ID and PIX 515
I was told that the PIX 515E firewall is capable of BLOCKING malicious attacks such as Denial of Service attacks. I have since been told by CA engineers that there is NO product out there that is able to block attacks, but rather only notify the administrator. I'd like your opinion on whether the PIX firewall can actually BLOCK attacks or not. Thanks in advance.
The PIX has some features to prevent DoS attacks, but it can't block everything. For example, if someone launches a smurf attack or something that uses all of your available bandwidth, then the PIX obviously cannot do anything about it, because the damage is already done by the time the traffic reaches the PIX.
For something like a TCP SYN attack on a host inside the PIX, you can configure the static command to allow only a certain total number of connections through, and/or a certain number of half-open connections through to the internal host, effectively protecting the internal server. The PIX will refuse further connection attempts over this limit.
The PIX also has a limited built-in IDS. It can detect 59 common packet signatures and can be configured to block these if they are seen. The signatures that it looks for are only packet-based signatures, nothing as wide-ranging as a real IDS device can get.
In short, no one can say, "Yes, the PIX prevents all DoS attacks"; no box can do that, because it depends on what the DoS attack is. If someone is flooding your available circuit bandwidth, you really need to get your ISP involved to block this traffic BEFORE it gets to you. For host-based DoS attacks, yes, the PIX should be able to block most of them with standard configuration controls.
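The connection limits on the static command mentioned in the answer above can be audited from a saved configuration. This is an added example, not part of the original posts: the function names are hypothetical, the sample configuration is constructed, and it assumes the PIX 6.x static syntax in which the two trailing numbers are max_conns and em_limit and 0 (or an omitted value) means no limit.

```python
import re

# PIX 6.x form assumed here:
#   static (real_if,mapped_if) [tcp|udp] mapped [port] real [port]
#          [netmask mask] [max_conns [em_limit]]
# In that syntax 0, or an omitted value, means "no limit".
STATIC_HEAD = re.compile(
    r"^static\s*\(\s*([\w-]+)\s*,\s*([\w-]+)\s*\)\s+(.+)$", re.I)


def parse_static(line):
    """Return a dict describing one static command, or None for other lines."""
    m = STATIC_HEAD.match(line.strip())
    if not m:
        return None
    real_if, mapped_if, rest = m.groups()
    tok = rest.split()
    if tok[0].lower() in ("tcp", "udp"):           # port-redirection form
        if len(tok) < 5:
            return None
        mapped, real = f"{tok[1]}:{tok[2]}", f"{tok[3]}:{tok[4]}"
        tok = tok[5:]
    else:
        if len(tok) < 2:
            return None
        mapped, real = tok[0], tok[1]
        tok = tok[2:]
    if len(tok) >= 2 and tok[0].lower() == "netmask":
        tok = tok[2:]
    limits = [int(t) for t in tok if t.isdigit()]  # skips keywords such as norandomseq
    limits += [0] * (2 - len(limits))              # omitted values default to 0
    return {"real_if": real_if, "mapped_if": mapped_if, "mapped": mapped,
            "real": real, "max_conns": limits[0], "em_limit": limits[1]}


def audit_statics(config_text):
    """List every static with its limits and what is left uncapped."""
    findings = []
    for line in config_text.splitlines():
        s = parse_static(line)
        if s is None:
            continue
        issues = []
        if s["max_conns"] == 0:
            issues.append("no total connection limit")
        if s["em_limit"] == 0:
            issues.append("no half-open (embryonic) limit")
        findings.append((s["real"], s["max_conns"], s["em_limit"], issues))
    return findings


# Constructed sample configuration (documentation addresses, not from the page).
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.2.10 10.0.0.1 netmask 255.255.255.255 0 0
static (dmz,outside) 192.0.2.11 10.0.1.5 netmask 255.255.255.255 500 100
static (dmz,outside) tcp 192.0.2.12 25 10.0.1.6 25 netmask 255.255.255.255
access-list acl-outside permit tcp any host 192.0.2.10 eq 5080
"""

if __name__ == "__main__":
    for real, max_conns, em_limit, issues in audit_statics(SAMPLE_CONFIG):
        status = "; ".join(issues) if issues else "limits set"
        print(f"{real}: max_conns={max_conns} em_limit={em_limit} -> {status}")
```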
Tags: Cisco Security
Similar Questions
-
VPN 3.6.3 and Pix 515 6.2 connection problems.
We have upgraded our PIX image to 6.2, but unfortunately cannot get the 3.6.3 client to connect. The message we get is "unable to establish a connection to the security gateway." We don't have a problem connecting with a 3.2 or 3.5 client, however. Has anyone had a similar problem?
Hello
VPN Client 3.6 still supports DES/MD5; however, support for SHA/DES is no longer available.
http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/3_6/361_clnt.htm#xtocid18
If the proposal is not configured for DES/SHA and you are still having problems connecting, then post the isakmp and ipsec debugs from the PIX along with the client logs and we can take a look to see what is happening.
Kind regards
Arul
-
PIX 515 and software version 6.3 (4)
We have a PIX 515 (not 515E). Currently, we are running software version 6.2 (2). I was wondering if we can upgrade the software to version 6.3 (3) or 6.3 (4), or do we need to replace the hardware with a PIX 515E?
Also, what should I do about my current PDM version 2.0 (2) if it is possible to upgrade the PIX to a 6.3 version?
Thank you.
You can run 6.34 on the Pix515. It takes at least 16 MB of flash and 32 MB of RAM.
If you use PDM, it will need to be updated also.
Josh
-
How to open a port and limit the range of addresses that use it on PIX 515?
I have a Pix 515 v6.3, and a new piece of software that I'm getting soon will need port 5080 open for incoming & outgoing HTTP traffic. The server will be in my DMZ at 10.0.0.1
I would like to restrict inbound access to this port so that it can be used by 4 specific foreign IP addresses, xxx.xxx.xxx.24 through xxx.xxx.xxx.27, and also, if possible, limit the outbound destination using this port to a single specific foreign IP address, xxx.xxx.xxx.30.
Could you please tell me the best way to do it.
Thank you in advance from a relative novice to PIX.
PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.24 host MyWWWPublicIP eq 5080
PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.25 host MyWWWPublicIP eq 5080
PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.26 host MyWWWPublicIP eq 5080
PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.27 host MyWWWPublicIP eq 5080
PIX(config)# access-group acl-outside in interface outside
PIX(config)# access-list acl-dmz permit tcp host 10.0.0.1 host xxx.xxx.xxx.30 eq 5080
PIX(config)# access-group acl-dmz in interface dmz
PIX(config)# static (dmz,outside) MyWWWPublicIP 10.0.0.1 netmask 255.255.255.255 0 0
See also:
PIX 500 series firewall
http://www.Cisco.com/pcgi-bin/support/browse/psp_view.pl?p=hardware:PIX&s=Software_Configuration
Configuration of the PIX Firewall with access to the Mail Server on the DMZ network
sincerely
Patrick
-
MM, pix 515 and mac filtering
I have an application called MeetingMaker, located behind my PIX 515, that is used off site by 5 users. Since they access this program over the internet, and users can have dynamic addresses, is it possible to filter by MAC address somehow to allow access through the firewall to the app? Thank you.
MAC addresses do not cross layer 3 boundaries. In other words, your clients' MAC addresses cannot be seen or known once the traffic passes through the default router for that subnet. So the answer to your question is 'no'.
You can use AAA to handle this. How do your clients connect to the server (port/application)? If it's HTTP/S, the PIX can check a user name and password before allowing access. If it is some other application/port, you can still use authentication by requiring them to connect to the web server out there first. This will cause the PIX to authenticate using the browser challenge, and the PIX can be configured to allow connections from the authenticated hosts.
-
Hello
I just installed a VAC+ card in our PIX 515.
Can I check whether the card is installed and working properly?
"sh ver" gives no information on whether the card is installed.
Greetings, Marc
Do a 'show version' and 'show crypto engine verify'.
See the VAC card Q&A:
sincerely
Patrick
-
PDM with PIX 515 does not work
I just upgraded our PIX 515 from 6.1 to 6.2. I also added support FOR and loaded version 2.1 of the PDM. I am trying to browse to the PDM, but I can't. What am I missing?
Hello
Have you added the following lines to your config, and have you used HTTPS to access the PIX (HTTP is not supported, only HTTPS)?
http server enable
http A.B.C.D 255.255.255.255 inside
A.B.C.D is the IP address of the host from which you are trying to reach the PIX with the PDM.
If you're still having problems after the addition of these two lines, you might have a look at this page:
http://www.Cisco.com/warp/customer/110/pdm_http404.shtml
Kind regards
Tom
-
Limit the number of users for a pix 515 uauth
I have a PIX 515 authenticating and authorizing against a Cisco Secure ACS server for outbound internet connections (using the web prompt). For scaling purposes, I need to know the maximum number of concurrent sessions for these types of users. I know there is a limit of 16 on the simultaneous approval process (the process of first logging in), but once they are connected, is there a limit?
Once connected, the number of connections is limited by the number of concurrent connections that a PIX can handle. For example, the PIX 515E can handle a maximum of 130,000 concurrent connections.
-
Hi all
Here's my problem, I have 2 PIX 515 firewall...
I'm trying to implement a site-to-site VPN between 2 of our sites...
Both of these firewalls currently run another site-to-site VPN, so I know that works...
I can't get the second site-to-site VPN to come up... when looking at the syslogs I see denied packets...
Protected networks are:
172.16.48.0/24 and 172.16.4.0/22
If I try to ping from the Cisco (172.16.48.4) to 172.16.4.5, I get the following syslog:
2 Sep 02 2008 08:59:47 106001 172.16.48.4 172.16.4.5 Inbound TCP connection denied from 172.16.48.4/1231 to 172.16.4.5/135 flags SYN on interface inside
It seems that the tunnel is trying to initiate, but something is blocking the internal traffic from getting through the VPN.
Don't know what that might be, the other VPN are working properly.
Any help would be great...
I enclose a copy of one of the configs...
Let me know if you need another...
no route inside 172.16.4.0 255.255.252.0 172.16.48.1 1
Removing this route should get you going. Please rate if it does. Similarly, if you have a similar route at the other end, it should be removed as well.
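Why that one route line keeps the tunnel from coming up can be checked with a longest-prefix lookup over the route statements. This is an added example, not part of the original thread: the attached configs are not on the page, so the default route, its gateway 192.0.2.1 and the assumption that the crypto map is applied on the outside interface are constructed, and the function names are hypothetical.

```python
import ipaddress


def parse_routes(config_text):
    """Collect (network, interface, gateway) from PIX 'route' lines."""
    routes = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0].lower() == "route":
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            routes.append((net, tok[1], tok[4]))
    return routes


def best_route(routes, dst):
    """Longest-prefix match, the way the firewall picks an egress interface."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def check_tunnel_path(config_text, dst, crypto_if):
    """Return None if dst is routed to the crypto-map interface, else the reason."""
    route = best_route(parse_routes(config_text), dst)
    if route is None:
        return f"no route to {dst}"
    net, egress_if, gateway = route
    if egress_if == crypto_if:
        return None
    return (f"{dst} matches 'route {egress_if} {net.network_address} "
            f"{net.netmask} {gateway}', so its egress is {egress_if} and it is "
            f"never evaluated by the crypto map on {crypto_if}")


# Constructed configuration: the inside route is the one quoted in the thread,
# the default route is an assumption for illustration.
BROKEN = """\
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 172.16.4.0 255.255.252.0 172.16.48.1 1
"""
FIXED = """\
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
"""

if __name__ == "__main__":
    # Destination host taken from the syslog line in the question.
    for name, cfg in (("before", BROKEN), ("after", FIXED)):
        problem = check_tunnel_path(cfg, "172.16.4.5", crypto_if="outside")
        print(name, "->", problem or "routed to outside, crypto map can match")
```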
-
PIX - 515 does not identify Tokenring Interfacecard
Hello
I installed a PIX-1 TR interface in the PIX 515. Startup is OK, 'answer' no configuration. 'sh ver', 'sho int' etc. show only the built-in Ethernet0 and Eth1 but no Token Ring interface.
The sh ver output looks as follows.
Thanks Ruedi
pixfirewall# sh ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Updated Saturday, June 7 02 17:49 by Manu
pixfirewall up 10 mins 14 secs
Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0003.6bf6.a8a9, irq 11
1: ethernet1: address is 0003.6bf6.a8aa, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
Serial Number: 405341167 (0x182903ef)
Running Activation Key: xxxxxxxxx
Configuration last modified by enable_15 at 13:11:47.490 UTC Tue Dec 23 2003
pixfirewall#
Hello
Token-Ring is no longer supported, I think since version 6.0.
-
Hello
We have some difficulty moving traffic in and out of a Cisco PIX 515 firewall. We use it with two DMZs. The first DMZ has a mail server in it (front-end mail server) that communicates with a different mail server (back-end mail server) on the inside; it is called DMZ1. The second DMZ (DMZ2) has some users who are expected to pass through the firewall to the outside and use the internet, and who must have access to the DMZ1 mail server. Inside users must be able to use the Internet and access DMZ1. Here's the important part of our setup.
What we have managed so far: inside users can access the internet and reach the DMZ1 mail server, and the DMZ1 mail server can reach the inside. Our problem is that we are unable to browse the internet from the DMZ1 mail server, even though we set the DMZ1 interface IP address as the gateway on that server and the ISP's DNS IP address is properly set on the same machine. Also, we could not get DMZ2 users to browse the internet, although we allowed the www protocol in the fromOut access list. One last question: can we make the PIX a DHCP server on the DMZ2 interface and have it distribute IP addresses to users on that subnet only? Thanks for any help in advance.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security40
!
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
!
names
!
ip address outside X.Y.Z.163 255.255.255.248
ip address inside 192.168.0.9 255.255.255.0
ip address dmz1 192.168.10.1 255.255.255.0
ip address dmz2 192.168.20.1 255.255.255.0
!
access-list fromOut permit icmp any host X.Y.Z.162 source-quench
access-list fromOut permit icmp any host X.Y.Z.162 echo-reply
access-list fromOut permit icmp any host X.Y.Z.162 unreachable
access-list fromOut permit icmp any host X.Y.Z.162 time-exceeded
access-list fromOut permit tcp any host X.Y.Z.162 eq domain
access-list fromOut permit tcp any host X.Y.Z.162 eq telnet
access-list fromOut permit tcp any host X.Y.Z.162 eq smtp
access-list fromOut permit tcp any host X.Y.Z.162 eq www
!
access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0
access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0
!
access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
!
pager lines 24
!
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
!
global (outside) 1 X.Y.Z.164 netmask 255.255.255.248
global (outside) 2 X.Y.Z.165 netmask 255.255.255.248
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (dmz1) 1 192.168.10.2 255.255.255.255 0 0
nat (dmz2) 2 192.168.20.0 255.255.255.0 0 0
static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz2,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz1,outside) X.Y.Z.162 192.168.10.2 netmask 255.255.255.255 0 0
!
access-group fromOut in interface outside
access-group fromDMZ1 in interface dmz1
access-group fromDMZ2 in interface dmz2
route outside 0.0.0.0 0.0.0.0 X.Y.Z.161 1
Hi Jamil,
There is a sentence at the URL I sent you: you can now activate the DHCP option within the interface. Just check this...
REDA
-
termination of VPN client 4.0 on pix 515
I am trying to connect the Cisco 4.0 VPN client to a PIX 515 ver 6.1 and receive the following errors, which I guess are related to the hashing algorithm, but I am not sure. Only DES is enabled, not 3DES. I ran the config through the Cisco Output Interpreter but apparently there is no error in the config.
VPN client log:
Cisco Systems VPN Client Version 4.0 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All rights reserved.
Customer type: Windows, Windows NT
Running: 5.0.2195
1 10:58:34.890 25/09/03 Sev = Info/4 CM / 0 x 63100002
Start the login process
2 10:58:34.906 25/09/03 Sev = Info/4 CVPND/0xE3400001
Microsoft's IPSec Policy Agent service stopped successfully
3 10:58:34.906 25/09/03 Sev = Info/4 CM / 0 x 63100004
Establish a connection using Ethernet
4 10:58:34.906 25/09/03 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "x.x.x.226".
5 10:58:35.953 25/09/03 Sev = Info/6 IKE/0x6300003B
Attempts to establish a connection with x.x.x.226.
6 10:58:36.000 25/09/03 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Nat - T), VID (Frag), VID (Unity)) at x.x.x.226
7 10:58:36.000 25/09/03 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
8 10:58:36.000 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
9 10:58:41.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
10 10:58:41.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226
11 10:58:46.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
12 10:58:46.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226
13 10:58:51.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
14 10:58:51.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226
15 10:58:56.093 25/09/03 Sev = Info/4 IKE / 0 x 63000017
Marking of IKE SA delete (I_Cookie = 20FC277498A5D2DC R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
16 10:58:56.593 25/09/03 Sev = Info/4 IKE/0x6300004A
IKE negotiation to throw HIS (I_Cookie = 20FC277498A5D2DC R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
17 10:58:56.593 25/09/03 Sev = Info/4 CM / 0 x 63100014
Could not establish the Phase 1 SA with the server 'x.x.x.226' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.
18 10:58:56.593 25/09/03 Sev = Info/5 CM / 0 x 63100025
Initializing CVPNDrv
19 10:58:56.593 25/09/03 Sev = Info/4 IKE / 0 x 63000001
Signal received IKE to complete the VPN connection
20 10:58:56.625 25/09/03 Sev = critique/1 CVPND/0xE3400001
Service Microsoft's IPSec Policy Agent started successfully
21 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
22 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
23 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
24 10:58:57.093 25/09/03 Sev = Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
PIX log:
crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226
Peer VPN: ISAKMP: approved new addition: ip:x.x.x.194 Total VPN peer: 1
Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 1 Total VPN EEP
RS: 1
Exchange OAK_AG
ISAKMP (0): treatment ITS payload. Message ID = 0
ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 1
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform against the policy of priority 1 2
ISAKMP: encryption... What? 7?
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 3 against the policy of priority 1
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 4 against the policy of priority 1
ISAKMP: encryption... What? 7?
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 5 against the policy of priority 1
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 6 against the policy of priority 1
ISAKMP: encryption... What? 7?
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 7 against the policy of priority 1
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 8 against the policy of priority 1
ISAKMP: encryption... What? 7?
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 9 against the policy of priority 1
ISAKMP: 3DES-CBC encryption
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4
crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226
Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 2 Total VPN EEP
RS: 1
Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 1 Total VPN EEP
RS: 1
crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226
Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 2 Total VPN EEP
RS: 1
Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 1 Total VPN EEP
RS: 1
ISAKMP (0): retransmission of phase 1...
ISAKMP (0): retransmission of phase 1...
ISAKMP (0): delete SA: src x.x.x.194 dst x.x.x.226
ISADB: Reaper checking HIS 0x80db91c8, id_conn = 0 DELETE IT!
Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 0 Total of VPN EEP
RS: 1
Peer VPN: ISAKMP: deleted peer: ip:x.x.x.194 VPN peer Total: 0
ISAKMP: Remove the peer node for x.x.x.194
Thanks for any help
Hello
The PIX isakmp policy should have DES, MD5, and group 2 for the Cisco VPN client 4.x to connect; these are the proposals that the client sends to the server...
http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/rel4_0/admin_gd/vcach6.htm#1157757
This link will show you the IKE proposals to be configured on the PIX (VPN server)
Arthur
-
Hi all
My company needs to upgrade its PIX 515 to have the 3DES VPN function for remote site connections. So do I just need to buy a 3DES license for the PIX? And can I also upgrade the IOS 6.1 so that I can use PDM to configure the PIX? And do I also need to upgrade the memory in the PIX?
Thank you very much!
Best regards
Teru Lei
Yes to the first question.
Better 6.2 and pdm 2.1 I think.
How much memory do you have? Check,
there are memory requirements for PIX 6.2
Good luck!
--
Alexis Fidalgo
Systems engineer
AT&T Argentina
-
A question about the old Pix 515
Hi Experts.
My client needs additional FE interfaces and does not want to migrate to the 515E chassis.
Since the data sheet for the old PIX 515 is no longer available due to the EOS announcement, can you please confirm that the PIX 515 supports the PIX-1FE and PIX-4FE cards before I order one of them?
Thank you
The 515 supports 4 interface cards. Make sure they are running a PIX UR license, though: the 515-R only supports 3 interfaces.
-
DNS traffic blocked after PAT - PIX 515
I have PIX 515 with 3 named NIC (internal, external, dmz)
I have 2 servers (Exchange and Windows 2000 with SMTP) in the demilitarized zone.
I currently have a static command pointing the domain IP address to the Exchange server in the DMZ.
I wanted to PAT on the IP address of the e-mail domain so that the configuration will look as follows.
The domain IP will be used for the global IP
all pop3 for global ip traffic will go to Exchange
all www for the global IP traffic will go to Exchange
all smtp for global ip traffic will go to the Windows 2000-based SMTP relay (SMTP relay is configured to send the e-mail received in exchange Server)
I hosted DNS udp and tcp traffic to the servers.
Before PAT, the servers could use DNS to resolve e-mail domain IPs and send mail to the Internet.
As soon as I PAT, the Internet e-mail delivery stops.
When I run NSLOOKUP, the command returns an error indicating that the DNS server cannot be resolved.
The DNS servers used by these 2 servers are the ISP's DNS servers.
Is there any concern when you PAT?
Thank you
Hello
I found the problem:
For now, your DMZ servers can go to the internet with pop3, smtp, and www. Only for these protocols is a (static) translation provided in the config.
You will need to provide a translation for other protocols (for example, dns) as well. This can be accomplished with one of the following two things:
create a nat/global pair for the DMZ to the outside
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 200.100.100.168 (already exists)
create a static translation for each of the other protocols (besides pop3, smtp, www) that you want to pass from the DMZ to the internet (you already did that for www, pop3 and smtp).
Kind regards
Tom