501 to 3000 PIX VPN concentrator

I know that a lot of these configs have been covered here and have read a few today. Here's my dilemma.

We have a VPN concentrator in our GOING to Florida. We set up a remote site of contract in another State. The customer is what allows us to place our PIX 501 on their (private) network and out to the internet to return to our VPN concentrator. According to the staff of the company, you have to cross a their corporate firewall. We have assigned a private to our internal ethernet IP address and has assigned a private one for us to use on our external interface on the PIX. The two private investigation periods are in the 192.168.129.x/24 (our inside) and 192.168.96.x/26 (on the outside provided by customer)

Initially, they were to provide a public IP address peer with against our public IP hub. Now, they are unable to do so.

They provided a possible PAT range of public IP addresses to go against, but there is no way of knowing what particular IP peer against. Is it possible to be able to point the VPN concentrator for a range of public IP addresses and hope a peers. I can ping from the PIX coming out to our public address of VPN concentrators. Any help would be appreciated.

We configure ezvpn, however, the problem is that the vpn tunnel can only be activated from the pix not starting from the hub.

Tags: Cisco Security

Similar Questions

  • Recovery of password on the vpn concentrator 3000 4.0 running above

    Hi all

    I looked in the collection of information about a vpn concentrator 3000 for one our clients who have recently begun to support. We have no documentation on the user name or password for the hub:

    The link on cisco http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_password_recovery09186a008009434f.shtml
    tells you how to reset the administrative password. But can someone confirm after doing so, the hub will retain the old configuration, I am very reluctant to do so because we have no documentation anywhere configuration and saw that you can lose it in some of the old pix/switches/routers.

    Thank you very much.

    For what it's worth, I followed this procedure to properly reset the administrator password on a VPN 3000 Concentrator without loss of the active configuration.

  • VPN concentrator + PIX on LAN-> customers can not reach local servers

    Hello

    I have a problem wrt. remote access clients coming via a VPN3000 concentrator and trying to access local servers.

    For the topology:

    The internal network is 10.0.1.0/24. It connects with the outside world, as well as via a PIX DMZ; the PIX has 10.0.1.1 in the internal network.

    On the same LAN (internal), I have the VPN concentrator for the inside address 10.0.1.5. It assigns addresses in the 10.0.100.0/24 range to the

    VPN client-PCs.

    I can sucessfully connect using the VPN client SW to the hub, i.e. remote access clients out addresses

    the 10.0.100.0/24 range.

    The problem: access from VPN clients to internal network is * not * possible; for example, a customer with 10.0.100.1 cannot connect to

    internal to the 10.0.1.28 server.

    To my knowledge, this is a routing problem because the server (10.0.1.28) has no idea on how to reach customers in

    10.0.100.0/24. The only thing that the server is a default static route pointing to the PIX, i.e. 10.0.1.1.

    So I set up a static route on the PIX for 10.0.100.0 pointing to the hub-VPN, that is

    Mylan route 10.0.100.0 255.255.255.0 10.0.1.5 1

    This does not solve my problem though.

    In the PIX logs, I see the entries as follows:

    % 3 PIX-106011: deny entering (no xlate) tcp src trainee: 10.0.1.28 (atlas) / 445 intern dst: 10.0.100.1 (pending) 1064

    The PIX seems to abandon return packages, i.e. traffic from the server back to the client

    To my knowledge, the problem seems to be:

    Short traffic VPN - client-> Concentrator VPN-> Server-> PIX - where it gets moved.

    My reasoning: the PIX only sees the package back, i.e. the package back from the server to the client - and therefore decreasing the

    package because he has not seen the package from the client to the server.

    So here are my questions:

    (o) how do I configure the PIX that I be connectivity between my remote VPN clients (10.0.100.0/24) and

    computers servers on the local network (10.0.1.0/24)?

    (o) someone else you have something like this going?

    PS: Please note that the first obvious idea, installation of static routes on all machines on the local network is not an option here.

    Thank you very much in advance for your help,.

    -ewald

    Hello, PIX the because can not route traffic on the same interface (prior to version 7.0 anyway), I suggest you two places your hub to the outside with the inside of the legs on a zone demilitarized or (if you can not do a makeover of the network) you remove your pool with 10.0.100.0 - addresses and create a pool with 10.0.1.0 - addresses which is a part of the address space. No, NOT all. A little book that it is not used inside.

    Best regards

    Robert Maras

  • Cisco VPN Client behind PIX 515E,-> VPN concentrator

    I'm trying to configure a client as follows:

    The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.

    Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.

    You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?

  • Connection VPN concentrator 3000 problem

    Hi all

    I hope that u all experts will be able to help me through this time thick. Our VPN 3000 Concentrator admin password has been changed by someone in order to reset the password using directly by serial cable, now the problem is it allows me to connect with admin console but not via the web administration or telnet interface. I have activated access telnet and http, but always without success. Concentrator uses the internal database so no AAA server is configured.

    Can someone help me please thanks to this?

    Kind regards

    The console password should be the same as the telnet and HTTP password.

    The problem doesn't seem to be on the password.

    Please check under: Administration--> access--> access control list--> and check if your IP is in the list. If this isn't the case, please add your IP address/subnet to the list for you HTTP access to the VPN concentrator.

  • A PIX-to-PIX VPN can allow traffic in only one direction?

    Here is the configuration of the PIX 501 that accepts incoming VPN tunnels of the other PIX dynamic-ip.  Everything works very well, allowing traffic to flow both ways after that the tunnel rises.  But then I somehow limit or prevent the traffic that originates on the PIX (192.168.27.2) to go to other networks of PIX?  In other words, if a tunnel exists (192.168.3.0 to 192.168.27.0), I only want to allow network traffic to access the network 27.0 3.0, and I want to anyone on the network 27.0 access network 3.0.

    Thanks for any comments.

    pixfirewall # sh conf
    : Saved
    : Written by enable_15 at 13:29:50.396 UTC Saturday, July 3, 2010
    6.3 (4) version PIX
    interface ethernet0 car
    interface ethernet1 100full
    ethernet0 nameif outside security0
    nameif ethernet1 inside the security100
    activate the encrypted password
    encrypted passwd
    pixfirewall hostname
    .com domain name
    fixup protocol dns-maximum length 4096
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol they 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol 2000 skinny
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names of
    access-list 101 permit ip 192.168.27.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 102 permit ip 192.168.27.0 255.255.255.0 10.10.0.0 255.255.0.0
    access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0
    pager lines 24
    ICMP deny everything outside
    Outside 1500 MTU
    Within 1500 MTU
    IP address outside xxx.xxx.xxx.248 255.255.255.255
    IP address inside 192.168.27.2 255.255.255.0
    alarm action IP verification of information
    alarm action attack IP audit
    IP local pool ippool 10.10.10.1 - 10.10.10.254
    PDM logging 100 information
    history of PDM activate
    ARP timeout 14400
    NAT (inside) - 0 102 access list
    Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
    Timeout xlate 0:05:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
    Timeout, uauth 0:05:00 absolute
    GANYMEDE + Protocol Ganymede + AAA-server
    AAA-server GANYMEDE + 3 max-failed-attempts
    AAA-server GANYMEDE + deadtime 10
    RADIUS Protocol RADIUS AAA server
    AAA-server RADIUS 3 max-failed-attempts
    AAA-RADIUS deadtime 10 Server
    AAA-server local LOCAL Protocol
    No snmp server location
    No snmp Server contact
    SNMP-Server Community public
    No trap to activate snmp Server
    enable floodguard
    Permitted connection ipsec sysopt
    Crypto ipsec transform-set esp - esp-md5-hmac gvnset
    Crypto-map dynamic dynmap 10 transform-set gvnset
    gvnmap 10 card crypto ipsec-isakmp dynamic dynmap
    gvnmap interface card crypto outside
    ISAKMP allows outside
    ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
    ISAKMP identity address
    ISAKMP keepalive 60
    ISAKMP nat-traversal 20
    part of pre authentication ISAKMP policy 9
    encryption of ISAKMP policy 9
    ISAKMP policy 9 md5 hash
    9 2 ISAKMP policy group
    ISAKMP policy 9 life 86400
    vpngroup address ippool pool gvnclient
    vpngroup dns 192.168.27.1 Server gvnclient
    vpngroup gvnclient wins server - 192.168.27.1
    vpngroup gvnclient by default-domain '.com'
    vpngroup split tunnel 101 gvnclient
    vpngroup idle 1800 gvnclient-time
    vpngroup password gvnclient *.
    Telnet 0.0.0.0 0.0.0.0 inside
    Telnet timeout 30
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 30
    management-access inside
    Console timeout 0
    Terminal width 80
    Cryptochecksum:
    pixfirewall #.

    Of course, without a doubt capable.

    You can configure the inside interface access list to deny traffic from 192.168.27.0/24 to 192.168.3.0/24, and then allow anything else.

    Example:

    access list for the Interior-acl deny ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0

    the Interior-acl ip access list allow a whole

    group-access Interior-acl in the interface inside

    Hope that helps.

  • Ports open VPN concentrator

    I'm running the port scan (Angry IP Scanner) against VPN concentrator. Sometimes it shows the port as open 21. I have disabled ftp under "Management protocols" sometimes it shows the port 389 & 1002 as open. What wrong with my VPN concentrator?

    I activated only IPSEC protocol Tunneling.

    When I run the scan of port which ports are should be included amongst them open?

    Thank you

    Hello avilt,

    VCA means Cluster Virtual Agent. This is used mainly when the VPN 3000 pair is configured for load balancing,... when doing so cells communicate with each other on VCA and we must normally allow this on the filters...

    My question is, u have allowed this filter on the public interface? you see the ports via the VPN concentrator or you make a sweep WILL and see these ports (such as FTP) to be opened on the VPN concentrator?

    REDA

  • Failover with VPN concentrator

    Hi all

    We have unique VPN concentrator which is the single point of failure, so need your help to mitigate the same

    The topology diagram is attached

    Site A and Site B.

    Site B has internet gateways where we have existing VPN.

    The intention to introduce the site A & Concentrator VPN gateway VPN is set as well

    Our design is provided for in

    Connectivity between the two locations & other office is managed by BGP.

    Default route is pointing at the Internet gateway.

    Info by the Internet Segment.

    ·         We have the SP independent IP range

    ·         Switching between 2 SP to site B is obtained by using the iBGP and eBGP

    Challenge: VPN concentrator single Point of failure (the Cisco VPN concentrator 3000)

    Here are the design goals

    ·         Implement internet gateways to the Site - A which will have redundancy level of Portal Site

    ·         Place on the VPN concentrator, which will act as a switch between site

    o If the concentrator vpn site B is out of box A VPN site must support all traffic.

    Concentrator VPN active o replica of Site B

    Is it possible to achieve the objectives of design.

    Please help about the VPN concentrator... How I can set VPN concentrator in failover mode... Just as we do firewalls?

    Help, please

    Hi yogesh,

    Concentrator VPN supports failover through VRRP. Please find the following for your reference document:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094490.shtml

    As for the addition of failover for VPN concentrator, you happen to have a spare hub VPN to run VRRP?

    Don't know if you know, however, VPN concentrator comes end of life and the last delivery date was November 2007, as a result, you will not be able to buy VPN concentrator more.

    Here's the EOL notificatin for your reference:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

  • aid required for the image backup vpn concentrator

    Hi, I am unable to download the vpn concentrator ios image to the tftp server. is someone can pls tell me what is the procedure for that. I can't find good documentation on it. pls help someone.

    concerning

    Assane

    Assane,

    You try to save the image of the hub to the VPN concentrator. Like the 4.7.2.D or the version E or F of the code. If this is the case, it is not possible to copy the image file from the hub to the tftp server.

    You must download the CEC file.

    He had an answer to your question earlier, but it pointed you on how to make a backup of your CONFIGURATION file.

    If this answers your question, feel free to write it down.

  • Simple PIX PIX VPN issues

    I'm trying to implement a simple PIX PIX VPN using the simple PIX - PIX VPN documentation for the sample config page. I have a lot of VPN tunnels with other very happy other PIX devices so it's quite annoying. Anyway, on the source PIX config is as follows:-

    access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0

    access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0

    NAT (phoenix_private) 0-access list 101

    Permitted connection ipsec sysopt

    No sysopt route dnat

    Crypto ipsec transform-set esp - esp-md5-hmac chevelle

    ntlink 1 ipsec-isakmp crypto map

    1 ipsec-isakmp crypto map TransAm

    correspondence address 1 card crypto transam 101

    card crypto transam 1 set peer 172.18.126.233

    card crypto transam 1 transform-set chevelle

    interface inside crypto map transam

    ISAKMP allows inside

    ISAKMP key * address 172.18.126.233 netmask 255.255.255.255

    ISAKMP identity address

    part of pre authentication ISAKMP policy 1

    of ISAKMP policy 1 encryption

    ISAKMP policy 1 md5 hash

    1 1 ISAKMP policy group

    ISAKMP policy 1 lifetime 1000

    and if I generate the traffic logs show this: -.

    9 August 18:40:15 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

    9 August 18:40:17 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

    9 August 18:40:18 10.60.6.247% PIX-3-305005: no group of translation not found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

    9 August 18:40:18 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

    9 August 18:40:19 10.60.6.247% PIX-3-305005: no group of translation not found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

    No isakmp and ipsec debugging message appears, but you who wait that the PIX does not even link the traffic with the access list or a NAT.

    I do something obviously stupid, can someone tell me what it is, thank you.

    Jon.

    Hello

    1. you create a second access as list:

    outside_cryptomap ip 172.18.138.0 access list allow 255.255.255.0 172.18.133.0 255.255.255.0

    and

    2. instead of

    correspondence address 1 card crypto transam 101

    You must configure

    card crypto transam 1 match address outside_cryptomap

    the problem is that you configure an ACL for nat and crypto - that does not work

    concerning

    Alex

  • Configuration file for the VPN concentrator

    Hello

    I have a text-based VPN concentrator configuration file, and I want to know if there is a configuration guide of Concentrator VPN that I can use to refer to this file. The configuration on cisco.com guide is currently for the GUI based configuration.

    Furthermore, if there is a tool/utility that will read the configuration file in the format GUI without physical access to the device, which will also help.

    Thanks in advance for any assistance.

    There is a "XML export screen" in the management section of the files on the VPN concentrator. You can export the current configuration of the concentrator in a XML format, which provides the labels and values for the fields in the configuration file.

    http://www.Cisco.com/en/us/docs/security/vpn3000/vpn3000_47/Administration/Guide/Fileman.html#wpxref53361

  • problem of traffic flow with tunnel created the network with a tunnel to a VPN concentrator

    Hi, I worked with Cisco and the seller for 2 weeks on this.II am hoping that what we are witnessing will ring a Bell with someone.

    Some basic information:

    I work at a seller who needs from one site to the other tunnel.  There are currently 1 site to another with the seller using a Juniper SSG, which works without incident in my system.  I'm transitioning to routers Cisco 2811 and put in place a new tunnel with the seller for the 2800 uses a different public ip address in my address range.  So my network has 2 tunnels with the provider that uses a Cisco VPN concentrator.  The hosts behind the tunnel use 20x.x.x.x public IP addresses.

    My Cisco router will create a tunnel, but I can't not to hosts on the network of the provider through the Cisco 2811, but I can't get through the tunnel of Juniper.  The seller sees my packages and provider host meets them and sends them to the tunnel.  They never reach the external interface on my Cisco router.

    I'm from the external interface so that my endpoint and the peers are the same IP address.  (note, I tried to do a static NAT and have an address of tunnel and my different host to the same result.)  Cisco has confirmed that I do have 2 addresses different and this configuration was a success with the creation of another successful tunnels toa different network.)

    I tested this configuration on a network of transit area before moving the router to the production network and my Cisco 2811 has managed to create the tunnel and ping the inside host.  Once we moved the router at camp, we can no longer ping on the host behind the seller tunnel.   The seller assured me that the tunnel setting is exactly the same, and he sees his host to send traffic to the tunnel.  The seller seems well versed with the VPN concentrator and manages connections for many customers successfully.

    The seller has a second VPN concentrator on a separate network and I can connect to this VPN concentrator with success of the Cisco 2811 who is having problems with the hub, which has also a tunnel with Gin.

    Here is what we have done so far:

    (1) confirm the config with the help of Cisco 2811.  The tunnel is up.  SH cyrpto ipa wristwatch tunnel upward.
    (2) turn on Nat - T side of the tunnel VPN landscapers
    (3) confirm that the traffic flows properly a tunnel on another network (which would indicate that the Cisco config is ok)
    (4) successfully, tunnel and reach a different configuration hosting
    (5) to confirm all the settings of tunnel with the seller
    (6) the seller confirmed that his side host has no way and that it points to the default gateway
    (7) to rebuild the tunnel from scratch
    8) confirm with our ISP that no way divert traffic elsewhere.  My gateway lSP sees my directly connected external address.
    (9) confirm that the ACL matches with the seller
    (10) I can't get the Juniper because he is in production and in constant use

    Is there a known issue with the help of a VPN concentrator to connect to 2 tunnels on the same 28 network range?

    Options or ideas are welcome.  I had countless sessions with Cisco webex, but do not have access to the hub of the seller.  I can forward suggestions.

    Here's a code

    crypto ISAKMP policy 1
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 2
    BA 3des
    preshared authentication
    Group 2

    Crypto ipsec transform-set mytrans aes - esp esp-sha-hmac

    Crypto-map dynamic dynmap 30
    Set transform-set RIGHT

    ISAKMP crypto key address No.-xauth

    interface FastEthernet0/0
    Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE $ 0/0
    IP 255.255.255.240
    IP access-group 107 to
    IP access-group out 106
    NAT outside IP
    IP virtual-reassembly
    route IP cache flow
    automatic duplex
    automatic speed
    crypto mymap map

    logging of access lists (applied outside to get an idea of what will happen.  No esp traffic happens, he has never hits)

    allowed access list 106 esp host host newspaper
    106 ip access list allow a whole
    allowed access list 107 esp host host Journal
    access-list 107 permit ip host host Journal

    access-list 107 permit ip host host Journal
    107 ip access list allow a whole

    Crypto isa HS her
    IPv4 Crypto ISAKMP Security Association
    status of DST CBC State conn-id slot
      QM_IDLE ASSETS 0 1010

    "Mymap" ipsec-isakmp crypto map 1
    Peer =.
    Extend the 116 IP access list
    access - list 116 permit ip host host (which is a public IP address))
    Current counterpart:
    Life safety association: 4608000 kilobytes / 2800 seconds
    PFS (Y/N): N
    Transform sets = {}
    myTrans,
    }

    OK - so I have messed around the lab for 20 minutes and came up with the below (ip are IP test:-)

    (4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix length 30 <> it comes to the new address of NAT

    !
    (1) ip nat inside source list 102 interface FastEthernet0/0 overload <> it comes to the interface by default NAT

    !
    IP nat inside source map route overload of crypto-nat of crypto-nat pool <> it is the policy of the NAT function

    !

    (6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> defines the IP source and destination traffic

    !

    (2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> does not NAT the normal communication

    (3) access-list 102 deny ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> does not re - NAT NAT

    (1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <> allows everyone else to use the IP Address of the interface for NAT

    !

    (5) crypto-nat route-map permit 5 <> condition for the specific required NAT
    corresponds to the IP 101 <> game of traffic source and destination IP must be NAT'td

    (7) access list 103 permit ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> crypto acl

    Then, how the works above, when a package with the what IP 172.16.1.0/24 source wants to leave the router to connect to google, say the source will change to IP interface (1).  When 172.16.1.0/24 wants to talk to172.16.2.0/24, it does not get translated (2).  When the remote end traffic equaled the following clause of NAT - the already NAT'td IP will not be affected again (3) when a host 172.16.1.0/24 wants to communicate with 172.16.2.20/24 we need a NAT NAT specific pool is required (4).  We must define a method of specific traffic to apply the NAT with a roadmap (5) which applies only when the specific traffic (6), then simply define the interesting traffic to the VPN to initiate and enable comms (7) corresponding

  • 3015 VPN concentrator Version help

    The 3015 comes not only as no redundant hw together? If not, how do I know which version I have?

    I don't have the CD of VPN client supplied with the appliance, can it be downloaded or bought?

    Thanks for any help.

    Jeff

    The 3015 comes with no card encryption HW (SEPs). This is the same chassis as the 3030, 3060 and 3080, the only difference between the models is the memoy in the box and how many MS and feeds they included. The 3015 allows you to upgrade to a more powerful area by simple addition of MS, but as is, it's basically empty.

    The client code and the VPN concentrator here are downloadable from EAC:

    http://www.Cisco.com/Kobayashi/SW-Center/SW-VPN.shtml

    You will need a CCO login that has access to this page.

  • BW policy on VPN concentrator

    I've got a 3030 VPN concentrator with 4.0.1 B. I OS release have implemented a policy of BW for the VPN site - to many. Is it possible to check/see if the policy is applied (for example, deleted if traffic over the limit)?

    Thank you, Meg

    Monitoring - statistics - bandwidth Mgmt should give you some details.

  • Download the firmware from the 3030 VPN concentrator?

    Hello

    I would like to download a newer firmware our vpn concentrator but wish to download a copy of the old firmware. Is this possible and how can I do? It seems that the only option is to download, as well as a fall on a document that indicate how to go back but still doesn't explain not how can I get a copy of the old firmware. Thank you

    I think that Cisco pulls some of the older minor revisions out of the web for major versions when the image becomes a bit old. 3.5 (3), you should be fine with 3.6 (which is available for download). You cannot copy the picture from the hub as far as I know.

Maybe you are looking for