Dynamic PAT on the PIX

Hi Expert,

If I want the range of dynamic ports NAT in 5500 to 5800, in my address public IP that a NAT IP address private, how to set up?

Here is an example,

public IP = x.x.x.x

address private IP = z.z.z.z

NAT x.x.x.x port 5500-5800 to z.z.z.z port 5500-5800

The PIX firewall running OS 6.3 (4).

Customer actually needs to activate it for ftp trffic which allow customers can dynamic port within the range of 5500 and 5800.

Hope someone can help me on this, thank you.

Rgds,

To the Shaw feel Yeong

I checked your configs... the only option you have is of static type using 219.95.73.28 which is not yet used.

public static 219.95.73.28 (inside, outside) 200.1.1.X netmask 255.255.255.255

access-list 101 permit tcp any host 219.95.73.28 range 5500-5800

I also see that remotely using remote desktop access from the Internet. Make your customer aware that this kind of access are a risk of security as user names and passwords travel on clear text. I suggest remote VPN set up for remote access. Anyway... the instructions above will solve your current problem.

Please rate if you find it useful

Tags: Cisco Security

Similar Questions

  • Outgoing PAT to the IPSec Tunnel

    Hello

    Situation is with range of IP private tunnel of 3rd party who already uses the same private beach, but not with any of the hosts that we need to connect to. All traffic from the office to the 3rd party must be secure.

    We want to configure an IPSec tunnel between the two sites (easy) and then use PAT on the PIX Office (6.3 (5)) to make all traffic office appear to be a single private address different.

    We tried to do with PDM, but it insists on having no NAT (with an exclusionary rule), or static NAT, but does not seem to allow Pat.

    I have attached a copy sanitized the office configuration. Any standard room in PIX have been removed for brevity

    I would like constructive guidance on where I'm wrong.

    See you soon

    Hello

    The PIX / ASA will make the NAT translation on the steps below. First, it will check if no no (order No. - nat) nat is configured, then it will check the static nat translation and finally, it will check the translation PAT.

    In your configuration, there is a NAT (0) command indicating not to translate any IP of 192.168.0.0 to the remote ip address range, then the PIX won't do the translation and the package is passed to the destination.

    Remove the NAT (0) command and edit list access outside_cryptomap_10 with the ip dried up to the remote ip address for this access list is responsible for interesting traffic that needs to be encrypted.

    pls control and dream of return.

  • W2000 PPTP in the path through the PIX PIX

    Inside of a configured simple PIX I have a w2000 customer VPN with PPTP. The client cannot talk to one another otside PIX configured with VPDN.

    Everything works as expected if I put in a nat-Firewall NETGEAR801 instead of PIX siple.

    See PIX config and syslog. Waths evil?

    6.2 (2) version PIX

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    activate 2KFQnbNIdI.2KYOU encrypted password

    FAXRuw8pF2Tl7oBe encrypted passwd

    HMS host name

    fixup protocol ftp 21

    fixup protocol http 80

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol they 389

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol sip 5060

    fixup protocol 2000 skinny

    names of

    access-list acl_outside allow icmp a whole

    access-list acl_outside allow accord a

    Allow Access-list acl_outside esp a whole

    pager lines 24

    opening of session

    recording of debug console

    recording of debug trap

    host of logging inside the 194.132.183.10

    interface ethernet0 10baset

    interface ethernet1 10baset

    Outside 1500 MTU

    Within 1500 MTU

    external IP 217.215.220.221 255.255.255.0

    IP address inside 194.132.183.2 255.255.255.192

    alarm action IP verification of information

    alarm action attack IP audit

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

    Access-group acl_outside in interface outside

    Route outside 0.0.0.0 0.0.0.0 217.215.220.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    AAA-server local LOCAL Protocol

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    enable floodguard

    No sysopt route dnat

    NSM #.

    Syslog sed:

    % 305011-6-PIX: built a dynamic TCP conversion of ide:194.132.183.10/1366 to outside:217.215.220.221/1124

    % 302013-6-PIX: built 212 for outbound TCP connection: 194.71.189.109/1723 (194.71.189.109/1723) to inside:194.132.183.10/1366 217.215.220.221/1124)

    % 3 PIX-305006: failure of the regular creation of translation for the internal protocol 47 src: 194.132.183.10 outside dst: 194.71.189.109

    % 3 PIX-305006: failure of the regular creation of translation for the internal protocol 47 src: 194.132.183.10 outside dst: 194.71.189.109

    % 3 PIX-305006: failure of the regular creation of translation for the internal protocol 47 src: 194.132.183.10 outside dst: 194.71.189.109

    % 3 PIX-305006: failure of the regular creation of translation for the internal protocol 47 src: 194.132.183.10 outside dst: 194.71.189.109

    % 302014-6-PIX: disassembly of the TCP connection 212 for side:194.71.189.109/1723 to inside:194.132.183.10/1366 duration 0:00:10 TCP fins 788 bytes

    First off I would say don't not cut and paste your config PIX here, or at the x.x.x.x at least on your external IP address.

    The PIX does not support PPTP thru PAT (nat/global). PPTP uses the Protocol IP 47 (GRE), and the PIX cannot PAT these cause there is no TCP/UDP port number to use.

    PIX 6.3 code it will however support, but it won't be available until the beginning of next year. At the moment the only way to circumvent your situation is to define a one-to-one NAT translation for this internal host. Something like:

    > static (inside, outside) 217.215.220.222 194.132.183.10 netmask 255.255.255.255 0 0

    will do for you, providing you 217.215.220.222 routed and available. I would also change

    > acl_outside of access list allow accord a

    TO

    > acl_outside gre 194.71.189.109 allowed access list host 217.215.220.222

    It's a little safer.

  • peer cvpn through pix and ending the pix

    cvpn-= pix = - internet-= point of termination vpn (pix) =

    Can someone point me to a document or explanation on why ipsec must be open on the first pix to IPSEC to cross because he hails from this network? I can't find a document that explains better that I can or includes the above scenario for the layman.

    The PIX opens only the holes for the return for TCP and UDP based traffic. IPSec ESP is located just above IP and is therefore not based TCP/UDP. For this reason, you must specifically allow Protocol IP 50 (ESP) in the PIX from the outside, because as I said, the PIX will not open a hole to get him back.

    He done the same for the ICMP protocol, it takes of icmp in the PIX, if you want your interior to the users to be able to ping outside guests. Because ICMP is not based of TCP/UDP, the PIX does not open a hole for the return to return to traffic.

    Now, that said everything that, in point 6.3, they added a '' correction '' ESP, so the PIX could inspect the outbound ESP for A a SINGLE TUNNEL, he PAT to the address of the external interface and allow the return of traffic to. It is disabled by default, you can activate it with the following text:

    fixup protocol esp-ike

    You can read about it here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/DF.htm#wp1067379

  • ping for the pix vpn problem

    Hello

    I got a pix 501 (6.3 - 4) on a local network and try to use Cisco VPN Client (4.0.2-D) on a remote pc.

    I can open a vpn session.

    I can't ping from the remote pc to the LAN

    I can ping from any station on the LAN to the remote pc

    After that I did a ping of a station on the LAN to the remote pc, I ping the remote computer to the local network.

    I am so newb, trying for 2 days changing ACLs, no way.

    I must say that I am in dynamic ip wan on the local network and the remote pc.

    Any idea about this problem?

    Any help is welcome.

    Here is the configuration of my pix:

    6.3 (4) version PIX

    interface ethernet0 10baset

    interface ethernet1 100full

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    activate the password * encrypted

    passwd * encrypted

    pixfirewall hostname

    domain ciscopix.com

    clock timezone THATS 1

    clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

    fixup protocol dns-length maximum 512

    fixup protocol ftp 21

    correction... /...

    fixup protocol tftp 69

    names of

    name 192.168.42.0 Dmi

    inside_access_in ip access list allow a whole

    inside_outbound_nat0_acl ip access list allow any 192.168.229.0 255.255.255.0

    outside_cryptomap_dyn_20 ip access list Dmi 255.255.255.0 allow 192.168.229.32 255.255.255.224

    access-list outside_cryptomap_dyn_20 allow icmp a whole

    pager lines 24

    opening of session

    logging trap information

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside the 209.x.x.x.255.255.224

    IP address inside 192.168.42.40 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    IP local pool dmivpndhcp 192.168.229.1 - 192.168.229.254

    location of PDM 192.168.229.1 255.255.255.255 outside

    209.165.x.x.x.255.255 PDM location inside

    209.x.x.x.255.255.255 PDM location outdoors

    PDM logging 100 information

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_outbound_nat0_acl

    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

    Route outside 0.0.0.0 0.0.0.0 209.165.200.225 1

    Timeout xlate 0:05:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    AAA-server GANYMEDE + 3 max-failed-attempts

    AAA-server GANYMEDE + deadtime 10

    RADIUS Protocol RADIUS AAA server

    AAA-server RADIUS 3 max-failed-attempts

    AAA-RADIUS deadtime 10 Server

    AAA-server local LOCAL Protocol

    Enable http server

    Dmi 255.255.255.0 inside http

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    TFTP server inside the 192.168.42.100.

    enable floodguard

    Permitted connection ipsec sysopt

    AUTH-prompt quick pass

    AUTH-guest accept good

    AUTH-prompt bad rejection

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

    Dynamic crypto map dynmap 20 match address outside_cryptomap_dyn_20

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    ISAKMP allows outside

    ISAKMP identity address

    part of pre authentication ISAKMP policy 20

    ISAKMP policy 20 3des encryption

    ISAKMP policy 20 chopping sha

    20 2 ISAKMP policy group

    ISAKMP duration strategy of life 20 86400

    vpngroup address dmivpndhcp pool dmivpn

    vpngroup dns 192.168.42.20 Server dmivpn

    vpngroup dmivpn wins server - 192.168.42.20

    vpngroup dmivpn by default-field defi.local

    vpngroup idle 1800 dmivpn-time

    vpngroup password dmivpn *.

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    VPDN username vpnuser password *.

    VPDN allow outside

    VPDN allow inside

    dhcpd address 192.168.42.41 - 192.168.42.72 inside

    dhcpd lease 3600

    dhcpd ping_timeout 750

    Terminal width 80

    Cryptochecksum: *.

    Noelle,

    Add the command: (in config mode): isakmp nat-traversal

    Let me know if it helps.

    Jay

  • Using dynamic PAT with IPSec VPN

    Hello

    I will say first of all thanks for reading this post.

    My goal is to create a dynamic PAT for 5 private host 1 ip address public, then to allow this ip address public 1 via an ipsec tunnel.

    I have an ASA5555 running on code 9.2 (1).  Here's what I have so far:

    network of object obj - 12.12.12.12 {mapped address}

    host 12.12.12.12

    object-group, LAN {address}

    host 10.0.0.1

    host 10.0.0.2

    host 10.0.0.3

    host 10.0.0.4

    host 10.0.0.5

    NAT (inside, outside) dynamic source LOCAL obj - 12.12.12.12

    First question - haven't set up that PAT correctly? I'm trying to PAT the local private addresses on the public address 12.12.12.12

    Now I would use 12.12.12.12 as interesting traffic and leave it in a vpn tunnel:

    access-list 1 extended permit ip host 12.12.12.12 object-group Remote_Network

    This configuration seems correct?  Is there another way to accomplish the same task?

    Thank you for your time.

    Looks good so far.

    But if this PAT is only for VPN traffic, then you can change the policy-nat NAT rule:

     nat (inside,outside) source dynamic LOCAL obj-12.12.12.12 destination static Remote_Network Remote_Network

  • Problem with VPN client connecting the PIX of IPSec.

    PIX # 17 Sep 14:58:51 [IKEv1 DEBUG]: IP = Y, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

    Sep 17 14:58:51 [IKEv1]: IP = Y, landed on tunnel_group connection

    Sep 17 14:58:51 [IKEv1 DEBUG]: Group = X, IP = Y, IKE SA proposal # 1, transform # 13 entry overall IKE acceptable matches # 1

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, the authenticated user (X).

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, mode of transaction attribute not supported received: 5

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, Type of customer: Client Windows NT Version of the Application: 5.0.06.0160

    Sep 17 14:58:58 [IKEv1]: Group = Xe, Username = X, IP = Y, assigned private IP 10.0.1.7 remote user address

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, fast Mode resumed treatment, Cert/Trans Exch/RM IDDM

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 1 COMPLETED

    Sep 17 14:58:58 [IKEv1]: IP = Y, Keep-alive type for this connection: DPD

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, timer to generate a new key to start P1: 6840 seconds.

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, data received in payload ID remote Proxy Host: address 10.0.1.7, protocol 0, Port 0

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, received data IP Proxy local subnet in payload ID: address 0.0.0.0 Mask 0.0.0.0, protocol 0, Port 0

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, his old QM IsRekeyed not found addr

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, remote peer IKE configured crypto card: outside_dyn_map

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, IPSec processing SA payload

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, IPSec SA proposal # 14, turn # 1 entry overall SA IPSec acceptable matches # 20

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE: asking SPI!

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, IPSec initiator of the substitution of regeneration of the key duration to 2147483 to 7200 seconds

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, passing the Id of the Proxy:

    Remote host: 10.0.1.7 Protocol Port 0 0

    Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol Port 0 0

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = notification sending answering MACHINE service LIFE of the initiator

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, the security negotiation is complete for the user (slalanne) answering machine, Inbound SPI = 0 x 6

    044adb5, outbound SPI = 0xcd82f95e

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, timer to generate a new key to start P2: 6840 seconds.

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, adding static route to the customer's address: 10.0.1.7

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 2 COMPLETED (msgid = c4d80320)

    PIX # 17 Sep 14:59:40 [IKEv1]: Group = X, Username = X, Y = IP, Connection over for homologous X.  Reason: Peer terminate remote Proxy 10.0.1.7, 0.0.0.0Sep Proxy Local 17 14:59:40 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE removing SA: 10.0.1.7 Remote Proxy, Proxy Local 0.0.0.0

    Sep 17 14:59:40 [IKEv1]: IP = Y, encrypted packet received with any HIS correspondent, drop

    Then debugging IPSec are also normal.

    Now this user is a disconnect and other clients to connect normally. the former user is trying to connect to the site and here is the difference in debugging:

    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, Y = IP, tunnel IPSec rejecting: no entry card crypto for remote proxy proxy 10.0.1.8/255.255.255.255/0/0 local 0.0.0.0/0.0.0.0/0/0 on the interface outside
    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, error QM WSF (P2 struct & 0x2a5fd68, mess id 0x16b59315).
    Sep 17 14:25:22 [IKEv1 DEBUG]: Group = X, Username = X, IP = O, case of mistaken IKE responder QM WSF (struct & 0x2a5fd68) , :
    QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BL
    D_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_
    BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH
    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, peer table correlator withdrawal failed, no match!
    Sep 17 14:25:22 [IKEv1]: IP = Y, encrypted packet received with any HIS correspondent, drop

    Here is the config VPN... and I don't see what the problem is:

    Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-DES-MD5 value
    life together - the association of security crypto dynamic-map outside_dyn_map 20 seconds 7200
    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
    outside_map interface card crypto outside
    ISAKMP crypto identity hostname
    crypto ISAKMP allow outside
    crypto ISAKMP policy 20
    preshared authentication
    the Encryption
    md5 hash
    Group 2
    life 7200
    crypto ISAKMP policy 65535
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400

    outside_cryptomap_dyn_20 list of allowed ip extended access any 10.0.1.0 255.255.255.248

    attributes global-tunnel-group DefaultRAGroup
    authentication-server-group (outside LOCAL)
    Type-X group tunnel ipsec-ra
    tunnel-group X general attributes
    address pool addresses
    authentication-server-group (outside LOCAL)
    Group Policy - by default-X
    tunnel-group X ipsec-attributes
    pre-shared-key *.
    context of prompt hostname

    mask of 10.0.1.6 - 10.0.1.40 IP local pool 255.255.255.0

    Please remove the acl of the dynamic encryption card crypto, it causes odd behavior

    try to use split instead of the acl acl in dynamic crypto map, and let me know how it goes

  • With PAT on Cisco PIX VPN client

    Dear all,

    I have a PIX 515 to the main site with the IPSec security is enabled. Homepage user using 3.x VPN client connects to the PIX for VPN access. When user Home use real IP, I can ping to the local network of the main site. However, when the Home user using a router with PAT, the VPN can be established.

    Is there a setting I should put on PIX, VPN client or router?

    Thank you.

    Doug

    And if you still have problems, upgrade your pix, 6.3 and usage:

    ISAKMP nat-traversal

    But the first thing would be to check the IPSEC passthrough as Ade suggested. If the device is a linksys check the version of the firmware as well.

    Kind regards

  • Conentrator PIX using NAT on the PIX?

    Hello

    I'm looking for the docs on how to set up an ipsec tunnel hub pix, all the IP behind the pix (inside) should be NAT'ed to a single IP address and have access to the network behind the hub.

    Any help will be appreciated.

    TYIA

    Yes, makes no difference. The policy-NAT'ing for IPsec traffic has priority over the standard PAT for Internet traffic, so traffic above the tunnel will be policy-NAT would rather than 'normal' NAT would be on his way through. ACL encryption will match while the packet is sent, and it will be encrypted and sent via the tunnel.

  • Cannot access the pix on external hard drive

    I have windows 7 Ultimate.  I have an external hard drive.  I have almost 300 pictures on the hard drive that he told me that I don't have permission to open.  I tried the power.  I need these photos.  I have tried to take ownership of the folder in which the photos are.  I can't say whether or not it is what allows property.  I am very frustrated.  I need the pix for the upcoming trial.

    Help!

    Here you go:

    Property to seize your records.

  • Configuration of the PIX 520 with two links to Internet

    Hello.

    I have a pix 520 with four interfaces ethernet firewall, in fact I am with

    just two interfaces,

    Ethernet 0 outdoors

    Ethernet 1 inside

    ethernet2 closed intf2

    ethernet3 closed intf3

    Thus, in the interface to the outside, I have access to the internet, but now I

    access to the internet and I want to configure the two, I mean,.

    a single network inside and two internet access,

    is it posible?

    the perhaps configuration.

    Ethernet 0 (access 1) outdoors

    1 Ethernet (ip 10.1.1.1) inside

    ethernet2 outside2 (access to internet 2)

    ethernet3 inside2? (ip 10.1.1.2)?

    Thanks for the help,

    You can plug it in like that, but there is no way to route traffic by default. PIX does not support this type of connections that you can only configure a default route on the pix. This link should help describe what you can do: http://www.cisco.com/warp/public/110/pixfaq.shtml#Q18

    I hope this helps.

    Kurtis Durrett

  • Fleeing from a host on the PIX 520 but alerts that are still coming to the IDS

    Last week I saw allot of traffic from a particular host that triggers alerts IDS. After investigating the source, I added a statement SHUN to the pix. When I do a 'sho shun stat' of the NTC for this host is quite high (352) and rises. I still get alerts of the IDS on this particular host (Fragment IP and host sweeps). I guess if I was fleeing from an IP address, I don't receive alerts of IDS on that. Can someone explain what I am doing wrong? Thanks in advance.

    Seems obvious, but can't hurt to ask - where the sniff of your sensor interface? Of course, if your sniffing interface is located outside the pix, then junk traffic will always reach the pix - it just won't be through it.

    In addition, are fleeing this host for these alarms? Doing a show 'show shun' that host being blocked FOR the time you see alerts for this particular host?

    Jeff

  • Comment by instructions in the PIX config file?

    Hello

    Is there a way of declarations of entry comment in a PIX config file? If so, how?

    TIA

    Prefix the line with a: (colon).

    for example. The first line of the following is a comment and is ignored

    : Allow access to the Web server

    acl_outside list access permit tcp any host 1.1.1.1 eq www

    Note: Comment lines are deleted when the configuration file is entered in the PIX.

  • Configure the PIX 501 for IDS

    I have a PIX 501 with wired high-speed LAN headquarters inside and outside. Which would be a solid policy IDS to enable and what interfaces it must be applied to? There will be other measures necessary to enable IDS?

    IDS on the PIX itself is very limited, it checks only 59 signatures listed here (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid9 under the section of signatures supported IDS). The signatures themselves are pretty basic.

    If you do not want to activate this, then for the signatures of attacks I would fix for drop/alarm/reset action, which is the default anyway.

    You will also need to set the logging to a syslog server and monitoring for any 4000nn messages in syslog, cause it event IDS.

  • DES/3DES license needed for the PIX 515 active/active configuration.

    Hello

    I am setting up two PIX active/active.

    My problem is that the PIX without restrictions, the 3DES activated license but the FO - AA that just the license OF.

    I would like to know if it is possible to downgrade the 3DES to just unlimited license OF (I know that the alternative would be to upgrade the FO - AA 3DES but I don't need this license).

    Thank you.

    Javier,

    You can get FREE 3DES/AES license of Cisco for your PIX, go here:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_product_index09186a00801bc3ec.html

    Hope this helps and please note post if it isn't.

    Jay

Maybe you are looking for