On PIX 501 6.3 intermittent Internet access (5)
Hello
I have a problem of access to the Internet from the local network behind a PIX 501. It worked for months, but suddenly, I discovered that Internet access is intermittent. Internet access works for about 10-15 minutes and then goes down. When I reboot the firewall or disable ARP Internet works again. I turn on debugging with 'debug arp' and I get an error message "arp-in: Dropping request outside the unsolicited nonadjacent ROUTEOUTSIDE 0002.cf69.50cf for 82.x.137.x 0000.0000.0000»
Any ideas on what could be the problem?
Thank you for your help.
Kind regards.
Hello, Couple of things to check.
You have ICMP permitted on the external interface of the PIX. If so, can ask you someone to ping from the internet to the external IP address.
When they ping, can you unplug the external interface and see if they receive a response in return.
If so, then there is a problem with the access provider. They could give your IP address to another person.
If this isn't the issue, then you open a TAC case and resolve this problem.
See you soon,.
Gilbert
The rate of this post, if that helps.
Tags: Cisco Security
Similar Questions
-
Intermittent internet access?
Using a rogers wireless plant, works very well for 30 minutes about then cannot access internet unless I re - start the hub. Message "Windows... political Firewall may need to be adjusted." How can I do this, have you tried touobleshooter without success. After re-booting of the hub it will work well for topic another 30 min. hard plugged into the hub.
Hi Dakdude,
· What store did you try?
· You did changes to the computer before the show?
I suggest you temporarily disable the antivirus software (and other security such as anti-malware software, etc.) and the firewall on the computer and see if that fixes the problem.
If disabling the antivirus/firewall resolves the issue, you may need to configure the settings of the antivirus as a result program. Please contact the software vendor for assistance in this regard.
Note: Make sure that you enable the antivirus software, other security and firewall after the test programs.
Warning: Antivirus software can help protect your computer against viruses and other security threats. In most cases, you should not disable your antivirus software. If you need to disable temporarily to install other software, you must reactivate as soon as you are finished. If you are connected to the Internet or a network, while your antivirus software is disabled, your computer is vulnerable to attacks.
Let us know the results.
-
Cisco PIX 501 to Cisco 3005 concentrator via remote access
Hello people,
I need your help.
We got a Cisco PIX 501 in one place and this pix is configured for pppoe connection. The pix connects to internet via the pppoe client. an official ip address ping works well.
So what I want to do is to establish a tunnel von between this pix and a cisco 3005 concentrator.
But I failed to establish it.
Here are the pix config. the acl? s are only for the test and will be replaced if it works.
6.3 (4) version PIX
interface ethernet0 10baset
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the password xxx
passwd xxx
hostname PIX - to THE
domain araukraine.ua
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
outside ip access list allow a whole
inside_access_in ip access list allow a whole
pager lines 24
opening of session
Monitor logging warnings
logging warnings put in buffered memory
MTU outside 1456
MTU inside 1456
IP address outside pppoe setroute
IP address inside 192.168.x.x 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
PDM location 192.168.x.x 255.255.255.224 inside
forest warnings of PDM 500
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
outside access-group in external interface
inside_access_in access to the interface inside group
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
the ssh LOCAL console AAA authentication
Enable http server
255.255.x.x 192.168.x.x http inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
255.255.x.x telnet inside 192.168.x.x
Telnet timeout 5
SSH 194.39.97.0 255.255.255.0 outside
SSH timeout 5
management-access inside
Console timeout 0
VPDN group pppoe_group request dialout pppoe
VPDN group pppoe_group localname [email protected] / * /
VPDN group ppp authentication pap pppoe_group
VPDN username [email protected] / * / password *.
encrypted privilege 15
vpnclient Server 212.xx.xx.xx
vpnclient mode network-extension-mode
vpntest vpngroup vpnclient password *.
vpnclient username pixtest password *.
Terminal width 80
the hub, I created a user pixtest, a group vpntest and I? ve created the rules of the network for example to what server, users behind the pix will be able to access.
And that? s all.
I couldn't send you exit pix or hub because I don't have an error or a message that the tunnel will be established.
What can be wrong?
Thanks for the replies
This configuration example shows how to create an IPsec tunnel to a computer that is running the Client VPN Cisco's (4.x and later versions) to a Cisco VPN concentrator 3000 to allow the user to safely access the network inside the VPN concentrator.
-
IPSec VPN pix 501 no LAN access
I'm trying to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet, but I am unable to ping or you connect to all devices in the Remote LAN. Here is my config:
: Saved
:
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
nameif ethernet0 WAN security0
nameif ethernet1 LAN security99
enable encrypted password xxxxxxxxxxxxx
xxxxxxxxxxxxxxxxx encrypted passwd
host name snowball
domain xxxxxxxxxxxx.local
clock timezone PST - 8
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
No fixup not protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
acl_in list of access permit udp any any eq field
acl_in list of access permit udp any eq field all
acl_in list access permit tcp any any eq field
acl_in tcp allowed access list any domain eq everything
acl_in list access permit icmp any any echo response
access-list acl_in allow icmp all once exceed
acl_in list all permitted access all unreachable icmp
acl_in list access permit tcp any any eq ssh
acl_in list access permit tcp any any eq www
acl_in tcp allowed access list everything all https eq
acl_in list access permit tcp any host 192.168.5.30 eq 81
acl_in list access permit tcp any host 192.168.5.30 eq 8081
acl_in list access permit tcp any host 192.168.5.22 eq 8081
acl_in list access permit icmp any any echo
access-list acl_in permit tcp host 76.248.x.x a
access-list acl_in permit tcp host 76.248.x.x a
allow udp host 76.248.x.x one Access-list acl_in
access-list acl_out permit icmp any one
ip access list acl_out permit a whole
acl_out list access permit icmp any any echo response
acl_out list access permit icmp any any source-quench
allowed any access list acl_out all unreachable icmp
access-list acl_out permit icmp any once exceed
acl_out list access permit icmp any any echo
Allow Access-list no. - nat icmp a whole
access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0
access-list no. - nat ip 172.16.0.0 allow 255.255.0.0 any
access-list no. - nat permit icmp any any echo response
access-list no. - nat permit icmp any any source-quench
access-list no. - nat icmp permitted all all inaccessible
access-list no. - nat allow icmp all once exceed
access-list no. - nat permit icmp any any echo
pager lines 24
MTU 1500 WAN
MTU 1500 LAN
IP address WAN 65.74.x.x 255.255.255.240
address 192.168.5.1 LAN IP 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool pptppool 172.16.0.2 - 172.16.0.13
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global (WAN) 1 interface
NAT (LAN) - access list 0 no - nat
NAT (LAN) 1 0.0.0.0 0.0.0.0 0 0
static (LAN, WAN) 65.x.x.37 192.168.5.10 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.36 192.168.5.20 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.38 192.168.5.30 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.39 192.168.5.40 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.42 192.168.5.22 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.43 192.168.5.45 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.44 192.168.5.41 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.45 192.168.5.42 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.46 192.168.5.44 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.41 192.168.5.21 netmask 255.255.255.255 0 0
acl_in access to the WAN interface group
access to the LAN interface group acl_out
Route WAN 0.0.0.0 0.0.0.0 65.x.x.34 1
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
NTP server 72.14.188.195 source WAN
survey of 76.248.x.x WAN host SNMP Server
location of Server SNMP Sacramento
SNMP Server contact [email protected] / * /
SNMP-Server Community xxxxxxxxxxxxx
SNMP-Server enable traps
enable floodguard
the string 1 WAN fragment
Permitted connection ipsec sysopt
Sysopt connection permit-pptp
Crypto ipsec transform-set esp - esp-md5-hmac RIGHT
Crypto-map dynamic dynmap 10 transform-set RIGHT
map mymap 10-isakmp ipsec crypto dynamic dynmap
client configuration address map mymap crypto initiate
client configuration address map mymap crypto answer
card crypto mymap WAN interface
ISAKMP enable WAN
ISAKMP nat-traversal 20
part of pre authentication ISAKMP policy 10
encryption of ISAKMP policy 10
ISAKMP policy 10 md5 hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
vpngroup myvpn address pptppool pool
vpngroup myvpn Server dns 192.168.5.44
vpngroup myvpn by default-field xxxxxxxxx.local
vpngroup split myvpn No. - nat tunnel
vpngroup idle 1800 myvpn-time
vpngroup myvpn password *.
Telnet 192.168.5.0 255.255.255.0 LAN
Telnet timeout 5
SSH 192.168.5.0 255.255.255.0 LAN
SSH timeout 30
Console timeout 0
VPDN group pptpusers accept dialin pptp
VPDN group ppp authentication pap pptpusers
VPDN group ppp authentication chap pptpusers
VPDN group ppp mschap authentication pptpusers
VPDN group ppp encryption mppe 128 pptpusers
VPDN group pptpusers client configuration address local pptppool
VPDN group pptpusers customer 192.168.5.44 dns configuration
VPDN group pptpusers pptp echo 60
VPDN group customer pptpusers of local authentication
VPDN username password xxx *.
VPDN username password xxx *.
VPDN enable WAN
dhcpd address 192.168.5.200 - 192.168.5.220 LAN
dhcpd 192.168.5.44 dns 8.8.8.8
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable LAN
username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx
username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx
Terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxx
: end
I'm sure it has something to do with NAT or an access list, but I can't understand it at all. I know it's a basic question, but I would really appreaciate help!Thank you very muchTrevor"No. - nat' ACL doesn't seem correct, please make sure you want to remove the following text:
do not allow any No. - nat icmp access list a whole
No No. - nat ip 172.16.0.0 access list allow 255.255.0.0 any
No No. - nat access list permit icmp any any echo response
No No. - nat access list permit icmp any any source-quench
No No. - nat access list permit all all unreachable icmp
No No. - nat access list do not allow icmp all once exceed
No No. - nat access list only allowed icmp no echo
You must have 1 line as follows:
access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0
Please 'clear xlate' after the changes described above.
In addition, if you have a personal firewall enabled on the host you are trying to connect from the Client VPN, please turn it off and try again. Personal firewall of Windows normally blocks the traffic of different subnets.
Hope that helps.
-
Termination of the client PIX VPN and Internet access from the same interface
Hello
VPN remote users connect to PIX (7.2) outside interface, but need to have these clients to access the Internet through the PIX outside interface as well. Need this because PIX IPs is registered and allowed access to some electronic libraries. One way would be to set up a proxy within the network and vpn users have access to the Internet through the proxy, but can it be done without proxy?
Yes, public internet on a stick
-
VPN site-to-site between two PIX 501 with Client VPN access
Site A and site B are connected with VPN Site to Site between two PIX 501.
Also, site A is configured for remote access VPN client. If a remote client connects to Site A, it can only get access to the LAN of Site A, it cannot access anything whatsoever behind PIX on Site B.
How is that possible for a VPN client connected to Site A to Site B?
Thank you very much.
Alex
Bad and worse news:
Bad: Not running the 7.0 series PIX cannot route traffic on the same interface, the traffic is recived. Version 7.0 solves this ipsec traffic.
Even worse: PIX 501 can not be upgraded to 7.0...
A couple of things to think about would be the upgrade to hardware that can run the new IOS or allowing a VPN R.A. on site B.
HTH Please assess whether this is the case.
Thank you
-
PIX 501 to allow access to the ftp server
Hello
We have a public ip address of the pix 501 and the other, I want to access the ftp server on the internal network from the outside. I tried to configure the PDM by a static nat, which translate to the address of the FTP to the public address, but then none of the stations networks could out - how can I configure it?
I would also like to know what ports should I open on the acl for access to the ftp server.
Thank you, daguech
Yes, sorry... You must use the unique host for addresses command. The access list is applied to your external interface?
for example, the command would be:
Access-group acl_out in interface outside
Also, can you connect to the local ftp server behind a firewall?
-
PIX 501 and pcAnywhere access rules
Hello
I'm having a problem with the implementation of pcANywhere remote access Access 2 servers on the inside network. I created 2 static rules and access lists 2 to start, but I can't get thru to the server. These are the settings
static (inside, outside) 7x.x.x.x 5631 172.16.x.x tcp 5631 255.255.255.255
static (inside, outside) udp 7x.x.x.x 172.16.x.x 5632 5632 255.255.255.255
list of allowed inbound tcp access any host 172.16.x.x eq 5631
list of allowed inbound udp access any host 172.16.x.x eq 5632
Access-group interface incoming outside
Version 6.3 of the PIX using
I also tried access server list terminal server because another method of access, but not go either.
There are no other rules.
Any ideas why this would not work?
TIA
Vince
your external ACL must mention the public IP address of your server:
list of allowed inbound tcp access any host 7x.x.x.x eq 5631
list of allowed inbound udp access any host 7x.x.x.x eq 5632
-
Help the PIX 501 - cannot access startup.html
I'm new to the network and has received a job to configure the PIX 501 firewall.
The fact is:
We use IP table rules as a firewall on a linux machine. My pc is connected to a switch. So I use the yellow network cable to connect the port of the Pix 501 0 to the port in the switch. Then I disconnect my pc of swich cable and plug into the port of the Pix 501 1.
My pc is to use a static ip address before. I try to change to automatically get an IP address, but it will not work. So I changed the setting and use the IP address originally. Pop up message network connection icon says that the local connection is enabled. But when I try to ping 192.168.1.1, request time-out. Also I can't acess the https://192.168.1.1/startup.html.
I have a look at Books Online cisco and shootings of disorder, but most of them talk about the configuration or more advance features. I'm still on the very basic level to try to connect to the firewall.
I hope someone can help me. All ideas and questions are welcome. Thank you.
Your IP address should be fine. You do not want to have the PIX connected to your local network, even if you have the Linux firewall as well as this will cause a conflict. Keep the PIX the LAN for now. Your DNS configuration will have no effect because the url you are trying to reach is based on the IP address and not the domain name if your PC has nothing to look for.
You have to check the cable that you use - if your PIX has only an 'inside' interface, then you must use a crossover cable. If he has four so it's built in switch for a straight cable will be fine. Is what PIX model?
After checking the cable - see if you can console in the firewall - use the blue cable that came with the PIX and set up a connection (hyper terminal) terminal with the help of 9600, 8, no 1. If you can console and then you can stick in a basic configuration you can get.
-
Connectivity random Cisco Pix 501
Hello. I'm having some trouble with my CISCO PIX 501 Setup.
A few months I started having random disconnects on my network (from inside to outside). The machines can ping the DC or the Pix, but impossible to surf the internet. The only way to make them go outside is a reboot of Pix.
My configuration is:
-----------
See the ACE - pix config (config) #.
: Saved
: Written by enable_15 at 09:23:07.033 UTC Tuesday, June 3, 2014
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate 8Ry34retyt7RR564 encrypted password
2fvbbfgdI.2KUOU encrypted passwd
hostname as pix
domain as.local
fixup protocol dns-length maximum 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list acl_out permit icmp any one
ip access list acl_out permit a whole
access-list acl_out permit tcp any one
Allow Access-list outside_access_in esp a whole
outside_access_in list access permit udp any eq isakmp everything
outside_access_in list of access permit udp any eq 1701 all
outside_access_in list of access permit udp any eq 4500 all
outside_access_in ip access list allow a whole
pager lines 24
Outside 1500 MTU
Within 1500 MTU
outside 10.10.10.2 IP address 255.255.255.0
IP address inside 192.168.100.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
history of PDM activate
ARP timeout 14400
Global 1 10.10.10.8 - 10.10.10.254 (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Access-group outside_access_in in interface outside
access to the interface inside group acl_out
Route outside 0.0.0.0 0.0.0.0 10.10.10.1 0
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
Enable http server
http 192.168.10.2 255.255.255.255 inside
http 192.168.10.101 255.255.255.255 inside
http 192.168.100.2 255.255.255.255 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
ISAKMP nat-traversal 20
Telnet timeout 5
SSH 192.168.10.101 255.255.255.255 inside
SSH timeout 60
Console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd outside auto_config
Terminal width 80
Cryptochecksum:7f9bda5e534eaeb1328ab08a3c4d28a
------------Do you have any advice? I don't get what's wrong with my setup.
My DC is 192.168.100.2 and the network mask is 255.255.255.0
The network configuration is configured to set the IP of the gateway to 192.168.100.1 (i.e. the PIX 501).
I have about 50 + peers on the internal network.
Any help is apprecciate.
Hello
You have a license for 50 users +?
After the release of - Show version
RES
Paul
-
PAT on IPSEC VPN (Pix 501)
Hello
I work to connect a PIX 501 VPN for a 3rd party hub 3015. The hub requires all traffic to come from a single source IP address. This IP address is assigned to me as z.z.z.z. I have successfully built the VPN and tested by mapping staticly internal IP with the IP address assigned, but cannot get the orders right to do with PAT in order to have more than one computer on the subnet 10.x.x.0. This Pix is also a backup for internet routing and NAT work currently as well for this.
I can redirect traffic to my subnet to the remote subnet via the VPN, but I can't seem to get the right stuff PAT to the VPN using the assigned IP address. If anyone can give me some advice that would be great.
lines of current config interesting configuration with static mapping:
--------------------------------------------------------------------------
access-list 101 permit ip 10.0.0.0 255.255.255.0 y.y.y.0 255.255.255.0
access-list 102 permit ip y.y.y.0 255.255.255.0 z.z.z.z host
access-list 103 allow host ip y.y.y.0 255.255.255.0 z.z.z.z
IP address outside w.w.w.1 255.255.255.248
IP address inside 10.0.0.1 255.255.255.0
Global 1 interface (outside)
NAT (inside) - 0 102 access list
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
public static z.z.z.z (Interior, exterior) 10.x.x.50 netmask 255.255.255.255 0 0
Route outside 0.0.0.0 0.0.0.0 w.w.w.2 1
correspondence address card crypto mymap 10 103
mymap outside crypto map interface
ISAKMP allows outside
Thank you!
Dave
Dave,
(1) get rid of static electricity. Use more Global/NAT. The static method will create a permanent
translation for your guests inside and they will always be this way natted. Use
NAT of politics, on the contrary, as shown here:
not static (inside, outside) z.z.z.z 10.x.x.50 netmask 255.255.255.255 0 0
Global (outside) 2 z.z.z.z netmask 255.255.255.255
(Inside) NAT 2-list of access 101
(2) the statement, "nat (inside) access 0 2' list will prevent nat of your valuable traffic."
Delete this because you need to nat 2 nat/global card. (as a general rule, simply you
If you terminate VPN clients on your device and do not want inside the traffic which
is intended for the vpn clients to be natted on the external interface).
(3) with the instructions of Global/nat 2, all traffic destined for the remote network will be first
translated into z.z.z.z. Then your card crypto using the ACL 103 will encrypt all traffic which
sources of z.z.z.z for y.y.y.0 24. This translation wil happen only when traffic is destined for the vpn.
I hope this helps. I have this work on many tunnels as you describe.
Jamison
-
Newbie Pix 501 HTTP authentication timeout
two issues here:
1. users that connect to the Internet through the Pix 501 ask about every three minutes to enter their user name and password. There must be a setting to change this, my dealer said there is no.
2. users that connect to the Internet, the first time have their IE session. By clicking Stop and then refresh or House brings to the top of the page. Any ideas.
Thanks in advance for any ideas you may have
Jeff Charland
Jeff,
First rule is to never trust your seller on technical issues;). Your dealer is wrong. You can indeed change the moment where a user is re - you are prompted to enter their credentials. There are basically 2 parameters, you need to know about the pix regarding delays of authentication:
(1) the inactivity timer. It's just like that. It expires an authenticated session via the PIX to hit X amount of time without all the traffic. The default timer on the PIX for this setting is 0, which means that we are no period of inactivity by the user (by default) monitor.
(2) the absoltue timer. Again, is to noise. This timer starts as soon as the user is authenticated and works continuously. When the time is reached, the user is obliged to to re-authenticate when they try to start a new connection (for example, by clicking a link in a web page). The default setting for the absolute timer is 5 minutes.
We recommend that you do not keep an absolute clock set for security purposes, but for ease of access, you can change these settings. Something like that would not be a 'off the wall' setting:
timeout uauth 01:00 absolute uauth 0: idle from 10:00
These settings will force the user to to re-authenticate every hour (absolute) or every 10 minutes after the connection becomes inactive.
And finally, no idea about #2 above. It happens with all users. Anyone who has tried to Netscape to see if it is a question only IE?
Scott
-
PIX 501 for Cisco 3640 VPN router
-Start ciscomoderator note - the following message has been changed to remove potentially sensitive information. Please refrain from publishing confidential information about the site to reduce the risk to the security of your network. -end of the note ciscomoderator-
Have a 501 PIX and Cisco 3640 router. The 3640 is configured for dynamic map for VPN. The PIX 501 is set to pointing to the 3640 router static map. I can establish a tunnel linking the PIX to the router and telnet to a machine AIX on the inside network to the router. When I try to print on the network of the PIX 501 inside it fails.
What Miss me? I added the configuration for the PIX and the router.
Here are the PIX config:
PIX Version 6.1 (1)
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
enable encrypted password xxxxxxxxxxxxxxxx
xxxxxxxxxxxxx encrypted passwd
pixfirewall hostname
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol 2000 skinny
names of
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
Outside 1500 MTU
Within 1500 MTU
IP address outside dhcp setroute
IP address inside 192.168.1.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
No sysopt route dnat
Telnet timeout 5
SSH timeout 5
dhcpd address 192.168.1.2 - 192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd outside auto_config
dhcpd allow inside
Terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXX
: end
Here is the router config
Router #sh runn
Building configuration...
Current configuration: 6500 bytes
!
version 12.2
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime localtime
Log service timestamps datetime localtime
no password encryption service
!
router host name
!
start the flash slot1:c3640 - ik9o3s - mz.122 - 16.bin system
queue logging limit 100
activate the password xxxxxxxxxxxxxxxxx
!
clock TimeZone Central - 6
clock summer-time recurring CENTRAL
IP subnet zero
no ip source route
!
!
no ip domain-lookup
!
no ip bootp Server
inspect the name smtp Internet IP
inspect the name Internet ftp IP
inspect the name Internet tftp IP
inspect the IP udp Internet name
inspect the tcp IP Internet name
inspect the name DMZ smtp IP
inspect the name ftp DMZ IP
inspect the name DMZ tftp IP
inspect the name DMZ udp IP
inspect the name DMZ tcp IP
audit of IP notify Journal
Max-events of po verification IP 100
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 20
BA 3des
preshared authentication
Group 2
ISAKMP crypto key address x.x.180.133 xxxxxxxxxxx
ISAKMP crypto keys xxxxxxxxxxx address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpn test
Crypto ipsec transform-set esp-3des esp-sha-hmac PIXRMT
!
dynamic-map crypto dny - Sai 25
game of transformation-PIXRMT
match static address PIX1
!
!
static-card 10 map ipsec-isakmp crypto
the value of x.x.180.133 peer
the transform-set vpn-test value
match static address of Hunt
!
map ISCMAP 15-isakmp ipsec crypto dynamic dny - isc
!
call the rsvp-sync
!
!
!
controller T1 0/0
framing ESF
linecode b8zs
Slots 1-12 channels-group 0 64 speed
Description controller to the remote frame relay
!
controller T1 0/1
framing ESF
linecode b8zs
Timeslots 1-24 of channel-group 0 64 speed
Description controller for internet link SBIS
!
interface Serial0/0:0
Description CKT ID 14.HXGK.785129 Frame Relay to Remote Sites
bandwidth 768
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0 / point to point 0:0.17
Description Frame Relay to xxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 17 frame relay interface
!
interface Serial0 / point to point 0:0.18
Description Frame Relay to xxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 18 frame relay interface
!
interface Serial0 / point to point 0:0.19
Description Frame Relay to xxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 19 frame relay interface
!
interface Serial0 / point to point 0:0.20
Description Frame Relay to xxxxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 20 frame relay interface
!
interface Serial0 / point to point 0:0.21
Description Frame Relay to xxxxxxxxxxxx
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 21 frame relay interface
!
interface Serial0 / point to point 0:0.101
Description Frame Relay to xxxxxxxxxxx
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 101 frame relay interface
!
interface Serial0/1:0
CKT ID 14.HCGS.785383 T1 to ITT description
bandwidth 1536
IP address x.x.76.14 255.255.255.252
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
inspect the Internet IP on
no ip route cache
card crypto ISCMAP
!
interface Ethernet1/0
IP 10.1.1.1 255.255.0.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
no ip route cache
no ip mroute-cache
Half duplex
!
interface Ethernet2/0
IP 10.100.1.1 255.255.0.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
no ip route cache
no ip mroute-cache
Half duplex
!
router RIP
10.0.0.0 network
network 192.168.1.0
!
IP nat inside source list 112 interface Serial0/1: 0 overload
IP nat inside source static tcp 10.1.3.4 443 209.184.71.138 443 extensible
IP nat inside source static tcp 10.1.3.4 9869 209.184.71.138 9869 extensible
IP nat inside source 10.1.3.2 static 209.184.71.140
IP nat inside source static 10.1.3.6 209.184.71.139
IP nat inside source static 10.1.3.8 209.184.71.136
IP nat inside source static tcp 10.1.3.10 80 209.184.71.137 80 extensible
IP classless
IP route 0.0.0.0 0.0.0.0 x.x.76.13
IP route 10.2.0.0 255.255.0.0 Serial0 / 0:0.19
IP route 10.3.0.0 255.255.0.0 Serial0 / 0:0.18
IP route 10.4.0.0 255.255.0.0 Serial0 / 0:0.17
IP route 10.5.0.0 255.255.0.0 Serial0 / 0:0.20
IP route 10.6.0.0 255.255.0.0 Serial0 / 0:0.21
IP route 10.7.0.0 255.255.0.0 Serial0 / 0:0.101
no ip address of the http server
!
!
PIX1 static extended IP access list
IP 10.1.0.0 allow 0.0.255.255 192.168.1.0 0.0.0.255
IP access-list extended hunting-static
IP 10.1.0.0 allow 0.0.255.255 192.168.1.0 0.0.0.255
extended IP access vpn-static list
ip permit 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
IP 192.0.0.0 allow 0.255.255.255 10.1.0.0 0.0.255.255
access-list 1 refuse 10.0.0.0 0.255.255.255
access-list 1 permit one
access-list 12 refuse 10.1.3.2
access-list 12 allow 10.1.0.0 0.0.255.255
access-list 12 allow 10.2.0.0 0.0.255.255
access-list 12 allow 10.3.0.0 0.0.255.255
access-list 12 allow 10.4.0.0 0.0.255.255
access-list 12 allow 10.5.0.0 0.0.255.255
access-list 12 allow 10.6.0.0 0.0.255.255
access-list 12 allow 10.7.0.0 0.0.255.255
access-list 112 deny ip host 10.1.3.2 everything
access-list 112 refuse ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 112 allow ip 10.1.0.0 0.0.255.255 everything
access-list 112 allow ip 10.2.0.0 0.0.255.255 everything
access-list 112 allow ip 10.3.0.0 0.0.255.255 everything
access-list 112 allow ip 10.4.0.0 0.0.255.255 everything
access-list 112 allow ip 10.5.0.0 0.0.255.255 everything
access-list 112 allow ip 10.6.0.0 0.0.255.255 everything
access-list 112 allow ip 10.7.0.0 0.0.255.255 everything
access-list 120 allow ip host 10.100.1.10 10.1.3.7
not run cdp
!
Dial-peer cor custom
!
!
!
!
connection of the banner ^ CCC
******************************************************************
WARNING - Unauthorized USE strictly PROHIBITED!
******************************************************************
^ C
!
Line con 0
line to 0
password xxxxxxxxxxxx
local connection
Modem InOut
StopBits 1
FlowControl hardware
line vty 0 4
exec-timeout 15 0
password xxxxxxxxxxxxxx
opening of session
!
end
Router #.
Add the following to the PIX:
> permitted connection ipsec sysopt
This indicates the PIX around all ACLs for IPsec traffic. Now that your IPSec traffic is still subject to the standard rules of PIX, so launched inside the traffic is allowed to go in, but off-initiated traffic is not.
-
Place a FIOS for VPN router behind PIX 501
I have a Verizon FIOS internet connection and one of their routers wide wireless broadband, and this is a configuration of base completely... their router DHCP and firewalls, and the connection has a dynamic address. I would put the PIX 501 behind the Verizon router as one of its clients and make the VPN PIX of other PIX 501 at other locations, such as my entire network has access to remote networks.
Is this possible, and if yes, any who could some suggest configurations (how to address internal and external, static routes ports that may be required somewhere, etc.)?
Thanks for any help.
When installing my FiOS, I had already asked that it be installed on the Ethernet cable. Don't know they need to do something for you to spend the coax to Ethernet.
The best way to test it would be to find the Media Converter (follow the coaxial cable between your FiOS router to the demarc and there should be a box with a coaxial port, some phone Sockets and an Ethernet port). If you unplug the coaxial cable and plug a laptop computer on the Ethernet port, see if your laptop takes a public IP address. If Yes, then you just have to run to your PIX501 Ethernet cable and you should be ready.
Just to note that Verizon, according to your region, reserved DHCP assignments. This means that you may need to call Verizon and ask them to release the previous assignment of DHCP-MAC addresses. I had this happen recently. They must release the assignment then your PIX will pull a new IP address and they will book your new IP - MAC address assignment. They do this to speed up the connection to a cold start time on the router.
Basically, they are filtering by MAC address, but rather through a sticky ARP where they clear the entry, and then the next device that connects records his MAC address and then only that device is permitted to connect to this leg of the cable. So there is a bit of work you have to do, but the most difficult part would be sitting on hold waiting for a tech, if you call to Verizon.
-
I can not configure a pix 501 as a firewall, I need to know if it comes with a default configuration. I connect the PIX of the LAN and it start´s to DHCP each machine on the network with no problem, but none of the user´s can access the internet.
I need to know what to do to get access to internet protection and network security.
Where can I go to configure the Pix, if I really need to configure it!
Hi... basically, you need the following basic steps to access your internal users to the internet
If you use 6.3 (5) PIX
interface ethernet0 100full
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
inside_access_in ip access list allow a whole
inside_access_in access to the interface inside group
NAT (inside) 1 access-list inside_access_in
Global 1 interface (outside)
NOTE: with the config ablove room your internal users will have FULL access to the internet. If you want to restrict access to only http, https, ftp, dns, etc then you need to change the access list for something like that...
inside_access_in list access permit tcp any any eq www
inside_access_in list access permit tcp any any eq 443
inside_access_in list access permit tcp any any eq ftp
inside_access_in list access permit tcp any any eq 53
inside_access_in udd allowed access list any any eq 53
I hope that helps... Rate if he does!
Maybe you are looking for
-
I have 2 computors how can I transfer my favorites from one to the other
How can I move all my favorites from one computer to another
-
Satellite L500-PSLS9A-02C012 F8 function works not
Hey guys basically I reinstalled windows 7 ultimate 32 bit on my laptop and my function key (FN) stopped working so I installed PVAT and flash card support and a few others on the Web site of Toshiba but here s my problem... When I press FN nothing a
-
Microsoft visual C ++ Runtime library R6034 An application has made an attempt to load ATL80. Incorrect DLL. For more information, contact the application support team.
-
My docs are not opening on top of previous ones.
Hi people, I don't know how or why, but I suddenly lost the default value 'new windows open on top', (paraphrase), ability. So whenever I open a folder or a document, the "thing" opens behind the one that is already open, (very irritating). I know th
-
Deleting empty folders: "Thumbs.db" - what is?
Advice on another thread I posted, I moved my photos of a large number of individual files to a folder, preferring to use the tags and other criteria to rank them in an organization "flat-file". Now I remove empty folders, those who used to store ind