Jump to content
Sadikhov IT Certification forums

Yorel

Technical Experts
  • Content Count

    428
  • Joined

  • Last visited

  • Days Won

    6

Yorel last won the day on July 3 2012

Yorel had the most liked content!

Community Reputation

4 Neutral

About Yorel

  • Rank
    PIX/ASA/FWSM
  • Birthday 07/14/1977

Profile Information

  • Gender
    Male
  • Location
    Madrid
  1. Hello The answer is yes, the packet will arrive to Production interface because the destination packet is in that network. The source of the packet, when reaches the final equipment, will be either 192.168.3.x or 172.20.x.x. Regards
  2. Yorel

    A big change happening in my life

    Congrats Lethe!!!! I could guarantee you the moment you carry your baby in your arms for the first time will be absolutely amazing Cheers!!!
  3. Yorel

    problem in asa 5540

    Try packet-tracer input in order to simulate a packet from the LAN to internet, so you will know if ASA is droping the connection or not. See this link: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
  4. Yorel

    problem in asa 5540

    Hello The only traffic you allow from the LAN to outside is ping to outside interface, because of it the users cannot access internet. By the other hand, asa drops any icmp that go through itself. PCs only can do ping to inside interface, neither osutide nor dmz or other interface. Finally, you will need to do nat on asa if the router doesnt. Regards
  5. Hello! Yes, the command nat (inside) 0 ... is used for traffic you don't want to do nat. It's commonly used for VPN traffic and you don't need a global statment. The nat (inside) 1 command will do nat to the traffic and must match with a global command with the same id (global (outside) 1 interface). The name ouside_access_in is just a name to identify an access-list. When you create access-lists via ASDM, the appliance assigns this name automatically. In order to take effect in the interface you have to configure an access-group command on it. And you're right, that traffic refers to the packets from the outside to your network. Regards!
  6. Hello Nokia appliances are differents to CheckPoint machines. On Nokia you use IPSO as OS and, after you install the CheckPoint packager (R75 or whatever). On Nokia you have VRRP in order to configure the cluster, to access to IPSO section you must use the clish command and you can enter commands like 'show interfaces all', 'show asset hardware'. Summarizing, Nokia appliances have IPSO instead SPLAT, and Voyager is the WebUI to configure many options of the appliances. Regards!
  7. Yorel

    Can't ping pc from Pix 515

    Maybe firewall of Windows is blocking the ping?, all looks like well...
  8. Yorel

    Checkpoint

    Hello: Go to SmartDashboard and double-click on the firewall, Log and Masters->Log Servers. There you configure the Log Server that usually is your Security Management Server. Moreover, is highly recommended you configure a switchover of the logs everyday in Log and Masters section, 'Schedule log switch to' option. Regards!
  9. Yorel

    relation between 3 local network in CCNA

    I think no much people have CCNA Network Visualizer application. I recommend you to do a scheme in .jpg or bmp. From this way many of us could help you. Regards
  10. Yorel

    Fortigate 60B cannot connect to TFTP Server

    I think the problem is with TFTP server. On it, go File->Configure and enable the option "Rename existing files on conflict" on General Tab. Regards
  11. Yorel

    asa upgrade

    I recommend you to check out this useful document: http://www.cisco.com.../migrating.html By the way, take a look to this, it's possible you have to upgrade your memory before upgrading: http://www.cisco.com...4.html#wp321918 Regards
  12. Yorel

    DMZ to Inside traffic

    The document is OK, the reason is why the inside server has nat in order to the DMZ servers don't know its real IP address. The inside server (172.20.1.5) will be the IP 192.168.2.20. "This mapped address is an address that DMZ hosts can use to access the server on the inside without the need to know the real address of the server. This command maps the DMZ address 192.168.2.20 to the real inside address 172.20.1.5". Regards
  13. Yorel

    Global static rules

    Hello: Most important on this type of configuration is the ID of nat y global, that's the way the appliance could link them. Take a look to nat with ID 5: nat (inside) 5 172.16.0.5 255.255.255.255 Global (outside) 5 99.186.148.9 It means when the IP 172.16.0.5 starts traffic and that packet exits for the outside interface, the appliance will perform a source NAT to 99.186.148.9 The second NAT: nat (inside) 10 172.16.0.0 255.255.255.0 nat (inside) 10 172.17.0.0 255.255.255.0 Global (outside) 10 intreface It means all packets coming from that two networks with destination outside interface, the appliance will do a source NAT to outside's appliance interface. The statement left: nat (inside) 0 access-list no-nat_inside When you configure a nat 0 command means no nat will be done to that traffic. In this case to the traffic that belongs to the access-list called no-nat_inside. It's commonly used for VPN traffic. In summary, you need an number on nat command that will link with the global command with the same number (ID). You might configure several nat commands with the same number or a nat command with several global with the same number. Regards!
  14. Yorel

    Intra Interface Communication ASA - Help

    Hi! RPF-check means the appliance hasn't a route back for a specified host/network. As I can see in your configuration, I think you made a mistake with your defautl gateway, the appliance cannot reach it because that IP is not inside from the outside range. Outside interface: 210.210.210.1/24 Default Gateway: 200.200.200.2 I think that's the problem... Regards!
  15. Yorel

    telnet to router

    Hi: I also recommend you to use SSH instead of telnet because it's a very insecure protocol cause the password "travels" in plain text in the network. Remember you have to create a RSA key pair in order to use SSH, the command is: #crypto key generate rsa modulus modulus_size (1024 is a good size) After you have to enable the IP's are allowed to do SSH to the appliance: # ssh IP_address mask interface Regards!
×