PIX 515 E (PIX OS 7.0.1) / website problem

I have a problem with a PIX 515E with PIX OS 7.0.1

Internet access works very well, but there are sites we sometimes can't open, or that are very slow. I test the same websites on a dedicated Internet connection and then luckily problems.

I disabled inspect http and inspect dns on the PIX, but the result was the same.

I have tested it on a web proxy and on a direct connection to the Internet.

Can someone tell me a solution to this problem?

Thank you

D.

This may be due to a Cisco problem:

PIX/ASA 7.0: HTTP clients cannot navigate to certain Web sites

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

Hope this is useful

Tags: Cisco Security

Similar Questions

  • PIX default factory reset (activation key problem)

    Hi all

    I have a question about the Cisco PIX firewall. If I reset the PIX firewall to default, do I have to activate it again or not? I mean, do I have to re-enter the activation key or not?

    Hi sandeep,

    I ran into an activation key issue when I changed the IOS, but have never seen a factory default cause this. If you worry about it, issue sh ver and write down your activation key, in case it asks for it.

    Regards

  • DES/3DES license needed for the PIX 515 active/active configuration.

    Hello

    I am setting up two PIX active/active.

    My problem is that the unrestricted PIX has the 3DES license activated, but the FO-AA has just the DES license.

    I would like to know if it is possible to downgrade the 3DES to just the unrestricted DES license (I know that the alternative would be to upgrade the FO-AA to 3DES, but I don't need this license).

    Thank you.

    Javier,

    You can get a FREE 3DES/AES license from Cisco for your PIX; go here:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_product_index09186a00801bc3ec.html

    Hope this helps and please note post if it isn't.

    Jay

  • PIX 515E configuration problems

    I have a PIX 515 UR (OS 6.3.2) that works really well, so I copied the configuration onto my new PIX 515E-R (OS 6.3.2). The two PIXes have exactly the same configuration. But when I use the PIX 515E-R, I have some problems, with the PIX 515E-R only:

    -I can't access the Internet, but I can ping the Internet router from my PIX 515E. The problem, in my view, must be with the Internet router, not with my external interface.

    -I have a similar problem with my DMZ. I can ping the DMZ frame relay router interface, but I can't get past this router.

    Is it possible that the PIX 515E-R is not compatible with the router, and the PIX 515 UR is?

    Thanks for your replies.

    Hello

    Just a thought: try clearing the ARP table on the router and see what happens. Let me know if it helps.

    Jay

  • Palm Pixi (Sprint) problems

    I tried to get on Live Chat, but it seems to be declining.  I'll try to be brief and detailed.

    I got a Pixi just over a week ago.  From the word go it seemed really slow.  When I press on an application, the lighted icon sits there for at least 3 seconds and then the app loads after a delay.  If I have 2 apps loading it becomes almost unresponsive.  I restored the Pixi with webOS Doctor and the problem still persists.

    Does this sound like a hardware problem?  Is there anything else I can do to isolate S/W or H/W?

    Which accounts have you synchronized with the Pixi (Google, Facebook, Yahoo, Exchange, etc.)? I would start by removing those first, if you had several, to see if it's related to one of them.

  • PIX 6.3 (4) failover strangeness with VLAN

    I have a failover pair of 535s running 6.3(4) and have experienced strange things while trying to get stateful failover to work. We use the serial cable for failover and a dedicated GE for the state traffic via a directly connected crossover cable. We have a mix of standard non-VLAN'ed interfaces, but also one physical i/f carrying ~10 VLANs. We are well within the limits of i/fs allowed on the PIX, so that isn't a problem. Also, the VLAN'ed i/f on the two firewalls connects via an 802.1q trunk on the same ProCurve 9315 switch. All the required VLANs are configured as tagged on the two ports on the switch.

    The problem we had was that all the VLAN-based interfaces and the physical i/f associated with these VLANs were perpetually in the (waiting) state, and we had no stats in the stateful section of the 'show failover' command output, which implied to me that stateful failover was not in fact working. Failover works and traffic passes regardless of which firewall is active.

    Based on things I've read, I concluded that the problem was probably that 'Hello' messages were not being seen on each VLAN. So I did a bunch of captures on the different VLAN i/fs of the PIX expecting to see outgoing Hellos from the local unit, but saw nothing. Then I had the thought that maybe they were sent out untagged on the physical i/f, so I made a capture on it and also got nothing other than the Hellos coming out on the physical interface.

    What we did that fixed it was to add the physical VLAN to the list of allowed tagged VLANs on the firewall-connected switch ports. As if by magic the physical i/f went to the Normal state, as did all the VLAN interfaces, and we started to get stateful statistics in the output of the show failover command.

    And yet a capture on any of the VLAN interfaces still does not show the Hellos, and a capture on the physical interface now shows bidirectional Hellos for the physical LAN. Weird.

    So my questions are:

    1> Why are the VLAN interfaces dependent on their physical i/f for failover? I was told that you need not have any IP or nameif configured for the physical i/f; it just must be enabled for the VLAN i/fs to work.

    2> How are the VLAN i/fs passing Hellos to each other?

    I can include my config if that helps.

    Peter

    Peter,

    (1) Why is a good question. AFAIK that is according to the doc (same link below):

    "When you set up failover for an interface VLAN, Hello packets are sent through the physical interface, so the physical interface must be configured with an ip address."

    (2) I don't think that they are:

    One of the guides

    http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

    "Note that failover is supported with VLAN interfaces. But the failover lan interface command does not support VLAN interfaces, and neither does the failover link command."

    So basically it looks like hello packets are sent only on physical interfaces (dumped on whatever VLAN you put them in) and the VLANs will "failover" if the PIX does, but if you had a failure in one particular VLAN the PIX would not notice it until the VLAN the physical interface has been assigned to failed.

    Of course, it works at the equivalent level of FWSM code, but FWSM never had physical interfaces.

    The 7.x train supports subinterfaces, obviously.

    -Jason

    Please rate this message if it helps!

  • PIX and problem of virtual FTP hosts

    I have a Cisco PIX (version 6.3(3)) behind which I have all my ISP customers. I have a web server outside the PIX hosting various web sites on one IP (virtual hosts). People outside the PIX can FTP to the web server without any problem. People inside the PIX cannot. We have had this problem since I started using virtual servers on the FTP server and assigning different FTP port numbers for each of the web sites. (We only had a single site on the web server until a few days ago.) I guess it's a PIX problem because that's the only difference between access to the FTP server for my ISP customers and for non-customers. So, my question is: do I also have to open the new FTP port numbers on my PIX? I already have "fixup protocol ftp 21". Should I add similar statements for each of the new higher ports? I'm new to using a PIX; we didn't cover them in my CCNA and CCNP courses. Also, I can FTP to virtual hosts located on other ISPs' servers, which makes no sense to me. Thank you.

    Hello

    I assume by "higher port numbers" you mean the new FTP servers are listening on ports other than the default port 21. If this is the case, then you are quite correct to say you need to add more fixup commands.

    The way active FTP works is that a control connection is established between the client and the server over TCP 21, and then they negotiate a data port. The *server* then initiates a connection to the client on this port.

    Normally this isn't a problem for the PIX, because it watches the control connection on port 21 and understands that it needs to open a hole for the connection on the new port, but if you do FTP on ports other than 21, you must tell the PIX to 'look' at that port as an FTP control connection so it can then open the firewall for the data connection.

    You can check the fixup here:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

    The short version: you need an outgoing access list entry for the new FTP port (say it's 2525), then, to inspect it as if it were FTP, the command "fixup protocol ftp 2525".

    -Jason

    Be sure to note if it helps.
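The control-channel inspection Jason describes, as an added illustration that is not part of the original thread or of Cisco's code: a small Python model of the fixup that inspects FTP control connections only on the ports it has been told about (one per "fixup protocol ftp N" line), parses active-mode PORT commands as defined in RFC 959, and records the server-to-client data-channel pinhole that has to be let back in. A control port the fixup was never told about is simply not inspected, so the data connection that follows gets no pinhole, which is the poster's symptom. The addresses, the server on port 2525 and the FtpFixup class are assumptions made for the example.

```python
"""Toy model of 'fixup protocol ftp <port>': inspect FTP control channels on
the configured ports, parse PORT commands, open data-channel pinholes.
Added illustration, not Cisco code."""
import re

# PORT h1,h2,h3,h4,p1,p2  ->  client address h1.h2.h3.h4, client port p1*256+p2
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line):
    """Return (ip, port) for an RFC 959 PORT line, or None if it is not one."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpFixup:
    """Inspects FTP control channels on the configured ports and opens pinholes."""

    def __init__(self, control_ports):
        # one entry per 'fixup protocol ftp N' line, e.g. {21, 2525}
        self.control_ports = set(control_ports)
        # (server_ip, client_ip, client_port) tuples allowed server -> client
        self.pinholes = set()

    def observe_control(self, client_ip, server_ip, server_port, payload):
        """Feed one client->server control-channel line. Returns the pinhole
        opened, or None (port not inspected, not a PORT command, or rejected)."""
        if server_port not in self.control_ports:
            return None  # never inspected, so no pinhole will ever be opened
        parsed = parse_port_command(payload)
        if parsed is None:
            return None
        data_ip, data_port = parsed
        # Reject PORT commands naming an address other than the connection's
        # own source (the FTP bounce case), as the PIX fixup does.
        if data_ip != client_ip:
            return None
        hole = (server_ip, client_ip, data_port)
        self.pinholes.add(hole)
        return hole

    def allows_inbound(self, src_ip, dst_ip, dst_port):
        """Would a server-initiated data connection be let through?"""
        return (src_ip, dst_ip, dst_port) in self.pinholes


def demo():
    """Constructed scenario: an FTP server on port 2525 behind a fixup that only
    knows port 21 (the poster's situation), then one that knows 21 and 2525."""
    client, server = "192.168.1.10", "203.0.113.5"
    port_cmd = "PORT 192,168,1,10,4,1\r\n"  # client data port 4*256+1 = 1025
    before = FtpFixup([21])
    after = FtpFixup([21, 2525])
    return {
        "uninspected_2525": before.observe_control(client, server, 2525, port_cmd),
        "data_allowed_uninspected": before.allows_inbound(server, client, 1025),
        "inspected_2525": after.observe_control(client, server, 2525, port_cmd),
        "data_allowed_inspected": after.allows_inbound(server, client, 1025),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model only covers active mode, which is the case the reply explains; the real fixup also tracks passive-mode 227 replies in the server-to-client direction.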

  • bandwidth after setting the pix is terrible

    I get terrible bandwidth results after setting up a PIX 501. I am using cable, and my bandwidth is like dial-up access. I tried to download some files and visited sites like bandwidthspeedtest.com.

    I separated the interfaces with IP audit rules applied and used PDM for monitoring. Its memory and CPU resources are fine, and there is nothing unusual about the state of the traffic. Attached is my config; maybe I missed something that you could point out to me?

    Thank you

    Bill

    Did you also check that the router or the external cable modem has the same link speed and duplex settings as the PIX?

    Most performance problems are due to this.

    A duplex mismatch most often shows up as increasing error counters on the interfaces in question. The most common errors are frame, CRC and runts. If these values are incrementing on your interface, you have a wiring problem or a duplex mismatch. Fix this before doing anything else.

    You have set: 10 MB full duplex

    Take a look at your interface to see if you have errors:

    show interface

    It can also be a good test to see if it is better at 10 MB half-duplex, even if that creates collisions.

    Note: Set the two devices to a fixed speed and duplex, the same of course, or use auto-negotiation on both.

    See also: PIX performance monitoring

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

    Sincerely

    Patrick
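An added example, not part of the original thread or of Cisco's software: Patrick's advice is to read the error counters from show interface, so this Python snippet parses a constructed sample of PIX 6.x-style show interface output and flags interfaces whose frame, CRC, runt or late-collision counters are non-zero, the symptoms he attributes to a duplex mismatch or a cabling fault. The sample output, interface names and counter values are constructed for the example and are not a capture from the poster's PIX.

```python
"""Scan PIX-style 'show interface' output for the error counters that point at
a duplex mismatch or bad cabling. Added example; the sample text is constructed."""
import re

SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.e300.0001
  IP address 203.0.113.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit full duplex
        184233 packets input, 91200314 bytes, 0 no buffer
        Received 13 broadcasts, 57 runts, 0 giants
        812 input errors, 640 CRC, 115 frame, 0 overrun, 0 ignored, 0 abort
        171822 packets output, 30419988 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.e300.0002
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        204111 packets input, 40012233 bytes, 0 no buffer
        Received 44 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        199002 packets output, 98765432 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
"""

IFACE_RE = re.compile(r'^interface (\S+) "([^"]*)" is (\w+), line protocol is (\w+)')
SPEED_RE = re.compile(r"BW (\d+) Kbit (full|half) duplex")
# the counters the reply singles out, plus collisions / late collisions
COUNTERS = ("runts", "CRC", "frame", "collisions", "late collisions")
COUNTER_RES = {name: re.compile(r"(\d+) " + re.escape(name) + r"\b") for name in COUNTERS}


def parse_show_interface(text):
    """Return {interface: {nameif, status, protocol, speed_kbit, duplex, <counters>}}."""
    interfaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"nameif": m.group(2), "status": m.group(3), "protocol": m.group(4),
                       "speed_kbit": None, "duplex": None}
            interfaces[m.group(1)] = current
            continue
        if current is None:
            continue
        s = SPEED_RE.search(line)
        if s:
            current["speed_kbit"] = int(s.group(1))
            current["duplex"] = s.group(2)
        for name, rx in COUNTER_RES.items():
            c = rx.search(line)
            if c:
                current[name] = int(c.group(1))
    return interfaces


def diagnose(interfaces):
    """Interfaces whose frame/CRC/runt/late-collision counters are non-zero."""
    suspects = {}
    for name, info in interfaces.items():
        bad = {k: info.get(k, 0) for k in ("frame", "CRC", "runts", "late collisions")
               if info.get(k, 0)}
        if bad:
            suspects[name] = bad
    return suspects


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE_SHOW_INTERFACE)
    for iface, bad in diagnose(parsed).items():
        info = parsed[iface]
        print(f"{iface} ({info['nameif']}, {info['speed_kbit']} Kbit {info['duplex']} duplex): "
              f"check speed/duplex and cabling, error counters {bad}")
```

Run it twice a few minutes apart and compare the counters: the reply's point is that they keep incrementing under a mismatch, not just that they are non-zero after a long uptime.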

  • No Audio, video or ringtone - Sprint Palm Pixi

    We have had our Pixi since June with no problems.  Suddenly this morning the ringtone no longer works, and the ringer switch is turned on.  When you examine the ringtone options, previews play with no sound.  Stored .mp3 files don't produce audio.  When you go to YouTube there is no audio or video, but the time marker advances, showing that the video plays.  Preloaded videos won't play at all, giving back an error message.

    I tried a soft reset without effect.  Nothing has changed between last night and today that should affect the phone and the phone never had a wired headset.

    What else can we try?  Thank you!

    Mark V.

    Mark,

    I recently had the same problem with audio and video, and my camera wouldn't take photos.  It all started after downloading the new version 1.4.5.  I had to download WebOS Doctor on the computer and follow the instructions to reload the update on my Pixi.  It fixed all the problems and it is now at 100 percent operation.  Let me know if it solves your problem.

    also, make sure that you run the backup feature before you run webos doctor.

    Sincerely,

    Carl

  • How do you return to defalut font

    Given my poor eyesight, I tried to increase the font size. I do not know now how I did it, but I had a very large print, which is nice, but it has distorted my videos until I can hardly tell what they are. How can I reset my computer to where it was before?

    Don't worry any more.  Sometimes ignorance is a blessing.  I went into "Display settings" and clicked on the 32 pix color setting and it solved all the problems.  I have no idea why, but it also restored the option buttons to set the font size.  Thank you for your consideration.

  • PIX515-E DMZ clients struggling with WAN web pages

    I have a DMZ behind a PIX515-E configuration that cannot display web pages from devices that are managed on the external interface of the firewall. Clients can communicate with the controller without problem, except when the web interface on the PLC is requested. I tested with my laptop on the outside and the inside of the PIX. I get the same problem on the inside as the client systems, but the pages are fine outside. I studied it to find what I can do and have found nothing that helps. I can pull a web page running on IIS from the inside without any problem. I set up rules to allow IP, UDP and TCP, with destination and service set to everything, for each of the PLCs. No syslog messages appear when clients try to access the external web pages. Any suggestion will be highly appreciated.

    You may need to try increasing the default DNS byte length in the PIX; 512 MB is the default size. Increase it to 1024 and see if it makes a difference. I've seen similar issues which increasing it solved.

    PIX(config)# fixup protocol dns maximum-length 1024

    http://www.Cisco.com/en/us/docs/security/PIX/pix63/configuration/guide/fixup.html#wp1063720

  • VPN Client connection terminated

    I am new to the Cisco PIX and I'm having a problem with connections being dropped. We use a 515E on 6.2 and my laptops use VPN Client 4.0 and RADIUS to IAS on a W2K3 Server. After about 30 minutes, a window appears saying "Secure VPN connection terminated by peer. Reason: (reason unspecified by peer)". I've combed through the configuration settings of the Cisco and of my connection on the RADIUS server and am unable to find anything to help. Any help would be appreciated.

    Thank you

    Warren

    On the PIX 515, if you do a 'show vpngroup', what is the 'max-time' setting configured to? If it is not configured, you can set a vpngroup max-time for the clients of the group. You can also set the idle max here too. For troubleshooting, maybe set it to 3600 seconds (1 hour) to see if you are disconnected. Then adjust your idle time down (you can set it to 0 if you never want clients to idle out) and see what happens.

    Matt

  • DMZ connected network is not available

    My configuration:

    PIX - servers with gateway as pix - DMZ dmz - remote router - remote LAN

    When I try to reach the remote LAN from the DMZ servers, I'm not able to reach it.

    My servers have the PIX as gateway.

    The PIX has a route for the remote LAN. (From the PIX I don't have any problem reaching the remote LAN.)

    When I add remote-LAN-specific routes pointing to the local router, then I don't have a problem reaching the remote LAN.

    My problem is why the servers with the PIX as gateway are not able to reach the remote LAN.

    The problem is related to the PIX v6.x golden rule.

    The golden rule is that the PIX fundamentally does not redirect packets in and out the same interface. For example, the DMZ server tries to send a packet to the remote LAN. Since the DMZ server has the PIX DMZ interface as its default gateway, the DMZ server passes the packet to the PIX DMZ interface to begin with. The PIX receives the packet coming from the DMZ server for the remote LAN. Now, the PIX determines that the next hop for this particular packet is the router in the DMZ, which is once again through the DMZ interface. As mentioned, the golden rule does not allow this operation because the packet was received on the PIX DMZ interface.

    The workaround, as Martin mentioned earlier, is to change the default gateway on the DMZ server. The default gateway should be the router in the DMZ; then configure static routes on the router.

    Now, there are two choices with regard to the routing configuration on the router.

    a: Configure the PIX DMZ interface as the default gateway of the DMZ router and configure a static route to the remote LAN; or

    b: Configure the remote router as the default gateway of the DMZ router and configure a static route for the PIX inside net.

    Personally, I prefer the first option, as the DMZ server may need access to the Internet via the PIX as well.

    Looking again at the traffic flow for the DMZ: the DMZ router is the default gateway of the DMZ server; the DMZ router has the PIX DMZ interface as its default gateway and static routes for the remote LAN.

    A packet from the DMZ server for the remote LAN will be forwarded to the DMZ router. The DMZ router will then forward the packet to the remote router based on the static routes. Alternatively, a packet from the DMZ server to the Internet or to the PIX inside subnet will be forwarded to the DMZ router. The DMZ router will then forward the packet to the PIX DMZ interface based on the default gateway settings.
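The "golden rule" forwarding behaviour described above, as an added example that is not part of the original thread or of Cisco's code: a toy Python forwarding model in which the PIX drops any packet whose egress interface is the interface it arrived on, traced first for the DMZ server with the PIX as gateway and then with the DMZ router as gateway and the static route on the router (option a), including the Internet-bound flow that option a keeps working. All addresses, interface names and node names are constructed for the example.

```python
"""Toy forwarding model of the PIX 6.x 'golden rule' (no in-and-out on the same
interface). Added example with a constructed topology; not Cisco code."""
import ipaddress


class Node:
    """A forwarding hop: attached networks per interface, static routes, default."""

    def __init__(self, name, interfaces, routes=(), default=None, same_if_forwarding=True):
        self.name = name
        self.ifaces = {n: ipaddress.ip_network(net) for n, net in interfaces.items()}
        self.routes = [(ipaddress.ip_network(d), ipaddress.ip_address(nh)) for d, nh in routes]
        self.default = ipaddress.ip_address(default) if default else None
        # False models the PIX golden rule: never forward out the ingress interface
        self.same_if_forwarding = same_if_forwarding

    def iface_for(self, ip):
        ip = ipaddress.ip_address(ip)
        for name, net in self.ifaces.items():
            if ip in net:
                return name
        return None

    def next_hop(self, dst):
        """Connected network wins, then longest-prefix static route, then default."""
        dst = ipaddress.ip_address(dst)
        if self.iface_for(dst):
            return dst
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if matches:
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        return self.default

    def forward(self, src, dst):
        """Next-hop address for a packet src->dst, or None if this hop drops it."""
        in_if = self.iface_for(src)  # toy: ingress is the interface the source network sits on
        nh = self.next_hop(dst)
        out_if = self.iface_for(nh) if nh is not None else None
        if out_if is None:
            return None
        if out_if == in_if and not self.same_if_forwarding:
            return None  # came in on dmz, would go back out dmz: dropped
        return nh


# Constructed topology: PIX dmz interface 10.2.0.1, DMZ router 10.2.0.254 with a
# WAN link to the remote router 10.3.0.2, which fronts remote LAN 10.4.0.0/24.
PIX = Node("PIX",
           {"inside": "10.1.0.0/24", "dmz": "10.2.0.0/24", "outside": "203.0.113.0/24"},
           routes=[("10.4.0.0/24", "10.2.0.254")], default="203.0.113.1",
           same_if_forwarding=False)
DMZ_ROUTER = Node("dmz-router", {"dmz": "10.2.0.0/24", "wan": "10.3.0.0/30"},
                  routes=[("10.4.0.0/24", "10.3.0.2")], default="10.2.0.1")  # option a
REMOTE_ROUTER = Node("remote-router", {"wan": "10.3.0.0/30", "lan": "10.4.0.0/24"})
NODES = {"10.2.0.1": PIX, "10.2.0.254": DMZ_ROUTER, "10.3.0.2": REMOTE_ROUTER}


def trace(gateway, src, dst, max_hops=8):
    """Follow src->dst starting at the server's default gateway. Returns the hop
    names plus a final token: 'delivered', 'DROP', or the address it was handed to."""
    path = []
    hop = NODES[gateway]
    for _ in range(max_hops):
        path.append(hop.name)
        nh = hop.forward(src, dst)
        if nh is None:
            path.append("DROP")
            return path
        if nh == ipaddress.ip_address(dst):
            path.append("delivered")
            return path
        if str(nh) not in NODES:
            path.append(f"forwarded to {nh}")
            return path
        hop = NODES[str(nh)]
    path.append("loop")
    return path


if __name__ == "__main__":
    server = "10.2.0.10"
    print("gateway = PIX:       ", trace("10.2.0.1", server, "10.4.0.20"))
    print("gateway = DMZ router:", trace("10.2.0.254", server, "10.4.0.20"))
    print("to the Internet:     ", trace("10.2.0.254", server, "198.51.100.7"))
```

The DMZ router keeps same_if_forwarding at its default of True, which is what lets the Internet-bound packet come in on its dmz interface and go back out to the PIX; the restriction is specific to the firewall.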

  • Text in turnover and assets States jump down

    I'm sure there's a setting somewhere that I just can not find.

    You can see what I mean at http://www.richtigsingen.de/ uber-erwin - stephan.html where I did the upper tabs for the problem

    or here: http://www.richtigsingen.de/siegbrunn-musiktheater.html where I left as they were.

    When I scroll through the "States" in the side window, whether whole tab or only the selected text, there is no movement. Only when I go to preview in Muse or publish, the "Rollover" and "Active" states (which I have chosen to make another color) jump down; on the second page they in fact disappear behind the panel. Can someone tell me the setting that I forgot?

    I'm in Vista HP with all the updates and update Muse.

    Thanks in advance for any help with this.

    Karen

    PS - I use Firefox, but I just checked in Internet Explorer and the result was the same.

    Hoohah! Wasn't it exactly, but you put me on the right path!

    I made a narrower BG jpg for the tabs as you suggested (60 pix high) and tried. The same problem. Important to note that I had been creating the mosaic image with the 'Tile' setting. Then I tried another parameter, 'Original size', thinking maybe that would do something. YES! It worked! I discovered that the original size has no importance! As long as I did not use the "Tile" setting, the text and tabs behave normally. I'm ecstatic.

    With the other tiling settings everything works as it should; it's just "Tile" that messes up. I wonder if this is a bug.

    In any case, thanks for pointing me at the right window, so to speak.   Now I can get on with the site.

  • Win2K NAT'd from 1650 to a PIX 515 - does not

    Hello:

    I have a working VPN config on my 515 (6.2.2) and can tunnel from a host with a valid external IP without any problem. But with a NAT'd client, nothing seems to work.

    I use RADIUS to authenticate after using a group password. Here is the sequence of events.

    (1) The client machine has a 10.0.0.1 address, NAT'd to a public address coming into the 'outside' port.

    (2) The client connects, the user enters the GANYMEDE password and is connected.

    (3) The user tries to browse any service and cannot.

    (4) If the user switches DNS to an external server, the Internet portion of the split tunnel works fine but inside is still broken.

    (5) Clients with static, publicly routable IP addresses connect and can perform all internal and external split-tunnel activities.

    Excerpts from the config. Am I doing something wrong?

    ! PIX 6.2 configuration excerpt, reconstructed from the machine-garbled post.
    ! The "des" tokens (rendered as "of" by the translation) and the aaa-server
    ! tag "Harpy" are inferred from the garbled lines.
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set noaset esp-des esp-md5-hmac
    crypto dynamic-map dynnoamap 10 set transform-set noaset
    crypto map noamap 10 ipsec-isakmp dynamic dynnoamap
    crypto map noamap client authentication Harpy
    crypto map noamap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup noagroup address-pool noapool
    vpngroup noagroup dns-server 66.119.192.1
    vpngroup noagroup wins-server 66.119.192.4
    vpngroup noagroup default-domain noanet.net
    vpngroup noagroup split-tunnel vpn-ip
    vpngroup noagroup idle-time 3600
    vpngroup noagroup password *

    Help and thanks in advance.

    Mike

    You do not have anything wrong. The problem is that NAT (actually PAT, port address translation) and IPSec do not work well together, and many PAT devices cannot PAT IPSec traffic at all (PIX included, until version 6.3).

    The problem is that PAT depends on using the TCP or UDP source port number as a way to differentiate between sessions, because they are all PAT'd from the same source IP address. However, IPSec (ESP at least) runs right on top of IP; in other words, it is NOT a TCP or UDP protocol, and therefore has no associated port number. This breaks most PAT devices.

    The reason you can build your tunnel initially is that it is all done by ISAKMP, which is a UDP protocol, which can be PAT'd fine. Once the tunnel is built, however, all encrypted data is sent in ESP packets, which as I said is not a TCP or UDP protocol.

    Static NAT translations work because they do not rely on the use of the port number; they just change the source address, which works fine with ESP.

    There is not much you can do about it. If you were terminating the VPN on a VPN3000 concentrator, it has a feature called IPSec through NAT, which encapsulates all ESP packets in a UDP packet, which can then be PAT'd properly. The PIX, unfortunately, doesn't have this feature. The only solution is to get a NAT device that handles IPSec properly. Surprisingly, some of the less expensive devices on the market handle it, but you should check with each manufacturer to be sure.
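The PAT-versus-ESP argument above, as an added example that is not part of the original thread or of Cisco's code: a toy PAT device in Python keyed on protocol and source port, which passes ISAKMP (UDP 500) and delivers the reply back inside, cannot build a translation for raw ESP (IP protocol 50, which has no port), passes ESP through a static one-to-one NAT that rewrites only the address, and passes ESP once it is wrapped in UDP/4500 the way IPsec NAT traversal (RFC 3948) does. The addresses, the PatDevice and StaticNat classes and the port allocation scheme are constructed for the example.

```python
"""Why PAT breaks ESP but not ISAKMP, static NAT or UDP-encapsulated ESP.
Added example with constructed addresses; not Cisco code."""
from dataclasses import dataclass, replace
from typing import Optional

TCP, UDP, ESP = 6, 17, 50  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP: there is no transport header
    dport: Optional[int] = None
    payload: Optional["Packet"] = None  # inner ESP packet when carried in UDP (NAT-T)


class PatDevice:
    """Overloads one public address; sessions are told apart by protocol and port."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (proto, inside_ip, inside_port) -> public_port
        self.back = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Translate inside->outside, or return None when no entry can be built."""
        if pkt.proto not in (TCP, UDP):
            # ESP carries no port: nothing to rewrite and nothing to key the
            # return traffic on, so a port-based translator cannot track it.
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt):
        """Reverse translation keyed on the destination port of the reply."""
        entry = self.back.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


class StaticNat:
    """One-to-one address mapping: only the IP header changes, so ESP is fine."""

    def __init__(self, inside_ip, public_ip):
        self.inside_ip, self.public_ip = inside_ip, public_ip

    def outbound(self, pkt):
        return replace(pkt, src=self.public_ip) if pkt.src == self.inside_ip else None

    def inbound(self, pkt):
        return replace(pkt, dst=self.inside_ip) if pkt.dst == self.public_ip else None


def nat_t_encapsulate(esp_pkt):
    """Wrap ESP in UDP on port 4500, as IPsec NAT traversal (RFC 3948) does."""
    return Packet(UDP, esp_pkt.src, esp_pkt.dst, 4500, 4500, payload=esp_pkt)


def demo():
    """Constructed scenario: inside client 10.0.0.1 behind PAT, peer 198.51.100.20."""
    pat = PatDevice("203.0.113.9")
    client, peer = "10.0.0.1", "198.51.100.20"
    results = {}
    # Phase 1 (ISAKMP, UDP 500) gets a port translation and the reply finds its way back.
    isakmp_out = pat.outbound(Packet(UDP, client, peer, 500, 500))
    results["isakmp_out"] = (isakmp_out.src, isakmp_out.sport)
    reply = Packet(UDP, peer, pat.public_ip, 500, isakmp_out.sport)
    results["isakmp_reply_to"] = pat.inbound(reply).dst
    # Phase 2 traffic is ESP: no port, so the PAT device has nothing to work with.
    esp = Packet(ESP, client, peer)
    results["esp_out"] = pat.outbound(esp)
    # Static one-to-one NAT rewrites only the address, so ESP passes.
    results["static_esp_src"] = StaticNat(client, "203.0.113.10").outbound(esp).src
    # UDP-encapsulated ESP is just another UDP flow as far as the PAT device is concerned.
    natt_out = pat.outbound(nat_t_encapsulate(esp))
    results["natt_out"] = (natt_out.src, natt_out.sport, natt_out.payload.proto)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```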
