Am proud to be here .. my first topic

Good day to every one here ..

am new member in your exciting side .. techexams.net ..

i wanna your advice plz ..

i have 16 global IP , if we include on it the network ip and broadcast ip it'll be 14 ..

I have PIX firewall CISCO 515E , and my private network is 192.168.2.0 255.255.254.0

and if we suppose our puplic IP is x.x.x.x ....

1) how i can configure one server and i wanna to permit the ftp service on it .

2) can i telnet to my PIX from my VPN .. and if yes how i can do it ...

3) how i can controll on my global ip .. for example if i wanna specify specific service to permit and other to deny .. like allow http but deny icmp for global x.x.x.x

regards for all ..

thanxs

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Mishra

Welcome to the forum. I'll bump your topic for a response.

networker050184

You can start with the Cisco PIX 515E Security Appliance Quick Start Guide.

Homam Faisal

Mishra wrote:

Welcome to the forum. I'll bump your topic for a response.

thanx

Homam Faisal

networker050184 wrote:

You can start with the Cisco PIX 515E Security Appliance Quick Start Guide.

I did , but nothing new

phantasm

Not to be rude, but did you brain **** your certs? You should know how to do that, especially considering you have a CCNA, MCSE and a CWNA. Something doesn't sound right.

Pash

I always approach every task like this by thinking of it in a pseudo type manner. Break down your tasks and whats required, find how to implement it, ciscos website is awesome, use it. Then plan a testing and rollout schedule, testing scripts are very useful for this.

mikej412

phantasm wrote:

You should know how to do that, especially considering you have a CCNA

Actually, the CCNA may prepare someone to get into the command line interface of a PIX, but even with the changes to Version 7 and 8 that make the PIX more "IOS Like" -- it's still a strange and different animal.

tech-airman

phantasm wrote:

Not to be rude, but did you brain **** your certs? You should know how to do that, especially considering you have a CCNA, MCSE and a CWNA. Something doesn't sound right.

phantasm,

The Cisco PIX 515E isn't on the CCNA exams. The Cisco PIX 515E isn't in any Microsoft exam. The Cisco PIX 515E isn't on the CWNA exam either. Even though you attempted to use a disclaimer of "not to be rude," unless you know for a fact that the Cisco PIX 515E is on any of the exam materials required for the CCNA, MCSE, and CWNA, you are actually being rude.

phantasm

tech-airman wrote:

phantasm wrote:

Not to be rude, but did you brain **** your certs? You should know how to do that, especially considering you have a CCNA, MCSE and a CWNA. Something doesn't sound right.

phantasm,

The Cisco PIX 515E isn't on the CCNA exams. The Cisco PIX 515E isn't in any Microsoft exam. The Cisco PIX 515E isn't on the CWNA exam either. Even though you attempted to use a disclaimer of "not to be rude," unless you know for a fact that the Cisco PIX 515E is on any of the exam materials required for the CCNA, MCSE, and CWNA, you are actually being rude.

Don't assume what I do or do not know. I'm aware the PIX isn't on the CCNA exams. My comment was more directed toward setting up his FTP server and configuring the access for that. So you, are also being rude for assuming you are aware of what I know. Have a good day.

Pash

phantasm wrote:

tech-airman wrote:

phantasm wrote:

Not to be rude, but did you brain **** your certs? You should know how to do that, especially considering you have a CCNA, MCSE and a CWNA. Something doesn't sound right.

phantasm,

The Cisco PIX 515E isn't on the CCNA exams. The Cisco PIX 515E isn't in any Microsoft exam. The Cisco PIX 515E isn't on the CWNA exam either. Even though you attempted to use a disclaimer of "not to be rude," unless you know for a fact that the Cisco PIX 515E is on any of the exam materials required for the CCNA, MCSE, and CWNA, you are actually being rude.

Don't assume what I do or do not know. I'm aware the PIX isn't on the CCNA exams. My comment was more directed toward setting up his FTP server and configuring the access for that. So you, are also being rude for assuming you are aware of what I know. Have a good day.

You were being rude though is techairmans point, you suggested the OP had braindumped the certs in his profile. This isnt being helpful at all.

With my limited PIX exposure I would say it's a lot like juniper netscreens except with cisco ACL's inbedded. The OP needs to read ciscos white papers though!

dynamik

phantasm wrote:

Don't assume what I do or do not know. I'm aware the PIX isn't on the CCNA exams. My comment was more directed toward setting up his FTP server and configuring the access for that. So you, are also being rude for assuming you are aware of what I know. Have a good day.

It sounds like he wants to permit FTP traffic to one server through the PIX. I think you misunderstood what he was asking.

hypnotoad

PIX is a beast. I avoid messing with ours at all costs.

1) you'll need to set a static NAT mapping and set up an ACL to allow the traffic from outside to inside for FTP.

2) telnet 192.168.2.0 255.255.254.0 inside
assuming inside is your nameif (interface name). I believe you'll need passwords set like normal IOS devices. I *think* this will work with VPN.

3) ACLs.

snadam

phantasm wrote:

Don't assume what I do or do not know. I'm aware the PIX isn't on the CCNA exams. My comment was more directed toward setting up his FTP server and configuring the access for that. So you, are also being rude for assuming you are aware of what I know. Have a good day.

If you don't want a harsh reply, don't post a harsh, vague, inaccurate comment. Have a good day.

and yes, as Pash mentioned, cisco's whitepapers on PIX would be a good springboard.

welcome to the boards Homam Faisal!

phantasm

snadam wrote:

phantasm wrote:

Don't assume what I do or do not know. I'm aware the PIX isn't on the CCNA exams. My comment was more directed toward setting up his FTP server and configuring the access for that. So you, are also being rude for assuming you are aware of what I know. Have a good day.

If you don't want a harsh reply, don't post a harsh, vague, inaccurate comment. Have a good day.

and yes, as Pash mentioned, cisco's whitepapers on PIX would be a good springboard.

welcome to the boards Homam Faisal!

I don't mind harsh replies.

Back on topic however, I'd look into Static NAT and configuring ACL's. That should help. SOme of the links posted above are very good reads as well.

AlexMR

Homam Faisal wrote:

...and my private network is 192.168.2.0 255.255.254.0

Isnt that one an invalid subnet mask for a class C network???

networker050184

IP Addressing and Subnetting for New Users

Read the sections on VLSM and CIDR.

aragoen_celtdra

Great! Just when my brain is being fried by all these subnetting lessons i've been poring over for the last 2 days (approx 8 hours in total so far) I was tempted to read on this VLSM thing. Needless to say, it only confused me more.

And yeah, i too was thinking that 192.168.2.0/23 is an invalid class C network. I was thinking how a network with 24bits on it's network field actually have less? But I guess once I'm done with CCNA studies, I'll come to understand why it can be possible. And maybe, I'll understand exactly what VLSM is..

At least what I got from it is that it allows one to use different masks for each subnet, supposedly to save address spaces.

Oh and welcome Homam Faisal. Happy learning to you all.

sprkymrk

A class C address space with a 255.255.254.0 mask (which is /23) is really just combining 2 contiguos class C networks into a single broadcast domain, so instead of 254 hosts, you have 508 or whatever.

Best used when you can't afford a router to seperate your 2 class C's.

korszo

I'm really missing something here...

How can you have a Class C address using a 255.255.254.0 mask? The first 24 bits for Class C are reserved for the network address, you use host bits to subnet, not network bits. I have never seen an example in subnetting, VLSM or CIDR using network bits within the class, it's always host bits.

How is it possible this is a valid class C mask? Can someone provide a link to back up their claim this is a valid mask?

RK

networker050184

Like sprkymrk stated, its really an aggregate of class C networks. Check out this information on CIDR.

dtlokee

korszo wrote:

I'm really missing something here...

How can you have a Class C address using a 255.255.254.0 mask? The first 24 bits for Class C are reserved for the network address, you use host bits to subnet, not network bits. I have never seen an example in subnetting, VLSM or CIDR using network bits within the class, it's always host bits.

How is it possible this is a valid class C mask? Can someone provide a link to back up their claim this is a valid mask?

RK

That is the point of CIDR, the mask is no longer tied to the class, it is valid to have a subnet mask that is shorter than the default classful network mask. This results in a block of networks or a supernet as Sprkymrk said. This is how allocations by the numbering registries are currently done, typically a block of class C addresses with a /19 mask resulting in a block of networks with 8190 host addresses (32 class C's)

korszo

dtlokee wrote:

That is the point of CIDR, the mask is no longer tied to the class, it is valid to have a subnet mask that is shorter than the default classful network mask. This results in a block of networks or a supernet as Sprkymrk said. This is how allocations by the numbering registries are currently done, typically a block of class C addresses with a /19 mask resulting in a block of networks with 8190 host addresses (32 class C's)

OK...

-Speaking in the context of routing, as in Classless Inter-Domain Routing, or route summarization, this is a valid mask.

-Speaking in context of IP addressing, Subnetting or VLSM, this mask is invalid.

Do I understand this correctly, and are the above statements correct? If not please educate me.

sprkymrk wrote:

A class C address space with a 255.255.254.0 mask (which is /23) is really just combining 2 contiguos class C networks into a single broadcast domain, so instead of 254 hosts, you have 508 or whatever.

Best used when you can't afford a router to seperate your 2 class C's.

Assuming my previous statements are true ... How can sprkymrk's statement be correct when it is in the context of IP addressing, not routing. If there are no routers, using this mask to combine two Class C networks is considered valid practice?

I don't understand, what am I missing?

RK

dtlokee

Check out rfc 1519, it defines CIDR and what it's all about. Since it was introduced in 1993 it is commonly implemented on all infrastructure devices and hosts since then.

As for what Sprkymrk said it is completely valid to create a supernet to accommodate a set number of hosts. We are spoiled when it comes to private IP addressing in we can use the 10.0.0.0/8 network and make an insane number of subnets with an insane number of hosts. When the addresses are from the public address pool you need to be far more frugal in the implementation of an addressing scheme. If you need to accommodate 500 hosts on a single subnet (lets say a cable provider where the node has 500 homes and can't be subdivided easily) what would you do if you only have class C addresses to work with? You create a supernet. You can take 2 of your class "C" networks and make them appear as a single network (technically supernet). This is done by borrowing bits from the network portion of the address, thus increasing the number of host bits. If you have 9 host bits this will give you 510 host addresses, regardless of the address class. So a 206.31.0.0/23 creates a supernet that would start at 206.31.0.0 and end at 206.31.1.255 (if you subtract the subnet and broadcast addresses you will have a range of 206.31.0.1 to 206.31.1.254 which is 510 addresses)

korszo

dtlokee wrote:

Check out rfc 1519, it defines CIDR and what it's all about. Since it was introduced in 1993 it is commonly implemented on all infrastructure devices and hosts since then.

As for what Sprkymrk said it is completely valid to create a supernet to accommodate a set number of hosts. We are spoiled when it comes to private IP addressing in we can use the 10.0.0.0/8 network and make an insane number of subnets with an insane number of hosts. When the addresses are from the public address pool you need to be far more frugal in the implementation of an addressing scheme. If you need to accommodate 500 hosts on a single subnet (lets say a cable provider where the node has 500 homes and can't be subdivided easily) what would you do if you only have class C addresses to work with? You create a supernet. You can take 2 of your class "C" networks and make them appear as a single network (technically supernet). This is done by borrowing bits from the network portion of the address, thus increasing the number of host bits. If you have 9 host bits this will give you 510 host addresses, regardless of the address class. So a 206.31.0.0/23 creates a supernet that would start at 206.31.0.0 and end at 206.31.1.255 (if you subtract the subnet and broadcast addresses you will have a range of 206.31.0.1 to 206.31.1.254 which is 510 addresses)

I can understand the concept, but obviously I have not worked with large networks in the real world and am studying at the CCNA level. In my current CCNA studies, I have not yet seen coverage of the "supernet" topic. So in my mind, at my current knowledge level and topics studied to date, this mask is incorrect. Although obviously the mask is correct using advanced IP addressing concepts.

Seems it's very important to understand at what level the topic is being discussed to derive the correct answer. As answers can vary depending on exactly what is being discussed.

Wow ... I'm almost confusing myself ... ;--}}}}}}

Thank you very much the reply.

RK

aragoen_celtdra

korszo wrote:

I can understand the concept, but obviously I have not worked with large networks in the real world and am studying at the CCNA level. In my current CCNA studies, I have not yet seen coverage of the "supernet" topic. So in my mind, at my current knowledge level and topics studied to date, this mask is incorrect. Although obviously the mask is correct using advanced IP addressing concepts.

Seems it's very important to understand at what level the topic is being discussed to derive the correct answer. As answers can vary depending on exactly what is being discussed.

Wow ... I'm almost confusing myself ... ;--}}}}}}

Thank you very much the reply.

RK

There's a term they use for people like us here, my friend - "Newbies" LOL

Although all those acronyms next to your screen name probably suggest that i'm much more of a newbie than yourself.

All kidding aside. This is a pretty exciting discussion because it is really forcing me to want to learn these new things. I too am learning subnetting right now and I'm really challenging myself to learn about this subject really well. In fact it's making me deviate from my study schedule just to read up on this topic even when it's not on the "need to learn" list on my CCNA studies.

Well, good luck on your studies bro. Hopefully you continue to post more of the experiences and challenges you go through as you study for the CCNA so people like us can also learn with you.

korszo

dtlokee wrote:

Check out rfc 1519, it defines CIDR and what it's all about. Since it was introduced in 1993 it is commonly implemented on all infrastructure devices and hosts since then.

As for what Sprkymrk said it is completely valid to create a supernet to accommodate a set number of hosts. We are spoiled when it comes to private IP addressing in we can use the 10.0.0.0/8 network and make an insane number of subnets with an insane number of hosts. When the addresses are from the public address pool you need to be far more frugal in the implementation of an addressing scheme. If you need to accommodate 500 hosts on a single subnet (lets say a cable provider where the node has 500 homes and can't be subdivided easily) what would you do if you only have class C addresses to work with? You create a supernet. You can take 2 of your class "C" networks and make them appear as a single network (technically supernet). This is done by borrowing bits from the network portion of the address, thus increasing the number of host bits. If you have 9 host bits this will give you 510 host addresses, regardless of the address class. So a 206.31.0.0/23 creates a supernet that would start at 206.31.0.0 and end at 206.31.1.255 (if you subtract the subnet and broadcast addresses you will have a range of 206.31.0.1 to 206.31.1.254 which is 510 addresses)

Today I went through and experimented with 192.168.2.0 255.255.254.0 using my lab equipment ... and indeed, I could address my routers and switches using this mask, along with verifying connectivity within the address range. On router IOS 12.3 / 12.4 no problem.

But ... on this one:

Router#show ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(28 ) RELEASE SOFTWARE (fc5)

~~~~~~~~~~~~~

Router(config-if)#ip address 192.168.2.1 255.255.254.0
Bad mask 0xFFFFFE00 for address 192.168.2.1

~~~~~~~~~~~~~

Interesting, only acceptable in later IOS versions ???

RK