Re: [nsp] REG: PIX Failover Bundle.

From: David Jirku (djirku@cisco.com)
Date: Fri Apr 20 2001 - 11:41:50 EDT


Ian,

Not true. You can disable NAT'ing of any internal networks:

  nat (inside) 0 0.0.0.0 0.0.0.0

would turn off ALL NAT'ing on the inside interface.

  nat (inside) 0 192.168.1.0 255.255.255.0

would turn off NAT'ing of only machines in the 192.168.1.0/24
network on the inside interface:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#23406

Note that Adaptive Security remains in effect when using the "nat 0"
command.

Cheers,

A Routerman wrote:
>
> It is my understanding that NAT is the basis for the PIX firewall and as such can't be "disabled". (This includes its cousin PAT - port address translation - and static NATs.)
>
> Here is a portion of the config for configuring failover:
>
> ip address outside x.x.x.1 255.255.255.0
> ip address inside y.y.y.1 255.255.255.0
> ip address crosslink z.z.z.1 255.255.255.0
> ip address backchannel w.w.w.1 255.255.255.0
>
> failover
> failover timeout 0:00:00
> failover ip address outside x.x.x.2
> failover ip address inside y.y.y.2
> failover ip address dmz-web z.z.z.2
> failover ip address dmz-auth w.w.w.2
> failover link inside
>
> Thanks,
>
> Ian
>
> -----Original Message-----
> From: Vinod Anthony Joseph Cherunni vac@dsqworld.com
> Sent: Fri, 20 Apr 2001 18:23:49 +0530
> To: routerman@visto.com
> CC: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] REG: PIX Failover Bundle.
>
> Hi,
>
> Thanks a lot for the advice. Just a couple of queries in mind.
>
> In a config as below -
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz-web security60
> nameif ethernet3 dmz-auth security3
>
> Assuming I am not using NAT on any interfaces, & need to disable it. How
> would I achieve the same on all my PIX interfaces?
>
> Secondly it would be great if you could send me a sample config for the
> PIX failover part.
>
> With kind regards,
> Vinod.
>
> ___________________________________________________________________________
> Visit http://www.visto.com/info, your free web-based communications center.
> Visto.com. Life on the Dot.

-- 
     |          |         David Jirku, CCIE #5287
    :|:        :|:        Systems Engineer
   :|||:      :|||:       Bay Wellington Tower, BCE Place 
 .:|||||||:..:|||||||:.   181 Bay Street, Suite 3400, P.O. Box 802
C I S C O S Y S T E M S   Toronto, Ontario M5J 2T3
    "Empowering the       P: 416-306-7719 E: djirku@cisco.com
  Internet Generation"    F: 416-306-7099 Pager: 1-800-68-CISCO
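The two pieces of PIX configuration in the exchange above, the `nat (inside) 0 ...` exemptions and the paired `ip address` / `failover ip address` lines, tend to be wrong in ways that only show up when the standby unit takes over. The script below is an added example, not code from the thread or from Cisco: it parses a constructed PIX-style fragment (RFC 5737 documentation prefixes stand in for the x.x.x.1 / z.z.z.1 / w.w.w.1 placeholders, and 192.168.1.0/24 is the inside network from David's second `nat 0` line), reports which source addresses a `nat 0` statement leaves untranslated on a given interface, and checks that every `failover ip address` names an interface that has a primary `ip address`, lies in that interface's subnet, and does not duplicate the primary address. Fed a fragment built from Ian's lines, it flags the naming mismatch visible in his post (`ip address crosslink` / `backchannel` against `failover ip address dmz-web` / `dmz-auth`). `PixConfig`, `parse_pix`, `is_nat_exempt` and `check_failover_addresses` are this example's own names, not PIX commands.

```python
"""Audit a PIX-style config fragment: nat 0 exemptions and failover addresses.

Added example; PixConfig / parse_pix / is_nat_exempt / check_failover_addresses
are this script's own names, not PIX or Cisco API names.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# One regex per statement type the thread discusses. Anchored at the start so
# that "failover ip address ..." never matches the plain "ip address ..." rule.
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+(\S+)\s+(\S+)$")
IPADDR_RE = re.compile(r"^ip\s+address\s+(\S+)\s+(\S+)\s+(\S+)$")
FAILOVER_RE = re.compile(r"^failover\s+ip\s+address\s+(\S+)\s+(\S+)$")


@dataclass
class PixConfig:
    nat0: dict = field(default_factory=dict)     # ifname -> [IPv4Network, ...]
    primary: dict = field(default_factory=dict)  # ifname -> IPv4Interface
    standby: dict = field(default_factory=dict)  # ifname -> IPv4Address


def parse_pix(text: str) -> PixConfig:
    """Collect nat 0, ip address and failover ip address statements; ignore the rest."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT0_RE.match(line):
            ifname, net, mask = m.groups()
            # 'nat (inside) 0 0.0.0.0 0.0.0.0' parses to 0.0.0.0/0: everything exempt.
            cfg.nat0.setdefault(ifname, []).append(
                ipaddress.IPv4Network(f"{net}/{mask}", strict=False))
        elif m := IPADDR_RE.match(line):
            ifname, addr, mask = m.groups()
            cfg.primary[ifname] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif m := FAILOVER_RE.match(line):
            ifname, addr = m.groups()
            cfg.standby[ifname] = ipaddress.IPv4Address(addr)
    return cfg


def is_nat_exempt(cfg: PixConfig, ifname: str, src_ip: str) -> bool:
    """True if a packet from src_ip arriving on ifname is covered by a nat 0 rule."""
    ip = ipaddress.IPv4Address(src_ip)
    return any(ip in net for net in cfg.nat0.get(ifname, []))


def check_failover_addresses(cfg: PixConfig) -> list:
    """Return problem strings; an empty list means each standby address is usable."""
    problems = []
    for ifname, standby in sorted(cfg.standby.items()):
        primary = cfg.primary.get(ifname)
        if primary is None:
            problems.append(f"{ifname}: failover ip address without a primary ip address")
        elif standby == primary.ip:
            problems.append(f"{ifname}: standby address equals the primary address")
        elif standby not in primary.network:
            problems.append(f"{ifname}: standby {standby} not in {primary.network}")
    return problems


# Constructed sample modelled on the config quoted in the thread: RFC 5737
# documentation prefixes replace x.x.x / z.z.z / w.w.w, and 192.168.1.0/24 is the
# inside network from David's nat 0 example. The crosslink/backchannel versus
# dmz-web/dmz-auth naming mismatch is copied from Ian's post on purpose.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz-web security60
nameif ethernet3 dmz-auth security3
ip address outside 192.0.2.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address crosslink 198.51.100.1 255.255.255.0
ip address backchannel 203.0.113.1 255.255.255.0
nat (inside) 0 192.168.1.0 255.255.255.0
failover
failover timeout 0:00:00
failover ip address outside 192.0.2.2
failover ip address inside 192.168.1.2
failover ip address dmz-web 198.51.100.2
failover ip address dmz-auth 203.0.113.2
failover link inside
"""

if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    for src in ("192.168.1.20", "10.0.0.5"):
        state = "untranslated (nat 0)" if is_nat_exempt(cfg, "inside", src) else "translated"
        print(f"inside {src}: {state}")
    for problem in check_failover_addresses(cfg) or ["failover addresses: ok"]:
        print(problem)
```

The standby check encodes the PIX failover rule that the `failover ip address` must share the subnet of the active unit's address, because the two units swap those addresses when failover occurs; it does not inspect the failover cable or the `failover link` interface. As David notes, `nat 0` only removes translation: Adaptive Security still applies, so `is_nat_exempt` says nothing about what a lower-security interface is allowed to reach.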

From: Vinod Anthony Joseph Cherunni (vac@dsqworld.com)
Date: Sat, 21 Apr 2001 11:38 (received Sat, 21 Apr 2001 03:29:46 -0400)
To: cisco-nsp@puck.nether.net
Cc: routerman@visto.com, persiko@bvsd.k12.co.us, djirku@cisco.com
Message-ID: <OFEFCD04F1.49D8FD88-ON65256A35.00206DAF@maa.antarix.net>


Dear All,

Thank you everybody for all the valuable advice. As mentioned [...] by Mr. Ian as below -

ip address outside x.x.x.1 255.255.255.0
ip address inside y.y.y.1 255.255.255.0
ip address crosslink z.z.z.1 255.255.255.0
ip address backchannel w.w.w.1 255.255.255.0

failover
failover timeout 0:00:00
failover ip address outside x.x.x.2
failover ip address inside y.y.y.2
failover ip address dmz-web z.z.z.2
failover ip address dmz-auth w.w.w.2
failover link inside

Can't the IP address of the interfaces belonging to a particular [...] be the same for the primary & secondary (failover), because otherwise h[...] (example inside LAN) would be using the default gateway as the [...] address of the active PIX interface, & if that's down, then how would all the systems forward to the IP of the failover PIX [...] addresses on each system becomes a little complex.

Note that Adaptive Security remains in effect when using the "nat 0" command.

Can this be explained to me pls. I am a little unclear about it.

Kindly provide your valuable suggestions.

With kind regards,

Vinod.


RE: [nsp] a question CRC error and resent

From: David Sinn (dsinn@microsoft.com)
Date: Thu, 19 Apr 2001 11:26:05 -0700

The only [...] case of half-duplex Ethernet link when a collision occurs. This [...] on the Ethernet network, not just routers.

David

-----Original Message-----
From: Tatsuya Kawasaki [mailto:tatsuya@kivex.com]
Sent: Thursday, April 19, 2001 3:52 AM
To: David Sinn
Subject: RE: [nsp] a question CRC error and resent

Dave, I believe you are correct on UDP pa[...] if CRC occur btwn routers.

Someone have any comment on this???

Tatsuya

Tatsuya Kawasaki
Allegiance Telecom
Unlock the Power of the Internet
http://www.kivex.com
Phone 301.215.6777 Fax 301.215.5991
Affiliation given for identification not representation
/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

On Wed, 18 Apr 2001, David Sinn wrote:

> If you are seeing CRC's then the router wil[l ...]
>
> If UDP was lost, then it is lost forever and it is up to the application
> how to deal with th[...]
>
> If [...] transmitted the packet to retransmit the packet bas[ed o]n
> acknowledgment responses from the receiving end. The routers will never
> retransmit transit packets (that is packe[ts ...]
> that were not locally generated by the router). It will only ever
> retransmit if it is one of [...]
>
> David
>
> -----Original Message-----
> From: Tatsuya Kawasaki [mailto:tatsuya@kivex.com]
> Sent: Wednesday, April 18, 2001 12:06 PM
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] a question CRC error and resent
>
> Hi you all,
>
> I have a simple question for you.
> connected to serial to serial via T1.
> If you ar[...]
> another.
> if you see CRC on the one site, does TCP request resent
> request?[...]
> Does cisco has a way to checking such request?
>
> the second thing is who "sh[...]"
> I thought ONLY the router in the other end is the one should respond
> assuming there is no [...]
> btwn.
>
> TIA,
>
> Tatsuya
>
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> Tatsuya Kawasaki
> Allegiance Telecom
> Unlock the Power of the Internet
> http://www.kivex.com
> Phone 301.215.6777 Fax 301.215.5991
> Affiliation given for identification not representation
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:35 EDT