I am proud to be here .. my first topic

Homam Faisal Member Posts: 3
Good day to everyone here ..

I am a new member of your exciting site .. techexams.net ..

I want your advice please ..

I have 16 global IPs; if we include in it the network IP and broadcast IP it'll be 14 ..

I have a Cisco PIX 515E firewall, and my private network is 192.168.2.0 255.255.254.0

and if we suppose our public IP is x.x.x.x ....

1) How can I configure one server and permit the FTP service on it?

2) Can I telnet to my PIX from my VPN, and if yes, how can I do it?

3) How can I control my global IPs, for example if I want to permit a specific service and deny another, like allow HTTP but deny ICMP for global x.x.x.x?

Regards to all ..

Thanks
eng. HOMAM

Comments

  • Mishra Member Posts: 2,468
    Welcome to the forum. I'll bump your topic for a response.
    My blog http://www.calegp.com

    You may learn something!
  • networker050184 Mod Posts: 11,962
    An expert is a man who has made all the mistakes which can be made.
  • Homam Faisal Member Posts: 3
    Mishra wrote:
    Welcome to the forum. I'll bump your topic for a response.

    Thanks
    eng. HOMAM
  • Homam Faisal Member Posts: 3

    I did, but nothing new.
    eng. HOMAM
  • phantasm Member Posts: 995
    Not to be rude, but did you brain **** your certs? You should know how to do that, especially considering you have a CCNA, MCSE and a CWNA. Something doesn't sound right.
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • Pash Member Posts: 1,600
    I always approach every task like this by thinking of it in a pseudo-type manner. Break down your tasks and what's required, find out how to implement it; Cisco's website is awesome, use it. Then plan a testing and rollout schedule; testing scripts are very useful for this.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • mikej412 Member Posts: 10,086
    phantasm wrote:
    You should know how to do that, especially considering you have a CCNA
    Actually, the CCNA may prepare someone to get into the command line interface of a PIX, but even with the changes to Version 7 and 8 that make the PIX more "IOS Like" -- it's still a strange and different animal.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • tech-airman Member Posts: 953
    phantasm wrote:
    Not to be rude, but did you brain **** your certs? You should know how to do that, especially considering you have a CCNA, MCSE and a CWNA. Something doesn't sound right.

    phantasm,

    The Cisco PIX 515E isn't on the CCNA exams. The Cisco PIX 515E isn't in any Microsoft exam. The Cisco PIX 515E isn't on the CWNA exam either. Even though you attempted to use a disclaimer of "not to be rude," unless you know for a fact that the Cisco PIX 515E is on any of the exam materials required for the CCNA, MCSE, and CWNA, you are actually being rude.
  • phantasm Member Posts: 995
    phantasm wrote:
    Not to be rude, but did you brain **** your certs? You should know how to do that, especially considering you have a CCNA, MCSE and a CWNA. Something doesn't sound right.

    phantasm,

    The Cisco PIX 515E isn't on the CCNA exams. The Cisco PIX 515E isn't in any Microsoft exam. The Cisco PIX 515E isn't on the CWNA exam either. Even though you attempted to use a disclaimer of "not to be rude," unless you know for a fact that the Cisco PIX 515E is on any of the exam materials required for the CCNA, MCSE, and CWNA, you are actually being rude.

    Don't assume what I do or do not know. I'm aware the PIX isn't on the CCNA exams. My comment was more directed toward setting up his FTP server and configuring the access for that. So you are also being rude for assuming you are aware of what I know. Have a good day.
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • Pash Member Posts: 1,600
    phantasm wrote:
    phantasm wrote:
    Not to be rude, but did you brain **** your certs? You should know how to do that, especially considering you have a CCNA, MCSE and a CWNA. Something doesn't sound right.

    phantasm,

    The Cisco PIX 515E isn't on the CCNA exams. The Cisco PIX 515E isn't in any Microsoft exam. The Cisco PIX 515E isn't on the CWNA exam either. Even though you attempted to use a disclaimer of "not to be rude," unless you know for a fact that the Cisco PIX 515E is on any of the exam materials required for the CCNA, MCSE, and CWNA, you are actually being rude.

    Don't assume what I do or do not know. I'm aware the PIX isn't on the CCNA exams. My comment was more directed toward setting up his FTP server and configuring the access for that. So you are also being rude for assuming you are aware of what I know. Have a good day.

    You were being rude though, which is tech-airman's point; you suggested the OP had braindumped the certs in his profile. This isn't being helpful at all.

    With my limited PIX exposure I would say it's a lot like Juniper NetScreens except with Cisco ACLs embedded. The OP needs to read Cisco's white papers though!
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • dynamik Banned Posts: 12,312
    phantasm wrote:
    Don't assume what I do or do not know. I'm aware the PIX isn't on the CCNA exams. My comment was more directed toward setting up his FTP server and configuring the access for that. So you are also being rude for assuming you are aware of what I know. Have a good day.

    It sounds like he wants to permit FTP traffic to one server through the PIX. I think you misunderstood what he was asking.
  • hypnotoad Banned Posts: 915
    PIX is a beast. I avoid messing with ours at all costs.

    1) You'll need to set a static NAT mapping and set up an ACL to allow the traffic from outside to inside for FTP.

    2) telnet 192.168.2.0 255.255.254.0 inside
    assuming inside is your nameif (interface name). I believe you'll need passwords set like normal IOS devices. I *think* this will work with VPN.

    3) ACLs.
  • snadam Member Posts: 2,234
    phantasm wrote:
    Don't assume what I do or do not know. I'm aware the PIX isn't on the CCNA exams. My comment was more directed toward setting up his FTP server and configuring the access for that. So you are also being rude for assuming you are aware of what I know. Have a good day.

    If you don't want a harsh reply, don't post a harsh, vague, inaccurate comment. Have a good day.

    And yes, as Pash mentioned, Cisco's whitepapers on PIX would be a good springboard.

    Welcome to the boards Homam Faisal!
    **** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine

    :study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security
  • phantasm Member Posts: 995
    snadam wrote:
    phantasm wrote:
    Don't assume what I do or do not know. I'm aware the PIX isn't on the CCNA exams. My comment was more directed toward setting up his FTP server and configuring the access for that. So you are also being rude for assuming you are aware of what I know. Have a good day.

    If you don't want a harsh reply, don't post a harsh, vague, inaccurate comment. Have a good day.

    And yes, as Pash mentioned, Cisco's whitepapers on PIX would be a good springboard.

    Welcome to the boards Homam Faisal!

    I don't mind harsh replies.

    Back on topic however, I'd look into static NAT and configuring ACLs. That should help. Some of the links posted above are very good reads as well.
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • AlexMR Member Posts: 275
    ...and my private network is 192.168.2.0 255.255.254.0

    Isn't that an invalid subnet mask for a class C network???
    Training/Studying for....CCNP (BSCI) and some MS.
  • networker050184 Mod Posts: 11,962
    IP Addressing and Subnetting for New Users

    Read the sections on VLSM and CIDR.
    An expert is a man who has made all the mistakes which can be made.
  • aragoen_celtdra Member Posts: 246
    Great! Just when my brain is being fried by all these subnetting lessons I've been poring over for the last 2 days (approx. 8 hours in total so far), I was tempted to read up on this VLSM thing. Needless to say, it only confused me more.

    And yeah, I too was thinking that 192.168.2.0/23 is an invalid class C network. I was thinking: how can a network with 24 bits in its network field actually have fewer? But I guess once I'm done with CCNA studies, I'll come to understand why it can be possible. And maybe I'll understand exactly what VLSM is.. At least what I got from it is that it allows one to use different masks for each subnet, supposedly to save address space.

    Oh, and welcome Homam Faisal. Happy learning to you all.
    CCIE Wr: In Progress...
    Hours CCIE Wr Prep: 309:03:52
    Follow my study progress at Route My World!
    My CCIE Thread
  • sprkymrk Member Posts: 4,884
    A class C address space with a 255.255.254.0 mask (which is /23) is really just combining 2 contiguous class C networks into a single broadcast domain, so instead of 254 hosts, you have 508 or whatever.

    Best used when you can't afford a router to separate your 2 class C's.
    All things are possible, only believe.
  • korszo Member Posts: 31
    I'm really missing something here...

    How can you have a Class C address using a 255.255.254.0 mask? The first 24 bits for Class C are reserved for the network address, you use host bits to subnet, not network bits. I have never seen an example in subnetting, VLSM or CIDR using network bits within the class, it's always host bits.

    How is it possible this is a valid class C mask? Can someone provide a link to back up their claim this is a valid mask?

    RK
  • networker050184 Mod Posts: 11,962
    Like sprkymrk stated, it's really an aggregate of class C networks. Check out this information on CIDR.
    An expert is a man who has made all the mistakes which can be made.
  • dtlokee Member Posts: 2,378
    korszo wrote:
    I'm really missing something here...

    How can you have a Class C address using a 255.255.254.0 mask? The first 24 bits for Class C are reserved for the network address, you use host bits to subnet, not network bits. I have never seen an example in subnetting, VLSM or CIDR using network bits within the class, it's always host bits.

    How is it possible this is a valid class C mask? Can someone provide a link to back up their claim this is a valid mask?

    RK

    That is the point of CIDR: the mask is no longer tied to the class, and it is valid to have a subnet mask that is shorter than the default classful network mask. This results in a block of networks, or a supernet, as Sprkymrk said. This is how allocations by the numbering registries are currently done, typically a block of class C addresses with a /19 mask, resulting in a block of networks with 8190 host addresses (32 class C's).
    The only easy day was yesterday!
  • korszo Member Posts: 31
    dtlokee wrote:
    That is the point of CIDR: the mask is no longer tied to the class, and it is valid to have a subnet mask that is shorter than the default classful network mask. This results in a block of networks, or a supernet, as Sprkymrk said. This is how allocations by the numbering registries are currently done, typically a block of class C addresses with a /19 mask, resulting in a block of networks with 8190 host addresses (32 class C's).
    OK...

    -Speaking in the context of routing, as in Classless Inter-Domain Routing, or route summarization, this is a valid mask.

    -Speaking in context of IP addressing, Subnetting or VLSM, this mask is invalid.

    Do I understand this correctly, and are the above statements correct? If not please educate me.
    sprkymrk wrote:
    A class C address space with a 255.255.254.0 mask (which is /23) is really just combining 2 contiguous class C networks into a single broadcast domain, so instead of 254 hosts, you have 508 or whatever.

    Best used when you can't afford a router to separate your 2 class C's.

    Assuming my previous statements are true ... how can sprkymrk's statement be correct when it is in the context of IP addressing, not routing? If there are no routers, is using this mask to combine two Class C networks considered valid practice?

    I don't understand, what am I missing?

    RK
  • dtlokee Member Posts: 2,378
    Check out RFC 1519; it defines CIDR and what it's all about. Since it was introduced in 1993 it is commonly implemented on all infrastructure devices and hosts since then.

    As for what Sprkymrk said, it is completely valid to create a supernet to accommodate a set number of hosts. We are spoiled when it comes to private IP addressing in that we can use the 10.0.0.0/8 network and make an insane number of subnets with an insane number of hosts. When the addresses are from the public address pool you need to be far more frugal in the implementation of an addressing scheme. If you need to accommodate 500 hosts on a single subnet (let's say a cable provider where the node has 500 homes and can't be subdivided easily), what would you do if you only have class C addresses to work with? You create a supernet. You can take 2 of your class "C" networks and make them appear as a single network (technically a supernet). This is done by borrowing bits from the network portion of the address, thus increasing the number of host bits. If you have 9 host bits this will give you 510 host addresses, regardless of the address class. So 206.31.0.0/23 creates a supernet that would start at 206.31.0.0 and end at 206.31.1.255 (if you subtract the subnet and broadcast addresses you will have a range of 206.31.0.1 to 206.31.1.254, which is 510 addresses).
    The only easy day was yesterday!
  • korszo Member Posts: 31
    dtlokee wrote:
    Check out RFC 1519; it defines CIDR and what it's all about. Since it was introduced in 1993 it is commonly implemented on all infrastructure devices and hosts since then.

    As for what Sprkymrk said, it is completely valid to create a supernet to accommodate a set number of hosts. We are spoiled when it comes to private IP addressing in that we can use the 10.0.0.0/8 network and make an insane number of subnets with an insane number of hosts. When the addresses are from the public address pool you need to be far more frugal in the implementation of an addressing scheme. If you need to accommodate 500 hosts on a single subnet (let's say a cable provider where the node has 500 homes and can't be subdivided easily), what would you do if you only have class C addresses to work with? You create a supernet. You can take 2 of your class "C" networks and make them appear as a single network (technically a supernet). This is done by borrowing bits from the network portion of the address, thus increasing the number of host bits. If you have 9 host bits this will give you 510 host addresses, regardless of the address class. So 206.31.0.0/23 creates a supernet that would start at 206.31.0.0 and end at 206.31.1.255 (if you subtract the subnet and broadcast addresses you will have a range of 206.31.0.1 to 206.31.1.254, which is 510 addresses).
    I can understand the concept, but obviously I have not worked with large networks in the real world and am studying at the CCNA level. In my current CCNA studies, I have not yet seen coverage of the "supernet" topic. So in my mind, at my current knowledge level and topics studied to date, this mask is incorrect. Although obviously the mask is correct using advanced IP addressing concepts.

    Seems it's very important to understand at what level the topic is being discussed to derive the correct answer, as answers can vary depending on exactly what is being discussed.

    Wow ... I'm almost confusing myself ... ;--}}}}}}

    Thank you very much for the reply.

    RK
  • aragoen_celtdra Member Posts: 246
    korszo wrote:
    I can understand the concept, but obviously I have not worked with large networks in the real world and am studying at the CCNA level. In my current CCNA studies, I have not yet seen coverage of the "supernet" topic. So in my mind, at my current knowledge level and topics studied to date, this mask is incorrect. Although obviously the mask is correct using advanced IP addressing concepts.

    Seems it's very important to understand at what level the topic is being discussed to derive the correct answer, as answers can vary depending on exactly what is being discussed.

    Wow ... I'm almost confusing myself ... ;--}}}}}}

    Thank you very much for the reply.

    RK
    There's a term they use for people like us here, my friend - "Newbies" LOL. Although all those acronyms next to your screen name probably suggest that I'm much more of a newbie than yourself.

    All kidding aside, this is a pretty exciting discussion because it is really forcing me to want to learn these new things. I too am learning subnetting right now and I'm really challenging myself to learn this subject really well. In fact it's making me deviate from my study schedule just to read up on this topic even when it's not on the "need to learn" list of my CCNA studies.

    Well, good luck on your studies bro. Hopefully you continue to post more of the experiences and challenges you go through as you study for the CCNA so people like us can also learn with you.
    CCIE Wr: In Progress...
    Hours CCIE Wr Prep: 309:03:52
    Follow my study progress at Route My World!
    My CCIE Thread
  • korszo Member Posts: 31
    dtlokee wrote:
    Check out RFC 1519; it defines CIDR and what it's all about. Since it was introduced in 1993 it is commonly implemented on all infrastructure devices and hosts since then.

    As for what Sprkymrk said, it is completely valid to create a supernet to accommodate a set number of hosts. We are spoiled when it comes to private IP addressing in that we can use the 10.0.0.0/8 network and make an insane number of subnets with an insane number of hosts. When the addresses are from the public address pool you need to be far more frugal in the implementation of an addressing scheme. If you need to accommodate 500 hosts on a single subnet (let's say a cable provider where the node has 500 homes and can't be subdivided easily), what would you do if you only have class C addresses to work with? You create a supernet. You can take 2 of your class "C" networks and make them appear as a single network (technically a supernet). This is done by borrowing bits from the network portion of the address, thus increasing the number of host bits. If you have 9 host bits this will give you 510 host addresses, regardless of the address class. So 206.31.0.0/23 creates a supernet that would start at 206.31.0.0 and end at 206.31.1.255 (if you subtract the subnet and broadcast addresses you will have a range of 206.31.0.1 to 206.31.1.254, which is 510 addresses).
    Today I went through and experimented with 192.168.2.0 255.255.254.0 using my lab equipment ... and indeed, I could address my routers and switches using this mask, along with verifying connectivity within the address range. On router IOS 12.3 / 12.4 no problem.

    But ... on this one:

    Router#show ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-I-M), Version 12.2(28 ) RELEASE SOFTWARE (fc5)

    ~~~~~~~~~~~~~

    Router(config-if)#ip address 192.168.2.1 255.255.254.0
    Bad mask 0xFFFFFE00 for address 192.168.2.1

    ~~~~~~~~~~~~~

    Interesting, so it is only acceptable in later IOS versions???

    RK
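The supernet arithmetic dtlokee walks through (9 host bits, 510 usable addresses, /19 aggregating 32 class C's) and the classful check behind the "Bad mask 0xFFFFFE00" that korszo hit on IOS 12.2 can both be reproduced with the standard library. This is an added example written for this thread, not code from any poster or from Cisco; the classful default lengths are the RFC 791 class boundaries, and the check simply rejects any mask shorter than that default, which is the behaviour the old image showed.

```python
"""Supernet facts and the pre-CIDR mask check behind IOS 12.2's "Bad mask".

Added example for this thread (not from any poster). Standard library only.
"""
import ipaddress
from typing import Optional

def classful_prefix(addr: ipaddress.IPv4Address) -> Optional[int]:
    """Pre-CIDR default mask length for an address (RFC 791 classes)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8        # class A
    if first_octet < 192:
        return 16       # class B
    if first_octet < 224:
        return 24       # class C
    return None         # class D/E: no default host portion

def summarize(cidr: str) -> dict:
    """Network, broadcast, usable range, host bits and hex mask for a block.

    strict=False lets a host address such as 192.168.2.1/23 be passed in.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    # /31 and /32 have no distinct network/broadcast (RFC 3021); apply the
    # classic "minus two" rule only to blocks wider than that.
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable": usable,
        "host_bits": 32 - net.prefixlen,
        "mask_hex": f"0x{int(net.netmask):08X}",
    }

def classful_networks(cidr: str) -> list[str]:
    """Classful networks a block aggregates; a single entry when the block is
    a subnet of (or equal to) one classful network, i.e. not a supernet."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    default = classful_prefix(net.network_address)
    if default is None or net.prefixlen >= default:
        return [str(net)]
    return [str(s) for s in net.subnets(new_prefix=default)]

def classful_mask_check(addr_str: str, mask_str: str) -> tuple[bool, str]:
    """Reproduce the classful sanity check: a mask shorter than the address's
    class default is rejected, which is what IOS 12.2 printed as 'Bad mask'."""
    addr = ipaddress.IPv4Address(addr_str)
    mask = ipaddress.IPv4Address(mask_str)
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask_str}").prefixlen
    default = classful_prefix(addr)
    if default is None or prefix < default:
        return False, f"Bad mask 0x{int(mask):08X} for address {addr}"
    return True, f"/{prefix} is not shorter than the class default /{default}"

if __name__ == "__main__":
    print(summarize("206.31.0.0/23"))
    print(classful_networks("192.168.2.0/23"))
    print(classful_mask_check("192.168.2.1", "255.255.254.0"))
```

The same mask passes the classful check for a class A address such as 10.1.2.3, which is the whole point: 255.255.254.0 is only "invalid" when judged against the class of the address, not on its own.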