PIX 515 VPN config help

Similar Questions

• Cisco Pix 515 VPN problems

  Hi all

  Here's my problem, I have 2 PIX 515 firewall...

  I'm trying to implement a VPN site-to site between 2 of our websites...

  Two of these firewalls currently run another site to site VPN so I know who works...

  I can't do the second site to the site to launch the VPN... when looking on the syslogs I get refused packages...

  Protected networks are:

  172.16.48.0/24 and 172.16.4.0/22

  If I try to ping from the Cisco (172.16.48.4) to 172.16.4.5, I get the following syslog:

  2 sep 02 2008 08:59:47 106001 172.16.48.4 172.16.4.5 incoming TCP connection doesn't deny from 172.16.48.4/1231 to 172.16.4.5/135 SYN flags on the interface inside

  It seems that the tunnel is trying to initiate, but something is blocking the internal traffic to penetrate through the VPN.

  Don't know what that might be, the other VPN are working properly.

  Any help would be great...

  I enclose a copy of one of the configs...

  Let me know if you need another...

  no road inside 172.16.4.0 255.255.252.0 172.16.48.1 1

  Remove this path should you get. Please rate if it does. Similarly, if you have a road similar to the other end, it should be deleted as well.

• PIX 515E v7 VPN config help

  Hello

  I have a PIX 515E current of execution to 7.

  Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or the ip address of the ISP router is provided).

  I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?

  I think that v7 does not support PPPOE? so I can't set the mode on the bridged adsl modem?

  Is there a way to fix this?

  Any help appreciated gratefully.

  apply the commands below:

  ISAKMP identity address

  ISAKMP nat-traversal 20

  If the problem persists, then please post the entire config with ip hidden public.

• termination of VPN client 4.0 on pix 515

  I am trying to connect the cisco 4.0 vpn client to a worm of pix 515 6.1 and receive as a result of errors that I guess are the related hashing algorithm but am not sure. Only DES is not enabled 3DES. Config output Cisco post interprets but apparently no error in config.

  Journal of VPN client:

  Cisco Systems VPN Client Version 4.0 (Rel)

  Copyright (C) 1998-2003 Cisco Systems, Inc. All rights reserved.

  Customer type: Windows, Windows NT

  Running: 5.0.2195

  1 10:58:34.890 25/09/03 Sev = Info/4 CM / 0 x 63100002

  Start the login process

  2 10:58:34.906 25/09/03 Sev = Info/4 CVPND/0xE3400001

  Microsoft's IPSec Policy Agent service stopped successfully

  3 10:58:34.906 25/09/03 Sev = Info/4 CM / 0 x 63100004

  Establish a connection using Ethernet

  4 10:58:34.906 25/09/03 Sev = Info/4 CM / 0 x 63100024

  Attempt to connect with the server "x.x.x.226".

  5 10:58:35.953 25/09/03 Sev = Info/6 IKE/0x6300003B

  Attempts to establish a connection with x.x.x.226.

  6 10:58:36.000 25/09/03 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Nat - T), VID (Frag), VID (Unity)) at x.x.x.226

  7 10:58:36.000 25/09/03 Sev = Info/4 IPSEC / 0 x 63700008

  IPSec driver started successfully

  8 10:58:36.000 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  9 10:58:41.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  10 10:58:41.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

  11 10:58:46.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  12 10:58:46.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

  13 10:58:51.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  14 10:58:51.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

  15 10:58:56.093 25/09/03 Sev = Info/4 IKE / 0 x 63000017

  Marking of IKE SA delete (I_Cookie = 20FC277498A5D2DC R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

  16 10:58:56.593 25/09/03 Sev = Info/4 IKE/0x6300004A

  IKE negotiation to throw HIS (I_Cookie = 20FC277498A5D2DC R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

  17 10:58:56.593 25/09/03 Sev = Info/4 CM / 0 x 63100014

  Could not establish the Phase 1 SA with the server 'x.x.x.226' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.

  18 10:58:56.593 25/09/03 Sev = Info/5 CM / 0 x 63100025

  Initializing CVPNDrv

  19 10:58:56.593 25/09/03 Sev = Info/4 IKE / 0 x 63000001

  Signal received IKE to complete the VPN connection

  20 10:58:56.625 25/09/03 Sev = critique/1 CVPND/0xE3400001

  Service Microsoft's IPSec Policy Agent started successfully

  21 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  22 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  23 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  24 10:58:57.093 25/09/03 Sev = Info/4 IPSEC/0x6370000A

  IPSec driver successfully stopped

  Journal of Pix:

  crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

  Peer VPN: ISAKMP: approved new addition: ip:x.x.x.194 Total VPN peer: 1

  Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 1 Total VPN EEP

  RS: 1

  Exchange OAK_AG

  ISAKMP (0): treatment ITS payload. Message ID = 0

  ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 1

  ISAKMP: encryption... What? 7?

  ISAKMP: hash SHA

  ISAKMP: default group 2

  ISAKMP: preshared extended auth

  ISAKMP: type of life in seconds

  ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

  ISAKMP: attribute 3584

  ISAKMP (0): atts are not acceptable. Next payload is 3

  ISAKMP (0): audit ISAKMP transform against the policy of priority 1 2

  ISAKMP: encryption... What? 7?

  ISAKMP: MD5 hash

  ISAKMP: default group 2

  ISAKMP: preshared extended auth

  ISAKMP: type of life in seconds

  ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

  ISAKMP: attribute 3584

  ISAKMP (0): atts are not acceptable. Next payload is 3

  ISAKMP (0): audit ISAKMP transform 3 against the policy of priority 1

  ISAKMP: encryption... What? 7?

  ISAKMP: hash SHA

  ISAKMP: default group 2

  ISAKMP: preshared auth

  ISAKMP: type of life in seconds

  ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

  ISAKMP: attribute 3584

  ISAKMP (0): atts are not acceptable. Next payload is 3

  ISAKMP (0): audit ISAKMP transform 4 against the policy of priority 1

  ISAKMP: encryption... What? 7?

  ISAKMP: MD5 hash

  ISAKMP: default group 2

  ISAKMP: preshared auth

  ISAKMP: type of life in seconds

  ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

  ISAKMP: attribute 3584

  ISAKMP (0): atts are not acceptable. Next payload is 3

  ISAKMP (0): audit ISAKMP transform 5 against the policy of priority 1

  ISAKMP: encryption... What? 7?

  ISAKMP: hash SHA

  ISAKMP: default group 2

  ISAKMP: preshared extended auth

  ISAKMP: type of life in seconds

  ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

  ISAKMP: attribute 3584

  ISAKMP (0): atts are not acceptable. Next payload is 3

  ISAKMP (0): audit ISAKMP transform 6 against the policy of priority 1

  ISAKMP: encryption... What? 7?

  ISAKMP: MD5 hash

  ISAKMP: default group 2

  ISAKMP: preshared extended auth

  ISAKMP: type of life in seconds

  ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

  ISAKMP: attribute 3584

  ISAKMP (0): atts are not acceptable. Next payload is 3

  ISAKMP (0): audit ISAKMP transform 7 against the policy of priority 1

  ISAKMP: encryption... What? 7?

  ISAKMP: hash SHA

  ISAKMP: default group 2

  ISAKMP: preshared auth

  ISAKMP: type of life in seconds

  ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

  ISAKMP: attribute 3584

  ISAKMP (0): atts are not acceptable. Next payload is 3

  ISAKMP (0): audit ISAKMP transform 8 against the policy of priority 1

  ISAKMP: encryption... What? 7?

  ISAKMP: MD5 hash

  ISAKMP: default group 2

  ISAKMP: preshared auth

  ISAKMP: type of life in seconds

  ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

  ISAKMP: attribute 3584

  ISAKMP (0): atts are not acceptable. Next payload is 3

  ISAKMP (0): audit ISAKMP transform 9 against the policy of priority 1

  ISAKMP: 3DES-CBC encryption

  ISAKMP: hash SHA

  ISAKMP: default group 2

  ISAKMP: preshared extended auth

  ISAKMP: type of life in seconds

  ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4

  crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

  Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 2 Total VPN EEP

  RS: 1

  Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 1 Total VPN EEP

  RS: 1

  crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

  Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 2 Total VPN EEP

  RS: 1

  Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 1 Total VPN EEP

  RS: 1

  ISAKMP (0): retransmission of phase 1...

  ISAKMP (0): retransmission of phase 1...

  ISAKMP (0): delete SA: src x.x.x.194 dst x.x.x.226

  ISADB: Reaper checking HIS 0x80db91c8, id_conn = 0 DELETE IT!

  Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 0 Total of VPN EEP

  RS: 1

  Peer VPN: ISAKMP: deleted peer: ip:x.x.x.194 VPN peer Total: 0

  ISAKMP: Remove the peer node for x.x.x.194

  Thanks for any help

  Hello

  Pix isakmp policy should have DES, MD5, and group 2 for the 4.x to connect Cisco VPN client, these are proposals that the client sends to the server...

  http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/rel4_0/admin_gd/vcach6.htm#1157757

  This link will show you IKE proposals be configured on the PIX (VPN server)

  Arthur

• VPN for PIX 515 allowing access to a single host

  I have already setup on my PIX 515 a VPN connection, which allows the user to connect to our network via a cisco VPN client to access network resources.

  I want to configure now is an another VPN connection that external users can use but would only allow access to a host.

  E.g. I would like to VPN in my site but would be allowed to access the 10.1.1.1 on my network.

  How can I do this? What I have to install VPNGROUP another and somehow an access list to allow only traffic to a host of configuration. Can anyone help with the correct syntax for the PIX.

  Thank you

  Scott

  You will now have a bunch of commands "vpngroup" in your PIX, simply go into config mode and add more commands 'vpngroup' but with a different groupname. The VPN client then uses this group name to connect to the PIX.

  Another way to allow only access to a host for this PIX is to split tunnelling on this group, as well as in the tunnel of split ACL set only as a host.

• VPN to pix 515

  Good day to all,

  I'm trying to configure the client VPN to a PIX 515.  Once VPN'ed in, the traffic is going no where, but on THIS subnet. The Vlan that we are trying to achieve is a 10.111.250.x/23.  Once VPN'ed in the allocation of an IP address is 10.111.250.33 - 10.111.250.63. We can VPN in and get VPN IP assigned, but we cannot get anywhere inside VLANs.  I was sure that it could be done in a layer 2.  You can view the assigned addresses VPN arped entries and the inside address Vlan on the Pix.

  Keep in mind, my first thought was to change the VPN address assigned, but we do not want to carry on this Vlan especially because access is very limited.

  Is it possible to make this work?  If I have to redo attributes and policy, I.

  Thank you

  Dwane

  The output shows that the PIX is decrypt packets, but not encryption.

  So there is a good chance that packets are sent within the network but not to return.

  Check the following:

  management-access within the--> this command should allow ping to the IP of the VPN PIX inside (make sure you that if you can TEST this IP address when connected)

  Verify that the default gateway within the network (behind the PIX) is the current inside the property intellectual of the PIX.

  After these tests, post again "sh cry ips its"

  Federico.

• Accounting customer VPN on PIX 515 worm problem. 6.3

  Hello everyone! Is it possible to configure PIX 515 worm. 6.3 to send logs to the RADIUS to break when a VPN Client user loggs in and outside loggs? I can't find any aaa accounting command which allows this.

  Hello

  Accounting of VPN was added in PIX 7.x. It is not available with 6.x

  Kind regards

  Vivek

• Win2K NAT would be from 1650 to a PIX 515 - does not

  Hello

  :

  I have a working VPN config on my 515 (6.2.2) and can tunnel from one host with a valid external IP without any problem. But, with a NAT would be customer, nothing seems to work.

  I use RADIUS to authenticate after using a password for the group. Here is the sequence of events.

  (1) client machine as a 10.0.0.1 address, NAT had a public address to come into the port of 'outside '.

  (2) the client connects, the user enters GANYMEDE password and is connected.

  (3) the user tries to browse any service and can not.

  (4) if the user switches DNS to an external server, the portion of the split tunnel internet works fine but inside is still broken.

  (5) clients with static IP addresses that are publicly routable connect and can perform all internal and external activities of split tunnel.

  Excerpts from config. I'm doing something wrong?

  Permitted connection ipsec sysopt

  No sysopt route dnat

  Crypto ipsec transform-set esp - esp-md5-hmac noaset

  Crypto dynnoamap dynamic-map 10 transform-set noaset

  noamap 10 card crypto ipsec-isakmp dynamic dynnoamap

  Harpy of authentication card crypto client noamap

  noamap interface card crypto outside

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup address noapool pool noagroup

  vpngroup dns 66.119.192.1 Server noagroup

  vpngroup noagroup wins server - 66.119.192.4

  vpngroup noagroup by default-field noanet.net

  vpngroup split-tunnel vpn - IP noagroup

  vpngroup idle 3600 noagroup-time

  vpngroup password noagroup *.

  Help and thanks in advance.

  Mike

  You do not have something wrong. The problem is that NAT (NAT actually PAT, port) and IPSec is not working very well, and many features PAT can PAT IPSec traffic to all (PIX included until version 6.3).

  The problem is that PAT depends on using the port number TCP or UDP source as a way to differentiate between sessions, because they are all PAT would be from the same source IP address. However IPSec (ESP at least), tracks right on top of IP, in other words, it is NOT a TCP or UDP protocol, and therefore has no associated port number. It breaks most of the PAT devices.

  The reason for which you can build your tunnel initially, it is that it is all done by ISAKMP, which is a UDP protocol, which can be PAT would be fine. Once the tunnel is built however, all encrypted data are sent by packs of ESP, which as I said, is not a TCP or UDP protocol.

  Trnalsations NAT static work cause they do not rely on the use of the port number, they just change the address of the source that works very well with ESP.

  There is not much you can do about it. If you were closing the VPN into a VPN3000 concentrator, it has a feature called IPSec through NAT, which encapsulates all ESP packets in a UDP packet, which can then be PAT would be properly. The PIX, unfortunately, doesn't have this feature. The only solution is to get a NAT device that manages properly the IPSEc. Surprisingly, some of the less expensive devices on the market handle it, but you should check with each manufacturer to be sure.

• Adding a pix 501 VPN 2

  Hello.. I am beginner in this kind of things cisco...

  I'm trying to set up multiple VPN on a Cisco PIX 501 firewall with routers Linksys BEFVP41...

  Since not very familiar with the CLI, I use the PDM utility and it was very easy for the first... Unfortunately, I get this error when I try to add the second VPN using the VPN Wizard:

  Outside_map map (ERR) crypto set peer 200.20.10.3

  WARNING: This encryption card is incomplete

  To remedy the situation even and a list of valid to add this encryption card

  Hi garcia

  for each vpn/peer, you need to a separate instance of crypto card, the card will have the same name, but different sequence... numbers one map encryption can be attributed to an interface, but you can have several instance of cards inside a main...

  for configuration, you can go through the URL below... It has all the details on IPSEC config:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/ipsecint.htm

  I hope this helps... all the best... the rate of responses if deemed useful...

  REDA

• PIX: Cisco VPN Client connects but no routing

  Hello

  We have a Cisco PIX 515 with software 7.1 (2). He accepts Cisco VPN Client connections with no problems, but no routing does to internal networks directly connected to the PIX. For example, my PC is affected by the IP 172.16.2.57 and then ping does not respond to internal Windows server 172.16.0.12 or trying to RDP. The most irritating thing is that these attempts are recorded in the system log, but always ended with "SYN timeout", as follows:

  2009-01-06 23:23:01 Local4.Info 217.15.42.214% 302013-6-PIX: built 3315917 for incoming TCP connections (172.16.2.57/1283) outside:172.16.2.57/1283 inside: ALAI2 / 3389 (ALAI2/3389)

  2009-01-06 23:23:31 Local4.Info 217.15.42.214% 302014-6-PIX: TCP connection disassembly 3315917 for outside:172.16.2.57/1283 inside: ALAI2 / 3389 duration 0:00:30 bytes 0 SYN Timeout

  2009-01-06 23:23:31 Local4.Debug 217.15.42.214% 7-PIX-609002: duration of disassembly-outside local host: 172.16.2.57 0:00:30

  We tried to activate and deactivate "nat-control", "permit same-security-traffic inter-interface" and "permit same-security-traffic intra-interface", but the results are the same: the VPN connection is successfully established, but remote clients cannot reach the internal servers.

  I enclose the training concerned in order to understand the problem:

  interface Ethernet0

  Speed 100

  full duplex

  nameif outside

  security-level 0

  IP address xx.yy.zz.tt 255.255.255.240

  !

  interface Ethernet1

  nameif inside

  security-level 100

  172.16.0.1 IP address 255.255.255.0

  !

  access extensive list ip 172.16.0.0 inside_nat0_outbound allow 255.255.255.0 172.16.2.56 255.255.255.248

  !

  access extensive list ip 172.16.0.0 outside_cryptomap_dyn_20 allow 255.255.255.0 172.16.2.56 255.255.255.248

  !

  VPN_client_group_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.255.0

  !

  IP local pool pool_vpn_clientes 172.16.2.57 - 172.16.2.62 mask 255.255.255.248

  !

  NAT-control

  Global xx.yy.zz.tt 12 (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 12 172.16.0.12 255.255.255.255

  !

  internal VPN_clientes group strategy

  attributes of Group Policy VPN_clientes

  xxyyzz.NET value by default-field

  internal VPN_client_group group strategy

  attributes of Group Policy VPN_client_group

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list VPN_client_group_splitTunnelAcl

  xxyyzz.local value by default-field

  !

  I join all the details of the cryptographic algorithms because the VPN is successfully completed, as I said at the beginning. In addition, routing tables are irrelevant in my opinion, because the inaccessible hosts are directly connected to the internal LAN of the PIX 515.

  Thank you very much.

  can you confirm asa have NAT traversal allow otherwise, activate it in asa and vpn clients try again.

  PIX / ASA 7.1 and earlier versions

  PIX (config) #isakmp nat-traversal 20

  PIX / ASA 7.2 (1) and later versions

  PIX (config) #crypto isakmp nat-traversal 20

• Upgrade from PIX 515

  Hi all

  My company needs upgrade its PIX 515 to have the function VPN 3DES for remote site connection. So I just need to buy a license of 3DES for the PIX functionality? and can I also upgrade the IOS 6.1 so that I can use PDM to config the PIX? And I also need to upgrade the memory in the PIX?

  Thank you very much!

  Best regards

  Teru Lei

  Yes to the first question.

  Better 6.2 and pdm 2.1 I think.

  How much memory do you have? Reach

  http://www.Cisco.com/en/us/customer/products/sw/secursw/ps2120/prod_release_note09186a00800b1138.html#xtocid4

  There is memory for pix 6.2 requirements

  Good luck!

  --

  Alexis Fidalgo

  Systems engineer

  AT & T Argentina

• PIX 515 no traffic on the new IP address don't block

  We have received a new range of ips 213.x.x.x/28 from our ISP. They are routed through our existing entry door 92.x.x.146.

  The problem:
  We can not all traffic to the pix on the new 213.x.x.x/28 range.
  -If we try to ping 213.x.x.61, we get the lifetime exceeded.
  -ISP Gets the same thing of their router.
  -ISP tries ssh and gets no route to host.

  The ISP has ticked then double the Routing and the MAC address of our external interface. They are correct.

  The strange thing is that we cannot see THE log messages about the new range of incoming connection attempts. The Pix is running at the level of the journal 7.

  Does anyone have an idea what could be the problem? or suggestions for debugging the issue?

  Excerpt from config:
  7.0 (7) independent running Pix 515
  outside 92.x.x.146 255.255.255.240
  inside 192.168.101.1 255.255.255.0
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  Route outside 0.0.0.0 0.0.0.0 92.x.x.145 1
  Access-group acl_out in interface outside
  acl_out list extended access permit tcp any host 213.x.x.x eq www
  acl_out list extended access permit tcp any host 213.x.x.x eq ssh
  static (inside, outside) 213.x.x.61 192.168.101.99 netmask 255.255.255.255
  ICMP allow any inaccessible State

  192.168.101.99 is a test with http and ssh linux server

  Any help much appreciated.

  PM

  dsc_tech_1 wrote:
  I have spoken to the ISP and confirmed the MAC address of the outside interface Ethernet0
  
      ISP says
  
      ...we are sending this correctly to your pix, you should see any traffic destined for a 213.x.x.0/28 address hit your interface at 92.x.x.146/32
  
  Yes 217.x.x.81 and 217.x.x.82 are routers owned by our ISP.
  Is there anything else I can ask the ISP in terms of testing/debugging? I've run out of ideas.
  

  If the routers are owned by your ISP, then the fault lies with them. They have a routing loop in their network and that's why packages are not your firewall. You have them shown the traceroute?

  They must focus on the routeurs.81 et.82 to establish why the packets are looped between these 2 routers. Until they fix this packet will never get your firewall.

  Jon

• PDM with PIX 515 does not work

  I just upgraded our PIX 515 of 6.1 to 6.2. I also added support FOR and loaded the version 2.1 of the PDM. I am trying to browse the MDP, but I can't. What Miss me?

  Hello

  have you added the following lines to your config file and have you used HTTPS to access the pix (http is not taken in charge, only https)?

  Enable http server

  http A.B.C.D 255.255.255.255 inside

  A.B.C.D is the ip address of the host from which you are trying to reach the pix with the pdm.

  If you're still having problems after the addition of these two lines, you might have a look at this page:

  http://www.Cisco.com/warp/customer/110/pdm_http404.shtml

  Kind regards

  Tom

• PIX - 515 does not identify Tokenring Interfacecard

  Hello

  I installed a PIX-1 TR interface in the PIX 515. Start ok, 'answer' no configuration. SH LVE and sho int etc. presents only the build Ethernet0 and Eth1 but no interface tokenring.

  HS release looks like as follows.

  Thanks Ruedi

  pixfirewall # sh ver

  Cisco PIX Firewall Version 6.2 (2)

  Cisco PIX Device Manager Version 2.0 (2)

  Updated Saturday, June 7 02 17:49 by Manu

  pixfirewall until 10 mins dry 14

  Material: PIX - 515, 32 MB RAM, Pentium 200 MHz processor

  I28F640J5 @ 0 x 300 Flash, 16 MB

  BIOS Flash AT29C257 @ 0xfffd8000, 32 KB

  0: ethernet0: the address is 0003.6bf6.a8a9, irq 11

  1: ethernet1: the address is 0003.6bf6.a8aa, irq 10

  Features licensed:

  Failover: disabled

  VPN - A: enabled

  VPN-3DES: disabled

  Maximum Interfaces: 3

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal hosts: unlimited

  Throughput: unlimited

  Peer IKE: unlimited

  Serial number: 405341167 (0x182903ef)

  Activation key running: xxxxxxxxx

  Modified configuration of enable_15 to 13:11:47.490 UTC Tuesday, December 23, 2003

  pixfirewall #.

  Hello

  Token-Ring is no longer supported, I think since version 6.0.

• PIX with VPN to Checkpoint with overlapping subnets

  I have a client with a PIX runs code 6.3.

  They need establish an IPSec Tunnel for one of its customers with a Checkpoint firewall.

  Both organizations use 10.1.0.0/16 and I'd like to nat to 10.180.0.0 Home Office 16 and the remote client to 10.181.0.0.

  The document on the site Web of Cisco PIX and VPN concentrators is less useful. I don't think the text describing the image is correct.

  Help with ACL and static NAT is greatly appreciated.

  Frederik

  Apologies, should have asked. Which office has the pix and the control point. I write this as if the two ends were firewall pix so that's fine and we can see if that helps.

  Remote endpoint

  ==========

  NAT 10.1.0.0 ip access list allow 255.255.255.0 host 10.180.1.103

  NAT (inside) 3 access list NAT

  Global (outside) 10.181.0.0 255.255.0.0

  NOTE: You could really just NAT addresses 10.1.x.x from source to a global IP address rather than the whole 10.181.0.0/16 up to you.

  Your card crypto access list must then refer to the addressing of Natted 10.181.x.x rather than the 10.1.0.0 address.

  vpntraffic list access ip 10.181.0.0 255.255.0.0 allow host 10.180.1.103

  Main office

  ===========

  crpyto-access list should read

  vpntraffic list allowed access host 10.180.1.103 ip 10.181.0.0 255.255.0.0

  And you will need a static translation for client access

  public static 10.180.1.103 (Interior, exterior) 10.1.1.103 netmask 255.255.255.255

  Does that help?

  Jon