Hi, Yes, In LAN to LAN configuration, NAT-T option is not checked. Regards, Mustafa ... View more

Not at your site, or at least not with the VPN concentrator (you could NAT the traffic with any internal router on your site though). If you want the VPN3000's to do the whole thing then you have to NAT it at the SiteA concentrator, this way when it gets to your site it'll already be 192.168.100.x, which is really no different than the SiteB concentrator NAT'ing it after it arrives. See http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml ... View more

First off, enable CEF, that should help a bit. Second, running BGP should be determining the best route to the destination site, this is not "load-balancing" but it does allow the traffic to take the most efficient route to the destination. Where this isn't very good is if your using a "Tier-1" ISP for one connection and a "Tier 2 or 3" provider for the second. When this happens, all the "paths" to the destination are more efficient on the Tier-1 link. You can even this out a bit by "padding" the link, ie: artificially making the Tier-1 path longer on both the inbound and outbound traffic. The basics of BGP are this. BGP figures out the best route by how many AS's are between you and your destination. ie: it doesn't keep track of the # of hops, just the number of AS's it has to cross to get there. So, with a Tier-1 provider the path to most hosts might be an average of 2 AS's it crosses, while on a Tier 2 it might be 3 or 4, while on a Tier 3 it might be 4 or 5. You need to pad the numbers from the Tier 1 to even out the average lengths a bit more. Check out this message for examples of the outbound, the inbound is the same, but you would need to prepend your neighbors AS # instead... http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1dd665bd/2#selected_message ... View more

DFM admin console->Polling and Thresholds etc., try changing the 'RestartTrapThreshold' to 1. coldstart is a processed trap. so the dfm will display as a generic notification with modified field entries. ... View more

Excellent! top banana! Cheers Tony ... View more

Hi, Currently I'm using the leased line connection, if I change the default gateway to ADSL router, how to configure routemap on ADSL Router? Do you have any example? The PIX's have 6 interfaces and the follow is my setting on each interfaces. outside(e0)-203.117.144.xxx, inside(e1)-192.168.101.xxx, dmz(e2)-192.168.100.xxx, state(e3)-192.168.253.xxx (failover) Should i use the same IP range 203.117.144.xxx for the ADSL link instead of 203.118.40.xxx. From your expertise, what is the better solutions. Thanks & Regards. Lim ... View more

Mismatch of IKE phase II atts(check your ipsec transformset); Also, check the network list to match the exact networks defined on the access-list on the router and the logs of the concentrator. ... View more

As far as my knowledge goes, if the user is authenticated and using the services, during which you reniew his account, inevitably it has to take effect only during next login. This I believe is a security feature. ... View more

the command you needed is: isakmp nat-traversal 20 hope this helps ... View more

The question is: "how many parallel paths?" One or two is going to be fine, but when you get much over two parallel paths between the two MFSCs, I would start using passive interface to cut some of them down. In general, I actually don't recommend putting transit traffic on links with hosts and servers on them, either, but that may not be possible in this case. :-) Russ.W ... View more

Hi, But if there is acl and conduit both in configuration, ACL should check first. Then why in this case it's check conduit, insted of acl? Thanks, Mustafa ... View more

I had a similar problem. In the following you find the answer from the TAC. In my case it works. ==================== Answer from TAC ==================== The Security Monitor database is stored in two files that are located in the ~CSCOpx\MDC\Sybase\Db\IDS subdirectory: idsmdc.db and idsmdc.log. During normal operation, the size of the idsmdc.db file is never reduced. When records are pruned from the database tables, space is made available in the file for additional data, but the file does not become smaller. If the default pruning rules are in place and pruning is occurring, you do not need to reduce the size of the database files. However, in some situations (as, for example, when the default rules are deleted or if the IDS_dbAdminAnalyzer daemon is stopped), these files may grow large, and you will have to reduce their size. The database compact utility provides this function. You will want to run this utility if the idsmdc.db and idsmdc.log files combined exceed your available resources. Next: First trying running idspruning with the option do delete the alarms marked for deletion. Than try to compact the database. Detail description are below. In addition a have put the logging from the try I did in the lab for you below. Prune: Here is a sample to delete all but the last 7 days of events (be aware all data before will be lost): C:\Program Files\CSCOpx\MDC\bin\ids>idspruning -r"syslog,alert,auditlog" -a7 Compact: A utility was added to the IDSMC/SecMon 1.2 release to compact the database. usage: IdsDbCompact [-c dir] [-r] [-u dir] [-v] (If no options are given, the directory that idsmdc.db is in will be used for new database creation and /unload under that will used for database unload. Old database will not be deleted, but renamed to idsmdc.db.orig and idsmdc.log.orig) -c: Directory new database will be created in -r: Remove original database after successful compact -u: Directory database will be unloaded in -v: Verbose output\n To run this utility, the user should follow the below steps. 1. Before running this utility, perform a database backup. 2. CW2000 Daemon Manager must be stopped before IdsDbCompact.exe is run. Run this from a dos prompt. Type: > net stop "CiscoWorks Daemon Manager" 3. After the CW2000 system has stopped, run the IdsDbCompact utility. 4. After completion of the IdsDbCompact.exe utility, restart the CW2000 Daemon Manager. Run this from a dos prompt. Type: > net start "CiscoWorks Daemon Manager" 5. Wait at least 10 minutes after restarting CW2000 to allow all processes to restart. Suggested command lines: If you have space on the disk where idsmdc.db currently exists and you want to compact the database while saving a copy of the old database as idsmdc.db.orig > IdsDbCompact.exe If you have space on the disk where idsmdc.db currently exists and you want to compact the database without saving a copy of the old database: > IdsDbCompact.exe -r If you have little space where idsmdc.db currently resides and don't want to save the current database. This assumes that the database resides on a drive other than c: > IdsDbCompact.exe -r -u "c:\temp\unload" ---------------------------------- Example for the lab I just did for you. C:\Program Files\CSCOpx\MDC\bin\ids>idspruning -r"syslog,alert,auditlog" -a7 ?.. C:\Program Files\CSCOpx\MDC\Sybase\Db\IDS>date The current date is: Tue 11/11/2003 Enter the new date: (mm-dd-yy) C:\Program Files\CSCOpx\MDC\Sybase\Db\IDS>time The current time is: 19:25:57.20 Enter the new time: C:\Program Files\CSCOpx\MDC\Sybase\Db\IDS>dir Volume in drive C has no label. Volume Serial Number is 4859-2450 Directory of C:\Program Files\CSCOpx\MDC\Sybase\Db\IDS 11/11/2003 07:39p . 11/11/2003 07:39p .. 11/11/2003 12:06a AlertPruneData 11/11/2003 07:34p 160,055,296 idsmdc.db 11/11/2003 07:34p 147,259,392 idsmdc.log 2 File(s) 430,800,896 bytes 3 Dir(s) 28,084,457,472 bytes free C:\Program Files\CSCOpx\MDC\Sybase\Db\IDS> C:\Program Files\CSCOpx\MDC\bin\ids>net stop "CiscoWorks Daemon Manager" The CiscoWorks Daemon Manager service is stopping.............................. ........................................... The CiscoWorks Daemon Manager service was stopped successfully. C:\Program Files\CSCOpx\MDC\bin\ids>IdsDbCompact New database will be created in C:\PROGRA~1\CSCOpx\MDC\Sybase\DB\IDS Database will be unloaded in C:\PROGRA~1\CSCOpx\MDC\Sybase\DB\IDS\unload Original database will be renamed to C:\PROGRA~1\CSCOpx\MDC\Sybase\DB\IDS\idsmdc .db.orig If there any files in C:\PROGRA~1\CSCOpx\MDC\Sybase\DB\IDS\unload, they will be deleted! Do you wish to continue(y/n)? y The CiscoWorks Sybase Server service is starting. The CiscoWorks Sybase Server service was started successfully. Adaptive Server Anywhere Initialization Utility Version 7.0.3.2046 Creating system tables Collation sequence: 1252LATIN1 Creating system views Setting permissions on system tables and views Setting option values Loading Java classes Initializing UltraLite deployment option Database "C:\PROGRA~1\CSCOpx\MDC\Sybase\DB\IDS\idsmdc.db" created successfully Starting to load new database Execution time: 181.203 seconds The CiscoWorks Sybase Server service is stopping. The CiscoWorks Sybase Server service was stopped successfully. C:\Program Files\CSCOpx\MDC\bin\ids> C:\Program Files\CSCOpx\MDC\Sybase\Db\IDS>dir Volume in drive C has no label. Volume Serial Number is 4859-2450 Directory of C:\Program Files\CSCOpx\MDC\Sybase\Db\IDS 11/11/2003 07:45p . 11/11/2003 07:45p .. 11/11/2003 12:06a AlertPruneData 11/11/2003 07:45p 150,052,864 idsmdc.db 11/11/2003 07:42p 160,055,296 idsmdc.db.orig 11/11/2003 07:45p 196,608 idsmdc.log 11/11/2003 07:42p 147,259,392 idsmdc.log.orig 4 File(s) 581,050,368 bytes 3 Dir(s) 27,934,208,000 bytes free C:\Program Files\CSCOpx\MDC\bin\ids>net start "CiscoWorks Daemon Manager" The CiscoWorks Daemon Manager service is starting. The CiscoWorks Daemon Manager service was started successfully. wait some minutes (about 10 min) ==================== End ==================== ... View more