L2TP on PIX Version 7
Hello
I'm trying to set up an L2TP VPN on my PIX to replace a PPTP server on a router.
I followed a few guides (though most seem to be for 6.3.x) and used what I know of PIX VPN configuration, but I'm still coming up against some issues.
I have debug output that I hope someone can use to point me in the right direction.
Jun 30 11:38:54 [IKEv1]: IP = 84.93.217.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing ke payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing ISA_KE payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing nonce payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing ke payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing nonce payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing Cisco Unity VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing xauth V6 VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Send IOS VID
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Can't find a valid tunnel group, aborting...!
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, IKE MM Responder FSM error history (struct &0x42ed788) , : MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, IKE SA MM:87377a60 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, sending delete/delete with reason message
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Removing peer from peer table failed, no match!
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Error: Unable to remove PeerTblEntry
Here is my config:
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TUN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dyn-map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside-dyn-map 30 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside-dyn-map 40 set transform-set TUN_ESP_3DES_SHA
crypto map outside-map 20 ipsec-isakmp dynamic outside-dyn-map
crypto map outside-map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
...
group-policy VPN-Policy internal
group-policy VPN-Policy attributes
wins-server value 10.0.1.250
dns-server value 10.0.1.250
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value xxxx.co.uk
username xxxxxx password xxx nt-encrypted privilege 3
tunnel-group L2TP-VPN type ipsec-ra
tunnel-group L2TP-VPN general-attributes
address-pool (Inside) L2TP-Pool
authentication-server-group (Inside) LOCAL
default-group-policy VPN-Policy
tunnel-group L2TP-VPN ipsec-attributes
pre-shared-key *
tunnel-group L2TP-VPN ppp-attributes
authentication ms-chap-v2
Thanks in advance
Paul
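The debug output above is the kind of thing worth parsing automatically rather than reading by eye: the interesting facts are which vendor-ID payloads the firewall announced, whether the tunnel-group lookup failed, and whether the IKE SA was then torn down. The following parser is an added example written for this thread, not code from the original post or from Cisco; it is fed the lines quoted above and the field names (ts, src, group, ip, msg) and the summary structure are my own choices.

```python
import re
from collections import defaultdict

# Sample lines copied from the IKEv1 debug output quoted in the post above.
SAMPLE_LOG = """\
Jun 30 11:38:54 [IKEv1]: IP = 84.93.217.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing ke payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing Cisco Unity VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing xauth V6 VID payload
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Can't find a valid tunnel group, aborting...!
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, IKE SA MM:87377a60 terminating: flags 0x01000002, refcnt 0, tuncnt 0
"""

# One PIX/ASA 7.x IKEv1 debug line: timestamp, source tag, optional Group, peer IP, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<src>IKEv1(?: DEBUG)?)\]: "
    r"(?:Group = (?P<group>[^,]+), )?"
    r"IP = (?P<ip>\d+\.\d+\.\d+\.\d+), "
    r"(?P<msg>.*)$"
)
VID_RE = re.compile(r"constructing (.+?) VID payload")
# Messages that mean Phase 1 is over for this peer (extend as needed).
FAILURE_MARKERS = ("Can't find a valid tunnel group",)


def parse_line(line):
    """Return the fields of one debug line as a dict, or None if it is not an IKEv1 line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Per-peer summary: vendor IDs announced, hard failures seen, and whether the SA was torn down."""
    peers = defaultdict(lambda: {"group": None, "vids": [], "failures": [], "sa_terminated": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        p = peers[rec["ip"]]
        if rec["group"]:
            # With main mode and pre-shared keys the client sends no group name, so the
            # firewall keys the tunnel-group lookup on the peer address; Group == IP shows that.
            p["group"] = rec["group"]
        vid = VID_RE.search(rec["msg"])
        if vid:
            p["vids"].append(vid.group(1))
        if any(marker in rec["msg"] for marker in FAILURE_MARKERS):
            p["failures"].append(rec["msg"])
        if "terminating" in rec["msg"]:
            p["sa_terminated"] = True
    return dict(peers)


def failed_group_lookups(log_text):
    """Peers whose Phase 1 died because no tunnel-group matched: the condition to alert on."""
    return sorted(ip for ip, p in summarize(log_text).items()
                  if p["failures"] and p["sa_terminated"])


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
    print("failed tunnel-group lookups:", failed_group_lookups(SAMPLE_LOG))
```

Run against a `debug crypto isakmp` capture, the output pins the failure to the group-lookup step (the FSM history in the post also shows EV_GROUP_LOOKUP as the last event before EV_ERROR), which separates a tunnel-group naming problem from a pre-shared-key or proposal mismatch before anyone touches the client side.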
Hi Paul
I do not recommend using the dynamic maps that way; the way I am suggesting is the right way to configure it on the ASA.
By default, Microsoft Windows does not support L2TP connections to servers behind a NAT. This is a limitation of Microsoft, not a limitation of the ASA or any Cisco device. At the links below you can find more information on how to edit the Windows registry so that it connects to a server behind a NAT; because editing the registry is dangerous to the computer, this must be done at your own risk:
http://support.Microsoft.com/kb/926179
http://support.Microsoft.com/kb/818043/
Similar Questions
-
Remote access VPN PIX version 8.0(3)
Hi all
First of all, I would like to thank all the members of the forum who helped me in several posts on the configuration of the PIX 515.
I am now configuring remote VPN access with RADIUS authentication to my network, but I can't connect.
I use the Cisco VPN Client 5.0.03.0560; I have also tested my PIX RADIUS (inside) server authentication and it works very well.
I already tried retyping the key in the CLI, but I still can't get remote access VPN to work.
I also tried to create another remote VPN with another name and local authentication, but I have the same problem.
I use PIX version 8.0(3).
Can someone help me?
I attach the log file of the Cisco VPN Client to help solve the problem, as well as the configuration of the PIX.
Thank you very much in advance, and I look forward to any information.
http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/vpnadd.html#wp999516
[Pls RATE if HELP]
-
What version of PDM (PIX Version 6.2(4))
Colleagues, I am new to the PIX 506 we are currently deploying. I am trying to get PDM installed, but I get a bad magic number when downloading via FTP!
I have tried "downgrading" from 6.3(5) to 6.2(4). Which version of PDMxxx.bin should I use? I tried installing pdm-304.bin on ver 6.3(5), but that doesn't work either. I'm new to this and studying for my CCNA, so please have mercy!
For PIX OS 6.3.5 (pix635.bin), you will need the PDM image pdm-304.bin.
When you download the image by FTP to your PC, do not forget to be in binary mode; if you are in ASCII mode, the image will be corrupted (incorrect checksum).
ftp x.x.x.x
logged in...
bin
hash
get pdm-304.bin
#########...
quit
Then use TFTP to download the image to the PIX.
For PDM:
pixfirewall# copy tftp://Your_TFTP_Server_IP_Address/Your_pdmfile_name flash:pdm
Or you can enter the generic command and follow the prompts:
pixfirewall# copy tftp flash:pdm
For the PIX OS:
Example - upgrading the PIX Firewall with the copy tftp flash command
pixfirewall# copy tftp flash
Address or name of remote host [127.0.0.1]? 172.18.125.3
Source file name [cdisk]? pix611.bin
copying tftp://172.18.125.3/pix611.bin to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 2562048 bytes.
Erasing current image.
Writing 2469944 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.
pixfirewall#
PIX and PDM upgrade guide:
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
Sincerely
Patrick
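Patrick's advice about binary versus ASCII mode is the usual cause of a "bad magic number" on a freshly downloaded image, and it is cheap to check before the file ever reaches the firewall: compare the file's hash against the value published by the vendor, and if it does not match, test whether undoing CRLF expansion restores it. The script below is an added example for this thread, not Cisco's code and not the poster's; the sample image bytes are constructed, and the helper names (check_image, simulate_ascii_mode_transfer, check_file) are mine.

```python
import hashlib

# Constructed stand-in for a PIX OS or PDM image: binary bytes that include 0x0A (LF),
# which is exactly the byte an ASCII-mode FTP transfer rewrites.
SAMPLE_IMAGE = bytes(range(256)) * 4
SAMPLE_IMAGE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


def simulate_ascii_mode_transfer(data):
    """One common result of an ASCII-mode FTP transfer of a binary file: every LF becomes CRLF."""
    return data.replace(b"\n", b"\r\n")


def check_image(data, expected_sha256):
    """Classify a downloaded image before copying it to the firewall.

    Returns 'ok', 'corrupt-ascii-mode' (the original with CRLF expansion; re-download in
    binary mode) or 'corrupt-unknown' (truncated or otherwise damaged).
    """
    if hashlib.sha256(data).hexdigest() == expected_sha256:
        return "ok"
    # Heuristic: undo CRLF expansion and see whether the expected hash reappears. Genuine
    # CRLF pairs in the original are collapsed too, so this is a strong hint, not proof.
    undone = data.replace(b"\r\n", b"\n")
    if hashlib.sha256(undone).hexdigest() == expected_sha256:
        return "corrupt-ascii-mode"
    return "corrupt-unknown"


def check_file(path, expected_sha256):
    """Same check for a file on disk, e.g. the pdm-304.bin just fetched by FTP."""
    with open(path, "rb") as fh:
        return check_image(fh.read(), expected_sha256)


if __name__ == "__main__":
    mangled = simulate_ascii_mode_transfer(SAMPLE_IMAGE)
    print("good copy:     ", check_image(SAMPLE_IMAGE, SAMPLE_IMAGE_SHA256))
    print("ascii-mode copy:", check_image(mangled, SAMPLE_IMAGE_SHA256),
          f"(size grew {len(SAMPLE_IMAGE)} -> {len(mangled)})")
    print("truncated copy: ", check_image(SAMPLE_IMAGE[:-1], SAMPLE_IMAGE_SHA256))
```

The size growth is the quick tell on the command line (an ASCII-mode copy is never smaller than the original), but only the hash comparison proves the image is the one the vendor published, which matters more than the magic-number check the PIX performs after the fact.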
-
PIX version 6.3 and static precedence
Hi all
This question concerns two different kinds of static on a PIX 6.3(4).
I have a setup where I need a static NAT of a public IP address to a mail server on the private network.
It works very well. Now I also want to expose the inside network to the public side (as shown in the example config):
inside ip 192.168.1.x
outside ip 55.55.44.x
static (inside,outside) 55.55.44.33 192.168.1.10 netmask 255.255.255.255 0 0   <- mail server
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
Now... will the mail-server-specific static take precedence over the net-to-net translation?
Kind regards
Hey Kevin,
Overlapping IPs can be solved by leaving the 192.168.1.0/24 network at the end of the static statements. When a packet arrives at the outside interface, the PIX processes all the static statements from top to bottom. Because the mail server is configured before the net-to-net static, that statement will take precedence (for code 6.3).
Mike
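Mike's answer comes down to first-match in configuration order, and the part that bites is the reverse ordering: if the /24 identity static is listed first, the host static for the mail server is never consulted for traffic leaving 192.168.1.10. The model below is an added example for this thread (mine, not Cisco's and not a re-implementation of the PIX translation engine); it assumes the simple top-down first-match rule Mike describes, parses the two static lines from the question, and includes a small lint that reports statics shadowed by an earlier, broader one.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    global_net: ipaddress.IPv4Network   # address(es) as seen on the outside
    local_net: ipaddress.IPv4Network    # real address(es) on the inside


def parse_static(line):
    """Parse 'static (inside,outside) GLOBAL LOCAL netmask MASK 0 0' (PIX 6.x syntax)."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "static" or parts[4] != "netmask":
        raise ValueError(f"not a static line: {line!r}")
    glob, local, mask = parts[2], parts[3], parts[5]
    return Static(ipaddress.IPv4Network(f"{glob}/{mask}"),
                  ipaddress.IPv4Network(f"{local}/{mask}"))


def translate(statics, address, direction):
    """First-match translation in configuration order (the assumed model, not PIX code).

    'outbound': inside local address -> outside global address
    'inbound':  outside global address -> inside local address
    Returns None when no static covers the address.
    """
    ip = ipaddress.IPv4Address(address)
    for s in statics:
        src, dst = ((s.local_net, s.global_net) if direction == "outbound"
                    else (s.global_net, s.local_net))
        if ip in src:
            offset = int(ip) - int(src.network_address)   # keep the host part across the block
            return str(ipaddress.IPv4Address(int(dst.network_address) + offset))
    return None


def shadowed(statics):
    """Indices of statics whose local range is fully covered by an earlier entry.

    Under first-match such an entry is never reached for outbound traffic, which is
    the ordering problem the thread is about.
    """
    return [i for i, s in enumerate(statics)
            if any(s.local_net.subnet_of(e.local_net) for e in statics[:i])]


# The two statics from the question, in the order Mike recommends: host first, network last.
MAIL_FIRST = [
    parse_static("static (inside,outside) 55.55.44.33 192.168.1.10 netmask 255.255.255.255 0 0"),
    parse_static("static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0"),
]
NET_FIRST = list(reversed(MAIL_FIRST))   # the ordering to avoid

if __name__ == "__main__":
    for label, cfg in (("mail first", MAIL_FIRST), ("net first", NET_FIRST)):
        print(label, "outbound 192.168.1.10 ->", translate(cfg, "192.168.1.10", "outbound"),
              "| shadowed:", shadowed(cfg))
```

With the host static listed first, 192.168.1.10 leaves as 55.55.44.33 and every other inside host leaves as itself; with the network static first, the mail server silently leaves as 192.168.1.10 and the lint reports the host static as shadowed. Inbound to 55.55.44.33 works either way because the identity static does not cover that outside address, which is why the problem only shows up in one direction.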
-
Site-to-site VPN between PIX 525 ver 7.2(2) and PIX 501 ver 6.3
Hello!!
I have problems establishing a VPN between two PIXes.
The first is a PIX 525 with version 7.2(2); the other is a PIX with version 6.3, which is not run by myself.
Phase 1 is established, but it sends the associated messages.
Can you help me?
Thank you
I'm glad you got it working now :)
Please rate the helpful posts.
Regards
Farrukh
-
It seems that I have problems similar to many others in connecting remote clients to a PIX 515E.
Currently I have tried both the Cisco VPN Client 3.6 and 4.0.3 without success. Users are authenticated fine, and on the client you can see that they are assigned an address etc., but they are unable to access the internal network. The "show crypto ipsec sa" output shows that no encrypted traffic has hit the PIX, while the client's status shows that packets are encrypted, so I'm at a bit of a loss.
I also have a problem with PPTP connections; this seems to differ between the OSes on the client, but Win2K machines can connect and get verified etc., but again fail to connect to the internal networks. Could these be linked?
My current config is (addresses changed, etc.):
sh run
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxx
passwd xxxx
hostname fw
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol sip 5060
names
name 10.0.0.0 Inside_All
name 10.30.1.0 Ireland1_LAN
name 159.135.101.34 Ireland1_VPN
name 213.95.227.137 IrelandSt1_VPN
name 10.30.2.0 Cardiff_LAN
name 82.69.56.30 Cardiff_VPN
access-list 101 permit ip Inside_All 255.0.0.0 10.1.1.88 255.255.255.248
access-list 101 permit ip Ireland1_LAN 255.255.255.0 Inside_All 255.0.0.0
access-list 101 permit ip Cardiff_LAN 255.255.255.0 Inside_All 255.0.0.0
access-list 101 permit ip Inside_All 255.0.0.0 10.30.3.0 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 192.168.253.0 255.255.255.0
access-list outside_interface permit icmp any any echo
access-list outside_interface permit icmp any any echo-reply
access-list outside_interface permit icmp any any traceroute
access-list outside_interface permit tcp any host 212.36.237.99 eq smtp
access-list outside_interface permit ip any host 212.36.237.100
access-list outside_interface permit tcp host 212.241.168.236 host 212.36.237.101 eq telnet
access-list outside_interface permit tcp 192.188.69.0 255.255.255.0 host 212.36.237.101 eq telnet
access-list outside_interface permit tcp any any eq telnet
access-list outside_interface permit ip host 82.69.108.125 any
access-list 102 permit ip 10.1.1.0 255.255.255.0 Ireland1_LAN 255.255.255.0
access-list 103 permit ip 10.1.1.0 255.255.255.0 Cardiff_LAN 255.255.255.0
access-list 104 permit ip 10.1.1.0 255.255.255.0 10.30.3.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 212.36.237.98 255.255.255.240
ip address inside 10.1.1.250 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.88-10.1.1.95
ip local pool mspool 10.7.1.1-10.7.1.50
ip local pool mspools 192.168.253.1-192.168.253.50
pdm location Inside_All 255.255.255.0 inside
pdm location 82.69.108.125 255.255.255.255 outside
pdm location 10.55.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 212.36.237.100 10.1.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 212.36.237.101 10.1.1.254 netmask 255.255.255.255 0 0
static (inside,outside) 212.36.237.99 10.1.1.208 netmask 255.255.255.255 0 0
access-group outside_interface in interface outside
route outside 0.0.0.0 0.0.0.0 212.36.237.97 1
route inside Inside_All 255.255.255.0 10.1.1.254 1
route inside 10.2.1.0 255.255.255.0 10.1.1.254 1
route inside 10.3.1.0 255.255.255.0 10.1.1.254 1
route inside 10.4.1.0 255.255.255.0 10.1.1.254 1
route inside 10.5.1.0 255.255.255.0 10.1.1.254 1
route inside 10.6.1.0 255.255.255.0 10.1.1.254 1
route inside 10.7.1.0 255.255.255.0 10.1.1.254 1
route inside 10.8.1.0 255.255.255.0 10.1.1.254 1
route inside 10.9.1.0 255.255.255.0 10.1.1.254 1
route inside 10.10.1.0 255.255.255.0 10.1.1.254 1
route inside 10.11.1.0 255.255.255.0 10.1.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute uauth 0:30:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInOut protocol tacacs+
aaa-server AuthInOut (inside) host 10.1.1.203 Kinder timeout 10
aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
aaa accounting include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
aaa accounting include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
http server enable
http 82.69.108.125 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community xxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt route dnat
crypto ipsec transform-set VPNAccess esp-des esp-md5-hmac
crypto ipsec transform-set VPNAccess2 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set VPNAccess2
crypto map home 9 ipsec-isakmp dynamic dynmap
crypto map home 10 ipsec-isakmp
crypto map home 10 match address 102
crypto map home 10 set peer IrelandSt1_VPN
crypto map home 10 set transform-set VPNAccess
crypto map home 15 ipsec-isakmp
crypto map home 15 match address 103
crypto map home 15 set peer Cardiff_VPN
crypto map home 15 set transform-set VPNAccess
crypto map home 30 ipsec-isakmp
crypto map home 30 match address 104
crypto map home 30 set peer 212.242.143.147
crypto map home 30 set transform-set VPNAccess
crypto map home interface outside
isakmp enable outside
isakmp key * address IrelandSt1_VPN netmask 255.255.255.255
isakmp key * address Cardiff_VPN netmask 255.255.255.255
isakmp key * address 212.242.143.147 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 85000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 85000
vpngroup client address-pool mspools
vpngroup client dns-server 194.153.0.18
vpngroup client wins-server 10.155.1.16
vpngroup client idle-time 1800
vpngroup client password *
telnet 82.69.108.125 255.255.255.255 outside
telnet 10.55.1.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 15
ssh 82.69.108.125 255.255.255.255 outside
ssh timeout 15
vpdn group 6 accept dialin pptp
vpdn group 6 ppp authentication pap
vpdn group 6 ppp authentication chap
vpdn group 6 ppp authentication mschap
vpdn group 6 ppp encryption mppe auto
vpdn group 6 client configuration address local mspools
vpdn group 6 pptp echo 60
vpdn group 6 client authentication local
vpdn username xxxx password *
vpdn username xxx password *
vpdn username xxx password *
vpdn username xxx password *
vpdn username xxxx password *
vpdn enable outside
username xxx password xxx
terminal width 80
Cryptochecksum:8f8ceca91c6652e3cc8086edc8ed62fa
: end
If you do not see decrypts on the PIX side, my thought is that the ESP (for IPsec) and GRE (for PPTP) packets are not getting to your PIX (perhaps blocked by the ISP or other devices).
If you do a "capture" of the packets on the outside interface, do you see any ESP or GRE traffic from the client? If not, is ESP or GRE permitted on the dialup?
-
Hello
We have configured our PIX as below.
Here I would like a clarification on the implications for the access lists.
I have applied the 'infinet1' crypto map and the 'acl_out' access list to the outside interface. If any traffic comes in under the 'infinet1' crypto-map access lists such as 101, 102, 103 etc., will it again be subjected to the conditions of the 'acl_out' access list or not?
We have seen that this is not the case!
The conditions of 'acl_out' work correctly with the rest of the traffic, which is not covered by the IPsec access lists.
I need to enforce these 'acl_out' conditions on the IPsec traffic too... How can I do it?
Regards
K V star anise
Here is the configuration of my PIX:
PIX520# sh config
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
nameif ethernet3 dialup security80
enable password xxxxxxxx
passwd xxxxxxxx
hostname xxxxxxx
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol h323 1720
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 10.21.1.42 eq telnet
access-list acl_out permit tcp any host 10.21.1.43 eq 1414
access-list acl_out permit tcp any host 10.21.1.44 eq 1414
access-list acl_out permit tcp any host 10.21.1.34 eq smtp
access-list acl_out permit tcp any host 10.21.1.34 eq pop3
access-list acl_out permit tcp any host 10.21.1.34 eq 389
access-list acl_out permit tcp any host 10.21.1.34 eq 1414
access-list acl_out permit tcp any host 10.21.1.45 eq 1414
access-list acl_out permit tcp any host 10.21.1.59 eq telnet
access-list acl_out permit tcp any host 10.21.1.34 eq www
access-list acl_out permit tcp any host 10.21.1.57 eq 1414
access-list acl_out permit tcp any host 10.21.1.56 eq 1414
access-list acl_out permit tcp any host 10.21.1.55 eq telnet
access-list acl_out permit tcp any host 10.21.1.49 eq ftp
access-list acl_out permit tcp any host 10.21.1.49 eq ftp-data
access-list 101 permit ip 10.21.1.32 255.255.255.224 10.36.1.64 255.255.255.224
access-list 102 permit ip 10.21.1.32 255.255.255.224 10.36.1.32 255.255.255.224
access-list 103 permit ip 10.21.1.32 255.255.255.224 10.9.1.32 255.255.255.224
access-list 104 permit ip 10.21.1.32 255.255.255.224 10.40.1.32 255.255.255.224
access-list 105 permit ip 10.21.1.32 255.255.255.224 10.64.1.32 255.255.255.224
access-list 106 permit ip 10.21.1.32 255.255.255.224 10.59.1.64 255.255.255.224
access-list 107 permit ip 10.21.1.32 255.255.255.224 10.59.1.32 255.255.255.224
access-list 108 permit ip 10.21.1.32 255.255.255.224 10.47.1.32 255.255.255.224
access-list 109 permit ip 10.21.1.32 255.255.255.224 10.5.1.32 255.255.255.224
access-list 110 permit ip 10.21.1.32 255.255.255.224 10.5.1.128 255.255.255.224
access-list 111 permit ip 10.21.1.32 255.255.255.224 10.5.1.96 255.255.255.224
access-list 112 permit ip 10.21.1.32 255.255.255.224 10.42.1.32 255.255.255.224
access-list 113 permit ip 10.21.1.32 255.255.255.224 10.42.1.64 255.255.255.224
access-list 114 permit ip 10.21.1.32 255.255.255.224 10.17.1.32 255.255.255.224
access-list acl_dialup permit icmp any any
access-list acl_dialup permit tcp any host 192.168.2.9 eq 1414
access-list acl_dialup permit tcp any host 192.168.2.9 eq 1494
access-list 117 permit ip 10.21.1.32 255.255.255.224 10.1.1.32 255.255.255.224
access-list 118 permit ip 10.21.1.32 255.255.255.224 10.38.1.32 255.255.255.224
access-list 119 permit ip 10.21.1.32 255.255.255.224 10.49.1.32 255.255.255.224
access-list 120 permit ip 10.21.1.32 255.255.255.224 10.51.1.32 255.255.255.224
access-list 121 permit ip 10.21.1.32 255.255.255.224 10.15.1.32 255.255.255.224
access-list 122 permit ip 10.21.1.32 255.255.255.224 10.53.1.32 255.255.255.224
access-list 123 permit ip 10.21.1.32 255.255.255.224 10.27.1.64 255.255.255.224
access-list 124 permit ip 10.21.1.32 255.255.255.224 10.27.1.32 255.255.255.224
access-list 125 permit ip 10.21.1.32 255.255.255.224 10.27.1.128 255.255.255.224
access-list 126 permit ip 10.21.1.32 255.255.255.224 10.21.1.96 255.255.255.224
access-list 128 permit ip 10.21.1.32 255.255.255.224 10.27.1.96 255.255.255.224
access-list 130 permit ip 10.21.1.32 255.255.255.224 10.24.1.128 255.255.255.224
access-list 132 permit ip 10.21.1.32 255.255.255.224 10.24.1.32 255.255.255.224
access-list 134 permit ip 10.21.1.32 255.255.255.224 10.24.1.96 255.255.255.224
access-list 135 permit ip 10.21.1.32 255.255.255.224 10.34.1.64 255.255.255.224
access-list 136 permit ip 10.21.1.32 255.255.255.224 10.34.1.32 255.255.255.224
access-list 137 permit ip 10.21.1.32 255.255.255.224 10.55.1.128 255.255.255.224
access-list 138 permit ip 10.21.1.32 255.255.255.224 10.55.1.64 255.255.255.224
access-list 139 permit ip 10.21.1.32 255.255.255.224 10.19.1.32 255.255.255.224
access-list 140 permit ip 10.21.1.32 255.255.255.224 10.13.1.32 255.255.255.224
access-list 198 permit ip 10.21.1.32 255.255.255.224 10.0.0.0 255.255.0.0
access-list 197 permit ip 10.21.1.32 255.255.255.224 10.21.1.64 255.255.255.224
access-list 191 permit ip 10.21.1.32 255.255.255.224 10.21.1.128 255.255.255.224
access-list 115 permit ip 10.21.1.32 255.255.255.224 10.57.1.32 255.255.255.224
pager lines 20
logging on
logging timestamp
logging console alerts
logging monitor debugging
logging trap debugging
logging history debugging
logging host inside 10.0.67.250
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu failover 1500
mtu dialup 1500
ip address outside 10.21.1.35 255.255.255.224
ip address inside 172.16.22.50 255.255.255.0
ip address failover 192.168.1.1 255.255.255.0
ip address dialup 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 10.21.1.36
failover ip address inside 172.16.22.51
failover ip address failover 192.168.1.2
failover ip address dialup 192.168.2.2
failover link failover
pdm history enable
arp timeout 14400
global (outside) 1 10.21.1.62
global (dialup) 1 192.168.2.10-192.168.2.20
nat (inside) 1 172.16.150.1 255.255.255.255 0 0
nat (inside) 1 172.16.150.2 255.255.255.255 0 0
nat (inside) 1 172.16.150.3 255.255.255.255 0 0
nat (inside) 1 172.16.150.110 255.255.255.255 0 0
nat (inside) 1 172.16.150.150 255.255.255.255 0 0
nat (inside) 1 172.16.150.151 255.255.255.255 0 0
nat (inside) 1 172.16.150.153 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dialup) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) 10.21.1.43 172.16.150.2 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.44 172.16.150.3 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.34 172.16.12.50 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.42 172.16.150.151 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.59 172.16.3.251 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.45 172.16.150.1 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.57 172.16.7.151 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.56 172.16.13.50 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.47 172.16.22.200 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.55 172.16.22.2 netmask 255.255.255.255 0 0
static (dialup,outside) 10.21.1.46 192.168.2.3 netmask 255.255.255.255 0 0
static (inside,dialup) 192.168.2.9 172.16.150.2 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.49 172.16.22.10 netmask 255.255.255.255 0 0
static (inside,outside) 10.21.1.58 172.16.10.58 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dialup in interface dialup
established tcp 1414 0 permitto tcp 1414 permitfrom tcp 1024-65535
route outside 10.0.0.0 255.0.0.0 10.21.1.41 1
route outside 10.0.0.0 255.0.0.0 10.21.1.50 2
route outside 10.0.0.0 255.0.0.0 10.21.1.33 3
route inside 172.16.0.0 255.255.0.0 172.16.22.243 1
route outside 202.54.63.221 255.255.255.255 10.21.1.41 1
route outside 203.197.140.9 255.255.255.255 10.21.1.41 1
timeout xlate 23:59:59
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.25.2 255.255.255.255 inside
http 172.16.25.1 255.255.255.255 inside
snmp-server host inside 10.0.67.250
snmp-server host inside 172.16.7.206
no snmp-server location
no snmp-server contact
snmp-server community CMC
snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set mumroset esp-des esp-sha-hmac
crypto ipsec transform-set mumroset1 esp-des esp-sha-hmac
crypto map infinet1 1 ipsec-isakmp
crypto map infinet1 1 match address 101
crypto map infinet1 1 set peer 10.36.254.10
crypto map infinet1 1 set transform-set mumroset1
crypto map infinet1 2 ipsec-isakmp
crypto map infinet1 2 match address 102
crypto map infinet1 2 set peer 10.36.254.6
crypto map infinet1 2 set peer 10.36.254.13
crypto map infinet1 2 set transform-set mumroset1
crypto map infinet1 3 ipsec-isakmp
crypto map infinet1 3 match address 103
crypto map infinet1 3 set peer 10.1.254.18
crypto map infinet1 3 set peer 10.1.254.21
crypto map infinet1 3 set peer 10.5.254.5
crypto map infinet1 3 set transform-set mumroset1
crypto map infinet1 4 ipsec-isakmp
crypto map infinet1 4 match address 104
crypto map infinet1 4 set peer 10.36.254.41
crypto map infinet1 4 set peer 10.36.254.22
crypto map infinet1 4 set transform-set mumroset1
crypto map infinet1 5 ipsec-isakmp
crypto map infinet1 5 match address 105
crypto map infinet1 5 set peer 10.51.254.33
crypto map infinet1 5 set peer 10.51.254.26
crypto map infinet1 5 set transform-set mumroset1
crypto map infinet1 6 ipsec-isakmp
crypto map infinet1 6 match address 106
crypto map infinet1 6 set peer 10.51.254.42
crypto map infinet1 6 set transform-set mumroset1
crypto map infinet1 7 ipsec-isakmp
crypto map infinet1 7 match address 107
crypto map infinet1 7 set peer 10.1.254.74
crypto map infinet1 7 set transform-set mumroset1
crypto map infinet1 8 ipsec-isakmp
crypto map infinet1 8 match address 108
crypto map infinet1 8 set peer 10.36.254.34
crypto map infinet1 8 set peer 10.36.254.38
crypto map infinet1 8 set transform-set mumroset1
crypto map infinet1 9 ipsec-isakmp
crypto map infinet1 9 match address 109
crypto map infinet1 9 set peer 10.5.254.14
crypto map infinet1 9 set peer 10.5.1.205
crypto map infinet1 9 set transform-set mumroset1
crypto map infinet1 10 ipsec-isakmp
crypto map infinet1 10 match address 110
crypto map infinet1 10 set peer 10.5.254.10
crypto map infinet1 10 set transform-set mumroset1
crypto map infinet1 11 ipsec-isakmp
crypto map infinet1 11 match address 111
crypto map infinet1 11 set peer 10.1.254.54
crypto map infinet1 11 set transform-set mumroset1
crypto map infinet1 12 ipsec-isakmp
crypto map infinet1 12 match address 112
crypto map infinet1 12 set peer 10.36.254.26
crypto map infinet1 12 set transform-set mumroset1
crypto map infinet1 13 ipsec-isakmp
crypto map infinet1 13 match address 113
crypto map infinet1 13 set peer 10.1.254.58
crypto map infinet1 13 set transform-set mumroset1
crypto map infinet1 14 ipsec-isakmp
crypto map infinet1 14 match address 114
crypto map infinet1 14 set peer 10.5.254.26
crypto map infinet1 14 set peer 10.5.254.29
crypto map infinet1 14 set transform-set mumroset1
crypto map infinet1 15 ipsec-isakmp
crypto map infinet1 15 match address 115
crypto map infinet1 15 set peer 10.51.254.21
crypto map infinet1 15 set peer 10.51.254.18
crypto map infinet1 15 set transform-set mumroset
crypto map infinet1 16 ipsec-isakmp
crypto map infinet1 16 match address 198
crypto map infinet1 16 set peer 10.1.254.46
crypto map infinet1 16 set transform-set mumroset1
crypto map infinet1 17 ipsec-isakmp
crypto map infinet1 17 match address 117
crypto map infinet1 17 set peer 10.2.254.6
crypto map infinet1 17 set transform-set mumroset1
crypto map infinet1 18 ipsec-isakmp
crypto map infinet1 18 match address 118
crypto map infinet1 18 set peer 10.36.254.17
crypto map infinet1 18 set peer 10.36.254.14
crypto map infinet1 18 set peer 10.36.254.21
crypto map infinet1 18 set transform-set mumroset1
crypto map infinet1 19 ipsec-isakmp
crypto map infinet1 19 match address 119
crypto map infinet1 19 set peer 10.36.254.30
crypto map infinet1 19 set peer 10.36.254.37
crypto map infinet1 19 set transform-set mumroset1
crypto map infinet1 20 ipsec-isakmp
crypto map infinet1 20 match address 120
crypto map infinet1 20 set peer 10.51.254.6
crypto map infinet1 20 set peer 10.51.254.13
crypto map infinet1 20 set transform-set mumroset1
crypto map infinet1 21 ipsec-isakmp
crypto map infinet1 21 match address 121
crypto map infinet1 21 set peer 10.5.254.6
crypto map infinet1 21 set peer 10.5.254.21
crypto map infinet1 21 set peer 10.5.254.25
crypto map infinet1 21 set transform-set mumroset1
crypto map infinet1 22 ipsec-isakmp
crypto map infinet1 22 match address 122
crypto map infinet1 22 set peer 10.51.254.10
crypto map infinet1 22 set transform-set mumroset1
crypto map infinet1 23 ipsec-isakmp
crypto map infinet1 23 match address 123
crypto map infinet1 23 set peer 10.1.254.114
crypto map infinet1 23 set peer 10.1.254.110
crypto map infinet1 23 set transform-set mumroset1
crypto map infinet1 24 ipsec-isakmp
crypto map infinet1 24 match address 124
crypto map infinet1 24 set peer 10.1.254.117
crypto map infinet1 24 set peer 10.1.254.125
crypto map infinet1 24 set peer 10.1.254.121
crypto map infinet1 24 set peer 10.1.254.161
crypto map infinet1 24 set peer 10.1.254.157
crypto map infinet1 24 set peer 10.1.254.113
crypto map infinet1 24 set peer 10.1.254.145
crypto map infinet1 24 set peer 10.1.254.141
crypto map infinet1 24 set transform-set mumroset1
crypto map infinet1 25 ipsec-isakmp
crypto map infinet1 25 match address 125
crypto map infinet1 25 set peer 10.1.254.142
crypto map infinet1 25 set peer 10.1.254.138
crypto map infinet1 25 set transform-set mumroset1
crypto map infinet1 26 ipsec-isakmp
crypto map infinet1 26 match address 126
crypto map infinet1 26 set peer 10.1.254.150
crypto map infinet1 26 set peer 10.1.254.162
crypto map infinet1 26 set transform-set mumroset1
crypto map infinet1 27 ipsec-isakmp
crypto map infinet1 27 match address 197
crypto map infinet1 27 set peer 10.1.254.130
crypto map infinet1 27 set peer 10.1.254.118
crypto map infinet1 27 set peer 10.1.254.126
crypto map infinet1 27 set peer 10.1.254.153
crypto map infinet1 27 set transform-set mumroset1
crypto map infinet1 28 ipsec-isakmp
crypto map infinet1 28 match address 128
crypto map infinet1 28 set peer 10.1.254.146
crypto map infinet1 28 set peer 10.1.254.137
crypto map infinet1 28 set transform-set mumroset1
crypto map infinet1 30 ipsec-isakmp
crypto map infinet1 30 match address 130
crypto map infinet1 30 set peer 10.27.254.49
crypto map infinet1 30 set transform-set mumroset1
crypto map infinet1 31 ipsec-isakmp
crypto map infinet1 31 match address 191
crypto map infinet1 31 set peer 10.27.254.45
crypto map infinet1 31 set transform-set mumroset1
crypto map infinet1 32 ipsec-isakmp
crypto map infinet1 32 match address 132
crypto map infinet1 32 set peer 10.24.1.60
crypto map infinet1 32 set transform-set mumroset1
crypto map infinet1 34 ipsec-isakmp
crypto map infinet1 34 match address 134
crypto map infinet1 34 set peer 10.1.254.154
crypto map infinet1 34 set peer 10.1.254.158
crypto map infinet1 34 set transform-set mumroset1
crypto map infinet1 35 ipsec-isakmp
crypto map infinet1 35 match address 135
crypto map infinet1 35 set peer 10.51.254.38
crypto map infinet1 35 set transform-set mumroset1
crypto map infinet1 36 ipsec-isakmp
correspondence address 36 card crypto infinet1 136
infinet1 36 crypto map set peer 10.1.254.26
infinet1 36 crypto map set peer 10.1.254.29
infinet1 36 crypto map set peer 10.51.254.34
card crypto infinet1 36 set transform-set mumroset1
37 infinet1 ipsec-isakmp crypto map
correspondence address 37 card crypto 137 infinet1
infinet1 37 crypto map set peer 10.51.254.30
infinet1 37 crypto map set peer 10.51.254.14
infinet1 37 crypto map set peer 10.51.254.17
card crypto infinet1 37 set transform-set mumroset1
38 infinet1 ipsec-isakmp crypto map
correspondence address 38 card crypto 138 infinet1
infinet1 38 crypto map set peer 10.51.254.46
<--- more="" ---="">
card crypto infinet1 38 set transform-set mumroset1
39 infinet1 of ipsec-isakmp crypto map
correspondence address 39 card crypto 139 infinet1
infinet1 39 crypto map set peer 10.5.254.33
infinet1 39 crypto map set peer 10.5.254.30
card crypto infinet1 39 set transform-set mumroset1
40 infinet1 of ipsec-isakmp crypto map
correspondence address 40 card crypto infinet1 140
infinet1 40 crypto map set peer 10.5.254.18
infinet1 40 crypto map set peer 10.5.254.22
card crypto infinet1 40 set transform-set mumroset1--->--->--->
infinet1 interface card crypto outside
ISAKMP allows outside
ISAKMP key * address 10.36.254.10 netmask 255.255.255.255
ISAKMP key * address 10.36.254.6 netmask 255.255.255.255
ISAKMP key * address 10.36.254.13 netmask 255.255.255.255
ISAKMP key * address 10.1.254.18 netmask 255.255.255.255
ISAKMP key * address 10.1.254.21 netmask 255.255.255.255
ISAKMP key * address 10.5.254.5 netmask 255.255.255.255
ISAKMP key * address 10.36.254.41 netmask 255.255.255.255
<--- more="" ---="">
ISAKMP key * address 10.36.254.22 netmask 255.255.255.255
ISAKMP key * address 10.51.254.33 netmask 255.255.255.255
ISAKMP key * address 10.51.254.26 netmask 255.255.255.255
ISAKMP key * address 10.51.254.42 netmask 255.255.255.255
ISAKMP key * address 10.1.254.74 netmask 255.255.255.255
ISAKMP key * address 10.36.254.34 netmask 255.255.255.255
ISAKMP key * address 10.36.254.38 netmask 255.255.255.255
ISAKMP key * address 10.5.254.14 netmask 255.255.255.255
ISAKMP key * address 10.5.254.10 netmask 255.255.255.255
ISAKMP key * address 10.1.254.54 netmask 255.255.255.255
ISAKMP key * address 10.36.254.26 netmask 255.255.255.255
ISAKMP key * address 10.1.254.58 netmask 255.255.255.255
ISAKMP key * address 10.5.254.26 netmask 255.255.255.255
ISAKMP key * address 10.5.254.29 netmask 255.255.255.255
ISAKMP key * address 10.1.254.46 netmask 255.255.255.255
ISAKMP key * address 10.2.254.6 netmask 255.255.255.255--->
ISAKMP key * address 10.36.254.17 netmask 255.255.255.255
ISAKMP key * address 10.36.254.14 netmask 255.255.255.255
ISAKMP key * address 10.36.254.21 netmask 255.255.255.255
ISAKMP key * address 10.36.254.30 netmask 255.255.255.255
<--- more="" ---="">
ISAKMP key * address 10.36.254.37 netmask 255.255.255.255
ISAKMP key * address 10.51.254.6 netmask 255.255.255.255
ISAKMP key * address 10.51.254.13 netmask 255.255.255.255
ISAKMP key * address 10.5.254.6 netmask 255.255.255.255
ISAKMP key * address 10.5.254.21 netmask 255.255.255.255
ISAKMP key * address 10.5.254.25 netmask 255.255.255.255
ISAKMP key * address 10.51.254.10 netmask 255.255.255.255
ISAKMP key * address 10.1.254.114 netmask 255.255.255.255
ISAKMP key * address 10.1.254.117 netmask 255.255.255.255
ISAKMP key * address 10.1.254.125 netmask 255.255.255.255
ISAKMP key * address 10.1.254.121 netmask 255.255.255.255
ISAKMP key * address 10.1.254.161 netmask 255.255.255.255
ISAKMP key * address 10.1.254.157 netmask 255.255.255.255
ISAKMP key * address 10.1.254.113 netmask 255.255.255.255
ISAKMP key * address 10.1.254.145 netmask 255.255.255.255
ISAKMP key * address 10.1.254.141 netmask 255.255.255.255
ISAKMP key * address 10.1.254.142 netmask 255.255.255.255
ISAKMP key * address 10.1.254.138 netmask 255.255.255.255
ISAKMP key * address 10.1.254.150 netmask 255.255.255.255
ISAKMP key * address 10.1.254.162 netmask 255.255.255.255
<--- more="" ---="">
ISAKMP key * address 10.1.254.130 netmask 255.255.255.255
ISAKMP key * address 10.1.254.118 netmask 255.255.255.255
ISAKMP key * address 10.1.254.126 netmask 255.255.255.255
ISAKMP key * address 10.1.254.153 netmask 255.255.255.255
ISAKMP key * address 10.1.254.146 netmask 255.255.255.255
ISAKMP key * address 10.1.254.137 netmask 255.255.255.255
ISAKMP key * address 10.27.254.49 netmask 255.255.255.255
ISAKMP key * address 10.27.254.45 netmask 255.255.255.255
ISAKMP key * address 10.24.1.60 netmask 255.255.255.255
ISAKMP key * address 10.1.254.154 netmask 255.255.255.255
ISAKMP key * address 10.1.254.158 netmask 255.255.255.255
ISAKMP key * address 10.51.254.38 netmask 255.255.255.255
ISAKMP key * address 10.1.254.26 netmask 255.255.255.255
ISAKMP key * address 10.1.254.29 netmask 255.255.255.255
ISAKMP key * address 10.51.254.34 netmask 255.255.255.255
ISAKMP key * address 10.51.254.30 netmask 255.255.255.255
ISAKMP key * address 10.51.254.14 netmask 255.255.255.255
ISAKMP key * address 10.51.254.17 netmask 255.255.255.255
ISAKMP key * address 10.51.254.46 netmask 255.255.255.255
ISAKMP key * address 10.5.254.33 netmask 255.255.255.255
<--- more="" ---="">--->--->--->
ISAKMP key * address 10.5.254.30 netmask 255.255.255.255
ISAKMP key * address 10.5.254.18 netmask 255.255.255.255
ISAKMP key * address 10.5.254.22 netmask 255.255.255.255
ISAKMP key * address 10.1.254.110 netmask 255.255.255.255
ISAKMP key * address 10.5.1.205 netmask 255.255.255.255
ISAKMP key * address 10.51.254.21 netmask 255.255.255.255
ISAKMP key * address 10.51.254.18 netmask 255.255.255.255
part of pre authentication ISAKMP policy 18
encryption of ISAKMP policy 18
ISAKMP policy 18 sha hash
18 1 ISAKMP policy group
ISAKMP duration strategy of life 18 86400
Telnet 172.16.0.0 255.255.0.0 inside
Telnet 172.16.0.0 255.255.0.0 failover
Telnet timeout 10
SSH timeout 5
Terminal width 80
Cryptochecksum:c7d3741007174e40b59a5b4e3c86fea7
PIX520 #.
The fact that you have:
> sysopt connection permit-ipsec
in your config means that any IPsec packet is allowed in and bypasses all the normal security rules. You can remove this command, but you will then need to add a bunch of lines to your acl_out ACL to ensure that ISAKMP (UDP 500) and IPsec (IP protocol 50) are allowed in from each individual IPsec peer, and also add inbound versions of all your crypto ACLs.
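Added example, not part of the reply above: what those acl_out lines look like for one entry of the PIX520 crypto map, entry 18 with peers 10.36.254.17, 10.36.254.14 and 10.36.254.21. The outside interface address (203.0.113.1), the networks behind crypto ACL 118 (172.16.0.0/16 local, 192.168.18.0/24 remote) and the assumption that acl_out is the ACL applied inbound on the outside interface are all made up for the illustration; the same pattern has to be repeated for every peer in every map entry before the sysopt line is removed. Lines starting with a colon are comments in PIX 6.x.

```cisco
: Assumed: "access-group acl_out in interface outside" and outside address 203.0.113.1
: Phase 1: ISAKMP (UDP 500) from each peer to this PIX
access-list acl_out permit udp host 10.36.254.17 host 203.0.113.1 eq isakmp
access-list acl_out permit udp host 10.36.254.14 host 203.0.113.1 eq isakmp
access-list acl_out permit udp host 10.36.254.21 host 203.0.113.1 eq isakmp
: Phase 2: ESP (IP protocol 50) from each peer; add "udp ... eq 4500" lines
: as well only if isakmp nat-traversal is configured
access-list acl_out permit esp host 10.36.254.17 host 203.0.113.1
access-list acl_out permit esp host 10.36.254.14 host 203.0.113.1
access-list acl_out permit esp host 10.36.254.21 host 203.0.113.1
: Without the sysopt, decrypted packets are checked against acl_out too,
: so mirror crypto ACL 118 (assumed: 172.16.0.0/16 <-> 192.168.18.0/24)
access-list acl_out permit ip 192.168.18.0 255.255.255.0 172.16.0.0 255.255.0.0
: Only once every peer and every crypto ACL is covered:
no sysopt connection permit-ipsec
```

The mirrored crypto ACL entry is where the security gain is: it can be narrowed to the hosts and ports each remote site actually needs, which the sysopt shortcut never allows. With several dozen peers, as in the config above, it is worth keeping the ISAKMP and ESP lines tied to individual peer addresses rather than collapsing them to "any".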
-
PIX 515E: no packets get out to the web
What is the problem with my config?
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname wall
domain-name XXXXXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.100.2 DC
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list frominisde permit tcp any any eq www
access-list frominisde permit tcp any any eq smtp
access-list inside permit ip any any
access-list inside permit tcp any any
access-list inside permit udp any any
access-list internal permit tcp any any eq www
pager lines 24
logging on
logging host inside 192.168.100.14
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 68.XX.XX.XX 255.255.255.248
ip address inside 192.168.100.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location DC 255.255.255.255 inside
pdm location 192.168.100.14 255.255.255.255 inside
pdm location 192.168.100.252 255.255.255.255 inside
pdm location 192.168.200.0 255.255.255.255 inside
pdm location 192.168.100.0 255.255.255.255 inside
pdm location 68.XX.XX.XX 255.255.255.255 outside
pdm location 192.168.100.250 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 68.157.126.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.100.14 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.252 255.255.255.255 inside
http 192.168.200.0 255.255.255.255 inside
http 192.168.100.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
vpngroup idle-time 1800
telnet 192.168.100.252 255.255.255.255 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
Wall(config)#
Delete this line and it should work:
nat (inside) 0 192.168.100.0 255.255.255.0 0 0
This line tells the PIX not to translate (nat 0) the source address of packets going through the PIX that originate from the 192.168.100.0 network. You should only use the nat 0 command in VPN configs.
Kind regards
Tom
-
PIX-to-router VPN, static-to-dynamic
Dear friends,
I'm trying to configure an IPsec tunnel between an IOS router and a PIX v7.0. I've seen some URLs pointing here for a configuration example. However, that example only covers PIX v6.x, so it is not helpful for my case.
My situation is that the router connects to a DSL provider and obtains a dynamic IP address, while my PIX has a static (leased line) connection to the Internet. So I have to establish the tunnel using pre-shared keys.
How do I do this using v7.x on the PIX?
Appreciate the help,
Mauricio
Mauricio,
Here is an example for PIX version 7.0 of a dynamic L2L tunnel.
You must create a dynamic crypto map, and use the DefaultL2LGroup tunnel-group for the pre-shared key settings.
Please rate this post if it helps.
See you soon
Gilbert
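An added example, not Gilbert's configuration, of the two halves of such a static-to-dynamic tunnel in PIX 7.0 and IOS syntax. Everything concrete is assumed: 192.168.1.0/24 behind the PIX whose outside address is 203.0.113.1, 192.168.2.0/24 behind the router on Dialer0, the pre-shared key MySharedSecret and the names nonat, dynmap, outside_map and ESP-3DES-SHA. PIX 7.2 and later accept the flat "isakmp ..." commands shown here and rewrite them as "crypto isakmp ...".

```cisco
! ---- PIX 7.0, static public address (assumed 203.0.113.1) ----
! The PIX cannot initiate: it has no peer address to send to, so the
! router must always bring the tunnel up.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
! Tunnel traffic must not be NATed
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic map: no "set peer"; the proxy identities come from the initiator,
! and the entry goes last (65535) so any static peers are tried first.
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
! The pre-shared key lives in DefaultL2LGroup because the peer address is
! unknown, so no named tunnel-group can match it.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key MySharedSecret
sysopt connection permit-ipsec

! ---- IOS router, dynamic DSL address (assumed: PPPoE on Dialer0) ----
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key MySharedSecret address 203.0.113.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address 110
interface Dialer0
 crypto map vpn
```

The security caveat with this design is that the DefaultL2LGroup key is accepted from any address that proposes pre-shared-key authentication, so it must be a long random secret, and a rogue peer that learns it can bring up a tunnel and present whatever proxy identities it likes. Restricting the dynamic map with a "match address" ACL limits what such a peer can inject; moving to a named tunnel-group as soon as the router gets a fixed address removes the problem entirely.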
-
Unable to connect to PDM on PIX 501
I just cannot understand this. I have a PIX 501 I used to connect to very well. Now I can't get the PDM to come up: inside, outside, nothing. I use the same (old) Java 1.4 version I always used. I can telnet etc. very well. The HTTP server is enabled and access is granted from my IP address. Any help would be greatly appreciated. See my config below.
pixfirewall# show running-config
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd XXXXXXXX encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 X0
fixup protocol h323 ras X18-X19
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name X.X.X.X admin_subnet
access-list inside_outbound_nat0_acl permit ip X.X.X.X 255.255.255.0 admin_subnet 255.255.0.0
access-list inside_outbound_nat0_acl permit ip X.X.X.X 255.255.255.0 X.X.X.X 255.255.255.0
access-list outside_cryptomap_20 permit ip X.X.X.X 255.255.255.0 admin_subnet 255.255.0.0
access-list outside_cryptomap_20 permit ip X.X.X.X 255.255.255.0 X.X.X.X 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.128
ip address inside X.X.X.X 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location admin_subnet 255.255.0.0 outside
pdm location X.X.X.X 255.255.255.0 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location X.X.X.X 255.255.255.0 outside
pdm location X.X.X.X 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http X.X.X.X 255.255.255.0 inside
http admin_subnet 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 8X00
telnet X.X.X.X 255.255.255.0 outside
telnet X.X.X.X 255.255.255.0 inside
telnet admin_subnet 255.255.0.0 inside
telnet timeout 30
ssh X.X.X.X 255.255.255.255 outside
ssh X.X.X.X 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 30
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
username XXXXXX password XXXXXXXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:
: end

Hello Mark,
lol, nice to know that everything works fine now.
Don't forget to mark it as answered and to rate the useful messages (if you don't know how to rate a message, just go to the bottom of each answer and mark it: 1 star being a wrong answer, 5 stars being a great answer).
Kind regards
Julio
PS: some kudos for you (because of the answer)
-
I need help setting up a Cisco PIX 506E, Version 6.3(5)
I use the PDM to configure the device, because I don't know enough CLI. I just want the simplest of configurations.
Here is what is happening: I set it up, then I hang Interface 1 to my laptop and use DHCP to get an IP address, but I can't get out to the internet like that. With the PDM tools, I can ping the outside IPs just fine.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DkreNA9TaOYv27T8 encrypted
passwd c4EBnG8v5uKhu.PA encrypted
hostname EWMS-PIX-630
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service test udp
  port-object eq isakmp
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit esp any any
access-list inside_access_in permit tcp any any eq www
access-list inside_outbound_nat0_acl permit ip interface inside 10.10.10.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 10.10.10.192 255.255.255.224
pager lines 24
logging timestamp
logging trap debugging
logging host inside 10.10.10.13
mtu outside 1500
mtu inside 1500
ip address outside 75.146.94.109 255.255.255.248
ip address inside 10.10.10.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.1 255.255.255.255 inside
pdm location 10.10.10.13 255.255.255.255 inside
pdm location 10.10.10.253 255.255.255.255 inside
pdm location 75.146.94.105 255.255.255.255 inside
pdm location 75.146.94.106 255.255.255.255 inside
pdm location 10.10.10.96 255.255.255.240 outside
pdm location 10.10.10.192 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 75.146.94.110 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 10.10.10.1 timeout 10
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
isakmp peer ip 206.196.18.227 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication rsa-sig
isakmp policy 60 encryption des
isakmp policy 60 hash md5
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.10.2-10.10.10.5 inside
dhcpd dns 68.87.72.130
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username btork password Ww3clvi.ynWeGweE encrypted privilege 15
vpnclient server 10.10.10.1
vpnclient mode client-mode
vpnclient vpngroup GroupA password ********
vpnclient username btork password ********
terminal width 80
Cryptochecksum:5ef06e69c17b6128e1778e988d1b9f5d
: end
[OK]

Any help would be appreciated.
Brian
Brian
NAT is your problem, i.e.:
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
Presumably the first NAT is for your VPN, though that ACL looks a little funny; what exactly are you doing with that?
The second NAT is the real problem for outgoing internet access: that NAT statement says not to NAT any of your 10.10.10.x addresses, which is a problem as 10.x.x.x addresses are not routable on the Internet.
You must change this setting, i.e.:
(1) remove the second NAT statement, i.e. "no nat (inside) 0 0.0.0.0 0.0.0.0"
(2) add a new NAT statement: "nat (inside) 1 0.0.0.0 0.0.0.0"
(3) add a corresponding global statement: "global (outside) 1 interface"
This will PAT all your 10.10.10.x addresses to the external IP address.
Apologies, but these are CLI commands; I don't use PDM.
Jon
-
PIX 501 with several public IP addresses
Hi all
I have the following configuration:
a public range of 6 IP addresses, for example 123.123.123.1-6 255.255.255.248
From my provider I have a Zyxel modem which has the IP address 123.123.123.1, which is also the default gateway for my PIX.
The PIX is connected to the Zyxel modem.
The outside interface of the PIX is 123.123.123.2 and the inside interface 192.168.1.1 255.255.255.0
At home I have several client computers and 3 network servers.
Client computers must be able to connect to the internet.
Server A should have the public IP 123.123.123.3 and 192.168.52.3 inside
Server B must have the public IP 123.123.123.4 and 192.168.52.4 inside
Server C must have the public IP 123.123.123.5 and 192.168.52.5 inside
The 3 servers are web servers and should be accessible from the outside on ports 80 and 443.
My current setup is:
pixfirewall(config)# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service web tcp
  port-object eq www
  port-object eq https
access-list OUTSIDE permit ip any host 123.123.123.3
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 123.123.123.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp 123.123.123.3 www 192.168.1.3 www netmask 255.255.255.255 0 0
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
pixfirewall(config)#

This configuration actually only allows connections from the inside to the outside, but not from the outside to the server.
I'm sure I'm missing something stupid; maybe someone could give me a hint?
Mike
The setup looks quite right, assuming that you are only testing connectivity to Server A (123.123.123.3), as it is the only one configured.
I suggest that you do 'clear xlate' and 'clear arp' and test again. I would check whether your modem has the ARP entry for 123.123.123.3 and that it points to the PIX ethernet0 MAC address.
-
PIX 515E and remote access VPN
I use a PIX 515E with ASDM Version 5,0000 51 and PIX Version 8.0(4), configured for remote access VPN.
I would like to get an email every time a user logs in (and/or disconnects) to the VPN. Remote clients use the Cisco VPN Client.
Any help is appreciated.
Hello
Here is a link to the email logging configuration for the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7
Then you can create a message list so that only the logs for VPN user connection/disconnection are sent: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18
There is a thread linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue
-
PIX-to-PIX Easy VPN, almost there... Need help :(
I have spent countless hours now implementing a PIX-to-PIX VPN. I thought I would post this in the hope that someone could help me.
I can get my PIX 501 to open a tunnel to the PIX 506E. They are both on different ISPs.
I can ping from the PIX 501 console to the PIX 506E inside interface IP.
I can ping from the PIX 506E console to the PIX 501 inside interface IP.
I cannot ping hosts beyond the inside interface of either PIX.
With logging console 7 enabled, I get the following error when pinging the host 172.16.54.5 from the console on the PIX 501:
305005: No translation group found for icmp src outside:100.1.1.10 dst inside:172.16.54.5 (type 8, code 0)
For confidentiality reasons, I have changed the IP addresses and passwords.
PIX 506E outside (ISP1): 200.1.1.10
ISP1 gateway: 200.1.1.1
PIX 501 outside (ISP2): 100.1.1.10
ISP2 gateway: 100.1.1.1
Here is my configuration:
PIX 506E (server)
----------------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname VPNServer
domain-name mydomain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
access-list SHEEP permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list SHEEP permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0
access-list 110 permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 110 permit ip 192.168.6.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 110 permit ip host 100.1.1.10 172.16.2.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.10 255.255.255.128
ip address inside 172.16.54.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.54.201-172.16.54.210
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
route inside 172.16.2.0 255.255.255.0 172.16.54.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set RIGHT
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool vpnpool
vpngroup mygroup dns-server 172.16.2.1
vpngroup mygroup default-domain mydomain.com
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time 1800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn username myuser password ********
vpdn enable outside
username myuser password ******** encrypted privilege 2
terminal width 80
----------------------------------------------
PIX 501 (client)
----------------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname vpnclient
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 100.1.1.10 255.255.255.0
ip address inside 192.168.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 100.1.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.6.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.6.20-192.168.6.200 inside
dhcpd dns 172.16.2.1 172.16.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
vpnclient server 200.1.1.10
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********
vpnclient username myuser password ********
vpnclient enable
terminal width 80
----------------------------------------------
Assuming that you want to send traffic between the subnets 172.16.54.0/24 and 192.168.6.0/24 through the tunnel:
1. ip local pool vpnpool 172.16.54.201-172.16.54.210 <please use IPs in a different subnet; the current IPs are in the same subnet as the inside interface>
2. You don't 'need' access-list SHEEP permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0.
3. Don't ping from the 501 directly; ping from a host behind the 501 in subnet 192.168.6.0/24.
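The two points a reader would want to check mechanically in configs like the ones posted above are the one the reply raises (a VPN address pool that falls inside an interface's own subnet) and the management-plane lines that both configs carry (ssh/telnet/http opened to 0.0.0.0 0.0.0.0, the default SNMP community, and an MD5/3DES IKE policy). The script below is an added example and not code from the thread or from Cisco; it parses a constructed config excerpt in the same style as the posted ones. The inside address 172.16.54.1/24 in the sample is an assumption: the reply states that the pool shares the inside subnet, but this part of the page does not show the server's inside address.

```python
"""Static checks over a PIX 6.3-style configuration (added example, not from the thread):
VPN pool vs. interface subnet overlap, management services open to any source,
and weak ISAKMP policy parameters."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the style of the configs posted in the thread.
# ASSUMPTION: inside is 172.16.54.1/24; the page only says the pool shares the inside subnet.
SAMPLE_CONFIG = """\
ip address outside 100.1.1.10 255.255.255.0
ip address inside 172.16.54.1 255.255.255.0
ip local pool vpnpool 172.16.54.201-172.16.54.210
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
snmp-server community public
http 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
"""


def parse_interfaces(lines: List[str]) -> Dict[str, ipaddress.IPv4Interface]:
    """'ip address <nameif> <ip> <mask>' -> nameif -> address/netmask."""
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}
    for line in lines:
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", line)
        if m:
            ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    return ifaces


def parse_pools(lines: List[str]) -> Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """'ip local pool <name> <first>-<last>' -> name -> (first, last). Tolerates spaces around '-'."""
    pools = {}
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+?)\s*-\s*(\S+)$", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def check_pool_overlap(lines: List[str]) -> List[str]:
    """Flag a pool whose first or last address lies in a directly connected interface subnet."""
    findings = []
    ifaces = parse_interfaces(lines)
    for pool, (first, last) in parse_pools(lines).items():
        for name, iface in ifaces.items():
            if first in iface.network or last in iface.network:
                findings.append(f"pool {pool} ({first}-{last}) overlaps interface {name} ({iface.network})")
    return findings


def check_mgmt_access(lines: List[str]) -> List[str]:
    """Flag ssh/telnet/http permitted from 0.0.0.0 0.0.0.0 and the default SNMP community."""
    findings = []
    for line in lines:
        m = re.match(r"(ssh|telnet|http) (\S+) (\S+) (\S+)$", line)
        if m and m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
            findings.append(f"{m.group(1)} allowed from any source on {m.group(4)}")
        if re.match(r"snmp-server community public$", line):
            findings.append("snmp-server community public (well-known default community)")
    return findings


def check_isakmp(lines: List[str]) -> List[str]:
    """Flag MD5 integrity and DES/3DES encryption in ISAKMP policies."""
    findings = []
    for line in lines:
        m = re.match(r"isakmp policy (\d+) hash md5$", line)
        if m:
            findings.append(f"isakmp policy {m.group(1)} uses MD5 for IKE integrity; prefer sha")
        m = re.match(r"isakmp policy (\d+) encryption (des|3des)$", line)
        if m:
            findings.append(f"isakmp policy {m.group(1)} uses legacy {m.group(2)}; prefer aes")
    return findings


def audit(config_text: str) -> List[str]:
    """Run every check over a running-config text and return the findings."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    return check_pool_overlap(lines) + check_mgmt_access(lines) + check_isakmp(lines)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The overlap check is the one that explains the reply's first point: a pool address that lives in the inside subnet makes the PIX treat the VPN client as a directly connected host, so traffic for it is not routed into the tunnel. The other checks only read the lines that are already in the posted configs; they do not decide whether those settings are acceptable for the poster's environment.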
-
ACL for PIX 6.3.1
Below is my access list. I have an IP 211.181.198.201 on the Internet that frequently tries to access my web server; to me it is not reliable and I don't want this IP 211.181.198.201 to access my web server. In any case, I applied the last statement; will the last statement be effective? I assume that the first statement will allow any host, even this IP 211.181.198.201, to access my web server. How can I block it? Please advise.
access-list 101 permit tcp any host xxx.187.66.197 eq www
access-list 101 permit udp any host xxx.187.66.195 eq domain
access-list 101 permit tcp any host xxx.187.66.198 eq www
access-list 101 deny ip host 211.181.198.201 any
If you want to block host 211.181.198.201 from accessing a server behind your PIX, you put this before the permit statements!
Example:
access-list 101 deny ip host 211.181.198.201 any
access-list 101 permit tcp any host xxx.187.66.197 eq www
access-list 101 permit udp any host xxx.187.66.195 eq domain
access-list 101 permit tcp any host xxx.187.66.198 eq www
Depending on your PIX OS version, you can just add an access-list entry at line n. I think 6.3.3 introduced this feature.
Syntax:
[no] access-list id [line line-num] deny | permit protocol | object-group protocol_obj_grp_id
  source_addr source_mask | interface if_name | object-group network_obj_grp_id
  [operator port [port] | object-group service_obj_grp_id]
  dest_addr dest_mask | interface if_name | object-group network_obj_grp_id
  [operator port [port] | object-group service_obj_grp_id]
  [log [[disable | default] | [level] [interval secs]]]
Example:
no access-list 101 deny ip host 211.181.198.201 any
access-list 101 line 1 deny ip host 211.181.198.201 any
Do a "clear xlate" if necessary! Be aware that this resets all connections.
Sincerely,
Patrick
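The answer above rests on one rule: a PIX evaluates an access-list top-down and stops at the first entry that matches, so a deny placed after a broader permit is never consulted. The evaluator below is an added example (not code from the thread or from Cisco) that models that rule and the two commands Patrick suggests, `no access-list ...` followed by `access-list ... line 1 ...`. The web and DNS server addresses (198.51.100.197, .195, .198) are stand-ins for the xxx.187.66.x hosts masked in the post; everything else comes from the posted ACL.

```python
"""First-match access-list evaluation, as a PIX applies 'access-group 101 in interface outside'.
Added example, not part of the thread. Server addresses are documentation-range stand-ins
for the masked xxx.187.66.x hosts in the post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-list entry: <action> <proto> <src> <dst> [eq <dport>]."""
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" matches every protocol
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int] = None  # None == any destination port


ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip: str) -> IPv4Net:
    """'host a.b.c.d' keyword -> /32 network."""
    return ipaddress.ip_network(f"{ip}/32")


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src:
        return False
    if ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching entry decides.
    Returns (action, 1-based line); no match is the implicit deny, reported as ("deny", None)."""
    for line, ace in enumerate(acl, start=1):
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action, line
    return "deny", None


def remove_ace(acl: List[Ace], ace: Ace) -> List[Ace]:
    """Equivalent of 'no access-list 101 <entry>'."""
    return [a for a in acl if a != ace]


def insert_line(acl: List[Ace], line_num: int, ace: Ace) -> List[Ace]:
    """Equivalent of 'access-list 101 line N <entry>': insert before the current entry N."""
    new = list(acl)
    new.insert(line_num - 1, ace)
    return new


# Stand-ins for the masked xxx.187.66.197 / .195 / .198 servers in the post.
WEB1, DNS1, WEB2 = "198.51.100.197", "198.51.100.195", "198.51.100.198"
BAD_HOST = "211.181.198.201"

DENY_BAD = Ace("deny", "ip", host(BAD_HOST), ANY)

# The poster's order: three permits, then the deny.
ORIGINAL_ACL = [
    Ace("permit", "tcp", ANY, host(WEB1), 80),
    Ace("permit", "udp", ANY, host(DNS1), 53),
    Ace("permit", "tcp", ANY, host(WEB2), 80),
    DENY_BAD,
]

# Patrick's fix: remove the entry, then re-add it at line 1.
FIXED_ACL = insert_line(remove_ace(ORIGINAL_ACL, DENY_BAD), 1, DENY_BAD)

if __name__ == "__main__":
    print(evaluate(ORIGINAL_ACL, "tcp", BAD_HOST, WEB1, 80))  # ('permit', 1): line 4 is never reached
    print(evaluate(FIXED_ACL, "tcp", BAD_HOST, WEB1, 80))     # ('deny', 1)
```

The evaluator only models how a new connection is matched against the list. Connections the PIX has already admitted through the earlier permit live in its connection and translation tables and are not re-evaluated when the ACL changes, which is why the answer ends with `clear xlate` and the warning that it resets everything.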