with a redundant link. So in order to solve the problem, Cisco suggests you use a loopback interface as the peer neighbor and source. A loopback interface never goes down, so as long as you have a redundant link and a routing protocol running, your BGP peer will never be torn down.
  5. nuaythebest

    CCIE Number

    It's like your own signature, which I think is kinda cool, due to the low number of people who are certified. The reason they won't do it for CCNP is that there are a lot who pass using just dumps. Unless you want something like CCNP #543210, which I doubt you do.
  6. nuaythebest

    Has anyone

    Well, unless you are really lucky (which I doubt), you won't pass the CCIE lab exam with just dumps alone. I suggest you start from the basics, reading books such as TCP/IP Vol1-2, CCIE Office exam Certificate PDF, etc. Then you practice on the real thing, maybe with rack rental. People expect you to be a really good and skilled engineer if you hold a CCIE cert; don't let them down by knowing nothing except what the dumps told you.
  7. nuaythebest

    RIPng redistribute connected

    Sorry, could you clarify your question a bit more? Like what do you want, and why do you think something went wrong?
  8. nuaythebest

    sham-link issue

    I think you have a problem with a recursive loop. You should never permit the sham-link loopback IP in OSPF, only in BGP (and in the correct VRF).
  9. I have set up a site-to-site VPN between two ASA5510s and it works just fine. If the other side's interface is down, the VPN session will die, which is normal. The problem arises when the interface comes up: the VPN session sometimes cannot complete ISAKMP exchange phase 2, even though the computer behind the ASA initiates traffic to the other side. I have to reboot one of the ASAs in order to solve the problem. When I debug ISAKMP it gives me this error message: Group = DefaultRAGroup, IP = xx, Error: Unable to remove PeerTblEntry Group = DefaultRAGroup, IP = xx , Removing peer from peer table failed, no match! And as I said before, sometimes it works (the tunnel is automatically renegotiated and the VPN session is established) and sometimes it doesn't. Thank you for every answer.
  10. Hello again everyone. I have more questions regarding site-to-site VPN with the ASA.

    1. My company wants me to set up a site-to-site VPN with the ASA. I have tested it in my own lab and it works fine. However, there is a problem with this type of VPN: it will initiate the tunnel if it finds an IP address that matches the ACL. Unfortunately, my company has many internal servers that require an internal DNS server to resolve their names into IP addresses, such as server01, hqserver02, etc. (about 100-150). The problem is that the branch sites use their own internet connections and they can't resolve these internal server IP addresses by themselves. How could I fix this problem without putting a duplicate internal DNS server at every branch site?

    2. I have already set the AAA mode for my ASA and it is working fine with the TACACS+ server (Cisco ACS). The only problem is that after I log in with my username and password, it won't give me a privileged mode prompt (ASA#) but instead gives me a user mode command prompt (ASA>). I believe I configured the ACS correctly because I can log in to my 2821 router with a # command prompt. Here is what I have done so far with the ASA AAA mode.

       - aaa authentication ssh console tacac+name LOCAL (This command works fine)
       - aaa authorization ssh exec authentication-server (This command didn't work; it still gives me the user mode prompt (ASA>) every time I log in)
       - I did check the box "exec shell prompt" in the Cisco ACS
       - My 2821 router uses the same TACACS+ and ACS; however, it gives me a correct exec prompt (Router2821#).

    Thank you for every answer.
  11. I just added the command *access-list name permit icmp any interface outside* and it works just fine!! It's like what billy said: I need to set the ACL for the inbound direction of the outside interface to allow ping echo replies.
  12. The problem has been solved, thank you everyone.
  13. Hello everyone, my company has just bought an ASA 5505 recently. I have been given an order to set up this ASA 5505, and this is what my network looks like: Core Network <-> ASA 5505 <-> Gateway Router (Cisco 2514). Core Network to ASA 5505 use the network ASA 5505 to Gateway use the network It seems to be pretty simple; however, when I tried to ping the outside interface ( and from an inside interface network (, it failed, and vice versa. I was quite confused because the inside interface (security level 100) should have no restriction when it tries to connect to the outside interface (security level 0). PS. I can ping from any pc in network but can not ping network . My gateway router can ping but can not ping Here is my configuration.
  14. I had a chance to use a lot of Cisco equipment during my master's degree at university, especially the Cisco ASA, and I am not the type with totally no experience who just reads dumps. I guess you didn't read my post closely enough, since I clearly said that my job is good (working with the number one and biggest oil company in my country, and they are bigger than Exxon in my country). My problem is that I want to be a CCIE secu. and I don't think that this company will support me in that. That's why I came here and asked you guys. And the last thing: why can't I take a CCSP exam if I feel that I gained enough knowledge during my master's degree studies?
  15. Hi there everyone, I am a fresh graduate with a master's degree in computer engineering - work experience = 0. I have a CCNA, CCSP and Security+. I always set my goal to become a CCIE secu. and work with a Cisco partner company. However, 3 months after graduating I couldn't find any good network job with a Cisco partner company. One day I got a call from an oil company which is one of the biggest companies in my country, and they offered me a security assessment/audit position. Everything seems to be OK, especially the salary they gave me. The problem is that I don't have a chance to work with the network equipment at all and the work is so fuc... boring. Should I find another company that lets me work with real Cisco equipment, or should I wait for 1-2 years? I am so confused right now. Thank you in advance to anyone who answers this.