PIX: IDS drop allowed vs ACL

Similar Questions

• PIX IDS signatures

  Does anyone know the PIX IDS signatures to block Ping scans and Port scans?

  Do the substitution of signatures IDS ACL defined previously? For example; I want to allow people to ping - me (I allowed icmp echo in my ACL), but I want to drop Ping Sweeps and Port scans.

  Gracias.

  PIX IDS signatures are all listed here:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_62/syslog/pixemsgs.htm#1032267

  You will notice that it isn't sigs for the port scans and ping sweeps, mainly because it does not detect the PIX. This would imply the PIX to keep track of all the pings or connection attempts and try to understand that if a scanning goes, this is not what the PIX is designed for.

  If you want to see these then a NID system is the best way to go. IDS PIX is very limited and don't look for a very small subset of the signatures, and most of these signatures simply consist of a package, do not try to reconstitute several packages to different hosts or ports.

• A PIX-to-PIX VPN can allow traffic in only one direction?

  Here is the configuration of the PIX 501 that accepts incoming VPN tunnels of the other PIX dynamic-ip.  Everything works very well, allowing traffic to flow both ways after that the tunnel rises.  But then I somehow limit or prevent the traffic that originates on the PIX (192.168.27.2) to go to other networks of PIX?  In other words, if a tunnel exists (192.168.3.0 to 192.168.27.0), I only want to allow network traffic to access the network 27.0 3.0, and I want to anyone on the network 27.0 access network 3.0.

  Thanks for any comments.

  pixfirewall # sh conf
  : Saved
  : Written by enable_15 at 13:29:50.396 UTC Saturday, July 3, 2010
  6.3 (4) version PIX
  interface ethernet0 car
  interface ethernet1 100full
  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  activate the encrypted password
  encrypted passwd
  pixfirewall hostname
  .com domain name
  fixup protocol dns-maximum length 4096
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol they 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol 2000 skinny
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names of
  access-list 101 permit ip 192.168.27.0 255.255.255.0 10.10.10.0 255.255.255.0
  access-list 102 permit ip 192.168.27.0 255.255.255.0 10.10.0.0 255.255.0.0
  access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
  access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0
  pager lines 24
  ICMP deny everything outside
  Outside 1500 MTU
  Within 1500 MTU
  IP address outside xxx.xxx.xxx.248 255.255.255.255
  IP address inside 192.168.27.2 255.255.255.0
  alarm action IP verification of information
  alarm action attack IP audit
  IP local pool ippool 10.10.10.1 - 10.10.10.254
  PDM logging 100 information
  history of PDM activate
  ARP timeout 14400
  NAT (inside) - 0 102 access list
  Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
  Timeout xlate 0:05:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
  Timeout, uauth 0:05:00 absolute
  GANYMEDE + Protocol Ganymede + AAA-server
  AAA-server GANYMEDE + 3 max-failed-attempts
  AAA-server GANYMEDE + deadtime 10
  RADIUS Protocol RADIUS AAA server
  AAA-server RADIUS 3 max-failed-attempts
  AAA-RADIUS deadtime 10 Server
  AAA-server local LOCAL Protocol
  No snmp server location
  No snmp Server contact
  SNMP-Server Community public
  No trap to activate snmp Server
  enable floodguard
  Permitted connection ipsec sysopt
  Crypto ipsec transform-set esp - esp-md5-hmac gvnset
  Crypto-map dynamic dynmap 10 transform-set gvnset
  gvnmap 10 card crypto ipsec-isakmp dynamic dynmap
  gvnmap interface card crypto outside
  ISAKMP allows outside
  ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
  ISAKMP identity address
  ISAKMP keepalive 60
  ISAKMP nat-traversal 20
  part of pre authentication ISAKMP policy 9
  encryption of ISAKMP policy 9
  ISAKMP policy 9 md5 hash
  9 2 ISAKMP policy group
  ISAKMP policy 9 life 86400
  vpngroup address ippool pool gvnclient
  vpngroup dns 192.168.27.1 Server gvnclient
  vpngroup gvnclient wins server - 192.168.27.1
  vpngroup gvnclient by default-domain '.com'
  vpngroup split tunnel 101 gvnclient
  vpngroup idle 1800 gvnclient-time
  vpngroup password gvnclient *.
  Telnet 0.0.0.0 0.0.0.0 inside
  Telnet timeout 30
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 30
  management-access inside
  Console timeout 0
  Terminal width 80
  Cryptochecksum:
  pixfirewall #.

  Of course, without a doubt capable.

  You can configure the inside interface access list to deny traffic from 192.168.27.0/24 to 192.168.3.0/24, and then allow anything else.

  Example:

  access list for the Interior-acl deny ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0

  the Interior-acl ip access list allow a whole

  group-access Interior-acl in the interface inside

  Hope that helps.

• PIX does not allow packets loarge

  I can ping with l - 992, but fail with-l 993.

  Ping 172.16.17.1 with 992 bytes of data:

  Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

  Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

  Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

  Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

  Ping statistics for 172.16.17.1:

  Packets: Sent = 4, received = 4, lost = 0 (0% loss),

  Time approximate round trip in milli-seconds:

  Minimum = 1ms, Maximum = 1ms, average = 1ms

  Ping 172.16.17.1 with 993 bytes of data:

  Request timed out.

  Request timed out.

  Request timed out.

  Request timed out.

  Ping statistics for 172.16.17.1:

  Packets: Sent = 4, received = 0, lost = 4 (100% loss),

  I also see that attached to the devices in the DMZ are taken excessively long time.

  The MTU size on all interfaces is always the default value of 1500.

  Hi Jimmysturn:

  Which is likely happened here is that you have ID political attack linked to your external interface with the action 'drop' or 'reset' all packages that match the signature in the category of the attack.

  Signature 2151 (large ICMP) will drop packets hit the PIX off interface or those who pass through the PIX outside interface when you ping with large packet size (+ 993 bytes):

  From your post, you must have had the following policy of IDS on your PIX:

  IP audit name attackpolicy attack action fall

  (or

  IP audit name attackpolicy action fall attack alarm

  or

  attack IP audit name attackpolicy raz action alarm

  or both)

  If you want to ping with big package, there are several things you can do:

  (1) remove the policy of "attackpolicy" completely from your external interface. It will turn off all of the IDS signatures in the category of the attack.

  Carefully look at this and see if it's what you want to do.

  To achieve the above, issue the following command:

  "no interface verification ip outside of attackpolicy"

  (2) turn off the signature 2151 by running the command:

  "disable signature verification ip 2151.

  That would disable only the big signing of ICMP attack while leaving the other signatures of attacks in the category of GIS attack ON.

  (3) set signature action to open a session (a syslog server or the internal buffer) large ICMP packets instead of dropping. Again, this should be determined carefully as option 1.

  To achieve the above goal, issue the following command:

  IP audit alarm action name attackpolicy attack

  It will be useful.

  Please indicate the position accordingly if you find it useful.

  Sincerely,

  Binh

• PIX 501 to allow access to the ftp server

  Hello

  We have a public ip address of the pix 501 and the other, I want to access the ftp server on the internal network from the outside. I tried to configure the PDM by a static nat, which translate to the address of the FTP to the public address, but then none of the stations networks could out - how can I configure it?

  I would also like to know what ports should I open on the acl for access to the ftp server.

  Thank you, daguech

  Yes, sorry... You must use the unique host for addresses command. The access list is applied to your external interface?

  for example, the command would be:

  Access-group acl_out in interface outside

  Also, can you connect to the local ftp server behind a firewall?

• PIX of VPN to Pix does not allow navigation from one end.

  Hello

  We went an office of a router to connect to the internet (do Nat) our Pix VNP company. Now from this office, I can go through all our corporate network, but I can't browse them from our corporate network. I read a few cisco docs and I installed WINS, still no luck.

  Technicians from the isp for this office recommended disable Nat on this router (its doubly from). I have to change this Office Ip address external PIX and the default gateway to match any Ip subnet, they give me.

  This change will affect our current VPN IKE and IPSEC policies and connection to that office?

  Thank you

  Mario Cabrejo

  Network engineer

  You will need to use an external (visible ip internet) on the external interface of the PIX and disable the NAT on the router. You have to re-create the tunnels they will point to a new ip address and not the router.

  Hope this helps

  Richard

• How to interpret error PIX IDS

  Hi all

  For example, I got this error: "all ID files: 6053 DNS request.»

  Where can I know exactly what this and other means of ID messages and what are the ramifications of them and if possible corrective measures.

  Peace

  Roy

  The "6053" in this post (and all messages of type ID in the PIX) is the number of signatures. You can check what it means in seeking to network security database (NSDB) here:

  http://www.Cisco.com/cgi-bin/front.x/CSEC/idsAllList.pl

  Note that the PIX does not check for all these signatures, only a small subset of them in fact.

• Prevention of Spam PIX IDS

  Some firewalls (such as raptors) have a function that will check the incoming IP/domain mail to make sure that the domain name of the sender can be reached (reverse) via the IP address of the sender. This prevents spammers from sending mail to your e-mail with falsified addresses server. PIX it? How about you check sending IPs against block lists? It would be cool. And nachos. Nachos are cool, too.

  Nope, is who does not offer the pix.

  IMHO these functions are better achieved at the level of the server e-mail - this way, the e-mail administrators are more fully accountable for the reception and delivery of emails throughout the org and to the ' net, rather than splitting of responsibilities between the security personnel and email admins

• Integration with the PIX IDS firewall

  I read the Release Notes for Cisco Intrusion Detection System Sensor Version 3.0 S4 (1), and tripped on the new features of this version it pretends the integration with the PIX firewall

  How do implement you this? What kind of integration offer?

  Instructions for the sensor and the basic configuration of PIX can be found here:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid23

  Instructions for sensor and PIX SSH configuration can be found here:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid16

  You can configure the sensor to connect to the PIX via telnet when

  using the PIX inside interface, otherwise you have to use SSH.

  SSH with 3des encryption is supported in version 3.0 or later

  sensors for connections of PIX.

  Warning: If you use telnet with a version 6.2.1 or PIX more late or if

  you want to use SSH with encryption on any PIX, so you

  need a patch for your sensor. If so, open a case of TAC and demand

  the latest version of nr.managed engineering. Reference

  [email protected] / * / for any question.

• 506th PIX IPSEC VPN allow authentication for local users?

  We have a 6.3 (5) running PIX 506th, configured for Cisco's VPN IPSEC clients. Cisco VPN clients authenticate with the credentials of group fine, but is it possible to use local users to authenicate plu? We use local users to our existing PPTP VPN clients, but we want to migrate these users to IPSEC. Any info would be greatly appreicated.

  Of course, you can... you need to include the command on your card crypto below

  map LOCAL crypto client authentication

  I hope this helps... Please, write it down if she does!

• Interaction of Ganymede + and radius ACS 2.6 download PIX ACLs

  We have ACS v2.6 running and control our connection to remote, routers and switches access. We are now looking to add support for a PIX firewall internal and want to use downloadable ACS ACL for the PIX. (to control outbound traffic through the PIX for authenticated users)

  We have achieved this help attributes RADIUS of Cisco IOS/PIX

  [009\001] cisco-av-pair on ACS. (and ACL restrictions of access on access to users)

  However the problem we noticed is that any user is valid in our database of CiscoSecure or SecureID can authenticate and gain access to through the firewall, even if they are not allowed to do this (and as it is by default on PIX from inside to outside is allowed unlimited full access).

  Was then imposed restrictions on network access on the CiscoSecure ACS for our PIX - to allow only access of corresponding user groups, but it did not work with RADIUS only GANYMEDE + (I guess that's because the RADIUS does not support approval).

  We must work with GANYMEDE + and the passes of the ACS to the bottom of the ACL number/ID for the PIX for users allowed.

  Question: We want to use downloadable s ACL of ACS for the PIX (for reasons of central support) is possible using GANYMEDE + and if yes how we re CiscoSecure ACS suitable for the ACL example below;

  pix_int list access permit tcp any host 10.x.x.x eq 1022

  pix_int list access permit tcp any host 10.x.x.x eq 1023

  Thank you

  Download ACL works only with the RADIUS, as described here:

  http://www.Cisco.com/warp/public/110/atp52.html#new_per_user

  You can continue to set the ACL on the PIX itself and simply pass the ACL via GANYMEDE number (as shown here: http://www.cisco.com/warp/public/110/atp52.html#access_list), but you can actually spend the entire ACL down via GANYMEDE, sorry.

• IDS PIX "fat Ping".

  Is it possible to allow ping big answers through the signature of PIX IDS attack without completely turning off the ID?

  Hello

  Use the command 'ip signature verification' to disable this signature

  signature verification IP:

  Specify the message to display, establish a comprehensive policy to a signature and disable or exclude a signature verification.

  I think that the signature is 2151: large ICMP traffic

  Hope this helps,

  Christophe

• SonicWall VPN PIX - does not, could someone help?

  Hi all

  I'm trying to set up an a 506th PIX VPN tunnel (firmware 6.3 (2)), a firewall SonicWall Pro. It does not at the moment. Phase 1 is ok but the phase 2 is not, the VPN tunnel has not been established, and the security association is removed after a minute or two. I enclose below the PIX config and an attempt to create VPN tunnel debugging output (slightly modified and cut for reasons of confidentiality). The PIX already has other two VPN configured which work perfectly.

  I would be very grateful to anyone who could help me answer the following questions about this VPN configuration:

  1. to debug output, which means the next?

  ISAKMP (0): retransmission of the phase 2 (0/0)... mess_id 0xafc08a94

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  ISAKMP: error msg not encrypted

  2. in the config, I don't know if the 3 static controls are necessary and how it might interact... What do you think?

  3. in what order things happen in the PIX when traffic is from the local network to remote network by VPN? What is NAT then treatment then setting up VPN to access list? or or treatment, then NAT and VPN to access list? or another possibility?

  4. How can I get it work?

  Thank you very much in advance for any help provided,

  A.G.

  ########### NAMING #################################

  vpnpix1 - is the local cisco PIX

  remotevpnpeer - is the Sonicwall firewall remote

  Intranet - is the local network behind PIX

  remotevpnLAN - is the remote network behind the SonicWall

  ################ CONFIG #############################

  6.3 (2) version PIX

  interface ethernet0 10full

  interface ethernet1 10full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  .../...

  hostname vpnpix1

  .../...

  names of

  name A.B.C.D vpnpix1-e1

  name X.Y.Z.T vpnpix1-e0

  name E.F.G.H defaultgw

  intranet name 10.0.0.0

  name 192.168.250.0 nat-intranet

  name J.K.L.M internetgw

  name 10.M.N.P server1

  name Server2 10.M.N.Q

  name 10.M.N.R server3

  name 192.168.252.0 remotevpnLAN

  name 10.1.71.0 nat-remotevpnLAN

  .../...

  object-group network server-group

  description servers used by conencted to users remote LAN through a VPN tunnel

  network-host server1 object

  host Server2 network-object

  network-host server3 object

  .../...

  access allowed INCOMING tcp nat-remotevpnLAN 255.255.255.0 list object-group server-eq - ica citrix

  .../...

  OUTBOUND ip intranet 255.0.0.0 allowed access list nat-remotevpnLAN 255.255.255.0

  access list permits INTRANET-to-remotevpnLAN-VPN ip intranet 255.0.0.0 255.255.255.0 remotevpnLAN

  access-list SHEEP, remotevpnLAN permits intranet ip 255.0.0.0 255.255.255.0 nat-remotevpnLAN

  .../...

  IP address outside the vpnpix1-e0 255.255.255.240

  IP address inside the vpnpix1-e1 255.255.252.0

  .../...

  Global 192.168.250.1 1 (outside)

  NAT (inside) 0 access-list SHEEP-to-remotevpnLAN

  NAT (inside) 1 intranet 255.0.0.0 0 0

  .../...

  static (inside, outside) server1 server1 netmask 255.255.255.255 0 0

  public static server2 (indoor, outdoor) server2 netmask 255.255.255.255 0 0

  public static server3 (indoor, outdoor) server3 netmask 255.255.255.255 0 0

  static (exterior, Interior) nat-remotevpnLAN remotevpnLAN netmask 255.255.255.0 0 0

  .../...

  Access-group ENTERING into the interface outside

  Access-group OUTGOING in the interface inside

  Route outside 0.0.0.0 0.0.0.0 internetgw 1

  Route inside the intranet 255.0.0.0 defaultgw 1

  .../...

  Permitted connection ipsec sysopt

  .../...

  Crypto ipsec transform-set esp-3des esp-md5-hmac VPN - TS1

  .../...

  map BusinessPartners 30 ipsec-isakmp crypto

  card crypto BusinessPartners 30 matches the INTRANET-to-remotevpnLAN-VPN address

  card crypto BusinessPartners 30 set peer remotevpnpeer

  card crypto BusinessPartners 30 game of transformation-VPN-TS1

  BusinessPartners outside crypto map interface

  ISAKMP allows outside

  .../...

  ISAKMP key * address remotevpnpeer netmask 255.255.255.255

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 3des encryption

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 28800

  part of pre authentication ISAKMP policy 20

  ISAKMP policy 20 3des encryption

  ISAKMP policy 20 chopping sha

  20 2 ISAKMP policy group

  ISAKMP duration strategy of life 20 28800

  part of pre authentication ISAKMP policy 30

  ISAKMP policy 30 3des encryption

  ISAKMP policy 30 md5 hash

  30 1 ISAKMP policy group

  ISAKMP duration strategy of life 30 28800

  .../...

  : end

  ################## DEBUG ############################

  vpnpix1 # debug crypto isakmp

  vpnpix1 #.

  ISAKMP (0): early changes of Main Mode

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  Exchange OAK_MM

  ISAKMP (0): treatment ITS payload. Message ID = 0

  ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 10

  ISAKMP: 3DES-CBC encryption

  ISAKMP: MD5 hash

  ISAKMP: default group 2

  ISAKMP: preshared auth

  ISAKMP: type of life in seconds

  ISAKMP: duration of life (basic) of 28800

  ISAKMP (0): atts are acceptable. Next payload is 0

  ISAKMP (0): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

  to return to the State is IKMP_NO_ERROR

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  Exchange OAK_MM

  ISAKMP (0): processing KE payload. Message ID = 0

  ISAKMP (0): processing NONCE payload. Message ID = 0

  ISAKMP (0): load useful treatment vendor id

  ISAKMP (0): ID payload

  next payload: 8

  type: 1

  Protocol: 17

  Port: 500

  Length: 8

  ISAKMP (0): the total payload length: 12

  to return to the State is IKMP_NO_ERROR

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  Exchange OAK_MM

  ISAKMP (0): processing ID payload. Message ID = 0

  ISAKMP (0): HASH payload processing. Message ID = 0

  ISAKMP (0): SA has been authenticated.

  ISAKMP (0): start Quick Mode Exchange, M - ID - 1346336108:afc08a94

  to return to the State is IKMP_NO_ERROR

  ISAKMP (0): send to notify INITIAL_CONTACT

  ISAKMP (0): sending message 24578 NOTIFY 1 protocol

  Peer VPN: ISAKMP: approved new addition: ip:remotevpnpeer / 500 Total VPN peer: 3

  Peer VPN: ISAKMP: Peer ip:remotevpnpeer / 500 Ref cnt incremented: 1 Total VPN peer: 3

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  ISAKMP (0): processing NOTIFY payload Protocol 14 1

  SPI 0, message ID = 476084314

  to return to the State is IKMP_NO_ERR_NO_TRANS

  ISAKMP (0): retransmission of the phase 2 (0/0)... mess_id 0xafc08a94

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  ISAKMP: error msg not encrypted

  ISAKMP (0): start Quick Mode Exchange, M - ID 1919346690:7266e802

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  ISAKMP: error msg not encrypted

  ISAKMP (0): retransmission of the phase 2 (1: 1)... mess_id 0xafc08a94

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  ISAKMP: error msg not encrypted

  ISAKMP (0): retransmission of the phase 2 (0/2)... mess_id 0x7266e802

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  ISAKMP: error msg not encrypted

  ISAKMP (0): retransmission of the phase 2 (2/3)... mess_id 0xafc08a94

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  ISAKMP: error msg not encrypted

  ISAKMP (0): retransmission of the phase 2 (1/4)... mess_id 0x7266e802

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  ISAKMP: error msg not encrypted

  ISAKMP (0): start Quick Mode Exchange, M - ID - 1475513565:a80d7323

  ISAKMP (0): delete SA: CBC vpnpix1-e0, dst remotevpnpeer

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  ISAKMP: drop msg deleted his

  ISADB: Reaper checking HIS 0x10ff1ac, id_conn = 0 DELETE IT!

  Peer VPN: ISAKMP: Peer ip:remotevpnpeer / 500 Ref cnt decremented for: 0 Total of VPN peer: 3

  Peer VPN: ISAKMP: deleted peer: ip:remotevpnpeer / 500 Total VPN peers: 2

  ISADB: Reaper checking HIS 0 x 1100984, id_conn = 0

  ISADB: Reaper checking HIS 0x10fcddc, id_conn = 0

  crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

  ISAKMP: its not located for ike msg

  #####################################################

  Get rid of:

  static (exterior, Interior) nat-remotevpnLAN remotevpnLAN netmask 255.255.255.0 0 0

  You don't need it. Change:

  OUTBOUND ip intranet 255.0.0.0 allowed access list nat-remotevpnLAN 255.255.255.0

  access-list SHEEP, remotevpnLAN permits intranet ip 255.0.0.0 255.255.255.0 nat-remotevpnLAN

  TO:

  access list permits OUTGOING ip intranet 255.0.0.0 255.255.255.0 remotevpnLAN

  access-list SHEEP, remotevpnLAN permits intranet ip 255.0.0.0 255.255.255.0 remotevpnLAN

  This indicates the PIX not NAT IPSec traffic. NAT happens BEFORE IPSec in the PIX, so if you the traffic IPSec nat it will never match your crypto access list and will not be encrypted.

  This, however, should not stop the tunnel of Phase 2 of the course of construction, they would stop flowing above the tunnel, traffic, so you still have a problem somewhere. What I'm guessing, is that the Sonicwall (SW) has a different encryption-defined list access, it must be the EXACT OPPOSITE of what is configured on the PIX. In other words, the SW should be encrypting the traffic of "remotevpnLAN-24" "intranet/8", make sure that the subnet mask ar ETHE same too. "

  To answer your questions:

  1. it simply means that the PIX has not received a response and is to retransmit the last ISAKMP packet. The process_block simply means that the PIX has dropped a package that was to be encrypted because the IPSec tunnel has not been built. If you get the tunnel built, these messages will disappear.

  2. the 3 first static does not appear to be linked to the tunnel IPSec, if they are simply to access a server inside, then they will not affect this VPN tunnel. The last of them should be deleted, as I already said.

  3. for traffic initiated from inside the PIX, the order is incoming ACL, then NAT, IPSec processing. That's why your OUTGOING ACL must allow traffic first, then your NAT 0 statement refuses to be NAT had, then the encryption function is the traffic and the number.

  4 do what I said above :-)

  If you still have no luck, re - run debugs, but initiate traffic behind the Sonicwall, in this way the Sonicwall will try and debug of build that the tunnel and you will get more information on the PIX. Mainly, we'll see what traffic model the SonicWall is configured to encrypt (you don't see if the PIX initiates the tunnel).

• VPN clients cannot access remote sites - PIX, routing problem?

  I have a problem with routing to remote from our company websites when users connect via their VPN client remotely (i.e. for home workers)

  Our headquarters contains a PIX 515E firewall. A number of remote sites to connect (via ADSL) to head office using IPSEC tunnels, ending the PIX.

  Behind the PIX is a router 7206 with connections to the seat of LANs and connections to a number of ISDN connected remote sites. The default route on 7206 points to the PIX from traffic firewall which sits to ADSL connected remote sites through the PIX. Internal traffic for LAN and ISDN connected sites is done via the 7206.

  Very good and works very well.

  When a user connects remotely using their VPN client (connection is interrupted on the PIX) so that they get an IP address from the pool configured on the PIX and they can access resources located on local networks to the office with no problems.

  However, the problem arises when a remote user wants access to a server located in one of the remote sites ADSL connected - it is impossible to access all these sites.

  On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think that the problem may be the routes configured on the PIX itself, but I don't know what is necessary to solve this problem.

  Does anyone have suggestions on what needs to be done to allow access to remote sites for users connected remotely via VPN?

  (Note: I suggested a workaround, users can use a server on LAN headquarters as a "jump point" to connect to remote servers from there)

  with pix v6, no traffic is allowed to redirect to the same interface.

  for example, a remote user initiates an rdp session for one of the barns adsl. PIX decrypts the packet coming from the external interface and looks at the destination. because the destination is one of adsl sites, pix will have to return traffic to the external interface. Unfortunately, pix v6.x has a limitation that would force the pix to drop the packet.

  with the v7, this restriction has been removed with the "same-security-traffic control intra-interface permits".

  http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

• PIX 501 ICMP access list Question

  According to the book, I have the pix and firewall that I know of dealing with routers and switches access lists define what traffic is allowed outside the network. With pix access lists can only be applied one way, to the interface they enter, not leaving. It's my understanding, but when I do an ICMP command:

  PIX1 (config) # access - list ethernet1 permit icmp any any echo response

  PIX1 (config) # access - list icmp permitted ethernet1 everything all inaccessible

  Access-group ethernet1 PIX1 (config) # interface inside

  This does not work, but if I apply the access group to the external interface it works. I understand why it is like that.

  Thank you

  This works because the pix is not aware of session state for the way icmp traffic that it does for tcp and udp.

  By default, less access to a high to an interface is allowed, unless you have an acl applies to the interface of higer - then only what the acl permits will be allowed. So you can send outbound icmp echo request. However, for the response to be returned, you must allow that explicitly in an acl that is applied on the external interface, because the pix won't allow any outside traffic by default.

  Even for icmp unreachable, although I want to put in custody to be part of the config. Allow only the unattainable due to the ttl expired to facilitate detection of mtu path, not all unachievable.

  Let me know if it helps.