From: Chris Hugo (chrishugo@xxxxxxxxx)
Date: Sun Mar 24 2002 - 00:18:49 GMT-3
Hi ALL,
Did you also take a look at the policy routing on R1? What this does is set the
next hop to the loopback interface, which is supposed to get routed out normally.
I would think it's supposed to get back to the 10.1.1.0 subnet, but they
specifically removed the 10.1.1.0 route in OSPF on router 4. So R1 would not be
able to get back to 10.1.1.0. So the only way back is through the IPSEC tunnel,
which is not supposed to occur.
Bob in the San Francisco Bay Area wrote:
Chris,
hi, wow you're a lot further along in these labs than I am. Looks to me
like R2 should be R4 like you said.
I think that this lab makes us work through the issue that items that
are NAT'd will never become interesting traffic to the IPSEC tunnel
between the 2 inside network addresses. That is the NAT occurs first,
then the source address will be checked (after the NAT translation) and
may no longer qualify for the IPSEC encryption, even though we may
intend it to qualify. So anything that we intend to send over the
tunnel, we must selectively turn off NAT for.
Does that make any sense? At least that is what it appears to be
getting at to me.
We did some exercises similar to this in the CSS1 classes on both the
firewall feature set and PIX.
Also, since IPSEC doesn't support multicast, we may see an exercise
that requires us to put IPSEC inside a GRE tunnel that does support
multicast in order to pass routing protocol updates. I'm just guessing
as I haven't read ahead. But that was also an exercise in the CSS1 class.
FWIW,
Bob
Chris Hugo wrote:
> I would like to go over lab 15 of IP expert task 1. I think there
> could be some errors in there. Can you take a look at task 1 and tell
> me what you think the author is trying to do. I was thinking it was
> nat-on-stick but I don't think it is. I would like your feedback.
>
> I also noticed that the task list was to also modify R2. Isn't this
> supposed to be R4?
>
> I have the latest update 2.1. Can someone please tell me the intention
> of task 15.1. If I know the intention of this section of the lab I can
> formulate the proper solution. THANKS IN ADVANCE.
>
> I have posted this message to IP Expert's Zone web site but I have had no
> response yet.
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:20 GMT-3
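
Added example, not part of the original thread or the lab workbook: a small Python model of the order Bob describes, where NAT rewrites the source before the crypto ACL is checked, plus a check that lists flows meant for the tunnel that would leave unencrypted. The /24 mask on 10.1.1.0, the remote subnet 10.2.2.0/24, the outside address 192.0.2.1 and all function names are assumptions made for illustration.

```python
"""Model of the egress order Bob describes: NAT first, then the crypto ACL check."""
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
LOCAL = "10.1.1.0/24"      # subnet named in the thread; the /24 mask is assumed
REMOTE = "10.2.2.0/24"     # constructed far-side subnet
NAT_IP = "192.0.2.1"       # constructed outside address (documentation range)

# ACLs as ordered (action, source, destination) entries; first match wins.
CRYPTO_ACL = [("permit", LOCAL, REMOTE)]
NAT_ALL = [("permit", LOCAL, ANY)]                              # NAT everything
NAT_EXEMPT = [("deny", LOCAL, REMOTE), ("permit", LOCAL, ANY)]  # NAT off for tunnel


def acl_permits(acl, src, dst):
    """Evaluate an extended-ACL-style list with an implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action == "permit"
    return False


def egress(src, dst, nat_acl, crypto_acl, nat_ip=NAT_IP):
    """Return (source after NAT, 'encrypted' or 'clear') for one outbound packet."""
    if acl_permits(nat_acl, src, dst):
        src = nat_ip                      # translation happens before the crypto check
    verdict = "encrypted" if acl_permits(crypto_acl, src, dst) else "clear"
    return src, verdict


def tunnel_bypass(flows, nat_acl, crypto_acl):
    """List flows that match the crypto ACL before NAT but leave in the clear."""
    return [(s, d) for s, d in flows
            if acl_permits(crypto_acl, s, d) and egress(s, d, nat_acl, crypto_acl)[1] == "clear"]


FLOWS = [("10.1.1.10", "10.2.2.20"), ("10.1.1.10", "198.51.100.7")]  # constructed

if __name__ == "__main__":
    for name, nat in (("NAT_ALL", NAT_ALL), ("NAT_EXEMPT", NAT_EXEMPT)):
        for s, d in FLOWS:
            print(name, s, "->", d, egress(s, d, nat, CRYPTO_ACL))
        print(name, "bypassing the tunnel:", tunnel_bypass(FLOWS, nat, CRYPTO_ACL))
```

With NAT_ALL the site-to-site flow is translated and misses the crypto ACL; with NAT_EXEMPT it keeps its inside source and is encrypted, while Internet-bound traffic is still translated.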