PIX 515 DMZ problem

Similar Questions

• Cisco Pix 515 VPN problems

  Hi all

  Here's my problem, I have 2 PIX 515 firewall...

  I'm trying to implement a VPN site-to site between 2 of our websites...

  Two of these firewalls currently run another site to site VPN so I know who works...

  I can't do the second site to the site to launch the VPN... when looking on the syslogs I get refused packages...

  Protected networks are:

  172.16.48.0/24 and 172.16.4.0/22

  If I try to ping from the Cisco (172.16.48.4) to 172.16.4.5, I get the following syslog:

  2 sep 02 2008 08:59:47 106001 172.16.48.4 172.16.4.5 incoming TCP connection doesn't deny from 172.16.48.4/1231 to 172.16.4.5/135 SYN flags on the interface inside

  It seems that the tunnel is trying to initiate, but something is blocking the internal traffic to penetrate through the VPN.

  Don't know what that might be, the other VPN are working properly.

  Any help would be great...

  I enclose a copy of one of the configs...

  Let me know if you need another...

  no road inside 172.16.4.0 255.255.252.0 172.16.48.1 1

  Remove this path should you get. Please rate if it does. Similarly, if you have a road similar to the other end, it should be deleted as well.

• Accounting customer VPN on PIX 515 worm problem. 6.3

  Hello everyone! Is it possible to configure PIX 515 worm. 6.3 to send logs to the RADIUS to break when a VPN Client user loggs in and outside loggs? I can't find any aaa accounting command which allows this.

  Hello

  Accounting of VPN was added in PIX 7.x. It is not available with 6.x

  Kind regards

  Vivek

• Translation problem group on PIX 515

  Hi can someone help me with this?

  I'm trying to configure a PIX 515 to pass messages icmp from the interface vlan dmz configured on interface (Vlan 3) PIX inside interface.

  setting it up like this

  interface ethernet0 100full

  interface ethernet1 100full

  interface ethernet2 100full

  physical interface ethernet2 vlan2

  logical interface ethernet2 vlan3

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  nameif ethernet2 msx interieure4

  nameif dmz security7 vlan3

  SH nat

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  NAT (dmz) 1 0.0.0.0 0.0.0.0 0 0

  NAT (msx) 1 0.0.0.0 0.0.0.0 0 0

  Global HS

  Global (inside) 1 interface

  Global interface (dmz) 1

  Global (msx) 1 interface

  At this stage I am not concerened with access lists that I get the error message is as follows

  155:-echo request ICMP dmz:192.168.3.1 to 10.240.2.2 ID = 512 seq = 11520 length = 40

  305005: no translation not found for icmp src dmz:192.168.3.1 dst domestic group: 10.240.2.2 (type 8, code 0)

  I'm not an expert when it comes to the PIX can someone help. Two other things can help shed light on the problem, there is no configuration of routing between Vlan interfaces, this could be a problem? I tried a static command and still have the same error that the order was... static (dmz, inside) 192.168.3.1 192.168.3.1

  Hi David:

  As you try to allow host from an interface for low security to a high security interface, you must have

  static (high, low) high high

  In this case, you must:

  static (inside, dmz) 10.240.2.2 10.240.2.2 netmask 255.255.255.255 0 0

  I assume that you already have an access list to allow the icmp message of echo applied to the DMZ interface. If it is not already there, just add an ACE to allow the icmp message to echo that you should be good to go.

  Sincerely,

  Binh

• PIX 515 adding a second DMZ

  Hello

  This is the specification of our PIX:

  Cisco PIX Firewall Version 6.2 (2)

  Cisco PIX Device Manager Version 2.0 (2)

  Updated Saturday, June 7 02 17:49 by Manu

  Firewall of the hours - days.

  Material: PIX - 515, 32 MB RAM, Pentium 200 MHz processor

  I28F640J5 @ 0 x 300 Flash, 16 MB

  BIOS Flash AT29C257 @ 0xfffd8000, 32 KB

  0: ethernet0: the address is 0003.6bf6.74a2, irq 11

  1: ethernet1: the address is 0003.6bf6.74a3, irq 10

  2: ethernet2: the address is 00a0.c944.395b, irq 9

  Features licensed:

  Failover: disabled

  VPN - A: enabled

  VPN-3DES: enabled

  Maximum Interfaces: 3

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal hosts: unlimited

  Throughput: unlimited

  Peer IKE: unlimited

  Is it possible to add a second DMZ simply by adding another network card to the system? If this is not the case, what I have to do to get a second DMZ?

  Kind regards

  Alan

  You have already 3 interfaces, and your license only allows 3 (that you run limited license). Read the line of your worm above show: maximum Interfaces: 3

  You must update your Unrestricted license, then you can have up to 6 interfaces.

  It will be useful.

  Steve

• DNS traffic blocked after PAT - PIX 515

  I have PIX 515 with 3 named NIC (internal, external, dmz)

  I have 2 servers (Exchange and Windows 2000 with SMTP) in the demilitarized zone.

  I currently have a static command pointing to doamin for exchange Server IP address in the DMZ.

  I wanted to PAT on the IP address of the e-mail domain so that the configuration will look like as follows.

  The IP field will be used for the global IP

  all pop3 for global ip traffic will go to Exchange

  all www for the global IP traffic will go to Exchange

  all smtp for global ip traffic will go to the Windows 2000-based SMTP relay (SMTP relay is configured to send the e-mail received in exchange Server)

  I hosted DNS udp and tcp traffic to the servers.

  before pat, the server can use DNS to resolve IP domain e-mail and send mail to the Internet.

  As soon as I PAT the Internet e-mail delivery stops.

  When I did an NSLOOKUP command returns an error indicating that the DNS server cannot be resloved.

  The servere DNS used by these 2 servers are servers DNS of ISP.

  Is there any concern when you PAT.

  Thank you

  Hello

  I found the problem:

  for now, your dmz servers can go to the internet with pop3, smtp, and www. Only for these protocols is a (static) translation to provide in the config file.

  You will need to will provide you a translation for other protocols (for example, dns) also. This can be accomplished with one of the following two things:

  create a nat - pair overall for the DMZ for outdoor

  NAT (dmz) 1 0.0.0.0 0.0.0.0

  Global (outside) 1 200.100.100.168 (already exists)

  create a static translation for each of the other protocols (next to pop3, smtp, www), you want to pass from the dmz to the internet (you already did that for www, pop3 and smtp).

  Kind regards

  Tom

• PIX 515E configuration problems

  I have a UR PIX 515 (6.3.2 os) that works really well, so I copy the configuration on my new PIX 515E-R (os 6.3.2). The PIX 2 have exactly the same configuration. But when I use the PIX 515E-R, I have some problems with the PIX 515E r only

  -I can't access the Internet, but I can ping the router Internet of my PIX 515E. The problem, in my view, must be with the Internet router, not on my external interface.

  -J' have a similar problem with my DMZ. I can ping to the DMZ, a frame relay router interface, but I can't pass this router.

  Is it possible that PIX 515E-R is not compatible with the router? and not the PIX 515 HEART?

  Thanks for your replies.

  Hello

  Just a thought, try clearing the PRA of table on the router and see what happens. Let me know if it helps.

  Jay

• PIX 515 6.1 (1) crashes every night

  We have a PIX 515 E Firewall (failover) with a simple configuration to allow web traffic only from inside. PIX with three interfaces ethernet and the DMZ is rarely used for specific needs. A www server is hosted with authentication through aaa for incoming users inside.

  For the last week, PIX crashes end each evening. No traffic doesn't cross the pix and we cannot ping all devices of pix as well. There are a lot of "no buffers" counts seen in all the PIX interfaces. The CPU usage is about 21%.

  Can anyone help to determine if this could be a hardware problem?

  Best regards, Murali

  Hi Murali,

  I'm not aware of any problem with the hardware, but there could be a software bug. I suggest that you open a case with cisco tac.

  or you can upgrade to 6.1.4 which has fix for most of the bugs.

  Thank you

  Syed

• PDM with PIX 515 does not work

  I just upgraded our PIX 515 of 6.1 to 6.2. I also added support FOR and loaded the version 2.1 of the PDM. I am trying to browse the MDP, but I can't. What Miss me?

  Hello

  have you added the following lines to your config file and have you used HTTPS to access the pix (http is not taken in charge, only https)?

  Enable http server

  http A.B.C.D 255.255.255.255 inside

  A.B.C.D is the ip address of the host from which you are trying to reach the pix with the pdm.

  If you're still having problems after the addition of these two lines, you might have a look at this page:

  http://www.Cisco.com/warp/customer/110/pdm_http404.shtml

  Kind regards

  Tom

• How to open a port and limit the range of addresses that use it on PIX 515?

  I have a Pix 515 v6.3 and a new piece of software that I'm getting soon need aura 5080 open port for incoming & outgoing HTTP traffic. The server will be in my DMZ to 10.0.0.1

  I would like to restrict inbound access to this port so that it can be used in 4 specific IP adderess foreign xxx.xxx.xxx.24 through xxx.xxx.xxx.27 and also, if possible, limit the outbound destination using this port to a single specific foreign IP address xxx.xxx.xxx.30.

  Could you please tell me the best way to do it.

  Thank you in advance for a relative novice to PIX.

  PIX (config) # access list acl-outside permit tcp host xxx.xxx.xxx.24 host MyWWWPublicIP eq 5080

  PIX (config) # access list acl-outside permit tcp host xxx.xxx.xxx.25 host MyWWWPublicIP eq 5080

  PIX (config) # access list acl-outside permit tcp host MyWWWPublicIP eq xxx.xxx.xxx.26 host 5080

  PIX (config) # access list acl-outside permit tcp host MyWWWPublicIP eq xxx.xxx.xxx.27 host 5080

  PIX (config) # access - group acl-outside in interface outside

  PIX (config) # access list acl - dmx permit tcp host 10.0.0.1 xxx.xxx.xxx.30 eq 5080

  PIX (config) # access - group acl - dmz dmz interface

  static (inside, outside) MyWWWPublicIP 10.0.0.1 netmask 255.255.255.255 0 0

  See also:

  PIX 500 series firewall

  http://www.Cisco.com/pcgi-bin/support/browse/psp_view.pl?p=hardware:PIX & s = Software_Configuration

  Configuration of the PIX Firewall with access to the Mail Server on the DMZ network

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

  sincerely

  Patrick

• PIX 515 limited software technical spec

  I couldn't find a complete tech

  specifications of the restricted part of the software on the PIX-515-R-DMZ-BUN, which is this chassis seem to bear no x interfaces, y amount of RAM and Z no users inside. X = 3, Y = 32 meg, which is Z and are there restrictions more and more of this?

  Rgds

  Martyn Beck

  The only chassis PIX that has limitations of the user is the 501 PIX which comes with a 10, 50 or unlimited user license. The 515 has not any restrictions on the number of internal users that this number is rather arbitrary. Instead, we use the throughput and simultaneous connections that are roughly 190 MB of throughput and 130 000 simultaneous connections. Also the license restricted on the 515 does not failover of any kind.

  Here is a link to 515E data sheets:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_data_sheet09186a0080091b15.html

  I hope this helps.

  Scott

• PIX 515 no traffic on the new IP address don't block

  We have received a new range of ips 213.x.x.x/28 from our ISP. They are routed through our existing entry door 92.x.x.146.

  The problem:
  We can not all traffic to the pix on the new 213.x.x.x/28 range.
  -If we try to ping 213.x.x.61, we get the lifetime exceeded.
  -ISP Gets the same thing of their router.
  -ISP tries ssh and gets no route to host.

  The ISP has ticked then double the Routing and the MAC address of our external interface. They are correct.

  The strange thing is that we cannot see THE log messages about the new range of incoming connection attempts. The Pix is running at the level of the journal 7.

  Does anyone have an idea what could be the problem? or suggestions for debugging the issue?

  Excerpt from config:
  7.0 (7) independent running Pix 515
  outside 92.x.x.146 255.255.255.240
  inside 192.168.101.1 255.255.255.0
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  Route outside 0.0.0.0 0.0.0.0 92.x.x.145 1
  Access-group acl_out in interface outside
  acl_out list extended access permit tcp any host 213.x.x.x eq www
  acl_out list extended access permit tcp any host 213.x.x.x eq ssh
  static (inside, outside) 213.x.x.61 192.168.101.99 netmask 255.255.255.255
  ICMP allow any inaccessible State

  192.168.101.99 is a test with http and ssh linux server

  Any help much appreciated.

  PM

  dsc_tech_1 wrote:
  I have spoken to the ISP and confirmed the MAC address of the outside interface Ethernet0
  
      ISP says
  
      ...we are sending this correctly to your pix, you should see any traffic destined for a 213.x.x.0/28 address hit your interface at 92.x.x.146/32
  
  Yes 217.x.x.81 and 217.x.x.82 are routers owned by our ISP.
  Is there anything else I can ask the ISP in terms of testing/debugging? I've run out of ideas.
  

  If the routers are owned by your ISP, then the fault lies with them. They have a routing loop in their network and that's why packages are not your firewall. You have them shown the traceroute?

  They must focus on the routeurs.81 et.82 to establish why the packets are looped between these 2 routers. Until they fix this packet will never get your firewall.

  Jon

• PIX 515 and software version 6.3 (4)

  We have a PIX 515 (not 515E). Currently, we are running software version 6.2 (2). I was wondering if we can improve the software to version 6.3 (3) or 6.3 (4), or do we need to replace the hardware with PIX 515E?

  Also what should I do on my current PDM version 2.0 (2) if it is possible to upgrade the PIX to a 6.3 version?

  Thank you.

  You can run on the Pix515 6.34. It takes at least 16 MB of flash and 32 MB of RAM.

  If you use PDM, you will need to be updated also.

  Josh

• Limit the number of users for a pix 515 uauth

  I have a PIX 515 authenticate and authorize against a Cisco Secure ACS server for outbound internet connections (using the web prompt). For the purposes of scale, I need to know the maximum number of sessions competitor for these types of users. I know there is a limit of 16 reviews on simultaneous approval process (the process of logging in first), but once they are connected, is there a limit?

  Once connected, the number of connections is limited by the number of concurrent connections that can handle a PIX. For example, the PIX 515 E can handle a maximum of 130 000 concurrent connections.

• PIX - 515 does not identify Tokenring Interfacecard

  Hello

  I installed a PIX-1 TR interface in the PIX 515. Start ok, 'answer' no configuration. SH LVE and sho int etc. presents only the build Ethernet0 and Eth1 but no interface tokenring.

  HS release looks like as follows.

  Thanks Ruedi

  pixfirewall # sh ver

  Cisco PIX Firewall Version 6.2 (2)

  Cisco PIX Device Manager Version 2.0 (2)

  Updated Saturday, June 7 02 17:49 by Manu

  pixfirewall until 10 mins dry 14

  Material: PIX - 515, 32 MB RAM, Pentium 200 MHz processor

  I28F640J5 @ 0 x 300 Flash, 16 MB

  BIOS Flash AT29C257 @ 0xfffd8000, 32 KB

  0: ethernet0: the address is 0003.6bf6.a8a9, irq 11

  1: ethernet1: the address is 0003.6bf6.a8aa, irq 10

  Features licensed:

  Failover: disabled

  VPN - A: enabled

  VPN-3DES: disabled

  Maximum Interfaces: 3

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal hosts: unlimited

  Throughput: unlimited

  Peer IKE: unlimited

  Serial number: 405341167 (0x182903ef)

  Activation key running: xxxxxxxxx

  Modified configuration of enable_15 to 13:11:47.490 UTC Tuesday, December 23, 2003

  pixfirewall #.

  Hello

  Token-Ring is no longer supported, I think since version 6.0.