PIX IDS "fat ping"

Is it possible to allow large ping replies through the PIX IDS attack signature without turning IDS off completely?

Hello

Use the command 'ip audit signature' to disable this signature.

ip audit signature:

Specifies the messages to be displayed, attaches a global policy to a signature, and disables or excludes a signature from auditing.

I think that the signature is 2151: large ICMP traffic

Hope this helps,

Christophe
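As an added illustration of the answer above (not configuration from the original thread), the fragment below contrasts the heavy-handed fix, which removes the audit policy from the interface and so stops every IDS check, with the targeted one, which keeps the attack policy and silences only signature 2151. The policy name attack-pol and the interface name outside are assumed for this example; the command forms are the PIX 6.x ip audit commands.

```text
: Weak approach: unbinding the audit policy from the interface turns PIX IDS off entirely
: (attack-pol is an assumed policy name for this example)
no ip audit interface outside attack-pol

: Targeted approach: keep the attack policy active on the outside interface and
: disable only signature 2151 (Large ICMP Traffic); then list the disabled signatures
ip audit name attack-pol attack action alarm drop reset
ip audit interface outside attack-pol
ip audit signature 2151 disable
show ip audit signature
```

With the targeted form, the remaining attack signatures still alarm, drop and reset, so the 4000nn syslog messages for everything except large ICMP keep arriving at the syslog server.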

Tags: Cisco Security

Similar Questions

  • PIX IDS signatures

    Does anyone know the PIX IDS signatures to block ping sweeps and port scans?

    Do the IDS signatures override previously defined ACLs? For example, I want to allow people to ping me (I allowed icmp echo in my ACL), but I want to drop ping sweeps and port scans.

    Thanks.

    PIX IDS signatures are all listed here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_62/syslog/pixemsgs.htm#1032267

    You will notice that there are no sigs for port scans and ping sweeps, mainly because the PIX does not detect them. This would require the PIX to keep track of all the pings or connection attempts and try to work out whether a scan is going on, which is not what the PIX is designed for.

    If you want to see these, then a NIDS system is the best way to go. PIX IDS is very limited and only looks for a very small subset of signatures, and most of these signatures consist of a single packet; it does not try to reassemble several packets to different hosts or ports.

  • VPN client VPN connection from behind a PIX to another PIX

    I have the following problem:

    I wanted to establish a VPN connection from the VPN client to the PIX over GPRS/3G, but I didn't have much luck with PIX IOS version 6.2(2).

    So I upgraded the PIX to 6.3(4) to use NAT-T, and the VPN client to version 4.0.5.

    I configured the PIX with NAT-T (isakmp nat-traversal 20), but I still had no luck; it would not get through phase 1. As soon as I took isakmp nat-traversal off it started working, and we can connect to our servers.

    Now I want to connect with the VPN client from behind our PIX to our customer's PIX network. The VPN connection establishes without problem, but we cannot access the servers. If I configure NAT-T on both PIXes, or only on the customer PIX, or only on our PIX, there is no VPN connection at all.

    If I connect the VPN client from behind our PIX to the customer's network and try to ping the DNS server, for example, I get the following error on our PIX:

    305006: portmap translation creation failed for protocol 50 src inside:10.10.1.x dst outside:194.x.x.x

    194.x.x.x is our customer's PIX IP address.

    I understand that an access list is missing somewhere, but I cannot work out where.

    Of course, I could configure a site-to-site VPN, but we have a few customers and look after their servers, so it would be simpler to just connect from behind the PIX with the VPN client to the customer's server, instead of first dialling in and then establishing a VPN connection.

    Can you please help me?

    Thank you in advan

    The following is extracted from the ASK THE EXPERTS discussion forum with Glenn Fullage of Cisco.

    I've cut and pasted it here for you to read; I think it is the problem mentioned below:

    Question:

    Hi Glenn,

    Is the following possible?

    I have the VPN client on my PC; my LAN is protected by a PIX. I can launch the VPN client to connect to a remote PIX. The VPN client authenticates and the remote PIX assigns my PC the appropriate IP from its IP address pool.

    The problem I am facing is that I cannot ping anything across the remote PIX from my PC, which is behind my PIX. Can you please guide me on what I have to do to make this work, if it is possible?

    My PC has a static IP address assigned, with the appropriate default gateway pointing to my PIX's inside interface.

    Thank you very much in advance for any help provided.

    Response from Glenn:

    First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine but then breaks when put behind a PIX, it is probably that the PIX is doing PAT, which usually breaks IPSec. Add the following command on the PIX your VPN client is behind:

    fixup protocol esp-ike

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.

    If it still has issues, you can turn on NAT-T on the remote PIX that terminates the VPN; the client and the remote PIX will then encapsulate all IPSec in UDP packets, which your PIX will be able to PAT correctly. Add the following command on the remote PIX:

    isakmp nat-traversal

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.

    NAT-T is an IETF standard for the encapsulation of IPSec packets in UDP packets.

    IPSec ESP (the protocol that carries your encrypted data packets) is an IP protocol; it sits directly above IP rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.

    Most devices that do Port Address Translation (PAT) rely on a unique TCP/UDP source port number for PAT'ing. Because all PAT'ed traffic appears with the same source address, there must be something unique about each of its sessions, and most devices use the TCP/UDP source port number for this. Because IPSec doesn't have one, many PAT devices fail to PAT it properly or at all, and data transfer fails.

    When NAT-T is enabled on both end devices, they determine during tunnel setup whether there is a PAT/NAT device between them, and if they detect one, they automatically encapsulate every IPSec packet in a UDP packet with port number 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic flows normally.

    Hope that helps.
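The explanation above (ESP has no port, so a PAT device has nothing unique to key a translation on; NAT-T wraps ESP in UDP/4500 so it does) can be made concrete with a small packet builder. This is an added example, not code from the thread or from Cisco: it constructs minimal IPv4/ESP and IPv4/UDP-4500/ESP packets in memory (checksums left at zero because nothing goes on the wire), shows what a port-based PAT device can extract from each, and shows how a receiver finds the ESP header in both forms. Addresses, SPI and ciphertext are made-up sample values; the UDP encapsulation layout follows RFC 3948.

```python
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500          # UDP port for UDP-encapsulated ESP (RFC 3948)

# Constructed sample values for this example only
CIPHERTEXT = b"\xde\xad\xbe\xef" * 4
CLIENT, REMOTE_PIX, SPI = "192.168.6.2", "198.51.100.1", 0x1234


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options. The header checksum stays 0:
    only the fields a PAT device looks at (IHL, protocol, addresses) matter here."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def esp_packet(src, dst, spi, seq, ciphertext):
    """Native IPsec ESP: the ESP header (SPI, sequence) sits directly on IP protocol 50."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def nat_t_packet(src, dst, spi, seq, ciphertext):
    """UDP-encapsulated ESP as negotiated by NAT-T: IP / UDP 4500->4500 / ESP."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def pat_key(packet):
    """What a port-based PAT device needs for a unique translation slot:
    (source address, protocol, source port). Returns None when the packet has no
    transport port, which is exactly the native ESP case the answer describes."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    if proto in (6, 17):   # TCP or UDP: source port is the first 16 bits after the IP header
        sport = struct.unpack("!H", packet[ihl:ihl + 2])[0]
        return (src, proto, sport)
    return None


def extract_esp(packet):
    """Receiver side: find the ESP header whether it arrived natively or inside
    UDP/4500, and return (spi, sequence number, ciphertext)."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_ESP:
        esp = packet[ihl:]
    elif proto == IPPROTO_UDP:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if dport != NAT_T_PORT:
            raise ValueError("UDP packet is not NAT-T traffic")
        esp = packet[ihl + 8:]
        if esp[:4] == b"\x00\x00\x00\x00":
            # A zero SPI is the Non-ESP Marker: IKE on port 4500, not ESP data
            raise ValueError("NAT-T IKE packet, not ESP")
    else:
        raise ValueError("not an ESP-carrying packet")
    spi, seq = struct.unpack("!II", esp[:8])
    return spi, seq, esp[8:]


if __name__ == "__main__":
    native = esp_packet(CLIENT, REMOTE_PIX, SPI, 1, CIPHERTEXT)
    natt = nat_t_packet(CLIENT, REMOTE_PIX, SPI, 1, CIPHERTEXT)
    print("PAT key for native ESP :", pat_key(native))   # None: nothing to PAT on
    print("PAT key for NAT-T ESP  :", pat_key(natt))     # ('192.168.6.2', 17, 4500)
    print("receiver sees          :", extract_esp(natt)[:2])
```

The None returned for the native packet is the whole story behind the 305006 "portmap translation creation failed for protocol 50" message quoted in the question: the PAT device needs a port to build a portmap entry and protocol 50 has none.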

  • PIX VPN to several subnets

    We have two remote sites and a frame relay link to our parent company.

    The tunnel works very well between us and our remote offices, but they cannot connect to the intranet application server and Oracle at the parent site through the frame relay.

    I have routes on our internal router to the remote sites and on our PIX 520 for the frame relay address. How do you configure routing for the frame relay internally? The PIX 520 can ping the servers on the frame relay network.

    PIX Version 6.3(3)

    | Oracle application server and intranet 173.1.2.x |
    |
    | Parent | net 173.1.2.0
    |
    |
    | frame relay
    |
    | Internal router | 192.170.1.x
    |
    | PIX 520 (our company) | net 192.170.1.0
    |
    | External router: x.x.x.x
    | |
    | VPN |
    | |
    | PIX 501 remote sites: 192.170.2.0 and 192.170.3.0

    On the 501, sh ipsec sa shows 0 for all counters.

    520 sh ipsec sa:

    local ident (addr/mask/prot/port): (FRAME/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.170.2.0/255.255.255.0/0/0)
    current_peer: X.X.X.X:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 101, #recv errors 0
    local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:

    The 520 logs show the SA request:

    702303: sa_request, (key eng. msg.) src= X.X.X.X, dest= X.X.X.X, src_proxy= FRAME/255.255.255.0/0/0 (type=4), dest_proxy= 192.170.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac, lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

    It's certainly an access-list issue; I'll look at it on Monday. Could you please give me a printout of the

    nat (inside) 0 access-list your-ACL-name

    access-list your-ACL-name ...

    sincerely

    Patrick

  • PIX decreasing TTL values

    This of course sounds abnormal. Pinging the PIX outside interface:

    $ ping 195.x.x.x

    PING 195.x.x.x (195.x.x.x): 56 bytes

    64 bytes from 195.x.x.x: icmp_seq=0 ttl=246 time=7.393 ms

    However, if I ping a box in the DMZ, things seem a little weird.

    $ ping 195.x.x.x

    PING 195.x.x.x (195.x.x.x): 56 bytes

    64 bytes from 195.x.x.x: icmp_seq=0 ttl=55 time=11.852 ms

    I'm on 6.3(1). I don't remember this behavior on earlier versions. Has something changed in the latest version?

    Pointers are welcome.

    I do not see why the PIX would decrement the values the way you seem to see when the ICMP packet passes through the PIX to the DMZ segment. My first guess would be that the ICMP echo response you see from 195.x.x.x in the DMZ network does not take the same path as the packet that hits the PIX interface itself.

    I would check the routing on the network and the routing information on the DMZ host itself. If this does not give you the answer, I would use the command "debug icmp trace" on the PIX to verify that the echo and echo response are in fact going through the PIX. You can also verify the ICMP packet with this debug information.

    I hope this helps...

    Marcus

  • Unable to ping external

    Hello

    I am new to the Cisco PIX, so please excuse my very limited knowledge of PIX configuration.

    We have an ADSL router doing NAT.

    Its internal interface is 192.168.5.1.

    The ADSL router is connected to the outside interface of the PIX 506E (192.168.5.3).

    The inside interface of the PIX (192.168.6.1) is connected to the LAN.

    The PIX can ping external addresses.

    The LAN can ping the inside interface of the PIX.

    The LAN cannot ping the outside interface of the PIX or external addresses.

    Here is the output when trying to ping outside from the LAN, and I have placed the config below the output. I can see that the translation is not being done properly, but I can't understand why.

    Any ideas?

    Any ideas?

    136: ICMP echo request from inside:192.168.6.2 to 195.16.220.1 ID=512 seq=33792 length=40
    137: ICMP echo request: translating inside:192.168.6.2 to outside:192.168.6.2
    138: ICMP echo request from inside:192.168.6.2 to 195.16.220.1 ID=512 seq=34048 length=40
    139: ICMP echo request: translating inside:192.168.6.2 to outside:192.168.6.2
    140: ICMP echo request from inside:192.168.6.2 to 195.16.220.1 ID=512 seq=34304 length=40
    141: ICMP echo request: translating inside:192.168.6.2 to outside:192.168.6.2
    142: ICMP echo request from inside:192.168.6.2 to 195.16.220.1 ID=512 seq=34560 length=40
    143: ICMP echo request: translating inside:192.168.6.2 to outside:192.168.6.2

    pix1(config)# sh conf

    : Saved
    : Written by fred at 12:41:35.726 GMT Wednesday, October 5, 2005
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxx encrypted
    passwd xxxxxxxxxxx encrypted
    hostname pix
    domain-name ciscopix.com
    clock timezone GMT 12
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl_out permit icmp any any
    pager lines 22
    logging on
    logging timestamp
    logging console critical
    logging buffered debugging
    logging trap debugging
    logging history informational
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.5.3 255.255.255.0
    ip address inside 192.168.6.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.6.21 255.255.255.255 inside
    pdm location 192.168.6.2 255.255.255.255 inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    nat (inside) 0 192.168.6.0 255.255.255.0 0 0
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
    timeout xlate 1:00:00
    timeout conn 30:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.21 255.255.255.255 inside
    http 192.168.6.2 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.6.21 c:\tftp
    floodguard enable
    fragment chain 1 outside
    telnet timeout 5
    ssh 192.168.6.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    username fred password xxxxxxxx encrypted privilege 15
    terminal width 80
    Cryptochecksum:xxxx
    pix1(config)#

    Thanks for your time.

    Internet <--> ADSL router <-- 192.168.5.0 --> PIX <--> 192.168.6.0

    Assuming that the topology above is accurate, a route must be added on the ADSL router.

    Originally, you mentioned that a PC behind the PIX cannot get any echo response from the internet.

    Imagine that an echo response arrives at the ADSL router with a destination in 192.168.6.0. The ADSL router will then attempt to determine the next hop. However, it has no route to 192.168.6.0 via the PIX. As a result, the ADSL router will use its default gateway, which is the internet, so the echo response can never be received by the PC behind the PIX.

  • Unable to reach secondary site over VPN tunnel

    Hello

    I configured a Cisco PIX firewall for my VPN tunnels, and it works fine when I connect to the local network where the PIX is connected.

    When I want to communicate with a server at a secondary location over the VPN tunnel, I get no response.

    The PIX can ping the server, but I can't ping the server through the VPN tunnel.

    PIX IP address 10.1.0.254

    Router IP address 10.1.10.254

    Secondary router IP address 10.2.10.254

    Secondary server IP address 10.2.0.1

    The default gateway on the local network is 10.1.10.254.

    This router has a GRE tunnel to 10.2.10.254.

    On this router, there is a default route to the PIX (for internet).

    Hello...

    Make sure that the secondary router/server has a route for the IP pool configured on the PIX. Just try to ping, from the server, the IP address that the VPN client obtained...

    You must also make sure that you add this secondary subnet to the sheep (nat 0) access list... otherwise your IP pool will see the NATted IP of the server...

    On the sheep access list, allow all traffic from the secondary subnet to the IP pool...

    I hope this helps... all the best...

  • How to downgrade the PIX515E failover unit from 6.3(5) to 6.3(4)

    Does anyone know how to downgrade the PIX515E failover unit? Our running PIX515E is on 6.3(4), but the failover unit is on 6.3(5), and we do not want to risk upgrading the production PIX, so it seems the best solution is to downgrade the failover unit. Can anyone help?

    Hello

    In fact, it is the same as the upgrade process.

    - Copy the pix*.bin file into the TFTP folder.

    - When you click the 'show dir' button on the TFTP server, the pix*.bin file should be one of the files listed.

    - From configuration terminal mode on the PIX, first ping the TFTP server computer's IP address (you should get ping responses).

    - Enter the command "copy tftp flash".

    - Enter the IP address of the TFTP server computer (press Enter), then enter the pix*.bin file name (press Enter).

    - It will ask you "do you want ..." - press 'y' for yes.

    - Once you are back at the prompt, issue the command "reload" to restart the PIX so that the new software version takes effect.

    - When the PIX comes back up, issue the 'show version' command to confirm that the new software is now running on the PIX.

    Kind regards

    Jagdeep

    Note: If this answers your question, then please mark this thread as solved, so that others can benefit from.

  • VPN clients need access to a subnet on another router

    Hello

    We have a PIX 515E, PIX version 8.0(2).

    We have two subnets, 10.1.x.x/16 and 10.2.x.x/16.

    The firewall is on 10.1.x.x and VPN clients can access this subnet.

    The firewall can ping 10.2.x.y, where x.y is a server in the other subnet.

    Clients on 10.2.x.x go out through the firewall.

    The problem is that VPN clients cannot access the server at 10.2.x.y, even though the PIX can ping 10.2.x.y and has a route to it.

    What do I need to check so that the VPN rules are correct in the PIX 515E?

    I think it is a NAT exemption rule or something like that; not exactly sure.

    Any help would be greatly appreciated.

    Thank you

    Hello

    For VPN clients to access these subnets, check the following:

    1. NAT exemption includes these subnets (if not using NAT)... it's the nat 0 access-list command.

    2. These subnets are included in the split tunnel.

    3. These subnets have a route to the PIX to send traffic to the VPN client pool.

    4. There are no ACLs applied to the inside interface of the PIX that deny this communication.

    Federico.

  • 305006: portmap translation creation failed

    I'm pretty new to all this firewall stuff, so my apologies in advance if what I ask is obvious to more experienced people.

    I have two servers inside my firewall and I'm testing the connectivity through my Cisco PIX 515E by pinging from one to a PC on the outside.

    My server furthest from the firewall has an IP address of 192.168.2.105.

    The other server has two network adapters, 192.168.2.106 and 192.168.1.107.

    The firewall's inside interface is 192.168.1.1.

    The firewall's outside interface is a.b.c.39.

    The PC outside is a.b.c.1.

    I have access rules for ICMP on the inside interface and the outside interface (permit icmp any any).

    I set up a static NAT between 192.168.1.107 and the outside interface.

    I've implemented a global pool on the outside interface and a dynamic NAT rule.

    My setup has the following...

    global (outside) 1 interface

    nat (inside) 1 0.0.0.0 0.0.0.0

    static (inside,outside) interface 192.168.1.107 netmask 255.255.255.255 0 0

    When I try and ping the PC outside from the server closest to the firewall (192.168.1.107), it works fine. The static NAT rule means that my external PC thinks it received a ping request from IP address a.b.c.39 and happily sends its response.

    But when I try and ping from 192.168.2.105, no ping request arrives at the PC on the outside.

    Instead I get a message in my PIX Device Manager saying "305006: portmap translation creation failed for icmp src inside:Server1 dst outside:userPC1".

    Can someone tell me what I am doing wrong?

    Remove the static statement and access from 192.168.2.105 should work. It seems to me that the static statement is overriding your dynamic NAT. When you have only one public IP (the interface) address, you must use the static statement for port redirection only, and not as a 1-to-1 static definition.

    Kind regards

    Jayson

  • Changes made in the ValueChangeListener are not reflected elsewhere

    Summary:

    There is one inputFile component where the user can select a file to upload. The user then presses a Save button to save the file in the database.

    Workflow:

    1. When the user selects the file to upload, the valueChangeListener is called.
    2. In the valueChangeListener I store the file in a local variable of type UploadedFile. I am able to access all the file properties through this variable in the valueChangeListener; in other words, I can access the file name, size, ... from the local variable in the valueChangeListener.
    3. When the user presses Save, a method that commits the changes is called.
    4. In the commit method I get the file data from the local variable containing the file's data.

    The problem is:

    This local variable that is supposed to hold the file data is always NULL. I don't know why this variable does not contain the file data even though I set its value in the valueChangeListener.

    Note:

    I tried to bind the inputFile component to a local variable, and once again it gave me the same NULL result.

    I use ADF technology, JDeveloper 11.1.2.3

    You should process the data inside the value change listener because it is only present in the request. The uploaded file is removed after the request.

    Check out my blog JDev11.1.2.1.0: handling images/files in ADF (part 2) | JDev & ADF Goodies

    for a listener that processes the data directly.

    Timo

  • Shunning a host on the PIX 520 but alerts are still coming to the IDS

    Last week I saw a lot of traffic from a particular host that triggered IDS alerts. After investigating the source, I added a SHUN statement to the PIX. When I do a 'sho shun stat', the count for this host is quite high (352) and rising. I still get alerts from the IDS on this particular host (IP Fragment and host sweeps). I assumed that if I was shunning an IP address, I wouldn't receive IDS alerts on it. Can someone explain what I am doing wrong? Thanks in advance.

    Seems obvious, but can't hurt to ask - where is your sensor's sniffing interface? Of course, if your sniffing interface is located outside the PIX, then junk traffic will always reach the PIX - it just won't get through it.

    In addition, are you shunning this host for these alarms? Does a 'show shun' show that host being blocked AT the time you see alerts for this particular host?

    Jeff

  • Configure the PIX 501 for IDS

    I have a PIX 501 with a wired high-speed LAN at headquarters, inside and outside. What would be a solid IDS policy to enable, and which interfaces should it be applied to? Are there other measures necessary to enable IDS?

    IDS on the PIX itself is very limited; it checks only the 59 signatures listed here (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid9 under the section "Supported IDS signatures"). The signatures themselves are pretty basic.

    If you do want to enable it, then for the attack signatures I would set the action to drop/alarm/reset, which is the default anyway.

    You will also need to set up logging to a syslog server and monitor for any 4000nn messages in syslog, as those are the IDS events.
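The monitoring step in the answer above, done in code: an added example (not from the thread or from Cisco) that parses PIX 4000nn IDS syslog messages, tallies them by signature and by source, and lets the operator ignore signatures already judged benign on the network, mirroring the 'ip audit signature 2151 disable' approach from the top of this page without silencing the rest. The sample syslog lines, addresses and counts are constructed for this example in the shape "%PIX-4-4000nn: IDS:<sig> <name> from <src> to <dst> on interface <if>"; the message-id to signature pairings in them are illustrative.

```python
import re
from collections import Counter

# Constructed sample syslog lines for this example (not from the original post).
SAMPLE_SYSLOG = """\
Oct  5 12:41:35 pix %PIX-4-400013: IDS:2151 ICMP Large Packet from 203.0.113.9 to 192.168.6.2 on interface outside
Oct  5 12:41:36 pix %PIX-4-400013: IDS:2151 ICMP Large Packet from 203.0.113.9 to 192.168.6.2 on interface outside
Oct  5 12:41:37 pix %PIX-4-400014: IDS:2154 ICMP Ping of Death from 198.51.100.7 to 192.168.6.2 on interface outside
Oct  5 12:41:38 pix %PIX-4-400023: IDS:3040 TCP NULL flags from 198.51.100.7 to 192.168.6.21 on interface outside
Oct  5 12:41:39 pix %PIX-5-111008: User 'fred' executed the 'show config' command.
Oct  5 12:41:40 pix %PIX-4-400013: IDS:2151 ICMP Large Packet from 192.168.6.21 to 203.0.113.9 on interface inside
"""

# Only 4000nn messages are IDS events; everything else in the syslog stream is skipped.
IDS_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>4000\d{2}): IDS:(?P<sig>\d+) (?P<name>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def parse_ids_events(syslog_text):
    """Return one dict per 4000nn IDS message found in the syslog text."""
    events = []
    for line in syslog_text.splitlines():
        m = IDS_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sig"] = int(rec["sig"])
        rec["sev"] = int(rec["sev"])
        events.append(rec)
    return events


def signature_breakdown(events):
    """How often each signature fired: the first thing to check before deciding
    whether a signature such as 2151 is noise worth disabling or a real problem."""
    return Counter(e["sig"] for e in events)


def count_by_source(events, ignore_sigs=frozenset()):
    """Events per source address, skipping signatures judged benign on this network
    (the syslog-side counterpart of 'ip audit signature <n> disable')."""
    return Counter(e["src"] for e in events if e["sig"] not in ignore_sigs)


def noisy_sources(events, threshold, ignore_sigs=frozenset()):
    """Sources that triggered at least `threshold` non-ignored IDS events, sorted."""
    counts = count_by_source(events, ignore_sigs)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_ids_events(SAMPLE_SYSLOG)
    print("IDS events:", len(evs))
    print("by signature:", dict(signature_breakdown(evs)))
    print("noisy sources (all sigs):", noisy_sources(evs, 2))
    print("noisy sources (2151 ignored):", noisy_sources(evs, 2, ignore_sigs={2151}))
```

Run against a real syslog file, the signature breakdown shows at a glance whether large-ICMP alarms dominate, and the ignore set lets the reviewer confirm what the remaining signatures would still flag before any signature is disabled on the PIX itself.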

  • Ping problem with PIX VPN

    Hello

    I have a PIX 501 (6.3-4) on a local network and am trying to use the Cisco VPN Client (4.0.2-D) on a remote PC.

    I can open a VPN session.

    I can't ping from the remote PC to the LAN.

    I can ping from any station on the LAN to the remote PC.

    After I do a ping from a station on the LAN to the remote PC, I can ping from the remote computer to the local network.

    I am such a newbie; I've been trying for 2 days changing ACLs, no way.

    I must say that I have dynamic WAN IPs on both the local network and the remote PC.

    Any idea about this problem?

    Any help is welcome.

    Here is the configuration of my PIX:

    PIX Version 6.3(4)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password * encrypted
    passwd * encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    clock timezone CET 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup ... /...
    fixup protocol tftp 69
    names
    name 192.168.42.0 Dmi
    access-list inside_access_in permit ip any any
    access-list inside_outbound_nat0_acl permit ip any 192.168.229.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 permit ip Dmi 255.255.255.0 192.168.229.32 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit icmp any any
    pager lines 24
    logging on
    logging trap informational
    mtu outside 1500
    mtu inside 1500
    ip address outside 209.x.x.x.255.255.224
    ip address inside 192.168.42.40 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool dmivpndhcp 192.168.229.1-192.168.229.254
    pdm location 192.168.229.1 255.255.255.255 outside
    pdm location 209.165.x.x.x.255.255 inside
    pdm location 209.x.x.x.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http Dmi 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.42.100 .
    floodguard enable
    sysopt connection permit-ipsec
    auth-prompt prompt pass
    auth-prompt accept good
    auth-prompt reject bad
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map dynmap 20 match address outside_cryptomap_dyn_20
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup dmivpn address-pool dmivpndhcp
    vpngroup dmivpn dns-server 192.168.42.20
    vpngroup dmivpn wins-server 192.168.42.20
    vpngroup dmivpn default-domain defi.local
    vpngroup dmivpn idle-time 1800
    vpngroup dmivpn password *
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username vpnuser password *
    vpdn enable outside
    vpdn enable inside
    dhcpd address 192.168.42.41-192.168.42.72 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 80
    Cryptochecksum: *

    Noelle,

    Add the command (in config mode): isakmp nat-traversal

    Let me know if it helps.

    Jay

  • Ping on the PIX firewall

    Is it possible to ping directly from a low-security interface to a high-security interface without translation on a PIX?

    For example, 192.168.2.90 is currently NATted to 10.0.0.4 by the PIX. I want to ping directly from 192.168.2.4 to 10.0.0.4.

    I can certainly ping directly from 10.0.0.4 to 192.168.2.4.

    Please let me know if you would like to see the complete config.

    I hope I understand your question correctly. You are trying to ping from one interface to another on your PIX. This URL explains how this can be done.

    http://www.Cisco.com/warp/public/110/31.html
