PIX 501 Port Segmentation for teleworkers?

We are evaluating PIX vs. Netscreen and SonicWALL for teleworkers. Both Netscreen and SonicWALL offer a port segmentation feature that allows the VPN to be extended to specific ports only. Does that mean that Mom or Dad can be on the company VPN, but nobody else on this home network (children) will be able to access the company VPN? Does Cisco offer such a function or feature, VLAN or otherwise, or do we need to use a Netscreen or SonicWALL firewall for individuals?

Of course, the PIX can provide similar functionality - but even better.

How about authenticating each user as they try to cross the tunnel?

User-level authentication is a feature of PIX OS 6.3.

http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/63rnotes/pixrn63.htm#67805

It's safer than simply letting unauthorized users move from one port to another on the Netscreen or SonicWALL.

Peter

Tags: Cisco Security

Similar Questions

  • Port Forwarding PIX 501

    Is it possible to forward port 80 to an internal IP on a PIX 501?

    I have a PIX 501, which does PAT / internal DHCP for my network. I want to forward all HTTP [80] queries to an internal web server.

    Thank you

    Sepyh...

    You can use port forwarding to get there.

    Here is an example configuration:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#port

    Hope this helps,

    -Nairi

  • Place a FIOS for VPN router behind PIX 501

    I have a Verizon FIOS internet connection and one of their wide broadband wireless routers, and this is a completely basic configuration... their router does DHCP and firewalling, and the connection has a dynamic address. I would like to put the PIX 501 behind the Verizon router as one of its clients and VPN the PIX to other PIX 501s at other locations, so that my entire network has access to the remote networks.

    Is this possible, and if yes, could anyone suggest some configurations (how to address internal and external, static routes, ports that may need to be opened somewhere, etc.)?

    Thanks for any help.

    When my FiOS was installed, I had already asked that it be installed on Ethernet cable. I don't know whether they need to do something for you to switch from coax to Ethernet.

    The best way to test it would be to find the media converter (follow the coaxial cable from your FiOS router to the demarc; there should be a box with a coaxial port, some phone sockets and an Ethernet port). If you unplug the coaxial cable and plug a laptop into the Ethernet port, see if your laptop gets a public IP address. If yes, then you just have to run the Ethernet cable to your PIX 501 and you should be ready.

    Just to note that Verizon, depending on your region, reserves DHCP assignments. This means that you may need to call Verizon and ask them to release the previous DHCP-MAC address assignment. I had this happen recently. They must release the assignment, then your PIX will pull a new IP address and they will record your new IP-MAC address assignment. They do this to speed up the connection time on a cold start of the router.

    Basically, they are not filtering by MAC address as such, but rather through a sticky ARP where they clear the entry, and then the next device that connects registers its MAC address and then only that device is permitted to connect to this leg of the cable. So there is a bit of work you have to do, but the most difficult part would be sitting on hold waiting for a tech if you call Verizon.

  • Port forwarding with PIX 501

    I am trying to get my PIX 501 to forward traffic on port 1412, TCP and UDP, to use Direct Connect, and the problem I have is that I can connect to a DC hub but cannot establish connections with users.

    I added the following to the factory default configuration, with partial success:

    access-list outside permit tcp any host 192.168.100.20 eq 1412
    access-list outside permit udp any host 192.168.100.20 eq 1412
    static (inside,outside) tcp interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

    In the debug log, with logging set on the access list, I see this type of error:

    Deny tcp src outside:other.users.ip.addr/3099 dst inside:my.public.ip.addr/1412 by access-group "access_outside_in"
    TCP request discarded from my.public.ip.addr/45961 to outside:other.users.ip.addr/2362

    I'm quite lost as to why it does not work when I think it should. I tried several ways, opening port ranges, and had no luck with a successful port forward.

    You can change your outside ACL to the following:

    access-list outside permit tcp any host <your-public-ip> eq 1412
    access-list outside permit udp any host <your-public-ip> eq 1412
    access-group outside in interface outside

    Save again with: write mem, and also issue: clear xlate

    I would like to know if it works.

    Jay

  • Pix 501 for Small Business SERVER 2003 configuration problems

    I am new to Cisco equipment. My company recently purchased a PIX 501 firewall with an unlimited user license; it is connected to a cable internet connection with a dynamic IP address. Internet works fine, and so does the DHCP server.

    I have a Windows 2003 Small Business Server on our network. I need to configure the firewall to forward ports to the SBS server for Remote Web Workplace.

    Also, about a week ago I lost connectivity to the PDM GUI via my web browser. Telnet and console work perfectly well.

    I enclose my config file.

    Any help will be appreciated. Thank you

    Ed

    First off, you do not have an access-group statement for any of your ACLs. This means that you have blocked all inbound traffic. You also have your static statements wrong. You can start by cleaning up your config and entering the correct commands; you should be able to paste these into your firewall in config mode:

    no access-list acl-enabled permit ip host 192.168.1.1 host 192.168.1.1
    no access-list acl_outside permit tcp any any eq www
    no access-list acl_inside permit tcp any any eq www
    no access-list inbound permit icmp any any
    no access-list inbound permit tcp any host 24.50.241.113 eq https
    no access-list acl permit gre host 192.168.1.1 host 192.168.1.1
    no access-list outside_in permit tcp any host 24.50.241.113 eq www
    no static (inside,outside) tcp interface www SBSServer www netmask 255.255.255.255 0 0
    no static (inside,outside) tcp interface https SBSServer https netmask 255.255.255.255 0 0
    no static (outside,inside) tcp interface www SBSServer www netmask 255.255.255.255 0 0
    no static (outside,inside) tcp interface https SBSServer https netmask 255.255.255.255 0 0
    static (inside,outside) tcp 24.50.241.113 80 192.168.1.69 80 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 24.50.241.113 443 192.168.1.69 443 netmask 255.255.255.255 0 0
    access-list OUT-IN permit tcp any host 24.50.241.113 eq https
    access-list OUT-IN permit tcp any host 24.50.241.113 eq www
    access-list OUT-IN permit icmp any any
    access-group OUT-IN in interface outside

    What IP are you trying to access your PDM from? The http configuration looks correct, unless you're coming from an IP address other than 192.168.1.x.

    Let me know if it works
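    The two mistakes the reply points out (an access-list that is never bound with access-group, and static translations written in the wrong direction) are mechanical enough to check automatically. The following Python script is an added example, not part of this thread or of any Cisco tool: it parses the access-list, access-group and port-static lines of a PIX 6.x configuration and reports ACLs that are never applied, statics not written (inside,outside), and forwarded ports that the ACL applied to the outside interface does not permit. It understands both the `host <ip>` and the `interface outside` destination forms. The two sample configurations are constructed from the commands discussed above; the parser covers only the command forms used in these threads.

```python
"""Lint a PIX 6.x port-forwarding config for the mistakes the reply above
calls out: an access-list never applied with access-group, a static written
in the wrong direction, and a forwarded port the outside ACL does not permit.
Added example, not from the thread; the sample configs below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Service names PIX accepts in place of port numbers (subset used here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25, "ssh": 22}

# static (IN,OUT) tcp|udp GLOBAL GPORT LOCAL LPORT netmask ...
STATIC_RE = re.compile(
    r"^static\s+\((\w+),\s*(\w+)\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+netmask")

def port_number(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]

@dataclass
class AclEntry:
    proto: str
    dst: str                 # IP literal or name, "any", or "interface"
    dst_port: Optional[int]  # None when the rule carries no "eq <port>"

@dataclass
class Static:
    from_if: str
    to_if: str
    proto: str
    global_addr: str         # IP literal, or "interface" for PAT on the outside address
    global_port: int
    local_addr: str
    local_port: int

@dataclass
class PixPolicy:
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)
    bindings: Dict[str, str] = field(default_factory=dict)  # ACL name -> interface
    statics: List[Static] = field(default_factory=list)

def _take_addr(tokens: List[str]) -> str:
    """Consume one address spec: any | host A | interface IF | NET MASK."""
    kw = tokens.pop(0)
    if kw == "any":
        return "any"
    if kw == "host":
        return tokens.pop(0)
    if kw == "interface":
        tokens.pop(0)        # interface name: the address is that interface's own
        return "interface"
    tokens.pop(0)            # NET MASK form: drop the mask, keep the network
    return kw

def parse_pix(config: str) -> PixPolicy:
    pol = PixPolicy()
    for raw in config.splitlines():
        line = raw.strip()
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] == "permit":
            rest = t[4:]
            _take_addr(rest)                       # source spec, not needed here
            dst = _take_addr(rest)
            port = port_number(rest[1]) if rest[:1] == ["eq"] else None
            pol.acls.setdefault(t[1], []).append(AclEntry(t[3], dst, port))
        elif len(t) >= 5 and t[0] == "access-group":
            pol.bindings[t[1]] = t[4]              # access-group NAME in interface IF
        else:
            m = STATIC_RE.match(line)
            if m:
                f, to, proto, gaddr, gport, laddr, lport = m.groups()
                pol.statics.append(Static(f, to, proto, gaddr, port_number(gport),
                                          laddr, port_number(lport)))
    return pol

def audit(pol: PixPolicy) -> List[str]:
    """Return one human-readable finding per problem; an empty list means clean."""
    findings = []
    for name in pol.acls:
        if name not in pol.bindings:
            findings.append(f"access-list {name} is defined but never applied "
                            f"(missing: access-group {name} in interface <if>)")
    for name in pol.bindings:
        if name not in pol.acls:
            findings.append(f"access-group {name} names an access-list that does not exist")
    outside_rules = [e for n, i in pol.bindings.items() if i == "outside"
                     for e in pol.acls.get(n, [])]
    for s in pol.statics:
        if (s.from_if, s.to_if) != ("inside", "outside"):
            findings.append(f"static ({s.from_if},{s.to_if}) {s.proto}/{s.global_port}: "
                            "inbound port forwards are written (inside,outside)")
            continue
        permitted = any(e.proto == s.proto and e.dst in ("any", s.global_addr)
                        and e.dst_port in (None, s.global_port) for e in outside_rules)
        if not permitted:
            findings.append(f"{s.proto}/{s.global_port} -> {s.local_addr}:{s.local_port} "
                            "has no matching permit in the ACL applied to outside")
    return findings

# Constructed: the shape of the poster's config as the reply describes it.
BROKEN_CONFIG = """
access-list outside_in permit tcp any host 24.50.241.113 eq www
static (outside,inside) tcp interface www SBSServer www netmask 255.255.255.255 0 0
"""

# Constructed from the corrected commands given in the reply.
FIXED_CONFIG = """
static (inside,outside) tcp 24.50.241.113 80 192.168.1.69 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.50.241.113 443 192.168.1.69 443 netmask 255.255.255.255 0 0
access-list OUT-IN permit tcp any host 24.50.241.113 eq https
access-list OUT-IN permit tcp any host 24.50.241.113 eq www
access-list OUT-IN permit icmp any any
access-group OUT-IN in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(parse_pix(cfg)) or ["no findings"])
```

    Run against the broken sample it reports two findings (the unbound ACL and the reversed static); against the corrected commands it reports none. Adding a static for a port the ACL does not mention produces a third kind of finding, which is the quickest way to spot a port forward that will be silently dropped.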

  • Configure the PIX 501 for IDS

    I have a PIX 501 with a wired high-speed LAN at headquarters, inside and outside. What would be a solid IDS policy to enable, and which interfaces must it be applied to? Will other measures be necessary to enable IDS?

    IDS on the PIX itself is very limited; it checks only the 59 signatures listed here (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid9, under the section on supported IDS signatures). The signatures themselves are pretty basic.

    If you still want to activate this, then for the attack signatures I would set the action to drop/alarm/reset, which is the default anyway.

    You will also need to set up logging to a syslog server and monitor for any 4000nn messages in the syslog, since those are the IDS events.
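    Both the Direct Connect post earlier on this page (the "Deny tcp ... by access-group" lines) and the reply just above (watch the syslog for 4000nn IDS messages) come down to reading PIX syslog. The script below is an added example, not from either thread: it pulls the %PIX-4-106023 access-group denies and the %PIX-4-4000nn IDS signature events out of syslog text and aggregates them per ACL/port and per signature, which is the minimum a defender needs to tell a misconfigured port forward from an actual probe. The sample log lines are constructed, and the message layouts are assumptions based on the PIX 6.x syslog format rather than text taken from the page.

```python
"""Triage PIX syslog output for the two message families mentioned in these
threads: ACL denies (%PIX-4-106023, "Deny ... by access-group") and the
built-in IDS signature events (%PIX-4-4000nn, "IDS:<sig> ...").

Added example, not from the forum thread.  The sample lines below are
constructed; the message layouts follow the PIX 6.x syslog format as this
example's author recalls it, so treat the regexes as assumptions."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Generic syslog header: severity and six-digit message id, then the body.
HEADER_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):?\s+(?P<body>.*)")
# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# 4000nn: IDS:<sig> <description> from <ip> to <ip> on interface <if>
IDS_RE = re.compile(
    r"IDS:(?P<sig>\d+) (?P<desc>.+?) from (?P<src>[\d.]+) to (?P<dst>[\d.]+) "
    r"on interface (?P<iface>\w+)")

@dataclass
class LogSummary:
    acl_denies: Counter = field(default_factory=Counter)  # (acl, proto, dst port) -> hits
    ids_events: Counter = field(default_factory=Counter)  # (signature, description) -> hits
    other: int = 0                                        # PIX messages of other kinds
    unparsed: int = 0                                     # lines with no %PIX header

def parse_line(line: str) -> Optional[dict]:
    """Describe one syslog line, or return None when it is not a PIX message."""
    head = HEADER_RE.search(line)
    if not head:
        return None
    msgid, body = head.group("msgid"), head.group("body")
    if msgid == "106023":
        m = DENY_RE.search(body)
        if m:
            return {"kind": "acl_deny", **m.groupdict()}
    elif msgid.startswith("4000"):
        m = IDS_RE.search(body)
        if m:
            return {"kind": "ids", **m.groupdict()}
    return {"kind": "other", "msgid": msgid}

def summarize(text: str) -> LogSummary:
    """Aggregate a block of syslog text into per-rule and per-signature counts."""
    s = LogSummary()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            s.unparsed += 1
        elif rec["kind"] == "acl_deny":
            s.acl_denies[(rec["acl"], rec["proto"], int(rec["dport"]))] += 1
        elif rec["kind"] == "ids":
            s.ids_events[(rec["sig"], rec["desc"])] += 1
        else:
            s.other += 1
    return s

# Constructed sample: three denies of the kind the Direct Connect poster saw,
# three IDS events and one ordinary connection-built message.
SAMPLE_LOG = """\
Jun 12 10:15:02 pix-501 %PIX-4-106023: Deny tcp src outside:203.0.113.5/3099 dst inside:192.0.2.10/1412 by access-group "access_outside_in"
Jun 12 10:15:03 pix-501 %PIX-4-106023: Deny tcp src outside:203.0.113.5/3100 dst inside:192.0.2.10/1412 by access-group "access_outside_in"
Jun 12 10:15:04 pix-501 %PIX-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:192.0.2.10/1412 by access-group "access_outside_in"
Jun 12 10:15:09 pix-501 %PIX-4-400014: IDS:2004 ICMP echo request from 198.51.100.9 to 192.0.2.1 on interface outside
Jun 12 10:15:09 pix-501 %PIX-4-400014: IDS:2004 ICMP echo request from 198.51.100.9 to 192.0.2.1 on interface outside
Jun 12 10:15:11 pix-501 %PIX-4-400023: IDS:3040 TCP NULL flags from 198.51.100.9 to 192.0.2.1 on interface outside
Jun 12 10:15:12 pix-501 %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.8/40000 (203.0.113.8/40000) to inside:192.0.2.10/25 (192.0.2.1/25)
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (acl, proto, port), n in summary.acl_denies.most_common():
        print(f"{n:4d} denies  acl={acl} {proto}/{port}")
    for (sig, desc), n in summary.ids_events.most_common():
        print(f"{n:4d} IDS sig {sig} ({desc})")
```

    A run of denies against one ACL and one destination port, as in the sample, points at a port-forward rule that does not match the translated address; a run of IDS signatures from one source is the pattern the 4000nn monitoring in the reply is meant to surface.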

  • Opening of port 22 in PIX 501

    I would like to access my PC at location xyz. How can I open port 22 for access to my PC? I use a PIX 501.

    Can anyone provide the commands to open the port so that I can access my PC?

    Thank you

    Totally agree, because only 3 commands are needed:

    access-list inbound permit tcp any host <pix-outside-ip> eq 22
    static (inside,outside) tcp interface 22 <pc-inside-ip> 22 netmask 255.255.255.255 0 0
    clear xlate

    However, all of these commands are missing from the config you have posted.

  • PIX 501 for Cisco 3640 VPN router

    -Start ciscomoderator note - the following message has been edited to remove potentially sensitive information. Please refrain from publishing confidential information about the site to reduce the risk to the security of your network. -end of the ciscomoderator note-

    I have a PIX 501 and a Cisco 3640 router. The 3640 is configured with a dynamic map for VPN. The PIX 501 is set up with a static map pointing to the 3640 router. I can establish a tunnel from the PIX to the router and telnet to an AIX machine on the inside network of the router. When I try to print on the network inside the PIX 501, it fails.

    What am I missing? I have added the configuration for the PIX and the router.

    Here is the PIX config:

    PIX Version 6.1(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxx encrypted
    hostname pixfirewall
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet timeout 5
    ssh timeout 5
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:XXXXXXXXXXXXXXXXXXX
    : end

    Here is the router config:

    Router#sh run
    Building configuration...

    Current configuration : 6500 bytes
    !
    version 12.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    no service password-encryption
    !
    hostname Router
    !
    boot system flash slot1:c3640-ik9o3s-mz.122-16.bin
    logging queue-limit 100
    enable password xxxxxxxxxxxxxxxxx
    !
    clock timezone Central -6
    clock summer-time Central recurring
    ip subnet-zero
    no ip source-route
    !
    !
    no ip domain-lookup
    !
    no ip bootp server
    ip inspect name Internet smtp
    ip inspect name Internet ftp
    ip inspect name Internet tftp
    ip inspect name Internet udp
    ip inspect name Internet tcp
    ip inspect name DMZ smtp
    ip inspect name DMZ ftp
    ip inspect name DMZ tftp
    ip inspect name DMZ udp
    ip inspect name DMZ tcp
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 20
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxxxxxxxxx address x.x.180.133
    crypto isakmp key xxxxxxxxxxx address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
    crypto ipsec transform-set PIXRMT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dny-isc 25
     set transform-set PIXRMT
     match address PIX1-static
    !
    !
    crypto map ISCMAP 10 ipsec-isakmp
     set peer x.x.180.133
     set transform-set vpn-test
     match address hunt-static
    !
    crypto map ISCMAP 15 ipsec-isakmp dynamic dny-isc
    !
    call rsvp-sync
    !
    !
    !
    controller T1 0/0
     framing esf
     linecode b8zs
     channel-group 0 timeslots 1-12 speed 64
     description controller to remote frame relay
    !
    controller T1 0/1
     framing esf
     linecode b8zs
     channel-group 0 timeslots 1-24 speed 64
     description controller for SBIS internet link
    !
    interface Serial0/0:0
     description CKT ID 14.HXGK.785129 Frame Relay to Remote Sites
     bandwidth 768
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     encapsulation frame-relay
     frame-relay lmi-type ansi
    !
    interface Serial0/0:0.17 point-to-point
     description Frame Relay to xxxxxxxxxxx location
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 17
    !
    interface Serial0/0:0.18 point-to-point
     description Frame Relay to xxxxxxxxxxx location
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 18
    !
    interface Serial0/0:0.19 point-to-point
     description Frame Relay to xxxxxxxxxxx location
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 19
    !
    interface Serial0/0:0.20 point-to-point
     description Frame Relay to xxxxxxxxxxxxx location
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 20
    !
    interface Serial0/0:0.21 point-to-point
     description Frame Relay to xxxxxxxxxxxx
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 21
    !
    interface Serial0/0:0.101 point-to-point
     description Frame Relay to xxxxxxxxxxx
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 101
    !
    interface Serial0/1:0
     description CKT ID 14.HCGS.785383 T1 to ITT
     bandwidth 1536
     ip address x.x.76.14 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect Internet in
     no ip route-cache
     crypto map ISCMAP
    !
    interface Ethernet1/0
     ip address 10.1.1.1 255.255.0.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no ip route-cache
     no ip mroute-cache
     half-duplex
    !
    interface Ethernet2/0
     ip address 10.100.1.1 255.255.0.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no ip route-cache
     no ip mroute-cache
     half-duplex
    !
    router rip
     network 10.0.0.0
     network 192.168.1.0
    !
    ip nat inside source list 112 interface Serial0/1:0 overload
    ip nat inside source static tcp 10.1.3.4 443 209.184.71.138 443 extendable
    ip nat inside source static tcp 10.1.3.4 9869 209.184.71.138 9869 extendable
    ip nat inside source static 10.1.3.2 209.184.71.140
    ip nat inside source static 10.1.3.6 209.184.71.139
    ip nat inside source static 10.1.3.8 209.184.71.136
    ip nat inside source static tcp 10.1.3.10 80 209.184.71.137 80 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 x.x.76.13
    ip route 10.2.0.0 255.255.0.0 Serial0/0:0.19
    ip route 10.3.0.0 255.255.0.0 Serial0/0:0.18
    ip route 10.4.0.0 255.255.0.0 Serial0/0:0.17
    ip route 10.5.0.0 255.255.0.0 Serial0/0:0.20
    ip route 10.6.0.0 255.255.0.0 Serial0/0:0.21
    ip route 10.7.0.0 255.255.0.0 Serial0/0:0.101
    no ip http server
    !
    !
    ip access-list extended PIX1-static
     permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
    ip access-list extended hunt-static
     permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
    ip access-list extended vpn-static
     permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
     permit ip 192.0.0.0 0.255.255.255 10.1.0.0 0.0.255.255
    access-list 1 deny   10.0.0.0 0.255.255.255
    access-list 1 permit any
    access-list 12 deny   10.1.3.2
    access-list 12 permit 10.1.0.0 0.0.255.255
    access-list 12 permit 10.2.0.0 0.0.255.255
    access-list 12 permit 10.3.0.0 0.0.255.255
    access-list 12 permit 10.4.0.0 0.0.255.255
    access-list 12 permit 10.5.0.0 0.0.255.255
    access-list 12 permit 10.6.0.0 0.0.255.255
    access-list 12 permit 10.7.0.0 0.0.255.255
    access-list 112 deny   ip host 10.1.3.2 any
    access-list 112 deny   ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
    access-list 112 permit ip 10.1.0.0 0.0.255.255 any
    access-list 112 permit ip 10.2.0.0 0.0.255.255 any
    access-list 112 permit ip 10.3.0.0 0.0.255.255 any
    access-list 112 permit ip 10.4.0.0 0.0.255.255 any
    access-list 112 permit ip 10.5.0.0 0.0.255.255 any
    access-list 112 permit ip 10.6.0.0 0.0.255.255 any
    access-list 112 permit ip 10.7.0.0 0.0.255.255 any
    access-list 120 permit ip host 10.100.1.10 host 10.1.3.7
    no cdp run
    !
    dial-peer cor custom
    !
    !
    !
    !
    banner login ^C
    ******************************************************************
    WARNING - Unauthorized USE strictly PROHIBITED!
    ******************************************************************
    ^C
    !
    line con 0
    line aux 0
     password xxxxxxxxxxxx
     login local
     modem InOut
     stopbits 1
     flowcontrol hardware
    line vty 0 4
     exec-timeout 15 0
     password xxxxxxxxxxxxxx
     login
    !
    end

    Router#

    Add the following to the PIX:

    sysopt connection permit-ipsec

    This tells the PIX to bypass all ACLs for IPsec traffic. Right now your IPsec traffic is still subject to the standard PIX rules, so inside-initiated traffic is allowed through, but outside-initiated traffic is not.

  • Simple question PIX 501

    Hey guys,.

    The integrated switch on a PIX 501 will freely forward traffic between devices plugged into it, as long as they are on the same subnet? I assume the answer is yes. If so, is it possible to isolate one device from other network traffic using the PIX only? I can't think of a way, but I'm not a PIX guru, so I figured I'd ask. Thanks a lot for any information you may be able to provide.

    Do you mean private VLANs?

    If so, then 'NO', it is not possible.

    There are no options at all for things like private VLANs on a PIX 501.

    Connect a switch which supports this kind of feature and connect a port of the switch to the PIX.

    sincerely

    Patrick

  • PIX 501 in the firewall of the Web server

    Hello

    At the suggestion of a colleague, we bought a PIX 501 firewall to protect our new Win2003 web server and a UNIX/Oracle DB server.

    I've never worked with firewalls before.

    Our servers are located in a cage at the ISP and belong to us. There are only two servers providing the web site. I have read the documentation in the Getting Started book and it does not answer my question.

    We have 2 web sites with different IP numbers on our web server. Let's say 140.5.5.4 and 140.5.5.5. I understand that I will have to redefine the numbers behind the firewall (192.x...), but I do not understand how the routers at the ISP will be able to route requests for two websites to the firewall when it has one IP number, say 140.5.5.1?

    Any help is appreciated.

    Thank you, Jerry

    Jerry,

    What you are referring to is called port forwarding. Say you have a PIX with a public IP address 12.1.1.1 and your web servers are 12.1.1.2 and 12.1.1.3 respectively. Port forwarding is really a 2-step process:

    * a static translation from the public IP address of the PIX (12.1.1.1) to the address of the web server (12.1.1.2)...

    static (inside,outside) tcp 12.1.1.1 www 12.1.1.2 www netmask 255.255.255.255 0 0

    * a conduit statement, basically "all web requests should be allowed in on the outside interface of the PIX"...

    conduit permit tcp host 12.1.1.1 eq www any

    Here is a link that will help you to clarify this point:

    www.Cisco.com/warp/Customer/707/28.html

    This should help you get started. Regarding the basic configuration, there are config examples on the Cisco site if you have CCO access.

    Let me know if it helps.

    Rob H.

  • PIX 501 default configuration / password recovery/restoration

    I need to reset the PIX 501 (lost password). I tried the password recovery instructions and got to the monitor prompt by using the console connection, but cannot get the file to be transferred using tftp (the ping command also times out).

    1. Should the interface command be set to 0 or 1 (I used 1)?

    2. For the address command I was using 192.168.1.1

    3. For the server command, I was using the IP address of the tftp server

    4. Gateway? (Which is it, the PIX or the computer)?

    5. In addition to the blue console cable, what other cables should be connected, and to which ports?

    Thank you

    I'm guessing you already have this document:

    http://www.Cisco.com/en/us/customer/products/HW/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml

    I would use the default inside interface of 1. Connect a standard Ethernet cable to one of the inside ports on the PIX and the other end to your PC that has the tftp server software on it. Make sure that you see a link light on both ends. If not, swap this cable, or keep it if you think it is a crossover cable. If you set the PIX address to 192.168.1.1, then I would set my tftp server address to 192.168.1.2 or something in the same subnet. This way we won't care what the gateway address is. No need to let pesky routers get in the way when we're down!

    Since you asked question 5 above, I'll explain. You should have a console cable connected; it seems you do, since you can get to the monitor> prompt. You'll also need an Ethernet cable plugged into a PC running a tftp server with the IP address 192.168.1.2. 3Com makes a really good F*R*E*E tftp server.

    http://support.3Com.com/software/utilities_for_windows_32_bit.htm

    Select the last file in the list. Make sure you get the password recovery file from the Cisco link above for the PIX OS version you are running. Configure the tftp server to point to the directory containing the PIX password recovery file and you are ready. Good luck, Derrick

  • PIX 501 - VPN - based

    Hello

    I am considering implementing a PPTP VPN on a Win2k server behind a PIX 501 firewall (+ NAT) with only 1 static IP address. I will also need to have at least 2-3 Terminal Server clients connected simultaneously.

    The Terminal Server service will pass through the VPN tunnel.

    Can this be achieved? A local tech told me that I need at least 2 IP addresses.

    Thank you

    Mike

    For Terminal Server services, you can do it with just the IP address assigned to the external interface of the PIX; just create a static port mapping for port 3389 through to the inside device.

    For PPTP, however, you need a separate IP address, different from the one assigned to the PIX outside int. This is because PPTP uses two protocols, TCP/1723 and GRE. You can create a static port mapping for TCP/1723 through to the PPTP server, but you can't do it for GRE. This is because GRE is not a TCP/UDP protocol; it sits just above IP and therefore has no port number to map through. You need a unique IP address and a static for it. Your config should look like this:

    access-list inbound permit tcp any host 200.1.1.1 eq 1723
    access-list inbound permit gre any host 200.1.1.1
    access-group inbound in interface outside
    static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255

    where 200.1.1.1 is your second (different from the PIX outside int) routable IP address and 10.1.1.1 is your inside PPTP server.

    If you only want to use one IP address, why not set the PIX itself up as a PPTP server and terminate your connections on it. The PPTP clients then terminate simply on the PIX outside IP address, and you will not need any others.

    See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml for more details.

  • PIX 501 NAT and PAT with a single IP address

    Using the following configuration on my first PIX 501, I am unable to provide a mail server to the outside world and allow inside clients to browse the Internet:

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxx
    passwd xxx
    hostname fw-sam-01
    domain-name SAM
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside permit tcp any host 62.x.x.109 eq smtp
    access-list inside permit tcp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 62.177.x.x 255.255.255.248
    ip address inside 192.168.45.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.45.2 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 62.177.x.x 192.168.45.2 netmask 255.255.255.255 0 0
    access-group outside in interface outside
    access-group inside in interface inside
    route outside 0.0.0.0 0.0.0.0 62.177.x.x 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.45.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.45.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    : end

    Is it that I am using access lists and groups wrong, or am I wrong in the PAT/NAT configuration?

    Please advise...

    Hello

    I went through the ongoing discussion. The PIX configuration should be fine now according to the suggestions. The problem seems to be on the server. If it is a new installation of Windows, then there is an option not to accept requests that are not from the local network.

    If you want to check whether the PIX allows connections, then when you telnet to port 25 from the outside, just check the xlates.

    sh xlate, and it should show you a translation for the inside host. Another quick test of whether the PIX allows traffic is to check 'sho access-list outside' and see if the counters are increasing.

    Hopefully this should help you.

    Arun S.

  • PIX 501 PPPOE outside

    Hello

    I have a pix 501.

    It gets its IP address from the ISP using PPPoE.

    If I have an e-mail server inside, can I still NAT email to this device?

    I have done NAT for mail servers before, where I had a block of IPs from the ISP.

    In this scenario, I have 1 IP (not static) outside.

    Can I allow other services too, although I have 1 IP address?

    John

    The config is OK, but it might be better to replace the fixed IP address in the access list and the static by a dynamic one.

    1. You have configured:

    access-list outside_access_in permit tcp any host XX.XX.XXX.XXX eq ftp
    access-group outside_access_in in interface outside
    static (inside,outside) tcp XX.XX.XXX.XXX ftp ftpserver ftp netmask 255.255.255.255 0 0

    2. I would replace this with:

    access-list outside_access_in permit tcp any interface outside eq ftp
    access-group outside_access_in in interface outside
    static (inside,outside) tcp interface ftp ftpserver ftp netmask 255.255.255.255 0 0

    The advantage of this configuration is that if the IP address changes, the NAT and access list do not have to change.

    3. You need a CLEAR XLATE after you have changed the NAT settings.

    clear xlate

    Note that this will reset all connections.

    4. Use a DynDNS or No-IP client so that when you connect over the Internet you just have to know the DNS name, and if the IP address changes the client will update the DynDNS server.

    See: http://www.no-ip.com/downloads.php

    5. Are you sure that your ISP allows ftp, smtp and http? Many providers block these ports for non-commercial DSL connections!

    sincerely

    Patrick

  • Help the PIX 501 - cannot access startup.html

    I'm new to networking and have been given the job of configuring a PIX 501 firewall.

    The facts are:

    We use iptables rules as a firewall on a Linux machine. My PC is connected to a switch. So I used the yellow network cable to connect port 0 of the PIX 501 to a port on the switch. Then I disconnected my PC's cable from the switch and plugged it into port 1 of the PIX 501.

    My PC was using a static IP address before. I tried changing it to obtain an IP address automatically, but it would not work. So I changed the setting back and used the original IP address. The network connection icon pop-up message says that the local connection is enabled. But when I try to ping 192.168.1.1, the request times out. Also I can't access https://192.168.1.1/startup.html.

    I have had a look at the Cisco online books and troubleshooting guides, but most of them talk about configuration or more advanced features. I'm still at the very basic level of trying to connect to the firewall.

    I hope someone can help me. All ideas and questions are welcome. Thank you.

    Your IP address should be fine. You do not want to have the PIX connected to your local network while you also have the Linux firewall, as this will cause a conflict. Keep the PIX off the LAN for now. Your DNS configuration will have no effect because the URL you are trying to reach is based on the IP address and not the domain name, so your PC has nothing to look up.

    You have to check the cable that you use - if your PIX has only one 'inside' interface, then you must use a crossover cable. If it has four, then it's a built-in switch and a straight cable will be fine. Which PIX model is it?

    After checking the cable, see if you can console into the firewall - use the blue cable that came with the PIX and set up a terminal (HyperTerminal) connection using 9600, 8, none, 1. If you can console in, then you can paste in a basic configuration and go from there.
