PIX IPSec configuration

Similar Questions

• 506th PIX IPSEC VPN allow authentication for local users?

  We have a 6.3 (5) running PIX 506th, configured for Cisco's VPN IPSEC clients. Cisco VPN clients authenticate with the credentials of group fine, but is it possible to use local users to authenicate plu? We use local users to our existing PPTP VPN clients, but we want to migrate these users to IPSEC. Any info would be greatly appreicated.

  Of course, you can... you need to include the command on your card crypto below

  map LOCAL crypto client authentication

  I hope this helps... Please, write it down if she does!

• Road by default from version 6.3 PIX IPsec tunnel

  We have a PIX 501 running IOS version 6.3.1.

  There are currently 3 tunnels IPsec active as described below.

  What we would like is to have all traffic by default (0.0.0.0 0.0.0.0) range out through the tunnel of the middle line so that traffic can be protected by a firewall on the other side of the tunnel.  Since ICF is a Sonicwall what would be needed to be changed in the configuration on the PIX to get there?

  Thank you

  6.3 (1) version PIX

  interface ethernet0 10baset

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the 86AZXXmRLxfv/oUQ encrypted password

  86AZXXmRLxfv/oUQ encrypted passwd

  Site A hostname

  domain default.int

  clock timezone STD - 7

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol they 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  name 75.75.75.2 CovadHub

  name 75.48.25.12 Sonicwall

  access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0

  access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.2.0 255.255.255.0

  access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.3.0 255.255.255.0

  access-list 101 permit icmp any any echo response

  access-list 101 permit icmp any any echo

  access-list 102 permit ip 10.10.5.0 255.255.255.0 10.10.2.0 255.255.255.0

  access-list 103 allow ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0

  access-list 104. allow ip 10.10.5.0 255.255.255.0 10.10.3.0 255.255.255.0

  pager lines 24

  opening of session

  monitor debug logging

  logging warnings put in buffered memory

  ICMP allow 10.10.5.0 255.255.255.0 inside

  Outside 1500 MTU

  Within 1500 MTU

  external IP 75.25.14.2 255.255.255.0

  IP address inside 10.10.5.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  location of PDM 10.10.5.0 255.255.255.0 inside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  (Inside) NAT 0-list of access 101

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  allow icmp a conduit

  Route outside 0.0.0.0 0.0.0.0 75.25.14.1 1

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  NTP server 132.163.4.102 source outdoors

  NTP server 129.7.1.66 source outdoors

  Enable http server

  http 10.10.1.0 255.255.255.0 inside

  http 10.10.5.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp - esp-md5-hmac pix11

  peer11 card crypto ipsec-isakmp 10

  correspondence address 10 card crypto peer11 102

  peer11 card crypto 10 peers set 75.95.21.41

  peer11 card crypto 10 set transform-set pix11

  11 peer11 of ipsec-isakmp crypto map

  correspondence address 11 card crypto peer11 103

  11 peer11 peer Sonicwall crypto card game

  card crypto peer11 11 set transform-set pix11

  12 peer11 of ipsec-isakmp crypto map

  correspondence address 12 card crypto peer11 104

  card crypto peer11 12 set peer 75.62.58.28

  card crypto peer11 12 set transform-set pix11

  peer11 interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address 75.62.58.28 netmask 255.255.255.240

  ISAKMP key * address netmask 255.255.255.224 Sonicwall

  ISAKMP key * address 75.95.21.41 netmask 255.255.255.252

  ISAKMP identity address

  ISAKMP keepalive 10

  ISAKMP nat-traversal 20

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  part of pre authentication ISAKMP policy 11

  encryption of ISAKMP policy 11

  ISAKMP policy 11 md5 hash

  11 2 ISAKMP policy group

  ISAKMP duration strategy of life 11 28800

  part of pre authentication ISAKMP policy 12

  encryption of ISAKMP policy 12

  ISAKMP policy 12 md5 hash

  12 2 ISAKMP policy group

  ISAKMP duration strategy of life 12 36000

  Telnet 10.10.5.0 255.255.255.0 inside

  Telnet 0.0.0.0 0.0.0.0 inside

  Telnet timeout 5

  SSH 0.0.0.0 0.0.0.0 outdoors

  SSH 0.0.0.0 0.0.0.0 inside

  SSH timeout 60

  Console timeout 0

  dhcpd address 10.10.5.70 - 10.10.5.101 inside

  dhcpd dns 10.10.1.214

  dhcpd rental 43200

  dhcpd ping_timeout 750

  dhcpd field default.int

  dhcpd outside auto_config

  dhcpd allow inside

  Terminal width 80

  Cryptochecksum:36d2c26afa8

  03957d 3659

  868d9219f8

  2

  : end

  Hello

  You do not configure really any type of default route for the VPN L2L. You match rather traffic with 'everything' destination on configuring VPN L2L. Basically you would like to configure the VPN L2L ACL encryption with the 'whole' destination map

  I guess in your case it would be the ACL named "103".

  access-list 103 allow ip 10.10.5.0 255.255.255.0 any

  IP 10.10.5.0 doesn't allow any access list 103 255.255.255.0 10.10.1.0 255.255.255.0

  Naturally, your NAT0 ACL configuration should also reflect this change. I guess the end remote Sonicwall'd private NAT to public Internet access in this case whereas. I guess that in this case, the ACL NAT0 might even be just this one rule ACL

  access-list 101 permit ip 10.10.5.0 255.255.255.0 any

  BUT what I was asking however for now mainly is the fact it has a priority of '11' in the 'crypto map' which has between 2 other L2L VPN connections.

  peer11 card crypto ipsec-isakmp 10

  correspondence address 10 card crypto peer11 102

  peer11 card crypto 10 peers set 75.95.21.41

  peer11 card crypto 10 set transform-set pix11

  11 peer11 of ipsec-isakmp crypto map

  correspondence address 11 card crypto peer11 103

  11 peer11 peer Sonicwall crypto card game

  card crypto peer11 11 set transform-set pix11

  12 peer11 of ipsec-isakmp crypto map

  correspondence address 12 card crypto peer11 104

  card crypto peer11 12 set peer 75.62.58.28

  card crypto peer11 12 set transform-set pix11

  If you have changed the destination address of '103' crypto VPN L2L ACL at "" I guess that would probably cause so that the last connection VPN L2L with "12" priority may stop working since the previous connection already corresponds to 'all' your network 'inside' destination address.

  The solution might be to delete the current configuration of the '11' priority and add it with '13' for example, so that the other 2 connections VPN L2L could continue to work and all the rest of the traffic would be passed to the connection VPN L2L with Sonicwall as the remote peer.

  No crypto map ipsec-isakmp 11 peer11

  no correspondence address 11 card crypto peer11 103

  no set of 11 peer11 card crypto don't peer Sonicwall

  No peer11 11 set transform-set pix11 crypto card

  13 peer11 of ipsec-isakmp crypto map

  correspondence address 13 card crypto peer11 103

  13 card crypto peer Sonicwall peer11 game

  card crypto peer11 13 pix11 transform-set game

  I have to say that this is how I expect it should work. I worked with VPN L2L that have been configured in this way but its quite rare.

  If you want to try something like that, of course, be ready to return to the old configuration with your admins of the remote peer, if things do not work. I guess more difficult configurations changes must be made on the remote end while your configuration of the ends should be fairly simple.

  Hope this helps

  -Jouni

• PIX IPSec and ACL issues

  Hello

  On a PIX 515E v.6.3.5.

  There are three lists ACL that can come into play when setting up an IPSec VPN on a PIX? (I hear a sound of 'It depends')

  1 Nat (0) ACL - NOT NAT traffic, it is part of the IPSec VPN

  2 crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.

  3 ACL - ACL to allow | deny traffic after ACL #1 and #2.

  #3 "Allow packet IPSec to bypass the blocking of access list" If the "ipsec sysopt connection permit" command is configured and ONLY for the #3 ACL? In other words the sysopt does not participate on ACL #1 or 2 above?

  The mirroring of the ACL, which is suggested (required) to both sides of the tunnel IPSec applies to what ACL?

  Thank you

  Dan

  pdvcisco wrote:
  Hello,
  On a PIX 515E v.6.3.5.
  Are there three ACL lists that can come in to play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends" )
  1. Nat (0) ACL  - to NOT nat traffic this is part of the IPSec VPN
  2. Crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.
  3. ACL - ACL to permit | deny traffic after ACL #1 and #2.
  Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words the sysopt doesn't participate on ACL #1 or 2 listed above?
  The mirroring of ACL's, that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?
  Thanks,
  Dan
  

  Dan

  It depends on

  (1) is not always used, because with a site to site VPN sometimes you need to NAT your addressing internal

  (2) always necessary

  (3) if the "ipsec sysopt connection permit" is set up any ACLs on the interface where the VPN is finished is bypassed. If it is not enabled then once packets are decrypted they are then checked against the acl.

  Mirrored ACLs is required.

  Jon

• PIX IPSec VPN with Cisco 877W

  Hi all

  I am trying to create a VPN between a PIX and a Cisco 877W tunnel but can't seem to get the tunnel. When I do a 'sho crypto session"on the Cisco 877, I get, he said session state is declining, then changed to NEGOTIATE DOWN, but it is now down again... Please find attached the configs for both ends... Are there commands to confirm that the tunnel is up other than to try to ping the remote end? I would greatly appreciate any help lift this tunnel.

  Kind regards

  REDA

  Hello

  Based on the configurations of joined, to do some changes. For example:

  1. the isakmp policies do not match on the router and the pix. Make sure the hash group Diffie-Hellman and life correspond on the 877 and pix.

  2. the access list for the ipsec traffic must be images of mirror of the other.

  3. make sure life of ipsec on the two peers.

  I hope it helps.

  Kind regards

  Arul

  Rate if this can help.

• PIX IPSec tunnel - IOS, routing Options

  Hello

  I have an IPSec Tunnel between a PIX firewall and a router Cisco 1721.

  Have I not all options about any routing protocol can I use?

  Are there plans to add GRE support to PIX, so that EIGRP, OSPF can be used?

  ------Naman

  Here's a URL that tells how to configure GRE over IPSEC with OSPF. http://www.Cisco.com/warp/public/707/gre_ipsec_ospf.html

• Pix IPSec support

  Hello

  I'm trying to set up a tunnel to PIX-501 6.3 version. It's an old device that needs to be replaced soon, but unfortunately we have a tunnel now...

  I used this document as reference (6211): http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

  The remote end is a sonicwall.

  The problem seems to be that the pix never sees interesting traffic for the tunnel and never tries to establish a connection. I activated the ipsec encryption and debugs isakmp crypto, but no data is never displayed, even when you try to access a device on the remote side of the tunnel!

  Someone tried to implement this feature with some tunnels in the past, but never succeeded, so I think it can stay commands in the running-config causing problems...

  I'm grilled at this stage, so any help would be greatly appreciated. I will provide all necessary information as needed.

  Thank you very much.

  The issue is your inside interface/subnet has been configured as a 16 network and it duplicates the remote network.

  The inside interface: 172.21.25.254 (mask: 255.255.0.0), and network remote 172.21.19.0/24 also falls under the same subnet.

  Instead of routing the packet, inside host will try to proxyarp for the destination that they think they are in the same subnet, so does not.

  Try changing the inside interface with 24 subnet if you want to keep the same IP address and also change the mask of 24 inside your host.

  Otherwise, you need to configure NATing to a completely different subnet to the remote 172.21.19.0/24.

• conversion of iosxr ios ipsec configuration

  We have a configuration of ipsec work on ios

  !

  door-key crypto KRING

  pre-shared key BA2211RA1.ba.caixa key SeCretBA2211RA1 hostname

  pre-shared key BA3618RA1.ba.caixa key SeCretBA3618RA1 hostname

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  life 3600

  Crypto isakmp ISAPROF profile

  Keychain KRING

  FQDN of self-identity

  match domain ba.caixa host identity

  match domain se.caixa host identity

  address - 10.144.0.15

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac VPN

  !

  crypto dynamic-map 10 DYNMAP

  game of transformation-VPN

  ISAPROF Set isakmp-profile

  !

  card crypto VPN_AG_EBT address Loopback21

  card crypto VPN_AG_EBT 10-isakmp dynamic ipsec DYNMAP

  !

  !

  Interface Port - channel1.521

  card crypto VPN_AG_EBT

  !

  IOSXR configuration will be like this?

  !

  door-key crypto KRING

  pre-shared key hostname key

  !

  crypto ISAKMP policy 1

  3des encryption

  preshared authentication

  Group 2

  life 3600

  !

  Crypto isakmp ISAPROF profile

  Keychain KRING

  FQDN of self-identity

  host identity domain match

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac transform VPN

  !

  Profile of crypto ipsec VPN_AG_EBT

  dynamic set type

  PFS group2 Set

  game of transformation-VPN

  !

  interface of X / Y

  Crypto ipsec VPN_AG_EBT

  !

  the thing is, part of the configuration of encryption as keychain are supported because they are used in some methods of authentication for routing protocols.

  true ipsec isn't on the 9 k, the current ucode has no place for this. Next gen it maybe and we are also working on a blade or an adapter that can help with this.

  I'll try to find an official statement that ipsec on the 9 k is not supported, but the more I Googled it, the more embarrassed, I also get a lot of things 'suggests' it should work. I'm working on the correction to disambiguate.

  I also check with CRS and XR12K guys what their support for ipsec in hw.

  Will report to the time where I hear.

  concerning

  Xander

• Flexible Netflow with IPSec configuration

  Hello

  I'm trying to configure netflow/flexible netflow on some 887 branch site routers, which have an IPSec tunnel to the main office.  It is my understanding that the router will not encrypt the traffic it generates itself, so the standard netflow will not work. The workaround I've seen is to use nonstandard and flexible netflow.

  I tried to set up flexible netflow with the following configuration;

  exporter of workflow EXPORTER-1

  destination 192.168.10.1

  source Vlan1

  9996 udp transport

  time-out of 60 model data

  flow meter FLOW-MONITOR-1

  exporter EXPORTER-1

  active cache timeout 60

  netflow-original record

  dialer interface 1

  FLOW-MONITOR-1 controller for the IP stream entry

  IP FLOW-MONITOR-1 output flow controller

  However this doesn't seem to work and our monitoring server receives all the data (I've used network monitor to capture traffic to see if the router sends traffic or not)

  When I check the flow seems not collect data (either incidentally, the site has a lot of users).

  CRF-R-DUM-001 #sh flow monitor FLOW-MONITOR-1 hidden
  Cache type: Normal
  Cache size: 4096
  Current entries: 11
  High Watermark: 403

  Streams added: 164825
  Flow of years: 164814
  -Timeout active (60 seconds) 22720
  -Timeout inactive (15 seconds) 142094
  -Aged event 0
  -Watermark 0
  -Aged 0 emergency

  CRF-R-DUM-001 #sh flow statistics exporter EXPORTER-1
  Exporter of flow EXPORTING-1:
  Packet statistics send (cleared last 6d05h there):
  Successfully sent: 69071 (13068236 bytes)

  Statistics of the customer send:
  Client: Flow FLOW-MONITOR-1 monitor
  Records added: 164840
  -sent: 164840
  The bytes added: 8736520
  -sent: 8736520

  CRF-R-DUM-001 #sh flow Dialer interface 1

  Interface Dialer1

  FNF: monitor: FLOW-MONITOR-1

  Direction: entry

  Traffic (IP): on

  FNF: monitor: FLOW-MONITOR-1

  Direction: exit

  Traffic (IP): on

  I was wondering if someone could confirm that I am along in the right direction in terms of configuration, or am I missing a step which must be configured or if it has other commands that I can use to check the netflow exports

  Thanks in advance

  Brian

  Hi Brian,.

  Make sure you have the 'exit function' option added to your workflow exporter. For more information, see this blog:

  http://blogs.ManageEngine.com/netflowanalyzer/2011/04/01/NetFlow-data-export-over-IPSec-tunnels/

  Kind regards

  Don Thomas Jacob

  www.netflowanalyzer.com

  NOTE: Please note the messages and close issues if your query answered

• IPSEC configuration

  How to configure IPSEC to encrypt all traffic form one end of your network to another

  Create an access list 'Interesting address' and call this access list in your crypto config file.

  HTH >

• PIX VPN configuration

  Hello

  I have configured the PIX to make connections VPN to VPN clients and customers can see the entire network. How to configure the VPN to see only 2 guests to my network and nothing else?

  Concerning

  Kim Loefqvist

  You could do this is to change your

  inside_outbound_nat0_acl access list to allow the vpn to the subnet traffic from these 2 hosts rather than "all".

  HTH

• Remove the aaa in pix server configuration

  I have pix 515 with version 6.x cisco and me configured RADIUS vpn connection client authenitcation. The radius server is windows 2003 and I have the following commands

  RADIUS protocol AAA-server test

  AAA-server test (inside) host x.x.x.x1 password timeout 10.

  The vpn works great, now I want to change the radius server and I want to delete the order and add new, but I get errors of

  When I give

  clear the aaa-server test, Iget an error message

  You must remove all corresponding entries before AAA

  removing the last server in the test group

  When I give

  No server aaa test (inside) host x.x.x.x1 password timeout 10. I get

  You must remove all corresponding entries before AAA

  removing the last server in the test group

  When I give

  no RADIUS protocol aaa-server test I get

  AAA servers configured! Cannot delete server_tag.

  I'm in a loop. Can some one adivce me how to remove the aaa tag test the firewall server

  Thanks in advance

  you are probably still referencing it in the vpn setting somewhere.

  for example

  card crypto mymap TEST client authentication

  You must remove this first

• Using PIX 515E configuration require

  Dear all,

  Hi.Actually I need help for PIX 515E.Pls. check out the scenario, design & suggest?

  Pls. find the details following and configuration of VLAN attached router.

  # I want to put as

  «Spend my LAN on CISCO 2900 (range 172.16.29.X IP...» (25 PCs) - VLAN router - CISCO PIX - ISP public IP.

  # Now it's

  "My LAN on CISCO 2900 - VLAN (external) router - ISP.

  Details of router & PIX:

  #Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed)

  Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0)

  #PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router)

  #PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0)

  Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN

  #I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services

  VLAN router Config:

  Current configuration: 1028 bytes

  !

  version 12.3

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  hostname VLANRouter

  !

  boot-start-marker

  boot-end-marker

  !

  activate the gcsroot password

  !

  No aaa new-model

  IP subnet zero

  !

  !

  no record of conflict ip dhcp

  DHCP excluded-address IP 172.16.29.1 172.16.29.240

  DHCP excluded-address IP 172.16.29.250 172.16.29.254

  !

  IP dhcp pool dhcppool

  network 172.16.29.0 255.255.255.0

  DNS-server 208.144.230.1 208.144.230.2

  router by default - 172.16.29.1

  !

  !

  !

  !

  controller E1 0/0

  !

  controller E1 0/1

  !

  !

  interface FastEthernet0/0

  IP 208.144.230.197 255.255.255.224

  NAT outside IP

  automatic duplex

  automatic speed

  !

  interface FastEthernet0/1

  IP 172.16.29.1 255.255.255.0

  IP nat inside

  automatic duplex

  automatic speed

  !

  IP nat inside source list 7 interface FastEthernet0/0 overload

  IP http server

  IP classless

  IP route 0.0.0.0 0.0.0.0 208.144.230.200

  !

  !

  access-list 7 permit 172.16.29.0 0.0.0.255

  !

  Line con 0

  line to 0

  line vty 0 4

  opening of session

  !

  !

  !

  end

  All advice is appreciated.

  Kind regards

  Hiren s Mehta.

  ORG Informatics Ltd.

  Bamako, MALI

  AFRICA

  Hi hiren,.

  See the answers below:

  #Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed)

  When you upgrade the PIX router inbetween and your switch, you must put the PIX inside IP like 172.16.29.1 and change the router within the subnet to someother pool. Do the PAT on the PIX, rather than the router.

  Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0)

  Router outside the property intellectual property will be that given by the ISP... The ISP would have given a public IP address for the WAN link. This cannot be changed.

  #PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router)

  PIX outside IP must be comprehensive. ISP would have given you a LAN subnet. Use it. In this case, inside the interface of the router has an IP address from that subnet even...

  #PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0)

  PIX inside must be 172.16.29.1, which will be the default gateway for all PCs. If you change this subnet, then the PC should have an IP address on the same subnet that has decided.

  Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN

  didn't get it... is that on the internet router or switch?

  #I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services

  If all these must be permitted from inside to outside, you have not open anything... by default, all traffic to the inside outside is allowed (except if you put a list of access denied)...

• PIX 515E configuration problems

  I have a UR PIX 515 (6.3.2 os) that works really well, so I copy the configuration on my new PIX 515E-R (os 6.3.2). The PIX 2 have exactly the same configuration. But when I use the PIX 515E-R, I have some problems with the PIX 515E r only

  -I can't access the Internet, but I can ping the router Internet of my PIX 515E. The problem, in my view, must be with the Internet router, not on my external interface.

  -J' have a similar problem with my DMZ. I can ping to the DMZ, a frame relay router interface, but I can't pass this router.

  Is it possible that PIX 515E-R is not compatible with the router? and not the PIX 515 HEART?

  Thanks for your replies.

  Hello

  Just a thought, try clearing the PRA of table on the router and see what happens. Let me know if it helps.

  Jay

• 501 - pix basic configuration help

  People:

  Just acquired a 501. I'm really new to cisco pix and have no idea how to set it up.

  NAT seems to work (I connect via a client workstation on the 'inside' interface) using the pdm. However, I can't get the 'external' interface to work.

  I must be missing something:

  In the properties of the system, both inside and outside are turned on. I assigned (ethernet0) outside an IP address and a subnet mask 255.255.254.0 provided - it is a multinet). However there is no field to assign the router or dns.

  After a lot of tinkering, I can't work natted stations to talk to the outside world.

  Any advice?

  Bobby

  The easiest way to get this working is by using the Setup Wizard. Launch PDM and goto menu "Assistants"->"Installation Wizard".

  I think that the reason why you couldn't get working of the external interface is that you don't have the program to setup the default gateway and dns properly. By going through the wizard, you will find a place for complete information.

  Jack