Issue of ARP and PIX firewall

I have a PIX 515 that is doing static NAT translations (using static entries and alias). I have a remote access server running Citrix. We have had some problems connecting to this server internally. I found that when I ping it, nine out of ten tries time out after the first attempt. When I do an "arp -a" on my workstation, it comes back with the MAC address of the inside interface of my PIX. If I try to ping and manually clear my ARP cache, after ten or more attempts it will correctly ping the right device, and then go immediately back to the MAC address of the PIX. This configuration is fairly standard for us. What could be wrong?

Looks like the PIX is answering ARP queries for the Citrix server's MAC address. Turn off proxy ARP on the PIX inside interface with:

> sysopt noproxyarp inside
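
One way to confirm the proxy ARP behaviour described above before and after the change (an added example, not part of the original thread): the script reads `tcpdump -n arp` style reply lines and lists every address other than the firewall's own that the firewall's inside MAC answers for. The capture lines, IP addresses and MAC addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches tcpdump -n ARP reply lines such as
# "10:15:01.000210 ARP, Reply 10.1.1.20 is-at 00:50:56:11:22:33, length 46"
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9A-Fa-f:]{17})"
)

# Constructed values: the firewall's inside interface address and MAC.
FIREWALL_IP = "10.1.1.1"
FIREWALL_MAC = "00:0b:46:aa:bb:01"

# Constructed capture: 10.1.1.20 plays the Citrix server from the question.
SAMPLE_CAPTURE = """\
10:15:01.000210 ARP, Reply 10.1.1.20 is-at 00:0b:46:aa:bb:01, length 46
10:15:01.000950 ARP, Reply 10.1.1.20 is-at 00:50:56:11:22:33, length 46
10:15:09.120000 ARP, Reply 10.1.1.1 is-at 00:0b:46:aa:bb:01, length 46
10:15:20.300100 ARP, Reply 10.1.1.20 is-at 00:0B:46:AA:BB:01, length 46
10:15:31.410000 ARP, Reply 10.1.1.40 is-at 00:50:56:44:55:66, length 46
10:15:42.000300 ARP, Reply 10.1.1.20 is-at 00:0b:46:aa:bb:01, length 46
10:15:55.700000 ARP, Reply 10.1.1.25 is-at 00:0b:46:aa:bb:01, length 46
""".splitlines()


def replies_by_ip(lines):
    """Map each IP to {mac: number of ARP replies claiming that IP}."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in lines:
        match = ARP_REPLY.search(line)
        if match:
            seen[match.group("ip")][match.group("mac").lower()] += 1
    return {ip: dict(macs) for ip, macs in seen.items()}


def proxy_arp_report(lines, firewall_ip, firewall_mac):
    """List IPs, other than its own, that the firewall MAC answers for.

    'contested' is True when another MAC also claims the IP, which is the
    flapping ARP cache symptom described in the question.
    """
    firewall_mac = firewall_mac.lower()
    report = {}
    for ip, macs in replies_by_ip(lines).items():
        if ip == firewall_ip or firewall_mac not in macs:
            continue
        others = sorted(mac for mac in macs if mac != firewall_mac)
        report[ip] = {
            "firewall_replies": macs[firewall_mac],
            "other_macs": others,
            "contested": bool(others),
        }
    return report


if __name__ == "__main__":
    found = proxy_arp_report(SAMPLE_CAPTURE, FIREWALL_IP, FIREWALL_MAC)
    for ip, info in sorted(found.items()):
        state = "contested" if info["contested"] else "firewall only"
        print(f"{ip}: {info['firewall_replies']} firewall replies ({state})")
```

After `sysopt noproxyarp inside` is applied, a fresh capture run through the same function should return an empty report.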

Tags: Cisco Security

Similar Questions

  • Cisco ACS and Pix Firewall

    I have configured AAA authentication on the PIX firewall to use the ACS RADIUS server for user verification. If the ACS server becomes unavailable, then I cannot connect to the PIX firewall.

    In the router, I have the configuration option

    aaa authentication login default group tacacs+ local

    that tells the router to look first for a RADIUS server and, if it is not available, to connect through the local database.

    Is there an option in the Cisco pix firewall to connect using local information if ACS is not available?

    Thanks in advance

    Hello

    The PIX backup method for getting into the unit in the event of AAA server failure works on 6.3.4 code and above. In the codes plus late 6.3.4 If the RADIUS server fails it is impossible to get in unless password recovery. However, if we have not configured AAA authentication for the console, then user name: pix and password: cisco works by default.

    Kind regards

    Mahmoud Singh

  • PIX firewall Image issue

    Hello

    I am downgrading a PIX firewall from 7.0 to 6.3. I faced a problem during the restart of the PIX.

    The error is given below:

    Start the first image in flash

    Image must be at least 7-0-0-0 error in the flash file: / pix635.bin

    No bootable Flash image. Please download an image from a network server

    in monitor mode

    CISCO PIX FIREWALL SYSTEMS

    BIOS version shipped 4.3.207 01/02/02 16:12:22.73

    Compiled by Manu

    128 MB OF RAM

    Did you follow the exact downgrade procedure indicated at this link? You point to the 6.3.x image as shown:

    downgrade tftp://tftpserverip/pix63x.bin

    PIX downgrade procedure 7.x to 6.3.x

    http://www.Cisco.com/en/us/docs/security/ASA/asa70/pix_upgrade/upgrade/guide/pixupgrd.html#wp1810347

    In any case, you can always download the 6.3.5 code again in monitor mode.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml#upbootormon

    Let us know how it works.

    Rgds

    Jorge

  • VPN Client 3.6.3 and PIX 506E

    Hello

    I am trying to build a VPN between VPN Client version 3.6.3 and a PIX 506E running 6.2(2) with 3DES.

    Firewall # sh ver

    Cisco PIX Firewall Version 6.2 (2)

    Cisco PIX Device Manager Version 2.1 (1)

    Updated Saturday, June 7 02 17:49 by Manu

    Firewall up to 7 days 4 hours

    Material: PIX-506E, 32 MB RAM, Pentium II 300 MHz processor

    Flash E28F640J3 @ 0 x 300, 8 MB

    BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

    Features licensed:

    Failover: disabled

    VPN - A: enabled

    VPN-3DES: enabled

    Maximum Interfaces: 2

    Cut - through Proxy: enabled

    Guardians: enabled

    URL filtering: enabled

    Internal hosts: unlimited

    Flow: limited

    Peer IKE: unlimited

    Modified configuration of enable_15 to 22:59:47.355 UTC Friday, December 13, 2002

    Firewall #.

    I get the following errors:

    Firewall #.

    crypto_isakmp_process_block: src dest 198, Mike.

    Peer VPN: ISAKMP: approved new addition: ip:Mike Total VPN peer: 1

    Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 1 Total peer VPN: 1

    Exchange OAK_AG

    ISAKMP (0): treatment ITS payload. Message ID = 0

    ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 2 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 3 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 4 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform against the policy of priority 10 5

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 6 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 7 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 8 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 9 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4

    crypto_isakmp_process_block: src dest 198, Mike.

    Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 2 Total VPN peer: 1

    Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 1 Total peer VPN: 1

    crypto_isakmp_process_block: src dest 198, Mike.

    Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 2 Total VPN peer: 1

    Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 1 Total peer VPN: 1

    crypto_isakmp_process_block: src dest 198, Mike.

    Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 2 Total VPN peer: 1

    Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 1 Total peer VPN: 1

    ISAKMP (0): retransmission of phase 1...

    ISAKMP (0): retransmission of phase 1...

    ISAKMP (0): delete SA: CBC Mike, dst 198.143.226.158

    ISADB: Reaper checking HIS 0x812ba828, id_conn = 0 DELETE IT!

    Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 0 Total of VPN peer: 1

    Peer VPN: ISAKMP: deleted peer: ip:Mike VPN peer Total: 0

    Looks like I have an encryption problem. Here is most of my configuration:

    : Saved

    :

    6.2 (2) version PIX

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    activate the encrypted password

    encrypted passwd

    Firewall host name

    domain name

    fixup protocol ftp 21

    fixup protocol http 80

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol they 389

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sqlnet 1521

    fixup protocol sip 5060

    fixup protocol 2000 skinny

    No fixup not protocol smtp 25

    names of

    access-list outside_access_in.255.255.224 all

    access-list outside_access_in 255.255.255.224 all

    outside_access_in tcp allowed access list all hosteq smtp

    outside_access_in list access permit tcp any host eq pop3

    outside_access_in list access permit tcp any host eq 5993

    outside_access_in tcp allowed access list all hostq smtp

    outside_access_in tcp allowed access list all pop3 hosteq

    outside_access_in list access permit tcp any host eq www

    outside_access_in tcp allowed access list any ftp hosteq

    outside_access_in tcp allowed access list all www hosteq

    outside_access_in tcp allowed access list all www hosteq

    allow the ip host Toronto one access list outside_access_in

    permit outside_access_in ip access list host Mike everything

    outside_access_in deny ip access list a whole

    pager lines 24

    opening of session

    monitor debug logging

    buffered logging critical

    logging trap warnings

    history of logging warnings

    host of logging inside

    interface ethernet0 car

    Auto interface ethernet1

    ICMP allow all outside

    ICMP allow any inside

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside some 255.255.255.248

    IP address inside 10.1.1.1 255.255.255.0

    IP verify reverse path to the outside interface

    IP verify reverse path inside interface

    alarm action IP verification of information

    alarm action attack IP audit

    IP local pool vpnpool 192.168.1.50 - 192.168.1.75

    PDM location 255.255.255.255 inside xxx

    location of router PDM 255.255.255.255 outside

    PDM location 255.255.255.255 inside xxx

    location of PDM Mike 255.255.255.255 outside

    location of PDM Web1 255.255.255.255 inside

    PDM location 255.255.255.255 inside xxx

    PDM location 255.255.255.255 inside xxx

    PDM location 255.255.255.224 out xxx

    PDM location 255.255.255.224 out xxx

    xxx255.255.255.224 PDM location outdoors

    PDM location 255.255.255.255 out xxx

    location of PDM 10.1.1.153 255.255.255.255 inside

    location of PDM 10.1.1.154 255.255.255.255 inside

    PDM logging 100 reviews

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

    Several static inside servers...

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 Router 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    AAA-server local LOCAL Protocol

    No snmp server location

    No snmp Server contact

    No trap to activate snmp Server

    enable floodguard

    Permitted connection ipsec sysopt

    No sysopt route dnat

    Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

    Crypto-map dynamic dynmap 30 transform-set RIGHT

    map newmap 20-isakmp ipsec crypto dynamic dynmap

    newmap outside crypto map interface

    ISAKMP allows outside

    ISAKMP key * address Mike netmask 255.255.255.255

    ISAKMP identity address

    part of pre authentication ISAKMP policy 10

    ISAKMP policy 10 3des encryption

    ISAKMP policy 10 md5 hash

    10 2 ISAKMP policy group

    ISAKMP life duration strategy 10 86400

    vpngroup mycompany vpnpool address pool

    vpngroup mycompany SERVER101 dns server

    vpngroup wins SERVER101 mycompany-Server

    mycompany vpngroup default-domain whatever.com

    vpngroup idle time 1800 mycompany

    mycompany vpngroup password *.

    SSH timeout 15

    dhcpd address 10.1.1.50 - 10.1.1.150 inside

    dhcpd dns Skhbhb

    dhcpd lease 3600

    dhcpd ping_timeout 750

    dhcpd field ljkn

    dhcpd allow inside

    Terminal width 80

    Cryptochecksum:0e4c08a9e834d03338974105bb73355f

    : end

    [OK]

    Firewall #.

    Any ideas?

    Thank you

    Mike

    Hi Mike,

    You are welcome at any time. Will wait for your update.

    Kind regards

    Arul
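
A troubleshooting aid for the ISAKMP debug output in the thread above (an added example, not part of the original posts): it parses each offered transform and lists which attributes differ from ISAKMP policy 10 as configured in the post (3des, md5, group 2). The sample lines are constructed in the wording of the posted debug, including a third, matching transform that does not appear in the post; reading the unrecognised encryption value 7 as AES-CBC follows the IANA IKE attribute registry and is an assumption about what the client offered.

```python
import re

# ISAKMP policy 10 from the configuration in the post.
POLICY_10 = {"encryption": "3des", "hash": "md5", "group": "2"}

# IKEv1 encryption algorithm numbers (IANA registry); the device prints
# values it does not recognise as "What? <n>?".
IKE_ENCRYPTION_IDS = {1: "des", 5: "3des", 7: "aes"}

# Constructed sample in the wording of the debug output shown in the post.
SAMPLE_DEBUG = """\
ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 10
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 2 against the policy of priority 10
ISAKMP: encryption... What? 7?
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 3 against the policy of priority 10
ISAKMP: encryption 3DES-CBC
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP (0): atts are acceptable. Next payload is 0
"""


def parse_transforms(text):
    """Return one dict per offered transform found in the debug text."""
    transforms, current = [], None
    for line in text.splitlines():
        header = re.search(r"transform (\d+) against", line)
        if header:
            current = {"number": int(header.group(1)), "accepted": None}
            transforms.append(current)
            continue
        if current is None:
            continue  # output before the first transform header
        unknown = re.search(r"encryption\.\.\. What\? (\d+)\?", line)
        known = re.search(r"encryption (\S+)", line)
        digest = re.search(r"\b(SHA|MD5)\b", line)
        group = re.search(r"default group (\d+)", line)
        verdict = re.search(r"atts are (not )?acceptable", line)
        if unknown:
            number = int(unknown.group(1))
            current["encryption"] = IKE_ENCRYPTION_IDS.get(number, f"id-{number}")
        elif known:
            current["encryption"] = known.group(1).lower().replace("-cbc", "")
        elif "hash" in line and digest:
            current["hash"] = digest.group(1).lower()
        elif group:
            current["group"] = group.group(1)
        elif verdict:
            current["accepted"] = verdict.group(1) is None
    return transforms


def explain(text, policy):
    """Return (transform number, mismatched attributes, device verdict)."""
    results = []
    for transform in parse_transforms(text):
        diff = [key for key in ("encryption", "hash", "group")
                if transform.get(key) != policy[key]]
        results.append((transform["number"], diff, transform["accepted"]))
    return results


if __name__ == "__main__":
    for number, diff, accepted in explain(SAMPLE_DEBUG, POLICY_10):
        print(number, "accepted" if accepted else "rejected", diff)
```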

  • Windows Vista SP2 fails to install and Windows Firewall will not stay

    Hello, I have problems with Vista 64-bit: it will not install Service Pack 2 and Windows Firewall will not stay on. I tried to enable ICF manually and it won't turn on. It gave me error 6x9D. I ran several antivirus scans, Malwarebytes and PC Cleaner Pro 2012, and the issue has not been resolved. If I could get help it would be much appreciated. Thank you

    Hello

    What do you use for security?

    If you are using an Internet Security Suite, it will have its own firewall and disables the default Windows Firewall.

    And you should have only one firewall to avoid problems related to the operating system.

    You have not installed SP1?

    If so, try a direct download of SP2.

    Vista SP2 64-bit: http://www.microsoft.com/en-us/download/details.aspx?id=17669

    And if you have any problems:

    There is a forum that Microsoft has put in place for problems with Vista Service Packs. If you repost in that forum, they will definitely try to help you there...

    http://social.technet.Microsoft.com/forums/en/itprovistasp/threads

    See you soon.

  • IDS and PIX 515

    I was told that the PIX 515E firewall is capable of BLOCKING malicious attacks such as Denial of Service attacks. I then learned from CA engineers that there is NO product out there that is able to block attacks; they only notify the administrator. I'd like your opinion on whether the PIX firewall can actually BLOCK attacks or not. Thanks in advance.

    The PIX has some features to prevent DOS attacks, but it can't block everything. For example, if someone launches a smurf attack or something that uses all of your available bandwidth, then the PIX obviously cannot do anything about it, because the damage is already done by the time the traffic reaches the PIX.

    For something like a TCP SYN attack on a host inside the PIX, you can configure the static command to allow only a total number of connections through, and/or a number of half-open connections through to the internal host, effectively protecting the internal server. The PIX will refuse further attempts to connect over this limit.

    The PIX also has a limited built-in IDS. It can detect 59 common packet signatures and can be configured to block these if they are seen. The signatures it looks for are only single-packet signatures, nowhere near as broad as a real IDS device can get.

    In short, no one can say, "Yes, the PIX prevents all DOS attacks"; no box can do that, because it depends on what the DOS attack is. If someone is flooding your available circuit bandwidth, you really need to get your ISP involved to block this traffic BEFORE it gets to you. For host-based DOS attacks, yes, the PIX should be able to block most of them with standard configuration commands.

  • PIX firewall problem

    I have two servers, one on the PIX inside and the other in the DMZ. I want to set them up so that they can communicate with routers and switches located outside the PIX firewall.

    My inside server works fine: it is able to reach the Internet and able to communicate with all devices located outside the PIX firewall. Here is the reference configuration of the inside server.

    outside_acl list extended access allowed host x.223.188.0 255.255.255.0 172.28.32.50 ip

    outside_acl list extended access permit ip host host x.219.212.217 172.28.32.50

    access-list extended sheep permit ip host 172.28.32.50 host x.219.212.217

    access-list extended sheep permit ip host 172.28.32.50 x.223.188.0 255.255.255.0

    inside_acl list extended access permit ip host 172.28.32.50 all

    But my DMZ server does not work, although I made the same configuration as for the server on the inside. The DMZ server is not able to communicate with the outside network.

    outside_acl list extended access allowed host x.223.188.0 255.255.255.0 172.28.92.72 ip

    outside_acl list extended access permit ip host host x.219.212.217 172.28.92.72

    access-list extended sheep permit ip host 172.28.92.72 host x.219.212.217

    access-list extended sheep permit ip host 172.28.92.72 x.223.188.0 255.255.255.0

    dmz_acl list extended access permit ip host 172.28.92.72 all

    If I create a static entry for my DMZ SNMP server:

    static (edn, external) 172.28.92.72 172.28.92.72 netmask 255.255.255.255

    it starts to communicate with external devices, but Internet access stops working on this server. The same configuration works with the server on the inside, but not with the DMZ server.

    NAT (inside) 0 access-list sheep

    NAT (inside) 3 172.28.32.0 255.255.255.0

    NAT (dmz) 3 172.28.92.0 255.255.255.0

    Global interface 3 (external)

    Your static entry is bypassing your nat (dmz) 3 entry. You can do NAT exemption instead, as you do for your inside:

    1. Remove the static entry (followed by clear xlate).

    2. Add: nat (dmz) 0 access-list sheep

    I suggest using two different sheep ACLs, one for each interface, e.g.:

    nonat_inside

    nonat_dmz

  • PIX firewall software

    Hi guys,

    I am looking to download IOS ver 4,0000 for PIX 515E, but can't seem to find it anywhere in the downloads/security section. The only version they have is 8.0.4.

    Anyone know where I could find all earlier versions?

    Thank you very much

    Elena

    Elena, when you go to the download box, choose any 8.0 version; then on the right side of the window you will see text saying "previous software release". Click on this hyperlink and it will take you to all versions, including 7.x.

    http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=8.0.4&mdfid=277072390&sftType=PIX+Firewall+Software&optPlat=&nodecount=2&edesignator=ED&modelName=Cisco+PIX+515E+Security+Appliance&treeMdfId=268438162&treeName=Security&modifmdfid=&imname=&hybrid=Y&imst=N&lr=Y

    but here's the direct link

    http://www.Cisco.com/cgi-bin/tablebuild.pl/PIX

    Regards

  • L2L IPSec VPN 3000 and PIX 501

    Hello

    I have a remote site that has a broadband internet connection and uses a PIX 501.  We wanted to connect them with our main office using our VPN 3000 via VPN site-to-site.

    I followed the following documentation:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#tshoot

    However the L2L session does not appear on the hub when I check the active sessions.

    The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPSec-L2L tunnel is attached.

    Any help or advice are appreciated.

    I just noticed that on the PIX firewall the phase 1 parameters are not configured. You must configure the same phase 1 and phase 2 settings on both ends of the tunnel.

    For example, on CVPN 3000, you have configured settings Phase 1 as 3DES, pre-shared key etc... We have the same configuration on the PIX firewall too.

    Here is a sample config:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

    I hope this helps!

  • IDS 4210 Version 4 and PIX

    We have an IDS 4210 (version 4) and a PIX firewall. We monitor the IDS with the IDS Event Viewer. We would like to find a how-to article that shows how to set up the IDS and the PIX so that when the IDS sees an attack it tells the PIX to block it. The only articles I could find cover the Unix Director or IDS sensor version 3.

    Understood.

    Thank you.

  • Firewall setting Windows don't stay. I reboot and the firewall is disabled after reboot.

    I have AVG Internet Security 2013 installed and I want to use the Windows firewall, but when I update the Windows firewall setting it does not stay.
    I reboot and the firewall is disabled. It's Windows 7 where this is happening.

    Hello

    Please contact the Microsoft Community.

    Using a third-party antivirus will automatically disable Windows Firewall. I would like you to try disabling the AVG antivirus and check if you are able to make the changes.

    Back to us for any issues related to Windows in the future. We will be happy to help you.

  • To block P2P traffic on the PIX firewall

    What is the mechanism, and how can we block the traffic of P2P applications like eDonkey, KaZaa, iMesh, etc. on the PIX firewall?

    Hello

    You can find the info here:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a00801e419a.shtml

    I hope this helps.

    Jay

  • PIX firewall vpn Sonicwall

    Hello.

    My question is this.

    Is it possible to establish a VPN between a PIX firewall and a SonicWALL firewall?

    If so, where can I find documentation on the matter?

    Thanks in advance.

    Dear.

    Provided the SonicWALL conforms to standards, which they do, then yes, you can create a VPN between them.

    I don't think we have PIX, Sonicwall example config specifically, but the config on the PIX is still pretty standard, no matter what you connect to.

    SonicWALL has an example here: ftp://ftp.sonicwall.com/pub/info/vpn/CiscoPIX.pdf

  • How to limit the ICMP on the PIX firewall.

    Guys good day!

    I have a dilemma with regard to limiting ICMP for users reaching other networks, such as other internal DMZs.

    I know that, to allow ICMP to pass through interfaces, you will need to create an ACL such as below:

    access-list DMZACL permit icmp any any

    Users require this config to ping a server on the DMZ, but it is a security risk.

    To minimize it, I have created an object group to identify the hosts and networks that are allowed to receive echo-replies.

    Again, this is a problem, since many hosts run extended pings just to monitor the connectivity of the server and its application.

    Do you have other ideas, guys?

    What about limiting the echo replies on the PIX, so that the first 5 echo requests succeed with 5 echo-replies and the rest are dropped?

    Could this be done?

    Thank you

    Chris

    Hello. I don't think you can do this by using an ACL on the PIX; however, you might be able to stop the ICMP sweeps by activating IDS signatures using the ip audit command. For more information see the link below.

    Usage guidelines: Cisco Intrusion Detection System (Cisco IDS) provides the following for IP-based systems:

      • Traffic auditing. Application-level signatures will be audited only as part of an active session.

      • Applies the audit to an interface.

      • Supports different audit policies. Traffic that matches a signature triggers a range of configurable actions.

      • Disables the signature audit.

      • Enables IDS and still disables actions of a signature class (informational, attack).

    Auditing is performed by looking at IP packets as they arrive at an input interface; if a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures.

    PIX Firewall supports both inbound and outbound auditing.

    For a complete list of supported Cisco IDS signatures, their wording, and whether they are attack or informational messages, see Cisco PIX Firewall System Log Messages.

    See the User Guide for the Cisco Secure Intrusion Detection System Version 2.2.1 for more information on each signature. You can view the "NSDB and Signatures" chapter of this guide at the following website:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids1/csidsug/SIGs.htm

  • Place a server behind a PIX firewall production

    Hi all

    We currently have a web server that is connected to the Internet directly (multiple addressable IPs belonging to 5 different ranges of class C, with a soft firewall).

    There are several Web sites, some of them with their own IP addresses, some of them sharing IPs with other sites.

    We intend to put a server behind a PIX firewall and convert addressable IP addresses to private IPs with the static mapping on the PIX.

    We plan to use a PIX with two (2) interfaces.

    Do you think this is feasible, or are there things that I'm missing?

    Some things I'm not sure about:

    Since there are several class C IPs assigned to the server, and therefore 5 gateways defined on a NIC, one for each class, how is that defined on the PIX? 5 separate routes or...?

    Do we need to use some kind of "virtual interfaces", one for each class C subnet?

    This is an example of a "final product":

    A web request to the addressable IP 204.xxx.85.10 would be directed to the private IP address 10.xxx.85.10.

    A web request to the addressable IP 204.xxx.86.10 would go to 10.xxx.86.10, etc.

    Any help you could provide in this regard will be GREATLY appreciated!

    Hello

    Please provide a topology (plain text would work). I can't tell from your description whether you have a perimeter router in front of the PIX. In addition, when you write static route statements on the PIX, you must include an interface, as follows:

    route if_name ip_address netmask gateway_ip

    Once you post this information, I'll take another reading to better understand your situation.

    Thank you
