On PIX 501 6.3 intermittent Internet access (5)

Hello

I have a problem of access to the Internet from the local network behind a PIX 501. It worked for months, but suddenly, I discovered that Internet access is intermittent. Internet access works for about 10-15 minutes and then goes down. When I reboot the firewall or disable ARP Internet works again. I turn on debugging with 'debug arp' and I get an error message "arp-in: Dropping request outside the unsolicited nonadjacent ROUTEOUTSIDE 0002.cf69.50cf for 82.x.137.x 0000.0000.0000»

Any ideas on what could be the problem?

Thank you for your help.

Kind regards.

Hello, Couple of things to check.

You have ICMP permitted on the external interface of the PIX. If so, can ask you someone to ping from the internet to the external IP address.

When they ping, can you unplug the external interface and see if they receive a response in return.

If so, then there is a problem with the access provider. They could give your IP address to another person.

If this isn't the issue, then you open a TAC case and resolve this problem.

See you soon,.

Gilbert

The rate of this post, if that helps.

Tags: Cisco Security

Similar Questions

Intermittent internet access?

Using a rogers wireless plant, works very well for 30 minutes about then cannot access internet unless I re - start the hub. Message "Windows... political Firewall may need to be adjusted." How can I do this, have you tried touobleshooter without success. After re-booting of the hub it will work well for topic another 30 min. hard plugged into the hub.

Hi Dakdude,

· What store did you try?

· You did changes to the computer before the show?

I suggest you temporarily disable the antivirus software (and other security such as anti-malware software, etc.) and the firewall on the computer and see if that fixes the problem.

If disabling the antivirus/firewall resolves the issue, you may need to configure the settings of the antivirus as a result program. Please contact the software vendor for assistance in this regard.

Note: Make sure that you enable the antivirus software, other security and firewall after the test programs.

Warning: Antivirus software can help protect your computer against viruses and other security threats. In most cases, you should not disable your antivirus software. If you need to disable temporarily to install other software, you must reactivate as soon as you are finished. If you are connected to the Internet or a network, while your antivirus software is disabled, your computer is vulnerable to attacks.

Let us know the results.

Cisco PIX 501 to Cisco 3005 concentrator via remote access

Hello people,

I need your help.

We got a Cisco PIX 501 in one place and this pix is configured for pppoe connection. The pix connects to internet via the pppoe client. an official ip address ping works well.

So what I want to do is to establish a tunnel von between this pix and a cisco 3005 concentrator.

But I failed to establish it.

Here are the pix config. the acl? s are only for the test and will be replaced if it works.

6.3 (4) version PIX

interface ethernet0 10baset

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the password xxx

passwd xxx

hostname PIX - to THE

domain araukraine.ua

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol they 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

outside ip access list allow a whole

inside_access_in ip access list allow a whole

pager lines 24

opening of session

Monitor logging warnings

logging warnings put in buffered memory

MTU outside 1456

MTU inside 1456

IP address outside pppoe setroute

IP address inside 192.168.x.x 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

PDM location 192.168.x.x 255.255.255.224 inside

forest warnings of PDM 500

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

outside access-group in external interface

inside_access_in access to the interface inside group

Timeout xlate 0:05:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + 3 max-failed-attempts

AAA-server GANYMEDE + deadtime 10

RADIUS Protocol RADIUS AAA server

AAA-server RADIUS 3 max-failed-attempts

AAA-RADIUS deadtime 10 Server

AAA-server local LOCAL Protocol

the ssh LOCAL console AAA authentication

Enable http server

255.255.x.x 192.168.x.x http inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

255.255.x.x telnet inside 192.168.x.x

Telnet timeout 5

SSH 194.39.97.0 255.255.255.0 outside

SSH timeout 5

management-access inside

Console timeout 0

VPDN group pppoe_group request dialout pppoe

VPDN group pppoe_group localname [email protected] / * /

VPDN group ppp authentication pap pppoe_group

VPDN username [email protected] / * / password *.

encrypted privilege 15

vpnclient Server 212.xx.xx.xx

vpnclient mode network-extension-mode

vpntest vpngroup vpnclient password *.

vpnclient username pixtest password *.

Terminal width 80

the hub, I created a user pixtest, a group vpntest and I? ve created the rules of the network for example to what server, users behind the pix will be able to access.

And that? s all.

I couldn't send you exit pix or hub because I don't have an error or a message that the tunnel will be established.

What can be wrong?

Thanks for the replies

This configuration example shows how to create an IPsec tunnel to a computer that is running the Client VPN Cisco's (4.x and later versions) to a Cisco VPN concentrator 3000 to allow the user to safely access the network inside the VPN concentrator.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml

IPSec VPN pix 501 no LAN access

I'm trying to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet, but I am unable to ping or you connect to all devices in the Remote LAN. Here is my config:

: Saved

:

6.3 (3) version PIX

interface ethernet0 car

interface ethernet1 100full

nameif ethernet0 WAN security0

nameif ethernet1 LAN security99

enable encrypted password xxxxxxxxxxxxx

xxxxxxxxxxxxxxxxx encrypted passwd

host name snowball

domain xxxxxxxxxxxx.local

clock timezone PST - 8

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

No fixup not protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

acl_in list of access permit udp any any eq field

acl_in list of access permit udp any eq field all

acl_in list access permit tcp any any eq field

acl_in tcp allowed access list any domain eq everything

acl_in list access permit icmp any any echo response

access-list acl_in allow icmp all once exceed

acl_in list all permitted access all unreachable icmp

acl_in list access permit tcp any any eq ssh

acl_in list access permit tcp any any eq www

acl_in tcp allowed access list everything all https eq

acl_in list access permit tcp any host 192.168.5.30 eq 81

acl_in list access permit tcp any host 192.168.5.30 eq 8081

acl_in list access permit tcp any host 192.168.5.22 eq 8081

acl_in list access permit icmp any any echo

access-list acl_in permit tcp host 76.248.x.x a

access-list acl_in permit tcp host 76.248.x.x a

allow udp host 76.248.x.x one Access-list acl_in

access-list acl_out permit icmp any one

ip access list acl_out permit a whole

acl_out list access permit icmp any any echo response

acl_out list access permit icmp any any source-quench

allowed any access list acl_out all unreachable icmp

access-list acl_out permit icmp any once exceed

acl_out list access permit icmp any any echo

Allow Access-list no. - nat icmp a whole

access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

access-list no. - nat ip 172.16.0.0 allow 255.255.0.0 any

access-list no. - nat permit icmp any any echo response

access-list no. - nat permit icmp any any source-quench

access-list no. - nat icmp permitted all all inaccessible

access-list no. - nat allow icmp all once exceed

access-list no. - nat permit icmp any any echo

pager lines 24

MTU 1500 WAN

MTU 1500 LAN

IP address WAN 65.74.x.x 255.255.255.240

address 192.168.5.1 LAN IP 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

IP local pool pptppool 172.16.0.2 - 172.16.0.13

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global (WAN) 1 interface

NAT (LAN) - access list 0 no - nat

NAT (LAN) 1 0.0.0.0 0.0.0.0 0 0

static (LAN, WAN) 65.x.x.37 192.168.5.10 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.36 192.168.5.20 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.38 192.168.5.30 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.39 192.168.5.40 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.42 192.168.5.22 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.43 192.168.5.45 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.44 192.168.5.41 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.45 192.168.5.42 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.46 192.168.5.44 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.41 192.168.5.21 netmask 255.255.255.255 0 0

acl_in access to the WAN interface group

access to the LAN interface group acl_out

Route WAN 0.0.0.0 0.0.0.0 65.x.x.34 1

Timeout xlate 0:05:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

NTP server 72.14.188.195 source WAN

survey of 76.248.x.x WAN host SNMP Server

location of Server SNMP Sacramento

SNMP Server contact [email protected] / * /

SNMP-Server Community xxxxxxxxxxxxx

SNMP-Server enable traps

enable floodguard

the string 1 WAN fragment

Permitted connection ipsec sysopt

Sysopt connection permit-pptp

Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

Crypto-map dynamic dynmap 10 transform-set RIGHT

map mymap 10-isakmp ipsec crypto dynamic dynmap

client configuration address map mymap crypto initiate

client configuration address map mymap crypto answer

card crypto mymap WAN interface

ISAKMP enable WAN

ISAKMP nat-traversal 20

part of pre authentication ISAKMP policy 10

encryption of ISAKMP policy 10

ISAKMP policy 10 md5 hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

vpngroup myvpn address pptppool pool

vpngroup myvpn Server dns 192.168.5.44

vpngroup myvpn by default-field xxxxxxxxx.local

vpngroup split myvpn No. - nat tunnel

vpngroup idle 1800 myvpn-time

vpngroup myvpn password *.

Telnet 192.168.5.0 255.255.255.0 LAN

Telnet timeout 5

SSH 192.168.5.0 255.255.255.0 LAN

SSH timeout 30

Console timeout 0

VPDN group pptpusers accept dialin pptp

VPDN group ppp authentication pap pptpusers

VPDN group ppp authentication chap pptpusers

VPDN group ppp mschap authentication pptpusers

VPDN group ppp encryption mppe 128 pptpusers

VPDN group pptpusers client configuration address local pptppool

VPDN group pptpusers customer 192.168.5.44 dns configuration

VPDN group pptpusers pptp echo 60

VPDN group customer pptpusers of local authentication

VPDN username password xxx *.

VPDN username password xxx *.

VPDN enable WAN

dhcpd address 192.168.5.200 - 192.168.5.220 LAN

dhcpd 192.168.5.44 dns 8.8.8.8

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable LAN

username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

Terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxx

: end

I'm sure it has something to do with NAT or an access list, but I can't understand it at all. I know it's a basic question, but I would really appreaciate help!

Thank you very much

Trevor

"No. - nat' ACL doesn't seem correct, please make sure you want to remove the following text:

do not allow any No. - nat icmp access list a whole

No No. - nat ip 172.16.0.0 access list allow 255.255.0.0 any

No No. - nat access list permit icmp any any echo response

No No. - nat access list permit icmp any any source-quench

No No. - nat access list permit all all unreachable icmp

No No. - nat access list do not allow icmp all once exceed

No No. - nat access list only allowed icmp no echo

You must have 1 line as follows:

access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

Please 'clear xlate' after the changes described above.

In addition, if you have a personal firewall enabled on the host you are trying to connect from the Client VPN, please turn it off and try again. Personal firewall of Windows normally blocks the traffic of different subnets.

Hope that helps.

Termination of the client PIX VPN and Internet access from the same interface

Hello

VPN remote users connect to PIX (7.2) outside interface, but need to have these clients to access the Internet through the PIX outside interface as well. Need this because PIX IPs is registered and allowed access to some electronic libraries. One way would be to set up a proxy within the network and vpn users have access to the Internet through the proxy, but can it be done without proxy?

Yes, public internet on a stick

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

VPN site-to-site between two PIX 501 with Client VPN access

Site A and site B are connected with VPN Site to Site between two PIX 501.

Also, site A is configured for remote access VPN client. If a remote client connects to Site A, it can only get access to the LAN of Site A, it cannot access anything whatsoever behind PIX on Site B.

How is that possible for a VPN client connected to Site A to Site B?

Thank you very much.

Alex

Bad and worse news:

Bad: Not running the 7.0 series PIX cannot route traffic on the same interface, the traffic is recived. Version 7.0 solves this ipsec traffic.

Even worse: PIX 501 can not be upgraded to 7.0...

A couple of things to think about would be the upgrade to hardware that can run the new IOS or allowing a VPN R.A. on site B.

HTH Please assess whether this is the case.

Thank you

PIX 501 to allow access to the ftp server

Hello

We have a public ip address of the pix 501 and the other, I want to access the ftp server on the internal network from the outside. I tried to configure the PDM by a static nat, which translate to the address of the FTP to the public address, but then none of the stations networks could out - how can I configure it?

I would also like to know what ports should I open on the acl for access to the ftp server.

Thank you, daguech

Yes, sorry... You must use the unique host for addresses command. The access list is applied to your external interface?

for example, the command would be:

Access-group acl_out in interface outside

Also, can you connect to the local ftp server behind a firewall?

PIX 501 and pcAnywhere access rules

Hello

I'm having a problem with the implementation of pcANywhere remote access Access 2 servers on the inside network. I created 2 static rules and access lists 2 to start, but I can't get thru to the server. These are the settings

static (inside, outside) 7x.x.x.x 5631 172.16.x.x tcp 5631 255.255.255.255

static (inside, outside) udp 7x.x.x.x 172.16.x.x 5632 5632 255.255.255.255

list of allowed inbound tcp access any host 172.16.x.x eq 5631

list of allowed inbound udp access any host 172.16.x.x eq 5632

Access-group interface incoming outside

Version 6.3 of the PIX using

I also tried access server list terminal server because another method of access, but not go either.

There are no other rules.

Any ideas why this would not work?

TIA

Vince

your external ACL must mention the public IP address of your server:

list of allowed inbound tcp access any host 7x.x.x.x eq 5631

list of allowed inbound udp access any host 7x.x.x.x eq 5632

Help the PIX 501 - cannot access startup.html

I'm new to the network and has received a job to configure the PIX 501 firewall.

The fact is:

We use IP table rules as a firewall on a linux machine. My pc is connected to a switch. So I use the yellow network cable to connect the port of the Pix 501 0 to the port in the switch. Then I disconnect my pc of swich cable and plug into the port of the Pix 501 1.

My pc is to use a static ip address before. I try to change to automatically get an IP address, but it will not work. So I changed the setting and use the IP address originally. Pop up message network connection icon says that the local connection is enabled. But when I try to ping 192.168.1.1, request time-out. Also I can't acess the https://192.168.1.1/startup.html.

I have a look at Books Online cisco and shootings of disorder, but most of them talk about the configuration or more advance features. I'm still on the very basic level to try to connect to the firewall.

I hope someone can help me. All ideas and questions are welcome. Thank you.

Your IP address should be fine. You do not want to have the PIX connected to your local network, even if you have the Linux firewall as well as this will cause a conflict. Keep the PIX the LAN for now. Your DNS configuration will have no effect because the url you are trying to reach is based on the IP address and not the domain name if your PC has nothing to look for.

You have to check the cable that you use - if your PIX has only an 'inside' interface, then you must use a crossover cable. If he has four so it's built in switch for a straight cable will be fine. Is what PIX model?

After checking the cable - see if you can console in the firewall - use the blue cable that came with the PIX and set up a connection (hyper terminal) terminal with the help of 9600, 8, no 1. If you can console and then you can stick in a basic configuration you can get.

Connectivity random Cisco Pix 501

Hello. I'm having some trouble with my CISCO PIX 501 Setup.

A few months I started having random disconnects on my network (from inside to outside). The machines can ping the DC or the Pix, but impossible to surf the internet. The only way to make them go outside is a reboot of Pix.

My configuration is:

-----------

See the ACE - pix config (config) #.
: Saved
: Written by enable_15 at 09:23:07.033 UTC Tuesday, June 3, 2014
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate 8Ry34retyt7RR564 encrypted password
2fvbbfgdI.2KUOU encrypted passwd
hostname as pix
domain as.local
fixup protocol dns-length maximum 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list acl_out permit icmp any one
ip access list acl_out permit a whole
access-list acl_out permit tcp any one
Allow Access-list outside_access_in esp a whole
outside_access_in list access permit udp any eq isakmp everything
outside_access_in list of access permit udp any eq 1701 all
outside_access_in list of access permit udp any eq 4500 all
outside_access_in ip access list allow a whole
pager lines 24
Outside 1500 MTU
Within 1500 MTU
outside 10.10.10.2 IP address 255.255.255.0
IP address inside 192.168.100.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
history of PDM activate
ARP timeout 14400
Global 1 10.10.10.8 - 10.10.10.254 (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Access-group outside_access_in in interface outside
access to the interface inside group acl_out
Route outside 0.0.0.0 0.0.0.0 10.10.10.1 0
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
Enable http server
http 192.168.10.2 255.255.255.255 inside
http 192.168.10.101 255.255.255.255 inside
http 192.168.100.2 255.255.255.255 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
ISAKMP nat-traversal 20
Telnet timeout 5
SSH 192.168.10.101 255.255.255.255 inside
SSH timeout 60
Console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd outside auto_config
Terminal width 80
Cryptochecksum:7f9bda5e534eaeb1328ab08a3c4d28a
------------

Do you have any advice? I don't get what's wrong with my setup.

My DC is 192.168.100.2 and the network mask is 255.255.255.0

The network configuration is configured to set the IP of the gateway to 192.168.100.1 (i.e. the PIX 501).

I have about 50 + peers on the internal network.

Any help is apprecciate.

Hello

You have a license for 50 users +?

After the release of - Show version

RES

Paul

PAT on IPSEC VPN (Pix 501)

Hello

I work to connect a PIX 501 VPN for a 3rd party hub 3015. The hub requires all traffic to come from a single source IP address. This IP address is assigned to me as z.z.z.z. I have successfully built the VPN and tested by mapping staticly internal IP with the IP address assigned, but cannot get the orders right to do with PAT in order to have more than one computer on the subnet 10.x.x.0. This Pix is also a backup for internet routing and NAT work currently as well for this.

I can redirect traffic to my subnet to the remote subnet via the VPN, but I can't seem to get the right stuff PAT to the VPN using the assigned IP address. If anyone can give me some advice that would be great.

lines of current config interesting configuration with static mapping:

--------------------------------------------------------------------------

access-list 101 permit ip 10.0.0.0 255.255.255.0 y.y.y.0 255.255.255.0

access-list 102 permit ip y.y.y.0 255.255.255.0 z.z.z.z host

access-list 103 allow host ip y.y.y.0 255.255.255.0 z.z.z.z

IP address outside w.w.w.1 255.255.255.248

IP address inside 10.0.0.1 255.255.255.0

Global 1 interface (outside)

NAT (inside) - 0 102 access list

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

public static z.z.z.z (Interior, exterior) 10.x.x.50 netmask 255.255.255.255 0 0

Route outside 0.0.0.0 0.0.0.0 w.w.w.2 1

correspondence address card crypto mymap 10 103

mymap outside crypto map interface

ISAKMP allows outside

Thank you!

Dave

Dave,

(1) get rid of static electricity. Use more Global/NAT. The static method will create a permanent

translation for your guests inside and they will always be this way natted. Use

NAT of politics, on the contrary, as shown here:

not static (inside, outside) z.z.z.z 10.x.x.50 netmask 255.255.255.255 0 0

Global (outside) 2 z.z.z.z netmask 255.255.255.255

(Inside) NAT 2-list of access 101

(2) the statement, "nat (inside) access 0 2' list will prevent nat of your valuable traffic."

Delete this because you need to nat 2 nat/global card. (as a general rule, simply you

If you terminate VPN clients on your device and do not want inside the traffic which

is intended for the vpn clients to be natted on the external interface).

(3) with the instructions of Global/nat 2, all traffic destined for the remote network will be first

translated into z.z.z.z. Then your card crypto using the ACL 103 will encrypt all traffic which

sources of z.z.z.z for y.y.y.0 24. This translation wil happen only when traffic is destined for the vpn.

I hope this helps. I have this work on many tunnels as you describe.

Jamison

Newbie Pix 501 HTTP authentication timeout

two issues here:

1. users that connect to the Internet through the Pix 501 ask about every three minutes to enter their user name and password. There must be a setting to change this, my dealer said there is no.

2. users that connect to the Internet, the first time have their IE session. By clicking Stop and then refresh or House brings to the top of the page. Any ideas.

Thanks in advance for any ideas you may have

Jeff Charland

Jeff,

First rule is to never trust your seller on technical issues;). Your dealer is wrong. You can indeed change the moment where a user is re - you are prompted to enter their credentials. There are basically 2 parameters, you need to know about the pix regarding delays of authentication:

(1) the inactivity timer. It's just like that. It expires an authenticated session via the PIX to hit X amount of time without all the traffic. The default timer on the PIX for this setting is 0, which means that we are no period of inactivity by the user (by default) monitor.

(2) the absoltue timer. Again, is to noise. This timer starts as soon as the user is authenticated and works continuously. When the time is reached, the user is obliged to to re-authenticate when they try to start a new connection (for example, by clicking a link in a web page). The default setting for the absolute timer is 5 minutes.

We recommend that you do not keep an absolute clock set for security purposes, but for ease of access, you can change these settings. Something like that would not be a 'off the wall' setting:

timeout uauth 01:00 absolute uauth 0: idle from 10:00

These settings will force the user to to re-authenticate every hour (absolute) or every 10 minutes after the connection becomes inactive.

And finally, no idea about #2 above. It happens with all users. Anyone who has tried to Netscape to see if it is a question only IE?

Scott

PIX 501 for Cisco 3640 VPN router

-Start ciscomoderator note - the following message has been changed to remove potentially sensitive information. Please refrain from publishing confidential information about the site to reduce the risk to the security of your network. -end of the note ciscomoderator-

Have a 501 PIX and Cisco 3640 router. The 3640 is configured for dynamic map for VPN. The PIX 501 is set to pointing to the 3640 router static map. I can establish a tunnel linking the PIX to the router and telnet to a machine AIX on the inside network to the router. When I try to print on the network of the PIX 501 inside it fails.

What Miss me? I added the configuration for the PIX and the router.

Here are the PIX config:

PIX Version 6.1 (1)

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

enable encrypted password xxxxxxxxxxxxxxxx

xxxxxxxxxxxxx encrypted passwd

pixfirewall hostname

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol 2000 skinny

names of

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

Outside 1500 MTU

Within 1500 MTU

IP address outside dhcp setroute

IP address inside 192.168.1.1 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

Timeout xlate 0:05:00

Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

No sysopt route dnat

Telnet timeout 5

SSH timeout 5

dhcpd address 192.168.1.2 - 192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd outside auto_config

dhcpd allow inside

Terminal width 80

Cryptochecksum:XXXXXXXXXXXXXXXXXXX

: end

Here is the router config

Router #sh runn

Building configuration...

Current configuration: 6500 bytes

!

version 12.2

no service button

tcp KeepAlive-component snap-in service

a tcp-KeepAlive-quick service

horodateurs service debug datetime localtime

Log service timestamps datetime localtime

no password encryption service

!

router host name

!

start the flash slot1:c3640 - ik9o3s - mz.122 - 16.bin system

queue logging limit 100

activate the password xxxxxxxxxxxxxxxxx

!

clock TimeZone Central - 6

clock summer-time recurring CENTRAL

IP subnet zero

no ip source route

!

!

no ip domain-lookup

!

no ip bootp Server

inspect the name smtp Internet IP

inspect the name Internet ftp IP

inspect the name Internet tftp IP

inspect the IP udp Internet name

inspect the tcp IP Internet name

inspect the name DMZ smtp IP

inspect the name ftp DMZ IP

inspect the name DMZ tftp IP

inspect the name DMZ udp IP

inspect the name DMZ tcp IP

audit of IP notify Journal

Max-events of po verification IP 100

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

!

crypto ISAKMP policy 20

BA 3des

preshared authentication

Group 2

ISAKMP crypto key address x.x.180.133 xxxxxxxxxxx

ISAKMP crypto keys xxxxxxxxxxx address 0.0.0.0 0.0.0.0

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac vpn test

Crypto ipsec transform-set esp-3des esp-sha-hmac PIXRMT

!

dynamic-map crypto dny - Sai 25

game of transformation-PIXRMT

match static address PIX1

!

!

static-card 10 map ipsec-isakmp crypto

the value of x.x.180.133 peer

the transform-set vpn-test value

match static address of Hunt

!

map ISCMAP 15-isakmp ipsec crypto dynamic dny - isc

!

call the rsvp-sync

!

!

!

controller T1 0/0

framing ESF

linecode b8zs

Slots 1-12 channels-group 0 64 speed

Description controller to the remote frame relay

!

controller T1 0/1

framing ESF

linecode b8zs

Timeslots 1-24 of channel-group 0 64 speed

Description controller for internet link SBIS

!

interface Serial0/0:0

Description CKT ID 14.HXGK.785129 Frame Relay to Remote Sites

bandwidth 768

no ip address

no ip redirection

no ip unreachable

no ip proxy-arp

encapsulation frame-relay

frame-relay lmi-type ansi

!

interface Serial0 / point to point 0:0.17

Description Frame Relay to xxxxxxxxxxx location

IP unnumbered Ethernet1/0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

No arp frame relay

dlci 17 frame relay interface

!

interface Serial0 / point to point 0:0.18

Description Frame Relay to xxxxxxxxxxx location

IP unnumbered Ethernet1/0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

No arp frame relay

dlci 18 frame relay interface

!

interface Serial0 / point to point 0:0.19

Description Frame Relay to xxxxxxxxxxx location

IP unnumbered Ethernet1/0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

No arp frame relay

dlci 19 frame relay interface

!

interface Serial0 / point to point 0:0.20

Description Frame Relay to xxxxxxxxxxxxx location

IP unnumbered Ethernet1/0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

No arp frame relay

dlci 20 frame relay interface

!

interface Serial0 / point to point 0:0.21

Description Frame Relay to xxxxxxxxxxxx

IP unnumbered Ethernet1/0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

No arp frame relay

dlci 21 frame relay interface

!

interface Serial0 / point to point 0:0.101

Description Frame Relay to xxxxxxxxxxx

IP unnumbered Ethernet1/0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

No arp frame relay

dlci 101 frame relay interface

!

interface Serial0/1:0

CKT ID 14.HCGS.785383 T1 to ITT description

bandwidth 1536

IP address x.x.76.14 255.255.255.252

no ip redirection

no ip unreachable

no ip proxy-arp

NAT outside IP

inspect the Internet IP on

no ip route cache

card crypto ISCMAP

!

interface Ethernet1/0

IP 10.1.1.1 255.255.0.0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

no ip route cache

no ip mroute-cache

Half duplex

!

interface Ethernet2/0

IP 10.100.1.1 255.255.0.0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

no ip route cache

no ip mroute-cache

Half duplex

!

router RIP

10.0.0.0 network

network 192.168.1.0

!

IP nat inside source list 112 interface Serial0/1: 0 overload

IP nat inside source static tcp 10.1.3.4 443 209.184.71.138 443 extensible

IP nat inside source static tcp 10.1.3.4 9869 209.184.71.138 9869 extensible

IP nat inside source 10.1.3.2 static 209.184.71.140

IP nat inside source static 10.1.3.6 209.184.71.139

IP nat inside source static 10.1.3.8 209.184.71.136

IP nat inside source static tcp 10.1.3.10 80 209.184.71.137 80 extensible

IP classless

IP route 0.0.0.0 0.0.0.0 x.x.76.13

IP route 10.2.0.0 255.255.0.0 Serial0 / 0:0.19

IP route 10.3.0.0 255.255.0.0 Serial0 / 0:0.18

IP route 10.4.0.0 255.255.0.0 Serial0 / 0:0.17

IP route 10.5.0.0 255.255.0.0 Serial0 / 0:0.20

IP route 10.6.0.0 255.255.0.0 Serial0 / 0:0.21

IP route 10.7.0.0 255.255.0.0 Serial0 / 0:0.101

no ip address of the http server

!

!

PIX1 static extended IP access list

IP 10.1.0.0 allow 0.0.255.255 192.168.1.0 0.0.0.255

IP access-list extended hunting-static

IP 10.1.0.0 allow 0.0.255.255 192.168.1.0 0.0.0.255

extended IP access vpn-static list

ip permit 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255

IP 192.0.0.0 allow 0.255.255.255 10.1.0.0 0.0.255.255

access-list 1 refuse 10.0.0.0 0.255.255.255

access-list 1 permit one

access-list 12 refuse 10.1.3.2

access-list 12 allow 10.1.0.0 0.0.255.255

access-list 12 allow 10.2.0.0 0.0.255.255

access-list 12 allow 10.3.0.0 0.0.255.255

access-list 12 allow 10.4.0.0 0.0.255.255

access-list 12 allow 10.5.0.0 0.0.255.255

access-list 12 allow 10.6.0.0 0.0.255.255

access-list 12 allow 10.7.0.0 0.0.255.255

access-list 112 deny ip host 10.1.3.2 everything

access-list 112 refuse ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255

access-list 112 allow ip 10.1.0.0 0.0.255.255 everything

access-list 112 allow ip 10.2.0.0 0.0.255.255 everything

access-list 112 allow ip 10.3.0.0 0.0.255.255 everything

access-list 112 allow ip 10.4.0.0 0.0.255.255 everything

access-list 112 allow ip 10.5.0.0 0.0.255.255 everything

access-list 112 allow ip 10.6.0.0 0.0.255.255 everything

access-list 112 allow ip 10.7.0.0 0.0.255.255 everything

access-list 120 allow ip host 10.100.1.10 10.1.3.7

not run cdp

!

Dial-peer cor custom

!

!

!

!

connection of the banner ^ CCC

******************************************************************

WARNING - Unauthorized USE strictly PROHIBITED!

******************************************************************

^ C

!

Line con 0

line to 0

password xxxxxxxxxxxx

local connection

Modem InOut

StopBits 1

FlowControl hardware

line vty 0 4

exec-timeout 15 0

password xxxxxxxxxxxxxx

opening of session

!

end

Router #.

Add the following to the PIX:

> permitted connection ipsec sysopt

This indicates the PIX around all ACLs for IPsec traffic. Now that your IPSec traffic is still subject to the standard rules of PIX, so launched inside the traffic is allowed to go in, but off-initiated traffic is not.

Place a FIOS for VPN router behind PIX 501

I have a Verizon FIOS internet connection and one of their routers wide wireless broadband, and this is a configuration of base completely... their router DHCP and firewalls, and the connection has a dynamic address. I would put the PIX 501 behind the Verizon router as one of its clients and make the VPN PIX of other PIX 501 at other locations, such as my entire network has access to remote networks.

Is this possible, and if yes, any who could some suggest configurations (how to address internal and external, static routes ports that may be required somewhere, etc.)?

Thanks for any help.

When installing my FiOS, I had already asked that it be installed on the Ethernet cable. Don't know they need to do something for you to spend the coax to Ethernet.

The best way to test it would be to find the Media Converter (follow the coaxial cable between your FiOS router to the demarc and there should be a box with a coaxial port, some phone Sockets and an Ethernet port). If you unplug the coaxial cable and plug a laptop computer on the Ethernet port, see if your laptop takes a public IP address. If Yes, then you just have to run to your PIX501 Ethernet cable and you should be ready.

Just to note that Verizon, according to your region, reserved DHCP assignments. This means that you may need to call Verizon and ask them to release the previous assignment of DHCP-MAC addresses. I had this happen recently. They must release the assignment then your PIX will pull a new IP address and they will book your new IP - MAC address assignment. They do this to speed up the connection to a cold start time on the router.

Basically, they are filtering by MAC address, but rather through a sticky ARP where they clear the entry, and then the next device that connects records his MAC address and then only that device is permitted to connect to this leg of the cable. So there is a bit of work you have to do, but the most difficult part would be sitting on hold waiting for a tech, if you call to Verizon.

Pix 501 problem

I can not configure a pix 501 as a firewall, I need to know if it comes with a default configuration. I connect the PIX of the LAN and it start´s to DHCP each machine on the network with no problem, but none of the user´s can access the internet.

I need to know what to do to get access to internet protection and network security.

Where can I go to configure the Pix, if I really need to configure it!

Hi... basically, you need the following basic steps to access your internal users to the internet

If you use 6.3 (5) PIX

interface ethernet0 100full

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

inside_access_in ip access list allow a whole

inside_access_in access to the interface inside group

NAT (inside) 1 access-list inside_access_in

Global 1 interface (outside)

NOTE: with the config ablove room your internal users will have FULL access to the internet. If you want to restrict access to only http, https, ftp, dns, etc then you need to change the access list for something like that...

inside_access_in list access permit tcp any any eq www

inside_access_in list access permit tcp any any eq 443

inside_access_in list access permit tcp any any eq ftp

inside_access_in list access permit tcp any any eq 53

inside_access_in udd allowed access list any any eq 53

I hope that helps... Rate if he does!

On PIX 501 6.3 intermittent Internet access (5)

Similar Questions

Maybe you are looking for