Another "Tough" Pix 501 firewall problem

Similar Questions

• Pix 501 connection problems

  I am very new to cisco equipment and I was wondering if someone could help me with this (probably very simple question).

  When connecting to my pix via the browser (https://192.168.1.1/startup.html), the browser never took the start screen with the message that says "loading, please wait." This leads me to believe that the firewall is rejecting connections from my machine (which uses dhcp to get an ip address of the pix).

  To work around this problem, I tried to connect to the CLI using hyperterminal. I can connect and run a few basic commands as 'show version', but cannot log on as a user with permissions.

  If the web interface has a default connection of void & empty, surely the cli should be the same?

  Is anyone able to tell me what is the default login, so that I can start confguring the pix via the cli?

  Thanks in advance.

  Justin Spencer.

  Please see below for info pix:

  Cisco PIX Firewall Version 6.3 (3)

  Cisco PIX Device Manager Version 3.0 (1)

  Updated Thursday, August 13 03 13:55 by Manu

  pixfirewall until 12 minutes 18 seconds

  Material: PIX - 501, 16 MB RAM, 133 MHz Am5x86 CPU

  Flash E28F640J3 @ 0 x 3000000, 8 MB

  BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

  0: ethernet0: the address is 0011.937e.0486, irq 9

  1: ethernet1: the address is 0011.937e.0487, irq 10

  Features licensed:

  Failover: disabled

  VPN - A: enabled

  VPN-3DES-AES: enabled

  The maximum physical Interfaces: 2

  Maximum Interfaces: 2

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal guests: 10

  Throughput: unlimited

  Peer IKE: 10

  This PIX has a restricted license (R).

  Serial number: 808301473 (0x302db3a1)

  Activation key running: 0xb53be54d 0x26da18f9 0xb2b78cef 0x8fe1abb6

  Configuration changed from enable_1 to 15:36:42.554 UTC, Monday, November 8, 2004

  pixfirewall >

  long live java.

  Please this mark as resolved, others won't waste time.

  Thank you

• pix 501 vpn problem

  Can connect, I see not all network resources.

  The Vpn Client, worm: 5.0.01, is running on an xp machine.

  It connects to the network is behind a 6.3 (5) pix501-worm.

  When the connection is established the remote client gets an address assigned to the pool 192.168.2.10 vpn - 192.168.2.25:

  The vpn client log shows:

  Line: 45 18:07:27.898 12/08/09 Sev = Info/4 CM / 0 x 63100034

  The virtual card has been activated:

  IP=192.168.2.10/255.255.255.0

  DNS = 0.0.0.0 0.0.0.0

  WINS = 0.0.0.0 0.0.0.0

  Area =

  Split = DNS names

  It is followed by these lines:

  46 18:07:27.968 12/08/09 Sev = WARNING/2 CVPND/0xE3400013

  AddRoute cannot add a route: code 87

  Destination 192.168.1.255

  Subnet mask 255.255.255.255

  Gateway 192.168.2.1

  Interface 192.168.2.10

  47 18:07:27.968 12/08/09 Sev = WARNING/2 CM/0xA3100024

  Failed to add the route. Network: c0a801ff, subnet mask: ffffffff, Interface: c0a8020a Gateway: c0a80201.

  48 18:07:28.178 12/08/09 Sev = Info/4 CM / 0 x 63100038

  Were saved successfully road to file changes.

  49 18:07:28.198 12/08/09 Sev = Info/6 CM / 0 x 63100036

  The routing table has been updated for the virtual card

  50 18:07:29.760 12/08/09 Sev = Info/4 CM/0x6310001A

  A secure connection established

  * ...

  I can ping the remote client, on an inside ip behind the same pix

  When I get the 'route add failure' above, but I cannot ping the computer name.

  I activated traversal of NAT using the PDM, but when I connect with this option, I get the error that the "remote endpoint is NOT behind a NAT device this end is behind a NAT device" and ping fails.

  Behind the pix are a few computers with no central server, so I'm failed a WINS server for remote clients.

  I created the vpn with the wizard.

  The configuration file is attached.

  Any suggestion would be appreciated.

  Kind regards

  Hugh

  Hugh, sure you can classify based on the whole conversation, but you don't have to do but be certainly provide assessments.

  To sum up the shrinking global problems, the main objective was to ensure configuration VPN RA on the PIX501 has been corrected.

  1. we have enabled NAT - T on the firewall - even if it wasn't the question, but need it either it should you RA other places - travseral NAT VPN sensitizes the firewall on the other ends NAT devices - here is some good information on NAT - T for reference in the future

  http://www.Microsoft.com/technet/community/columns/cableguy/cg0802.mspx

  2. we fixed the VPN-POOL/28 network as well as the access list and acl to be coherent crypto sheep.

  Here is a link for future reference with many PIX configuration scenarios

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html

  Finally, your only question remaining, we can say is purely isolated with the customer software vpn and MAC machine.

  You could maybe try a different version of the client in the MAC, or also look at the release notes for the open caveats to avoid cisco cleint managing versions and MAC versions if there are problems.

  http://www.Cisco.com/en/us/products/sw/secursw/ps2308/prod_release_notes_list.html

  Concerning

• Adding a pix 501 VPN 2

  Hello.. I am beginner in this kind of things cisco...

  I'm trying to set up multiple VPN on a Cisco PIX 501 firewall with routers Linksys BEFVP41...

  Since not very familiar with the CLI, I use the PDM utility and it was very easy for the first... Unfortunately, I get this error when I try to add the second VPN using the VPN Wizard:

  Outside_map map (ERR) crypto set peer 200.20.10.3

  WARNING: This encryption card is incomplete

  To remedy the situation even and a list of valid to add this encryption card

  Hi garcia

  for each vpn/peer, you need to a separate instance of crypto card, the card will have the same name, but different sequence... numbers one map encryption can be attributed to an interface, but you can have several instance of cards inside a main...

  for configuration, you can go through the URL below... It has all the details on IPSEC config:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/ipsecint.htm

  I hope this helps... all the best... the rate of responses if deemed useful...

  REDA

• PIX 501 - VPN - based

  Hello

  I am considering the implementation of a vpn pptp on win2k server behind a pix 501 firewall (+ nat) with only 1 static IP address. I will also have to have at least 2-3 Terminal Server client connected simultaneously.

  The Terminal Server service will pass through vpn tunnel.

  Can this be achieved? A local Tech told me that I need at least 2 IP addresses.

  Thank you

  Mike

  For Terminal Server services, you can do it with just an IP address that is assigned to the external interface of the PIX, just create a static mapped port to port 3389 thru peripheral inward.

  For PPTP, you must however an IP address separate, different from that assigned to the PIX outside the int. This is because PPTP uses two TCP/1723 and GRE protocols. You can create a static mapped ports for TCP/1723 through the PPTP server, but you can't do it for the GRE. This is because GRE is not a TCP/UDP protocol, it is located just above IP and has therefore no port number to map through. You need an IP address unique address and card. You config should look like this:

  list of allowed inbound tcp access any host 200.1.1.1 eq 1723

  list of allowed incoming access will any host 200.1.1.1

  Access-group interface incoming outside

  public static 200.1.1.1 (indoor, outdoor) 10.1.1.1 netmask 255.255.255.255

  where 200.1.1.1 is your second (different from the PIX off int) routable IP address 10.1.1.1 is your PPTP server inside

  If you only want to use an IP address, why don't the PIX not set itself up as a PPTP server and put an end to your connections on this. The PPTP client end simply on the PIX outside IP address, and you will not need all the others.

  See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml for more details.

• PIX 501 and VPN Linksys router (WRV200)

  I inherited a work where we have a Cisco PIX 501 firewall to a single site and Linksys WRV200 Router VPN on two other

  sites. Asked me to connect these routers Linksys firewall PIX via the VPN.

  According to me, the Linksys vpn routers can only connect via IPSec VPN, I'm looking for help on the configuration of the PIX 501 for the linksys to connect with the following, if possible.

  Key exchange method: Auto (IKE)

  Encryption: Auto, 3DES, AES128, AES192, AES256

  Authentication: MD5

  Pre Shared Key: xxx

  PFS: Enabled

  Life ISAKMP key: 28800

  Life of key IPSec: 3600

  The pix, I installed MDP and I tried to use the VPN wizard without result.

  I chose the following settings when you make the VPN Wizard:

  Type of VPN: remote VPN access

  Interface: outside

  Type of Client VPN device used: Cisco VPN Client

  (can choose customer of Cisco VPN 3000, MS Windows Client by using the client MS Windows using L2TP, PPTP)

  VPN clients group

  Name of Group: RabyEstates

  Pre Shared Key: rabytest

  Scope of the Client authentication: disabled

  Address pool

  Name of the cluster: VPN - LAN

  Starter course: 192.168.2.200

  End of row: 192.168.2.250

  Domain DNS/WINS/by default: no

  IKE policy

  Encryption: 3DES

  Authentication: MD5

  Diffie-Hellman group: Group 2 (1024 bits)

  Transform set

  Encryption: 3DES

  Authentication: MD5

  I have attached the log of the VPN Linksys router VPN.

  This is the first time that I have ever worked with PIX so I'm still trying to figure the thing to, but I'm confident with the CCNA level network.

  Thanks for your help!

  Hello

  Everything looks fine for me, try to have a computer in every network and ping between them. Check the newspapers/debug and fix them.

  Let me know.

  See you soon,.

  Daniel

• Help the PIX 501 - cannot access startup.html

  I'm new to the network and has received a job to configure the PIX 501 firewall.

  The fact is:

  We use IP table rules as a firewall on a linux machine. My pc is connected to a switch. So I use the yellow network cable to connect the port of the Pix 501 0 to the port in the switch. Then I disconnect my pc of swich cable and plug into the port of the Pix 501 1.

  My pc is to use a static ip address before. I try to change to automatically get an IP address, but it will not work. So I changed the setting and use the IP address originally. Pop up message network connection icon says that the local connection is enabled. But when I try to ping 192.168.1.1, request time-out. Also I can't acess the https://192.168.1.1/startup.html.

  I have a look at Books Online cisco and shootings of disorder, but most of them talk about the configuration or more advance features. I'm still on the very basic level to try to connect to the firewall.

  I hope someone can help me. All ideas and questions are welcome. Thank you.

  Your IP address should be fine. You do not want to have the PIX connected to your local network, even if you have the Linux firewall as well as this will cause a conflict. Keep the PIX the LAN for now. Your DNS configuration will have no effect because the url you are trying to reach is based on the IP address and not the domain name if your PC has nothing to look for.

  You have to check the cable that you use - if your PIX has only an 'inside' interface, then you must use a crossover cable. If he has four so it's built in switch for a straight cable will be fine. Is what PIX model?

  After checking the cable - see if you can console in the firewall - use the blue cable that came with the PIX and set up a connection (hyper terminal) terminal with the help of 9600, 8, no 1. If you can console and then you can stick in a basic configuration you can get.

• Ping inside the interface on a Pix 501 from outside the network

  All the

  I have a Pix 501 firewall at a remote site with an IPSEC tunnel established at HQ. We have an analysis tool which remote sites for us let proactively pings know when a site crashes. I want to set up this ping the inside interface of the Pix tool as I can with 871 routers; However I can't configure the Pix to allow ICMP inside interface. I know by default that the Pix does not allow ICMP to the opposite interface and I was wondering if someone could help me with a configuration that will allow this? I enclose my configuration of the pix!

  Thank you

  Brian

  Hello

  By raising the ordering tool, it seems that the 'management-access' command was introduced in version 6.3

  I recommend spending at 6.3 If you can.

  Federico.

• Pix 501 problem, I can not receive smtp messages

  Currently, I can send messages but cannot receive the mail from the Internet, if I remove the Pix and connect directly to the Modem/router then I can SMTP on port 25 and SMTP mail works fine both in & out.

  All what we want this Pix to allow at present is:

  (a) access to Internet to all clients on the network internal

  (b) allow the customers to pop mail web e-mail accounts

  (c) we want to use Exchange & Outlook and accommodate our own email via the SMTP Protocol

  Please find attached two documents: -.

  1. a current edited config of my Pix 501 running

  2. a PowerPoint of my network diagram.

  I appreciate a lot of help.

  Vinny.

  I finally found the problem.

  On the ADSL router, you have configured the same 192.168.0.0/24 network you use behind the post office

  Server. This configuration will not work because it leads to a duplicate IP address range and you have routing

  problems.

  Change the configuration to another range of IP between the ADSL router and PIX firewall and everthing will be

  work.

  Note the address unique public IP that is configured, received is on the router Netgear ADSL uses all other interfaces

  public IP addresses.

  Recovery of the networks and the IPs:

  80.x.y.z/255.255.255.x = Netgear outside intellectual property

  192.168.2.0/255.255.255.0 = network between the internal Netgear and the PIX outside interface

  192.168.1.0/255.255.255.0 = network between the PIX inside and the external interface of the mail server

  192.168.0.0/255.255.255.0 = network between the internal interface of mail server and mail clients.

  Use 192.168.2.0 255.255.255.0 for this network, and then set it 192.168.2.1 for your ADSL router inside

  interface, use a static IP 192.168.2.2 255.255.255.0 on the PIX firewall outside interface.

  ADSL installation:

  You can choose on the Netgear between all public traffic of the 80.x.y.z IP to 192.168.2.2 transmission which is NAT or

  You can transfer to forward the http, pop3 and smtp, didn't really matter, it's just important that you NAT or PAT it

  for the PIX firewall.

  PIX installation example:

  All traffic received on the PIX outside interface for http, pop3 and smtp is then transmitted by 192.168.2.2 to mail

  the server 192.168.1.2 external IP address.

  outdoor IP 192.168.2.2 address 255.255.255.0

  IP address inside 192.168.1.1 255.255.255.0

  acl_out list access permit tcp any host 192.168.2.2 eq http

  acl_out list access permit tcp any host 192.168.2.2 pop eq

  acl_out list access permit tcp any host 192.168.2.2 eq smtp

  Access-group acl_out in interface outside

  static (inside, outside) tcp 192.168.2.2 80 192.168.1.2 80 netmask 255.255.255.255 0 0

  static (inside, outside) tcp 192.168.2.2 110 192.168.1.2 110 netmask 255.255.255.255 0 0

  static (inside, outside) tcp 192.168.2.2 25 192.168.1.2 25 netmask 255.255.255.255 0 0

  Global 1 interface (outside)

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Route outside 0.0.0.0 0.0.0.0 192.168.2.1

  Installation of mail server:

  The mail server has a default route to the PIX firewall.

  Default gateway on the mail server = 192.168.1.1

  Do you have NAt or PAT on the mail server internal clients to the Internet in the direction of the PIX? If not, you need to add another road on the PIX, so know the PIX the 192.168.0.0/24 network is behind the e-mail server, as this unit is the routing for this network.

  Add a route on the PIX inside interface:

  Route inside 192.168.0.0 255.255.255.0 192.168.1.2

  E-mail clients:

  All mail clients have the internal IP address of mail as default gateway server.

  Default gateway = 192.168.0.3

  This configuration will work 100%

  Sorry if I you confused.

  sincerely

  Patrick

• Pix 501 problem

  I can not configure a pix 501 as a firewall, I need to know if it comes with a default configuration. I connect the PIX of the LAN and it start´s to DHCP each machine on the network with no problem, but none of the user´s can access the internet.

  I need to know what to do to get access to internet protection and network security.

  Where can I go to configure the Pix, if I really need to configure it!

  Hi... basically, you need the following basic steps to access your internal users to the internet

  If you use 6.3 (5) PIX

  interface ethernet0 100full

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  inside_access_in ip access list allow a whole

  inside_access_in access to the interface inside group

  NAT (inside) 1 access-list inside_access_in

  Global 1 interface (outside)

  NOTE: with the config ablove room your internal users will have FULL access to the internet. If you want to restrict access to only http, https, ftp, dns, etc then you need to change the access list for something like that...

  inside_access_in list access permit tcp any any eq www

  inside_access_in list access permit tcp any any eq 443

  inside_access_in list access permit tcp any any eq ftp

  inside_access_in list access permit tcp any any eq 53

  inside_access_in udd allowed access list any any eq 53

  I hope that helps... Rate if he does!

• PIX 501 in the firewall of the Web server

  Hello

  At the suggestion of a colleague, we bought a firewall PIX 501 to protect our new Win2003 web server and a UNIX/Oracle DB server.

  I've never worked with before firewalls.

  Our servers are located in a cage at the ISP and belong to us. There are only two servers providing web site. I have read the documentation in the Getting Started book and it does not answer my question.

  We have 2 web sites with different IP numbers on our web server. Let's say 140.5.5.4 and 140.5.5.5. I understand that I have will redefine the numbers with the firewall (192,...) but I do not understand how the routers at the ISP will be able to route requests for two websites to the firewall when it has one IP number, say 140.5.5.1?

  Any help is appreciated.

  Thank you, Jerry

  Jerry,

  what you are referring is called port forwarding. Whether you a PIX with a public IP address 12.1.1.1 and your web servers are respectively and 12.1.1.2 12.1.1.3. Port forwarding is really a 2 step process:

  * a static translation of the public IP address of the PIX (12.1.1.1) at the address of the web server (12.1.1.2)...

  static (inside, outside) tcp 12.1.1.1 12.1.1.2 www www netmask 255.255.255.255 0 0

  * an intermediate statement basically "all web requests should be allowed in the pix outside of the interface"...

  driving permit tcp host 12.1.1.1 eq www everything

  Here is a link that will help you to clarify this point:

  www.Cisco.com/warp/Customer/707/28.html

  This should help you get started. Regarding the basic configuration, it takes config examples on the Cisco site, if you have access CCO.

  Let me know if it helps.

  Rob H.

• Problems with PIX 501 and Server MS Cert

  Hi all

  I have two problems with my PIX 501:

  1. registration works well. The pix has a certificate and use it with SSL and VPN connections. But after a refill, the pix certificate is lost and it has regenerated again self-signed certificate!

  Yes, I wrote mem and ca records all!

  2. at the request of ca CRL , I get the following debugging:

  Crypto CA thread wakes!

  CRYPTO_PKI: Cannot be named County ava

  CRYPTO_PKI: transaction GetCRL completed

  Crypto CA thread sleeps!

  CI thread wakes!

  And the CRL is empty.

  Does anyone have any idea?

  Bert Koelewijn

  Not sure about 1, but 2 is usually caused by the COP (Point of Distribution of CRL, basically the situation where the PIX can download the Revocation list from) listed in cert CA is in a format the PIX does not, generally an LDAP URL.

  Check the following prayer:

  Open the administration tool of CA (Certification Authority) then

  (1) right click on the name of CA and choose 'properties '.

  2) click on the tab "Policy Module".

  3) click on the button "configure."

  4) click on the tab "X.509 extensions".

  > From there, it can display the list of the "CRL Distribution Points".

  Turn off everything that isn't HTTP.

  You need to reinstall the CERT in the PIX, I think, but then it should be able to download the CRL through HTTP instead of LDAP.

• VPN connection between two pix firewall problems

  Hi, trying to create a VPN between the firewall two pix a 501 and a 506e.

  currently on the 506th pdm shows 1 IKE tunnel in the stats, but it displays then return to zero. The two hosts of pix can access the web and ping each other gateways.

  I posted the 506th config but the 501 config is the same.

  outside IP for pix 506th = a.a.a.a

  outside IP for pix 501 = b.b.b.b

  Internet service provider ip of the gateway to 506th = x.x.x.x

  Thank you

  Alex

  Hi Alex

  See the configuration on the other side (PIX501) it will be difficult to solve, you'll need to be sure when it is a phase failure 1 or phase 2.

  Please note between the two PIX IPSec negotiation fails if both of the phases SAs IKE do not match on the peers.

  Cordially MJ

• Pix 501 for Small Business SERVER 2003 configuration problems

  I am new to cisco equipment. My company recently purchased a firewall of Pix 501 unlimited number of users, it is connected to an internet connection by cable with a dynamic ip address. Internet works fine and so the dhcp server.

  I have a Windows 2003 Small Business Server on our network. I need to configure the firewall to forward ports on the SBS server for remote web workplace.

  Also about a week ago I lost connectivity to the GUI of PDM via my web browser. Telnet and console work perfectly well.

  I enclose my config file.

  Any help will be appreciated. Thank you

  Ed

  FIRT off, you do not have a group-access instruction set for one of your ACL. This means that you have blocked all inbound traffic. You also have your incorrect static instructions. You can start by cleaning your config and enter the correct commands, you should be able to stick to your firewall config mode:

  No list will host 192.168.1.1 acl-enabled access 192.168.1.1

  no access list acl_outside not allowed tcp any any eq www

  no access list acl_inside not allowed tcp any any eq www

  no access list no incoming icmp permitted any one

  No list of permitted no inbound tcp access any host 24.50.241.113 eq https

  No list to access acl - permit gre 192.168.1.1 host 192.168.1.1

  No outside_in not allowed access list tcp any host 24.50.241.113 eq www

  not static (inside, outside) tcp interface www SBSServer www netmask 255.255.255.255 0 0

  not static (inside, outside) tcp interface https SBSServer https netmask 255.255.255.255 0 0

  not static tcp (exterior, Interior) interface www SBSServer www netmask 255.255.255.255 0 0

  not static tcp (exterior, Interior) interface https SBSServer https netmask 255.255.255.255 0 0

  static (inside, outside) tcp 24.50.241.113 80 192.168.1.69 80 netmask 255.255.255.255 0 0

  static (inside, outside) 24.50.241.113 tcp 443 192.168.1.69 443 netmask 255.255.255.255 0 0

  access-list OUT-IN permit tcp any host 24.50.241.113 eq https

  access-list OUT-IN permit tcp any host 24.50.241.113 eq www

  allow to Access-list OUT-IN a whole icmp

  Access-group OUT-IN in interface outside

  What ip you are trying to access your pdm of? the looks of configuration http correct, unless your coming to one other than 192.168.1.x ip address

  Let me know if it works

• On PIX 501 6.3 intermittent Internet access (5)

  Hello

  I have a problem of access to the Internet from the local network behind a PIX 501. It worked for months, but suddenly, I discovered that Internet access is intermittent. Internet access works for about 10-15 minutes and then goes down. When I reboot the firewall or disable ARP Internet works again. I turn on debugging with 'debug arp' and I get an error message "arp-in: Dropping request outside the unsolicited nonadjacent ROUTEOUTSIDE 0002.cf69.50cf for 82.x.137.x 0000.0000.0000»

  Any ideas on what could be the problem?

  Thank you for your help.

  Kind regards.

  Hello, Couple of things to check.

  You have ICMP permitted on the external interface of the PIX. If so, can ask you someone to ping from the internet to the external IP address.

  When they ping, can you unplug the external interface and see if they receive a response in return.

  If so, then there is a problem with the access provider. They could give your IP address to another person.

  If this isn't the issue, then you open a TAC case and resolve this problem.

  See you soon,.

  Gilbert

  The rate of this post, if that helps.