Reading IE Online Community

Hi every dubai!
Do you know IE(Internet Expert) Online Community? It  is a place for CCIE candidates to share their information and learn each other. You can discuss all about CCIE topics for free! Sometimes IE CCIE instructors answer your questions. I use it as one of the my study tool to pass lab exam.
I think that CCIE Security Technical section is so cool  for CCIE security candidates, because everyone share the same ploblems. and today i choose some interesting topics from there and write down here.

1. What is "aaa authorization config-commands"
"aaa authorization config-commands" means that you authorize command that are entered in global config, or other parser modes such as route-map mode.  By default only exec level commands, like "show ip int brief" or "enable" would be command authorized.

2.LAN-to-LAN and remote access VPN on the same device
It is possible for you to configure L2L and RA VPN on the same device. but be sure set RA as a lower sequence in crypto-map, otherwise do not work correctly.

3.Cisco ASA and the test regex command
When configuring the ASA to match packets based on regex patterns it can be useful to know if the ASA will even match the pattern you want to configure. The ASA includes the test regex commandto do this.A good example would be blocking instances of root.exe for the Code Red Worm.First you want to create your expression to match “root.exe”
[rR][oO][oO][tT]\.[eE][xX][eE]
Now you can try testing it with the test regex command.
ciscoasa(config)# test regex http://www.me.com/scripts/root.exe/c+dir [rR][oO][oO][tT]\.[eE][xX][eE]
INFO: Regular expression match succeeded.

4.Sig ID
AFAIR signature IDs are the same across all Cisco platforms. DIfference is that not all signatures are available for each platform/software.

5.why can not Rate Limiting with IPS while IPS Network Access Control once working?
Rate limiting is only supported in IOS versions about 12.3.  You can configure it in the IPS but it may not actually configure the router.  Check the show version output on the routers and find one that has a higher version to test the feature on.

6.Can not remove the whole access-list on ASA once configured
In ASA you can not remove the whole access-list with "no access-list xxx" like IOS, but use command "clear configure access-list xxx".


【IEWB-SC-V2　114/100 Labs】

【Cisco Network Security Troubleshooting Handbook　OVER!!!】




  with only 23 days left until lab exam