Allowing ICMP and Telnet via a PIX 525
We are trying to build a new distribution block onto our backbone WAN. We are experiencing a problem establishing ICMP and Telnet through the PIX. The following is known:
1. Ping and telnet from the PIX to the 6509 and the internal network work fine.
2. Ping from the PIX to the 7206 works just fine.
3. A normal debug on the PIX shows activity for ICMP connections from the 6509 and the internal network; however, the debug shows nothing (no activity) during attempts to ping a.b.5.18 (see below).
In short, all connections seem to be fine between the three devices; however, we cannot get ICMP and Telnet to work correctly through the PIX.
The layout is:
6509 (MSFC) ---- PIX 525 ---- 7206
IP:        a.b.5.1           a.b.5.2 (inside) / a.b.5.17 (outside)   a.b.5.18
Mask:      255.255.255.0     255.255.255.240 (both)                   255.255.255.240
Networks:  a.b.5.0 255.255.255.240 (inside) and a.b.5.16 255.255.255.240 (outside)
6509:
interface VlanX
 description newwan-bb
 ip address a.b.5.1 255.255.255.0
 no ip redirects
router ospf
 log-adjacency-changes
 redistribute static subnets metric 50 metric-type 1
 passive-interface default
 no passive-interface Vlan9
 (other networks omitted)
 network a.b.5.0 0.0.0.255 area 0
 default-information originate
PIX 525:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
hostname XXXXXX
domain-name XXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 102 permit ip any any
access-list 102 permit icmp any any
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 103 permit ip any any
access-list 103 permit icmp any any
access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any source-quench
access-list 103 permit icmp any any unreachable
access-list 103 permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging buffered notifications
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu failover 1500
ip address outside a.b.5.17 255.255.255.240
ip address inside a.b.5.2 255.255.255.240
ip address failover 192.168.230.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 103 in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.5.18 1
route inside a.0.0.0 255.0.0.0 a.b.5.1 1
route inside a.b.0.0 255.240.0.0 a.b.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet a.0.0.0 255.0.0.0 outside
telnet a.0.0.0 255.0.0.0 inside
telnet a.b.0.0 255.240.0.0 inside
telnet a.b.5.18 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Any help on proper routing through a PIX 525 would be appreciated, given that all of this is for an internal network.
On the 6509, why does the interface have a /24 subnet mask when everything else has a /28? If you try to ping .18 from the 6500, it thinks that it is on a local network, and there is no need to route through the PIX.
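As an added illustration of the subnet-mask point in the reply above (example code written for this page, not from the thread or from Cisco): the script below uses Python's ipaddress module to show why a.b.5.18 looks directly connected to the 6509 under a /24 mask but not under a /28, and then flags links whose two ends disagree on the subnet and interfaces whose subnets overlap. The thread redacts the first two octets as a.b, so 10.0 is substituted here as a constructed placeholder.

```python
import ipaddress

# Constructed addresses: the thread redacts the first two octets as "a.b";
# 10.0 is substituted here so the addresses parse. Each link lists its two ends.
LINKS = {
    "6509-to-PIX": [("6509 VlanX", "10.0.5.1", "255.255.255.0"),
                    ("PIX inside", "10.0.5.2", "255.255.255.240")],
    "PIX-to-7206": [("PIX outside", "10.0.5.17", "255.255.255.240"),
                    ("7206", "10.0.5.18", "255.255.255.240")],
}


def _net(ip, mask):
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def is_on_link(iface_ip, mask, dst):
    """True if dst falls inside the subnet the interface believes it sits on.
    A destination that looks on-link is resolved with ARP on that interface and
    never sent to a next hop, so the PIX is bypassed entirely."""
    return ipaddress.ip_address(dst) in _net(iface_ip, mask)


def mask_mismatches(links):
    """Names of links whose two ends compute different subnets."""
    return [name for name, ends in links.items()
            if len({_net(ip, m) for _, ip, m in ends}) != 1]


def overlapping_subnets(links):
    """Pairs of interfaces on different subnets whose networks overlap.
    An overlap means one device may treat a remote subnet as directly connected."""
    ifaces = [(n, _net(ip, m)) for ends in links.values() for n, ip, m in ends]
    return [(n1, n2)
            for i, (n1, a) in enumerate(ifaces)
            for n2, b in ifaces[i + 1:]
            if a != b and a.overlaps(b)]


if __name__ == "__main__":
    print("6509 sees 10.0.5.18 on-link with /24:",
          is_on_link("10.0.5.1", "255.255.255.0", "10.0.5.18"))
    print("6509 sees 10.0.5.18 on-link with /28:",
          is_on_link("10.0.5.1", "255.255.255.240", "10.0.5.18"))
    print("links with mismatched masks:", mask_mismatches(LINKS))
    print("overlapping subnets:", overlapping_subnets(LINKS))
```

With the thread's masks the checker reports the 6509-to-PIX link as mismatched and the 6509 VLAN interface as overlapping every other subnet; once the 6509 side is given 255.255.255.240 both lists come back empty.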
Your access lists are confusing.
access-list # permit ip any any should let everything through, so everything that follows it is a redundant statement.
For the test:
access-list alloweverything permit ip any any
access-group alloweverything in interface outside
should make the PIX act as a router - you are effectively disabling all firewall features.
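The redundancy the reply above points out can be checked mechanically. The following is an added example for this page (not from the thread or from Cisco): a small checker for PIX-style access-list entries that parses the lines, reports entries shadowed by an earlier entry, and flags whether a reachable "permit ip any any" leaves the list wide open. It runs against the thread's list 102 and, as a contrast, a constructed tighter list named out_in whose 10.0.5.2 host address is a placeholder.

```python
import ipaddress

# The thread's access-list 102, retyped in standard PIX syntax.
ACL_102 = """\
access-list 102 permit ip any any
access-list 102 permit icmp any any
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
"""

# Constructed contrast: a list that admits ICMP replies and one service, then denies
# everything else (10.0.5.2 is a placeholder host address).
ACL_TIGHT = """\
access-list out_in permit icmp any any echo-reply
access-list out_in permit icmp any any unreachable
access-list out_in permit tcp any host 10.0.5.2 eq www
access-list out_in deny ip any any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens):
    """Consume 'any', 'host A', or 'A MASK' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC DST [qualifier]' lines into dicts."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        entries.append({"name": name, "action": action, "proto": proto, "src": src,
                        "dst": dst, "qual": " ".join(rest), "line": line})
    return entries


def covers(earlier, later):
    """True if every packet `later` could match is already matched by `earlier`."""
    proto_ok = earlier["proto"] == "ip" or earlier["proto"] == later["proto"]
    qual_ok = earlier["qual"] == "" or earlier["qual"] == later["qual"]
    return (proto_ok and qual_ok and later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]))


def shadowed_entries(entries):
    """Indexes of ACEs that can never be hit because an earlier ACE covers them."""
    return [i for i, e in enumerate(entries) if any(covers(p, e) for p in entries[:i])]


def is_wide_open(entries):
    """True if a reachable 'permit ip any any' exists: the list permits everything,
    so the PIX is effectively just routing."""
    dead = set(shadowed_entries(entries))
    return any(e["action"] == "permit" and e["proto"] == "ip" and e["qual"] == ""
               and e["src"] == ANY and e["dst"] == ANY and i not in dead
               for i, e in enumerate(entries))


if __name__ == "__main__":
    for text in (ACL_102, ACL_TIGHT):
        entries = parse_acl(text)
        print(entries[0]["name"], "shadowed:", shadowed_entries(entries),
              "wide open:", is_wide_open(entries))
```

For list 102 every entry after the first is reported as shadowed and the list is wide open; the constructed out_in list has no shadowed entries and is not wide open, because its only "ip any any" is a deny.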
Tags: Cisco Security
Similar Questions
-
PIX 525 config and VPN configuration
Hello
I was asked to work on a customer request to replace their non-Cisco FW with a PIX 525 and also to lead a VPN solution using this PIX 525.
I'm not a FW person, as my main experience is with Routing/Switching, but I have read some documentation and had some hands-on with a PIX 501 and the Cisco VPN 3000 client. I managed to get the VPN connection to come up, even if all tests have failed (still need to resolve that further).
The customer has its main site with an application that runs on a web server that must be accessed only through the VPN by: a 3rd party + a few remote users.
The solution I want to propose to the client is:
option 1:
PIX 525 as VPN server + Cisco VPN 3000 client on all remote users' PCs.
option 2:
PIX 525 as VPN server + Windows VPN client on all remote users' PCs
option 3:
PIX 525 as VPN server + PIX 501 to the 3rd party + Windows VPN client on all remote users' PCs
First I want to confirm that these options are feasible. Then, which option should I go for, knowing that there are only about 10 remote users?
The client doesn't have TACACS+ or RADIUS; should I go for static userid/password set up on the PIX 525?
Any idea, advice or suggestion is welcome. Thanks in advance
Kind regards
ngtelecom
Hello
Option 1
In my opinion, this is the best solution because the PIX 525 will act as the firewall and the VPN server.
Then all the clients connect via VPN using Cisco's IPsec VPN client software.
Option 2
The advantage of this option is that you do not need to install VPN software on the clients (not a problem with only 10 clients).
The problem is that it does not come with split tunneling and doesn't provide as good protection as the Cisco software.
Option 3
This is also valid, and you can do an EasyVPN connection where the 525 is the server and the 501 the client.
Local authentication on the PIX 525 sounds fine.
As a recommendation, the PIX is EoS and the replacement is the ASA.
Hope this helps.
Federico.
-
Q for PIX-525 spec (failover FE) and the GBIC
Question for the PIX-525 spec.
1. PIX-525-UR-GE-BUN (2GE + 2FE). I want to use the 2 GE as inside and outside interfaces and the FE for failover. I found a doc saying that the GE model 535 must use GE for failover. Does the 525 support stateful failover on an FE interface?
2. PIX-1GE-66 card for the PIX 525: does the card have a built-in GBIC interface, or do I need to order a GBIC module (e.g. WS-G5484) to put into the card?
Thank you
1. The restriction that the stateful failover interface must be the fastest interface on the PIX applies to the PIX 535. The PIX 525 cannot switch GE line-rate traffic, so this restriction is lifted on the 525 platform. You can use an FE link on a PIX 525 as the stateful failover link even if you have GE links as other interfaces.
2. The GE interface card on the PIX has a multimode SC connector. No GBIC is necessary... just cables.
I hope this helps.
Scott
-
VPN site-to-site between PIX 525 ver 7.2(2) and PIX 501 ver 6.3
Hello!!
I have problems establishing a VPN between two PIXes.
The first PIX is a 525 running version 7.2(2) and the other is a PIX running version 6.3, which is not managed by myself.
Phase 1 completes but it sends the associated messages
Can anyone help me
Thank you
I'm glad you got it working now :)
Please rate the helpful posts.
Regards
Farrukh
-
Allowing incoming www connections through a Cisco PIX
It's really driving me crazy - I scoured the internet for suggestions and actually found several people who have had the same problem and found a solution that works. It doesn't seem to work for me though! I'm trying to allow any external IP address access to a web server that resides behind the firewall.
Since it seems to be a fairly common thing, I'll post my current setup.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password * encrypted
passwd * encrypted
hostname phoenix
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit tcp any any eq www
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 192.168.252.86
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 213.254.xxx.xxx 255.255.255.240
ip address inside 192.168.252.41 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.252.69 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.252.71 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.252.71 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.254.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.252.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.252.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.252.42-192.168.252.169 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:XXXXXXXXX
Any advice would be much appreciated!
These log messages mean that we never saw a SYN-ACK return from the server to the PIX, so we tore down the "half-open" connection based on the timeout settings. Suggestions:
(1) Make sure the WWW daemon on your server is started and accepting TCP/80 connections. Are you able to access this server from inside the PIX?
(2) Make sure that the default gateway on the server is pointing to the PIX inside IP address.
Scott
-
Crypto map commands lock up PIX 525
Does anyone know why my PIX 525 crashes when I apply my crypto map from the command line? I first apply the following ACLs. But when I try to apply the first line of the crypto map, my PIX locks up and I have to restart... Any help would be greatly appreciated >
access-list XXXXXtunnel permit ip xx.xx.0.0 255.192.0.0 xx.xx.18.0 255.255.255.0
access-list sheep permit ip xx.xx.0.0 xx.xx.0.0 xx.xx.xx.0 255.255.255.0
access-list acl-inner permit ip xx.xx.0.0 xx.xx.0.0 xx.xx.xx.0 xx.xx.xx.0
crypto map xxx_map 157 ipsec-isakmp
crypto map xxx_map 157 match address xxx-tunnel
crypto map xxx_map 157 set peer xx.4.xx.xx
crypto map xxx_map 157 set transform-set xxx_set
Hello
I came across this problem when other entries already exist under the same crypto map and it is already applied to an interface.
I found that by first removing the crypto map interface command, changing the config, and then re-applying the interface command, it works fine.
So...
(1) no crypto map xxx_map interface outside
(2) put in the crypto map configuration lines
(3) crypto map xxx_map interface outside
Of course, you will lose the existing tunnels if some are already set up, but that happens if you reboot anyway!
Hope it helps
-
Hi all
A question about the PIX-525-UR: the brochure says two 10/100 Fast Ethernet on board and support for Gigabit Ethernet, up to eight 10/100 FE or three Gigabit Ethernet interfaces.
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/hig63/525.htm
I understand that we get 3 PCI slots and 2 10/100 onboard, but looking at the above page
under the Unrestricted Interface Options I've got
2 x 4-port FE, which makes a total of 10 interfaces.
How can that be possible? Does it allow disabling two interfaces?
Then I saw on the forum that the 525 supports a GigE interface (but not at full speed) and something about 1 to 4 FE + 2 GE ports?
What is the limitation?
Thank you
Patrizio
Q. Did you mean 'You may have 8 interfaces maximum on the 525 UR'? (10 total - 2 off = 8)
A. That's correct. A 525 UR only lights up 8 interfaces in the software. If you add two 4-port cards, the last 2 ports on the 2nd card will be disabled.
Q. I'm wondering what kind of constraint there is on the GigE interface, for example "not at full speed", what does it mean?
A. The GigE interface on the PIX runs at full rate. What is meant when people say that a 525 is not a true gigabit firewall is that the 525 has a throughput of about 330 MB/s max, which is lower than a gig. The 535 is a true gigabit firewall because it has a throughput of more than 1000 MB/s.
Two Gig interfaces are supported on the 525 and both support full gig speed on the card. However, there will be delays in passing the packets to the CPU if the PIX is trying to pass 330 MB/s or more.
Make a little more sense?
Scott
-
Telnet to the PIX from the outside
I tried this task through several suggestions.
None of which worked. My last try was using this link.
The PIX VPN client works fine; however I am still unable to telnet to the PIX.
In addition, the document speaks of configuration on the client.
Step 3: in the VPN client, create a security policy that specifies the IP address of the remote party identity and the IP gateway with the same IP address, the IP address of the external interface of the PIX firewall. In this example, the outside IP address of the PIX firewall is 168.20.1.5.
I see there is only one place to put an IP address on the client. There is no place on the client for a gateway address. I tried to change my machine's gateway and it still does not work.
Does anyone have a working config for how to Telnet to a PIX from the outside?
The step that you are referencing is for users who use the old CiscoSecure VPN client. Do you really use that? I'm guessing that you are actually using the VPN 3000 client, in which case you just need:
(1) a crypto ACL that allows the traffic from your assigned address to the outside of the PIX
(2) a telnet statement that allows telnet from the address assigned from outside
i.e.
access-list no_nat permit ip host 200.1.1.1 host 10.1.1.100
telnet 10.1.1.100 255.255.255.255 outside
HTH
Jeff
-
I have a problem with my PIX 506E: I cannot connect by telnet session. Is there an option to re-enable it from PDM?
Thks
Yes, there is a way to enable Telnet via PDM:
Configuration -> System Properties -> Administration -> Telnet
Here you can add the host IPs that can telnet and specify the interface where these clients are.
Note: You cannot telnet to the outside / lowest security level interface of the PIX firewall.
Kind regards
Maryse.
-
I'm creating a network solution that will have two PIX 525 firewalls connected to two different providers. For performance reasons, I'd like my clients to connect to the Internet via both firewalls in "round robin" mode. What are my options?
I want to create something like Gateway Load Balancing Protocol (GLBP) on the 2800 series routers. I do not know and cannot find out if the PIX supports GLBP. Otherwise, is any similar solution supported?
Thanks for any response.
Hello Milos,
I have another solution for your 2-ISP requirement: OER (Optimized Edge Routing). Here is the link that shows the multiple scenarios and functionality.
http://www.Cisco.com/en/us/products/ps6599/products_data_sheet0900aecd801dfcec.html
If you find it good, then you can run your firewalls in failover mode behind the OER master router, for security reasons but not for routing purposes.
A 2nd solution could be ACB with multiple tracking options:
http://www.Cisco.com/en/us/Tech/tk364/technologies_configuration_example09186a0080211f5c.shtml
In the 2nd solution also, you can use the PIX behind the router for the regular security policies.
3rd solution: you can use 2 2800 routers, terminate the ISP links on both of them and run GLBP between them.
Here is the PIX load balancing, e.g. load balancing is supported in PIX 7.0 onwards only:
Regards
Michael C
-
How can I change text size and DPI via the command prompt?
I want to create a script that will allow me to easily switch to or from my TV to my monitor. I know how to change the display, but I don't know how I can change the text size and DPI via the command prompt (that is, from 100% to 150%). Does anyone know how?
Unfortunately, you cannot. In addition, changing the DPI requires a reboot (or logout and back in). But you can apply a different theme, which you can call from the command line just by opening the .themepack file. Since themes can control the size of some font elements, that might do the trick you are looking for.
-
Problems with LAN-to-LAN VPN between PIX 525 and Cisco 2610XM
Hello world
I have problems with a VPN between a PIX 525 version 7.2(1) and a Cisco 2610XM version 12.3(18). When the PIX starts, all tunnels work well, but after 6-7 days some of the tunnels do not work properly. Traffic passes the tunnel with some networks but not with all networks. Sometimes the tunnel goes down and it is impossible to bring it up.
The attached files are the "debug crypto isakmp" output from both devices.
Thank you and sorry for my bad English
If your tunnel configuration is on a 7500 series router, the tunnel interfaces are not supported for service policies on the tunnel interfaces of the 7500
-
Check the CPU processes on a PIX 525 Version 7.2(2)
Hi all,
A few hours ago I got high CPU usage on my PIX 525 Version 7.2(2). I wanted to check what process was taking all the CPU, but I noticed that there is no "show processes" command.
I was able to see the CPU utilization percentage (show cpu, show cpu usage) but not the list of processes. Does anyone know how I can check this?
Thanks in advance for your help.
Hi Alfonso,
There should be a "show processes" command in 7.2(2). Make sure you have the appropriate privileges to use this command.
There's even a command 'show proc cpu-hog' which will show you the last three CPU-hogging processes and when they were last hogging the CPU:
Pix525/pri/act# sh proc cpu-hog
Process:    Dispatch Unit, NUMHOG: 2, MAXHOG: 7158, LASTHOG: 110
LASTHOG At: 19:38:57 EDT Apr 3 2009
PC:         113a4b
Traceback:  1154a0 1123f0
Process:    ci/console, NUMHOG: 2, MAXHOG: 330, LASTHOG: 320
LASTHOG At: 11:53:57 EDT Jul 18 2007
PC:         fe809d
Traceback:  1008a51 10087 1007ee3 a6 100ae4f 1021716 10216d3 102142a
            101d0dd 100c149 100bee3 100bcb4 ffe27a febbb4 1006b26
Process:    ssh, NUMHOG: 8, MAXHOG: 238, LASTHOG: 230
LASTHOG At: 02:00:37 EDT Apr 27 2009
PC:         100a720
Traceback:  10087f6 100ae4f 102166a 102142a 101d0dd 100c149 100bee3
            100bcb4 ffe27a febbb4 10069e5 ff8806 fea054 1006b26
-
RW SNMP community on PIX 525
I'm trying to configure SNMP on a PIX 525 and use the Solarwinds tool to download the config. When I try to download the config it tells me that the community string has read-only rights. Is there a way to give RW in the PIX as in routers?
Thank you
Gilbert
For free, you can use Kiwi CatTools. You give it the username/password and it can connect to any Cisco device and upload the config. It can even create diff reports on configs. Alternatively, you can provide a set of commands that you want to run on the devices and it will connect and run them. It is from the same people who do the often-preferred Kiwi Syslogd.
-
PIX 525 upgrade from v6.0 to v6.2(1) or v6.2(2)?
I've been upgrading the code on all our PIXes.
I was moving to 6.2 code for added features and the ability to upgrade PDM to support the VPN consolidation.
Most firewalls are 515s but I have a pair of 525s running 6.0(1).
Open caveats for 6.2(2) are... CSCdx89579 PIX 525 crashes intermittently.
The release notes for the earlier 6.2(1) version do not have a caveat about 525 crashes.
My question:
Was that caveat introduced in 6.2(2) or simply not found in 6.2(1)? If it was introduced in 6.2(2), at least I can set this pair to 6.2(1). Does anyone know how often and in what circumstances this happens?
Thank you
Scot
This bug is seen only in a failover pair, and even in this case only when, say, a person does a "write pending" on one PIX and someone else does a "write mem" on the other. Basically when the two commands are executed at the same time, it *may* happen. Very rare, seen by a single customer by the look of it.
This bug is also in 6.1; in fact it was discovered in that code, which is why it appears in the 6.2 release notes. In fact, it is also in the 6.0 code, which means that the bug was always there; it's just that no one had hit it before then.
It was fixed and integrated in some interim versions of the code, not release versions. You can open a TAC case if you wish and ask for one of these versions (they will be able to look it up no problem as long as you give them the bug ID). Of course then you will be running interim code; it's up to you if you want to do that or not.