PIX IPSec and ACL issues

Hello

On a PIX 515E v.6.3.5.

There are three lists ACL that can come into play when setting up an IPSec VPN on a PIX? (I hear a sound of 'It depends')

1 Nat (0) ACL - NOT NAT traffic, it is part of the IPSec VPN

2 crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.

3 ACL - ACL to allow | deny traffic after ACL #1 and #2.

#3 "Allow packet IPSec to bypass the blocking of access list" If the "ipsec sysopt connection permit" command is configured and ONLY for the #3 ACL? In other words the sysopt does not participate on ACL #1 or 2 above?

The mirroring of the ACL, which is suggested (required) to both sides of the tunnel IPSec applies to what ACL?

Thank you

Dan

pdvcisco wrote:

Hello,

On a PIX 515E v.6.3.5.

Are there three ACL lists that can come in to play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends" )

1. Nat (0) ACL - to NOT nat traffic this is part of the IPSec VPN

2. Crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.

3. ACL - ACL to permit | deny traffic after ACL #1 and #2.

Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words the sysopt doesn't participate on ACL #1 or 2 listed above?

The mirroring of ACL's, that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?

Thanks,

Dan

It depends on

(1) is not always used, because with a site to site VPN sometimes you need to NAT your addressing internal

(2) always necessary

(3) if the "ipsec sysopt connection permit" is set up any ACLs on the interface where the VPN is finished is bypassed. If it is not enabled then once packets are decrypted they are then checked against the acl.

Mirrored ACLs is required.

Jon

Tags: Cisco Security

Similar Questions

PIX, PDM and AAA issues

I have a PIX 520 in the laboratory running 6.3.3 and PDM 3.0. I tested AAA authentication and authorization to our ACS server and run into problems.

I have two groups put in place on our ACS server. A group can be accessed freely, the other group is set to the top with a Shell command authorization set that limit orders so that they can watch the running-config and a few other things. Users of both groups can connect to the PDM or SSH/telnet/series in the unit and are authenticated and authorized correctly.

The configuration below works fine, until I pull the ACS server off the network. Because it is not any backup authentication or authorization to order method I am dead in the water. When this happens, I can always connect via the serial console, by using the 'pix' username and password enable, I just cannot run the command 'Enable' mode privlieged or any other control besides. (I get an error "Permission has no orders").

Here's a current configuration:

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + (inside) host 1.2.3.4 123456 timeout 5

Console telnet authentication GANYMEDE AAA +.

the AAA console ssh GANYMEDE authentication +.

AAA authentication GANYMEDE serial console +.

AAA authentication enable console GANYMEDE +.

Console AAA authentication http GANYMEDE +.

order of AAA for authorization GANYMEDE +.

Is it possible to set up a backup method for approval of authentication and control? If not, is there any other way the problem I'm running into?

Let me know if you need more info. Thank you!

Hello

Sorry, I missed this earlier. There is a failure on the PIX for this and we have an open enhancement request to add several methods of authorization to the PIX - CSCea04538. At this point, your best bet is to bug of your account team to get this feature added to the code of PIX to come. Sorry for the inconveinence.

Scott

VPN IPSec L2L between IOS and PIX 6.3 - MTU issue?

The side of the remote control (customer) is behind the 6.3 (5) PIX. And the side of the head end (server) is 2911 IOS on 15.0.

The IPSec tunnel rises very well and passes traffic. However, there is a server which are not fully accessible. Note, it is mainly the web traffic.

Client initiates a connection to the http://server:8000. They receive a redirect to go to http://server:8000 / somepage.jspa. Package caps show the customer acknowledges the redirect with a SYN - ACK response, but then the connection just hangs. And no other packets are received in return. I noticed that the redirected page is a .jsp and other pages that work OK are not. I also noticed that some MTU and TCP MSS configurations on the side of the head that are in place for another GRE VPN tunnel with another site. So I got in the way of the fragmentation of packets. The side PIX has all the standard configurations of IPSec as well as default MTU on the interface of the inside and outside.

When the MTU is set manually on the client computer to 1400, the access to the works of http://server:8000 / somepage.jspa very well. So I need to tweak the settings of PIX. I tried to adjust the MTU size on and abroad the interface as well as the parameter "sysopt connection tcp - mss. I don't know what else to do here.

Here is a summary of the MTU settings on the head of line:

End of the head:

int tunnel0 (it's the GRE tunnel)

IP mtu 1420

source of tunnel G0/0

dest X.X.X.X

tunnel path-mtu-discovery

card crypto vpn 1

tunnel GRE Description

blah blah blah

card crypto vpn 2

Description IPSec tunnel

blah blah blah

int g0/0 (external interface)

no ip redirection

no ip unreachable

no ip proxy-arp

Check IP unicast reverse

NAT outside IP

IP virtual-reassembly

vpn crypto card

int g0/1 (this is the interface to the server in question)

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

IP virtual-reassembly

IP tcp adjust-mss 1452

HA, sorry my bad. Read the previous post wrong.

(Note: Yes, the SMS on the tunnel interface should be 40 bytes less than MTU).

Do not twist the MTU, not for TCP problems (not as the first step), it is safer to play with the MSS. MTU may depend on other things (OSPF for example).

Make a sweep of a ping with DF bit set with the size (from 1300 bytes for example). By doing this, you want to check what is the maximum size of the package, which you can test through the IPsec tunnel. Once you have this value consider - subtract 40 and this defined as value MSS of the LAN interface (and adjust the value of PIX if you can).

M.

Press L2L VPN, IPSEC, and L2TP PIX connections

Hi all

I'm trying to implement a solution on my FW PIX (pix804 - 24.bin) to be able to support a VPN L2L session with VPN dynamic user sessions where clients will use a mix of IPSEC(Nat detection) and L2TP. We have always supported things IPSEC and that worked great for many years. I'm now trying to Add L2TP support, so that I can support Android phones/ipads, etc. as well as Windows with built in VPN l2tp clients clients. Everything works well except for the new features of L2TP. Allows you to complete one phase but then tries to use the card encryption that is used for the VPN L2L. It seems to fail because IP addresses are not in the configured ACL to the crypto-map L2L. Does anyone know if there are any questions all these configurations support both. And if not can you see what I have wrong here, which would make it not work. Here are the relevant training:

C515 - A # sh run crypto
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set of society-ras-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac company-l2tp
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map company-ras 1 correspondence address company-dynamic
company Dynamics-card crypto-ras 1 set pfs
Dynamic crypto map company-ras 1 transform-set ESP-SHA-3DES ESP-3DES-MD5 company-ras
Dynamic crypto map company-ras 1 lifetime of security association set seconds 28800
company Dynamics-card crypto-ras 1 kilobytes of life together - the association of safety 4608000
crypto dynamic-map-ras company 2 address company-dynamic game
crypto dynamic-map company-ras 2 transform-set of society-l2tp
crypto dynamic-map company-ras 2 set security association lifetime seconds 28800
company Dynamics-card crypto-ras 2 kilobytes of life together - the association of safety 4608000
card crypto company-map 1 correspondence address company-colo
card crypto company-card 1 set pfs
card crypto company-card 1 set counterpart colo-pix-ext
card crypto card company 1 value transform-set ESP-3DES-MD5 SHA-ESP-3DES
company-map 1 lifetime of security association set seconds 28800 crypto
card company-card 1 set security-association life crypto kilobytes 4608000
company-card 1 set nat-t-disable crypto card
company-card 2 card crypto ipsec-isakmp dynamic company-ras
business-card interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside

Crypto isakmp nat-traversal 3600

crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 2
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
C515 - A # sh run tunnel-group
attributes global-tunnel-group DefaultRAGroup
company-ras address pool
Group-LOCAL radius authentication server
Group Policy - by default-l2tp
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
PAP Authentication
No chap authentication
ms-chap-v2 authentication
eap-proxy authentication
type tunnel-group company-ras remote access
tunnel-group global company-ras-attributes
company-ras address pool
Group-LOCAL radius authentication server
tunnel-group company-ras ipsec-attributes
pre-shared-key *.
type tunnel-group company-admin remote access
attributes global-tunnel-group company-admin
company-admin address pool
Group-LOCAL radius authentication server
company strategy-group-by default-admin
IPSec-attributes of tunnel-group company-admin
pre-shared-key *.
PPP-attributes of tunnel-group company-admin
No chap authentication
ms-chap-v2 authentication
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared-key *.
ISAKMP keepalive retry threshold 15 10
C515 - A # sh run Group Policy
attributes of Group Policy DfltGrpPolicy
Server DNS 10.10.10.20 value 10.10.10.21
Protocol-tunnel-VPN IPSec
enable PFS
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value company-SPLIT-TUNNEL-ACL
company.int value by default-field
NAC-parameters DfltGrpPolicy-NAC-framework-create value
internal strategy of company-admin group
attributes of the strategy of company-admin group
WINS server no
DHCP-network-scope no
VPN-access-hour no
VPN - 20 simultaneous connections
VPN-idle-timeout 30
VPN-session-timeout no
Protocol-tunnel-VPN IPSec l2tp ipsec
disable the IP-comp
Re-xauth disable
Group-lock no
enable PFS
Split-tunnel-network-list value company-ADMIN-SPLIT-TUNNEL-ACL
L2TP strategy of Group internal
Group l2tp policy attributes
Server DNS 10.10.10.20 value 10.10.10.21
Protocol-tunnel-VPN l2tp ipsec
disable the PFS
Split-tunnel-policy tunnelall
company.int value by default-field
NAC-parameters DfltGrpPolicy-NAC-framework-create value

Relevant debug output

C515 - Has # Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, Oakley proposal is acceptable
Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE SA proposal # 1, turn # 1 entry IKE acceptable Matches # 3 overall
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, connection landed on tunnel_group DefaultRAGroup
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is NOT behind a NAT device
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, connection landed on tunnel_group DefaultRAGroup
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, previously allocated memory of liberation for permission-dn-attributes
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, PHASE 1 COMPLETED
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, for this connection Keep-alive type: None
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, Keep-alives configured on, but the peer does not support persistent (type = None)
Sep 03 02:09:33 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, timer to generate a new key to start P1: 21600 seconds.
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID remote Proxy Host: address 172.16.0.104 17 of the Protocol, Port 0
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID local Proxy Host: address x.x.x.x, 17 of the Protocol, Port 1701
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, detected L2TP/IPSec session.
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM IsRekeyed its not found old addr
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto, check card company card, seq = 1 =...
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto card = company-map, seq = 1, ACL does not proxy IDs src:66.25.14.195 dst: x.x.x.x
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, tunnel IPSec rejecting: no entry for crypto for proxy card proxy remote 66.25.14.195/255.255.255.255/17/0 local x.x.x.x/255.255.255.255/17/1701 on the outside interface
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, error QM WSF (P2 struct & 0x501c1f0, mess id 0xa181b866).
Sep 03 02:09:33 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, case of mistaken IKE responder QM WSF (struct & 0x501c1f0) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, peer table correlator Removing failed, no match!
Sep 03 02:09:33 [IKEv1]: ignoring msg SA brand with Iddm 204910592 dead because ITS removal
Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, Oakley proposal is acceptable
Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE SA proposal # 1, turn # 1 entry IKE acceptable Matches # 3 overall
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, connection landed on tunnel_group DefaultRAGroup
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is NOT behind a NAT device
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, connection landed on tunnel_group DefaultRAGroup
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, previously allocated memory of liberation for permission-dn-attributes
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, PHASE 1 COMPLETED
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, for this connection Keep-alive type: None
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, Keep-alives configured on, but the peer does not support persistent (type = None)
Sep 03 02:10:05 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, timer to generate a new key to start P1: 21600 seconds.
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID remote Proxy Host: address 172.16.0.104 17 of the Protocol, Port 0
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID local Proxy Host: address x.x.x.x, 17 of the Protocol, Port 1701
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, detected L2TP/IPSec session.
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM IsRekeyed its not found old addr
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto, check card company card, seq = 1 =...
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto card = company-map, seq = 1, ACL does not proxy IDs src:66.25.14.195 dst: x.x.x.x
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, tunnel IPSec rejecting: no entry for crypto for proxy card proxy remote 66.25.14.195/255.255.255.255/17/0 local x.x.x.x/255.255.255.255/17/1701 on the outside interface
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, error QM WSF (P2 struct & 0x501c1f0, mess id 0xa5db9562).
Sep 03 02:10:05 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, case of mistaken IKE responder QM WSF (struct & 0x501c1f0) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, peer table correlator Removing failed, no match!
Sep 03 02:10:05 [IKEv1]: ignoring msg SA brand with Iddm 204914688 dead because ITS removal

The outputs of two debugging who worry are the following:

Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID remote Proxy Host: address 172.16.0.104 17 of the Protocol, Port 0
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID local Proxy Host: address x.x.x.x, 17 of the Protocol, Port 1701

Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto, check card company card, seq = 1 =...
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto card = company-map, seq = 1, ACL does not proxy IDs src:66.25.14.195 dst: x.x.x.x
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, tunnel IPSec rejecting: no entry for crypto for proxy card proxy remote 66.25.14.195/255.255.255.255/17/0 local x.x.x.x/255.255.255.255/17/1701 on the outside interface
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, error QM WSF (P2 struct & 0x501c1f0, mess id 0xa5db9562).

This seems to indicate that his NAT detection but then do not assign to the entry card cryptography because networks are encrypted are not in the configured ACL that is true. He needs to use dynamic input and it doesn't seem to be.

I need to create another dynamic map entry to make it work instead of add lines to the same dynamic with a lower (higher) priority map entry?

Thanks in advance for any help here.

Hello

That won't do the trick, l2tp clients are picky kindda, so you know if they do not hit the correct strategy first they just stop trying. Follow these steps:

correspondence from the company of dynamic-map crypto-ras 1 address company-dynamic

No crypto-card set pfs dynamic company-ras 1

No crypto dynamic-map company-ras-1 transform-set ESP-SHA-3DES ESP-3DES-MD5 company-ras

Dynamic crypto map company-ras 1 transform-set company-l2tp SHA-ESP-3DES ESP-3DES-MD5 company-ras

The foregoing will not affect existing customers of IPsec at all, these clients will not use the statement of pfs and will link even if the correspondence address is not configured (it is optional), besides Cisco IPsec clients will be affected first the mode of transport policy and fail however they will continue to try and hit another police PH2.

Regarding your last question, I was referring specifically to the support of l2tp for android, and Yes, you will need to run one of these versions.

http://www.Cisco.com/en/us/docs/security/ASA/asa82/release/notes/asarn82.html#wp431562

Tavo-

processing order of encryption and ACLs

Hi people,

I am preparing to a test lab and have the following scenario:

R6---172.16.50/24---PIX---172.16.10/24--R1

R6 I have two interfaces:

lo0 6.6.6.6/24

FA0/1 172.16.50.50/24

R1 two int:

lo0 1.1.1.1/24

E0 172.16.10.1/24

I want to protect all traffic between the 6.6.6.0 and network 1.1.1.0 with IPSec. I use ESP to protect traffic.

Another condition is that I want to put an ACL to e0 allowing IPSec traffic.

I created an ACL named ACL_E0_IN that is applied on e0 for inbound traffic.

R1 #sh of access lists

Expand the IP ACL_E0_IN access list

esp permits 172.16.50.50 host 172.16.10.1 (15 matches)

permit udp host 172.16.50.50 host 172.16.10.1 eq isakmp (116 matches)

refuse the log host 1.1.1.1 icmp host 6.6.6.6 (5 matches)

Ping of R6 R1 does not work:

R6 #p 1.1.1.1 source lo 0

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes of 1.1.1.1, time-out is 2 seconds:

Packet sent with the address source 6.6.6.6

.....

Success rate is 0% (0/5)

R6 #.

On the R1, I get the following message:

* 8 Mar 03:58:37.917: % s-6-IPACCESSLOGDP: ACL_E0_IN denied icmp 6.6.6.6 - list

> 1.1.1.1 (8/0), 4 packs

This scenario works ONLY when I allow ICMP of R6 and ESP traffic.

I wonder why the decrypted packets are denied by the ACL. I expect that the ACL is processed BEFORE the packet is decrypted. When I look at the meter on the hit of the ACL, it seems that the ACL is checked twice.

Someone at - it an idea on the exact order of encryption and the treatment of the ACL?

Thank you

Michael

Attached you will find the configs of the R1 and R6

Michael

I recently saw an explanation of encryption and ACLs that indicates there has recently been a change in behavior. In most versions of IOS, the behavior is as you describe, the package is evaluated by the ACL twice. The explanation is that the package is evaluated first in his State encrypted to check that it was something that must be dealt with. After the package has been decrypted, the IOS necessary to assess the package decrypted to see if things like the quality of Service necessary to apply. So basically the decrypted packet passed through the interface again and the ACL again. In recent versions of the code (12.3 (4) T, if memory serves) a change has been made and the package will now go through the ACL only once.

HTH

Rick

sick of frustration... 501 and ACL

Hey all, what gives.

I worked on a pix 501 and I can't get the ACL to save my life. I'm new on this and obviously missing something. I have a 501 connected to a cable broadband account is public ip through DHCP. I want to limit all traffic going out to 80, 110 and 53.

I add the following commands.

access-l 125 permit tcp any any eq 80

access-l 125 permit tcp any any eq 53

access-l 125 permit tcp any any eq 110

access-l 125 deny ip any one

access-g 125 in interface inside

everything falls to the interface I think. I am able to browse the net, Kazaa, sof2 throughout the day if I use the default configuration provided by the firewall. I posted this before and actually got it to work once. I tried to repeat the process, but failed.

any help is GREATLY appreciated

humbly yours

MB

Add

> access-l 125 permit udp any how any eq 53

DNS searches with UDP, TCP not. You will find probably your DNS resolution does not work, so when you navigate to a web server by name it will fail, because the first thing that your PC will do is a name search.

PIX IPSec tunnel - IOS, routing Options

Hello

I have an IPSec Tunnel between a PIX firewall and a router Cisco 1721.

Have I not all options about any routing protocol can I use?

Are there plans to add GRE support to PIX, so that EIGRP, OSPF can be used?

------Naman

Here's a URL that tells how to configure GRE over IPSEC with OSPF. http://www.Cisco.com/warp/public/707/gre_ipsec_ospf.html

I can't send email Outlook Express (sudden problem). It is a new and sudden issue. Error number: 0x800CCC67

Original title: I can't send email Outlook Express (sudden problem). It is a new and sudden issue.

I use Outlook Express 6 and make this message. An unknown error has occurred. "Account: 'XTRA', server: 'smtp.xtra.co.nz', Protocol: SMTP, server response: ' 421 mta01.xtra.co.nz connection refused [222.155.136.138] ', Port: 25, secure (SSL): no, Server error: 421, error number: 0x800CCC67.

Continues to receive e-mails.

Hello

Have you made changes on the computer before this problem?

The following article might be useful.

Troubleshooting error messages that you receive when you try to send and receive e-mail in Outlook and Outlook Express
http://support.Microsoft.com/kb/813514

My Windows 7 Pro system has some serious hardware, internet connection and security issues. The system image and restore the system in case of failure.

My Windows 7 Pro system has some serious hardware, internet connection and security issues.

My efforts to remedy by restoring a system image backup failed. At this point, I'm ready for a new clean install if I have to buy a drive to do. My question is whether a professional Ultimate upgrade will or will not fix these bugs. In addition, what is the cause of restoring the system to fail? I never turned off or cannot create regular restore points.

Original title: upgrade a "Fix" for existing system problems?

My Windows 7 Pro system has some serious hardware, internet connection and security issues.

My efforts to remedy by restoring a system image backup failed. At this point, I'm ready for a new clean install if I have to buy a drive to do. My question is if an upgrade to Professional Ultimate will be or not correct not these bugs. Also, what is the cause System Restore to fail? I never turned off or cannot create regular restore points.

Hello

1 re-installing/repairing software will not fix hardware issues.

2. the operating system upgrade is not the way to solve computer problems that can be carried forward.

3 1. If you use Norton, you should disable Norton inviolable Protection before using System Restore.

http://Service1.Symantec.com/support/sharedtech.nsf/pfdocs/2005113009323013

AVG will cause problems with SR too.

«Temporarily disable AVG»

http://www.Avg.com/ww-en/FAQ.Num-3857

2. try to use Safe Mode system restore.

http://Windows.Microsoft.com/en-us/Windows7/products/features/system-restore

"Start your computer in safe mode.

http://Windows.Microsoft.com/en-us/Windows/Start-computer-safe-mode#start-computer-safe-mode=Windows-7

3 Malware will stop at the system restore.

Download, install, update and scan your system with the free version of Malwarebytes AntiMalware:

http://www.Malwarebytes.org/products/malwarebytes_free

____________________________________

We really need for more details:

"My Windows 7 Pro system has some serious hardware, internet connection and security issues.

See you soon.

IPSEC and SSH2

Does anyone know if the switch Cisco 3750 G supports IPSEC and SSH2?

Mohsen

Yep, that's what I would do as well.

I'm happy to have helped.

Jon

in PIX with SSH connection issues

Hello

I have a PIX 506 running OS 6.2 (2) which is located in a demilitarized zone known as the PIX from the outside. It's behind an another PIX506 (PIX inside). The two PIX have Ganymede + configured for authentication of the connection.

Last week the outdoor PIX crushed physically and I replaced it with a spare PIX part and he completely reconfigured.

Now I can't connect to this outside PIX using SSH, despite the list of access inside PIX is correct and can SSH and Ganymede +. However, I can telnet to it.

I use Putty to connect and when I start the session SSH from the PIX, the login window appears and disappears immediately without having the time to do anything myself.

Any help would be greatly appreciated. Thanks in advance.

A.G.

##################################################

Inside PIX config:

access-list inside allow TCP Company-Interior-Net 255.255.255.0 host outsidepix-Interior-interface eq ssh

list Company-Interior-Net 255.255.255.0 access inside permit tcp host eq telnet interface-inside-outsidepix

access-list inside allow the ICMP messages to echo DMZNet 255.255.255.192 Company-Interior-Net 255.255.255.0

access-list inside allow Company-Interior-Net icmp 255.255.255.0 DMZNet 255.255.255.192 - response to echo

dmzacl list of access allowed icmp echo host outsidepix-Interior-interface company-Interior-Net 255.255.255.0

dmzacl list of access allowed icmp host outsidepix-Interior-interface company-Interior-Net 255.255.255.0 - response to echo

access-list permits dmzacl tcp host outsidepix-Interior-interface host Ganymede-server1 eq Ganymede

access-list permits dmzacl tcp host outsidepix-Interior-interface host Ganymede-server2 eq Ganymede

The outdoor PIX config:

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + (inside) host Ganymede-server1 1234 timeout 10

AAA-server GANYMEDE + (inside) host Ganymede-server2 1234 timeout 10

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

Console telnet authentication GANYMEDE AAA +.

the AAA console ssh GANYMEDE authentication +.

AAA authentication enable console GANYMEDE +.

Telnet Company-Interior-Net 255.255.255.0 inside

Telnet timeout 5

SSH-company-Interior-Net 255.255.255.0 inside

SSH DMZNet 255.255.255.192 inside

SSH timeout 5

did you follow the steps to configure ssh? the domain name and host name is defined on it? CA has generated you any rsa... to create the encryption keys?

L2TP/IPSec and VRRP on Cisco VPN3000

Hello. I don't know if this is the right forum, please excuse me if this is not (of course a pointer to the right we'd appreciate it :)

I'm experimenting with the implementation of VPN 3000 Concentrator series VRRP, and it seems that when the unit of "backup" takes over, no L2TP/IPsec tunnel can be established more.

When the switch takes place, the backup device takes over VRRP group IP addresses, which are the IP address of the master own as well on VPN 3000. Thus, the backup unit manages two different IP addresses, its own ad group.

Well, what I observed using a sniffer is that while the IKE/IPSec packets come well to the group address, L2TP packets are by IP address of the backup device physical and clear instead of be encapsulated in IPSec travel packages. The client computer (PC Windows 2000) clearly ignores the L2TP packets and no L2TP/Ipsec tunnel can be established. PPTP tunnels work, however.

The foregoing does not occur when the VPN 3000 master works, like the VRRP group addresses are the same as its own interface addresses.

Now, VPN 3000 documentation or TAC documents explicitly say that L2TP/IPSec and VRRP are incompatible, but they do not mention compatibility as well (although they do mention the VRRP Protocol PPTP compatibility).

Did someone better informed than me? Is there a technical reason for the incompatibility between L2TP with VRRP, or it's a bug any?

Thank you

Roberto Patriarca

This has proved quite recently and a high severity bug has been open about it and is currently under review.

See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb77328&Submit=Search for more details.

Nice work well in the survey.

Missing documents for Pix V7 and ASDM V5

Just upgraded one of my Pix to V7.

Now I'm looking for the "Cisco Pix Firewall and VPN Configuration Guide" and "the Cisco PIX Firewall command reference" for version 7, but I couldn't find them on the cisco site.

Any idea where I could find them?

Maybe I need to use the ASA guides instead?

And I was unable to find documentation on how to install ASDM... When I upgraded to 6.3 I've had trouble finding the PDM 3.0 installation guide...

All the tracks would contribute to

www.Cisco.com

right side

Old Site Technology-Documentation

Network security

Select "Cisco Secure PIX Firewall.

http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/index.htm

Windows IPSEC and SSL VPN client on the same machine

Matches (coexistence) installation of IPSEC and SSL vpn clients that are supported on the same computer, windows (XP and Win7)?

As mentioned by Patricia and Jennifer (5 stars), you can install two clients on the same machine without any problem.

The tricky part comes when you are trying to connect two clients at the same time, that's when you may encounter unexpected problems.

However, if your intention is to install both clients and connect them individually and not at the same time, you'll be fine.

If you have any other questions, please mark this question as answered and note all messages that you have found useful.

Thank you.

Portu.

Post edited by: Javier Portuguez

Cisco ASA Site to Site VPN IPSEC and NAT question

Hi people,

I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

Just an example:

N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

Grateful if someone can shed some light on this subject.

Hello

OK so went with the old format of NAT configuration

It seems to me that you could do the following:
- Configure the ASA1 with static NAT strategy
  - access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  - public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
- Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
- If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
- ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
  - Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
  - the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
  - NAT (inside) 0-list of access to the INTERIOR-SHEEP
- You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
  - ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  - ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration to work tomorrow but I would like to know if it works.

Please rate if this was helpful

-Jouni

PIX IPSec and ACL issues

Similar Questions

Maybe you are looking for