PIX 501 ICMP access list Question
According to the book, I have the pix and firewall that I know of dealing with routers and switches access lists define what traffic is allowed outside the network. With pix access lists can only be applied one way, to the interface they enter, not leaving. It's my understanding, but when I do an ICMP command:
PIX1 (config) # access - list ethernet1 permit icmp any any echo response
PIX1 (config) # access - list icmp permitted ethernet1 everything all inaccessible
Access-group ethernet1 PIX1 (config) # interface inside
This does not work, but if I apply the access group to the external interface it works. I understand why it is like that.
Thank you
This works because the pix is not aware of session state for the way icmp traffic that it does for tcp and udp.
By default, less access to a high to an interface is allowed, unless you have an acl applies to the interface of higer - then only what the acl permits will be allowed. So you can send outbound icmp echo request. However, for the response to be returned, you must allow that explicitly in an acl that is applied on the external interface, because the pix won't allow any outside traffic by default.
Even for icmp unreachable, although I want to put in custody to be part of the config. Allow only the unattainable due to the ttl expired to facilitate detection of mtu path, not all unachievable.
Let me know if it helps.
Tags: Cisco Security
Similar Questions
-
If I access-list and statements ICMP on the same interface, which contradicts the other, who gets preference. for ex. If I refuse a package in icmp and allow the access-list package, which wins.
Access lists apply only to passing packets * by * the PIX. ICMP commands are applied to the PIX interfaces themselves (meaning premitting or deny ICMP packets to the PIX interface address). So, to answer your question, it depends on what you are trying to ping ;)
Scott
-
Hello
We have a Cisco PIX 535. By default, traffic on one more secure interface with a lower security level is allowed, what is?
OK, I have a doubt, I had to define an access list entry to allow a telnet connection between inside and outside. There is no rule against that traffic, but without this rule the telnet connection cannot be established.
And my question is: why? It is not supposed to be allowed by default?
Thanks in advance.
Higher default-> bottom is allowed... However, once you add instructions permit, it is implicitly deny all at the end. So, if you allow ftp and ssl web... so by default, any other traffic is denied and you need to be precise with your permit.
-
Cisco ASA tunnel access list question
We have created a site to IPSec tunnel. Initially, only two IP address were allowed access to the tunnel. They ask now addresses. My question is, if I use access-list extended inside_access_in permit ip any host 10.60.55.10, I also have to make a statement of NAT that allows this?
And when we change the VPN Site to Site connection profile, I have to allow all through this tunnel as well, correct?
I thank you and I hope this makes sense. We were originally political thought based routing on the nearest core of the source.
Dwane
Hi Sylvie,.
If you use NAT so I say yes you must consider from... Normally, in a private LAN on L2L scenario, you might have used no. - NAT... If you have LAN identical at both ends, then you might have using a NAT to a diff of subnets at both ends... If you use the NAT public IP then it will be on the public IP based L2L address... So it depends on your current configuration.
If you use one to 10.60.55.10 (then your site any subnet which flows through the VPN Firewall to 10.60.55.10 is allowed... here you may need to modify NAT as a source...)
But the problem comes from the other end... for them the source will be 10.60.55.10 and destination would... then all traffic from host 10.60.55.10 is taken through the tunnel...
So instead of making a statement as any visit its respective great nets 172.16.0/16 for example...
Concerning
Knockaert
-
I have a hand router Cisco 871 and 5 remote sites using the Cisco 850. The tunnel comes up fine and can ping back from the 850 to the 871. However, I think that I have a problem of access list because I can't open the main database which is on the main site of any of the 5 locations nor do I get on the internet that the proxy server get no not at other sites. I can ping these remote sites, but cannot use them in fact. These rules are very different, and then the PIX.
192.168.1x
* THE REMOTE SITE
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
not run cdp
sheep allowed 10 route map
corresponds to the IP 101
192.168.0.X
HAND ROUTER
recording of debug trap
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 allow ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104. allow ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
not run cdp
sheep allowed 10 route map
corresponds to the IP 101
!
IP tcp mss<68-10000>
Hope this helps,
Gilbert
-
PIX Firewall 525 access list problem
Hello.
I have the following problem. After insertion of an access list, despite seeing the packages associated with the list, they do not "match", that is, it is as if the list wasn't doing his job.
Who can be the cause of this behavior?
PIX 525 model
IOS 6.3 (4)
Thank you.
Marulanda Ramiro Z.
Are all of syslogs sent properly to the remote host? If so, I would say that the udp connection is never closed by the PIX. Let's say that the connection never hit the timeout in the pix config. If the connection remains open and doesnot increments the hit count for your access list. I have a PIX that makes the same behavior.
The increase in the number of accesses is also based on the connection and not on each packet passing through the PIX.
You can use a debug command to see the packets through the PIX.
HTH
Mike
-
Help the PIX 501 - cannot access startup.html
I'm new to the network and has received a job to configure the PIX 501 firewall.
The fact is:
We use IP table rules as a firewall on a linux machine. My pc is connected to a switch. So I use the yellow network cable to connect the port of the Pix 501 0 to the port in the switch. Then I disconnect my pc of swich cable and plug into the port of the Pix 501 1.
My pc is to use a static ip address before. I try to change to automatically get an IP address, but it will not work. So I changed the setting and use the IP address originally. Pop up message network connection icon says that the local connection is enabled. But when I try to ping 192.168.1.1, request time-out. Also I can't acess the https://192.168.1.1/startup.html.
I have a look at Books Online cisco and shootings of disorder, but most of them talk about the configuration or more advance features. I'm still on the very basic level to try to connect to the firewall.
I hope someone can help me. All ideas and questions are welcome. Thank you.
Your IP address should be fine. You do not want to have the PIX connected to your local network, even if you have the Linux firewall as well as this will cause a conflict. Keep the PIX the LAN for now. Your DNS configuration will have no effect because the url you are trying to reach is based on the IP address and not the domain name if your PC has nothing to look for.
You have to check the cable that you use - if your PIX has only an 'inside' interface, then you must use a crossover cable. If he has four so it's built in switch for a straight cable will be fine. Is what PIX model?
After checking the cable - see if you can console in the firewall - use the blue cable that came with the PIX and set up a connection (hyper terminal) terminal with the help of 9600, 8, no 1. If you can console and then you can stick in a basic configuration you can get.
-
IPSec VPN pix 501 no LAN access
I'm trying to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet, but I am unable to ping or you connect to all devices in the Remote LAN. Here is my config:
: Saved
:
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
nameif ethernet0 WAN security0
nameif ethernet1 LAN security99
enable encrypted password xxxxxxxxxxxxx
xxxxxxxxxxxxxxxxx encrypted passwd
host name snowball
domain xxxxxxxxxxxx.local
clock timezone PST - 8
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
No fixup not protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
acl_in list of access permit udp any any eq field
acl_in list of access permit udp any eq field all
acl_in list access permit tcp any any eq field
acl_in tcp allowed access list any domain eq everything
acl_in list access permit icmp any any echo response
access-list acl_in allow icmp all once exceed
acl_in list all permitted access all unreachable icmp
acl_in list access permit tcp any any eq ssh
acl_in list access permit tcp any any eq www
acl_in tcp allowed access list everything all https eq
acl_in list access permit tcp any host 192.168.5.30 eq 81
acl_in list access permit tcp any host 192.168.5.30 eq 8081
acl_in list access permit tcp any host 192.168.5.22 eq 8081
acl_in list access permit icmp any any echo
access-list acl_in permit tcp host 76.248.x.x a
access-list acl_in permit tcp host 76.248.x.x a
allow udp host 76.248.x.x one Access-list acl_in
access-list acl_out permit icmp any one
ip access list acl_out permit a whole
acl_out list access permit icmp any any echo response
acl_out list access permit icmp any any source-quench
allowed any access list acl_out all unreachable icmp
access-list acl_out permit icmp any once exceed
acl_out list access permit icmp any any echo
Allow Access-list no. - nat icmp a whole
access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0
access-list no. - nat ip 172.16.0.0 allow 255.255.0.0 any
access-list no. - nat permit icmp any any echo response
access-list no. - nat permit icmp any any source-quench
access-list no. - nat icmp permitted all all inaccessible
access-list no. - nat allow icmp all once exceed
access-list no. - nat permit icmp any any echo
pager lines 24
MTU 1500 WAN
MTU 1500 LAN
IP address WAN 65.74.x.x 255.255.255.240
address 192.168.5.1 LAN IP 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool pptppool 172.16.0.2 - 172.16.0.13
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global (WAN) 1 interface
NAT (LAN) - access list 0 no - nat
NAT (LAN) 1 0.0.0.0 0.0.0.0 0 0
static (LAN, WAN) 65.x.x.37 192.168.5.10 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.36 192.168.5.20 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.38 192.168.5.30 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.39 192.168.5.40 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.42 192.168.5.22 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.43 192.168.5.45 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.44 192.168.5.41 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.45 192.168.5.42 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.46 192.168.5.44 netmask 255.255.255.255 0 0
static (LAN, WAN) 65.x.x.41 192.168.5.21 netmask 255.255.255.255 0 0
acl_in access to the WAN interface group
access to the LAN interface group acl_out
Route WAN 0.0.0.0 0.0.0.0 65.x.x.34 1
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
NTP server 72.14.188.195 source WAN
survey of 76.248.x.x WAN host SNMP Server
location of Server SNMP Sacramento
SNMP Server contact [email protected] / * /
SNMP-Server Community xxxxxxxxxxxxx
SNMP-Server enable traps
enable floodguard
the string 1 WAN fragment
Permitted connection ipsec sysopt
Sysopt connection permit-pptp
Crypto ipsec transform-set esp - esp-md5-hmac RIGHT
Crypto-map dynamic dynmap 10 transform-set RIGHT
map mymap 10-isakmp ipsec crypto dynamic dynmap
client configuration address map mymap crypto initiate
client configuration address map mymap crypto answer
card crypto mymap WAN interface
ISAKMP enable WAN
ISAKMP nat-traversal 20
part of pre authentication ISAKMP policy 10
encryption of ISAKMP policy 10
ISAKMP policy 10 md5 hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
vpngroup myvpn address pptppool pool
vpngroup myvpn Server dns 192.168.5.44
vpngroup myvpn by default-field xxxxxxxxx.local
vpngroup split myvpn No. - nat tunnel
vpngroup idle 1800 myvpn-time
vpngroup myvpn password *.
Telnet 192.168.5.0 255.255.255.0 LAN
Telnet timeout 5
SSH 192.168.5.0 255.255.255.0 LAN
SSH timeout 30
Console timeout 0
VPDN group pptpusers accept dialin pptp
VPDN group ppp authentication pap pptpusers
VPDN group ppp authentication chap pptpusers
VPDN group ppp mschap authentication pptpusers
VPDN group ppp encryption mppe 128 pptpusers
VPDN group pptpusers client configuration address local pptppool
VPDN group pptpusers customer 192.168.5.44 dns configuration
VPDN group pptpusers pptp echo 60
VPDN group customer pptpusers of local authentication
VPDN username password xxx *.
VPDN username password xxx *.
VPDN enable WAN
dhcpd address 192.168.5.200 - 192.168.5.220 LAN
dhcpd 192.168.5.44 dns 8.8.8.8
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable LAN
username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx
username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx
Terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxx
: end
I'm sure it has something to do with NAT or an access list, but I can't understand it at all. I know it's a basic question, but I would really appreaciate help!Thank you very muchTrevor"No. - nat' ACL doesn't seem correct, please make sure you want to remove the following text:
do not allow any No. - nat icmp access list a whole
No No. - nat ip 172.16.0.0 access list allow 255.255.0.0 any
No No. - nat access list permit icmp any any echo response
No No. - nat access list permit icmp any any source-quench
No No. - nat access list permit all all unreachable icmp
No No. - nat access list do not allow icmp all once exceed
No No. - nat access list only allowed icmp no echo
You must have 1 line as follows:
access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0
Please 'clear xlate' after the changes described above.
In addition, if you have a personal firewall enabled on the host you are trying to connect from the Client VPN, please turn it off and try again. Personal firewall of Windows normally blocks the traffic of different subnets.
Hope that helps.
-
The following access list works on a cisco router, however, the list will not work on the PIX (I change the mask to wildcards to a for the PIX subnet mask).
Router (works)
access allowed test tcp 192.168.1.50 list 0.0.0.5 host 10.10.10.1 eq 80
PIX (does not work)
access list permit test tcp 192.168.1.50 0.0.0.10 host 10.10.10.1 eq 80
I get the error on the PIX:
ERROR: Source, mask <192.168.1.50, 0.0.0.10="">address not pair
Is it possible to group IP addresses as well as on the PIX in a similar way as Cisco IOS?
Thank you!
Domo Arigato!
You can use
192.168.1.48 255.255.255.248 for the source or if they are many hosts you must insert an individual entry for each source.
Of course you can refuse the host 192.168.1.49 and
Let the others allow 192.168.1.48 255.255.255.248
-
L2L pix 501 and remote access VPN
Hi, I'm working on an old 501 PIX w / Software 6.3 (5), he already have access to remote VPN configuration and works very well, but now he needs a L2L implemented. One thing I try to do all the work remotely via VPN or ssh to the machine. I don't know what's on the other end, but they swear that it is set up and maybe my problem is when I start putting in orders for the other VPN it breaks the remote VPN access. One thing that I have to do is NAT a host on the inside to appear as another host on the end. I use these commands and I think it works cannot be said.
access-list 101 permit ip remote_network 255.255.255.0 local_server host
public static 10.1.0.203 (inside, outside) - access list 101
then
access-list 102 permit ip host 10.1.0.203 192.168.50.83
access-list 102 permit ip host 10.1.0.203 192.168.50.86
access-list 102 permit ip host 10.1.0.203 192.168.50.50
access-list 102 permit ip host 10.1.0.203 192.168.50.85and use it to match against
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
EMDs-map 10 ipsec-isakmp crypto map
correspondence address card crypto emds-map 10 102
card crypto emds-map 10 peers set remote_vpn_server
card crypto emds-card 10 set of transformation-ESP-3DES-SHAthen
ISAKMP key magic_key address remote_vpn_server netmask 255.255.255.255
ISAKMP identity hostname
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 3des encryption
ISAKMP policy 10 sha hash
10 1 ISAKMP policy group
ISAKMP life duration strategy 10 86400and that is where it usually breaks the VPN, I don't know if the other VPN works due to not being not able to get to this server to try to ping, I don't really like to try this stuff remotely but I don't have a lot of choice at the moment.
Any thoughts?
Thank you
Jarrid Graham
Yes, just use the number of different sequence with 1 name of the crypto map. Please also ensure that your dynamic crypto map, which is your vpn client has the sequence down the crypto map (more), because you want to make sure that the static crypto map (for lan-to-lan tunnel has higher sequence number (lower number)).
The political isakmp sequence number does not match, it is processed from top to bottom (number less than the high number) and also long 1 set of isakmp policy corresponds to the remote peer, it will be negotiated properly.
Hope that answers your question and please note useful post. Thank you.
-
I have the access-list applied on my "external" my PIX interface and I'm trying to make it so pings coming from the 'inside' book, but those who come of the? outside? in case of failure.
access-list outside permit icmp any any echo response
list a whole outside access allowed icmp time-exceeded
access outside allowed icmp list everything all inaccessible
Using a VPN, you can create a rule/filter and apply it to the tunnel which verifies the established bit to be set. Is it possible to do this with a list of access a PIX?
I have a 6.3 (5) PIX 501
If you add (in config mode)
ICMP deny everything outside
The above will disable any ping/trace route or network scans of the internet (that is, your network will be in stealth mode), if you also add
access-list outside permit icmp any any echo response
list a whole outside access allowed icmp time-exceeded
access outside allowed icmp list everything all inaccessible
outside access-group in external interface
This will then allow icmp traffic going out to the internet, BUT don't be do not allow anyone to ping/trace route internet or analyze your network!
You can test this by visiting http://www.grc.com and using the program "shields up" to analyze your network. Try first without icmp deny out of any instruction and then with the statement added to your configuration.
Hope this helps
Jay
-
I'm relatively new to the security stuff. I'm a guy of the voice. I created a Pix 501 for IPSEC VPN and works very well. Then I tried it setting up PPTP VPN. I use Windows XP to connect. It connects fine, but I can't ping to the inside interface on the PIX. I can do this by using IPSEC. Any ideas? Here is my config:
:
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the password * encrypted
passwd * encrypted
host name *.
domain name *.
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list 101 permit icmp any any echo response
access-list 80 allow ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.5.0 255.255.255.0
access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 24
opening of session
emergency logging console
Outside 1500 MTU
Within 1500 MTU
IP address outside of *. *. *. * 255.255.255.0
IP address inside 10.0.0.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool pool1 192.168.5.100 - 192.168.5.200
IP local pool pool2 192.168.6.100 - 192.168.6.200
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 10.0.0.0 255.0.0.0 0 0
Access-group 101 in external interface
Route outside 0.0.0.0 0.0.0.0 *. *. *. * 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
the ssh LOCAL console AAA authentication
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Sysopt connection permit-pptp
Sysopt connection permit-l2tp
Crypto ipsec transform-set high - esp-3des esp-sha-hmac
Crypto ipsec transform-set esp - esp-md5-hmac RIGHT
Crypto dynamic-map cisco 4 strong transform-set - a
Crypto-map dynamic dynmap 10 transform-set RIGHT
Cisco dynamic of the partners-card 20 crypto ipsec isakmp
partner-map interface card crypto outside
card crypto 10 PPTP ipsec-isakmp dynamic dynmap
ISAKMP allows outside
ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
ISAKMP nat-traversal 20
part of pre authentication ISAKMP policy 8
ISAKMP strategy 8 3des encryption
ISAKMP strategy 8 md5 hash
8 2 ISAKMP policy group
ISAKMP life duration strategy 8 the 86400
vpngroup address pool1 pool test
vpngroup default-field lab118 test
vpngroup split tunnel 80 test
vpngroup test 1800 idle time
Telnet timeout 5
SSH 10.0.0.0 255.0.0.0 inside
SSH 192.168.5.0 255.255.255.0 inside
SSH 192.168.6.0 255.255.255.0 inside
SSH timeout 5
management-access inside
Console timeout 0
VPDN PPTP-VPDN-group accept dialin pptp
VPDN group PPTP-VPDN-GROUP ppp authentication chap
VPDN group PPTP-VPDN-GROUP ppp mschap authentication
VPDN group PPTP-VPDN-GROUP ppp encryption mppe auto
VPDN group VPDN GROUP-PPTP client configuration address local pool2
VPDN group VPDN GROUP-PPTP client configuration dns 8.8.8.8
VPDN group VPDN GROUP-PPTP pptp echo 60
VPDN group VPDN GROUP-PPTP client for local authentication
VPDN username bmeade password *.
VPDN allow outside
You will have to connect to an internal system inside and out run the PIX using pptp.
For ssh access the PIX, you will also need additional configuration, see the section on code PIX pre 7.x, section access ssh to the security apparatus .
Concerning
-
On PIX 501 6.3 intermittent Internet access (5)
Hello
I have a problem of access to the Internet from the local network behind a PIX 501. It worked for months, but suddenly, I discovered that Internet access is intermittent. Internet access works for about 10-15 minutes and then goes down. When I reboot the firewall or disable ARP Internet works again. I turn on debugging with 'debug arp' and I get an error message "arp-in: Dropping request outside the unsolicited nonadjacent ROUTEOUTSIDE 0002.cf69.50cf for 82.x.137.x 0000.0000.0000»
Any ideas on what could be the problem?
Thank you for your help.
Kind regards.
Hello, Couple of things to check.
You have ICMP permitted on the external interface of the PIX. If so, can ask you someone to ping from the internet to the external IP address.
When they ping, can you unplug the external interface and see if they receive a response in return.
If so, then there is a problem with the access provider. They could give your IP address to another person.
If this isn't the issue, then you open a TAC case and resolve this problem.
See you soon,.
Gilbert
The rate of this post, if that helps.
-
Cisco PIX 501 to Cisco 3005 concentrator via remote access
Hello people,
I need your help.
We got a Cisco PIX 501 in one place and this pix is configured for pppoe connection. The pix connects to internet via the pppoe client. an official ip address ping works well.
So what I want to do is to establish a tunnel von between this pix and a cisco 3005 concentrator.
But I failed to establish it.
Here are the pix config. the acl? s are only for the test and will be replaced if it works.
6.3 (4) version PIX
interface ethernet0 10baset
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the password xxx
passwd xxx
hostname PIX - to THE
domain araukraine.ua
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
outside ip access list allow a whole
inside_access_in ip access list allow a whole
pager lines 24
opening of session
Monitor logging warnings
logging warnings put in buffered memory
MTU outside 1456
MTU inside 1456
IP address outside pppoe setroute
IP address inside 192.168.x.x 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
PDM location 192.168.x.x 255.255.255.224 inside
forest warnings of PDM 500
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
outside access-group in external interface
inside_access_in access to the interface inside group
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
the ssh LOCAL console AAA authentication
Enable http server
255.255.x.x 192.168.x.x http inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
255.255.x.x telnet inside 192.168.x.x
Telnet timeout 5
SSH 194.39.97.0 255.255.255.0 outside
SSH timeout 5
management-access inside
Console timeout 0
VPDN group pppoe_group request dialout pppoe
VPDN group pppoe_group localname [email protected] / * /
VPDN group ppp authentication pap pppoe_group
VPDN username [email protected] / * / password *.
encrypted privilege 15
vpnclient Server 212.xx.xx.xx
vpnclient mode network-extension-mode
vpntest vpngroup vpnclient password *.
vpnclient username pixtest password *.
Terminal width 80
the hub, I created a user pixtest, a group vpntest and I? ve created the rules of the network for example to what server, users behind the pix will be able to access.
And that? s all.
I couldn't send you exit pix or hub because I don't have an error or a message that the tunnel will be established.
What can be wrong?
Thanks for the replies
This configuration example shows how to create an IPsec tunnel to a computer that is running the Client VPN Cisco's (4.x and later versions) to a Cisco VPN concentrator 3000 to allow the user to safely access the network inside the VPN concentrator.
-
PIX V6.2 of lists of access and authentication
We have a PIX 501 internal v6.2 on an intranet and you want to allow some subnets and other IP of specific hosts through high security (inside) to low-security side (outside) without authentication or authorization.
However, at the same time, we want to authenticate some other users the same path and apply an access of our v2.6 CiscoSecure ACS list.
We use http authentication.
How do I combine these two different requirements on the inside interface
e.g. allowed tcp 10.10.10.2 255.255.255.0 any eq 1022 and
(if it is authenticated) permit tcp host 10.120.10.1 any eq 8051
We have a similar setup working on a router using the firewall feature set proxy authentication, the access list has static entries and changes dynamically when users are authenticated with their conditions of access.
Do not use an ACL on the inside interface to achieve this. Rather, set you ACLs to include authentication for all traffic from this host out.
Allow Access-list auth_user host ip 10.120.10.1 one
This means that the user cannot run ALL the traffic out until he receives the authentication. The host can do this by opening a web browser for what anyone outside and giving the appropriate credentials firewall. Or FTP for what anyone outside... Or telnet to what anyone on the outside.
When the ACS service validates the credentials of the users, pass back the ACL for this user to define exactly what you want and what you want to deny. If you only allow outbound TCP/8501, then all other traffic is implicitly denied. The ACL by user like any other access-list. This will not require an ACL to be bound inside the interface.
-Shannon
Maybe you are looking for
-
Re: Satellite C660 - Sound stopped working
I did some research online, and it seems that this is not an uncommon problem for the sound card to stop working. I tried a number of things and just uninstall the old driver and installed a new. Still nothing. Advice please? I'm not a geek and I jus
-
Satellite L850 - volume icon and lost volume
as the title says I lost the icon from the taskbar and you tube clips are silentI did not notice this happens and the control panel says that this notification is not activeany suggestions welcome, but I'm a noviceBrian
-
How to add a laptop LCD CRT monitor?
Original title: I have a laptop dell with a burned back screen so I adderd a monitor for my my veiwing but 1 laptop's lcd and 2 crt monitor how their compatiable How yo adds a crt monitor and the laptop's lcd?
-
Microsoft SQL Server Desktop Engine (Pinnaclesys
I recently found the "Microsoft SQL Server Desktop Engine (Pinnaclesys)" software on my computer. I don't know how it got there. What does do for me? Can I delete it? I have Windows XP with SP3. Also Microsoft Office 2010.
-
Direct3D devices does not work on Windows XP
Direct3D devices does not work on Windows XP