From: Veronica Timm (veronica@yorku.ca)
Date: Fri Mar 26 2004 - 12:26:40 GMT-3
Loizos,
The problem I have experienced appears to be a 'design feature' to
protect the secure hosts rather than (maybe) a problem per se. Devices
on the outside required tftp from the outside inbound to a protected
server. We discovered later that there were application problems on the
protected server that may have caused the tftp session to hang. This
resulted in the FWSM closing down tftp on the protected interface.
Without knowing more about the FWSM internal architecture I would say:
1) the FWSM took the right action (from a security point of view)
2) the FWSM should have blocked tftp only to the affected server host
rather than the entire interface.
After much troubleshooting a 'clear xlate' restored tftp service on the
FWSM interface. Of course,
a) the affected clients on the interface saw this as a firewall problem.
b) Off hours, I was unable to replicate the (server hung and) tftp problem.
If you encounter this problem, two internal bug numbers to reference
when talking to TAC are:
CSCeb51412 CSCec67252
Veronica Timm
York University
Toronto, Canada
LoizosCisco wrote:
>Veronica,
>
>Thank you for the links. I have seen those. Do you
>have any sample real life configs? Have you experienced
>any problems or do you have any tips?
>
>You can e-mail me at: ylouis2@aol.com
>
>Thank you
>
>Loizos
>CCIE # 10702
>
>
>--- Veronica Timm <veronica@yorku.ca> wrote:
>
>
>>Loizos,
>>Good documentation? I would describe them as fair.
>>I am aware of only one set of FWSM documents which
>>I'm sure you have seen.
>>Does anyone know of any additional documentation?
>>
>>http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_1_1/fwsm112/fwsm112.pdf
>>http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_1_1/fwsm112/bascfg.pdf
>>http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_1_1/fwsm112/advcfg.pdf
>>
>>In FWSM 1.1(2) I was informed by TAC to ignore the
>>'firewall multiple-vlan-interfaces' command.
>>This will be used in a future release.
>>
>>Veronica Timm
>>York University
>>Toronto, Canada
>>
>>
>>
>>
>>LoizosCisco wrote:
>>
>>
>>
>>>Does anyone have any info or configs on the FWSM
>>>modules. I can not find any good documentation on
>>>Cisco web site.
>>>
>>>Thank you
>>>
>>>Loizos
>>>CCIE # 10702
>>>
>>>
>>>--- Chris Larson <CLarson@ossva.com> wrote:
>>>
>>>
>>>
>>>
>>>>It has been some time since I have worked with
>>>>Netscreen, but I have noticed they continually beat
>>>>out competition including Cisco in most firewall
>>>>"shootouts". I am concerned about Juniper now owning
>>>>them as Juniper has no experience in the
>>>>firewall/security market but that is probably
>>>>minor... who knows.
>>>>
>>>>The netscreen is gui through a browser, lacks (or
>>>>did) any good debugging for troubleshooting but is
>>>>very simple. If you understand the basics of
>>>>firewalling and VPN this is very easy to deploy. At
>>>>the time Netscreen was about to introduce the 1000
>>>>that was vlan aware. Of course now so is the FWSM
>>>>but. I think the netscreen is an excellent and easy
>>>>to use product for its pricing that apparently
>>>>outperforms most other firewalls according to
>>>>independent "shootouts".. I would imagine that has
>>>>to do with the design around ASICS rather than a
>>>>processor. Price to performance, you prolly can't
>>>>beat it. Feature wise though it may be lacking....
>>>>
>>>>
>>>>Chris #12380
>>>>
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Wright, Jeremy [mailto:wright@admworld.com]
>>>>
>>>>
>>>> Sent: Wed 3/24/2004 11:35 AM
>>>> To: 'security@groupstudy.com'
>>>> Cc: 'ccielab@groupstudy.com'
>>>> Subject: PIX vs. Netscreen
>>>>
>>>>
>>>>
>>>> Has anyone had experience with both of these
>>>>products? If so, what are the
>>>>advantages/disadvantages of both? Thanks.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *****************************************
>>>> Jeremy Wright
>>>> CCIE# 11168
>>>> Network Engineer
>>>> Archer Daniels Midland
>>>> wright@admworld.com
>>>> (217)451-4063
>>>>
>>>> *****************************************
>>--
>>Veronica Timm
>>Senior Network Specialist
>>Network Operations
>>York University Voice: (416) 736-2100 x.22682
>>Toronto, Ontario Fax: (416) 736-5701
>>Canada. M3J 1P3 Email: veronica@yorku.ca
--
Veronica Timm
Senior Network Specialist
Network Operations
York University    Voice: (416) 736-2100 x.22682
Toronto, Ontario   Fax: (416) 736-5701
Canada. M3J 1P3    Email: veronica@yorku.ca
This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:48 GMT-3