Allowing ICMP and Telnet via a PIX 525

Similar Questions

• PIX 525 config and VPN configuration

  Hello

  I was asked to work on a customer request to replave sound no cisco FW with a pix 525 and also lead to a VPN solution using this PIX 525.

  I'm not a FW as my main experience is with Routing/Switching, but I have read some documentation and had some hands on a client of vpn300 501 PIX and cisco.  I managed to make it appear the vpn connection, even if all tests have failed (you need to solve any further).

  Customer has its main site with an application that runs on a Web server that must be accessed only through the vpn to: 3rd party + a few remote users.

  The solution, I want to propose to the client is:

  option 1:

  PIX 525 as a vpn server + Cisco vpn 3000 client on all PCs of remote users.

  option 2:

  PIX 525 as a vpn server + vpn client windows on all PCs of remote users

  option 3:

  PIX 525 as vpn + PIX 501 to 3 rd party server + vpn client windows on all PCs of remote users

  First I want to confirm that these motions are feasible.  So which option should I go for knowing that the remote users are only about 10.

  Client doesn't no Ganymede or RADIUS should go for statis userid/pass set up on PIX525?

  Any idea, advice, suggestion is welcome.  Thanks in advance

  Kind regards

  ngtelecom

  Hello

  Option 1

  In my opinion, is the best solution because the PIX 525 will act as a firewall and the VPN server.

  Then, all the clients connect via VPN using Cisco's VPN IPsec client software.

  Option 2

  The advantage of this option is that you do not need to install VPN software on clients (not a problem, only 10 clients)

  The problem is that it does not come with split tunneling and don't provide as good protection as Cisco software.

  Option 3

  This is also valid, and you can do an EasyVPN connection where the 525 is the server and the 501 to the customer.

  Local authentication on the PIX 525 sounds great.

  As a recommendation, the PIX are EoS and the replacement are the ASAs.

  It will be useful.

  Federico.

• Q for PIX-525 spec (failover FE) and the GBIC

  Qestion for PIX-525 spec.

  1 PIX-525-UR-GE-BUN(2GE + 2FE). I want to use 2GE as inside and outside interface and failover FE. I found a doc who must use the GE model 535 failover. Is it supports statefull failover FE model 525?

  2 PIX-1GE-66 map PIX 525, is the built in card GBIC interface, or do I module GBIC order (ex, WS-G5484) to put into the card?

  Thank you

  1. the restriction on the use of a dynamic rollover interface that corresponds to the fastest interface on the PIX is the PIX 535. The PIX 525 cannot switch the line traffic GE rate if this restriction is lifted on the 525 platform. You can use a link FE on a PIX 525 as the dynamic link even if you have GE links as other interfaces.

  2. the GE on the PIX interface card contains a multimode SC connector. No GBIC not necessary... just of cables.

  I hope this helps.

  Scott

• VPN site to site Pix 525 ver7.2 (2) and Pix 501 ver 6.3

  Hello!!

  I have problems to establish a vpn between two pix.

  The first pix 525 a version 7.2 (2) an another Pix version 6.3 has this it is not run by myself.

  The fixed phase 1 but send the associated messages

  can help me

  Thank you

  I'm glad you got it working now :)

  Please evaluate the useful messages.

  Concerning

  Farrukh

• Allowing connections incoming www by cisco pix

  It's really driving me crazy - I scoured the internet for suggestions and actually found several people who have had the same problem and found a solution that works. Doesn't seem to work for me if! I'm trying to allow any external IP address access on a web server that reside behind the firewall.

  Since it seems to be a fairly common thing, I'll post my current setup.

  6.3 (1) version PIX

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the password * encrypted

  passwd * encrypted

  phoenix host name

  domain ciscopix.com

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol they 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  names of

  outside_access_in list access permit icmp any any echo response

  outside_access_in list all permitted access all unreachable icmp

  access-list outside_access_in allow icmp all once exceed

  outside_access_in list access permit tcp any any eq www

  pager lines 24

  opening of session

  timestamp of the record

  logging trap warnings

  host of logging inside the 192.168.252.86

  ICMP allow any inside

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside 213.254.xxx.xxx 255.255.255.240

  IP address inside 192.168.252.41 255.255.255.0

  IP verify reverse path inside interface

  alarm action IP verification of information

  alarm action attack IP audit

  location of PDM 192.168.252.69 255.255.255.255 inside

  location of PDM 0.0.0.0 255.255.255.255 inside

  location of PDM 0.0.0.0 255.255.255.255 outside

  location of PDM 192.168.252.71 255.255.255.255 inside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  public static tcp (indoor, outdoor) interface www 192.168.252.71 www netmask 255.255.255.255 0 0

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 213.254.xxx.xxx 1

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  Enable http server

  http 192.168.252.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Telnet 192.168.252.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.252.42 - 192.168.252.169 inside

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd outside auto_config

  Terminal width 80

  Cryptochecksum:XXXXXXXXX

  Any advide would be much appreciated!

  These log messages mean that we have never seen a SYN - ACK the server return the PIX so we tore the connection "semi-open" based on the time-out settings. Suggestions:

  (1) make sure the WWW daemon on your server is started and connections TCP/80 ending. You are able to access this server from inside the PIX?

  (2) make sure that the default gateway on the server is pointing to the IP address of the PIX inside.

  Scott

• Card crypto controls lock-up PIX 525

  Does anyone know why my PIX 525 crashes when I apply my a cryptomap both command line? I first apply the following ACL. But when I try to apply the first line of cryptomap my PIX locks and I have to restart... Any help would be greatly appreciated >

  permit access ip xx.xx.0.0 255.192.0.0 list XXXXXtunnel xx.xx.18.0 255.255.255.0

  access-list allowed sheep xx.xx.0.0 xx.xx.xx.0 255.255.255.0 xx.xx.0.0 ip

  allowed to access-list acl-inner ip xx.xx.0.0 xx.xx.0.0 xx.xx.xx.0 xx.xx.xx.0

  xxx_map 157 ipsec-isakmp crypto map

  card crypto xxx_map 157 correspondence address xxx-tunnel

  card crypto xxx_map 157 counterpart set xx.4.xx.xx

  card crypto xxx_map 157 transform-set xxx_set

  Hello

  I came across this problem when there are other entries already exist under the same crypto map, and are already applied to an interface.

  I found that by denying first crypto map interface command, change the config and re - apply the interface command then it will work very well.

  So...

  (1) no xxx_map interface card crypto outside

  (2) place the lines of crypto map configuration

  (3) interface xxx_map crypto map out

  Of course, you will lose the existing tunnels if some already set up but then this happens if you reboot anyway!

  It may be useful

• interface maximum pix 525

  Hi all

  a question about the PIX-525-UR, the brochure said two 10/100 Fast Ethernet on board and the support of the Gigabit Ethernet, up to eight 10/100 FE or three interfaces Ethernet Gigabit.

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/hig63/525.htm

  I understand that we got 3 PCI ports and 2 10/100 onboard, but research on the above page

  i've got on the Options of unrestricted Interface

  2 4 - port FE, which makes a total of 10 interface.

  How can it be possible? It allows to disable two interface?

  Then I saw on the forum that the 525 supports a GigE interface (but not at full speed) and that about 1 to 4 FE + 2 GE ports?

  What limitation?

  Thank you

  Patrizio

  Q. did you means 'You may 8 interfaces to the maximum on the 525 UR'? (10-total 2 off = 8)

  A. that's correct. A 525 UR lights only 8 interfaces in the software. If you add two 4 ports, the last 2 ports on the 2nd map cards will be disabled.

  Q. I wondering what kind of constraint on the interface, GigE, example not at full speed, what it means?

  A. GigE interface on the PIX runs at full rate. What is meant when people say that a 525 is not a true firewall in concert, it's that the 525 has a flow of about 330 MB/s max, which is clearer than a concert. The 535 is a true firewall in concert because it has a flow of more than 1000 MB/s.

  Two interfaces Gig is supported on the 525 and both support the full power of concert on the map. However, there will be delays in passing the packets to the CPU if the PIX is trying to pass more than 330 MB/s or more.

  Make a little more sense?

  Scott

• Telnet to the PIX from the outside

  I tried the task through several suggestions.

  None of which worked. My last try was using this link.

  http://www.Cisco.com/en/us/customer/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080089bd6.html

  PIX VPN client works fine however I am still unable to telnet to the PIX.

  In addition, the document speaks of configuration on the client.

  Step 3 in the VPN client, create a security policy that specifies the IP address of the remote party identity and IP gateway under the same IP address IP address of the external interface of the PIX firewall. In this example, the IP address of the PIX firewall outside is 168.20.1.5.

  I see there is only one place to put an IP address on the client. There is no place on the client to a gateway address. I tried to change my gateway machine and it still does not work.

  Does anyone have a config to work on how to Telnet to a PIX from the outside?

  The step that you are referencing is for users who use the old client VPN CiscoSecure. Do you really use that? I'm guessing that you are actually using the VPN client 3000, in which case you just have:

  (1) an acl of encryption that allows the traffic of your address has been assigned outside the pix

  (2) a statement of telnet that allows telnet address assigned from outside

  i.e.

  no_nat of ip host 200.1.1.1 access list permit 10.1.1.100

  Telnet 10.1.1.100 255.255.255.255 outside

  HTH

  Jeff

• Telnet Session 506th PIX

  I have a problem with my 506th Pix: I can not connect by telnet session. Y at - it an option to reactivate PDM?

  Thks

  Yes, there is a way to access Telnet via - PDM

  Cofniguration-> system-> Administration properties-> Telnet

  Here you can add the host IPs you can telnet and specify the interface where these customers.

  Note: You cannot telnet to the outside interface security PIX firewall / low level.

  Kind regards

  Maryse.

• Balancing on two PIX 525

  I'm creating network solution that will have two firewalls Pix 525 related to two different suppliers. For performance reasons, I'd like my clients to connect to Internet via two firewalls in "round robin" mode. What are my options?

  I want to create something like bridge load Protocol (GLBP) Balancing on the router 2800 series. I do not know and cannot know if Pix supports GLBP. Otherwise, are supported by any similar solution?

  Thanks for any response.

  Hello Milos,

  I have another solution for you for 2 ISP requirement of OER (optimized for Edge sending). Here is the link that will show the multiple scenarios and functionality.

  http://www.Cisco.com/en/us/products/ps6599/products_data_sheet0900aecd801dfcec.html

  If you find good, then you can run your firewall in failover mode, behind the router master REL for reasons of security, but not for purposes of routing.

  2nd solution could be to ACB with multiple tracking Options:

  http://www.Cisco.com/en/us/Tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

  In the 2nd solution also, you can use PIX behind the router in for regular security to security policies.

  3rd solution: you can use 2 2800 routers and terminate ISP links on both of them and run GLBP between them.

  Here are the PIX balancing g. load balancing is supported in PIX 7.0 from only:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a008054c4b7.html#wp1102712

  concerning

  Michael C

• How can I change text size and point via the command prompt?

  I want to create a script that will allow me to easily change to or from my TV to my monitor. I know how to change the display, but I don't know how I can change the size of text and point via the command prompt (that is, from 100% to 150%). Does anyone know how?

  Unfortunately, you can not.  In addition, change the DPI requires reboot (or logout and back).  But you can apply a different theme, that you can call from the command just by opening the .themepack file.  Since themes can control the size of some elements of the police who might do the trick you are looking for.

• Problems with VPN PIX 525 Lan-to-Lan Cisco 2610XM

  Hello world

  I have a VPN with PIX 525 versi problems? n 7.2 (1) and Cisco 2610XM Version 12.3 (18). When start the PIX, all tunnels works well, but 6-7 days, some of the tunnels do not work properly. Traffic passes the tunnel with some networks, but not with all networks. Sometimes the tunnel descends and it is imposible to go upward.

  Attach them files are the "debug crypto isakmp" in both devices.

  Thank you and sorry for my bad English

  If your configuration of the tunnel on router 7500 series, the tunnel interface are not supported for politicians to service in the tunnel interfaces on 7500

• Check the process of cpu on a Pix 525 Version 7.2 (2)

  Hi all,

  A few hours ago I got a high CPU usage on my Pix 525 Version 7.2 (2), I wanted to check what process was taking all the CPU, but I noticed that there is no command "show processes".

  I was able to see the percentage of CPU utilization (cpu, CPU utilization show show) but not the list of processes, does anyone know how can I check this?

  Thanks in advance for your help.

  Hi Alfonso,.

  There should be a command "show processes" in 7.2 (2). Make sure you have the appropriate permissions to use this command.

  There's even a command 'show proc cpu-hog' who will show you the last three albums CPU hogging deals, and when they were last hogging CPU:

  Pix525/pri/law # sh proc cpu-hog

  Process: Unit, shipping NUMHOG: 2, MAXHOG: 7158, LASTHOG: 110

  LASTHOG at: 19:38:57 EDT April 3, 2009

  PC: 113a4b

  Traceback: 1154a 0 1123f0

  Process: this / console, NUMHOG: 2, MAXHOG: 330, LASTHOG: 320

  LASTHOG at: 11:53:57 EDT July 18, 2007

  PC: fe809d

  Traceback: 1008 has 51 10087 1007ee3 has 6 100ae4f 1021716 10216d 3 102142a

  101d0dd 100 c 149 100bee3 100bcb4 ffe27a febbb4 1006b 26

  Process: ssh, NUMHOG: 8, MAXHOG: 238, LASTHOG: 230

  LASTHOG in: 02:00:37 EDT April 27, 2009

  PC: 100a 720

  Traceback: 10087f6 100ae4f 102166a 102142 has 101d0dd 100 c 149 100bee3

  100bcb4 ffe27a febbb4 10069e5 ff8806 fea054 1006b 26

• With RW on PIX 525 SNMP community

  I'm trying to configure SNMP on PIX 525 and Solarwinds use tool to download the config. When I try to download the config it tells me that the community string has read only rights. Y at - it give a way RW in PIX as in routers?

  Thank you

  Gilbert

  For free, you can use Kiwi CatTools. You give names of username/password and it can connect to any Cisco device and upload the config. It can even create reports of diff on configs. Alternatively, you can provide a set of commands that you want to connect to devices provided and run it. It is in the same people doing the often preferred Kiwi Syslogd.

• PIX 525 level v6.0 to v6.2 (1) or v6.2 (2)?

  I've upgraded the code on all our PIX.

  I was moving to code 6.2 for adding features and the ability to update of PDM to support the consolidation and VPN.

  Most firewalls are 515 s but I have a pair of 525 s 6.0 running (1).

  Open caveats for 6.2 (2) are... CSCdx89579 PIX 525 crashes intermittently.

  The release notes for the 6.2 (1) the earlier version is not a caveat to 525 breaks down.

  My question:

  That caveat introduced in 6.2 (2) or simply not found in 6.2 (1)? If it was introduced in 6.2 (2) at least I can set it to 6.2 (1) for this pair. No one knows how many times and in what circumstances this happens?

  Thank you

  Scot

  This bug is seen only in a failover pair, and even in this case only when say a person is a "write pending" on a PIX and someone else makes a "write mem" on the other. Basically when two orders are executed at the same time, it * may * happen. Very rare, given that a single customer by the look of it.

  This bug is also in point 6.1, in fact it has been discovered in this code, which is why it appears in the notes of 6.2 version. In fact, he is also fixed in 6.0 code, which means that the bug was, it's just that no one has been to her then.

  It was fixed and integrated in some draft versions of the code, no versions of release. You can open a TAC case if you wish and ask for one of these versions (they will be able to look to the high no problem as long as you give them the ID of the bug). Of course then you will run draft code, it's up to you if you want to do it or not.