Limited SMTP outgoing with PIX

I want to restrict SMTP out to our mail server in the DMZ. We have a PIX 515E between our internal network and an external 2650 router. I want to restrict all machines except the outgoing SMTP mail server, but always allow SMTP to the mail server. As the PIX only supports inbound ACLs, do I have to configure the ACL on the external router, or is there a way of doing this with the PIX? Thank you.

If the SMTP box is on the DMZ int of the 515E, you can write an ACL for the inside int of the 515E that blocks all tcp any any eq 25.

That's assuming that you do not use SMTP from the client PCs to the e-mail server in the DMZ. If you do, start the ACL with a statement permitting the SMTP traffic to the SMTP server, and the following statement must be a deny all to SMTP 25.

Finally, if you do not have an existing ACL on the inside int, you probably need a permit ip any any statement to permit all other traffic to proceed.
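The ordering point in the answer (permit the mail server first, then deny the rest of tcp/25, then permit everything else) is easy to get wrong, so here is an added illustration that is not part of the thread: a small Python evaluator with PIX-style first-match semantics run over the three-line inside ACL and a few constructed flows. The addresses (inside clients on 10.1.1.0/24, a DMZ mail relay at 172.16.1.25, outside hosts in 203.0.113.0/24), the ACL name INSIDE-IN and the flow labels are all assumptions made up for the example; only the small subset of access-list syntax used here is parsed.

```python
"""Added example: first-match evaluation of a PIX-style inside-interface ACL.

Not code from the thread. Addresses, the ACL name and the sample flows are
constructed for the illustration. Only this subset of PIX 6.x access-list
syntax is parsed: permit/deny, tcp/udp/ip, 'any' | 'host A.B.C.D' |
'A.B.C.D MASK' for source and destination, and an optional 'eq <port|name>'
on the destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53, "ftp": 21}

# Constructed topology (assumption): DMZ mail relay that is the only box
# allowed to receive SMTP from the inside network.
MAIL_SERVER = "172.16.1.25"

# The ACL the answer describes: permit SMTP to the mail server first, then
# deny all other SMTP, then let everything else through.
RECOMMENDED_ACL = f"""
access-list INSIDE-IN permit tcp any host {MAIL_SERVER} eq smtp
access-list INSIDE-IN deny tcp any any eq smtp
access-list INSIDE-IN permit ip any any
"""

# Same three lines with the deny ahead of the permit: the permit never matches.
MISORDERED_ACL = f"""
access-list INSIDE-IN deny tcp any any eq smtp
access-list INSIDE-IN permit tcp any host {MAIL_SERVER} eq smtp
access-list INSIDE-IN permit ip any any
"""


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]         # None means any destination port


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tok[i]; return (net, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text: str, name: str) -> List[Ace]:
    """Collect the entries of access-list <name> in the order they appear."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != name:
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        port = None
        if i + 1 < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        aces.append(Ace(action, proto, src, dst, port))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, int]:
    """PIX semantics: the first matching entry decides; no match is an implicit deny.
    Returns (action, 1-based index of the matching entry; 0 for the implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action, n
    return "deny", 0


# Constructed sample flows arriving on the inside interface: (proto, src, dst, dport).
SAMPLE_FLOWS = {
    "client_smtp_to_dmz_relay": ("tcp", "10.1.1.50", MAIL_SERVER, 25),
    "client_smtp_direct_out":   ("tcp", "10.1.1.50", "203.0.113.10", 25),
    "client_https_out":         ("tcp", "10.1.1.50", "203.0.113.10", 443),
    "client_dns_out":           ("udp", "10.1.1.50", "203.0.113.53", 53),
}


def check_flows(acl_text: str = RECOMMENDED_ACL, name: str = "INSIDE-IN") -> Dict[str, str]:
    """Map each sample flow to the action the named ACL takes on it."""
    aces = parse_acl(acl_text, name)
    return {label: evaluate(aces, *flow)[0] for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for title, acl in (("recommended order", RECOMMENDED_ACL), ("deny listed first", MISORDERED_ACL)):
        print(f"--- {title} ---")
        for label, action in check_flows(acl).items():
            print(f"{label:28s} {action}")
```

With the recommended order, only the relay's SMTP and the non-SMTP traffic pass and direct client SMTP to the outside is dropped; with the deny listed first, client mail to the DMZ relay is dropped as well, which is the mistake the answer's "start the ACL with" wording guards against. On the PIX itself the list is attached with access-group INSIDE-IN in interface inside.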

Tags: Cisco Security

Similar Questions

  • Port redirection with pix

    Hi, I am trying to set up port forwarding on a PIX 515 running version 6.3(3) and getting nowhere fast.

    The idea is to redirect traffic from port 25 to port 2525, and the static command I tried is as follows:

    static (inside,outside) tcp X.X.X.X 25 Y.Y.Y.Y 2525 netmask 255.255.255.255 0 100

    Where X.X.X.X is a public address and Y.Y.Y.Y is a private address.

    Also, I added an access-list line permitting incoming port 25 to host X.X.X.X.

    The redirect does not work. I even went as far as testing on a web server, forwarding port 80 to 8080, but traffic is sent to port 80 regardless of the static command.

    Can someone please tell me what I'm doing wrong? My understanding is that port redirects were possible with pix software version 6.0 or later.

    Thanks in advance,

    Rick

    No sweat. I almost always overlook the simplest things so when someone else has a problem, I start easy and move up. Usually solves the problem more quickly.

    As for your other question, yes, it is normal. Remember that static is a bi-directional translation. Thus, when you added the port information in the static command for the SMTP server, the PIX now only knows to translate packets from TCP/2525 (I think that's how you had it). When your mail server tries to send outgoing mail, the source port will be an ephemeral port (i.e. probably not 2525). So, I usually have people do something like this:

    static (inside,outside) tcp 1.1.1.1 25 10.1.1.1 2525 netmask 255.255.255.255

    nat (inside) 2 10.1.1.1 255.255.255.255

    global (outside) 2 1.1.1.1

    That takes care of everything in both directions for the 10.1.1.1 host (for example).

    Hope that this helps explain the issues. Good luck.

    Scott

  • 802.1q tagging with PIX 6.3(1)

    Does anyone use VLAN tagging with PIX 6.3(1)? I could make an ethernet (eth0, for example) a trunk port to carry vlan2, vlan3 and vlan4. But the PIX does not let me define ethernet1 as an access port belonging to vlan2. Or if I try to assign ethernet3 to vlan3, it is rejected by the PIX as well.

    I thought that the PIX concept of assigning a trunk port and a VLAN access port would be the same as on a Catalyst, but it looks like I'm wrong. Can anyone point me in the right direction?

    Best regards

    Engel

    Engel: Configuring VLANs on the PIX is not the same as what you do on the switch. The PIX interfaces are not configured as 'trunk' or 'access' ports. With the PIX, you can assign a vlan to a physical interface, or assign a vlan as a logical interface on a physical interface. And a vlan is limited to a single PIX interface, physical or logical. Here's an example configuration:

    interface ethernet1 100full
    interface ethernet1 vlan50 physical
    interface ethernet1 vlan60 logical
    interface ethernet1 vlan70 logical
    interface ethernet1 vlan90 logical
    interface ethernet2 100full
    interface ethernet2 vlan20 physical
    interface ethernet2 vlan1 logical
    interface ethernet2 vlan30 logical
    interface ethernet2 vlan40 logical
    !
    nameif ethernet1 Win2K security52
    nameif ethernet2 NT4 security90
    nameif vlan60 User60 security53
    nameif vlan70 User70 security54
    nameif vlan90 User90 security55
    nameif vlan1 management security91
    nameif vlan30 Novell security50
    nameif vlan40 Misc security51
    !
    ip address Win2K 10.2.50.1 255.255.255.0
    ip address NT4 10.2.20.1 255.255.255.0
    ip address User60 10.2.60.1 255.255.255.0
    ip address User70 10.2.70.1 255.255.255.0
    ip address User90 10.1.90.1 255.255.255.0
    ip address management 10.2.1.1 255.255.255.0
    ip address Novell 10.2.30.1 255.255.255.0
    ip address Misc 10.2.40.1 255.255.255.0

    I hope this helps!

  • Is the SSM-4GE compatible with the PIX?

    The proposed replacement of the PIX-1FE is the SSM-4GE. Does this mean that it is compatible with the PIX?

    http://Cisco.com/en/us/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_for_cisco_pix_sec_app_cards_and_hwacc.html

    No it's not. With the PIX now being EoS, I assume you have / will upgrade to the ASA.

    HTH

  • Is it possible to set up SMTP authentication with the vCSA 5.5?

    Hello.

    I have a vCenter Server Virtual Appliance 5.5 and an SMTP server that requires SMTP authentication on port 587.

    I found the advanced setting "mail.smtp.port", but I found no parameters such as 'mail.smtp.username' and 'mail.smtp.password'.

    Is it possible to set up SMTP authentication with the vCSA 5.5?


    Best regards.

    No, can't be done.

    Set up a separate SMTP relay that would do the authentication for you, as explained in this post:

    Configuring vCenter for e-mail with SMTP authentication. Adventures in a virtual world

  • Limitations of architecture with replication of VM with physical RDM Mode

    What are the limitations of the architecture for replication of a VM connected with a physical-mode RDM in vSphere Replication? Why does VMware not support this?

    I will add some color to GS's response. Of particular interest with regard to how the physical-mode RDM (pRDM) works, to summarize these two bullets of the article:

    • Physical mode specifies minimal SCSI virtualization of the mapped device, allowing greater flexibility for SAN management software.
    • VMkernel passes all SCSI commands to the device, with one exception - the REPORT LUNS command is virtualized, so that the VMkernel can isolate the LUN to the owning virtual machine. Otherwise, all the physical characteristics of the underlying hardware are exposed.

    There is a vSphere Replication (VR) agent integrated in vSphere that has several functions. In particular, it keeps track of the writes to the virtual machine. When a replication cycle occurs, the changed data is replicated to the target location. The VR agent must be able to 'see' these writes to track them. Given that physical mode passes all SCSI commands directly to the device, the VR agent is unable to track these changes for replication.

  • SMTP outgoing on several accounts FAIL

    I'm new to Thunderbird, with v31.0.

    I have several e-mail accounts hooked up, all with separate outgoing SMTP servers defined. They all work... and then they don't.

    What is happening is that no matter which email account I use to send an e-mail, the SMTP server changes to the default, which will not work unless I'm on the default e-mail account.

    I go into the specific account settings, and of course the SMTP is set to the default. I change it. I can send my email.

    I go to send another and this process repeats.

    It is incredibly difficult to have to manually specify the SMTP server every time I want to send an email.

    Why is it forgetting its individual account settings?

    How can I fix it?

    Do you use multiple identities for your accounts?

    Each account can have multiple identities, each using a specific SMTP server. Make sure they are set to what you want.

    There is full information on this configuration on this MozillaZine page.

  • Problem of recovery of password with pix 501

    Hello

    my organization uses a PIX 501 firewall with software version 6.2. After I lost the password I tried erasing it using the FAQ provided on this site (using the file np62.bin through a TFTP server).

    Unfortunately, I cannot connect using the default password "cisco".

    Thank you

    Raphaël Cohen, University of Tel Aviv

    Hello Raphael,

    You need to connect to the PIX via the console port on the PIX. If you deleted the passwords, then (as mentioned before) there is NO password; to get privileged EXEC access just hit return. Now you will need to configure an "enable" password with the command: pix# enable password <password>. The password is case-sensitive and can be a combination of characters and numbers; the length of the password is limited to 16 characters.

    You can now set up telnet access as well, i.e. in config mode: pix(config)# telnet <ip_address> [<netmask>] [<interface_name>]

    example: (in config mode) telnet 192.168.10.10 255.255.255.0 inside

    Good idea to use a static IP address for the above; make sure to save your config with the cmd: write memory

    Hope this helps - Jay

    PS. Please rate this post if it helped you so that other members can use it if they have the same problem as you - that helps! Thank you.

  • Problem with PIX 501-> L2L 1721 VPN

    I am setting up a site to site vpn according to the http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008051a69a.shtml.

    I want to connect 192.168.105.0/24 and 192.168.106.0/24.

    PIX01 is 192.168.106.1, with dynamic external IP (B.B.B.B)

    RTR01 is 192.168.105.1, with dynamic external IP address (I'm just using the current DHCP address from the ISP as A.A.A.A in the config of PIX01 - this is a temporary application, not critical, where I can update the address if necessary)

    It seems that the VPN tunnel is established but traffic does not return from the router to the pix.  I temporarily permitted all traffic on the PIX inside/outside interfaces (and icmp).

    If I enable icmp debug I see ping requests from the client 192.168.106.100 to the internal interface of the router (192.168.105.1), but no return icmp:

    On PIX01:

    180:-Interior ICMP echo request: 192.168.105.1 ID = 1 length = 40 seq = 298 192.168.106.100
    181:-Interior ICMP echo request: 192.168.105.1 ID = 1 length = 40 seq = 299 192.168.106.100
    182:-Interior ICMP echo request: 192.168.105.1 ID = 1 length = 40 seq = 300 192.168.106.100
    183:-Interior ICMP echo request: 192.168.105.1 ID = 1 length = 40 seq = 301 192.168.106.100

    On RTR01:
    *Dec 22 03:40:46.885: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100
    *Dec 22 03:40:51.713: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100
    *Dec 22 03:40:56.713: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100
    *Dec 22 03:41:01.709: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100

    Output of sh crypto isakmp sa:

    PIX01(config)# sh crypto isakmp sa
    Total     : 1
    Embryonic : 0
            dst               src        state     pending     created
        A.A.A.A           B.B.B.B    QM_IDLE         0           1

    RTR01#sh crypto isakmp sa
    dst             src             state          conn-id slot status
    A.A.A.A         B.B.B.B         QM_IDLE              1    0 ACTIVE

    Output of sh crypto ipsec sa:

    PIX01(config)# sh crypto ipsec sa

    interface: outside
        Crypto map tag: IPSEC, local addr. B.B.B.B

       local  ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.105.0/255.255.255.0/0/0)
       current_peer: A.A.A.A:500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 103, #pkts encrypt: 103, #pkts digest 103
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 12, #recv errors 0

         local crypto endpt.: B.B.B.B, remote crypto endpt.: A.A.A.A
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 7cb75998

         inbound esp sas:
          spi: 0xb896f6c6(3096901318)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: IPSEC
            sa timing: remaining key lifetime (k/sec): (4608000/3151)
            IV size: 8 bytes
            replay detection support: Y

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x7cb75998(2092390808)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: IPSEC
            sa timing: remaining key lifetime (k/sec): (4607999/3151)
            IV size: 8 bytes
            replay detection support: Y

         outbound ah sas:

         outbound pcp sas:

    RTR01#sh crypto ipsec sa

    interface: Vlan600
        Crypto map tag: IPSEC, local addr A.A.A.A

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.105.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
       current_peer B.B.B.B port 500
         PERMIT, flags={}
        #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
        #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: A.A.A.A, remote crypto endpt.: B.B.B.B
         path mtu 1500, ip mtu 1500, ip mtu idb Vlan600
         current outbound spi: 0xB896F6C6(3096901318)

         inbound esp sas:
          spi: 0x7CB75998(2092390808)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 2002, flow_id: SW:2, crypto map: IPSEC
            sa timing: remaining key lifetime (k/sec): (4556997/3076)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB896F6C6(3096901318)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 2001, flow_id: SW:1, crypto map: IPSEC
            sa timing: remaining key lifetime (k/sec): (4556997/3076)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    I can provide more information if necessary.

    Thanks in advance for any help,

    CJ

    ISAKMP uses UDP/500, and it is true that it got through, since phase 1 is up (QM_IDLE).

    IPSec uses ESP or UDP/4500, and this is what must be permitted by the FW.

  • Remote VPN with PIX without access to the local network

    Hi @all,

    I've run into problems and I have not found any solution. Can someone check my config?

    Facts:

    PIX 501 6.3(3)

    VPN client 4.04

    Wanted solution: access to HO via VPN

    The VPN tunnel is established and I get an IP address, but I can't access the systems behind the pix or the pix itself.

    In the VPN Client statistics I see outgoing packets, but no incoming (if I send a ping to a peer behind the pix).

    I hope someone can help me

    Attached is my config:

    PIX 501 and 506/506E are not supported in v7 due to the fact that the CPU is not able to deal with the extended features of v7.

    PIX 520 is not supported; I guess it's because the model is discontinued.

  • Cannot access the internal network over VPN with PIX 506E

    Hello

    I seem to have a problem with the configuration of my PIX. I can ping the VPN client from the in-house network, but cannot access any resources from the VPN client. My running configuration is the following:

    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password N/JZnmeC2l5j3YTN encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname SwantonFw2
    domain-name **.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any any
    access-list allow_ping permit icmp any any echo-reply
    access-list allow_ping permit icmp any any unreachable
    access-list allow_ping permit icmp any any time-exceeded
    access-list INSIDE-IN permit tcp interface inside interface outside
    access-list INSIDE-IN permit udp any any eq domain
    access-list INSIDE-IN permit tcp any any eq www
    access-list INSIDE-IN permit tcp any any eq ftp
    access-list INSIDE-IN permit icmp any any echo
    access-list INSIDE-IN permit tcp any any eq https
    access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
    access-list swanton_splitTunnelAcl permit ip any any
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
    no pager
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.150 255.255.255.0
    ip address inside 192.168.0.35 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN_Pool 192.168.240.1-192.168.240.254
    pdm location 0.0.0.0 255.255.255.0 outside
    pdm location 192.168.1.26 255.255.255.255 outside
    pdm location 192.168.240.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    access-group INSIDE-IN in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup swanton address-pool VPN_Pool
    vpngroup swanton dns-server 192.168.1.1
    vpngroup swanton split-tunnel swanton_splitTunnelAcl
    vpngroup swanton idle-time 1800
    vpngroup swanton password *
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.0.36-192.168.0.254 inside
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username scott password hwDnqhIenLiwIr9B encrypted privilege 15
    username norm password ET3skotcnISwb3MV encrypted privilege 2
    username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
    username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
    username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
    username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
    username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
    username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
    username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
    username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
    username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
    username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
    username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
    username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
    terminal width 80
    Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
    : end
    [OK]

    Any help will be greatly appreciated

    BJ,

    Are you trying to access resources on the network behind the inside interface?

    IP address inside 192.168.0.35 255.255.255.0

    If so, please make the following changes:

    1- access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0

    2- no vpngroup swanton split-tunnel swanton_splitTunnelAcl

       vpngroup swanton split-tunnel SWANTON_VPN_SPLIT

    3- no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0

    4- isakmp nat-traversal 30

    Let me know how it goes.

    Portu.

    Please rate all useful posts

  • SMTP problem with the recipient's address

    Hi, I made a copy of the SMTP Email Send Message function to use it with another smtp port (such as 587). Everything works well when the recipient's address is like [email protected] or any normal address. The problem is when I'm trying to use this function to send an e-mail to an address like [email protected]. Every email address at the company is like the second example. Does anyone have an idea to solve this problem?

    I had the same problem with my mail server @msu.edu.

    The problem is that many companies use TLS or SSL security settings.

    There are ways around this problem.

    I have attached a VI that should work for you.

    I can't take credit for the VI, it was given to me by a person on the forums.

    I've just modified it a bit.

    Edit: If you look at the block diagram, at the top, there is an invoke node.

    It's for "SMTP Client", and the element is "host".
    You will need to change that from 'mail.msu.edu' to whatever server your company uses.

    And you may need to change the port as well.

    I also customized the VI icon, but you can leave it if you like it.

  • 4240 IPS blocking queries with Pix 515E

    I have activated blocking on the 4240 and set our Pix 515E as the blocking device. When I look at the Signature Configurations, quite a few Signature Actions are set to produce alert only. If blocking is enabled, do you also have to go and set the signature Actions to Deny or TCP Reset? So far my attackers show as not denied by the IPS, and it has detected the high level of traffic which I assume must now be blocked. Thanks, John

    Yes, go under the signatures that you want and enable blocking for them as an action. Configuring blocking globally (setting the blocking device, the interface, the device connection information, etc.) does not actually block anything on the sensor itself; you still need to go and activate blocking on that particular signature. When that particular sig fires in the future, the sensor will then block on the device that you configured.

    Be very careful with blocking. The reason that we don't simply block on all the signatures is that it would be very dangerous to blindly add access lists to a device that will stop traffic. You must first make sure that you don't get any number of false positives on the signatures and end up blocking valid traffic. In addition, on a busy sensor you could easily overrun the sensor and the blocking device by writing and deleting 1000's of access lists. And finally, although probably unlikely, blocking can even be used as a denial of service attack, where an attacker, if they know what signatures you block on, can spoof packets past your sensor so that it denies traffic to your legitimate hosts.

    You have to look at what signatures you really want to block, and then enable blocking on them individually.

  • PDM with PIX 515 does not work

    I just upgraded our PIX 515 from 6.1 to 6.2. I also added DES support and loaded version 2.1 of the PDM. I am trying to browse to the PDM, but I can't. What am I missing?

    Hello

    have you added the following lines to your config file and have you used HTTPS to access the pix (http is not supported, only https)?

    http server enable

    http A.B.C.D 255.255.255.255 inside

    A.B.C.D is the ip address of the host from which you are trying to reach the pix with the pdm.

    If you're still having problems after the addition of these two lines, you might have a look at this page:

    http://www.Cisco.com/warp/customer/110/pdm_http404.shtml

    Kind regards

    Tom

  • site to site vpn with pix multiple tunnels

    Hello

    I have a vpn site-to-site between two PIX firewall tunnel.

    Is it possible to build on one side, another tunnel vpn site to site with the third PIX?

    Thank you

    Robert

    Robert

    You can only use one crypto map on an interface, but you can have multiple sequence numbers within your crypto map, so your config:

    The existing tunnel

    crypto map mykink1 1 ipsec-isakmp

    crypto map mykink1 1 match address 101

    crypto map mykink1 1 set peer 21.21.21.21

    crypto map mykink1 1 set transform-set aesonly

    Your new tunnel

    crypto map mykink1 2 ipsec-isakmp

    crypto map mykink1 2 match address "ACL number"

    crypto map mykink1 2 set peer "new peer address"

    crypto map mykink1 2 set transform-set "new transform set"

    crypto map mykink1 2 set security-association lifetime seconds "number of seconds"

    You must fill in the proper values between the "" marks.

    Note that the sequence number is incremented from 1 in your first entry to 2 in the second entry.

    You can specify the security association lifetime in the crypto map config, which overrides the global settings.

    Adding this config should not affect your existing tunnel.

    HTH

    Jon
