gerg

Members - Rank: Advanced Member
Content count: 326
Community Reputation: -2 Poor

About gerg
  1. I am not sure if I explained it well enough. I have ICMP open on the outside of an ASA firewall, so the outside interface is pingable from the internet. I want to disable this but am afraid I will kill some tunnels, or they won't come up again, because of the PMTUD story I read. Does this make any sense?
  2. Is blocking ICMP in its entirety on an outside interface of an IPsec firewall really a problem these days, with regards to IPsec and overhead on MTU sizes? PMTUD is standard on in the newest code these days, or? I'm looking for whether IPsec sessions will be blocked if I block all ICMP on the outside interface.
  3. Same case with ASA ICMP rules: the outside interface is not pingable, also no rules to allow ping, and implicit deny at the end, but I can still ping it. Where do I need to change this?
  4. I have a PIX 515E with an outside interface, and I can ping this address from the internet, strangely enough. I thought it was default behavior to block this anyway. My outside interface has a few rules to a webserver, then a deny any any ip below that, and then the implicit deny. Still, pings get through. What gives? Under ICMP rules I have nothing, but still, I thought it was default behavior to block access from outside. I'm running 7.2(4). Of course I can build an ACL, but I feel like I'm missing something in the configuration somewhere.
  5. Thanks guys. I suppose I can still go for the 4.0 blueprint with 2x3550, as the labs/workbooks are based on 2x3550 and 2x3560. Thanks for the input. Curious if my employer will report back on whether I can buy this shit.
  6. Wow, I see, the UK offers way cheaper prices! 3550s can be found here for a pretty low price if I shop around; the 3560 is a little higher. Thanks, I didn't want to buy the PoE version anyway. And of course I meant this one: Cisco Catalyst WS-C3550-24-SMI 24x 10/100 + 2 GBIC ports: SMI - 199 euro, with regards to the EMI image, instead of the 3750. Thanks for your time.
  7. Can this sucker be converted to the E image as well with just an enhanced IOS? Cisco WS-C3750-24TS-S 24 port 10/100 + 4x SFP
  8. Will these models do?
     Cisco WS-C3550-24PWR-SMI 24x 10/100B-TX 2x GBIC - 229 euro
     Cisco Catalyst WS-C3550-24-SMI 24x 10/100 + 2 GBIC ports: SMI - 199 euro
     Cisco WS-C3550-12G Catalyst 12x 10/100/1000 10xGBIC/2xTX - 449 euro
     Cisco WS-C3750-24TS-S 24 port 10/100 + 4x SFP - 599 euro
  9. Netherlands. What about the 3550 EMI, still valid?
  10. Hey guys, for the lab setup I need 4 switches. Will 2x3550 and 2x3560 still suffice? If so, what models of these do I need specifically? I wanna start with the 3550s and build a lab; I think I might get enough funding from my employer to get at least one 3550 to start. What's the difference between the 3550 and 3560 in capabilities, specifically for the CCIE lab? What price am I looking at? I might get a quote at a seller who sells refurbished material with a one year guarantee on it. Thanks.
  11. Solved. With my prefix list I was actually allowing advertising of the 30 network with a /28 subnet mask, with no le 32, but the 30 network prefix was actually a /29, so there was no match on my prefix list. I was banging my head on why it didn't get advertised to the provider. I now use the network command with the mask under the BGP configuration to advertise it to the provider, with the correct prefix list. Since the routes are in R1's routing table as OSPF E2 routes, it is advertised out via the BGP network command.
  12. Router R1 is running BGP and OSPF. R1 gets a route to the 30 network via OSPF (which was originated on R2 and R3 by "ip route vrf vrfname 30.0.10.0 255.255.255.248 60.0.0.1" and then redistributed within OSPF to R1 via "redistribute static subnets"). On R1 I see this route in the routing table as an E2 route. I want to redistribute this route into BGP on R1, so the customers behind the service provider can reach the 30 network. Redistribution into BGP though isn't working: not via the network command, not via "redistribute ospf vrf vrfname match external 2", not via a route map. I have now created "ip route vrf vrfname 30.0.10.0 255.255.255.248 null0" and did a "redistribute static" under the BGP process on R1 to advertise this network to my provider. At first the E2 route existed and remained in the routing table; now it is gone and "overwritten" by this static route. So in essence, the provider can send packets for the 30 network to my router R1, but since I don't have an ACTUAL route anymore to the 30 network, I cannot reach R2 and R3. Anyone got a bright idea?
  13. If you made a VPN tunnel with the wizard, do you NEED firewall rules on the security policy tab? As the IPsec section says protected traffic from this to that network, if you do NOTHING on the security policy tab, i.e. making access rules for this VPN, will it still be protected?
  14. Can someone please explain how this works on FWSM? When using NAT you have a static mapping. With xlates, how does this work if the address remains the same on local and global? Can I clear the xlate for a single host, and how do I know when to use global and local statements, and what's the difference between a connection and an xlate? Confusing.
  15. On a subinterface I wanna put an ACL to match packets to see if they enter the router; before the router there is a firewall. I see they enter the router if I apply this ACL:

      int g0/0.123
       ip access-group TEST_MATCH in
      ip access-list extended TEST_MATCH
       permit ip host 1.2.3.4 host 2.3.4.5 log
       permit ip any any

      As you can see I applied this to the inbound direction on the subinterface; as traffic from the firewall enters this interface I do see a match in the logging for host 1.2.3.4, so that's good. But, if I apply this ACL in the inbound direction, am I actually denying outgoing traffic on this interface (back to the firewall)? And do I need to make another ACL which permits ip any any and apply this to the same interface in the direction OUT? I don't think so, but I was kinda concerned as I didn't see traffic back in the firewall further down the path.