Ping on the PIX firewall

Similar Questions

• To block P2P traffic on the PIX firewall

  What will be the mechanism, and how we can block the traffic of P2P applications like eDonkey, KaZaa and Imesh etc on the PIX firewall.

  Hello

  You can find the info here:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a00801e419a.shtml

  I hope this helps.

  Jay

• How to limit the ICMP on the PIX firewall.

  Guys good day!

  I have a dilemma with regard to limiting ICMP users browsing to other networks such as other demilitarized interns.

  I know that, to allow ICMP to pass through interfaces, you will need to create an ACL such as below:

  access-list DMZACL allow icmp a whole

  Users require this config ping a server on the DMZ, but it is a security risk.

  To minimize, I have a group of objects created in order to identify hosts and networks is allowed to have access to the echo-replies.

  Again, this is a problem since many host who extended pings just to monitor the connectivity server and its application.

  Do you have other ideas guys?

  As to limiting the echo answers on the PIX. As first 5 echo request succeed with 5 echo-replies and the rest would be removed.

  This could be done?

  Thank you

  Chris

  Hello.. I don't think you can do this by using an ACL on the PIX, however, you might be able to stop the ICMP sweeps by activating CODES signatures using the check ip command you... For more information see the link below

  Guidelines of use Cisco Intrusion Detection System (IDS Cisco) provides the following for IP-based systems:

  ? Audit of traffic. The application of signatures will be audited only as part of an active session.

  ? Apply to the verification of an interface.

  ? Supports different auditing policies. Traffic that matches a signature triggers a range of configurable

  actions.

  ? Disables signature verification.

  ? Always turns the shares of a class of signature and allows IDS (information, attack).

  The audit is performed by looking at IP packets to their arrival at an input interface, if a packet triggers

  a signature and the action configured does not have the package, and then the same package may trigger another

  signatures.

  Firewall PIX supports inbound and outbound audit.

  For a complete list signatures of Cisco IDS supported, their wording and whether they are attacking or

  informational messages, see Messages in Log System Cisco PIX Firewall.

  See the User Guide for the Cisco Secure Intrusion Detection System Version 2.2.1 for more information

  on each signature. You can view the? NSDB and Signatures? Chapter of this guide at the following

  website:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids1/csidsug/SIGs.htm

• ping for the pix vpn problem

  Hello

  I got a pix 501 (6.3 - 4) on a local network and try to use Cisco VPN Client (4.0.2-D) on a remote pc.

  I can open a vpn session.

  I can't ping from the remote pc to the LAN

  I can ping from any station on the LAN to the remote pc

  After that I did a ping of a station on the LAN to the remote pc, I ping the remote computer to the local network.

  I am so newb, trying for 2 days changing ACLs, no way.

  I must say that I am in dynamic ip wan on the local network and the remote pc.

  Any idea about this problem?

  Any help is welcome.

  Here is the configuration of my pix:

  6.3 (4) version PIX

  interface ethernet0 10baset

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the password * encrypted

  passwd * encrypted

  pixfirewall hostname

  domain ciscopix.com

  clock timezone THATS 1

  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  correction... /...

  fixup protocol tftp 69

  names of

  name 192.168.42.0 Dmi

  inside_access_in ip access list allow a whole

  inside_outbound_nat0_acl ip access list allow any 192.168.229.0 255.255.255.0

  outside_cryptomap_dyn_20 ip access list Dmi 255.255.255.0 allow 192.168.229.32 255.255.255.224

  access-list outside_cryptomap_dyn_20 allow icmp a whole

  pager lines 24

  opening of session

  logging trap information

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside the 209.x.x.x.255.255.224

  IP address inside 192.168.42.40 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool dmivpndhcp 192.168.229.1 - 192.168.229.254

  location of PDM 192.168.229.1 255.255.255.255 outside

  209.165.x.x.x.255.255 PDM location inside

  209.x.x.x.255.255.255 PDM location outdoors

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Route outside 0.0.0.0 0.0.0.0 209.165.200.225 1

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  Dmi 255.255.255.0 inside http

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  TFTP server inside the 192.168.42.100.

  enable floodguard

  Permitted connection ipsec sysopt

  AUTH-prompt quick pass

  AUTH-guest accept good

  AUTH-prompt bad rejection

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

  Dynamic crypto map dynmap 20 match address outside_cryptomap_dyn_20

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 20

  ISAKMP policy 20 3des encryption

  ISAKMP policy 20 chopping sha

  20 2 ISAKMP policy group

  ISAKMP duration strategy of life 20 86400

  vpngroup address dmivpndhcp pool dmivpn

  vpngroup dns 192.168.42.20 Server dmivpn

  vpngroup dmivpn wins server - 192.168.42.20

  vpngroup dmivpn by default-field defi.local

  vpngroup idle 1800 dmivpn-time

  vpngroup password dmivpn *.

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN username vpnuser password *.

  VPDN allow outside

  VPDN allow inside

  dhcpd address 192.168.42.41 - 192.168.42.72 inside

  dhcpd lease 3600

  dhcpd ping_timeout 750

  Terminal width 80

  Cryptochecksum: *.

  Noelle,

  Add the command: (in config mode): isakmp nat-traversal

  Let me know if it helps.

  Jay

• Username in the Pix Firewall

  When I do a command 'See logging' in my Cisco Pix Firewall (6.3), I am able to see the message below

  605005: x.x.x.x/33652 for eth1:y.y.y.y/telnet for the user authorized login «»

  In the message above, why the user name is not printed?

  your config has.

  Console telnet AAA authentication GANYMEDE + | RAY | LOCAL '?

• How to monitor connections dropped and rejected on the PIX Firewall / ASA?

  I need to monitor the SNMP OID of the connections dropped and rejected on the PIX and ASA firewalls. Is this possible?

  If this is the case, what SNMP OID should I monitor?

  Syslogs and Netflow (introduced in version 8.2) are your options.

  No MIB can give you the numbers of conn.

  PK

• The upgrade of the PIX firewall

  I currently have two firewalls Pix 515 (v4.4 and v6.2). I want to update the v4.4, but am unable to download the software from Cisco. Whenever I try to download using the link 'download pix software', it times out.

  I have already set up a tftp server and plan on the use of monitor mode to perform the upgrade. I already did a "write net:" to save the current configuration. " In addition, the original configuration remains intact, or they will be lost after the upgrade.

  Thanks in advance.

  Looks like you may have a problem with the download or the browser proxy. Try another host and/or browser and see if it works better.

  Since the PIX 4.4 software and versions later, you can go directly to any newer version of the software. To preserve your config, but it's always a good idea to back it up before an upgrade as you did. The config in the PIX is actually not get converted when PIX is restarted with the new software - what happens the first time you do a "write mem" under the new software, it is so important to remember to do as part of the upgrade process. You can then check the config freshly recorded against your configuration of backup for all differences. In addition, it is important to check the Release Notes before upgrading, but if you have a config PIX relatively simple it will probably be fine. One thing you want to do is migrate away from lines on access lists. Cisco is a utility that allows to convert them for you, and it does a very good job as long as your config is not too complex, so I might suggest to give it a try and see how it works for you. The downloadable version of this utility must be on the same page as other PIX software download, and there are versions for Windows and Sun Solaris.

  Good luck!

• VPN with usernames in the pix firewall

  Is there anyway to make my VPN connections in my specific user pix?

  I know it's possible with the concentrator 3000 but don't know if you can do it with a pix. I have about 10 people who need VPN in.

  Can each VPN cause a different password?

  Reason is: if I let go 1 person I don't want to have to worry about changing the passwords for all the world just deleting an account.

  Thank you

  Anthony

  In a PIX VPN connection should always be authenticated with a name of username/password extra for extra security. Up to v6.3 you used to have to store these names of user and password to an external Radius/GANYMEDE server, but to the point 6.3 now you can use the local user on the PIX database to store these.

  The commands are:

  > the client authentication card crypto LOCAL

  > user_name password

  You can have as many orders "... user name. "as you wish. If someone leaves your company simply remove it the name of the list.

• NAT order of operation on the PIX firewall

  Hi all.

  Can someone refer me to a document that clearly explains the order of operations on a PIX w firewall NAT / code 6.3 (3) or 6.3 (5)?

  The statements are first aveluated? Static Nat, static policy NAT, NAT/PAT dynamics and so forth, for outbound connections?

  And for incoming connections? I know that xlate table is checked on the first place for incoming connections, but, assuming that there is no entry corresponds to an incoming packet... What is the medal in which NAT set out are avaluated?

  TKS in advance.

  Diego

  Hello

  Refers to these positions. These are the same though...

  http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=security&topic=firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddb829a/0#selected_message

  http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=security&topic=firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddb999a/1#selected_message

  HTH

  AK

• Configuration of the PIX firewall Interface

  Hello

  On a PIX 525 running ver 6.3 4 port 10/100 card installed it will be possible to configure interfaces as follows:

  E0 - inside interface

  E1 - failover stateful Firewall

  E2 - Firewall failover monitoring link

  E5 - outside interface

  I'm basically is unsure as to if it is possible to move the external interface to its default configuration as e0 to E5, and even if it will be possible to specify e0 as the interface instead of the default E1 confiuration inside = inside.

  Another quickie - I guess that with the additional 4 port 10/100 card installed my interfaces will be numbered e0 - e5. Is this correct?

  Thank you.

  Said Cisco documentation is not possible to change the name and the security level of inside interface, but I experience it is possible:

  nameif ethernet1 failover security50

  nameif ethernet5 off security0

  etc...

  I would not recommend doing in a production environment because it would create a lot of confusion...

  525 has two fixed interfaces e0 e1 - card expansion port 4 should therefore be numbered e2, e3 (from left to right)

  M.

  Hope that helps the rate if it isn't

• Another tunnel to the PIX firewall Site2Site

  I have PIX 506 Firewall and configured site2site VPN with router on the other side and also remote VPN on PIX and both work well. I want to add an another VPN on PIX site2site with another site router can someone guide me in this regard how accompalish it. I have attached the configuration file.

  Mohammed,

  Please see the attachment; I changed the configuration and added a 2nd peer IPSec of course you will need to change the remote router accordingly too!

  Hope this helps and pls rate post if it isn't.

  Jay

• Outlook web app on the pix firewall

  Hi guru firewall,.

  Can someone here help me install my firewall cisco to work for external outlook web access. I changed a few settings and do turn internally... However I can't access outside.

  That means, when I open outlook web app on our LAN that it works, but when I try to open it via internet ISP I can not open it... "page not found".

  Pls advice how you it is resolved through the configuration of firewall pix if anyone of you has met the same thing.

  Any help is greatly appreciated.

  Best regards

  Jeric

  Jeric,

  I am very surprised to read this thread. I really appreciate your effort to do this task.

  I said, listen to me, don't forget to add a statement static so that this works, but I'm not saying you port coz I'm still looking for it.

  I had a good conversation with our cisco consultant Ken. I show him the config and it's what Ken told me to do.

  We lack this static entry.

  public static tcp (indoor, outdoor) interface www inside_mail_server www netmask 255.255.255.255 0 0

  also add to this list of access

  ACL_OUT list access permit tcp any host 203.125.100.246 eq www

  Pls let me know the result. Hope that the system will work.

  PLS, do not forget to 'Clearly Xlate' and save it.

  See you soon.

  Dennis

• Helps to configure the pix firewall 507e for e-mail access

  Dear experts,

  I called our provider cisco and ask for technical help regarding our current problem as we know on our set-up.

  She told me to convey my concern to the Cisco TAC. My friends told me to post it here under discussion Netpro.

  I am writing today to ask a few questions about my pix 506 firewall configuration.

  To give the implementation Details pls find below and attached seizures of the show tech command.

  We have subscribed the service DSL and Singtel give us 2 addresses valid public IP that is 203.125.100.246 255.255.255.252.

  I used 203.125.100.246 for my external interface of my firewall pix and singtel assign 203.125.100.245 to the DSL router. In this case, we will only use PAT for internet connection.

  Currently he works very well our Mail Server is resided in the Singtel Office having the ip address of 165.21.111.22. Not work that we can receive and deliver electronic mail on the internet, and we can also surf the internet.

  Now we intend to put our mail in our own network server, because sometimes we encounter slowness on receiving and sending emails. Pls check on the IP address below

  Our LAN IP address is 192.168.1.X 255.255.255.0

  default gateway, which is the IP address of the firewall pix inside interface is 192.168.1.1

  The new mail server IP address is 192.168.1.4.

  Here's what I've done so far.

  I created a static mapping for my mail server is here

  public static 203.125.100.246 (inside, outside) 192.168.1.4 mask subnet 255.255.255.255 0 0

  and modify the access list to allow smtp on our networks.

  192.168.2.0 ip access list ACL_OUT permit 255.255.255.0 any

  ACL_OUT list access permit icmp any host 203.125.100.246

  ACL_OUT list access permit tcp any host 203.125.100.246 eq smtp

  ACL_OUT list access permit tcp any host 203.125.100.246 eq pop3

  ACL_OUT list access permit udp any host 203.125.100.246 EQ field

  Access-group ACL_OUT in interface outside

  After doing it... I have loss all the internet connection, the email does not work... so I deleted immediately. because it causes network failure.

  I have rather edit it and create a static map like this.

  public static 203.125.100.246 (exterior, Interior) 192.168.1.4 mask subnet 255.255.255.255 0 0

  and modify the access list to allow smtp on our networks.

  192.168.2.0 ip access list ACL_OUT permit 255.255.255.0 any

  ACL_OUT list access permit icmp any host 203.125.100.246

  ACL_OUT list access permit tcp any host 203.125.100.246 eq smtp

  ACL_OUT list access permit tcp any host 203.125.100.246 eq pop3

  ACL_OUT list access permit udp any host 203.125.100.246 EQ field

  Access-group ACL_OUT in interface outside

  Saw what it did not cause a failure of network or interruption. I thought that it will already work with the config, I keep it and this is the current config now... But when I change the POP and SMTP settings so that it points on 192.168.1.4 which is the new mail server on our LAN. his does not work.

  To this day, we are in a discussion with my boss or not possible to create a static mapping on our new mail server address 192.168.1.4 to 203.125.100.246 which is already assigned as external IP address and is used for PAT.

  We are asking your help to know how to set up our internal mail server statically match our public IP address that is already used for PAT.

  Please check attached the tech release see the.

  Thank you very much!

  I'd appreciate your quick response.

  Your truth.

  Dennis Pelea

  Dennis,

  Can you please send to me your configuration full pix (unscrew sensitive information) to [email protected] / * /

  I am puzzled, why this configuration does not for you. I have several clients who use a public ip address for external intf more than several other services that use this single ip address.

  Thank you / Jay

• Integration with the PIX IDS firewall

  I read the Release Notes for Cisco Intrusion Detection System Sensor Version 3.0 S4 (1), and tripped on the new features of this version it pretends the integration with the PIX firewall

  How do implement you this? What kind of integration offer?

  Instructions for the sensor and the basic configuration of PIX can be found here:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid23

  Instructions for sensor and PIX SSH configuration can be found here:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid16

  You can configure the sensor to connect to the PIX via telnet when

  using the PIX inside interface, otherwise you have to use SSH.

  SSH with 3des encryption is supported in version 3.0 or later

  sensors for connections of PIX.

  Warning: If you use telnet with a version 6.2.1 or PIX more late or if

  you want to use SSH with encryption on any PIX, so you

  need a patch for your sensor. If so, open a case of TAC and demand

  the latest version of nr.managed engineering. Reference

  [email protected] / * / for any question.

• Cisco ACS and Pix Firewall

  I have configured the aaa authentication in the pix firewall to see the ACS RADIUS Server for verification of the user. If the ACS server becomes unavailable, then I could not connet the pix firewall.

  In the router, I have the configuration option

  AAA authentication login default group Ganymede + local

  that tells the router first looking for a radius server and if is not available connect through the local database.

  Is there an option in the Cisco pix firewall to connect using local information if ACS is not available?

  Thanks in advance

  Hello

  PIX back up method to entered the unit in the event of server failure aaa works on 6.3.4 code and above. In the codes plus late 6.3.4 If the RADIUS server fails it is impossible to get in unless password recovery. "However if we have not configured for console aaa authentication than user name: pix and password: cisco" works by default.

  Kind regards

  Mahmoud Singh