Need help quick - PIX 515e ver. 6.3(5)
I'm new to this Cisco product and I'm in a jam. I have to get this product operational tomorrow morning.
(Problem:) I've got communications running inside the firewall, and with an access list I can ping the outside world successfully; however, from the inside, behind the firewall, I can't see anything through a web browser. It's as if the traffic does not go through. Please help, what should I do?
Here's a copy of the current configuration:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group service Internet tcp-udp
  description Group for Internet access
  port-object eq echo
  port-object eq www
  port-object eq domain
access-list inside_access_in permit icmp interface inside interface outside echo-reply
access-list inside_access_in permit icmp interface inside interface outside time-exceeded
access-list inside_access_in permit icmp interface inside interface outside unreachable
access-list inside_access_in permit tcp any object-group Internet any object-group Internet log
access-list inside_access_in permit tcp any object-group Internet host 208.50.85.161 object-group Internet log
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 208.x.x.x.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 208.50.x.x.x.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 192.168.1.3-192.168.1.254 netmask 255.255.255.0
global (inside) 1 192.168.1.3-192.168.1.254
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
routing interface outside
  ospf authentication null
routing interface inside
  ospf authentication null
route outside 0.0.0.0 0.0.0.0 208.50.85.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa proxy-limit disable
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server contact
snmp-server community
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 206.165.6.11 209.130.136.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end
access-list inside_access_in permit ip any any
That's my guess.
I'm a GUI guy, I never use the CLI. Good luck.
Similar Questions
-
I'm going to buy a Lenovo SL400 laptop that I customized...
I live in Israel, so one problem: is the AC adapter European or American?
If not, how can I ask for the American AC adapter to be replaced with a European one for the Lenovo?
I would appreciate any kind of help.
Have a nice week, y'all. Gil
Welcome to the forum!
All Lenovo laptops come with a universal power adapter that automatically detects the voltage. You just need an appropriate (detachable) plug for the outlets used in your country.
I hope this helps.
-
Network connectivity crashes XP guest: need help quickly!
I have troubleshot many VMware Workstation problems over the years on my own; however, this one has me baffled.
The setup:
Guest: Windows XP SP3. 1.4 GB of RAM. 2 processors.
Host: Linux 2.6.25 (Gentoo). AMD X2 5600+ 2.9 GHz. 4 GB of RAM. VMware Workstation v. 6.05
Behavior
Since some time last week, the guest has started crashing on boot. After some troubleshooting, I discovered that the guest will boot if the virtual Ethernet networks (NAT and host-only) are disconnected. Logging in after that, it immediately locks up at the prompt. I have not tested extensively, but I think the guest works fine if the Ethernet devices are disconnected.
Fixes attempted
It's needless to say, but I'll say it: VMware Tools are installed and up to date.
I tried uninstalling the guest Ethernet devices, powering the guest off/on, and then reinstalling the virtual devices in the virtual machine settings.
Both devices on the guest had been set with static IPs (below the range assigned by DHCP); however, setting them to DHCP made no difference.
I ran the vmware-config.pl script.
I rebuilt and manually installed the modules (vmblock.ko, vmmon.ko, vmnet.ko).
I ran the guest with the debugger; however, the log produces no significant output.
I tried to boot an installation that I had saved a few months ago. It showed the same behavior.
The host virtual devices seem to work correctly:
root@cruise vmware # ifconfig vmnet1
vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01
          inet addr:192.168.101.1  Bcast:192.168.101.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
root@cruise vmware # ifconfig vmnet8
vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08
          inet addr:192.168.102.1  Bcast:192.168.102.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Both devices answer ping requests.
I need this functionality in the guest in order to get work done, and it is not very useful if I can't get networking.
Important update
I've upgraded to VMware Workstation 6.5.1. I have the same behavior. Now I have another problem: the Workstation upgrade triggered XP to request reactivation. I have three days (until January 8) to re-activate XP. Activating Windows without a network connection is a royal pain.
burmashave wrote:
Since some time last week, the guest has started crashing on boot.
Has nothing changed since last week? Installing updates on your host? A new kernel?
Activating Windows without a network connection is a royal pain.
It takes 6 minutes by telephone.
-
BlackBerry smartphones: need help, Quick Pull does not work
I got Quick Pull Pro, but when I run it, it comes up with this uncaught exception: java.lang.IllegalArgumentException. How can I solve this problem?
Hello!
This will make no sense at all, but try this:
From Blackberryforums:
"User JayinJay:
-
PIX 515E configuration required
Dear all,
Hi. Actually I need help with a PIX 515E. Please check out the scenario and design, and suggest?
Please find the details below and the configuration of the attached VLAN router.
# I want to set it up as
"My LAN on a CISCO 2900 (IP range 172.16.29.X...) (25 PCs) - VLAN router - CISCO PIX - ISP public IP."
# Now it's
"My LAN on CISCO 2900 - VLAN (external) router - ISP."
Details of router & PIX:
# Router inside IP - 172.16.29.1 (the inside IP is very critical and cannot be changed)
# Router outside IP - what IP should I use? (I tried 1.1.1.1 255.255.255.0)
# PIX outside IP - what IP should I use? (My ISP IP? I tried 208.144.230.197, which is currently the outside IP of my router)
# PIX inside IP - what IP should I use? (I tried 1.1.1.2 255.255.255.0)
# My ISP connection is directly from the ISP GW over a Cat 5 Ethernet cable to my VLAN router
# I would allow www, FTP, web-based mail like Yahoo Mail... etc... & Messenger services
VLAN router config:
Current configuration : 1028 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VLANRouter
!
boot-start-marker
boot-end-marker
!
enable password gcsroot
!
no aaa new-model
ip subnet-zero
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.29.1 172.16.29.240
ip dhcp excluded-address 172.16.29.250 172.16.29.254
!
ip dhcp pool dhcppool
   network 172.16.29.0 255.255.255.0
   dns-server 208.144.230.1 208.144.230.2
   default-router 172.16.29.1
!
!
!
!
controller E1 0/0
!
controller E1 0/1
!
!
interface FastEthernet0/0
 ip address 208.144.230.197 255.255.255.224
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.29.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 7 interface FastEthernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 208.144.230.200
!
!
access-list 7 permit 172.16.29.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 login
!
!
!
end
All advice is appreciated.
Kind regards
Hiren s Mehta.
ORG Informatics Ltd.
Bamako, MALI
AFRICA
Hi Hiren,
See the answers below:
# Router inside IP - 172.16.29.1 (the inside IP is very critical and cannot be changed)
When you put the PIX in between the router and your switch, you must set the PIX inside IP to 172.16.29.1 and change the router's inside subnet to some other pool. Do the PAT on the PIX rather than on the router.
# Router outside IP - what IP should I use? (I tried 1.1.1.1 255.255.255.0)
The router's outside IP will be the one given by the ISP... The ISP would have given a public IP address for the WAN link. This cannot be changed.
# PIX outside IP - what IP should I use? (My ISP IP? I tried 208.144.230.197, which is currently the outside IP of my router)
The PIX outside IP must be a public one. The ISP would have given you a LAN subnet. Use it. In this case, the inside interface of the router has an IP address from that same subnet...
# PIX inside IP - what IP should I use? (I tried 1.1.1.2 255.255.255.0)
The PIX inside IP must be 172.16.29.1, which will be the default gateway for all PCs. If you change this subnet, then the PCs should have an IP address on the same subnet that you have decided on.
# My ISP connection is directly from the ISP GW over a Cat 5 Ethernet cable to my VLAN router
Didn't get it... is that on the Internet router or on the switch?
# I would allow www, FTP, web-based mail like Yahoo Mail... etc... & Messenger services
If all these must be permitted from inside to outside, you do not have to open anything... by default, all traffic from inside to outside is allowed (unless you put a deny access list)...
-
Need help to remove kkash virus
Why can't I? I need help to remove the kkash/Rodolphe worm that hijacked my laptop; I can't even turn on Windows. I would think MS Essentials would protect me.
Hello
Scan for malware in Safe Mode with Networking.
http://www.bleepingcomputer.com/tutorials/how-to-start-Windows-in-safe-mode/#Vista
Windows Vista
Using the F8 method:
- Restart your computer.
- When the computer starts, you will see your computer hardware being listed. When you see this information, begin tapping the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options.
- Select Safe Mode with Networking with the arrow keys.
- Then press Enter on your keyboard to boot into Vista Safe Mode.
- When Windows starts, you'll be at a typical logon screen. Log on to your computer and Vista goes into Safe Mode.
- Do whatever tasks you need, and when you are done, reboot to return to normal mode.
Once in Safe Mode with Networking, download and run RKill.
RKill does NOT remove the malware; it stops the malware processes, which gives you a chance to remove them with your security programs.
http://www.bleepingcomputer.com/download/rkill/
Then download, install, update and scan your system with the free version of Malwarebytes Anti-Malware in Safe Mode with Networking:
http://www.Malwarebytes.org/products/malwarebytes_free
Cheers.
-
I need help deleting these accounts quickly because I'm not going to use them anymore.
Cancel/delete email
Hello, look at these emails I created; just a mess.
I need help deleting these accounts quickly because I'm not going to use them anymore.
I just want all my information wiped out of these emails
& when they are removed and all of my information is wiped out, I want these emails to become available and new to others for their use.
E-mail address is removed from the privacy *.
Please, thank you.
Just a guess, but are you talking about Hotmail accounts? If so, please ask here:
Windows Live Solution Center Hotmail Forum
http://windowslivehelp.com/forums.aspx?ProductID=1
-
Need help, there is a strange thing with the PIX!
For the diagram please see www.ciscofan.com/smbc.jpg
Now the EBS router has an NM-1CE1U & NM-30DM, so remote clients can dial in to the network. The PBOC router has a WIC-2T module and connects to the remote site via DDN. The IP address of the PIX ebs interface is x.x.45.2, the IP address of the EBS router's Ethernet is x.x.45.1, and the pool of IP addresses the remote clients can get is x.x.45.110-x.x.45.140. The inside interface of the PIX 515E is x.x.44.1. I use nat 0 0 0 to avoid any NAT (imagine the PIX as a router).
Then the strange thing happens: after configuration, the EBS router cannot ping any address like x.x.44.x. After server1 pings x.x.45.1, both the dialer clients and the EBS router can ping server1, but cannot ping server2; after server2 pings x.x.45.1 (the EBS router), the two dialer clients and the EBS router can ping server2, etc. That is, computers inside must ping computers outside first, then the external computers can access (including ping) the inside servers. And the even stranger thing: if there is no traffic between the EBS (or the EBS router) and the remote client for some time (maybe a few hours, but I'm not sure), the remote dialer clients or the EBS router cannot ping (access) the inside servers. For instance, after one night, in the morning, the remote dialer clients or the EBS router cannot ping x.x.44.x. It seems there is some timeout configuration, but how can I set it up?
What follows is the PIX (515E) configuration:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 ebs security20
nameif ethernet5 pboc security25
enable password n5vL encrypted
passwd 2KFQn encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto shutdown
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu ebs 1500
mtu pboc 1500
ip address outside 127.0.0.1 255.0.0.0
ip address inside x.x.44.1 255.255.255.0
ip address intf2 129.0.0.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address ebs x.x.45.2 255.255.255.0
ip address pboc x.x.46.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address ebs 0.0.0.0
failover ip address pboc 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit ip any any
route pboc 10.24.15.0 255.255.255.0 x.x.46.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
You have no static command to create static translation slots. Thus you rely on outbound connections to create temporary translation slots, but since these are not permanent, you will have problems.
static (inside,outside) x.x.44.0 x.x.44.0 netmask 255.255.255.0
Hope this helps.
-
Hello
I have a PIX 515E currently running 7.
Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or ISP router IP address is provided)?
I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?
I think v7 does not support PPPoE, so I can't set the ADSL modem to bridged mode?
Is there a way to fix this?
Any help gratefully appreciated.
Apply the commands below:
isakmp identity address
isakmp nat-traversal 20
If the problem persists, then please post the entire config with the public IPs hidden.
-
I am a new user and I'm trying to configure a PIX 515e ver 6.3(3). How can I give my inside users access to my web farm located on dmz1? I am able to access the test sites inside and outside dmz1. I can't access the dmz1 web sites from inside. Here is my current config:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxx
passwd xxxx
hostname pix1
domain-name apprendrefacile.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.1 aetest
name 10.10.10.2 aetest1
name 13.13.13.3 aetestdmz
name 13.13.13.4 aetestdmz1
access-list from-out-to permit tcp any any eq www
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 12.x.x.x.255.255.0
ip address inside 10.10.10.2 255.255.255.0
ip address dmz1 13.x.x.x.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
static (inside,outside) 12.12.12.15 aetest netmask 255.255.255.255 0 0
static (inside,outside) 12.12.12.16 aetest1 netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.17 aetestdmz netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.18 aetestdmz1 netmask 255.255.255.255 0 0
access-group from-out-to in interface outside
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.207 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:XXXXX
: end
Thank you... Jay
With PIX v6.x, nat/global or static is a must before the PIX will start to forward packets between two interfaces.
The current static statements do not cover the translation between the inside and the dmz. As the traffic between the PIX inside net and the dmz is private, I suggest you set up no-nat between the two.
For example:
static (inside,dmz1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
clear xlate
With the above example, the PIX inside hosts should be able to access the dmz server by pointing to the private IP address of the dmz web server.
If you prefer the PIX inside hosts to access the dmz server by name, then the "alias" command should be applied.
For example:
alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255
The need for the "alias" command is due to the fact that when a PIX inside host tries to access the dmz server by name, the public DNS will point to the public IP address of the dmz web server. Now, as the static created for the dmz web server is directional, i.e. the public IP will be accessible from the outside, not from the PIX inside net, the "alias" command will allow the PIX to manipulate the DNS response and point the name to the private IP of the dmz web server for the PIX inside host.
-
All my photos are displayed in B&W because somehow I saved a preset to Quick Develop and it renders in B&W. This is for all of my photos. Individually I can undo it, but I need help with how to get rid of the preset so all photos go back to Default or as shot. Thank you
Go to the Develop module and highlight all the images in the filmstrip at the bottom of the screen. Enable Auto Sync, and then click the Reset button to reset all the images to your camera default settings.
-
Cisco VPN Client Authentication - PIX 515E-UR
Hi all,
I need your expert help on the following issues I have:
1. I would like to create more than 1 VPN client group on my PIX-515E. This is so that I can give a different part of the internal network access to different types of VPN connection. For example, I want one group to have no XAUTH, while the other group must use RADIUS XAUTH. Is it possible for me to do this? I see the PIX automatically enables RADIUS on both VPN client groups.
2. The RADIUS server is a Microsoft ISA server with IAS, and it is located on the PIX inside interface. The VPN endpoint is the external interface of the PIX. Is there a problem with this setup? Do I need to have the RADIUS server located on the external interface?
3. What command can I use to debug RADIUS authentication?
Thanks in advance for your help.
Hi Vincent,
(1) You can use vpngroup * authentication-server ipaddress to specify the IP address of the RADIUS server for a particular group... If you do not specify this, the user authentication is done locally... also check the vpngroup * user-authentication command.
(2) There should be no problem with your setup... it should work fine... If the RADIUS is outside, it is subject to many attacks... so have it inside...
(3) Use "debug radius session" or "debug aaa authentication..."
I hope this helps... all the best... rate the responses if found useful
REDA
-
Need help understanding static with nat 0
Hi all
I have a PIX 515e with 6 interfaces. 5 interfaces are considered internal and we don't want any NAT translation to occur between them. We want NAT only between the 5 and the external interface.
I created a No_Nat ACL successfully to not NAT any of it.
What I have trouble understanding is the static command to allow traffic between higher levels and lower levels and vice versa.
I understand the
static (inside,outside) inside_address outside_address
for the NAT translation part.
What I do not understand is when the inside address and the outside address are the same, which order they go in. For example, my inside interface (192.168.1.0/24) (sec100) is where the live servers are, and I have another interface named accounting (192.168.2.0/24) (sec75).
If I don't want any NAT to occur between these two, I have the following
access-list No_Nat permit ip 192.168.1.0/24 192.168.2.0/24
access-list No_Nat permit ip 192.168.1.0/24 192.168.2.0/24
nat (inside) 0 access-list No_Nat
nat (accounting) 0 access-list No_Nat
Now how do I enter the static command?
Maybe
static (inside,accounting) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
or
static (inside,accounting) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
or
static (accounting,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
or
static (accounting,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
I do not understand the prescribed order for it and why one way would be used versus the other. Does the security level determine the order? Do I need two static commands, one for each direction?
Thank you
Denny
Hello Denny
static can be defined either way... it's only the traffic that determines which... for example, if the accounting dmz is to access any server on your inside interface, you normally want the accounting servers to see the original inside server on its public IP... so you will end up with a static like
static (inside,accounting) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Only the above static command is sufficient to establish connectivity between inside and the accounting dmz. You don't need 2 statics in any sense...
Similarly, if you want inside users to access a server on the accounting dmz, you can write a static like
static (accounting,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
Hope you understand. Let us know if you need help... but normally a nat 0 statement is more than enough for the inside/dmz communication
Kind regards
REDA
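The dmz1 thread above (answered with `static (inside,dmz1) 10.10.10.0 10.10.10.0 ...`) and Denny's question about which static to write between inside and accounting turn on the same PIX 6.x rule: no packet is forwarded between two interfaces until a static, a nat/global pair, or a nat 0 covers that pair. The following checker is an added example; it is not code from either thread nor a Cisco tool. It reads only the `nameif`, `static`, `nat` and `global` lines of a PIX 6.x config (a constructed sample with hypothetical addresses, loosely mirroring the dmz1 thread) and reports interface pairs that no translation covers, so a config can be sanity-checked before the "why can't inside reach the dmz" question comes up.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample PIX 6.x config (hypothetical addresses): statics and a
# nat/global pair exist toward outside, but nothing covers inside <-> dmz1.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
static (inside,outside) 12.12.12.15 10.10.10.1 netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.17 13.13.13.3 netmask 255.255.255.255 0 0
global (outside) 1 12.12.12.20-12.12.12.30 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
STATIC_RE = re.compile(r"^static\s+\((\w+),\s*(\w+)\)")
NAT_RE = re.compile(r"^nat\s+\((\w+)\)\s+(\d+)")
GLOBAL_RE = re.compile(r"^global\s+\((\w+)\)\s+(\d+)")

# (security level per interface, static (high,low) pairs, nat id -> interfaces, global id -> interfaces)
Config = Tuple[Dict[str, int], Set[Tuple[str, str]], Dict[int, Set[str]], Dict[int, Set[str]]]


def parse_config(text: str) -> Config:
    """Collect the four kinds of lines that decide whether a pair of interfaces can talk."""
    levels: Dict[str, int] = {}
    statics: Set[Tuple[str, str]] = set()
    nat_ids: Dict[int, Set[str]] = {}
    global_ids: Dict[int, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := STATIC_RE.match(line):
            statics.add((m.group(1), m.group(2)))
        elif m := NAT_RE.match(line):
            nat_ids.setdefault(int(m.group(2)), set()).add(m.group(1))
        elif m := GLOBAL_RE.match(line):
            global_ids.setdefault(int(m.group(2)), set()).add(m.group(1))
    return levels, statics, nat_ids, global_ids


def has_translation(cfg: Config, a: str, b: str) -> bool:
    """True if some translation lets the higher-security side of (a, b) reach the lower one."""
    levels, statics, nat_ids, global_ids = cfg
    # A static is written (high,low), so order the pair by security level first.
    high, low = (a, b) if levels[a] >= levels[b] else (b, a)
    if (high, low) in statics:                 # static (high,low) ..., identity statics included
        return True
    if high in nat_ids.get(0, set()):          # nat (high) 0 ...: exempt toward every lower interface
        return True
    for nat_id, ifaces in nat_ids.items():     # nat (high) N paired with global (low) N
        if nat_id != 0 and high in ifaces and low in global_ids.get(nat_id, set()):
            return True
    return False


def missing_pairs(text: str) -> List[Tuple[str, str]]:
    """Interface pairs (higher-security interface first) that no static/nat/global covers."""
    cfg = parse_config(text)
    names = sorted(cfg[0], key=lambda n: -cfg[0][n])
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if not has_translation(cfg, a, b)]


if __name__ == "__main__":
    for high, low in missing_pairs(SAMPLE_CONFIG):
        print(f"no translation between {high} and {low}: consider "
              f"static ({high},{low}) <{high}-net> <{high}-net> netmask <mask>, or nat ({high}) 0 ...")
```

Run against the constructed sample it reports only the inside/dmz1 pair; appending the identity static from the dmz1 answer, or a `nat (inside) 0 access-list ...` line as in Denny's thread, clears the finding. The check is deliberately coarse: it looks at interface pairs, not at the address ranges inside each statement, so it tells you a pair has no translation at all, not that every host is covered.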
-
VPN with ASA 5500 vs VPN with PIX 515E
I wonder what the differences are between using an existing PIX 515E for VPN remote users as opposed to acquiring an ASA 5500 for VPN remote users? Any information or advice is appreciated to help me lean toward one or the other.
Craig
Depending on the version of the code that you run on the PIX, the VPN features on the PIX or ASA should be the same. So if the choice is not based on differences in features, what else would help guide the choice? You could consider whether the existing PIX has sufficient resources to add the extra VPN processing load or whether you should put that on another box. You might consider that the PIX is an older product range and its end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I would probably prefer to use the newer technology over the old technology. I also believe that the ASA will give you more choice of technology going forward (a better growth path), while the PIX provides current capacity but no path for growth.
On the other hand, there is the aspect to consider that using the existing PIX does not require buying something new, and an ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.
HTH
Rick
-
I have two PIX 515E firewalls v7.01 configured in a failover scenario.
The two units were operating without problem. The primary worked very well and configuration changes were transferred to the secondary.
Per TAC support, the only thing needed to test the failover was to issue a 'reload' command on the primary, and the secondary would take over as primary. Then issue 'failover active' on the rebooted device once it was up in the secondary role.
Failover to the secondary unit worked without problem; it was a smooth transition to the secondary unit.
The problem came in that the original primary unit is stuck in a loop when trying to reload, with what look like configuration errors. It will not properly boot up.
Is this not a valid procedure to test the failover?
It seems that in the real world this could actually happen, and failover should work?
Among what is shown:
Config ERROR: invalid log level
keyword specified; level must be emergencies(0) - debugging(7) Config error - access-list acl_in extended permit tcp any host 208.13.32.36 eq smtp log
Out of config line 359, "access-list acl_in exten..."
Config sync error: The following command could not be executed in standby mode
Platform
access-list acl_in permit tcp any host 208.13.32.36 eq smtp log inactive
Use BREAK or ESC to interrupt boot.
ridge/vlan/modify flash): m
e inactivea VLAN
CONFIGURATION REPLICATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE,
Reading 115200 bytes of image from flash.
TO AVOID THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION, THE STANDBY UNIT WILL NOW REBOOT.
You're not going to like this answer.
It seems that commands typed in and abbreviated by Cisco in the configuration are not valid when copied/pasted in, or when the firewall is rebooted or receives the configuration from an active firewall.
I don't know exactly what you did, but here's what I did to reproduce your problem:
I typed in the command:
access-list acl_in permit tcp any host 208.13.32.36 eq smtp log informational interval 300 inactive
Since "log informational interval 300" is the default, it is actually saved in the running-config as:
access-list acl_in permit tcp any host 208.13.32.36 eq smtp log inactive
That's *not* a valid command (the word following "log" must be a logging level) if you try to type it in. When you rebooted the firewall, it tried to pull the configuration from the active device (because it is now standby), received this line, and since it can't run it (because it is not a valid command), it keeps rebooting itself, so that it cannot take over and be the active firewall.
The best way to deal with this is to take this line (and other lines like it) out of the active firewall now - the line is marked "inactive" anyway, so this should not affect you. The other way would be to change that line to something non-default (changing the logging level may be easiest). That way, when the primary/secondary reboots again, the command received will have a valid log level (or, if you take the lines out, they will not be a problem) and the rest of the configuration process will proceed.
You can also report this to Cisco as a bug, if they are not combing these forums already.
-Jason
Rate this if it helps.
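Jason's explanation above reduces to one check that can be run over a saved config before it is pushed to a failover pair: on an access-list line, the token right after `log` must be a logging level (emergencies(0) to debugging(7), by name or number), one of `interval`, `disable` or `default`, or nothing at all; anything else, such as `inactive`, is what the standby unit refuses during config sync. The linter below is an added example, not from the thread and not a Cisco tool; it implements only that rule, over a constructed sample that reuses the thread's `acl_in` line, and the `LOG_KEYWORDS` set is an assumption about the PIX 7 syntax rather than something the thread states.

```python
from typing import List, Optional, Tuple

# Levels the PIX accepts after "log" on an access-list line, as named in the console
# error quoted in the thread: emergencies(0) .. debugging(7); a bare number also works.
LOG_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
              "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
# Other tokens a log clause may start with (assumed from the PIX 7 access-list syntax).
LOG_KEYWORDS = {"interval", "disable", "default"}


def log_level_problem(line: str) -> Optional[str]:
    """Describe the defect if the token after 'log' is not a level/keyword; None if the line is fine."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "access-list" or "log" not in tokens:
        return None
    after = tokens[tokens.index("log") + 1:]
    if not after:
        return None                              # "... log" with nothing after it is accepted
    nxt = after[0]
    if nxt in LOG_LEVELS or nxt in LOG_KEYWORDS:
        return None
    if nxt.isdigit() and int(nxt) in LOG_LEVELS.values():
        return None
    return (f'"{nxt}" directly after "log" is not a logging level '
            f"(emergencies(0) - debugging(7)); the standby unit will reject this line")


def lint_config(text: str) -> List[Tuple[int, str, str]]:
    """(line number, line, problem) for every access-list line the standby would refuse."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        problem = log_level_problem(raw.strip())
        if problem:
            findings.append((n, raw.strip(), problem))
    return findings


# Constructed sample. Line 1 is the form the thread shows being saved to the running-config;
# line 2 is the same rule with an explicit non-default level, Jason's second workaround.
SAMPLE_CONFIG = """\
access-list acl_in extended permit tcp any host 208.13.32.36 eq smtp log inactive
access-list acl_in extended permit tcp any host 208.13.32.36 eq smtp log warnings inactive
access-list acl_in extended permit tcp any host 208.13.32.36 eq www log informational interval 300 inactive
access-list acl_in extended permit tcp any any eq ftp log
access-list acl_in extended permit udp any any eq domain log 6 interval 60
"""


if __name__ == "__main__":
    for n, line, problem in lint_config(SAMPLE_CONFIG):
        print(f"line {n}: {problem}\n    {line}")
```

On the constructed sample only line 1 is reported. Running this over `show running-config` output of the active unit before a reload test is cheaper than discovering the problem from the standby's reboot loop.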