A bridging firewall (sometimes called a transparent firewall) is a security appliance that does NOT take part in routing. It forwards the packets permitted by its policy at layer 2, between two interfaces in the same IP subnet, so it is not an IP hop: hosts on either side keep their existing default gateway, and the firewall itself has no data-plane IP address that an attacker can target.
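As an added illustration (not configuration from the original post), here is the shape of a transparent-mode configuration on a Cisco ASA (8.4 or later syntax). The addresses, interface names and the single SMTP rule are assumed for the example; note that the only IP address on the box is the BVI used for management, and that no NAT is configured because the firewall is not a hop in the path.

```cisco
! Put the ASA into transparent (bridging) mode; this clears the running config
firewall transparent
!
! Both data interfaces join one bridge group; hosts on each side stay in 192.0.2.0/24
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
!
! Management-only address for the bridge group, in the bridged subnet (assumed)
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! Policy is still stateful and applied per interface, exactly as in routed mode;
! 192.0.2.25 is an assumed mail server on the inside segment
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.25 eq smtp
access-group OUTSIDE_IN in interface outside
!
! Restrict who may reach the management address at all
ssh 192.0.2.0 255.255.255.0 inside
```

Because the BVI is the only addressable part of the appliance, limiting management access to it (the `ssh` line above) is the whole attack surface you have to worry about on the box itself; everything else is policy on traffic passing through.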
Recently I have started with a new approach to failover detection that does not rely on IP SLA on Cisco routers. The problems with IP SLA and route tracking objects are non-trivial. In one particular case I have a customer with a 10 Mb Ethernet feed that goes through a large national carrier. The carrier has a next-hop router in the building, connected by 100 ft or so of Cat5/Cat6. The connection leaves that router and is fiber/SONET all the way to the customer edge routers at the carrier office.
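For reference, and as an added example rather than anything from the post, this is what conventional IP SLA route tracking looks like on IOS, written so that it avoids the most common pitfall in a topology like the one above: probing the carrier's in-building router proves only that 100 ft of copper works, so the probe target should be something beyond the SONET segment, and it must be pinned to the primary path so that the probe cannot succeed via the backup link after a failover. All addresses are assumed.

```cisco
! Probe target beyond the in-building carrier router (assumed; e.g. the carrier's far-side edge)
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track reachability with dampening so one lost echo does not flip the route
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! Pin the probe target to the primary next hop (203.0.113.1, assumed).
! Without this host route the probe would follow the backup default route
! once the primary is withdrawn, the track would come back up, and the
! routes would flap.
ip route 198.51.100.1 255.255.255.255 203.0.113.1
!
! Primary default route follows the track; backup (192.0.2.1, assumed) is floating
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
ip route 0.0.0.0 0.0.0.0 192.0.2.1 250
```

Even with the host route, the check is only as good as the target: if the carrier's far-side device rate-limits or stops answering ICMP, the track goes down while the circuit is fine, which is one of the reasons this approach needs care.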
A Cisco ASA was swapped in for a SonicWall firewall. The ASA had a known-to-be-working config, and outbound NAT was working, but inbound sessions to a mail server that had a 1:1 NAT on a different IP than the outside interface of the firewall were failing. After looking closely we realized about half of the static NATs were working: you could ping the static NAT IP and access TCP services that were allowed via the ACL. In front of the firewall was a managed router; the ISP had restricted all access to the console/telnet/SSH on the router.
BusyBox is a Swiss-army-knife utility that is very useful for system recovery. Recently I had a server with a SCSI backplane issue that caused SCSI drives to "fail" and remove themselves from the kernel. The drives were tested in another server and worked fine, and this was happening with multiple different drives. Before we determined it was the server backplane, though, we were doing a migration of data:
(sdb, sdc) md1: data, virtual servers, databases
Cisco docs state that you can have more than one VTP server in a VTP domain and that updates on one switch will propagate to the other switches and their VLAN configuration.

We have a scenario where two switches that are in different VTP domains need to be migrated so that they are both in the same VTP domain. Will the VLAN information be corrupted when they are joined? What about if the VLAN names and VLAN IDs are manually matched on both switches first?
The switch with the higher configuration revision will overwrite the VLAN configuration of the other.
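A safe way to do the join, added here as an example and not taken from the answer above: the overwrite is decided purely by the configuration revision number, so matching VLAN names and IDs by hand does not protect you. What does is forcing the incoming switch's revision to 0 before it ever sees the target domain. On IOS switches running VTP version 1 or 2, both setting transparent mode and changing the domain name reset the revision to 0. The domain name and password are assumed.

```cisco
! On the switch being moved into the existing domain.
! First, record the current state; the line to watch is "Configuration Revision".
Switch# show vtp status
!
Switch# configure terminal
! Transparent mode detaches the switch from VTP and resets its revision to 0
Switch(config)# vtp mode transparent
! Changing the domain name (assumed name) also resets the revision to 0
Switch(config)# vtp domain PRODDOMAIN
! Use the domain's password (assumed) so an unauthenticated switch cannot advertise into it
Switch(config)# vtp password S3cretVtpKey
! Join as a client so this switch can only receive the domain's VLAN database
Switch(config)# vtp mode client
Switch(config)# end
!
! Confirm the revision is 0 before connecting the trunk; after the trunk comes up,
! the VLAN list should match the existing domain's servers
Switch# show vtp status | include Revision
Switch# show vlan brief
```

The same mechanism is why a forgotten lab switch with a high revision and the right domain name can erase every VLAN in production the moment it is trunked in; a VTP password raises the bar, and leaving switches in transparent mode (or VTP off) where automatic propagation is not actually needed removes the risk. VTP version 3 changes the rules (only the primary server can update the database), so check `show vtp status` for the version in use before relying on the reset behaviour above.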
Two PIXes running 6.3.3 configured for failover, with the config synced.

Upgraded the standby box to 6.3.5 and rebooted. The active box remained active and took down failover, since the OS versions no longer matched (6.3.3 vs 6.3.5).

Then upgraded the active PIX, and when it rebooted the standby took over. When the original active PIX came back up, though, the two PIXes started fighting over which was the active PIX, and the public and inside IPs would switch back and forth between the boxes as they battled to take over.
We have encountered a strange problem sending email to @comcast.net users at several sites running Microsoft Exchange and OpenDNS. No SMTP errors were seen in the logs, other than that the emails stay in the queue, time out, and generate a basic NDR ("unable to contact server").
The customer has two physical circuits: Comcast Business cable with one static IP, and a multi-T1 bundle to Verizon Business. Comcast will be used as the primary egress for internet browsing. Inbound email, web, and RDP services are mapped via static NATs on a Cisco ASA that handles the Verizon connection. The Comcast connection has its own ASA for firewalling. Traffic needs to be sticky (i.e., it must go back out the same firewall it came in on, or else the stateful packet inspection on the ASAs as well as the outbound NATs will break and the traffic will be dropped).
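One way to get that stickiness, added as an example and not the post's own solution, is policy-based routing on the internal router or layer 3 switch that sits behind both ASAs: replies from the servers published through the Verizon ASA are steered back to that ASA by source address, while everything else follows the default route to the Comcast ASA. The host addresses, VLAN and the two ASA inside addresses are assumed.

```cisco
! Servers published by static NAT on the Verizon ASA (assumed addresses)
ip access-list extended PUBLISHED-HOSTS
 remark mail server
 permit ip host 10.0.0.25 any
 remark web server
 permit ip host 10.0.0.80 any
 remark RDP host
 permit ip host 10.0.0.90 any
!
! Anything sourced from those hosts is handed to the Verizon ASA's inside address
! (10.0.0.2, assumed), so the reply leaves through the firewall that built the state
route-map STICKY-EGRESS permit 10
 match ip address PUBLISHED-HOSTS
 set ip next-hop 10.0.0.2
!
! Apply the policy on the interface where the servers' traffic enters the router
interface Vlan10
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map STICKY-EGRESS
!
! Everyone else browses out through the Comcast ASA (10.0.0.3, assumed)
ip route 0.0.0.0 0.0.0.0 10.0.0.3
```

Two caveats. The match is on source address, so all traffic from those servers, including connections they initiate themselves, goes out Verizon, which is usually what you want for a mail server's outbound SMTP anyway. And PBR is not failure-aware by itself: if the Verizon ASA goes down, `set ip next-hop verify-availability` with a tracked object can make the route-map fall through to the default route, but inbound sessions that arrived via Verizon still cannot be rescued, since the NAT state lives on that ASA.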