PIX 515E config help

Similar Questions

• Question of PIX 515E

  Hi all

  We just bought a PIX 515E and try to use it, but got a number of questions. Here's the NVA of show:

  PIX-151st #show version

  Cisco PIX Firewall Version 6.3 (1)

  Cisco PIX Device Manager Version 3.0 (1)

  Updated Thursday 19 March 03 11:49 by Manu

  PIX-515E up to 5 hours and 15 minutes

  Material: PIX-515E, 64 MB RAM, Pentium II 433 MHz processor

  Flash E28F128J3 @ 0 x 300, 16 MB

  BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

  0: ethernet0: the address is 000f.2457.4b12, irq 10

  1: ethernet1: the address is 000f.2457.4b13, irq 11

  Features licensed:

  Failover: enabled

  VPN - A: enabled

  VPN-3DES-AES: enabled

  Maximum Interfaces: 6

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal hosts: unlimited

  Flow: IKE peers unlimited: unlimited

  This PIX has a failover license only (FO).

  Problem is that we cannot ping inner harbor, if we do not switch light, but this is a unique machine. Here's another message once we turn on the switch:

  PIX-515E # config t

  WARNING *.

  Configuration of replication is NOT performed the unit from standby to Active unit.

  Configurations are no longer synchronized.

  PIX-515e (config) #.

  Please help solve this problem. I wonder if we buy the wrong license? Thank you very much.

  you have in your possession a PIX failover. That's why says in the "sh run".

  This device is intended to be used only as a failover for a live device. It will work as a live PIX, but behave badly. It is cheaper than a PIX with an unrestricted license, as it is not intended to be used as a standalone device. Check with the one that you bought to get the situation sorted.

  Good luck

  Steve

• PIX 515E v7 VPN config help

  Hello

  I have a PIX 515E current of execution to 7.

  Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or the ip address of the ISP router is provided).

  I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?

  I think that v7 does not support PPPOE? so I can't set the mode on the bridged adsl modem?

  Is there a way to fix this?

  Any help appreciated gratefully.

  apply the commands below:

  ISAKMP identity address

  ISAKMP nat-traversal 20

  If the problem persists, then please post the entire config with ip hidden public.

• PIX 515 VPN config help

  I was working on the creation of a PIX 515e to serve my firewall and VPN. The firewall and main routing work well as I am able to VPN and get an IP address. However, I am unable to remote desktop on a PC behind the firewall.

  Here is my config as I have now. If someone could show me what I'm missing, would be great.

  Firewall # sh run
  : Saved
  :
  PIX Version 7.2 (3)
  !
  Firewall host name
  DOMAINNAME.COM domain name
  activate r9tt5TvvX00Om3tg encrypted password
  names of
  !
  interface Ethernet0
  PPPoE Interface Description
  nameif outside
  security-level 0
  PPPoE client vpdn group pppoe
  63.115.220.5 255.255.255.255 IP address pppoe setroute
  !
  interface Ethernet1
  Description network internal
  nameif inside
  security-level 100
  the IP 192.168.0.1 255.255.255.0
  !
  interface Ethernet2
  DMZ Interface Description
  nameif DMZ
  security-level 50
  IP 10.1.48.1 255.255.252.0
  !
  2KFQnbNIdI.2KYOU encrypted passwd
  passive FTP mode
  clock timezone STD - 7
  clock to summer time recurring MDT
  DNS server-group DefaultDNS
  domain ivanwindon.ghpstudios.com
  object-group service remote tcp - udp
  Description Office remotely
  3389 3389 port-object range
  standard access list vpn_client_splitTunnelAcl allow a
  inside_nat0_outbound list of allowed ip extended access any 192.168.0.192 255.255.255.192
  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.0.96 255.255.255.240
  access-list Local_LAN_Access Note Local LAN access
  Local_LAN_Access list standard access allowed host 0.0.0.0
  outside_cryptomap_65535.20 deny ip extended access list a whole
  access-list 102 extended allow ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
  vpn_client_splitTunnelAcl_1 list standard access allowed 192.168.0.0 255.255.255.0
  inside_access_in list extended access permit tcp any eq 3389 3389 any eq
  pager lines 24
  Enable logging
  information recording console
  registration of information monitor
  logging trap information
  asdm of logging of information
  address record [email protected] / * /
  exploitation forest-address recipient [email protected] / * / level of errors
  Outside 1500 MTU
  Within 1500 MTU
  MTU 1500 DMZ
  IP local pool vpn_pool 192.168.0.100 - 192.168.0.105 mask 255.255.255.0
  IP verify reverse path to the outside interface
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image Flash: / asdm - 523.bin
  enable ASDM history
  ARP timeout 14400
  Overall 101 (external) interface
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 101 0.0.0.0 0.0.0.0
  inside_access_in access to the interface inside group
  Route outside 0.0.0.0 0.0.0.0 207.225.112.2 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout, uauth 0:05:00 absolute
  AAA authentication LOCAL telnet console
  Enable http server
  http 192.168.0.4 255.255.255.255 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto-map dynamic outside_dyn_map 20 set pfs
  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
  Crypto-map dynamic outside_dyn_map 20 the value reverse-road
  PFS set 40 crypto dynamic-map outside_dyn_map
  Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA
  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
  outside_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP disconnect - notify
  Telnet 192.168.0.4 255.255.255.255 inside
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  VPDN group request dialout pppoe pppoe
  VPDN group pppoe localname [email protected] / * /
  VPDN group pppoe ppp authentication chap
  VPDN username username password *.
  dhcpd dns 208.67.222.222 208.67.220.220
  dhcpd lease 1500
  dhcpd ping_timeout 10
  NAME of domain domain dhcpd
  dhcpd auto_config off vpnclient-wins-override
  dhcpd option 3 ip 192.168.0.1
  !
  dhcpd address 192.168.0.5 - 192.168.0.49 inside
  dhcpd dns 208.67.222.222 208.67.220.220 interface inside
  dhcpd lease interface 1500 inside
  interface ping_timeout 10 dhcpd inside
  dhcpd DOMAIN domain name inside interface
  dhcpd 192.168.0.1 ip interface option 3 inside
  dhcpd allow inside
  !
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  !
  global service-policy global_policy
  TFTP server inside 192.168.0.4/TFTP-Root
  internal vpn_client group policy
  attributes of the strategy of group vpn_client
  value of server DNS 208.67.222.222 208.67.220.220
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list vpn_client_splitTunnelAcl_1
  value by default-domain DomainName
  admin I727P4FvcUV4IZGC encrypted privilege 15 password username
  username ivanwindon encrypted password privilege 0 7K5PuGcBwHggqgCD
  username ivanwindon attributes
  VPN-group-policy vpn_client
  tunnel-group vpn_client type ipsec-ra
  tunnel-group vpn_client General-attributes
  address vpn_pool pool
  Group Policy - by default-vpn_client
  vpn_client group of tunnel ipsec-attributes
  pre-shared-key *.
  96.125.164.139 SMTP server
  context of prompt hostname
  Cryptochecksum:48fdc775b2330699db8fc41493a2767c
  : end
  Firewall #.

  Ivan Windon

  Sent by Cisco Support technique iPad App

  Hello

  I had first change in the pool of VPN Client to something other than the LAN

  As 192.168.1.0/24

  NAT0

  • Adding NAT0 rule for the new pool and then removing the 'old'

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0

  no access list inside_nat0_outbound extended permits all ip 192.168.0.192 255.255.255.192

  No inside_nat0_outbound extended access list only to allowed ip 192.168.0.0 255.255.255.0 192.168.0.96 255.255.255.240

  VPN Client pool

  • Remove the old group "tunnel-group" configurations, then removing the pool, make a new pool, and finally configure the pool to group "tunnel".

  tunnel-group vpn_client General-attributes

  No address vpn_pool pool

  no ip local pool vpn_pool 192.168.0.100 - 192.168.0.105 mask 255.255.255.0

  IP local pool vpn_pool 192.168.1.100 - 192.168.1.105 mask 255.255.255.0

  tunnel-group vpn_client General-attributes

  address vpn_pool pool

  Theres another thread with a similar problem (even if the settings appear to be correct) on the forums.

  If you can't get the RDP connection works I would also maybe Google for UltraVNC and its installation on the host LAN and your VPN Client and trying to connect with him to determine that the Client VPN configurations are all ok. There were problems that were ultimately associated with the LAN host rather than the VPN Client configurations.

  If you think that his need. Save your settings before making any changes.

  -Jouni

• PIX 515E and remote access VPN

  I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.

  I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.

  Any help is appreciated,

  Hello

  Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

  Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

  There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

• Using PIX 515E configuration require

  Dear all,

  Hi.Actually I need help for PIX 515E.Pls. check out the scenario, design & suggest?

  Pls. find the details following and configuration of VLAN attached router.

  # I want to put as

  «Spend my LAN on CISCO 2900 (range 172.16.29.X IP...» (25 PCs) - VLAN router - CISCO PIX - ISP public IP.

  # Now it's

  "My LAN on CISCO 2900 - VLAN (external) router - ISP.

  Details of router & PIX:

  #Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed)

  Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0)

  #PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router)

  #PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0)

  Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN

  #I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services

  VLAN router Config:

  Current configuration: 1028 bytes

  !

  version 12.3

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  hostname VLANRouter

  !

  boot-start-marker

  boot-end-marker

  !

  activate the gcsroot password

  !

  No aaa new-model

  IP subnet zero

  !

  !

  no record of conflict ip dhcp

  DHCP excluded-address IP 172.16.29.1 172.16.29.240

  DHCP excluded-address IP 172.16.29.250 172.16.29.254

  !

  IP dhcp pool dhcppool

  network 172.16.29.0 255.255.255.0

  DNS-server 208.144.230.1 208.144.230.2

  router by default - 172.16.29.1

  !

  !

  !

  !

  controller E1 0/0

  !

  controller E1 0/1

  !

  !

  interface FastEthernet0/0

  IP 208.144.230.197 255.255.255.224

  NAT outside IP

  automatic duplex

  automatic speed

  !

  interface FastEthernet0/1

  IP 172.16.29.1 255.255.255.0

  IP nat inside

  automatic duplex

  automatic speed

  !

  IP nat inside source list 7 interface FastEthernet0/0 overload

  IP http server

  IP classless

  IP route 0.0.0.0 0.0.0.0 208.144.230.200

  !

  !

  access-list 7 permit 172.16.29.0 0.0.0.255

  !

  Line con 0

  line to 0

  line vty 0 4

  opening of session

  !

  !

  !

  end

  All advice is appreciated.

  Kind regards

  Hiren s Mehta.

  ORG Informatics Ltd.

  Bamako, MALI

  AFRICA

  Hi hiren,.

  See the answers below:

  #Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed)

  When you upgrade the PIX router inbetween and your switch, you must put the PIX inside IP like 172.16.29.1 and change the router within the subnet to someother pool. Do the PAT on the PIX, rather than the router.

  Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0)

  Router outside the property intellectual property will be that given by the ISP... The ISP would have given a public IP address for the WAN link. This cannot be changed.

  #PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router)

  PIX outside IP must be comprehensive. ISP would have given you a LAN subnet. Use it. In this case, inside the interface of the router has an IP address from that subnet even...

  #PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0)

  PIX inside must be 172.16.29.1, which will be the default gateway for all PCs. If you change this subnet, then the PC should have an IP address on the same subnet that has decided.

  Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN

  didn't get it... is that on the internet router or switch?

  #I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services

  If all these must be permitted from inside to outside, you have not open anything... by default, all traffic to the inside outside is allowed (except if you put a list of access denied)...

• PIX 515E failover recover

  I have two PIX 515E firewall v7.01 configured in a failover scenario.

  The two units were operating without problem. Primary worked very well and the configuration changes have been transferred to secondary school.

  By TAC support, the only thing needed to test the failover was to issue a command to 'reload' in the primary and the secondary, take on main. Then, "active failover" question on the once rebooted device it was up in the secondary role.

  Failover to the secondary unit worked without problem, it is a smooth transition to the secondary unit.

  The problem came in that the original primary unit is stuck in a loop when you try to reload with what looks like now configuration errors. It will not properly start upward.

  Is not a valid procedure to test the failover?

  It seems that in the real world, this could actually happen that failover should work?

  Among what is shown:

  Config ERROR: invalid journal / level keyword specified; level must be emergencies (0) - debugging (7)

  Config error - acl_in list extended access permit tcp any newspaper SMTP host 208.13.32.36 eq

  Out of config line 359, "access-list acl_in exten...". »

  Config sync error: Suite not command could be executed in standby mode

  Platform

  acl_in list access permit tcp any host 208.13.32.36 eq smtp log inactive

  Use BREAK or ESC to interrupt boot.ridge/vlan/modify flash): m

  e inactivea VLAN

  REPLICATION OF CONFIGURATION OF ACTIVE TOWARDS THE RESCUE UNIT IS INCOMPLETE,

  Reading of 115200 bytes of the image of the flash.

  TO AVOID THE EVE OF TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION UNIT, THE EMERGENCY UNIT WILL NOW RESTART *.

  You're not going to like this answer.

  It seems that commands typed in and abstract by cisco in the configuration are not valid when copied/pasted in or when the firewall is rebooted or receives an active firewall configuration.

  I don't know exactly what you did, but here's what I did to reproduce your problem:

  I typed in the command:

  acl_in list access permit tcp any host 208.13.32.36 eq smtp interval 300 inactive information newspaper

  Given that "interval 300 ft newspaper is the default, it is actually saved in the running-config like:"

  acl_in list access permit tcp any host 208.13.32.36 eq smtp log inactive

  It's * not * a command invalid (the word "journal" following address must be a logging level), if you try to kick it. When you restarted the firewall, he tried to shoot the active configuration of the device (because it is now pending), received this line and since he can't run it (because it is not a valid command), it keeps restarting itself so that it cannot take over and be the active firewall.

  Best way to do is to hold this line (and other lines like him) outside the firewall active now - the line is marked "inactive" in any case, this should not affect you. The other way would be to change that line to something by default (the recording level change may be easier). In this way when the primary/secondary itself restarts again, the order received will have a valid log level (or if you take the lines out, they will not be a problem) and will allow the rest of the configuration process.

  You can also report to cisco as a bug, if they are not combing these forums already.

  -Jason

  This rate if this can help.

• PIX 515e, multiple VIRTUAL networks on a physical interface to DMZ

  We try to set up multiple VIRTUAL networks on a physical interface to the DMZ on a PIX 515e.

  The goal is to have logical subnets linked to our single, physical interface DMZ.

  Here's what I've tried so far without success:

  The switch

  -created the vlan 30

  -added switchports fa0/1 to 30 of vlan

  -attached host 192.168.100.1 in fa0/1

  -added switchport fa0/24 to the vlan 1 and vlan 30 with multimode

  -interface PIX DMZ connected to fa0/24 switchport

  -attached host to switchport fa0/10 172.16.1.55 (vlan 1)

  PIX:

  Auto interface ethernet2

  logical ethernet2 vlan30 interface

  nameif DMZ security50 ethernet2

  nameif vlan30 dmz2 security50

  address IP DMZ 172.16.1.254 255.255.255.0

  IP address dmz2 192.168.100.254 255.255.255.0

  Results:

  -172.16.1.55 has full connectivity to the PIX and beyond.

  -192.168.100.1 cannot ping the PIX to the 192.168.100.254 or anything else besides.

  Any help would be greatly appreciated. Also, I realize that I could buy a four port NIC and use the physical interfaces, but I can't get the approved purchase.

  Thank you

  Creation of VLANS on Ethernet1

  We want to create a new interface VLAN - VLAN30 and name DMZ2. Also affect the security level 50 in it.

  Step 1: Create a physical Interface:

  PIX (config) # interface ethernet1 vlan2 physical

  Step 2: Name the Interface and set the security level:

  PIX (config) # nameif ethernet1 inside the security100

  Step 3: Assign the IP address of the interface:

  PIX (config) # ip inside 192.168.1.1 address 255.255.255.0

  Step 4: Create the logical Interface:

  PIX (config) # interface ethernet1 vlan30 logical

  Step 5: Name of the Interface and set the security level:

  PIX (config) # nameif vlan30 DMZ2 security50

  Step 6: Assign IP address to the interface:

  IP pix (config) # DMZ2 192.168.100.254 255.255.255.0

  Step 7. Switch, set the port where from the inside, to the Isls or dot1q physical interface. Place the sheath in the native vlan2 as in step 1.

• IPSEC VPN between Pix 515E and 1841 router

  Hi all

  BACKGROUND

  We have implemented a site to site VPN IPSEC between a Pix 515E 8.0 operation (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and the ASDM the pix to build initial tunnels. Now the site with the router is evolving into a dynamic IP address from the ISP so we have implemented dynamic DNS to update dynamic IP address.

  PROBLEM

  The problem is that ASDM will not allow us to set a domain as the address of peers, it will not accept an IP address. We believe that the solution will be to remove the static Crypto map and replace it with a dynamic Crypto map on the side of Pix. Our questions are simply; is this the best solution? can change us the original static list or is it better to delete and make a new dynamic encryption card? Y at - it a shortcut to change the config command-line? This is a real network, so just check it out before make us any changes on the live kit.

  Any help much appreciated.

  You don't have to change anything when the peer-address changes. The dynamic crypto map aims to take dynamic peer connections. The only thing to remember, is that only the dynamic peer can initiate the connection. And you reduce your security if you use Pre-Shared key that now you can use a generic-PSK character.

  As I remember, the PIX / ASA does not support the dynamic use of FQDNs for peer-resolution. This feature is supported in IOS.

  For a feature, it would be preferable to static IP addresses on both sides.

• Cisco VPN Client Authentication - PIX 515E-UR

  Hi all

  I need your expert help on the following issues I have:

  1. I would like to create more than 1 client VPN on my PIX-515E groups. This is so that I can give a different part of the internal network access to different type of VPN connection. For example, I want a group to have no XAUTH, while the other group must use RADIUS XAUTH. Is it possible for me to do this? I see the PIX automatically enable RADIUS on both groups of VPN clients.

  2. the RADIUS server is a Microsoft ISA with IAS server and it is located on the PIX inside interface. The VPN endpoint is external interface of the PIX. Is there a problem with this Setup? Do I need to have the RADIUS server that is located on the external interface?

  3 can. what command I use to debug RADIUS authentication?

  Thanks in advance for your help.

  Hi vincent,.

  (1) you can use the vpngroup *-authentication server ipaddress to specify the IP address of the Radius Server on a particular group... If you do not specify this, the authentication of the user is made locally... also check for vpngroup * order of user authentication

  (2) there should be no problem with the installation of your... should work fine... If the RADIUS is outdoors, it is subject to many attacks... so have it inside...

  (3) use the "RADIUS session debug" or "debug aaa authentication..."

  I hope this helps... all the best... the rate of responses if found useful

  REDA

• PIX 515E for VPN remote site

  Hello

  7.0 (1) version pix

  ASDM version 5.0 (1)

  I have a situation where you go paas-thanks to the VPN feature goes on our PIX 515E. I tried to put this on the pix using a VPN Wizard Site to site

  who is enabled. I was unable to connect to the pix from the remote site. Witch's journal replied negotiate the pix is OK and the success

  The problem is when I try to set up the tunnel to the top of the remote site. I fall without failure.

  where can I see the vpn pix for error log?

  is there a manual for the solution of site to site VPN using the wizard

  Help, please.

  Thanks in advance

  http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml#ASDM

  the section 'use adsm' (step 14) gives an example on how to set up vpn lan - lan via adsm

  Newspaper to go to the section "check".

• PIX 515E failover

  I have a pair of PIX 515E (6.3) running in failover mode. They are currently connected to a single chassis base. We are upgrading our network with the heart, dual 6500's. Is there a way to connect each PIX to a separate kernel (1 PIX - Core1, PIX 2 - Core2) to allow a failure of the base?

  Core 1 and Core 2 will have a L2 link between them. If the current active PIX is connected to Core1 and Core 1 dies, this would not lead to support PIX failover. All LAN traffic would go through Core 2, but since he does not have an active path to the active PIX 1, traffic would drop. My reasoning is correct?

  Is there a way to connect the PIX to two cores running V6.3?

  Hello

  If you use the cable-based failover, you can change the basis of LAN failover.

  Read http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1024836

  I hope this helps.

  Best regards.

  Massimiliano.

• PIX 515E-> URL filtering: enabled

  Hello

  When I start my Cisco PIX 515E, I can see this output:

  Cisco PIX Firewall Version 6.3 (3)

  Features licensed:

  Failover: disabled

  VPN - A: enabled

  VPN-3DES-AES: disabled

  The maximum physical Interfaces: 3

  Maximum Interfaces: 5

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal hosts: unlimited

  Throughput: unlimited

  Peer IKE: unlimited

  I understand everything except "URL filtering: enabled".

  I looked in the documentation, but I can't find an explanation: is the PIX can filter requests for URL?

  Thank you in advance for the answer.

  Paolo

  Hi Paolo,.

  6.3 IOS PIX supports filtering of HTTPS and FTP sites to websense filtering servers, this option is enabled by default.

  More information can be found here:

  http://www.Cisco.com/en/us/products/sw/secursw/ps2120/prod_release_note09186a00801a6d21.html

  and here:

  http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#1120209

  Hope this helps-

  Jay

• PIX 515E - VPN connections

  Hello

  I have pix 515E and I configured a VPN on it. My users connect to my network from the internet via the Cisco VPN client.

  I have problem, only their LAN machine can do VPN from Cisco VPN client to my network at once.

  Users are connected to the internet via an ADSL router and the LAN switch.

  --------------------------------------------------

  PIX Config:

  6.3 (4) version PIX

  interface ethernet0 car

  Auto interface ethernet1

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  enable encrypted password xxxxxxxxxxxxxxx

  xxxxxxxxxxxxxxxx encrypted passwd

  hostname ABCDEFGH

  ABCD.com domain name

  clock timezone IS - 5

  clock to summer time EDT recurring

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  inside_out to the list of allowed access nat0_acl ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  list of allowed shared access ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside xxx.xxx.xxx.xxx 255.255.255.0

  IP address inside 192.168.1.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool vpnpool 192.168.2.1 - 192.168.2.254

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global interface 10 (external)

  NAT (inside) 0-list of access inside_out-nat0_acl

  NAT (inside) 10 0.0.0.0 0.0.0.0 0 0

  Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server RADIUS (inside) host ABCDE timeout 10

  AAA-server local LOCAL Protocol

  RADIUS protocol radius AAA-server

  Radius max-failed-attempts 3 AAA-server

  AAA-radius deadtime 10 Server

  RADIUS protocol AAA-server partnerauth

  AAA-server partnerauth max-failed-attempts 3

  AAA-server deadtime 10 partnerauth

  partnerauth AAA-server (host ABCDEFG myvpn1 timeout 10 Interior)

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-3DES-MD5 value

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  card crypto client outside_map of authentication partnerauth

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address 0.0.0.0 netmask 0.0.0.0

  ISAKMP identity address

  part of pre authentication ISAKMP policy 8

  ISAKMP strategy 8 3des encryption

  ISAKMP strategy 8 md5 hash

  8 2 ISAKMP policy group

  ISAKMP life duration strategy 8 the 86400

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 3des encryption

  ISAKMP policy 10 sha hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup myvpn address vpnpool pool

  vpngroup myvpn ABCDE dns server

  vpngroup myvpn by default-field ABCD.com

  splitting myvpn vpngroup split tunnel

  vpngroup idle 1800 myvpn-time

  vpngroup myvpn password *.

  Telnet 192.168.1.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.1.200 - 192.168.1.254 inside

  dhcpd dns ABCDE

  dhcpd lease 3600

  dhcpd ping_timeout 750

  field of dhcpd ABCD.com

  dhcpd outside auto_config

  dhcpd allow inside

  Terminal width 80

  --------------------------------------------------

  Thanks in advance.

  -Amit

  Try to add the "isakmp nat-traversal" command to your PIX. I suspect what happens is that Remote LAN users is translated to a single IP address as they pass through the DSL connection. I also assume that the machine doing the translation has a capacity of IPSec passthrough. Linksys routers would be a good example of this type of NAT device that allows IPSec pull-out.

  If that's the case, that a single VPN connection will be able to operate both. The above command will turn PIX detect clients that are located behind a NAT device, and then try to configure the VPN sessions in UDP packets and so to work around the limitation of NAT and IPSec passthrough device.

• ASDM 5.02 on PIX-515E

  When I use ASDM to administer my PIX-515E (v7.0), I get messages from 2 following error if I update the screen after being inactive in the session for about 2-3 minutes about:

  Error message 1

  ASDM is temporarily unable to communicate with the firewall.

  Error message 2

  ASDM is unable to reach the PIX. Please check the configuration and your connection and try again by clicking the Refresh button.

  These messages were recently and I don't know why. Is there an ASDM idle session time-out setting? I could not found.

  Thank you

  Bill Fanning

  Hello

  What version of Java are you using. If you have Java 1.6, can you go back to 1.5 and see if the problem goes away.

  Also, here is the URL indicating the operating system for client PC and browser requirements

  http://www.Cisco.com/en/us/partner/docs/security/ASA/asa70/asdm50/release/notes/RN505.html#wp231810

  I hope it helps.

  Kind regards

  Arul

  * Please note all useful messages *.