HTTPS and PDM on a PIX 515

I tried to connect to my pix vai the web page and I could not.

I tried Https://192.168.1.1 but I wasn't happy.

My question is:

Do I need to have Java or any other software installed on my WEB interface prior PC between my PC and the PIX.

Thank you

Hi vitancr,

your PDM version is compatible with your IOS? Otherwise, you can download a version that is compatible...

Another important thing allows http, what you already have...

Try again with another laptop or PC using the same IP address... maybe there is a problem with this PC... it can happen sometimes...

all the best...

Tags: Cisco Security

Similar Questions

HTTP does not not to PIX 515

It was working last week and it works for others, even today, but my PC I get the following:

exception: Java.Security.AccessControlException: access denied

Our PC tech did something to my system trying to make me an administrator, and he has NOT worked since. I got out for Sun.com and downloaded the latest version of Java runtime, without result.

All of the Suggestions.

The problem is a bug in the edition of Sun Java 1.5.x, downgarde JDK Version 1.4.1_02 and everything works again.

sincerely

Patrick

PDM with PIX 515 does not work

I just upgraded our PIX 515 of 6.1 to 6.2. I also added support FOR and loaded the version 2.1 of the PDM. I am trying to browse the MDP, but I can't. What Miss me?

Hello

have you added the following lines to your config file and have you used HTTPS to access the pix (http is not taken in charge, only https)?

Enable http server

http A.B.C.D 255.255.255.255 inside

A.B.C.D is the ip address of the host from which you are trying to reach the pix with the pdm.

If you're still having problems after the addition of these two lines, you might have a look at this page:

http://www.Cisco.com/warp/customer/110/pdm_http404.shtml

Kind regards

Tom

PIX 515 and software version 6.3 (4)

We have a PIX 515 (not 515E). Currently, we are running software version 6.2 (2). I was wondering if we can improve the software to version 6.3 (3) or 6.3 (4), or do we need to replace the hardware with PIX 515E?

Also what should I do on my current PDM version 2.0 (2) if it is possible to upgrade the PIX to a 6.3 version?

Thank you.

You can run on the Pix515 6.34. It takes at least 16 MB of flash and 32 MB of RAM.

If you use PDM, you will need to be updated also.

Josh

How to open a port and limit the range of addresses that use it on PIX 515?

I have a Pix 515 v6.3 and a new piece of software that I'm getting soon need aura 5080 open port for incoming & outgoing HTTP traffic. The server will be in my DMZ to 10.0.0.1

I would like to restrict inbound access to this port so that it can be used in 4 specific IP adderess foreign xxx.xxx.xxx.24 through xxx.xxx.xxx.27 and also, if possible, limit the outbound destination using this port to a single specific foreign IP address xxx.xxx.xxx.30.

Could you please tell me the best way to do it.

Thank you in advance for a relative novice to PIX.

PIX (config) # access list acl-outside permit tcp host xxx.xxx.xxx.24 host MyWWWPublicIP eq 5080

PIX (config) # access list acl-outside permit tcp host xxx.xxx.xxx.25 host MyWWWPublicIP eq 5080

PIX (config) # access list acl-outside permit tcp host MyWWWPublicIP eq xxx.xxx.xxx.26 host 5080

PIX (config) # access list acl-outside permit tcp host MyWWWPublicIP eq xxx.xxx.xxx.27 host 5080

PIX (config) # access - group acl-outside in interface outside

PIX (config) # access list acl - dmx permit tcp host 10.0.0.1 xxx.xxx.xxx.30 eq 5080

PIX (config) # access - group acl - dmz dmz interface

static (inside, outside) MyWWWPublicIP 10.0.0.1 netmask 255.255.255.255 0 0

See also:

PIX 500 series firewall

http://www.Cisco.com/pcgi-bin/support/browse/psp_view.pl?p=hardware:PIX & s = Software_Configuration

Configuration of the PIX Firewall with access to the Mail Server on the DMZ network

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

sincerely

Patrick

MM, pix 515 and mac filtering

I have an application called MeetingMaker, located at the back of my pix 515 that is used off site by 5 users. Since accessing this program on the internet, and users can have dynamic addresses, it is possible to filter by mac address somehow to allow access through the firewall to the app? Thank you.

MAC addresses not browse the limits of layer 3. In others, your MAC address of clients cannot be seen or known once the traffic passes through the default router for that subnet. So the answer to your question is 'no '.

You can use AAA to handle this. How your clients connect to the server? (port/application)? If its HTTP/S, the Pix can check this name of user and password before allowing access. If it is a part on request/port, you can still use authentication by requiring them to connect to the web server out there first. This will cause the Pix to authenticate by using the challenge of browser, and the Pix can be configured to allow connections to the hosts authentiated.

PIX 515 and VAC + card

Hello

I just installed a map VAC + in our pix 515.

I can check if the card is installed and working properly.

"sh worm" gives no information if the card is installed.

Greatings Marc

Do a 'show' version and 'see the crypto engine check.

See Q & A map VAC:

http://www.Cisco.com/en/us/customer/products/HW/vpndevc/ps2030/products_qanda_item09186a0080148723.shtml

sincerely

Patrick

Upgrade from PIX 515

Hi all

My company needs upgrade its PIX 515 to have the function VPN 3DES for remote site connection. So I just need to buy a license of 3DES for the PIX functionality? and can I also upgrade the IOS 6.1 so that I can use PDM to config the PIX? And I also need to upgrade the memory in the PIX?

Thank you very much!

Best regards

Teru Lei

Yes to the first question.

Better 6.2 and pdm 2.1 I think.

How much memory do you have? Reach

http://www.Cisco.com/en/us/customer/products/sw/secursw/ps2120/prod_release_note09186a00800b1138.html#xtocid4

There is memory for pix 6.2 requirements

Good luck!

--

Alexis Fidalgo

Systems engineer

AT & T Argentina

PIX 515 DMZ problem

Hello

We have some difficulty in moving traffic in and out of a Cisco PIx 515 firewall. We use it with two demilitarized. The first DMZ has a mail in her Server (before end mail server) that communicates with a different mail server (back end mail server) inside, it is called DMZ1. The second DMZ (DMZ2) has some users who are expected to pass through the firewall to the outside and use the internet and must have access to the e-mail DMZ1 server. Inside users must be able to use the Internet and can access DMZ1. Here's the important part of our Setup.

What we were doing, we can correctly access from inside, inside users to access internet permit to join the DMZ1 e-mail server and the mail in DMZ1 server the inside. Our problem is that we are unable to browse the internet on the DMZ1 Messaging server if we put DMZ1 as gateway ip address on that server and the address ip of the DNS of the ISP is propely located on the same machine. Also, we could not do DMZ2 users browse the internet, although we allowed the www Protocol in the fromOut access list. One last question, can we do the DMZ2 a DHCP server on the interface on the PIX and do distribute ip addresses to users on that subnet only? Thanks for any help in advance.

6.3 (3) version PIX

interface ethernet0 car

Auto interface ethernet1

Auto interface ethernet2

Auto ethernet3 interface

!

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

nameif ethernet2 dmz1 security50

nameif ethernet3 dmz2 security40

!

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

!

names of

!

IP outside X.Y.Z.163 255.255.255.248

IP address inside 192.168.0.9 255.255.255.0

dmz1 192.168.10.1 IP address 255.255.255.0

IP address dmz2 192.168.20.1 255.255.255.0

!

fromOut list of access permit icmp any host X.Y.Z.162 source-quench

fromOut list of access permit icmp any host X.Y.Z.162 echo-reply

fromOut list of access permit icmp any unreachable host X.Y.Z.162

fromOut list of access permit icmp any host X.Y.Z.162 time limit

fromOut list access permit tcp any host X.Y.Z.162 EQ field

fromOut list access permit tcp any host X.Y.Z.162 eq telnet

fromOut list access permit tcp any host X.Y.Z.162 eq smtp

fromOut list access permit tcp any host X.Y.Z.162 eq www

!

fromDMZ1 list of access permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0

fromDMZ1 list of allowed access host ip 192.168.10.2 192.168.0.0 255.255.255.0

!

fromDMZ2 list of access allowed tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

!

pager lines 24

!

Outside 1500 MTU

Within 1500 MTU

dmz1 MTU 1500

dmz2 MTU 1500

!

Global (outside) 1 X.Y.Z.164 netmask 255.255.255.248

Global (outside) 2 X.Y.Z.165 netmask 255.255.255.248

NAT (inside) 1 192.168.0.0 255.255.255.0 0 0

NAT (dmz1) 1 192.168.10.2 255.255.255.255 0 0

NAT (dmz2) 2 192.168.20.0 255.255.255.0 0 0

static (inside, dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

static (dmz2, dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

static (dmz1, external) X.Y.Z.162 192.168.10.2 netmask 255.255.255.255 0 0

!

Access-group fromOut in interface outside

Access-group fromDMZ1 in interface dmz1

Access-group fromDMZ2 in the dmz2 interface

Route outside 0.0.0.0 0.0.0.0 X.Y.Z.161 1

Hi jamil,.

There is a sentence on the URL I sent you, you can now activate dhcp option within the interface. Just check this...

REDA

termination of VPN client 4.0 on pix 515

I am trying to connect the cisco 4.0 vpn client to a worm of pix 515 6.1 and receive as a result of errors that I guess are the related hashing algorithm but am not sure. Only DES is not enabled 3DES. Config output Cisco post interprets but apparently no error in config.

Journal of VPN client:

Cisco Systems VPN Client Version 4.0 (Rel)

Copyright (C) 1998-2003 Cisco Systems, Inc. All rights reserved.

Customer type: Windows, Windows NT

Running: 5.0.2195

1 10:58:34.890 25/09/03 Sev = Info/4 CM / 0 x 63100002

Start the login process

2 10:58:34.906 25/09/03 Sev = Info/4 CVPND/0xE3400001

Microsoft's IPSec Policy Agent service stopped successfully

3 10:58:34.906 25/09/03 Sev = Info/4 CM / 0 x 63100004

Establish a connection using Ethernet

4 10:58:34.906 25/09/03 Sev = Info/4 CM / 0 x 63100024

Attempt to connect with the server "x.x.x.226".

5 10:58:35.953 25/09/03 Sev = Info/6 IKE/0x6300003B

Attempts to establish a connection with x.x.x.226.

6 10:58:36.000 25/09/03 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Nat - T), VID (Frag), VID (Unity)) at x.x.x.226

7 10:58:36.000 25/09/03 Sev = Info/4 IPSEC / 0 x 63700008

IPSec driver started successfully

8 10:58:36.000 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

9 10:58:41.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

Retransmit the last package!

10 10:58:41.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

11 10:58:46.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

Retransmit the last package!

12 10:58:46.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

13 10:58:51.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

Retransmit the last package!

14 10:58:51.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

15 10:58:56.093 25/09/03 Sev = Info/4 IKE / 0 x 63000017

Marking of IKE SA delete (I_Cookie = 20FC277498A5D2DC R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 10:58:56.593 25/09/03 Sev = Info/4 IKE/0x6300004A

IKE negotiation to throw HIS (I_Cookie = 20FC277498A5D2DC R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17 10:58:56.593 25/09/03 Sev = Info/4 CM / 0 x 63100014

Could not establish the Phase 1 SA with the server 'x.x.x.226' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.

18 10:58:56.593 25/09/03 Sev = Info/5 CM / 0 x 63100025

Initializing CVPNDrv

19 10:58:56.593 25/09/03 Sev = Info/4 IKE / 0 x 63000001

Signal received IKE to complete the VPN connection

20 10:58:56.625 25/09/03 Sev = critique/1 CVPND/0xE3400001

Service Microsoft's IPSec Policy Agent started successfully

21 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

22 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

23 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

24 10:58:57.093 25/09/03 Sev = Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Journal of Pix:

crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

Peer VPN: ISAKMP: approved new addition: ip:x.x.x.194 Total VPN peer: 1

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 1 Total VPN EEP

RS: 1

Exchange OAK_AG

ISAKMP (0): treatment ITS payload. Message ID = 0

ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: preshared extended auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform against the policy of priority 1 2

ISAKMP: encryption... What? 7?

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared extended auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 3 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 4 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 5 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: preshared extended auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 6 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared extended auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 7 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 8 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 9 against the policy of priority 1

ISAKMP: 3DES-CBC encryption

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: preshared extended auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4

crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 2 Total VPN EEP

RS: 1

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 1 Total VPN EEP

RS: 1

crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 2 Total VPN EEP

RS: 1

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 1 Total VPN EEP

RS: 1

ISAKMP (0): retransmission of phase 1...

ISAKMP (0): retransmission of phase 1...

ISAKMP (0): delete SA: src x.x.x.194 dst x.x.x.226

ISADB: Reaper checking HIS 0x80db91c8, id_conn = 0 DELETE IT!

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 0 Total of VPN EEP

RS: 1

Peer VPN: ISAKMP: deleted peer: ip:x.x.x.194 VPN peer Total: 0

ISAKMP: Remove the peer node for x.x.x.194

Thanks for any help

Hello

Pix isakmp policy should have DES, MD5, and group 2 for the 4.x to connect Cisco VPN client, these are proposals that the client sends to the server...

http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/rel4_0/admin_gd/vcach6.htm#1157757

This link will show you IKE proposals be configured on the PIX (VPN server)

Arthur

Allowing ICMP and Telnet via a PIX 525

We are trying to build a new block of distribution to our backbone WAN. We are experiencing a problem when establishing ICMP and Telnet via the PIX. The following is known:

1 Ping and telnet to the 6509 and internal network works very well for the PIX.

2 Ping the 7206 for the PIX works just fine.

3 debug normal to see activity track ICMP for connections ICMP for the PIX of the network 6509 and internal; However, the debug shows nothing - no activity - during attempts to ping at a.b.5.18. (see below).

In short, all connections seem to be fine between the three devices, however, we can get ICMP and Telnet work correctly through the PIX.

The layout is:

6509 (MSFC) - PIX 525-7206

IP:a.b.5.1 - a.b.5.2 a.b.5.17 - a.b.5.18

255.255.255.0 255.255.255.240 255.255.255.240

(both)

networks: a.b.5.0 a.b.5.16

255.255.255.240 255.255.255.240

6509:

interface VlanX

Description newwan-bb

IP address a.b.5.1 255.255.255.0

no ip redirection

router ospf

Log-adjacency-changes

redistribute static subnets metric 50 metric-type 1

passive-interface default

no passive-interface Vlan9

((other networks omitted))

network a.b.5.0 0.0.0.255 area 0

default information are created

PIX 525:

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

nameif ethernet2 security10 failover

hostname XXXXXX

domain XXX.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol 2000 skinny

names of

access ip-list 102 permit a whole

access-list 102 permit icmp any one

access-list 102 permit icmp any any echo

access-list 102 permit icmp any any echo response

access-list 102 permit icmp any any source-quench

access-list 102 permit everything all unreachable icmp

access-list 102 permit icmp any one time exceed

103 ip access list allow a whole

access-list 103 allow icmp a whole

access-list 103 permit icmp any any echo

access-list 103 permit icmp any any echo response

access-list 103 permit icmp any any source-quench

access-list 103 allow all unreachable icmp

access-list 103 allow icmp all once exceed

pager lines 24

opening of session

timestamp of the record

logging buffered stored notifications

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

Outside 1500 MTU

Within 1500 MTU

failover of MTU 1500

IP address outside a.b.5.17 255.255.255.240

IP address inside a.b.5.2 255.255.255.240

failover from IP 192.168.230.1 255.255.255.252

alarm action IP verification of information

alarm action attack IP audit

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

Access-group 103 in external interface

Route outside 0.0.0.0 0.0.0.0 a.b.5.18 1

Route inside a.0.0.0 255.0.0.0 a.b.5.1 1

Inside a.b.0.0 255.240.0.0 route a.b.5.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

No sysopt route dnat

Telnet a.0.0.0 255.0.0.0 outdoors

Telnet a.0.0.0 255.0.0.0 inside

Telnet a.b.0.0 255.240.0.0 inside

Telnet a.b.5.18 255.255.255.255 inside

Telnet timeout 5

SSH timeout 5

Terminal width 80

Recognizing any help on proper routing through a PIX 525, given that all this is for a network internal.

on the 6509, why the int has a 24 subnet mask, when everything has a 28? If you try the 6500 ping.18, he thinks that it is on a local network, and there no need to route through the pix

Your access lists are confusing.

access-list # ip allowed any one should let through, and so everything that follows are redundant statements.

for the test,.

alloweverything ip access list allow a whole

Access-group alloweverything in interface outside

should the pix act as a router - you are effectively disabling all firewall features.

PIX 515 limited software technical spec

I couldn't find a complete tech

specifications of the restricted part of the software on the PIX-515-R-DMZ-BUN, which is this chassis seem to bear no x interfaces, y amount of RAM and Z no users inside. X = 3, Y = 32 meg, which is Z and are there restrictions more and more of this?

Rgds

Martyn Beck

The only chassis PIX that has limitations of the user is the 501 PIX which comes with a 10, 50 or unlimited user license. The 515 has not any restrictions on the number of internal users that this number is rather arbitrary. Instead, we use the throughput and simultaneous connections that are roughly 190 MB of throughput and 130 000 simultaneous connections. Also the license restricted on the 515 does not failover of any kind.

Here is a link to 515E data sheets:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_data_sheet09186a0080091b15.html

I hope this helps.

Scott

PIX 515 no traffic on the new IP address don't block

We have received a new range of ips 213.x.x.x/28 from our ISP. They are routed through our existing entry door 92.x.x.146.

The problem:
We can not all traffic to the pix on the new 213.x.x.x/28 range.
-If we try to ping 213.x.x.61, we get the lifetime exceeded.
-ISP Gets the same thing of their router.
-ISP tries ssh and gets no route to host.

The ISP has ticked then double the Routing and the MAC address of our external interface. They are correct.

The strange thing is that we cannot see THE log messages about the new range of incoming connection attempts. The Pix is running at the level of the journal 7.

Does anyone have an idea what could be the problem? or suggestions for debugging the issue?

Excerpt from config:
7.0 (7) independent running Pix 515
outside 92.x.x.146 255.255.255.240
inside 192.168.101.1 255.255.255.0
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 92.x.x.145 1
Access-group acl_out in interface outside
acl_out list extended access permit tcp any host 213.x.x.x eq www
acl_out list extended access permit tcp any host 213.x.x.x eq ssh
static (inside, outside) 213.x.x.61 192.168.101.99 netmask 255.255.255.255
ICMP allow any inaccessible State

192.168.101.99 is a test with http and ssh linux server

Any help much appreciated.

PM
```
dsc_tech_1 wrote:
I have spoken to the ISP and confirmed the MAC address of the outside interface Ethernet0

    ISP says

    ...we are sending this correctly to your pix, you should see any traffic destined for a 213.x.x.0/28 address hit your interface at 92.x.x.146/32

Yes 217.x.x.81 and 217.x.x.82 are routers owned by our ISP.
Is there anything else I can ask the ISP in terms of testing/debugging? I've run out of ideas.
```
If the routers are owned by your ISP, then the fault lies with them. They have a routing loop in their network and that's why packages are not your firewall. You have them shown the traceroute?

They must focus on the routeurs.81 et.82 to establish why the packets are looped between these 2 routers. Until they fix this packet will never get your firewall.

Jon

ASA: Equivalent to the pdm on a Pix command.

Hello

I'm currently spending my Pix to an ASA 5520... itineraries of all ACL, static, groups, and so on work very well for transfer via BUT does not have the command of PDM. Is there a command for the SAA, which is equivalent to the command of PDM on the Pix?

Thank you

Chris

Hi Chris,

I haven't worked directly on a SAA, but I think that she and the PIX 515E I am watching with anger at the present time, both run 7.0.x.

What you're after (the app formerly PDM) is now called ASDM. I * think * the same commands will work to implement access ASDM (enable http server, etc.), but the PDM commands that appear in the config are actually 'locators' that PDM is used to reference objects. Thus, when an object (network, etc.) has been created in the MDP, he created a "(emplacement PDM x) entry in the config to help track."

I don't think that you can get away from simply by changing PDM to ASDM (or maybe it work?) and I think that what you have to do is to allow him to discover things for yourself, OR click on "unidentified object" button that appears from time to time.

Out of curiosity, do you find ASDM an improvement on PDM? Maybe it's me, but I find them both extremely counterintuitive.

HTH-

Gary

Limit the number of users for a pix 515 uauth

I have a PIX 515 authenticate and authorize against a Cisco Secure ACS server for outbound internet connections (using the web prompt). For the purposes of scale, I need to know the maximum number of sessions competitor for these types of users. I know there is a limit of 16 reviews on simultaneous approval process (the process of logging in first), but once they are connected, is there a limit?

Once connected, the number of connections is limited by the number of concurrent connections that can handle a PIX. For example, the PIX 515 E can handle a maximum of 130 000 concurrent connections.

HTTPS and PDM on a PIX 515

Similar Questions

Maybe you are looking for