Is it a PIX problem?

Hi guys,

I have a 515E with PIX OS 7.0. This PIX works as a border between my edge router and my internal network firewall.

Some of my clients inside require an SMTP over SSL connection to an external SMTP server. I opened all the ports on the PIX, but always in vain. Finally I tried letting one of the clients on the internal network access all the ports on the outside. Right after I did, this particular client should have been able to access all the services on the Internet. But the same error came out with SMTP over SSL. I'm sure it is the PIX's problem, because I tried taking the PIX out and connecting directly to the router, and it works!

Is there an expert out there who can advise me? Thanks in advance.

Kind regards

Keng

If you have an inspection policy, try removing the "inspect esmtp" from your class inspection_default.

Kind regards

DC
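The change DC describes is made in the default global policy of a PIX 7.0 (on a stock configuration the policy-map is named global_policy): under "class inspection_default", enter "no inspect esmtp". The caveat a practitioner wants: that removes ESMTP command filtering for every port-25 flow through the box, not just for the clients that need TLS, so it is a trade-off to make deliberately. Before touching the policy it helps to confirm that inspection really is what breaks the session. The script below is an added example, not code from the original thread or from Cisco; it runs from a client host behind the PIX and reports two things: what the server's EHLO reply looks like through the firewall (ESMTP inspection can hide extensions such as STARTTLS, and the older Mail Guard rewrites the 220 banner to asterisks), and whether a direct TLS handshake on port 465 reaches the server at all. The relay name smtp.example.net is a placeholder; the sample EHLO reply used by the parser's docstring is constructed.

```python
import smtplib
import socket
import ssl
from typing import List, Optional, Tuple

SMTP_PORT = 25     # clear-text ESMTP; STARTTLS is negotiated here
SMTPS_PORT = 465   # implicit TLS ("SMTP over SSL")


def parse_ehlo_reply(reply: str) -> Tuple[str, List[str]]:
    """Split a raw multi-line EHLO reply into (greeting, [extension keywords]).

    Reply lines look like '250-mail.example.net', '250-STARTTLS', '250 SIZE 10240000'.
    The first 250 line is the greeting; the others name extensions.
    """
    greeting = ""
    extensions: List[str] = []
    for line in reply.splitlines():
        if len(line) < 4 or not line[:3].isdigit():
            continue                      # not a reply line
        text = line[4:].strip()
        if not greeting:
            greeting = text or "?"
        elif text:
            extensions.append(text.split()[0].upper())
    return greeting, extensions


def banner_looks_masked(banner: str) -> bool:
    """True when the 220 banner has been rewritten to asterisks.

    PIX Mail Guard (fixup/inspect smtp) hides the server banner this way,
    which is a quick sign that SMTP inspection sits in the path.
    """
    body = banner.strip()[3:].strip()
    return bool(body) and set(body) <= {"*", " "}


def diagnose(extensions: List[str], implicit_tls_ok: Optional[bool]) -> str:
    """Combine the two observations into something a firewall admin can act on."""
    starttls = "STARTTLS" in extensions
    if implicit_tls_ok is False and not starttls:
        return ("no STARTTLS on 25 and no TLS handshake on 465: check the ACL and "
                "translation for 465, and the esmtp inspection on 25")
    if implicit_tls_ok is False:
        return "STARTTLS works on 25 but 465 does not connect: 465 is not being permitted"
    if not starttls:
        return ("465 works but the EHLO reply has no STARTTLS: either the server does "
                "not offer it or inspection on 25 is hiding it; compare with a run that "
                "bypasses the PIX")
    return "both STARTTLS on 25 and TLS on 465 work: the firewall is not in the way"


def implicit_tls_handshake(host: str, timeout: float = 10.0) -> bool:
    """Reachability probe only: verification is disabled so that a certificate
    problem is not mistaken for a firewall problem. Never send mail this way."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, SMTPS_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


def probe(host: str, timeout: float = 10.0) -> str:
    """Run both checks against a real relay and return the verdict."""
    extensions: List[str] = []
    try:
        smtp = smtplib.SMTP(timeout=timeout)
        code, banner = smtp.connect(host, SMTP_PORT)
        if banner_looks_masked(f"{code} {banner.decode(errors='replace')}"):
            print("banner is masked with asterisks: SMTP inspection is in the path")
        smtp.ehlo()
        extensions = sorted(k.upper() for k in smtp.esmtp_features)
        smtp.quit()
    except (OSError, smtplib.SMTPException) as exc:
        print(f"port {SMTP_PORT}: {exc}")
    return diagnose(extensions, implicit_tls_handshake(host, timeout))


if __name__ == "__main__":
    print(probe("smtp.example.net"))   # assumed relay name; replace with yours
```

Run it once through the PIX and once on the path that bypasses it (as Keng already did by hand); the verdicts differing between the two runs points at the firewall, and a masked banner or a missing STARTTLS on the PIX path points at the inspection rather than at a missing port.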

Tags: Cisco Security

Similar Questions

• PIX 515E question

    Hi all

We just bought a PIX 515E and are trying to use it, but have a number of questions. Here's the show version output:

    PIX-515E# show version

    Cisco PIX Firewall Version 6.3(1)

    Cisco PIX Device Manager Version 3.0(1)

    Compiled on Thu 19 Mar 03 11:49 by Manu

    PIX-515E up 5 hours 15 mins

    Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

    Flash E28F128J3 @ 0x300, 16MB

    BIOS Flash AM29F400B @ 0xfffd8000, 32KB

    0: ethernet0: address is 000f.2457.4b12, irq 10

    1: ethernet1: address is 000f.2457.4b13, irq 11

    Licensed Features:

    Failover: Enabled

    VPN-DES: Enabled

    VPN-3DES-AES: Enabled

    Maximum Interfaces: 6

    Cut-through Proxy: Enabled

    Guards: Enabled

    URL-filtering: Enabled

    Inside Hosts: Unlimited

    Throughput: Unlimited

    IKE peers: Unlimited

    This PIX has a Failover Only (FO) license.

The problem is that we cannot ping the inside interface unless we switch it on, but this is a single unit. Here's another message once we switch it on:

    PIX-515E# config t

    WARNING ***

    Configuration Replication is NOT performed from Standby unit to Active unit.

    Configurations are no longer synchronized.

    PIX-515E(config)#

Please help solve this problem. I wonder if we bought the wrong license? Thank you very much.

You have a failover PIX. That's why it says so in the "sh run".

This device is intended to be used only as a failover for a live device. It will work as a live PIX, but behave badly. It is cheaper than a PIX with an unrestricted license, as it is not intended to be used as a standalone device. Check with whoever you bought it from to get the situation sorted.

    Good luck

    Steve

• PIX network diagram question...

    This is a lame question, so I apologize in advance.

On network diagrams, when using the Cisco-provided PIX stencil, is there a 'right' way to face the stencil? I mean, should the arrow face in the outbound direction, with the vertical line closer to the "outside"?

Again, I apologize for how lame this is...

Yes, the vertical line, or I would say the wall-like shape, should be placed on the outside interface.

    for example

    www-(|)<)---inside

• PIX 515 with 2 ISPs question

I have a client with a Cisco PIX 515. Is it possible to have 2 separate configs on the PIX and quickly select which config you want to boot? My client has had problems lately with his main ISP, which happens to be the faster connection of the 2, and when it goes down they have to make IP changes on the PIX to perform the failover manually.

    Ok..

I have a client with a Cisco PIX 515. Is it possible to have 2 separate configs on the PIX and quickly select which config you want to boot?

- YES, YOU CAN CONFIGURE YOUR PIX 515E IN MULTIPLE CONTEXT MODE

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

My client has had problems lately with its main ISP, which is the faster connection of the 2, and when it breaks down they manually make IP changes on the PIX to fail over to the other one.

- YOU CAN CONFIGURE THE "DUAL ISP" FEATURE.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

• PIX 515 static question

I have installed a PIX 515 at home on my broadband connection for testing. I was wondering if it is possible to use the static command to map an internal host to the DHCP address assigned by the ISP. I have a reverse DNS client set up to map the DHCP-assigned WAN address to a public DNS server address.

    Example:

    interface0 outside

    interface1 inside

    ip address outside dhcp setroute

    ip address inside 172.16.0.1

    ip route 0.0.0.0 0.0.0.0 dhcp

    Thank you

    Assuming you have something like:

    > nat (inside) 1 0 0

    > global (outside) 1 interface

    for your outgoing traffic, you can proceed as follows for incoming traffic:

    > static (inside,outside) tcp interface 80 172.16.0.2 80 netmask 255.255.255.255

It maps all TCP port 80 packets destined for the PIX outside interface to the internal server at 172.16.0.2 on port 80. The keyword "interface" means the outside interface's IP address. You can add as many of these port mappings as you want. The ports need not be the same either; you can map port 80 to port 345 if you wish.

• PIX static question

I have a static mapping for my mail server (public to private IP address) and I was curious about the behavior of a static mapping. I understand it as far as processing the incoming packets goes. But what happens with outgoing traffic from the server? Does the PIX see an outgoing e-mail packet and insert this public static address as the source IP address?

Yes, it does. It uses the static statement as it would NAT, except that it always uses the assigned external IP address instead of pulling an IP from the NAT address pool.

• PIX port forwarding question

I only have a single public IP address. It is used by the outside interface. How can I allow outside access to the internal web server?

As per Jack Ko's post, you can also use the keyword "interface" on your static, that is, if you only have a single public IP address and this IP is used for the PIX outside interface:

    static (inside,outside) tcp interface 80 <inside-host> 80 netmask 255.255.255.255 0 0

    -or-

    To access SMTP:

    access-list 100 permit tcp any host <outside-ip> eq smtp

    access-group 100 in interface outside

    static (inside,outside) tcp interface smtp <inside-host> smtp netmask 255.255.255.255 0 0

Once again, save with: write mem, and also issue: clear xlate

    Hope this helps,

    Jay
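The three answers above describe the same mechanism from different sides: a static maps a public address (or one port of the outside interface, with the "interface" keyword) to an inside host, the outside access-list is what actually lets the inbound packet in, and the same static also fixes the source address the host is seen with when it connects out. The model below is an added example, not code from the thread or from Cisco; it parses static and access-list lines of the shapes posted here and walks packets through a simplified PIX 6.x decision (outside ACL matched on the public address before translation, static supplying the inside address, everything else falling through to nat/global PAT on the interface). The outside address 203.0.113.1, the 203.0.113.20 and 172.16.0.3/172.16.0.4 entries, and the ACL lines are constructed; the port-80 static is the one from the answer.

```python
import re
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "https": 443, "ftp": 21}


def port_number(token: str) -> int:
    """PIX accepts port names or numbers in static and access-list lines."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_static(line: str) -> dict:
    """Parse 'static (real_if,mapped_if) [tcp|udp] global [gport] real [rport] netmask ...'."""
    m = re.match(r"\s*static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(.*)", line)
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    real_if, map_if, rest = m.groups()
    tok = rest.split()
    if tok[0] in ("tcp", "udp"):      # port static: one port of one host
        return dict(real_if=real_if, map_if=map_if, proto=tok[0],
                    global_ip=tok[1], global_port=port_number(tok[2]),
                    real_ip=tok[3], real_port=port_number(tok[4]))
    return dict(real_if=real_if, map_if=map_if, proto=None,   # one-to-one static
                global_ip=tok[0], global_port=None, real_ip=tok[1], real_port=None)


ACL_RE = re.compile(r"\s*access-list\s+(\S+)\s+permit\s+(\w+)\s+any\s+host\s+(\S+)\s+eq\s+(\S+)")


def parse_acl(line: str) -> dict:
    """Only the 'permit <proto> any host <public-ip> eq <port>' shape used in the thread."""
    m = ACL_RE.match(line)
    if not m:
        raise ValueError(f"unsupported access-list line: {line!r}")
    name, proto, dst, port = m.groups()
    return dict(name=name, proto=proto, dst=dst, port=port_number(port))


class Pix:
    """Simplified PIX 6.x model: the outside access-list is matched on the public
    (pre-translation) address, and the static supplies the inside address."""

    def __init__(self, outside_ip: str, static_lines: List[str], acl_lines: List[str]):
        self.outside_ip = outside_ip
        self.statics = [parse_static(s) for s in static_lines]
        self.acl = [parse_acl(a) for a in acl_lines]

    def _global(self, ip: str) -> str:
        return self.outside_ip if ip == "interface" else ip   # the 'interface' keyword

    def permitted(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        return any(a["proto"] == proto and a["dst"] == dst_ip and a["port"] == dst_port
                   for a in self.acl)

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside. Returns (real_ip, real_port) the packet is delivered to,
        or None when the ACL drops it or no static gives it somewhere to go."""
        if not self.permitted(proto, dst_ip, dst_port):
            return None
        for s in self.statics:
            if self._global(s["global_ip"]) != dst_ip:
                continue
            if s["proto"] is None:
                return (s["real_ip"], dst_port)                # port carried through unchanged
            if s["proto"] == proto and s["global_port"] == dst_port:
                return (s["real_ip"], s["real_port"])          # ports may differ (80 -> 345)
        return None

    def outbound(self, src_ip: str, src_port: int, proto: str = "tcp") -> Tuple[str, Optional[int]]:
        """Inside -> outside. A one-to-one static also rewrites the source of the host's
        own outgoing traffic to its fixed global address (the point of the static-mapping
        question above); a port static does so only for that port. Everything else falls
        through to nat/global PAT on the interface, where the PIX picks the port (None)."""
        for s in self.statics:
            if s["real_ip"] != src_ip:
                continue
            if s["proto"] is None:
                return (self._global(s["global_ip"]), src_port)
            if s["proto"] == proto and s["real_port"] == src_port:
                return (self._global(s["global_ip"]), s["global_port"])
        return (self.outside_ip, None)


def example_pix() -> Pix:
    """Constructed config: the port-80 static from the answer plus made-up entries
    in the documentation ranges (203.0.113.0/24 outside, 172.16.0.0/24 inside)."""
    return Pix(
        outside_ip="203.0.113.1",
        static_lines=[
            "static (inside,outside) tcp interface 80 172.16.0.2 80 netmask 255.255.255.255",
            "static (inside,outside) tcp interface smtp 172.16.0.3 smtp netmask 255.255.255.255 0 0",
            "static (inside,outside) 203.0.113.20 172.16.0.4 netmask 255.255.255.255",
        ],
        acl_lines=[
            "access-list 100 permit tcp any host 203.0.113.1 eq www",
            "access-list 100 permit tcp any host 203.0.113.1 eq smtp",
            "access-list 100 permit tcp any host 203.0.113.20 eq https",
        ],
    )
```

The two things worth noticing when you run it: a static with no matching access-list entry translates nothing inbound (the ACL is the gate, the static only says where to send what passes), and a host covered by a one-to-one static never borrows a PAT port on the way out, which is why its outgoing mail carries the public address the remote server's reverse-DNS check expects.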

• PIX timeout questions

    Hello

I understand that there are some timeout parameters on the PIX. Need to check:

1. timeout conn 1:00:00. In my view, this is an idle timeout. Does the PIX send a TCP reset after the timeout?

2. timeout xlate 3:00:00. Is this an idle timeout? Does the PIX send a TCP reset after the timeout?

Yes, according to the information in the original post, the PIX should remove any xlate that has been inactive for 3 hours. Once these are removed, the xlates will need to be re-established for a connection to occur.

    Does that help?

    Scott

• Question about pix that cannot be changed

I placed a series of photos in a collage in Photoshop. I've never had this problem before, but none of the pix are editable. It won't let me use the eraser on them. What have I done wrong?

No. I asked if your image was 32-bit, and it is not.

I'm pretty confident that your layers are smart objects (you can tell by the small mini-document icon at the bottom right of the layer icon in the Layers panel). You cannot erase smart objects. You must rasterize them and then erase, or create a layer mask for them and paint on it to erase them.

    http://help.Adobe.com/en_US/Photoshop/11.0/WSCCBCA4AB-7821-4986-BC03-4D1045EF2A57a.html

If you have text layers (with the "T" icon in the Layers panel) in the doc, these also cannot be erased and you will have to do the same for them: rasterize and then erase, or create a mask and paint black on it to 'erase' the layer.

• Recovering from Frontpage - organization, upload questions

    Hiya

Rant included... My wife has an extensive site for our Golden Retriever kennel.  Against my advice, she built and maintained it in Frontpage, later Expression.  The host says we have to move forward into something else that is not obsolete.  (We can leave what's there and fix anything that does not work, but I have to build in something else.)

I have used a copy of MX for years, quite happily.  Not a cutting-edge designer!

Wife finds herself quite capable of building in DW.  The problem is that in FP what she did was build a page and click Publish.

To be clear on the difference, on my page for my group, I create a page and have all the images in a folder.  Upload the page, upload all the new pix, which are all in that folder.

I can't figure out how FP organizes things.  There is a single file list: pages, images, and other stuff, everything in alphanumeric order.

Wife comes to discover that, as opposed to FP, the separate elements of a page do not automatically upload with the page.  She needs to upload the pix individually.

Lotsa pix.  Not organized.  Beautiful new pages redone; now she has to go through this huge file list and upload the pix.  LOTSA PIX.

    She is pouting.

Unless there is a pixie-dust solution, what will happen is I'll go through her huge site and reorganize it and insist she keep the organization.  Because she won't.

{Microsoft put together a useless proprietary WYSIWYG, got everyone dependent on it, and then abandoned it.  Thanks a lot.}

Pixie dust questions:

[I never uploaded with DW; always used an FTP client.]

(1) Is there an upload function in MX that would gather all the components of a page and upload them together, as in FP?

Hm.  I guess there's no (2).

    Thank you

    Denno

MX is 12 years old.  It is obsolete, unsupported and well beyond its expiration date.

Its activation servers were taken offline several years ago.

"Cannot be activated" error in older Macromedia products

There's no magic wand to rebuild a site to modern web standards.   There have been too many changes since MX and FP came on the scene.

You will need to bite the bullet and start with a clean slate.  Because your wife has no experience with coding or file management, WordPress may be a better solution all around.   Most web hosts support WordPress.  And many have a 'one button' installation in your server's C-Panel.

Tip:  Find a suitable responsive WP theme that renders elegantly on desktops, tablets, and mobile phones.   PetCare Kennels WordPress Theme Preview - ThemeForest

    Good luck with your project!

    Nancy O.

• Do I really need two firewalls in cascade?

    Hello

I have a small ISP and I currently have an ISA 2000 firewall. I'm supposed to put in a Cisco PIX firewall; someone told me I should put two firewalls, the PIX and the ISA, in cascade mode (should I really do it?), or is the Cisco firewall enough for me?

The second question: which PIX is enough for me (501, 506E or 515E)?

I have about 500 users with 4 Mbps download and 512 Kbps upload.

    Thanks in advance

From the information provided here, I see no reason why you would need both a PIX and the ISA firewall. The PIX should work fine by itself.

As for the PIX model to use, I would err on the side of getting something a bit bigger than you need right now. The 506E has enough power for your current needs, but it's a fixed 2-interface chassis. If you think you will ever need another interface or more power, you are probably better off going with a 515E with a restricted license (restricted for now, because it can always be upgraded later). The 515E with the restricted license will allow you to add another interface to the PIX later if you need to create a DMZ network. The unrestricted license on the 515E provides more interfaces if necessary.

    I hope this helps.

    Scott

  • VPN inside a PIX (General Questions)

    Hello

I'm trying to implement a scenario of communication between a client inside a PIX that talks to a server on the outside. The client must have an IPsec connection from the inside. I have the following config and a few questions I'd be very happy to get an answer to...

    Backup server on the outside interface (security0)

    Client on the inside interface (security100)

    The client IP address is 200.200.212.194

    The backup server address is 200.200.202.201

I want to implement a VPN client connection to the inside interface, and therefore have implemented the following configuration.

    ip address outside 200.200.202.200 255.255.255.0

    ip address inside 200.200.212.193 255.255.255.192

    access-list 100 permit ip host 200.200.202.201 10.3.3.0 255.255.255.0

    ip local pool privada 10.3.3.1-10.3.3.254

    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac

    crypto dynamic-map dynmap 10 set transform-set RIGHT

    crypto map mymap 10 ipsec-isakmp dynamic dynmap

    crypto map mymap client configuration address initiate

    crypto map mymap client configuration address respond

    crypto map mymap interface inside

    isakmp enable inside

    isakmp key * address 0.0.0.0 netmask 0.0.0.0

    isakmp identity address

    isakmp policy 10 authentication pre-share

    isakmp policy 10 encryption 3des

    isakmp policy 10 hash sha

    isakmp policy 10 group 2

    isakmp policy 10 lifetime 86400

    vpngroup PRIVADAGROUP address-pool privada

    vpngroup PRIVADAGROUP password *

    vpngroup PRIVADAGROUP split-tunnel 100

I have a few questions about this configuration; maybe some kind soul is able to respond.

1. The VPN clients receive an address (10.3.3.1, for example) through the IKE negotiation. When I ping my server from the client with the VPN tunnel active, I assume the real packet that passes on the wire has 10.3.3.1 as source address and a destination of 200.200.212.193 (the VPN endpoint and inside interface). Inside the IPsec, the packet is my real IP with a source address of 200.200.212.194 (address of the real client) and a destination address of 200.200.202.201 (address of the backup server that I am trying to ping). If all this makes sense and is correct, could you confirm the following point.

2. When the PIX decrypts the packet and removes the IPsec header, I end up with my original IP packet with a source address of 200.200.212.194 (address of the real client) and a destination address of 200.200.202.201 (address of the backup server that I am trying to ping). I don't know if I then need the following configuration to allow the packet to be forwarded to the backup server without NAT:

    access-list sheep permit ip host 200.200.212.194 200.200.202.0 255.255.255.0

    nat (inside) 0 access-list sheep

I was previously using the following configuration and it seemed to work, but the more I think about it the less sense it seems to make, as I'd expect the NAT to run on the decrypted packet. I must be missing something or be confused, or both.

    access-list sheep permit ip 10.3.3.0 255.255.255.0 200.200.202.0 255.255.255.0

    nat (inside) 0 access-list sheep

3. Last and probably least, I'm pretty sure I don't need the line "isakmp key * address 0.0.0.0 netmask 0.0.0.0" when connecting with VPN client software only. Can someone confirm that for me.

I'm actually trying to get this to work remotely with someone else doing the actual work, and we don't speak the same language.

Any help to sort out my confused brain would be appreciated.

1. No, it's the other way around. The real packet that passes on the wire has the IP address of the PC (200.200.212.194) as source. Inside the IPsec packet, the assigned 10.3.3.1 is the source IP address. When the PIX decrypts the packet, the outer header is removed, and the packet has a source of 10.3.3.1 as it is sent to your server on the outside. The outside server will respond to 10.3.3.1, so that must be routed to the PIX for it to work.

Think of this as the normal case with the PC on the outside coming through the Internet. A packet from, or sent to, 10.3.3.1 would never make it to the original PC. The encrypted IPsec packet always contains the VPN endpoints' real IP source and destination addresses. The decrypted original packet contains the assigned IP as source and the actual destination computer (usually also a private address) as destination.

    2. This should make more sense now that you know the answer to 1.

3. You don't need that if you have a "vpngroup password xxxx" command. This "isakmp key ..." command is used if there is no specific vpngroup key, or if someone connects with a different group name.
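The answer's point 1 settles point 2 as well: the packet the PIX forwards after decryption has the pool address as its source, so a nat 0 access-list written for the client's real address can never match it, while the earlier pool-based one does, and the reply the server sends to 10.3.3.1 only comes back if the server has a route for 10.3.3.0/24 that points at the PIX. The model below is an added example, not code from the thread or from Cisco; it uses the thread's addresses and the two nat 0 access-lists (reduced to their source and destination networks) and follows one ping and its reply. The server's default gateway 200.200.202.254 is constructed for the example; the ESP packet is modelled as a plain header pair with the inner packet attached, with no cryptography.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses from the thread
PC_REAL = "200.200.212.194"      # the client's real address on the inside
PIX_INSIDE = "200.200.212.193"   # VPN endpoint (crypto map applied on the inside interface)
PIX_OUTSIDE = "200.200.202.200"
POOL_ADDR = "10.3.3.1"           # address handed to the client from 'ip local pool privada'
SERVER = "200.200.202.201"       # backup server on the outside


@dataclass
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None   # set on the ESP tunnel-mode packet


def client_encapsulate(inner: Packet) -> Packet:
    """Tunnel mode: the packet on the wire carries the two endpoints' real addresses;
    the packet with the assigned pool address travels inside it."""
    return Packet(src=PC_REAL, dst=PIX_INSIDE, inner=inner)


def pix_decapsulate(wire: Packet) -> Packet:
    """The PIX strips the outer header and forwards what was inside."""
    if wire.inner is None or wire.dst != PIX_INSIDE:
        raise ValueError("not an ESP packet addressed to this endpoint")
    return wire.inner


def nat0_exempts(acl: List[Tuple[str, str]], pkt: Packet) -> bool:
    """'nat (inside) 0 access-list X' exempts a packet when an entry of X matches its
    (source, destination); entries are (src_net, dst_net) in CIDR form."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)


def next_hop(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match over (network, gateway) pairs, as the server's stack does."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None


def walk_through() -> dict:
    """Follow one ping from the VPN client to the server and its reply."""
    wire = client_encapsulate(Packet(src=POOL_ADDR, dst=SERVER))
    forwarded = pix_decapsulate(wire)
    # The two nat 0 access-lists the poster tried, reduced to (src, dst) networks.
    acl_pool = [("10.3.3.0/24", "200.200.202.0/24")]            # the earlier config
    acl_real = [("200.200.212.194/32", "200.200.202.0/24")]     # the proposed replacement
    # Constructed server routing table: a default gateway that is not the PIX.
    server_routes = [("0.0.0.0/0", "200.200.202.254")]
    with_route = server_routes + [("10.3.3.0/24", PIX_OUTSIDE)]
    return dict(
        wire=(wire.src, wire.dst),
        forwarded=(forwarded.src, forwarded.dst),
        pool_acl_exempts=nat0_exempts(acl_pool, forwarded),
        real_acl_exempts=nat0_exempts(acl_real, forwarded),
        reply_hop_without_route=next_hop(server_routes, forwarded.src),
        reply_hop_with_route=next_hop(with_route, forwarded.src),
    )


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The last two results are the practical check to run on the server side: if "route print" or "netstat -rn" on the backup server sends 10.3.3.0/24 to its default gateway rather than to the PIX outside address, the ping will leave the client and never come back, regardless of how the nat 0 list is written.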

• VPN on PIX newbie question

    Hello

I need to create a site-to-site VPN; I have a PIX 515e in mind. Behind it is a Win2k network with a domain controller for authentication. Users at the remote site must be able to authenticate to this DC via a VPN.

The two sites connect to the Internet by cable modem, and the remote site will have up to 10 users behind the PIX/VPN.

    Here are my questions:

What kind of PIX hardware does the remote site need? A 501/506, or something else?

Do I need a VPN concentrator, etc. at the head end?

How the hell do I make it work?

Sounds simple, right? I'd appreciate a lot of help because I am a little confused. Thanks in advance.

    Marc

    Hello Mark,

    Here is an example of PIX to PIX VPN using IPSec:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

In addition, many more examples here to get you going, all authored by TAC:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html

    Hope this helps - Jay

• Question about shun to PIX

Is it possible to have a specific user account on the sensor to log in and send shun commands to a PIX, or are you limited to a generic login with the enable password?

    Thank you

    1) Go to the web configuration GUI on the sensor.

    2) Select the "Configuration" tab.

    3) Select 'Blocking' -> 'Logical Devices'.

    4) Enter the username, password and enable password in the appropriate fields.

    5) Go to "Blocking Devices" and add the PIX as a blocking device.

It should work. I do something similar through the IDS MC, but the configuration is reflected on the individual sensors as I described above. (Assuming you are on sensor code 4.x and the username is valid for the PIX in question.)

    I hope this helps.

    Kind regards

    Chad

• Cisco PIX configuration question - very limited info. Sorry!

    People,

I have been asked a question about a Cisco PIX (I don't know what model it is), which I know very, very little about. The person who asked me the question is helping someone else! I apologize in advance for the lack of information here, but I'm hoping that someone who has PIX expertise will be able to diagnose the problem, or pass the right questions down the chain to address this problem. The question they asked me:

"Can't get NAT working correctly between the DMZ and other ports."

I know it is very sketchy, but because I'm not a firewall or security person I'm not sure what I want or what questions I need to ask. I do however have a copy of the config; if someone can help, we'd really appreciate it.

    Config is attached.

    I think that the above is not a problem.

However, here is a question:

    static (dmz1,outside) 20.20.20.252 switch1 netmask 255.255.255.255 0 0

    static (dmz1,outside) 20.20.20.22 switch1 netmask 255.255.255.255 0 0

I think it should be:

    static (dmz1,outside) 20.20.20.252 switch1 netmask 255.255.255.255 0 0

    static (dmz1,outside) 20.20.20.22 nlbweb1 netmask 255.255.255.255 0 0

    Let us know if this can help,

    Paul
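What Paul spots is a copy-and-paste slip that is easy to miss in a long config: two one-to-one statics on the same interface pair hand two different global addresses to the same real host, so the second public address and the host it was meant for (nlbweb1) are not connected to each other. The checker below is an added example, not code from the thread or from Cisco; it parses one-to-one static lines (port statics are skipped on purpose, since one host legitimately appears in several of those) and reports both directions of the mistake: a real host mapped from two global addresses, and a global address mapped to two real hosts. The two switch1 lines are the ones from the post; the nlbweb2 port statics and the 203.0.113.5 entries in the test are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# One-to-one statics only: 'static (a,b) global real netmask m [conns [embryonic]]'.
# Port statics (tcp/udp) are excluded by the negative lookahead.
STATIC_RE = re.compile(
    r"^\s*static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(?!(?:tcp|udp)\s)(\S+)\s+(\S+)\s+netmask\s+(\S+)"
)


def parse_statics(config: str) -> List[Dict]:
    """Return one record per one-to-one static, with its line number for reporting."""
    found = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(line)
        if m:
            real_if, map_if, glob, real, mask = m.groups()
            found.append(dict(line=lineno, pair=(real_if, map_if),
                              global_ip=glob, real_ip=real, mask=mask))
    return found


def find_static_conflicts(config: str) -> List[Dict]:
    """Flag a real host given two global addresses on one interface pair (Paul's
    finding above) and a global address that points at two different real hosts."""
    by_real: Dict = defaultdict(list)
    by_global: Dict = defaultdict(list)
    for s in parse_statics(config):
        by_real[(s["pair"], s["real_ip"])].append(s)
        by_global[(s["pair"], s["global_ip"])].append(s)
    findings = []
    for (pair, real), entries in by_real.items():
        if len(entries) > 1:
            findings.append(dict(kind="real host mapped twice", pair=pair, key=real,
                                 lines=[e["line"] for e in entries],
                                 others=[e["global_ip"] for e in entries]))
    for (pair, glob), entries in by_global.items():
        if len(entries) > 1:
            findings.append(dict(kind="global address mapped twice", pair=pair, key=glob,
                                 lines=[e["line"] for e in entries],
                                 others=[e["real_ip"] for e in entries]))
    return findings


# The two lines from the post (interface names as in a 6.x config), plus two
# constructed port statics for a second DMZ host to show they are left alone.
POSTED_CONFIG = """\
static (dmz1,outside) 20.20.20.252 switch1 netmask 255.255.255.255 0 0
static (dmz1,outside) 20.20.20.22 switch1 netmask 255.255.255.255 0 0
static (dmz1,outside) tcp 20.20.20.30 www nlbweb2 www netmask 255.255.255.255 0 0
static (dmz1,outside) tcp 20.20.20.30 https nlbweb2 https netmask 255.255.255.255 0 0
"""

# Paul's suggested fix applied to the second line.
CORRECTED_CONFIG = POSTED_CONFIG.replace("20.20.20.22 switch1", "20.20.20.22 nlbweb1")

if __name__ == "__main__":
    for f in find_static_conflicts(POSTED_CONFIG):
        print(f"line(s) {f['lines']}: {f['kind']} on {f['pair']}: {f['key']} -> {f['others']}")
```

Feed it the output of "show run" (or "show static") and act on each finding by hand; the tool only says where two lines disagree, not which of them is the typo.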
