About TonyZ
  1. Hi: Can someone explain the difference between having a route-map statement in different places of an ip nat command?

       ip nat inside source route-map mymap interface fa0/0 overload

     I know that the above will NAT packets that have a match in the route-map. But what about this statement?

       ip nat inside source static route-map mymap

     What does the route-map at the end of an ip nat statement do? Thanks, Tony
  2. Hi: I have a question about key length. When I type R1#show crypto key mypubkey rsa, I see something like this:

       Key Data:
         20819F3A 0D06092A 964886F7 0D010101 05070381 8D043081 89027181 00CB59B8
         BA3A4A3B 56F965ED 26324D31 1135399E C420F061 158E31AF D6AEDEEA 2E4057AD
         DE7AEE90 9D0D5AE0 E771215A 240D2872 79284C60 27858B41 552DEA7F F3FECF77
         34812ECD D56037FE F7DB7EA5 97C9AC90 6C023C0E E55FEBD0 EDEDA741 048A88D0
         8866615E 446F4F01 11D808FD 163F7B23 F51336AE F32136A0 7B1B46E5 57020301
         0001

     How do I tell what key length is in use? I believe that each group is 32 bits. I see 8 groups across and 5 down. 32 X 8 X 5 = 1280, which does not seem like a common key length. Is the last 0001 part of the key? That would add an additional 16 bits, which still doesn't make sense. Thanks for your help. Thanks, Tony
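Added example, not the poster's code and not IOS output: the "Key Data" block that show crypto key mypubkey rsa prints is a DER-encoded SubjectPublicKeyInfo, so counting 32-bit groups measures the whole encoding (tag and length bytes, the rsaEncryption OID and the public exponent, which is the trailing 01 00 01 in the post) rather than the modulus. The script below builds such a blob from a constructed 1024-bit modulus (not a real router key), prints it in the IOS layout, and then parses it back to report the modulus size; dump_bits shows what group counting gives, rsa_key_info shows the actual key size.

```python
"""Work out an RSA key's size from the hex dump that 'show crypto key
mypubkey rsa' prints. Added example, not the poster's code. The dump is
a DER-encoded SubjectPublicKeyInfo, so the 32-bit groups include tag and
length bytes, the rsaEncryption OID and the public exponent; only the
modulus INTEGER decides the key length. The sample key below is
constructed for the demonstration and is not a real router key."""

def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one tag-length-value (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value

def _der_integer(v: int) -> bytes:
    """DER INTEGER: big-endian, with a leading 0x00 if the top bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _tlv(0x02, b)

def build_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo (the structure IOS displays)."""
    rsa_oid = bytes.fromhex("06092A864886F70D010101")     # OID 1.2.840.113549.1.1.1 (rsaEncryption)
    algorithm = _tlv(0x30, rsa_oid + b"\x05\x00")          # AlgorithmIdentifier with NULL parameters
    rsa_public_key = _tlv(0x30, _der_integer(modulus) + _der_integer(exponent))
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))

def format_like_ios(der: bytes, per_line: int = 8) -> str:
    """Render bytes as the 8-hex-digit groups, 8 per line, that IOS prints."""
    h = der.hex().upper()
    groups = [h[i:i + 8] for i in range(0, len(h), 8)]
    return "\n".join(" ".join(groups[i:i + per_line]) for i in range(0, len(groups), per_line))

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER element at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_info(hex_dump: str):
    """Return (modulus bits, public exponent) parsed from an IOS-style hex dump."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    _, _alg, pos = _read_tlv(spki, 0)                      # AlgorithmIdentifier, skipped
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)    # drop the unused-bits byte
    tag, modulus, pos = _read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    _, exponent, _ = _read_tlv(rsa_public_key, pos)
    # int.from_bytes discards the leading 0x00 sign byte, so bit_length() is the key size
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")

def dump_bits(hex_dump: str) -> int:
    """Size of the whole dump in bits, i.e. what counting 32-bit groups measures."""
    return len("".join(hex_dump.split())) * 4

# Constructed 1024-bit modulus (not a real key): top byte 0xCB, then a filler pattern.
SAMPLE_MODULUS = int("CB" + "5A" * 127, 16)
SAMPLE_DUMP = format_like_ios(build_spki(SAMPLE_MODULUS))

if __name__ == "__main__":
    print(SAMPLE_DUMP)
    print("whole dump:", dump_bits(SAMPLE_DUMP), "bits")
    print("modulus bits, exponent:", rsa_key_info(SAMPLE_DUMP))
```

For a 1024-bit key the constructed dump is 162 bytes, or 40 full groups plus a trailing 0001, the same shape as the post's dump: 1296 bits of encoding around a 1024-bit modulus. The parser is deliberately minimal (it only walks the fixed SubjectPublicKeyInfo layout), which is enough to audit key sizes pulled from a router before deciding whether a key needs regenerating.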
  3. Hmmmm... I'm having problems getting this to work. I right click on the wire, and get Wireshark to start. But only an initial CDP packet or two show up. Nothing after that. Is there a trick to getting Wireshark to work with GNS3? (I still think GNS3 is amazing, by the way! :-) )
  4. >> Just right click on the wire and you will be launched to Wireshark (make sure you have properly installed Wireshark and then adjust the path in GNS).

     Wow! I had no idea you could do that. Thanks! Is GNS3 absolutely, incredibly amazing, or is it just fabulously, beyond amazing? Tony
  5. I'm running this in GNS3. Is there a way to sniff the traffic on the VPN with this topology?
  6. I'm running traceroute from a Cisco router, through a bunch of routers, to another Cisco router. Thanks for all the info! Obviously, I have much to learn about traceroute. I was unaware of all the different types.
  7. Can someone tell me how to allow only pings and traceroute out using a zone-based firewall? This configuration does allow pings out, but no traceroute:

       class-map type inspect match-any inoutcmap
        match protocol icmp
       !
       policy-map type inspect inoutpmap
        class type inspect inoutcmap
         inspect
        class class-default
         drop

     I also tried using an access-list instead, as shown below. Pings are allowed out, but still traceroutes are not.

       class-map type inspect match-any inoutcmap
        match access-group 100
       !
       policy-map type inspect inoutpmap
        class type inspect inoutcmap
         inspect
        class class-default
         drop
       !
       access-list 100 permit icmp any any echo
       access-list 100 permit icmp any any traceroute

     Any ideas? Thanks, Tony
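Added example, not the poster's configuration and not a Cisco tool: a small model of how the two policies in the post classify outbound flows. IOS traceroute sends UDP probes to destination ports starting at 33434, while Windows tracert and ping send ICMP echo requests, and the traceroute keyword in an IOS extended ACL matches ICMP type 30 rather than those UDP probes. The model is a simplification of zone-based firewall classification (first matching class wins, class-default drops); the third policy, which adds a class for the UDP probe port range, and the size of that range are assumptions for the demonstration, not something the post states. Return traffic (the ICMP time-exceeded replies) is outside what this model covers.

```python
"""Model of how a zone-based firewall policy classifies outbound flows.
Added example for the post above; not the poster's code and a
simplification of IOS ZBF, not the real classification engine."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ICMP_ECHO = 8          # 'echo' keyword in an IOS extended ACL
ICMP_TRACEROUTE = 30   # 'traceroute' keyword: the obsolete ICMP Traceroute type, not UDP probes
# Assumption: default IOS probes start at UDP 33434; 100 ports covers 30 hops x 3 probes.
TRACEROUTE_UDP_PORTS = range(33434, 33534)

@dataclass(frozen=True)
class Flow:
    proto: str                      # "icmp", "udp" or "tcp"
    dport: Optional[int] = None     # transport destination port
    icmp_type: Optional[int] = None

ClassMap = Tuple[str, Callable[[Flow], bool], str]   # (class-map name, match predicate, action)

def make_policy(classes: List[ClassMap]) -> Callable[[Flow], Tuple[str, str]]:
    """Return a classifier: first matching class wins, otherwise class-default drops."""
    def evaluate(flow: Flow) -> Tuple[str, str]:
        for name, matches, action in classes:
            if matches(flow):
                return name, action
        return "class-default", "drop"
    return evaluate

def acl_100(flow: Flow) -> bool:
    """access-list 100 permit icmp any any echo / permit icmp any any traceroute"""
    return flow.proto == "icmp" and flow.icmp_type in (ICMP_ECHO, ICMP_TRACEROUTE)

# The two policies from the post: 'match protocol icmp' and 'match access-group 100'.
POLICY_MATCH_ICMP = make_policy([("inoutcmap", lambda f: f.proto == "icmp", "inspect")])
POLICY_MATCH_ACL_100 = make_policy([("inoutcmap", acl_100, "inspect")])
# Assumed addition (not from the post): a second class covering the UDP probe ports.
POLICY_WITH_UDP_PROBES = make_policy([
    ("inoutcmap", lambda f: f.proto == "icmp", "inspect"),
    ("traceroute-udp", lambda f: f.proto == "udp" and f.dport in TRACEROUTE_UDP_PORTS, "inspect"),
])

# Constructed sample flows leaving the inside zone.
FLOWS = {
    "ping": Flow("icmp", icmp_type=ICMP_ECHO),
    "ios_traceroute_probe": Flow("udp", dport=33434),      # router traceroute: UDP probe
    "windows_tracert": Flow("icmp", icmp_type=ICMP_ECHO),  # tracert: ICMP echo request
    "telnet": Flow("tcp", dport=23),
}

def classify_all(policy: Callable[[Flow], Tuple[str, str]], flows=FLOWS) -> dict:
    """Map each sample flow name to the action the policy takes on it."""
    return {name: policy(flow)[1] for name, flow in flows.items()}

if __name__ == "__main__":
    for label, policy in [("match protocol icmp", POLICY_MATCH_ICMP),
                          ("match access-group 100", POLICY_MATCH_ACL_100),
                          ("with UDP probe class", POLICY_WITH_UDP_PROBES)]:
        print(f"{label:24s} {classify_all(policy)}")
```

Running it shows that both policies from the post inspect ping and tracert (ICMP echo) but send the router's own UDP probe to class-default, which is why pings leave and traceroute does not; the flow model makes the mismatch between the matched protocol and the probe traffic visible without a lab.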
  8. The topology is attached to this post. Below is the running config of R2. (R1 is a mirror). The VPN works just fine with this config. I can ping from to. Then I apply the following access list to fa1/0 of R2 inbound:

       access-list 101 permit ahp host host
       access-list 101 permit esp host host
       access-list 101 permit udp host host eq isakmp

     Now the VPN will not work. No pings get through. A 'show access-list' shows matches on esp:

       Extended IP access list 101
           permit ahp host host
           permit esp host host (5 matches)
           permit udp host host eq isakmp

     But obviously, something else needs to be open to let this work. Any ideas what that might be? Thanks, Tony

       Current configuration : 900 bytes
       !
       version 12.2
       service timestamps debug uptime
       service timestamps log uptime
       no service password-encryption
       !
       hostname R2
       !
       ip subnet-zero
       !
       crypto isakmp policy 10
        encr 3des
        authentication pre-share
        group 2
       crypto isakmp key sillykey address
       !
       crypto ipsec transform-set sillyset esp-3des esp-sha-hmac
       !
       crypto map sillymap 10 ipsec-isakmp
        set peer
        set transform-set sillyset
        match address 100
       !
       call rsvp-sync
       !
       interface FastEthernet0/0
        ip address
        duplex auto
        speed auto
       !
       interface FastEthernet1/0
        ip address
        duplex auto
        speed auto
        crypto map sillymap
       !
       ip classless
       ip route
       ip http server
       !
       access-list 100 permit ip
       !
       dial-peer cor custom
       !
       line con 0
        logging synchronous
       line aux 0
       line vty 0 4
        login
       !
       end
  9. Hi: I'm creating IPSec tunnels between two routers. The CCNA-Sec. Exam Cram book says that the following access-list placed incoming on the router interface will allow the tunnel to function:

       permit ahp host host
       permit esp host host
       permit udp host host eq isakmp

     where and are the external IPs of the routers. I get the tunnel up and working, but when I apply the access list incoming to the outside interface of the router, traffic stops. What else needs to be open for this to work? Thanks, Tony
  10. Great. Thanks for the info.
  11. Hi: Can someone explain the difference between an IPS signature file with the form: and IOS-S313-CLI.pkg? Are these different? When I log in to my router via the SDM, it says it wants a file with the sigv5 format. Is the pkg format an older one? Thanks, Tony
  12. Aaaah, an access-class feature will cover all of those. Good to know. Thanks.
  13. I'm trying to go through the IPS exercises in the CCNA-Sec Lab Manual. I've got a router that supports IPS, but I don't have any signature or crypto key files. Is there any way to test this, a generic file of sorts available, or is the real deal from Cisco the only way? Thanks for your help, Tony
  14. Hi: When I try to add telnet to a class-map for outgoing inspection, I get the following error:

       2651XM(config-cmap)#match protocol telnet
       %Protocol not supported for self-zone traffic inspection in policy-map pmap-self-pub on zone-pair zp-self-pub
       2651XM(config-cmap)#

     Is there a way to inspect telnet from the self zone? Relevant config posted below. Thanks, Tony

       !
       class-map type inspect match-any cmap-pub-self
        match access-group name acl-pub-self
       class-map type inspect match-any cmap-self-pub
        match protocol icmp
       class-map type inspect match-any cmap-priv-pub
        match protocol http
        match protocol icmp
        match protocol telnet
       !
       !
       policy-map type inspect pmap-priv-pub
        class type inspect cmap-priv-pub
         inspect
        class class-default
         drop
       policy-map type inspect pmap-pub-self
        class type inspect cmap-pub-self
         pass
        class class-default
         drop
       policy-map type inspect pmap-self-pub
        class type inspect cmap-self-pub
         inspect
        class class-default
       !
       zone security publiczone
       zone security privatezone
       zone-pair security zp-priv-pub source privatezone destination publiczone
        service-policy type inspect pmap-priv-pub
       zone-pair security zp-pub-self source publiczone destination self
        service-policy type inspect pmap-pub-self
       zone-pair security zp-self-pub source self destination publiczone
        service-policy type inspect pmap-self-pub
       !
       !
       ip access-list extended acl-pub-self
        permit eigrp any any
        permit tcp any any eq telnet
        permit icmp any any
  15. Hi: I'm looking for a switch to help me practice the CCNA-Security stuff: dot1x port control, DHCP snooping, port security, private VLANs, etc., etc. Will a 3550 let me do that, or are there others you would suggest? And is there a minimum IOS feature set I would need? Thanks for the info, Tony