LT2P on PIX Version 7

Hello

I'm trying to set up a VPN L2TP on my PIX server to replace a PPTP server on a router.

I followed a few guides (though most seem to be for 6.3.x) and used what I have on a PIX VPN config knowledge, but I'm still to come against some issues.

I have debugging details that I hope someone can use to point me in the right direction.

Jun 30 11:38:54 [IKEv1]: IP = 84.93.217.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing ke payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing ISA_KE payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing nonce payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing ke payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing nonce payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing Cisco Unity VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing xauth V6 VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Send IOS VID
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Can't find a valid tunnel group, aborting...!
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, IKE MM Responder FSM error history (struct &0x42ed788)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, IKE SA MM:87377a60 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, sending delete/delete with reason message
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Removing peer from peer table failed, no match!
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Error: Unable to remove PeerTblEntry

Here is my config:

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set TUN_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside-dyn-map 20 set transform-set TRANS_ESP_3DES_MD5

crypto dynamic-map outside-dyn-map 30 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map outside-dyn-map 40 set transform-set TUN_ESP_3DES_SHA

crypto map outside-map 20 ipsec-isakmp dynamic outside-dyn-map

crypto map outside-map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

...

group-policy VPN-Policy internal

group-policy VPN-Policy attributes

wins-server value 10.0.1.250

dns-server value 10.0.1.250

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain value xxxx.co.uk

username xxxxxx password xxx nt-encrypted privilege 3

tunnel-group L2TP-VPN type ipsec-ra

tunnel-group L2TP-VPN general-attributes

address-pool (Inside) L2TP-Pool

authentication-server-group (Inside) LOCAL

default-group-policy VPN-Policy

tunnel-group L2TP-VPN ipsec-attributes

pre-shared-key *

tunnel-group L2TP-VPN ppp-attributes

authentication ms-chap-v2

Thanks in advance

Paul

Hi Paul

I do not recommend to use the dynamic cards the way which I suggesting that it is the right way to configure on the SAA.

By default, Microsoft Windows does not support L2TP connections to servers behind a NAT, it is a
Limitation of Microsoft, not a limitation of the ASA or any Cisco device. On the links below you can find more information about how to edit the Windows registry so that it connects to a server behind a NAT, because editing the registry is dangerous to the computer, this must be done at your own risk:

http://support.Microsoft.com/kb/926179
http://support.Microsoft.com/kb/818043/

Tags: Cisco Security

Similar Questions

Remote access VPN pix version 8.0 (3)

Hi all

First of all, I would like to thank to all members of the forum who got help in several messages on the configuration of the pix 515.

I am now configuring remote VPN access with radius authentication to my network, but I can't connect.

I use the cisco vpn client 5.0.03.0560, I have also tested my pix radius (inside) server authentication and works very well.

I already tried to retype the key of the cli, but I still can't remote access vpn to work.

I also tried to create another remote vpn with another name and local authentication, but I have the same problem.

I use 8.0 (3) version pix.

Can someone help me

I attach the log file of the cisco vpn client to help solve the problem, as well a configuration of the pix folder.

Thank you very much in advance and I seek prior information.

http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/vpnadd.html#wp999516

[Pls RATE if HELP]

What version of PDM (PIX Version 6.2 (4))

Comrades, I am new to PIX 506 ongoing enforcement. I try to get the installed MDP, but I have a bad magic number when downloading ftp!

Have you tried "downgrading" of worm 6.3 (5) and 6.2 (4) worm. Should what version of PDMxxx.bin I use. Have you tried ver 6.3 (5) install pdm - 304.bin, but who doesn't either. I'm new on this and are studying for my CCNA!, so please have mercy!

For PIX OS 6.3.5 (pix635.bin), you will need the PDM (pdm - 304.bin).

Whan you download the FTP image on your PC do not forget that you are in binary mode, if you are in ASCII mode, the image will be corrupted (incorrect checksum).

FTP x.x.x.x

loged in...

bin

hash

get a pdm - 304.bin

#########...

output

You use TFTP to download the image to the pix.

For use PDM:

pixfirewall # copy tftp://Your_TFTP_Server_IP_Address/Your_pdmfile_name flash: pdm

Or you can enter the generic command and follow the instructions:

pixfirewall # copy tftp flash: pdm

For use of PIX OS:

Example - updated the PIX Firewall with the copy flash tftp command

pixfirewall # copy tftp flash

Address or name of remote host [127.0.0.1]? 172.18.125.3

Source [cdisk] file name? pix611.bin

copy of tftp://172.18.125.3/pix611.bin to Flash

[Yes | No | new]? Yes

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Receipt 2562048 bytes.

Delete the current image.

2469944 bytes of the image of the writing.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Image installed.

pixfirewall #.

PIX and PDM upgrade guide:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml

sincerely

Patrick

PIX version 6.3 and static priority

Hi all

This question concerns do differnet kinds of static on a pix6.3 (4).

I have a setup where I need static nat public IP address on a mail server on the network private.

It works very well. Now, I also want to expose the inside of the network to the public side (as shown in the example config)

inside the ip 192.168.1.x

Apart from the ip 55.55.44.x

public static 55.55.44.33 (Interior, exterior) 192.168.1.10 netmask 255.255.255.255 0 0<- mail="">

static (inside, outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

Now... the mail server-specific static will resume precende the translation of net-to-net?

Kind regards

Hey Kevin,

Too much honing ip can be solved by leaving the 192.168.1.0/24 network at the end of the static instructions. When a packet arrives at the external interface, the pix treats all the static instructions from top to bottom. Because the mail server is configured before the net NET, this statement will be precende. (for code 6.3)

Mike

Mike

VPN site to site Pix 525 ver7.2 (2) and Pix 501 ver 6.3

Hello!!

I have problems to establish a vpn between two pix.

The first pix 525 a version 7.2 (2) an another Pix version 6.3 has this it is not run by myself.

The fixed phase 1 but send the associated messages

can help me

Thank you

I'm glad you got it working now :)

Please evaluate the useful messages.

Concerning

Farrukh

VPN to Pix problem

It seems that I have problems similar to many others in the connection of remote clients to a PIX 515E.

Currently, I have tried both the client VPN Cisco 3.6 and 4.03 without success. Users are authenticated very well and the customer, you can see that their assigned an address etc but they are unable to access the internal network. The crypto ipsec his watch HS no encrypted traffic has affected the Pix as its...

within the State of the customer etc., it shows that packets are encrypted so I'm at a bit of a loss.

I have also a problem with pptp connections - this seems to differ between the BONES on the client but Win2K machines can connect and get checked etc but again failed to connect within the networks. These could be linked?

My current config is: (change of address, etc.)

SH run

: Saved

:

PIX Version 6.2 (1)

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

nameif ethernet2 security10 intf2

enable password xxxx

passwd xxxx

hostname fw

domain name

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol they 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol 2000 skinny

No fixup protocol sip 5060

names of

name Inside_All 10.0.0.0

name 10.30.1.0 Ireland1_LAN

name 159.135.101.34 Ireland1_VPN

name 213.95.227.137 IrelandSt1_VPN

name 10.30.2.0 Cardiff_LAN

name 82.69.56.30 Cardiff_VPN

access-list 101 permit ip Inside_All 255.0.0.0 10.1.1.88 255.255.255.248

access-list 101 permit ip Ireland1_LAN 255.255.255.0 255.0.0.0 Inside_All

access-list 101 permit ip Cardiff_LAN 255.255.255.0 255.0.0.0 Inside_All

access-list 101 permit ip Inside_All 255.0.0.0 10.30.3.0 255.255.255.0

access-list 101 permit ip Inside_All 255.0.0.0 192.168.253.0 255.255.255.0

outside_interface list access permit icmp any any echo

outside_interface list access permit icmp any any echo response

outside_interface list of access permit icmp any any traceroute

outside_interface list access permit tcp any host 212.36.237.99 eq smtp

outside_interface ip access list allow any host 212.36.237.100

access-list permits outside_interface tcp host 212.241.168.236 host 212.36.237.101 eq telnet

outside_interface list of access permitted tcp 192.188.69.0 255.255.255.0 host 212.36.237.101 eq telnet

outside_interface list access permit tcp any any eq telnet

allow the ip host 82.69.108.125 access list outside_interface a

access-list 102 permit ip 10.1.1.0 255.255.255.0 Ireland1_LAN 255.255.255.0

access-list 103 allow ip 10.1.1.0 255.255.255.0 Cardiff_LAN 255.255.255.0

access-list 104. allow ip 10.1.1.0 255.255.255.0 10.30.3.0 255.255.255.0

pager lines 24

opening of session

recording of debug console

monitor debug logging

interface ethernet0 10baset

interface ethernet1 10baset

Automatic stop of interface ethernet2

Outside 1500 MTU

Within 1500 MTU

intf2 MTU 1500

IP outdoor 212.36.237.98 255.255.255.240

IP address inside 10.1.1.250 255.255.255.0

intf2 IP address 127.0.0.1 255.255.255.255

alarm action IP verification of information

alarm action attack IP audit

IP local pool ippool 10.1.1.88 - 10.1.1.95

IP local pool mspool 10.7.1.1 - 10.7.1.50

IP local pool mspools 192.168.253.1 - 192.168.253.50

location of PDM Inside_All 255.255.255.0 inside

location of PDM 82.69.108.125 255.255.255.255 outside

location of PDM 10.55.1.0 255.255.255.0 inside

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

(Inside) NAT 0-list of access 101

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

public static 212.36.237.100 (Interior, exterior) 10.1.1.50 netmask 255.255.255.255 0 0

public static 212.36.237.101 (Interior, exterior) 10.1.1.254 netmask 255.255.255.255 0 0

public static 212.36.237.99 (Interior, exterior) 10.1.1.208 netmask 255.255.255.255 0 0

Access-group outside_interface in interface outside

Route outside 0.0.0.0 0.0.0.0 212.36.237.97 1

Route inside Inside_All 255.255.255.0 10.1.1.254 1

Route inside 10.2.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.3.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.4.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.5.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.6.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.7.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.8.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.9.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.10.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.11.1.0 255.255.255.0 10.1.1.253 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

Timeout uauth 0:00:00 uauth absolute 0:30:00 inactivity

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

AAA-server AuthInOut Protocol Ganymede +.

AAA-server AuthInOut (inside) host 10.1.1.203 Kinder timeout 10

the AAA authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

the AAA authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

AAA accounting include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

AAA accounting include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

Enable http server

http 82.69.108.125 255.255.255.255 outside

http 10.1.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server SNMP community xxx

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Sysopt connection permit-pptp

Sysopt route dnat

Crypto ipsec transform-set esp - esp-md5-hmac VPNAccess

Crypto ipsec transform-set esp-3des esp-md5-hmac VPNAccess2

Crypto-map dynamic dynmap 10 game of transformation-VPNAccess2

card crypto home 9 ipsec-isakmp dynamic dynmap

card crypto ipsec-isakmp 10 home

address of 10 home game card crypto 102

set of 10 House card crypto peer IrelandSt1_VPN

House 10 game of transformation-VPNAccess crypto card

card crypto ipsec-isakmp 15 home

address of home 15 game card crypto 103

set of 15 home map crypto peer Cardiff_VPN

House 15 game of transformation-VPNAccess crypto card

card crypto ipsec-isakmp 30 home

address of 30 home game card crypto 104

crypto home 30 card set peer 212.242.143.147

House 30 game of transformation-VPNAccess crypto card

interface card crypto home outdoors

ISAKMP allows outside

ISAKMP key * address IrelandSt1_VPN netmask 255.255.255.255

ISAKMP key * address Cardiff_VPN netmask 255.255.255.255

ISAKMP key * address 212.242.143.147 netmask 255.255.255.255

ISAKMP identity address

part of pre authentication ISAKMP policy 5

ISAKMP strategy 5 3des encryption

ISAKMP strategy 5 md5 hash

5 2 ISAKMP policy group

ISAKMP life duration strategy 5 86400

part of pre authentication ISAKMP policy 7

ISAKMP strategy 7 3des encryption

ISAKMP strategy 7 sha hash

7 2 ISAKMP policy group

ISAKMP strategy 7 life 28800

part of pre authentication ISAKMP policy 10

encryption of ISAKMP policy 10

ISAKMP policy 10 md5 hash

10 1 ISAKMP policy group

ISAKMP policy 10 life 85000

part of pre authentication ISAKMP policy 20

encryption of ISAKMP policy 20

ISAKMP policy 20 md5 hash

20 2 ISAKMP policy group

ISAKMP duration strategy of life 20 85000

vpngroup client address mspools pool

vpngroup dns-server 194.153.0.18 client

vpngroup wins client-server 10.155.1.16

vpngroup idle time 1800 customer

vpngroup customer password *.

Telnet 82.69.108.125 255.255.255.255 outside

Telnet 10.55.1.0 255.255.255.0 inside

Telnet 10.1.1.0 255.255.255.0 inside

Telnet timeout 15

SSH 82.69.108.125 255.255.255.255 outside

SSH timeout 15

VPDN Group 6 accept dialin pptp

PAP VPDN Group 6 ppp authentication

VPDN Group 6 chap for ppp authentication

VPDN Group 6 ppp mschap authentication

VPDN Group 6 ppp encryption mppe auto

VPDN Group 6 client configuration address local mspools

VPDN Group 6 pptp echo 60

local 6 VPDN Group client authentication

VPDN username xxxx password *.

VPDN username password xxx *.

VPDN username password xxx *.

VPDN username password xxx *.

VPDN username xxxx password *.

VPDN allow outside

username xxx pass xxx

Terminal width 80

Cryptochecksum:8f8ceca91c6652e3cc8086edc8ed62fa

: end

If you do not see decrypts side Pix while my thoughts are (for IPSEC) ESP and GRE (for PPTP) do not get to your Pix (blocks perhaps of ISP or other devices).

If you do a "capture" of the packets on the external interface you see all traffic ESP or GRE? Where the customer? If this isn't the case, dialup is ESP or permitted GRE?

PIX IPSec configuration

Hello

We have configured our PIX as below.

Here, I would like a clarification on implecation access lists.

I joined 'infinet1' crypto map and 'acl_out' - list access to the external interface, if any traffic entering under "infinet1" of the lists of access such as 101, 102, 103 etc. will again suffer conditions of access 'acl_out"list or not?

We have seen that this is not the case!

the conditions of "acl_out" work correctly with the rest of the traffic which is not under the control of IPSec accesses-lists.

I need to enforce these conditions "acl_out" IPSec traffic too... How can I do?

Concerning

K V star anise

Here is the configuration of my PIX:

PIX520 # sh config

: Saved

:

PIX Version 6.1 (1)

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

nameif ethernet2 security10 failover

nameif ethernet3 dialup security80

Select xxxxxxxx

passwd xxxxxxxx

hostname xxxxxxx

domain ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol 2000 skinny

No fixup not protocol smtp 25

no correction 1720 h323 Protocol

<--- more="" ---="">

names of

access-list acl_out permit icmp any one

acl_out list access permit tcp any host 10.21.1.42 eq telnet

acl_out list access permit tcp any host 10.21.1.43 eq 1414

acl_out list access permit tcp any host 10.21.1.44 eq 1414

acl_out list access permit tcp any host 10.21.1.34 eq smtp

acl_out list access permit tcp any host 10.21.1.34 eq pop3

acl_out list access permit tcp any host 10.21.1.34 eq 389

acl_out list access permit tcp any host 10.21.1.34 eq 1414

acl_out list access permit tcp any host 10.21.1.45 eq 1414

acl_out list access permit tcp any host 10.21.1.59 eq telnet

acl_out list access permit tcp any host 10.21.1.34 eq www

acl_out list access permit tcp any host 10.21.1.57 eq 1414

acl_out list access permit tcp any host 10.21.1.56 eq 1414

acl_out list access permit tcp any host 10.21.1.55 eq telnet

acl_out list access permit tcp any host 10.21.1.49 eq ftp

acl_out list access permit tcp any host 10.21.1.49 eq ftp - data

access-list 101 permit ip 10.21.1.32 255.255.255.224 10.36.1.64 255.255.255.224

access-list 102 permit ip 10.21.1.32 255.255.255.224 10.36.1.32 255.255.255.224

access-list 103 allow ip 10.21.1.32 255.255.255.224 10.9.1.32 255.255.255.224

<--- more="" ---="">

access-list 104. allow ip 10.21.1.32 255.255.255.224 10.40.1.32 255.255.255.224

access-list 105 allow ip 10.21.1.32 255.255.255.224 10.64.1.32 255.255.255.224

access-list 106 allow ip 10.21.1.32 255.255.255.224 10.59.1.64 255.255.255.224

access-list 107 allow ip 10.21.1.32 255.255.255.224 10.59.1.32 255.255.255.224

access-list 108 allow ip 10.21.1.32 255.255.255.224 10.47.1.32 255.255.255.224

access-list 109 allow ip 10.21.1.32 255.255.255.224 10.5.1.32 255.255.255.224

access-list 110 permit ip 10.21.1.32 255.255.255.224 10.5.1.128 255.255.255.224

access-list 111 allow ip 10.21.1.32 255.255.255.224 10.5.1.96 255.255.255.224

access-list 112 allow ip 10.21.1.32 255.255.255.224 10.42.1.32 255.255.255.224

access-list 113 allow ip 10.21.1.32 255.255.255.224 10.42.1.64 255.255.255.224

access-list 114 allow ip 10.21.1.32 255.255.255.224 10.17.1.32 255.255.255.224

access-list acl_dialup allow icmp a whole

acl_dialup list access permit tcp any host 192.168.2.9 eq 1414

acl_dialup list access permit tcp any host 192.168.2.9 eq 1494

access-list 117 allow ip 10.21.1.32 255.255.255.224 10.1.1.32 255.255.255.224

access-list 118 allow ip 10.21.1.32 255.255.255.224 10.38.1.32 255.255.255.224

access-list 119 allow ip 10.21.1.32 255.255.255.224 10.49.1.32 255.255.255.224

access-list 120 allow ip 10.21.1.32 255.255.255.224 10.51.1.32 255.255.255.224

access-list 121 allow ip 10.21.1.32 255.255.255.224 10.15.1.32 255.255.255.224

access-list 122 allow ip 10.21.1.32 255.255.255.224 10.53.1.32 255.255.255.224

<--- more="" ---="">

access-list 123 allow ip 10.21.1.32 255.255.255.224 10.27.1.64 255.255.255.224

access-list 124 allow ip 10.21.1.32 255.255.255.224 10.27.1.32 255.255.255.224

access-list 125 allow ip 10.21.1.32 255.255.255.224 10.27.1.128 255.255.255.224

access-list 126 allow ip 10.21.1.32 255.255.255.224 10.21.1.96 255.255.255.224

access-list 128 allow ip 10.21.1.32 255.255.255.224 10.27.1.96 255.255.255.224

access-list 130 allow ip 10.21.1.32 255.255.255.224 10.24.1.128 255.255.255.224

access-list 132 allow ip 10.21.1.32 255.255.255.224 10.24.1.32 255.255.255.224

access-list 134 allow ip 10.21.1.32 255.255.255.224 10.24.1.96 255.255.255.224

access-list 135 allow ip 10.21.1.32 255.255.255.224 10.34.1.64 255.255.255.224

access-list 136 allow ip 10.21.1.32 255.255.255.224 10.34.1.32 255.255.255.224

access-list 137 allow ip 10.21.1.32 255.255.255.224 10.55.1.128 255.255.255.224

access-list 138 allow ip 10.21.1.32 255.255.255.224 10.55.1.64 255.255.255.224

access-list 139 allow ip 10.21.1.32 255.255.255.224 10.19.1.32 255.255.255.224

access-list 140 allow ip 10.21.1.32 255.255.255.224 10.13.1.32 255.255.255.224

access-list 198 allow ip 10.21.1.32 255.255.255.224 10.0.0.0 255.255.0.0

access-list 197 allow ip 10.21.1.32 255.255.255.224 10.21.1.64 255.255.255.224

access-list 191 allow ip 10.21.1.32 255.255.255.224 10.21.1.128 255.255.255.224

access-list 115 permit ip 10.21.1.32 255.255.255.224 10.57.1.32 255.255.255.224

pager lines 20

opening of session

<--- more="" ---="">

timestamp of the record

recording console alerts

monitor debug logging

recording of debug trap

debugging in the history record

logging out of the 10.0.67.250 host

interface ethernet0 car

Auto interface ethernet1

Auto interface ethernet2

Auto ethernet3 interface

Outside 1500 MTU

Within 1500 MTU

failover of MTU 1500

Dialup MTU 1500

IP outdoor 10.21.1.35 255.255.255.224

IP address inside 172.16.22.50 255.255.255.0

failover of address IP 192.168.1.1 255.255.255.0

dialup from IP 192.168.2.1 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

<--- more="" ---="">

failover

failover timeout 0:00:00

failover poll 15

ip address of switch outside the 10.21.1.36

IP Failover within the 172.16.22.51

failover failover of address ip 192.168.1.2

failover ip address 192.168.2.2 dialup

failover failover link

history of PDM activate

ARP timeout 14400

Global 1 10.21.1.62 (outside)

Global (dialup) 1 192.168.2.10 - 192.168.2.20

NAT (inside) 1 172.16.150.1 255.255.255.255 0 0

NAT (inside) 1 172.16.150.2 255.255.255.255 0 0

NAT (inside) 1 172.16.150.3 255.255.255.255 0 0

NAT (inside) 1 172.16.150.110 255.255.255.255 0 0

NAT (inside) 1 172.16.150.150 255.255.255.255 0 0

NAT (inside) 1 172.16.150.151 255.255.255.255 0 0

NAT (inside) 1 172.16.150.153 255.255.255.255 0 0

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

<--- more="" ---="">

NAT (dialup) 1 192.168.2.0 255.255.255.0 0 0

public static 10.21.1.43 (Interior, exterior) 172.16.150.2 netmask 255.255.255.255 0 0

public static 10.21.1.44 (Interior, exterior) 172.16.150.3 netmask 255.255.255.255 0 0

public static 10.21.1.34 (Interior, exterior) 172.16.12.50 netmask 255.255.255.255 0 0

public static 10.21.1.42 (Interior, exterior) 172.16.150.151 netmask 255.255.255.255 0 0

public static 10.21.1.59 (Interior, exterior) 172.16.3.251 netmask 255.255.255.255 0 0

public static 10.21.1.45 (Interior, exterior) 172.16.150.1 netmask 255.255.255.255 0 0

public static 10.21.1.57 (Interior, exterior) 172.16.7.151 netmask 255.255.255.255 0 0

public static 10.21.1.56 (Interior, exterior) 172.16.13.50 netmask 255.255.255.255 0 0

public static 10.21.1.47 (Interior, exterior) 172.16.22.200 netmask 255.255.255.255 0 0

public static 10.21.1.55 (Interior, exterior) 172.16.22.2 netmask 255.255.255.255 0 0

static (dialup, external) 10.21.1.46 192.168.2.3 netmask 255.255.255.255 0 0

static (inside, dialup) 192.168.2.9 172.16.150.2 netmask 255.255.255.255 0 0

public static 10.21.1.49 (Interior, exterior) 172.16.22.10 netmask 255.255.255.255 0 0

public static 10.21.1.58 (Interior, exterior) 172.16.10.58 netmask 255.255.255.255 0 0

Access-group acl_out in interface outside

acl_dialup in interface dialup access-group

TCP 0 1414 permitto tcp 1414 permitfrom tcp 1024-65535 has established

external route 10.0.0.0 255.0.0.0 10.21.1.41 1

external route 10.0.0.0 255.0.0.0 10.21.1.50 2

<--- more="" ---="">

external route 10.0.0.0 255.0.0.0 10.21.1.33 3

Route inside 172.16.0.0 255.255.0.0 172.16.22.243 1

Route outside 202.54.63.221 255.255.255.255 10.21.1.41 1

Route outside 203.197.140.9 255.255.255.255 10.21.1.41 1

Timeout xlate 23:59:59

Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

Enable http server

http 172.16.25.2 255.255.255.255 inside

http 172.16.25.1 255.255.255.255 inside

SNMP-server host within the 10.0.67.250

SNMP-server host within the 172.16.7.206

No snmp server location

No snmp Server contact

CMC of SNMP-Server community

SNMP-Server enable traps

no activation floodguard

Permitted connection ipsec sysopt

<--- more="" ---="">

No sysopt route dnat

Crypto ipsec transform-set esp - esp-sha-hmac mumroset

Crypto ipsec transform-set esp - esp-sha-hmac mumroset1

infinet1 card crypto ipsec isakmp 1

correspondence address 1 card crypto infinet1 101

infinet1 card crypto 1jeu peer 10.36.254.10

infinet1 card crypto 1 set transform-set mumroset1

infinet1 map ipsec-isakmp crypto 2

correspondence address 2 card crypto infinet1 102

infinet1 crypto map peer set 2 10.36.254.6

infinet1 crypto map peer set 2 10.36.254.13

infinet1 card crypto 2 set transform-set mumroset1

infinet1 map ipsec-isakmp crypto 3

correspondence address 3 card crypto infinet1 103

infinet1 card crypto 3 peers set 10.1.254.18

infinet1 card crypto 3 peers set 10.1.254.21

infinet1 card crypto 3 peers set 10.5.254.5

infinet1 card crypto 3 set transform-set mumroset1

infinet1 map ipsec-isakmp crypto 4

correspondence address 4 card crypto infinet1 104

<--- more="" ---="">

infinet1 card crypto 4 peers set 10.36.254.41

infinet1 card crypto 4 peers set 10.36.254.22

infinet1 card crypto 4 set transform-set mumroset1

infinet1 map ipsec-isakmp crypto 5

address for correspondence 5 card crypto infinet1 105

infinet1 crypto card 5 peers set 10.51.254.33

infinet1 crypto card 5 peers set 10.51.254.26

infinet1 card crypto 5 set transform-set mumroset1

infinet1 map ipsec-isakmp crypto 6

correspondence address 6 infinet1 card crypto 106

infinet1 crypto card 6 peers set 10.51.254.42

infinet1 card crypto 6 set transform-set mumroset1

infinet1 map ipsec-isakmp crypto 7

address for correspondence 7 card crypto infinet1 107

infinet1 crypto map peer set 7 10.1.254.74

infinet1 card crypto 7 set transform-set mumroset1

infinet1 map ipsec-isakmp crypto 8

correspondence address 8 card crypto infinet1 108

infinet1 crypto card 8 peers set 10.36.254.34

infinet1 crypto card 8 peers set 10.36.254.38

<--- more="" ---="">

infinet1 card crypto 8 set transform-set mumroset1

infinet1 map ipsec-isakmp crypto 9

correspondence address 9 card crypto infinet1 109

infinet1 crypto map peer set 9 10.5.254.14

infinet1 crypto map peer set 9 10.5.1.205

infinet1 card crypto 9 set transform-set mumroset1

infinet1 card crypto ipsec-isakmp 10

correspondence address 10 card crypto infinet1 110

infinet1 card crypto 10 peers set 10.5.254.10

infinet1 card crypto 10 set transform-set mumroset1

11 infinet1 of ipsec-isakmp crypto map

correspondence address 11 card crypto infinet1 111

infinet1 11 crypto map set peer 10.1.254.54

card crypto infinet1 11 set transform-set mumroset1

12 infinet1 of ipsec-isakmp crypto map

correspondence address 12 card crypto infinet1 112

card crypto infinet1 12 set peer 10.36.254.26

card crypto infinet1 12 set transform-set mumroset1

13 infinet1 of ipsec-isakmp crypto map

correspondence address 13 card crypto infinet1 113

<--- more="" ---="">

crypto infinet1 13 card set peer 10.1.254.58

card crypto infinet1 13 set transform-set mumroset1

14 infinet1 of ipsec-isakmp crypto map

correspondence address 14 card crypto infinet1 114

infinet1 14 crypto map set peer 10.5.254.26

infinet1 14 crypto map set peer 10.5.254.29

card crypto infinet1 14 set transform-set mumroset1

15 infinet1 of ipsec-isakmp crypto map

correspondence address 15 card crypto infinet1 115

crypto infinet1 15 card set peer 10.51.254.21

crypto infinet1 15 card set peer 10.51.254.18

card crypto infinet1 15 set transform-set mumroset

16 infinet1 of ipsec-isakmp crypto map

correspondence address 16 card crypto infinet1 198

infinet1 16 crypto map set peer 10.1.254.46

card crypto infinet1 16 set transform-set mumroset1

17 infinet1 of ipsec-isakmp crypto map

correspondence address 17 card crypto infinet1 117

infinet1 17 crypto map set peer 10.2.254.6

card crypto infinet1 17 set transform-set mumroset1

<--- more="" ---="">

18 infinet1 ipsec-isakmp crypto map

correspondence address 18 card crypto infinet1 118

infinet1 18 crypto map set peer 10.36.254.17

infinet1 18 crypto map set peer 10.36.254.14

infinet1 18 crypto map set peer 10.36.254.21

card crypto infinet1 18 set transform-set mumroset1

19 infinet1 of ipsec-isakmp crypto map

correspondence address 19 card crypto infinet1 119

infinet1 19 crypto map set peer 10.36.254.30

infinet1 19 crypto map set peer 10.36.254.37

card crypto infinet1 19 set transform-set mumroset1

20 infinet1 of ipsec-isakmp crypto map

correspondence address 20 card crypto infinet1 120

crypto infinet1 20 card set peer 10.51.254.6

crypto infinet1 20 card set peer 10.51.254.13

card crypto infinet1 20 set transform-set mumroset1

21 infinet1 of ipsec-isakmp crypto map

correspondence address 21 card crypto infinet1 121

infinet1 21 crypto map set peer 10.5.254.6

infinet1 21 crypto map set peer 10.5.254.21

<--- more="" ---="">

infinet1 21 crypto map set peer 10.5.254.25

card crypto infinet1 21 set transform-set mumroset1

22 infinet1 of ipsec-isakmp crypto map

correspondence address 22 card crypto infinet1 122

crypto infinet1 22 card set peer 10.51.254.10

card crypto infinet1 22 set transform-set mumroset1

23 infinet1 of ipsec-isakmp crypto map

correspondence address 23 card crypto infinet1 123

infinet1 23 crypto map set peer 10.1.254.114

infinet1 23 crypto map set peer 10.1.254.110

card crypto infinet1 23 set transform-set mumroset1

24 infinet1 of ipsec-isakmp crypto map

correspondence address 24 card crypto infinet1 124

card crypto infinet1 24 set peer 10.1.254.117

card crypto infinet1 24 set peer 10.1.254.125

card crypto infinet1 24 set peer 10.1.254.121

card crypto infinet1 24 set peer 10.1.254.161

card crypto infinet1 24 set peer 10.1.254.157

card crypto infinet1 24 set peer 10.1.254.113

card crypto infinet1 24 set peer 10.1.254.145

<--- more="" ---="">

card crypto infinet1 24 set peer 10.1.254.141

card crypto infinet1 24 set transform-set mumroset1

25 infinet1 of ipsec-isakmp crypto map

correspondence address 25 card crypto infinet1 125

infinet1 25 crypto map set peer 10.1.254.142

infinet1 25 crypto map set peer 10.1.254.138

card crypto infinet1 25 set transform-set mumroset1

26 infinet1 of ipsec-isakmp crypto map

correspondence address 26 card crypto infinet1 126

infinet1 26 crypto map set peer 10.1.254.150

infinet1 26 crypto map set peer 10.1.254.162

card crypto infinet1 26 set transform-set mumroset1

27 infinet1 of ipsec-isakmp crypto map

address for correspondence 27 card crypto infinet1 197

infinet1 27 crypto map set peer 10.1.254.130

infinet1 27 crypto map set peer 10.1.254.118

infinet1 27 crypto map set peer 10.1.254.126

infinet1 27 crypto map set peer 10.1.254.153

card crypto infinet1 27 set transform-set mumroset1

28 infinet1 of ipsec-isakmp crypto map

<--- more="" ---="">

address for correspondence 28 card crypto infinet1 128

crypto infinet1 28 card set peer 10.1.254.146

crypto infinet1 28 card set peer 10.1.254.137

card crypto infinet1 28 set transform-set mumroset1

30 infinet1 of ipsec-isakmp crypto map

correspondence address 30 card crypto infinet1 130

crypto infinet1 30 card set peer 10.27.254.49

card crypto infinet1 30 set transform-set mumroset1

31 infinet1 of ipsec-isakmp crypto map

correspondence address 31 card crypto infinet1 191

infinet1 31 crypto map set peer 10.27.254.45

card crypto infinet1 31 set transform-set mumroset1

32 infinet1 of ipsec-isakmp crypto map

correspondence address 32 card crypto infinet1 132

crypto infinet1 32 card set peer 10.24.1.60

card crypto infinet1 32 set transform-set mumroset1

34 infinet1 ipsec-isakmp crypto map

correspondence address 34 card crypto infinet1 134

infinet1 34 crypto map set peer 10.1.254.154

infinet1 34 crypto map set peer 10.1.254.158

<--- more="" ---="">

card crypto infinet1 34 set transform-set mumroset1

35 infinet1 ipsec-isakmp crypto map

correspondence address 35 card crypto infinet1 135

infinet1 35 crypto map set peer 10.51.254.38

card crypto infinet1 35 set transform-set mumroset1

36 infinet1 of ipsec-isakmp crypto map

correspondence address 36 card crypto infinet1 136

infinet1 36 crypto map set peer 10.1.254.26

infinet1 36 crypto map set peer 10.1.254.29

infinet1 36 crypto map set peer 10.51.254.34

card crypto infinet1 36 set transform-set mumroset1

37 infinet1 ipsec-isakmp crypto map

correspondence address 37 card crypto 137 infinet1

infinet1 37 crypto map set peer 10.51.254.30

infinet1 37 crypto map set peer 10.51.254.14

infinet1 37 crypto map set peer 10.51.254.17

card crypto infinet1 37 set transform-set mumroset1

38 infinet1 ipsec-isakmp crypto map

correspondence address 38 card crypto 138 infinet1

infinet1 38 crypto map set peer 10.51.254.46

<--- more="" ---="">

card crypto infinet1 38 set transform-set mumroset1

39 infinet1 of ipsec-isakmp crypto map

correspondence address 39 card crypto 139 infinet1

infinet1 39 crypto map set peer 10.5.254.33

infinet1 39 crypto map set peer 10.5.254.30

card crypto infinet1 39 set transform-set mumroset1

40 infinet1 of ipsec-isakmp crypto map

correspondence address 40 card crypto infinet1 140

infinet1 40 crypto map set peer 10.5.254.18

infinet1 40 crypto map set peer 10.5.254.22

card crypto infinet1 40 set transform-set mumroset1

infinet1 interface card crypto outside

ISAKMP allows outside

ISAKMP key * address 10.36.254.10 netmask 255.255.255.255

ISAKMP key * address 10.36.254.6 netmask 255.255.255.255

ISAKMP key * address 10.36.254.13 netmask 255.255.255.255

ISAKMP key * address 10.1.254.18 netmask 255.255.255.255

ISAKMP key * address 10.1.254.21 netmask 255.255.255.255

ISAKMP key * address 10.5.254.5 netmask 255.255.255.255

ISAKMP key * address 10.36.254.41 netmask 255.255.255.255

<--- more="" ---="">

ISAKMP key * address 10.36.254.22 netmask 255.255.255.255

ISAKMP key * address 10.51.254.33 netmask 255.255.255.255

ISAKMP key * address 10.51.254.26 netmask 255.255.255.255

ISAKMP key * address 10.51.254.42 netmask 255.255.255.255

ISAKMP key * address 10.1.254.74 netmask 255.255.255.255

ISAKMP key * address 10.36.254.34 netmask 255.255.255.255

ISAKMP key * address 10.36.254.38 netmask 255.255.255.255

ISAKMP key * address 10.5.254.14 netmask 255.255.255.255

ISAKMP key * address 10.5.254.10 netmask 255.255.255.255

ISAKMP key * address 10.1.254.54 netmask 255.255.255.255

ISAKMP key * address 10.36.254.26 netmask 255.255.255.255

ISAKMP key * address 10.1.254.58 netmask 255.255.255.255

ISAKMP key * address 10.5.254.26 netmask 255.255.255.255

ISAKMP key * address 10.5.254.29 netmask 255.255.255.255

ISAKMP key * address 10.1.254.46 netmask 255.255.255.255

ISAKMP key * address 10.2.254.6 netmask 255.255.255.255

ISAKMP key * address 10.36.254.17 netmask 255.255.255.255

ISAKMP key * address 10.36.254.14 netmask 255.255.255.255

ISAKMP key * address 10.36.254.21 netmask 255.255.255.255

ISAKMP key * address 10.36.254.30 netmask 255.255.255.255

<--- more="" ---="">

ISAKMP key * address 10.36.254.37 netmask 255.255.255.255

ISAKMP key * address 10.51.254.6 netmask 255.255.255.255

ISAKMP key * address 10.51.254.13 netmask 255.255.255.255

ISAKMP key * address 10.5.254.6 netmask 255.255.255.255

ISAKMP key * address 10.5.254.21 netmask 255.255.255.255

ISAKMP key * address 10.5.254.25 netmask 255.255.255.255

ISAKMP key * address 10.51.254.10 netmask 255.255.255.255

ISAKMP key * address 10.1.254.114 netmask 255.255.255.255

ISAKMP key * address 10.1.254.117 netmask 255.255.255.255

ISAKMP key * address 10.1.254.125 netmask 255.255.255.255

ISAKMP key * address 10.1.254.121 netmask 255.255.255.255

ISAKMP key * address 10.1.254.161 netmask 255.255.255.255

ISAKMP key * address 10.1.254.157 netmask 255.255.255.255

ISAKMP key * address 10.1.254.113 netmask 255.255.255.255

ISAKMP key * address 10.1.254.145 netmask 255.255.255.255

ISAKMP key * address 10.1.254.141 netmask 255.255.255.255

ISAKMP key * address 10.1.254.142 netmask 255.255.255.255

ISAKMP key * address 10.1.254.138 netmask 255.255.255.255

ISAKMP key * address 10.1.254.150 netmask 255.255.255.255

ISAKMP key * address 10.1.254.162 netmask 255.255.255.255

<--- more="" ---="">

ISAKMP key * address 10.1.254.130 netmask 255.255.255.255

ISAKMP key * address 10.1.254.118 netmask 255.255.255.255

ISAKMP key * address 10.1.254.126 netmask 255.255.255.255

ISAKMP key * address 10.1.254.153 netmask 255.255.255.255

ISAKMP key * address 10.1.254.146 netmask 255.255.255.255

ISAKMP key * address 10.1.254.137 netmask 255.255.255.255

ISAKMP key * address 10.27.254.49 netmask 255.255.255.255

ISAKMP key * address 10.27.254.45 netmask 255.255.255.255

ISAKMP key * address 10.24.1.60 netmask 255.255.255.255

ISAKMP key * address 10.1.254.154 netmask 255.255.255.255

ISAKMP key * address 10.1.254.158 netmask 255.255.255.255

ISAKMP key * address 10.51.254.38 netmask 255.255.255.255

ISAKMP key * address 10.1.254.26 netmask 255.255.255.255

ISAKMP key * address 10.1.254.29 netmask 255.255.255.255

ISAKMP key * address 10.51.254.34 netmask 255.255.255.255

ISAKMP key * address 10.51.254.30 netmask 255.255.255.255

ISAKMP key * address 10.51.254.14 netmask 255.255.255.255

ISAKMP key * address 10.51.254.17 netmask 255.255.255.255

ISAKMP key * address 10.51.254.46 netmask 255.255.255.255

ISAKMP key * address 10.5.254.33 netmask 255.255.255.255

<--- more="" ---="">

ISAKMP key * address 10.5.254.30 netmask 255.255.255.255

ISAKMP key * address 10.5.254.18 netmask 255.255.255.255

ISAKMP key * address 10.5.254.22 netmask 255.255.255.255

ISAKMP key * address 10.1.254.110 netmask 255.255.255.255

ISAKMP key * address 10.5.1.205 netmask 255.255.255.255

ISAKMP key * address 10.51.254.21 netmask 255.255.255.255

ISAKMP key * address 10.51.254.18 netmask 255.255.255.255

part of pre authentication ISAKMP policy 18

encryption of ISAKMP policy 18

ISAKMP policy 18 sha hash

18 1 ISAKMP policy group

ISAKMP duration strategy of life 18 86400

Telnet 172.16.0.0 255.255.0.0 inside

Telnet 172.16.0.0 255.255.0.0 failover

Telnet timeout 10

SSH timeout 5

Terminal width 80

Cryptochecksum:c7d3741007174e40b59a5b4e3c86fea7

PIX520 #.

The fact that you have:

> permitted connection ipsec sysopt

in your config file means that any IPSec packet is allowed in and ignores all the normal safety rules. You can delete this order, but you will then need to add a bunch of lines to your acl_out ACL to ensure that ISAKMP (UDP 500) and IPSec (IP prot 50) are allowed in each peer IPSec individual, more add incoming versions of all your ACL crypto.

PIX 515e no packets not transmitted on the web

What is the problem with my config?

PIX Version 6.1 (3)

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the encrypted password of XXXXXXXXX

passwd encrypted XXXXXXXXXXX

hostname wall

XXXXXX.com domain name

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol 2000 skinny

names of

name 192.168.100.2 DC

access-list 100 permit icmp any any echo response

access-list 100 permit icmp any one time exceed

access-list 100 permit everything all unreachable icmp

frominisde list access permit tcp any any eq www

frominisde list access permit tcp any any eq smtp

inside ip access list allow a whole

access the inside to allow tcp a whole list

access the inside to allow udp a whole list

access-list internal permit tcp any any eq www

pager lines 24

opening of session

host of logging inside the 192.168.100.14

interface ethernet0 10full

interface ethernet1 10full

Outside 1500 MTU

Within 1500 MTU

IP address outside 68.XX. XX. XX 255.255.255.248

IP address inside 192.168.100.250 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

location of PDM DC 255.255.255.255 inside

location of PDM 192.168.100.14 255.255.255.255 inside

location of PDM 192.168.100.252 255.255.255.255 inside

location of PDM 192.168.200.0 255.255.255.255 inside

location of PDM 192.168.100.0 255.255.255.255 inside

PDM location 68.XX. XX. XX 255.255.255.255 outside

location of PDM 192.168.100.250 255.255.255.255 inside

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0 192.168.100.0 255.255.255.0 0 0

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

Access-group 100 in external interface

RIP inside the default version 1

Route outside 0.0.0.0 0.0.0.0 68.157.126.233 1

Timeout xlate 03:00

Timeout conn 0 half-closed 01:00:10: 00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 TR

p 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

Enable http server

http 192.168.100.14 255.255.255.255 inside

http 192.168.100.0 255.255.255.0 inside

http 192.168.100.252 255.255.255.255 inside

http 192.168.200.0 255.255.255.255 inside

http 192.168.100.0 255.255.255.255 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

No sysopt route dnat

vpngroup idle 1800 distance-time

Telnet 192.168.100.252 255.255.255.255 inside

Telnet 192.168.100.0 255.255.255.0 inside

Telnet 192.168.200.0 255.255.255.255 inside

Telnet timeout 10

SSH timeout 5

Wall (config) #.

Delete this line and it should work:

NAT (inside) 0 192.168.100.0 255.255.255.0 0 0

This line indicates the pix does not translate (nat 0) the source address of the packets from the pix, originating for the 192.168.100.0 network. You should only use the command nat 0 in VPN configs.

Kind regards

Tom

PIX-to-router VPN static-to-dynamic

Dear friends,

I'm trying to configure an IPSec tunnel between a router IOS and a PIX v7.0. I've seen some URL pointing here for a configuration example. However, this example only covers the v6.x PIX version, is not not helpful to resolve my case.

My situation is that the router connects to a DSL provider and obtain a dynamic IP address and my PIX device has a static (Leased line) connection to the Internet. So, I have to establish the tunnel using preshared keys.

How to make using v7.x on the PIX?

Appreciate the help,

Mauricio

Mauricio,

Here is an example for version 7.0 of PIX a tunnel L2L dynamic.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

You must create a dynamic encryption card, and use the tunnel defaultL2L-group for pre-shared key settings.

The rate of this post, if that helps.

See you soon

Gilbert

Unable to connect to PDM on PIX 501

just cannot understand this. I have a PIX 501 I used to connect very well. Now I can't get the PDM to come up inside, outside, nothing. I use the same (old) of JAVA 1.4 version I always used. I can Telnet etc... Very well. The HTTP server is enabled and have granted access from my IP address. Any help would be greatly appreciated. See my config below.

See the pixfirewall # running
: Saved
:
6.3 (5) PIX version
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate 8Ry2YjIyt7RRXU24 encrypted password
passwd encrypted XXXXXXXX
pixfirewall hostname
domain ciscopix.com
clock timezone IS - 5
clock to summer time EDT recurring
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 X 0
fixup protocol h323 ras X 18 - X 19
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
name admin_subnet X.X.X.X
inside_outbound_nat0_acl X.X.X.X 255.255.255.0 ip access list allow admin_
subnet 255.255.0.0
inside_outbound_nat0_acl X.X.X.X 255.255.255.0 ip access list allow X.X
. X.X 255.255.255.0
outside_cryptomap_20 X.X.X.X 255.255.255.0 ip access list permit admin_subn
and 255.255.0.0
outside_cryptomap_20 X.X.X.X 255.255.255.0 ip access list allow X.X.X
. X 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
IP outside X.X.X.X 255.255.255.128
inside X.X.X.X 255.255.255.0 IP address
alarm action IP verification of information
alarm action attack IP audit
PDM location admin_subnet 255.255.0.0 outside
location of PDM X.X.X.X 255.255.255.0 inside
PDM location x.x.x.x 255.255.255.255 outside
location of PDM X.X.X.X 255.255.255.0 outside
location of PDM X.X.X.X 255.255.255.255 outside
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
AAA authentication enable LOCAL console
AAA authentication http LOCAL console
LOCAL AAA authentication serial console
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
Enable http server
http X.X.X.X 255.255.255.0 inside
http admin_subnet 255.255.0.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
outside_map 20 ipsec-isakmp crypto map
card crypto outside_map 20 match address outside_cryptomap_20
card crypto outside_map pfs set 20 group2
card crypto outside_map 20 game peers X.X.X.X
outside_map crypto 20 card value transform-set ESP-AES-256-SHA
outside_map interface card crypto outside
ISAKMP allows outside
ISAKMP key * address X.X.X.X 255.255.255.255 netmask No.-xauth non - co
Nfig-mode
part of pre authentication ISAKMP policy 20
ISAKMP policy 20 aes-256 encryption
ISAKMP policy 20 chopping sha
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 8 X 00
Telnet X.X.X.X 255.255.255.0 outside
Telnet X.X.X.X 255.255.255.0 inside
Telnet admin_subnet 255.255.0.0 inside
Telnet timeout 30
ssh X.X.X.X 255.255.255.255 outside
X.X.X.X 255.255.255.0 inside SSH
SSH timeout 30
management-access inside
Console timeout 30
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
username password XXXXXX XXXXXXXXXXX encrypted privilege 15
Terminal width 80
Cryptochecksum:
: end

Hello Mark,

lol Nice to know that everything works fine now

Don't forget to mark it as answered and to classify the useful messages (if you don't know how to evaluate a message just to get to the bottom of each answer and mark 1 being a wrong answer, being a great answer 5 stars)

Kind regards

Julio

PD: Some kudos for you (because of the answer)

Help with Cisco PIX 506th

I need help setting up a Cisco PIX 506th Version 6.3 (5)

I use the PDM to configure the device, because I don't know enough of CLI. I want to just the simplest of configurations.

Here is what is happening, I set up then I hang the Interface 1 to my laptop and use DHCP to get an ip address, but I can't get out to the internet like that. Thanks PDM tools, I can ping outside the IPS very well.

6.3 (5) PIX version
interface ethernet0 car
Auto interface ethernet1
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the encrypted password of DkreNA9TaOYv27T8
c4EBnG8v5uKhu.PA encrypted passwd
hostname EWMS-PIX-630
domain ciscopix.com
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
object-group service udp test
port-object eq isakmp
inside_access_in ip access list allow a whole
access-list inside_access_in allow a tcp
access-list inside_access_in allow icmp a whole
Allow Access-list inside_access_in esp a whole
inside_access_in tcp allowed access list all eq www everything
inside_outbound_nat0_acl list of permitted access interface ip inside 10.10.10.96 255.255.255.240
inside_outbound_nat0_acl ip access list allow any 10.10.10.192 255.255.255.224
pager lines 24
timestamp of the record
recording of debug trap
host of logging inside the 10.10.10.13
Outside 1500 MTU
Within 1500 MTU
IP outdoor 75.146.94.109 255.255.255.248
IP address inside 10.10.10.250 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
location of PDM 10.10.10.1 255.255.255.255 inside
location of PDM 10.10.10.13 255.255.255.255 inside
location of PDM 10.10.10.253 255.255.255.255 inside
location of PDM 75.146.94.105 255.255.255.255 inside
location of PDM 75.146.94.106 255.255.255.255 inside
location of PDM 10.10.10.96 255.255.255.240 outside
location of PDM 10.10.10.192 255.255.255.224 outside
PDM logging 100 information
history of PDM activate
ARP timeout 14400
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 0 0.0.0.0 0.0.0.0 0 0
inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 75.146.94.110 1
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-RADIUS (inside) host 10.10.10.1 server timeout 10
AAA-server local LOCAL Protocol
Enable http server
http 10.10.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
ISAKMP allows outside
ISAKMP peer ip 206.196.18.227 No.-xauth No.-config-mode
ISAKMP nat-traversal 20
ISAKMP policy 20 authentication rsa - sig
encryption of ISAKMP policy 20
ISAKMP policy 20 md5 hash
20 1 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
part of pre authentication ISAKMP policy 40
encryption of ISAKMP policy 40
ISAKMP policy 40 md5 hash
40 2 ISAKMP policy group
ISAKMP duration strategy of life 40 86400
ISAKMP policy 60 authentication rsa - sig
encryption of ISAKMP policy 60
ISAKMP policy 60 md5 hash
60 2 ISAKMP policy group
ISAKMP strategy life 60 86400
Telnet 10.10.10.0 255.255.255.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 10.10.10.2 - 10.10.10.5 inside
dhcpd dns 68.87.72.130
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd allow inside
btork encrypted Ww3clvi.ynWeGweE privilege 15 password username
vpnclient Server 10.10.10.1
vpnclient-mode client mode
vpnclient GroupA vpngroup password *.
vpnclient username btork password *.
Terminal width 80
Cryptochecksum:5ef06e69c17b6128e1778e988d1b9f5d
: end
[OK]

any HEP would be appreciated.

Brian

Brian

NAT is your problem, IE.

NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 0 0.0.0.0 0.0.0.0 0 0

presumanly first NAT is fot your good VPN that acl looks a little funny, what exactly are you doing with that?

The second NAT is the real problem but for outgoing internet access - the NAT statement, you said not NAT one of your addresses 10.10.10.x which is a problem as 10.x.x.x address is not routable on the Internet.

You must change this setting IE. -

(1) remove the second NAT statement IE. "no nat (inside) 0 0.0.0.0 0.0.0.0.

(2) add a new statement of NAT - ' nat (inside) 1 0.0.0.0 0.0.0.0.

(3) add a corresponding statement global - global (outside) 1 interface.

This will be PAT all your 10.10.10.x to external IP addresses.

Apologies, but these are some CLI commands that I don't use PDM.

Jon

PIX 501 with public several IP addresses

Hi all

I have the following configuration:

audience of 6 IP addresses, for example: 123.123.123.1 - 6 255.255.255.248

My provider, I have a Zyxel modem which has the 123.123.123.1 IP address, which is also the default gateway for my PIX.

The PIX is connected to a modem Zyxel.

The external interface of the PIX, 123.123.123.2 and the inside interface 192.168.1.1 255.255.255.0

At my home I have several client computers and network servers 3.

Client computers must be able to connect to the internet.

Server should have the public IP 123.123.123.3 and 192.168.52.3 inside

Server B must have public IP 123.123.123.4 and 192.168.52.4 inside

Server C must have public IP 123.123.123.5 and 192.168.52.5 inside

Server 3 are Web servers and should be accessible from the outside on ports 80 and 443.

My current setup is:

See the pixfirewall (config) # executes
: Saved
:
6.3 (5) PIX version
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the encrypted password
encrypted passwd
pixfirewall hostname
domain ciscopix.com
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
object-group service tcp web
port-object eq www
EQ object of the https port
OUTSIDE of the ip access list allow any host 123.123.123.3
pager lines 24
Outside 1500 MTU
Within 1500 MTU
IP outdoor 123.123.123.2 255.255.255.248
IP address inside 192.168.1.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
location of PDM 192.168.1.0 255.255.255.0 inside
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside, outside) tcp 123.123.123.3 www 192.168.1.3 www netmask 255.255.255.255 0 0
Access-group OUTSIDE in interface outside
Route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Telnet 192.168.1.0 255.255.255.0 inside
Telnet 192.168.2.0 255.255.255.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
Terminal width 80
: end
pixfirewall (config) #.

This acutally configuration only allows connections from the inside to the outside but not from the outside to connect to the server.

I'm sure miss me something stupid, maybe someone could give me a hint?

Mike

Setup looks quite right, assuming that you only test connectivity to Server A (123.123.123.3) as it is the only one configured.

I suggest that you make 'clear xlate' and 'clear the arp' and test again. I would check to see if your modem has the ARP entry for 123.123.123.3 and it should point to the ethernet0 PIX MAC address.

PIX 515E and remote access VPN

I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.

I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.

Any help is appreciated,

Hello

Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

PIX of Pix VPN easy - Almost there... Need help :(

I spent countless hours now implementing a VPN Pix Pix. I thought I would post this in the hope that someone could help me.

I can get my Pix 501 to open a tunnel to the 506th Pix. These are both on different ISPS.

I can ping from the Pix to the Pix 501 console 506e inside the IP Interface.

I can ping from the console of the 506th Pix to the Pix 501 inside the IP Interface.

I cannot ping hosts either pix beyond the inside interface.

With the active 7 recording console, I have the following error when ping to the host 172.16.54.5 from the console on the Pix 501.

305005: any group not found for icmp src, dst outside translation: 100.1.1.10 inside: 172.16.54.5 (type 8, code 0)

For reasons of confidentiality, I changed the IP addresses and passwords.

PIX506e outside (isps1): 200.1.1.10
Isps1 Gateway: 200.1.1.1

PIX501 outdoors (PSI): 100.1.1.10
ISP2 Gateway: 100.1.1.1

Here is my configuration:

506th PIX (server)
----------------------------------------------
6.3 (5) PIX version
interface ethernet0 car
Auto interface ethernet1
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the password * encrypted
passwd * encrypted
hostname VPNServer
mydomain.com domain name
clock timezone CST - 6
clock to summer time recurring CDT
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list 101 permit icmp any one
IP 172.16.54.0 allow Access - list SHEEP 255.255.255.0 192.168.6.0 255.255.255.0
access-list ip 192.168.6.0 SHEEP allow 255.255.255.0 172.16.54.0 255.255.255.0
access-list 110 permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 110 permit ip 192.168.6.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 110 permit ip 100.1.1.10 host 172.16.2.0 255.255.255.0
pager lines 24
opening of session
Outside 1500 MTU
Within 1500 MTU
IP outdoor 200.1.1.10 255.255.255.128
IP address inside 172.16.54.5 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool vpnpool 172.16.54.201 - 172.16.54.210
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Access-group 110 in the interface inside
Route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
Route inside 172.16.2.0 255.255.255.0 172.16.54.254 1
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto-map dynamic dynmap 10 transform-set RIGHT
map mymap 10-isakmp ipsec crypto dynamic dynmap
client authentication card crypto LOCAL mymap
mymap outside crypto map interface
ISAKMP allows outside
ISAKMP identity address
ISAKMP nat-traversal 20
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 3des encryption
ISAKMP policy 10 md5 hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
vpngroup address vpnpool pool mygroup
vpngroup mygroup 172.16.2.1 dns server
vpngroup mygroup by default-domain mydomain.com
vpngroup idle time 1800 mygroup
mygroup vpngroup password *.
vpngroup idle-idle time 1800
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 0.0.0.0 0.0.0.0 inside
SSH timeout 5
management-access inside
Console timeout 0
VPDN username myuser password *.
VPDN allow outside
password username myuser * encrypted privilege 2
Terminal width 80
----------------------------------------------

PIX 501 (Client)
----------------------------------------------
6.3 (5) PIX version
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the password * encrypted
passwd * encrypted
vpnclient hostname
mydomain.com domain name
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 17
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list 100 permit icmp any one
pager lines 24
opening of session
monitor debug logging
Outside 1500 MTU
Within 1500 MTU
external IP 100.1.1.10 255.255.255.0
IP address inside 192.168.6.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Access-group 100 in external interface
Route outside 0.0.0.0 0.0.0.0 100.1.1.1 1
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
http 0.0.0.0 0.0.0.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Telnet 192.168.6.0 255.255.255.0 inside
Telnet timeout 30
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 0.0.0.0 0.0.0.0 inside
SSH timeout 30
management-access inside
Console timeout 0
dhcpd address 192.168.6.20 - 192.168.6.200 inside
dhcpd dns 172.16.2.1 172.16.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd allow inside
vpnclient Server 200.1.1.10
vpnclient mode network-extension-mode
vpnclient mygroup vpngroup password *.
vpnclient username myuser password *.
vpnclient enable
Terminal width 80
----------------------------------------------

assuming that you want to send traffic between the subnet 172.16.54.0/24 and 192.168.6.0/24 in the tunnel.

1 ip local pool vpnpool 172.16.54.201 - 172.16.54.210< please="" use="" ip="" in="" a="" different="" subnet.="" current="" ip="" is="" in="" the="" same="" subnet="" as="" inside="">

' 2. you have not 'need' ip 192.168.6.0 allow access-list SHEEP 255.255.255.0 172.16.54.0 255.255.255.0.

3. do not 501 directly ping, ping from a host behind 501 in subnet 192.168.6.0/24

ACL for PIX 6.3.1

Below is my list access I have an IP 211.181.198.201 on the Internet trying to access my web server frequently to me it not reliable I don't want this IP 211.181.198.201 access my web server, in any case, I applied the last statement the last statement will be effective. I assume that in the first statement will allow any host even this IP 211.181.198.201 access my web server, how can I block it please advice.

access-list 101 permit tcp any host xxx.187.66.197 eq www

access-list 101 permit udp any host xxx.187.66.195 EQ field

access-list 101 permit tcp any host xxx.187.66.198 eq www

access-list 101 deny host ip 211.181.198.201 all

If you want to block the 211.181.198.201 host access a server behind your PIX you put this before permit statements!

example:

access-list 101 deny host ip 211.181.198.201 all

access-list 101 permit tcp any host xxx.187.66.197 eq www

access-list 101 permit udp any host xxx.187.66.195 EQ field

access-list 101 permit tcp any host xxx.187.66.198 eq www

Depending on your OS PIX version that you just can add an access list entry on the statement line n"I think 6.3.3 introduced this feature.

Syntax:

[No] access-list [line] can't refuse | permit

| - Group of objects

| interface | object-group

[[] | object-group]

| interface | object-group

[[] | object-group]

[Log [disable | default] |] [] [interval]]

example:

No list access 101 don't deny ip host 211.181.198.201 all

access-list 101 deny ip host to line 1 211.181.198.201 all

Do a "clear xlate" if necessary! Ensure that resets all communications.

sincerely

Patrick

LT2P on PIX Version 7

Similar Questions

Maybe you are looking for