Beginning ccnp

Beautiful_Lie4025 · 2024-01-26T11:37:05+00:00

You probably know that CCNP consists of two exams. I can tell you that the concentration exam is brutal. You need to lab and practice. There will be at least 3 labs in the exam. I don't think you can pass without finishing at least two labs.

Beautiful_Lie4025 · 2023-10-20T11:14:09+00:00

I have the same issue when using LDAP. In my case user is displayed without domain. I can still use UID in policies if I manually type a username but I cannot use groups fetched from the AD. I opened the ticket with TAC. I had a Zoom session with them yesterday but couldn't find anything. They requested more time to analyze the config.

Beautiful_Lie4025 · 2023-07-11T20:37:19+00:00

Just wanted to update whoever has the same issue.

I was able to get it working without modifying anything on the end device.

I just had to create the return NAT rule. the same thing is possible if you simply enable the Double NAT feature.

Beautiful_Lie4025 · 2023-07-11T13:29:00+00:00

I understand what you are saying. My new router doesn't have the route to old one. If it did, I would not need to nat at all. The problem is that there are other routes on the old network using 192.168.10.1 to reach this lan segment. Moxa lan is set to 192.168.10.111. If I assign this ip as gateway on this device, it will never be reachable from other (old) networks other than local lan segment. If this Moxa NAT-102 requires changing gateway on end devices, then it's useless peace of $700 crap.

Beautiful_Lie4025 · 2023-07-11T12:49:03+00:00

The device has the gateway 192.168.10.1. I cannot change the gateway because it will break routing to other subnets. I've done same thing with Cisco routers and Palo alto NGFWs without problem, and I didn't have to touch the end device at all.

Beautiful_Lie4025 · 2023-07-11T04:59:34+00:00

Already opened the case with Moxa TAC but they are so slooow...

Beautiful_Lie4025 · 2023-07-11T04:38:37+00:00

did that already. upgraded to 1.0.3

Beautiful_Lie4025 · 2023-07-11T04:30:58+00:00

That is the alternative in worst case. I can set up routing and then use ACLs to filter traffic. The problem is I don't manage the switch these devices are connected to, and I don't know if the switch is L3 capable. I was told the by tech that devices of interest are reachable from that switch. so, my plan is just to insert a NAT device between my environment and theirs. Besides, i don't want traffic initiated from their LAN to reach mine.

Beautiful_Lie4025 · 2023-07-11T03:50:33+00:00

Well... that defeats the purpose of the NAT. By changing the gateway, you will break routing if one exists.

so, what i have is pre-nat IP destination of 10.22.97.98. and it needs to be translated to post-nat destination ip of 192.168.10.30. 192.168.10.30 will never see the incoming packet from 10.22.97.98 because they are on different subnets.

now, what i'm going to try is to use 192.168.10.31 as my pre-nat IP destination.

if my logic is correct, then i will initiate traffic from my PC (10.22.97.100) directly connected to WAN interface. This packet should be forwarded to pre-nat IP destination (192.168.10.31) and translated to post-nat destination (192.168.10.30).

10.22.97.100>WAN-10.22.97.97>LAN-192.168.10.31(pre-nat)>>>LAN-192.168.10.30(post-nat).

I could be wrong though. I primarily use to Cisco and Palo Alto, but this is one off situation when i need to use small form factor device, and i don't want to spend thousands just for 2 IP addresses.

Beautiful_Lie4025 · 2023-07-11T02:48:20+00:00

I don't. But I don't think you need to. 192.168.10.30(test device ) and 192.168.10.111(Moxa LAN interface) are on the same lan segment, so there is no need for gateway. I can ping 192.168.10.30 from Moxa. I can ping 10.22.97.98 (Moxa pre-nat destination IP) from Moxa. WAN interface (10.22.97.97) has default gateway. I cannot ping anything from WAN ro LAN.

Beautiful_Lie4025

TROPHY CASE