Hi all,

I got all the ccsa exam of boxxx 1,2,3 test.
which one is best for the real ccsa exam?

Can any passed ccsa exam ppl give their great advice?

I also got the exam-axxxxx 150 Q&A. Can I use exam-axxxxx enough to pass the ccsa exam.

If I study the boxxx 1,2,3 test, It waste my time ma?

Thank you for any advice!!!
send to me kencheng555@yahoo.com

Ken Cheng

Report this post to a moderator

Ken, I feel bad the way that guy stiffed you on your notes!!!

Which version are you studying for?

I dont think any of the sample tests are any good.

The CCSA test is poorly written, and your best bet is the coursware, with my study guide, and some hands on... Forget the practice tests!!!!

I will give you my study guide since you were stiffed on your last deal by that other guy. I usually sell them, but as I have been helped, I will help you as well....

Also feel free to ask me any questions.

Report this post to a moderator

KICKBOXR

Could you fully explain NAT and there modes.
and why use the local.arp directory on NT.

please explain NAT its confussing me thanks




thanks

Report this post to a moderator

Ill try to simplify it real quick...

NAT

Network Address Translation,

think of it as a way to handle the private addresses that a company or yourself may use on your internal network, and allow access to the internet.

With NAT, you can use those private addresses like 192.168.x.x etc, placed behind a NAT system, and the NAT will translate the IP Addresses to usable addresses before sending them out on the internet. In order to keep track of the who from where issues, the NAT system will use different port numbers so the email that one person is trying to get doesnt get mixed up with the Morpheus that another is downloading.

Its really a simple concept, TCP does the same thing, but for its own system, the idea of NAT is to use the same basic structure, but to break down the ports even more to unassigned, or non-"well Known" ports...

Now what are our options with Checkpoint?
Remember CheckPoint is not the only NAT service out there......

With CheckPoint, we have to look at how we want to be represented on the internet or public networks...

If we have a pool of public addresses, we can use that pool to represent a certain range of private addresses. This idea is good for those who will do teleconferencing or other apps that require to know exact IP addresses of origination. This allows you to do so, without exposing the actual IP address of the private network. (Security)

Another option is to let the IP address of the public interface of the NAT machine represent everyone in the private network. (most common). This is for the average user, the majority of your company....

What about our webservers, etc...

Well, those must be represented by static IP addresses, so we can still put them behind the firewall, using NAT, and do a static mapping of a defined public IP address to the web servers private IP address...

NAT will translate the public and the private for both directions....

As far as the Static destination.... Static Source....

Its simple too, think of which way the traffic is going....

Web sercver.... Static destination or source???

Joe the user??? Static destination or static source???

Actually it could be either...
See the destination or Source is when it it translated.. In earlier versions of FW1, it was all done on the server side, meaning routing tables could get big since the packets had to be routed first, then translated... now we can do Static Destination... meaning the packet is translated prior to being routed....

Now the local.ARP

This can be done automatically, and not that you have to do it, we can do static nat without this but requires rebooting the machine.... (Main reason to use the local.arp file)

this creates a virtual interface without assigning the ip address you wish to assign to the internal host. So we look at the steps.

after we create the static map, we create the local.arp file

1. Create a file named 'local.arp' in the $FWDIR\state' directory.
2. Open the file in a text editor and use the following syntax to enter one line into the file followed by [Enter]: <valid IP address of Network Address Translated Host> <MAC address of external interface of Firewall>
3. Save 'local.arp' (ensure it does not have .txt extension).
4. Use fwstop and fwstart to restart the firewall.


(this is quicker than re-booting the machine)

you can also have the local.arp file automatically created as well..

If we dont use the local.arp file.... we would have to go into the TCP/IP settings of our machine, add the ip address physically to the interface, and then reboot.... (you are thinking you dont have to reboot with 2000?? Well, technically yes, but do you want to troubleshoot NAT problems that would be fixed with a reboot of the machine?)

Hope that helped, let me know....

Report this post to a moderator

Thank kickboxr

NAT is much cealer now.

Question: in the rule base were should you put a authentication rule, should it be for the stealth rule or like checpoint say the steaith rule be the first rule in the rule base, in which it should go aftear the stealth rule ?


thank you

Report this post to a moderator

In most cases, it should go before the stealth rule...

Remember, the rules are checked in order. Once the packet achieves one of the rules, the packet is either passed or dropped based upon that rule. There fore, in most cases, if the stealth rule is before the authentication, then there would never be any authentication since the stealth rule would drop the packet.

Report this post to a moderator

thank you kick boxr.


I got CCSA by Examcram, what are your thoughts it seems to me that the question are two easy.

I will also be geting the CCSA study book next week any thoughts ?

You've been a great help its all becoming clear.



thanks
ZARCOFF

Report this post to a moderator

I am not sure about the exam cram... Have not looked at it... But I have heard whispers it was pretty good... My experience with exam cram is it is full of errors... So If you can spot the errors, then I guess you would be ready for the exam... LOL....

There is a new CCSA book coming out. I am hoping it will be full of good informtion. I have mine ordered, even though I dont need it, I would still like to read it. Ill let you know when I get it if its good... It usually takes me a day or two to read those books.

Report this post to a moderator

THANK YOU KICKBOGR

Please let me know what you think off the CCSA study book as i have one on order.


thanks
zarcoff

Report this post to a moderator