Stub network through a PIX

I am trying to configure a PIX 515E to let a "stub" network access the Internet through the PIX. The stub network sits across a WAN link and uses private IP addresses. From a host on the stub network I can ping the firewall's inside address, but I cannot get across the firewall.

My main site can access the Internet through the PIX. Its hosts are 192.168.39.x/255.255.255.0 and the PIX inside address is 192.168.39.1.

The stub network is 192.168.40.x/255.255.255.0.

I use 192.168.41.x/255.255.255.0 to address the WAN side of the routers linking the main site to the stub.

Any host on 192.168.40.x should be able to reach the Internet via the PIX at 192.168.39.1.

Here is an excerpt of my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.39.1 255.255.255.0
global (outside) 30 interface
name 192.168.40.0 CRS
nat (inside) 30 192.168.39.0 255.255.255.0 0 0
nat (inside) 30 CRS 255.255.255.0 0 0
nat (inside) 30 192.168.41.0 255.255.255.0 0 0
route inside CRS 255.255.255.0 192.168.39.10 2
route inside 192.168.41.0 255.255.255.0 192.168.39.10 1

I can ping from the PIX inside interface to a host on 40.x, and from that host back to the PIX.

Any ideas?

Thank you!

JMX

Hello

Try using the nat command with the real network instead of the name "CRS":

nat (inside) 30 192.168.40.0 255.255.255.0

Does the log show anything?

To enable logging to a syslog server, use the following commands:

logging host syslogserver_ip
logging trap 7
logging on

Kind regards

Tom
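Once logging is pointed at a syslog host as Tom describes, the quickest way to confirm a missing nat/global match is to look for message 305005 ("No translation group found") and see which source subnets produce it. The script below is an added example, not part of the original thread or of PIX software: it parses the PIX 6.x syslog format (the message IDs 302013, 305005 and 106023 are real PIX IDs, but the log lines, hosts and interface names are constructed for the example) and totals 305005 hits per inside source /24, which is exactly the symptom a stub subnet with no matching nat statement would show.

```python
import re
from collections import Counter

# Constructed sample lines in the shape PIX 6.x emits when "logging trap 7"
# is sent to a syslog host. They are illustrative, not captured from the
# poster's firewall; the hosts and the "outside_in" ACL name are made up.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.39.20/3305 (198.51.100.2/1025)
%PIX-3-305005: No translation group found for tcp src inside:192.168.40.7/3306 dst outside:203.0.113.10/80
%PIX-3-305005: No translation group found for icmp src inside:192.168.40.7/0 dst outside:203.0.113.10/0
%PIX-4-106023: Deny tcp src outside:198.51.100.77/4444 dst inside:192.168.39.20/445 by access-group "outside_in"
%PIX-3-305005: No translation group found for udp src inside:192.168.40.9/1026 dst outside:203.0.113.53/53
"""

# %PIX-<severity>-<6-digit id>: <text>
MSG_RE = re.compile(r"^%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
# src/dst fields as they appear in 305005 and 106023 messages.
FLOW_RE = re.compile(
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/\d+ dst (?P<dif>\w+):(?P<dst>[\d.]+)/\d+"
)


def parse_line(line):
    """Return (severity, message_id, text), or None for a non-PIX line."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("sev")), m.group("id"), m.group("text")


def network_of(ip, prefix=24):
    """Collapse a dotted quad to its /prefix network, e.g. 192.168.40.7 -> 192.168.40.0/24."""
    octets = [int(o) for o in ip.split(".")]
    as_int = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = as_int & mask
    return "%d.%d.%d.%d/%d" % ((net >> 24) & 255, (net >> 16) & 255,
                               (net >> 8) & 255, net & 255, prefix)


def untranslated_sources(log_text):
    """Count 305005 hits per (ingress interface, source /24).

    305005 means the packet matched no nat statement for that interface, so
    a subnet that appears here but never in 302013 "Built" messages is the
    one the nat configuration is missing.
    """
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        _sev, msg_id, text = parsed
        if msg_id != "305005":
            continue
        flow = FLOW_RE.search(text)
        if flow:
            hits[(flow.group("sif"), network_of(flow.group("src")))] += 1
    return dict(hits)


def severity_histogram(log_text):
    """Severity counts; at trap level 7 the level-6 connection noise dominates."""
    hist = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            hist[parsed[0]] += 1
    return dict(hist)


if __name__ == "__main__":
    for (ifname, net), n in sorted(untranslated_sources(SAMPLE_LOG).items()):
        print("%-8s %-20s %d flows with no translation group" % (ifname, net, n))
    print(severity_histogram(SAMPLE_LOG))
```

Run against a real capture, the output pinpoints the subnet to add to the nat statement; the 192.168.39.x main-site hosts, which do have a nat entry, only ever appear in "Built" messages.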

Tags: Cisco Security

Similar Questions

  • Cannot access the internal network over VPN with a PIX 506E

    Hello

    I seem to have a problem with the configuration of my PIX. I can ping the VPN client from the in-house network, but the VPN client cannot access any resources. My running configuration is the following:

    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password N/JZnmeC2l5j3YTN encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname SwantonFw2
    domain-name **.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any any
    access-list allow_ping permit icmp any any echo-reply
    access-list allow_ping permit icmp any any unreachable
    access-list allow_ping permit icmp any any time-exceeded
    access-list INSIDE-IN permit tcp interface inside interface outside
    access-list INSIDE-IN permit udp any any eq domain
    access-list INSIDE-IN permit tcp any any eq www
    access-list INSIDE-IN permit tcp any any eq ftp
    access-list INSIDE-IN permit icmp any any echo
    access-list INSIDE-IN permit tcp any any eq https
    access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
    access-list swanton_splitTunnelAcl permit ip any any
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
    no pager
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.150 255.255.255.0
    ip address inside 192.168.0.35 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN_Pool 192.168.240.1-192.168.240.254
    pdm location 0.0.0.0 255.255.255.0 outside
    pdm location 192.168.1.26 255.255.255.255 outside
    pdm location 192.168.240.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    access-group INSIDE-IN in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup swanton address-pool VPN_Pool
    vpngroup swanton dns-server 192.168.1.1
    vpngroup swanton split-tunnel swanton_splitTunnelAcl
    vpngroup swanton idle-time 1800
    vpngroup swanton password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.0.36-192.168.0.254 inside
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username scott password hwDnqhIenLiwIr9B encrypted privilege 15
    username norm password ET3skotcnISwb3MV encrypted privilege 2
    username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
    username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
    username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
    username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
    username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
    username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
    username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
    username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
    username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
    username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
    username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
    username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
    terminal width 80
    Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
    : end
    [OK]

    Any help will be greatly appreciated

    BJ,

    Are you trying to access resources behind the inside interface?

    ip address inside 192.168.0.35 255.255.255.0

    If so, please make the following changes:

    1 - access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0

    2 - no vpngroup swanton split-tunnel swanton_splitTunnelAcl
        vpngroup swanton split-tunnel SWANTON_VPN_SPLIT

    3 - no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0

    4 - isakmp nat-traversal 30

    Let me know how it goes.

    Portu.

    Please rate all useful posts

  • Cisco PIX 501 VPN client connects but has no connection to the local network

    Hi all:

    I am able to make a VPN connection to a PIX 501. The remote client is also assigned an IP (192.168.2.1), but it is not able to access any of the machines on the local network connected to the PIX.

    I have attached the PIX configuration.

    Advice will be greatly appreciated.

    ********************

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxx
    passwd xxxxx
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.2.1-192.168.2.5
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 102
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set RIGHT esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set RIGHT
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000 address-pool ippool
    vpngroup vpn3000 dns-server 68.87.72.130
    vpngroup vpn3000 wins-server 192.168.1.100
    vpngroup vpn3000 split-tunnel 101
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:xxxx

    ****************

    The DNS server is the one assigned to me by my ISP.

    My internal network connected to the PIX is 192.168.1.1 - 192.168.1.33 and the VPN ip pool is 192.168.2.1 - 192.168.2.5

    "isakmp nat-traversal 20" may do the trick.

  • Passive routes with OSPF on the PIX

    Hello

    Having just upgraded my PIX to software v8, I am finally hoping to participate in OSPF on the network.

    The PIX has many DMZs that I want to advertise into OSPF, to remove a *lot* of fragile static routes, but of course I would *not* want to advertise or receive OSPF on those DMZs. I thought I could make these interfaces passive, or better still:

    router ospf 1
    passive-interface default

    and then exempt only the internal interface.

    However (unlike IOS), there seems to be no notion of passive interfaces in the PIX OSPF implementation, a place where I thought it would be very useful...

    How do I distribute these DMZs into OSPF without advertising OSPF into them?

    I had planned to use:

    redistribute connected subnets

    However, that redistributes things like the public Internet interface, which I don't want. In addition, even if there is a way to stop it including the public interface, it seems more prone to user error than passive-by-default with one exception.

    Any ideas? If not, can I restrict which interfaces are included in the redistributed connected subnets?

    Thanks for all the ideas!

    Hi Peter,

    Thank you, yes... I was suggesting removing the DMZ network commands under the OSPF process. As you said, it won't really do what you want with removing the statics, since it disables OSPF for that network.

    Standing up EIGRP would seem to be a lot of extra work just to eliminate the statics, if that's all it will be used for, but it would allow you to make the interface passive, which stops sending/receiving EIGRP on the specific interface.

    I just re-read your first message and I think I understand now what you're after, which goes back to your first question on redistribution... you can redistribute statics and use a route-map to control which routes you want to redistribute. You can then remove the networks for the DMZs under the router ospf process.

    Example:

    access-list ospfredist standard permit 10.10.10.0 255.255.255.0
    access-list ospfredist standard permit 192.168.10.0 255.255.255.0

    route-map static-ospf
      match ip address ospfredist

    router ospf 10
      redistribute static subnets route-map static-ospf

    This should redistribute only the statics that you listed above.

    hope this helps a bit.

    -scott

  • PIX501 client VPN - cannot access the inside network with a VPN session

    What follows is based on the config at the attached link:

    http://www.Cisco.com/en/us/Partner/Tech/tk583/TK372/technologies_configuration_example09186a008009442e.shtml

    PIX Ver 6.2(3) - VPN Client 3.3.6(A) - Windows XP client PC

    We can establish the VPN session to the PIX501, but we cannot access the private network behind the PIX.

    Here is the config. I can't determine why it does not work, and we are desperate to get this working ASAP!

    We have the same problem with client 4.0.3(C).

    Thanks in advance for any help!

    =======================================

    AKCPIX00# sh run
    : Saved
    :
    PIX Version 6.2(3)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname AKCPIX00
    domain-name domain.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    fixup protocol sip udp 5060
    names
    access-list 101 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside #.#.#.# 255.255.240.0
    ip address inside 192.168.1.5 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool akcpool 10.0.0.1-10.0.0.10
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 #.#.#.# 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set RIGHT esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set RIGHT
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup akcgroup address-pool akcpool
    vpngroup akcgroup dns-server 192.168.1.10
    vpngroup akcgroup default-domain domain.com
    vpngroup akcgroup split-tunnel 101
    vpngroup akcgroup idle-time 1800
    vpngroup akcgroup password ********
    vpngroup akc idle-time 1800
    telnet timeout 5
    ssh #.#.#.# 255.255.255.255 outside
    ssh timeout 15
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd dns 192.168.1.10
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:XXXXX
    : end
    AKCPIX00#

    Config looks good, just like mine for my local network. The only thing I can think of is that you may have entered the commands in the wrong order, meaning you could have enabled isakmp or applied the crypto map before the map configuration was complete. Write memory and then reloading the PIX is one way to reset everything. If you do not want downtime:

    crypto map mymap interface outside
    isakmp enable outside

    Entering these two commands should be enough to reset ipsec and isakmp.

  • 3 interfaces and routing on a PIX

    Hi all

    I have a PIX 515E configured with 3 interfaces: outside, inside and a Tunnel interface for my VPN clients. The VPN clients not only access the inside network, I also have to route them to other networks through the outside interface. As you cannot route IPsec packets back out the same interface they entered on, I used a separate interface for the VPN clients. The default gateway is set on the outside interface. Now the problem is that when the VPN users try to connect to the Internet, the Tunnel interface receives the traffic but does not send it back, as the default route is defined on the outside interface.

    The Tunnel interface is 192.168.32.253, and if I connect from a PC with the IP address 192.168.32.50 it works perfectly fine and also routes traffic to other networks through outside, as the PIX knows where to forward the packets. Can someone please help me solve this routing problem on the PIX.

    inside is 192.168.33.254 security 0
    outside is 192.168.34.254 security 100
    Tunnel is 192.168.32.253 security 90

    nat (inside) 0 access-list 110
    access-list 110 permit ip 192.168.33.0 255.255.255.0 any

    Thanks in advance.

    KAZ

    Unless you know which networks the clients must connect to, there may not be a solution, given that it looks like you need two default routes, one for the clients' encrypted traffic and the other for the unencrypted Internet traffic. You may be able to create a NAT pool on the router that provides Internet access to the Tunnel interface, so that all incoming client traffic is translated on that router to an address from the pool. That would make all remote clients look like they came from one subnet, so you wouldn't need a default route on the Tunnel interface of the PIX. You will probably need to make the router's Internet interface an 'ip nat inside' interface, because I don't think IOS supports dynamic NAT pools with 'ip nat outside source'. It sounds backwards, but I think it would work. You'll probably also want to use an access list or route-map with the pool, so that NAT applies only to traffic going to the PIX Tunnel interface (i.e. VPN traffic), as I'm assuming the same router provides Internet connectivity for both the outside and the Tunnel interfaces of the PIX.

    Good luck!

  • Simple PIX 501 question

    Hey guys,

    Will the integrated switch on a PIX 501 freely forward traffic between devices plugged into it, as long as they are on the same subnet? I assume the answer is yes. If so, is it possible to isolate one device from the other network traffic using the PIX only? I can't think of a way, but I'm not a PIX guru, so I figured I'd ask. Thanks a lot for any information you may be able to provide.

    Do you mean private VLANs?

    If so, then NO, it is not possible.

    There are no options at all for things like private VLANs on a PIX 501.

    Connect a switch which supports this kind of feature and connect a port of that switch to the PIX.

    sincerely

    Patrick

  • Allowing traffic between two ethernet interfaces on a PIX

    I have a PIX with an inside interface, IP 10.198.16.1. It also has an interface called WTS, IP 10.12.60.1. I'm having difficulty allowing traffic from the 10.198.16.0 network to cross the PIX into 10.12.60.0. Specifically, I'm trying to allow access to a server with the IP address 10.12.60.2.

    I have attached my config. Any help would be greatly appreciated!

    OK, so the inside interface has a security level of 100 and WTS has a security level of 75, so traffic from inside to WTS is considered outbound traffic, which is allowed by default. All you need is a nat/global pair (or a static) between the two interfaces, so that the PIX knows how to NAT traffic between them (remember, the PIX has to NAT).

    You have this in your config file:

    nat (inside) 1 10.0.0.0 255.0.0.0 0 0

    which says that all traffic on the inside interface from a 10.x.x.x IP address will be NATted, but you then need a global for the WTS interface to define what those IPs will be NATted to.

    Adding:

    global (WTS) 1 interface

    will PAT all inside addresses to the IP address of the WTS interface and allow traffic to flow between the interfaces. If you would rather have the hosts on the inside interface appear with their own IP addresses on the WTS network, then you can use a static command and NAT the addresses to themselves, so the PIX is doing NAT without actually changing the addresses:

    static (inside,WTS) 10.198.16.1 10.198.16.1 netmask 255.255.240.0

    Hope that helps.

  • Question about VPN

    When you set up a virtual private network on the PIX, you use the "ip local pool" command for the IP addresses given to clients on the "outside".

    I'm confused about these addresses. Do they need to be part of the local subnet on the inside interface of the PIX? I.e. if the inside interface subnet is 192.168.1.0, do you use a group of addresses for VPN connections such as 192.168.1.10 - 15? Or are they just a distinct group of IPs?

    Probably a basic question, but I'm still confused. Is L2TP/IPsec that much harder to get working than PPTP?

    Thanks for any clarification.

    In fact, whatever mapping you want can be done, both site-to-site and remote access. For remote access, things are much easier because you can assign DNS, WINS, etc. through your vpngroup settings. Your question is how you get remote users to access things like file or application servers. There, I think you're talking about users that VPN in, and not site-to-site? It is possible either way. But if you are referring to remote access VPN: when a user connects, just assign WINS and DNS for the remote site, and when the user is on the VPN it's as if he were sitting on that network (if no restrictions are applied to the VPN). For site-to-site, it depends on your configuration. Do you have separate Windows domains at each site? To make things easier to use, you would most likely want to replicate the WINS databases between the sites and create domain trusts. It is a more complex method to implement than the remote access method. Let me know if you need help setting this up. I have several configs saved from the past that I got working (for both the remote access and the site-to-site pieces).

  • Reaching a server on a VLAN that is not directly connected to the inside interface

    Scenario

    PIX 515

    6506 core with VLANs A, B, C (inter-VLAN routing is OK)

    VLAN C is directly connected to the inside interface of the firewall

    Question

    How could a host on the outside reach a server ServerA on VLAN A?

    Hello

    Concerning point 1, yes, if the routes required for the networks connected behind the inside interface are configured on the PIX.

    Concerning point 2, if the IP address that you use on the inside network is routable (a public IP), the command you gave will work. The command says that when the inside host 10.10.1.10 wants to go out of the network, it uses the same IP address. Because no NAT takes place, the server's real address is both the visible address and the host's address. So if the IP address you specify is not a public IP address, the outside world can't reach it.

  • IDS 4215 monitoring interface issue

    Interface int2 is connected to a 2950 switch (outside the PIX).

    Interface int3 is connected to a 2950 switch (inside the network, connected via the PIX).

    The IDS Event Viewer is finding & blocking on signatures that I have enabled, but only on interface int2. I don't see anything coming from interface int3.

    The port is enabled on the IDS & is listed in the interface group.

    Things to try:

    Check the output of 'show interfaces', wait a few minutes and re-run it.

    Check that the increase in the rx packet count on interface int3 is close to the increase in the rx packet count in the interface group statistics.

    Looking at the interface group statistics, you can see whether these packets are being seen as IP packets and, in some cases, even as TCP/UDP/ICMP.

    So see if the packet count for these protocols is increasing.

    In addition, there are lines for packets not processed because the protocol is something else. See what percentage of packets fall into this category. Normal switch management protocols appear in this category. If it is the majority of the packet count, that often indicates that the switch is not configured to correctly copy (span) packets to the sensor.

    In addition, the statistics for the group will show how many alarms were generated. You can watch to see if the number goes up.

    Check your switch and make sure that your span session is configured correctly. The span must be configured to copy traffic from the firewall as well as traffic to the firewall. If the sensor only sees traffic in one direction, it will usually not be able to monitor properly and generate alarms.

    Another thing to try is to intentionally send a test attack through your firewall. Before you send the attack you can enable iplogging for the IP address you are attacking from. Once the attack is done and the IP log is complete, you can download the IP log and see whether the packets were seen by the sensor.

  • Denying outbound traffic

    Hey all, I'm a noobie to the PIX OS.

    I read that by default, on a PIX 501, all outbound traffic is allowed. I was wondering if that could be reversed: deny all outbound traffic except for specific ports from the internal network.

    The PIX is in a small office that needs just port 80 and maybe 25. I want to reduce outgoing traffic to just what I said. Any chance of doing this without an ACL 100? I also read that the ACL is executed in the order of the config file, so if I deny all outbound traffic, will all the other ACL entries be null and void?

    Thank you for your time and patience.

    Matt

    With the help of an ACL, all traffic can be denied.

    This ACL will stop all outbound traffic:

    access-list 100 deny ip any any
    access-group 100 in interface inside

    This ACL only allows outgoing HTTP and SMTP traffic:

    access-list 100 permit tcp any any eq 80
    access-list 100 permit tcp any any eq 25
    access-group 100 in interface inside

    It is true that the ACL is evaluated in order. This ACL is the same as the first, because nothing would be disallowed. It is meant as an example and would have no real use in a production environment:

    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq 80
    access-list 100 permit tcp any any eq 25
    access-group 100 in interface inside

  • Interface redundancy/design question

    Sorry if this is a stupid question. I went through the forum and a bunch of Google searches with no joy.

    I have:

    PIX-active ---- switch-a
        |              |
    PIX-fo     ---- switch-b

    Unlikely, I know, but is it possible to configure the network/PIX to cope with the active PIX & switch-b going down at the same time?

    I was thinking of something like the backup command in IOS, to connect a network adapter of each PIX to both switches.

    Thanks for the research.

    Not a stupid question, but remember this: the commercially feasible thing to do when building fault-tolerant network solutions is to eliminate the SPOFs (single points of failure). In this design you have no single point of failure. Trying to survive two simultaneous points of failure becomes very complex, with behavior that is impossible to predict. My advice is to move on to other areas of your network where you surely still have SPOFs.  ;)

    HTH

  • Multivendor firewall question...

    Hello

    I'm trying to find out if other firewall products are better than the Cisco firewall. I've experience with the Cisco PIX, but not with other products such as Nortel, 3Com or Juniper Networks firewalls.

    On the PIX, show commands give you useful information such as the arp table, the xlate table, interface information, the static table and routing information, etc.

    So, if anyone has experience with other vendors' firewalls (Nortel, Juniper, Checkpoint), please let me know if they give similar information to the Cisco PIX.

    Thank you in advance,

    Merry Christmas and good luck for the new year.

    Help me plssss, as you know... I need the answer as soon as possible

    Yes, NetScreen firewalls can give you similar information to the PIX.

    See the following CLI samples:

    NS-> get interface ethernet1 protocol ospf
    VR: trust-vr RouterId: 212.1.1.1
    ----------------------------------
    Interface: ethernet2/1
    IpAddr: 20.20.20.20/16, OSPF: enabled, Router: enabled
    Type: Ethernet Area: 0.0.0.10 Priority: 1 Cost: 100
    Transit delay: 60s Retransmit interval: 5s Hello interval: 10s
    Router dead interval: 40s Authentication-Type: MD-5
    Authentication key: ********
    MD-5 KeyId: 1
    State: Designated Router DR: 20.20.20.20 (self) BDR: 0.0.0.0
    Neighbors:
    Neighbor Vrouter valid access list numbers (trust-vr)
    ----------------------------------------------------------------------

    NS-> set interface ethernet1 protocol ospf authentication password 12345678
    NS-> save
    NS-> set interface ethernet1 zone trust
    NS-> set interface ethernet1 ip 180.10.10.1/24
    NS-> set interface ethernet1 route
    NS-> set interface ethernet3 zone untrust
    NS-> set interface ethernet3 ip 201.10.10.1/24
    NS-> set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.10.10.2
    NS-> set address untrust dhcp_server 194.2.9.10/32
    NS-> set ike gateway dhcp_server ip 194.2.9.1 main outgoing-interface ethernet3 proposal rsa-g2-3des-sha
    NS-> set vpn to_dhcp gateway dhcp_server proposal g2-esp-3des-sha
    NS-> set interface ethernet1 dhcp relay server-name 194.2.9.10
    NS-> set interface ethernet1 dhcp relay vpn
    NS-> set policy from trust to untrust any dhcp_server dhcp-relay tunnel vpn to_dhcp
    NS-> set policy from untrust to trust dhcp_server any dhcp-relay tunnel vpn to_dhcp
    NS-> save

  • VPN hub and spoke with NAT

    Hello! I have a hub-and-spoke VPN topology that I need to configure so our customers can access it. I have 3 endpoints in this example: the VPN hub, a PIX 515e and a Linksys RV042. The hub is our parent company's site, the PIX 515e is our data center and the RV042 is at the customer's site. What I currently have is a VPN connection between our PIX 515e and the hub, and another VPN between our PIX 515e and the RV042. What I need is for the server at the client (RV042) site to talk to the hub network via our PIX 515e. I also need the traffic NATted, so that to the hub it looks like it comes from the same subnet as our PIX 515e.

    Hub (SPOKE): 10.1.6.x
    PIX 515e (HUB): 172.16.3.x
    RV042 (SPOKE): 192.168.71.x

    PIX 515e (HUB):
    Outside - 12.34.56.78
    Inside - 172.16.1.1

    Hub (SPOKE):
    Outside - 87.65.43.21
    Inside - 10.1.6.1

    RV042 (SPOKE):
    Outside - 150.150.150.150
    Inside - 192.168.71.1

    The hub allows all traffic to my PIX 515e on subnet 172.16.3.x and vice versa. The RV042 allows all traffic from 172.16.3.x to talk to 192.168.71.x and vice versa. I need to get 192.168.71.5 on the RV042 network to the 10.1.6.x hub network through the PIX 515e and make it look like it is coming from 172.16.3.71. So I need to NAT traffic from one tunnel into the other tunnel. Running config attached, with private details removed. Any help is greatly appreciated.

    On the PIX you need a policy static statement:

    access-list NAT permit ip host 192.168.71.5 10.1.6.0 255.255.255.0
    static (outside,outside) 172.16.3.71 access-list NAT

    And modify the crypto ACLs appropriately to include the NATted address.
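Two replies in this thread rest on the same mechanism: the PIX walks an access-list top to bottom and the first matching entry wins (so the `permit ip any any` in the outbound-filtering reply makes the `eq 80` and `eq 25` lines unreachable, and anything no entry matches hits the implicit deny), and a policy static only translates a flow when its access-list permits that source/destination pair. The code below is an added example written for this page, not PIX software or the posters' configuration: it parses the PIX access-list syntax used above (real subnet masks, `host`, `any`, optional `eq` port) and models both behaviours. The addresses, the small service-name table and the sample flows are constructed for the example.

```python
import ipaddress

# Model of PIX access-list evaluation (first match wins, implicit deny at the
# end) and of a policy static that uses an ACL to decide when to translate.
# Illustrative code, not the PIX implementation.

# Subset of PIX service names accepted after "eq" (assumption: only these).
SERVICE_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53, "ftp": 21}


def _parse_addr(tokens):
    """Consume one PIX address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists take a real subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]


def _parse_port(tokens):
    """Optional 'eq <number|name>'; returns (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        value = tokens[1]
        port = int(value) if value.isdigit() else SERVICE_NAMES[value]
        return port, tokens[2:]
    return None, tokens


def parse_ace(line):
    """Turn 'access-list NAME permit tcp any any eq 80' into a rule dict."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list entry: %r" % line)
    name, action, proto = tok[1], tok[2], tok[3]
    src, rest = _parse_addr(tok[4:])
    _, rest = _parse_port(rest)          # source port qualifier, not modelled
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return {"acl": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return (decision, index of the matching entry); (deny, None) = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(parse_ace(line) for line in acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], i
    return "deny", None


def policy_static(acl_lines, mapped_ip, src, dst):
    """'static (outside,outside) MAPPED access-list ACL': the source is
    rewritten to MAPPED only for flows the ACL permits; anything else keeps
    its real address (and would need its own nat/static to pass)."""
    decision, _ = evaluate(acl_lines, "ip", src, dst)
    return mapped_ip if decision == "permit" else src


# The three ACLs from the outbound-filtering reply, as written there.
DENY_ALL = ["access-list 100 deny ip any any"]
HTTP_SMTP_ONLY = ["access-list 100 permit tcp any any eq 80",
                  "access-list 100 permit tcp any any eq 25"]
PERMIT_FIRST = ["access-list 100 permit ip any any"] + HTTP_SMTP_ONLY
# The policy-NAT ACL from the hub-and-spoke reply.
SPOKE_NAT = ["access-list NAT permit ip host 192.168.71.5 10.1.6.0 255.255.255.0"]

if __name__ == "__main__":
    # Constructed flows: an inside client talking to a web server.
    print(evaluate(HTTP_SMTP_ONLY, "tcp", "10.0.0.5", "203.0.113.9", 80))
    print(evaluate(HTTP_SMTP_ONLY, "tcp", "10.0.0.5", "203.0.113.9", 443))
    print(evaluate(PERMIT_FIRST, "tcp", "10.0.0.5", "203.0.113.9", 443))
    print(policy_static(SPOKE_NAT, "172.16.3.71", "192.168.71.5", "10.1.6.20"))
    print(policy_static(SPOKE_NAT, "172.16.3.71", "192.168.71.5", "172.16.3.9"))
```

The `evaluate` return value includes the index of the entry that matched, which is the same information `show access-list` hit counters give you on the box: with `PERMIT_FIRST` every flow matches entry 0 and the two port-specific entries never increment. For the hub-and-spoke case, `policy_static` shows why the crypto ACL towards the hub has to carry 172.16.3.71 rather than 192.168.71.5: the translation happens before the packet is matched against the crypto map, but only for traffic destined to 10.1.6.0/24.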
