PIX vs hub
What is better to use for VPN access and why? Maybe there are other solutions?
Hello
I would say better to have both if you are concerned about the safety of you're network and not concerned by budget constraints.
or even better to go for a pix with the policy of resistance and secrurity enough F/W in place to avoid any kind of attacks and obtained the VPN set up on tht.
If you both the best place the cocentrator in the dmz that is recommended design.
If you want to know about the wise performance of both these pix/concentrators diff diff, then a search under techinical support for the respective topics.hope tht will help u out...
regds
Tags: Cisco Security
Similar Questions
-
(1) if I understand correctly - Phase 1 DMVPN is Star technology. Is it possible to use two hubs of the network?
(2) is it possible to use the router 1841 as Phase 1 DMVPN hub?
(3) imagine this network topology:
* PIX *-(static vpn tunnel)-> router 1841 (hub)-(dynamic vpn tunnel)-> rays.
I'm having problems with routing in VPN between PIX and rays through 1841?
In the attachment, see diagram.
Thnx in advance!
Hello
It should be possible. The tunnel between the PIX and Hub 2 is going to be a regular with PIX IPSEC tunnel configured with all networks to talk as destination the ACL crypto and vice versa on the hub. Hub 2 will have a static route for the private subnet route tis and PIX will be redestributed in the routing process so that it is announced to the rays. Please keep in mind that the protection tunnel profile you are configuring should have configured 'shared' keyword.
HTH,
Please rate if this can help.
Kind regards
Kamal
-
Cisco PIX 501 to Cisco 3005 concentrator via remote access
Hello people,
I need your help.
We got a Cisco PIX 501 in one place and this pix is configured for pppoe connection. The pix connects to internet via the pppoe client. an official ip address ping works well.
So what I want to do is to establish a tunnel von between this pix and a cisco 3005 concentrator.
But I failed to establish it.
Here are the pix config. the acl? s are only for the test and will be replaced if it works.
6.3 (4) version PIX
interface ethernet0 10baset
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the password xxx
passwd xxx
hostname PIX - to THE
domain araukraine.ua
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
outside ip access list allow a whole
inside_access_in ip access list allow a whole
pager lines 24
opening of session
Monitor logging warnings
logging warnings put in buffered memory
MTU outside 1456
MTU inside 1456
IP address outside pppoe setroute
IP address inside 192.168.x.x 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
PDM location 192.168.x.x 255.255.255.224 inside
forest warnings of PDM 500
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
outside access-group in external interface
inside_access_in access to the interface inside group
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
the ssh LOCAL console AAA authentication
Enable http server
255.255.x.x 192.168.x.x http inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
255.255.x.x telnet inside 192.168.x.x
Telnet timeout 5
SSH 194.39.97.0 255.255.255.0 outside
SSH timeout 5
management-access inside
Console timeout 0
VPDN group pppoe_group request dialout pppoe
VPDN group pppoe_group localname [email protected] / * /
VPDN group ppp authentication pap pppoe_group
VPDN username [email protected] / * / password *.
encrypted privilege 15
vpnclient Server 212.xx.xx.xx
vpnclient mode network-extension-mode
vpntest vpngroup vpnclient password *.
vpnclient username pixtest password *.
Terminal width 80
the hub, I created a user pixtest, a group vpntest and I? ve created the rules of the network for example to what server, users behind the pix will be able to access.
And that? s all.
I couldn't send you exit pix or hub because I don't have an error or a message that the tunnel will be established.
What can be wrong?
Thanks for the replies
This configuration example shows how to create an IPsec tunnel to a computer that is running the Client VPN Cisco's (4.x and later versions) to a Cisco VPN concentrator 3000 to allow the user to safely access the network inside the VPN concentrator.
-
Hello! I have a VPN network star topology, I need configuration for our customers to access. I have 3 points of endpoint in this example: VPN, Pix 515e and Linksys RV042 hub. The hub is the site of our parent company, the Pix 515e is our data center and the RV042 is at the customer's site. What I currently have is a VPN connection between our Pix 515e and the hub, and another between our Pix 515e and the RV042 VPN. What I need is for the server on the client (RV042) site to talk to the hub network via our Pix 515e. I also need to be coordinated traffic so it looks like it's from the same subnet on our Pix 515e to the hub.
Hub (MEAN): 10.1.6.x
PIX 515e (HUB): 172.16.3.x
RV042 (SPOKEN): 192.168.71.x
PIX 515e (HUB):
Outside - 12.34.56.78
Interior - 172.16.1.1
Hub (TALK):
Outside - 87.65.43.21
Interior - 10.1.6.1
RV042 (SPOKEN):
Outside - 150.150.150.150
Interior - 192.168.71.1
The hub allows all traffic to my Pix 515e on subnet 172.16.3.x and vice versa. The RV042 allows all traffic from 172.16.3.x to talk to 192.168.71.x and vice versa. I need to get 192.168.71.5 on RV042 network 10.1.6.x the network hub through the Pix 515e and make it look like its 172.16.3.71 entry. So I need NAT traffic in the tunnel to another tunnel. Attached config running under the direction of privacy. Any help is greatly appreciated.
On PIX you need a static policy statement,
NAT list allowed access host ip 192.168.71.5 10.1.6.0 255.255.255.0
public static 172.16.3.71 (external, outside) 192.168.71.5 nat access list
And modify the ACL of appropriately crypto to include natted address.
-
ACL = deny; No its created
I am building an IPSec between a PIX and hub connection. I get the following debug message (ACL = deny; no its not created) when the traffic starts behind the PIX. When the traffic starts behind the hub the tunnel rises and the data passes (on each side) without any error. The PIX has two associated ACLs to the tunnel. The first acl sets the NAT and the second defines what should be encryptted. At the launch of traffic originating on the side of PIX, the two ACL shows the responses. But the captured traffic indicates the PIX does not seek to communicate with the hub. Any ideas on what ACL = deny; no way of his created?
Hello
Have you changed anything on the Pix, once the card encryption was apllied to it? If so, remove the encryption card, disable all SA and then re - implement the plan.
The behavior mentioned happen if we change the VPN configuration without removing the card cry.
NOTE: The Pix is sometimes inconsistent in the case of 'decline' statement ACL definition interesting taffic or if it sets the ports. The ACL should allow all IP pool and should have no reject the order.
-
CBAC with several inspection rules
Hello
My customer places an ASA/Pix IPsec hub and network spoke to a DMVPN network with 2921/881.
All the security(ACL/CBAC) will be run on the Cisco 2921 Hub site. I have attached a drawing simplified topology of HUB interfaces:
As you can see in the picture there are 5 active interfaces on the Cisco 2921:
LAN INT
DMZ INT
VIRTUAL INT
INT TUNNEL
RE INT
All interfaces have incoming ACL applied to them in the inbound direction. So, I have the following ACL:
INSIDE_OUT for LAN internal (management traffic from the LAN to DMZ DMVPN, Internet and VPN clients remote)
DMVPN_INSIDE_OUT for TUNNEL INT (managing the movement of DMVPN LAN and WAN)
VIRTUAL_INSIDE_OUT for VIRTUAL INT (manage traffic for remote users VPN DMVPN, LAN and WAN)
DMZ_INSIDE_OUT for DMZ (open for ICMP to internet and a server on the LAN)
INSIDE_IN for INT WAN (deny all apart form ICMP; ESP, ISAKMP, etc.)
Currently, I have the 2 following the rules of CBAC:
Property intellectual CHECK NAME IN_OUT applied on departing on INT WAN
IP INSPECT NAME applied to inbound on INT WAN OUT_IN_DMZ (to allow traffic initiated Internet DMZ return form)
But now, I think all the stateful traffic interface, as in an ASA I have to configure a rule to inspect to inbound on each interface or am I completely wrong?
For example if I want a LAN Server to communicate with a server on the DMZ, I need to inspect the incoming traffic to the right to allow traffic to DMZ from LAN LAN? Which means I need a third inspection rule, no?
Kind regards
Laurent
Laurent,
Ideally, you'd inspection on all inbound interfaces.
However, I think that you try to overcomplicate things, (dare I say).
Your problem would be solved by adding a dynamic firewall on your design and ending for example remote VPN on it.
This would substantially reduce the burden of DMVPN routers in the case of PPE or future growth and would you allow to dynamically on a device which was supposed to be with State actually lie real packet filtering.
I will attach a photo in a moment of what I think off the coast.
Marcin
Edit: adding hastly does DIA.
-
PIX with H &; S VPN DMZ hosting web server to the hub
Ok
Heres a problem which I think would be quite common for these even remotely conscious of security. Unfortunately, my knowledge of the PIX (as well as other Cisco devices) is still in phase of 'growth '.
So, here's the problem. I have a WAN put in place with PIXen and SonicWalls, we are set up in a design essentially Hub and Spoke (fine ok so it is partially meshed). We recently decided to pull the trigger on getting a 'real' web site and everything went relatively well that getting up and rolling. (even with my notice of 3 days/deadline), but here's the problem: I set up the web server on the DMZ to the hub pix, and I figured out (the easy part) how to set things so in the Home Office, people can connect to the web server by using the internal address, but I don't know what to do for people in remote offices with VPN home connections. I tried to define static routes, I tried to add the DMZ to the VPN trigger, I tried to do both of the last things together, and I checked that I have rules allowing traffic to the VPN outside the DMZ on the inside. So, what else can I I get?
I have no problem by configuring a PIX for all basic ups and VPN even at this stage, I can do most of it through the CLI (even if I still want to do more through the PDM). My biggest stumbling block on the PIX has so far was when I actually involve this pesky DMZ...
I actually two PIX in my office, two for my network domestic (one for my place in the States and one for my place in the Japan), so if you can help me, I'll be the two problems and do not forget to give a rating of excellent reviews!
so I guess that leaves me to the place where I scream...
Help!
and I humbly await your comments.
the current pix configuration should look at sth like this,
IP access-list 101 permit
IP access-list 110 permit
Global 1 interface (outside)
(Inside) NAT 0-list of access 101
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp-3des esp-md5-hmac superset
myvpn 10 ipsec-isakmp crypto map
correspondence address card crypto myvpn 10 110
card crypto myvpn 10 set by peer
superset of myvpn 10 transform-set card crypto
interface myvpn card crypto outside
ISAKMP allows outside
ISAKMP key
address netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
now, to add dmz on top of the existing vpn, add the following to the pix (and apply the same concept on the remote end device)
access-list 102 permit ip
access-list 110 permit ip
nat (dmz) 0 access-list 102
-
VPN high availability: double 3 k in the hub and the PIX as rays
Hi Experts.
In my scenario, I need routing between the rays and, above all, high availability (HA).
On the shelves, I have Pix 501/506E, OS ver 6.3. In the hub, I have a couple of redundant VPN3k.
What mechanism is the best:
1 - hub and spoke topology with remote EzVPN in rays - to HA, I can take advantage of the "load balancing" feature of the VPN3k?
2 - hub and spoke topology with remote EzVPN in rays - to HA, I can take advantage of the "backup server" feature of the VPN3k?
3 any-to-any topology (an IPSEC tunnel between any pair of sites) - for HA, I can take advantage of the 'LAN-to-LAN backup' feature of the VPN3k?
Thank you
Michele
I'd go with NLB on the backup server. With load balancing your connections will be spread over the two hubs. If a hub dies, then at least it will only affect half of your connections, rather than each of them in case of death of your primary and backup servers using.
If a hub dies, your PIX connections will be de-energized for a short period, but they will be able to reconnect back automatically without making you no change.
-
DMVPN - Hub Hub behind PIX, rays on the outside
Hi all
Someone at - it examples of configuration with DMVPN, where the hub is behind a PIX and the rays are on the outside. Inside of ownership intellectual of the hub must be NAT' static ed to the hub inside.
THX
«Also added in Cisco IOS release 12.3(9a) and 12.3 (11) T is the ability to make router DMVPN hub behind static NAT.» It was a change in the support of ISAKMP NAT - T. For this feature to use DMVPN spoke all routers and routers hub must be upgraded and IPSec must use the mode of transport. "
I would like to know if this link helps
-
PIX v7 speaks to talk about vpn access via the hub of pix
Hello
Does anyone know if the v7 PIX code supports the overs speaks of talking about VPN connectivity?
For example, 3 sites, Hub, to talk to and A of spoke spoke of b and B connect in the hub (PIX) with VPN.
With earlier versions of the software, the rays would not be able to communicate. Is this possible with the new version of the code?
Thank you
Hello
As long as the hub is running v7, you should be able to do. See
for an example.
HTH
Kind regards
Cathy
-
PIX 501, 1 static IP, IP address dynamic 2. Mesh full possible?
I have 3 sites. All sites have PIX 501. Central site has a static IP, 2 remote sites a dynamic IP.
I have no problem with the connection to the central site by using their dynamic IP address in a remote star connection.
Is it possible for 2 remote sites communicate? There is data that must be transferred between remote sites. I read somewhere in cisco site web which its possible via mesh on request.
Does anyone have an example of configuration on a VPN Site to Site where the Central site has static IP and remote sites with a dynamic IP? Remote locations teaches a dynamic IP from remote sites to the central server.
Thank you.
With IOS as your hub and then the Yes rays, the rays can learn dynamically address other departments using the PNDH. This type of configuration is called Dynamic Multipoint VPN (DMVPN), you can read everything you need to know about this here:
http://www.Cisco.com/warp/public/105/DMVPN.html
Even with EzVPN (not DMVPN) the rays will not learn the address of other rays, all communication is always via the hub. Call another talks would work, but as I said, the packages will talk-star.
-
VPN concentrator + PIX on LAN->; customers can not reach local servers
Hello
I have a problem wrt. remote access clients coming via a VPN3000 concentrator and trying to access local servers.
For the topology:
The internal network is 10.0.1.0/24. It connects with the outside world, as well as via a PIX DMZ; the PIX has 10.0.1.1 in the internal network.
On the same LAN (internal), I have the VPN concentrator for the inside address 10.0.1.5. It assigns addresses in the 10.0.100.0/24 range to the
VPN client-PCs.
I can sucessfully connect using the VPN client SW to the hub, i.e. remote access clients out addresses
the 10.0.100.0/24 range.
The problem: access from VPN clients to internal network is * not * possible; for example, a customer with 10.0.100.1 cannot connect to
internal to the 10.0.1.28 server.
To my knowledge, this is a routing problem because the server (10.0.1.28) has no idea on how to reach customers in
10.0.100.0/24. The only thing that the server is a default static route pointing to the PIX, i.e. 10.0.1.1.
So I set up a static route on the PIX for 10.0.100.0 pointing to the hub-VPN, that is
Mylan route 10.0.100.0 255.255.255.0 10.0.1.5 1
This does not solve my problem though.
In the PIX logs, I see the entries as follows:
% 3 PIX-106011: deny entering (no xlate) tcp src trainee: 10.0.1.28 (atlas) / 445 intern dst: 10.0.100.1 (pending) 1064
The PIX seems to abandon return packages, i.e. traffic from the server back to the client
To my knowledge, the problem seems to be:
Short traffic VPN - client-> Concentrator VPN-> Server-> PIX - where it gets moved.
My reasoning: the PIX only sees the package back, i.e. the package back from the server to the client - and therefore decreasing the
package because he has not seen the package from the client to the server.
So here are my questions:
(o) how do I configure the PIX that I be connectivity between my remote VPN clients (10.0.100.0/24) and
computers servers on the local network (10.0.1.0/24)?
(o) someone else you have something like this going?
PS: Please note that the first obvious idea, installation of static routes on all machines on the local network is not an option here.
Thank you very much in advance for your help,.
-ewald
Hello, PIX the because can not route traffic on the same interface (prior to version 7.0 anyway), I suggest you two places your hub to the outside with the inside of the legs on a zone demilitarized or (if you can not do a makeover of the network) you remove your pool with 10.0.100.0 - addresses and create a pool with 10.0.1.0 - addresses which is a part of the address space. No, NOT all. A little book that it is not used inside.
Best regards
Robert Maras
-
Cisco 3640 to the PIX 501 site 2 site VPN performance specifications.
I intend on creating a site-2-site VPN in Star configuration with a Cisco 3640 as the hub and PIX 501 at the remote sites. My question is around the plug that I read.
.
The specifications for a PIX-501-BUN-K9 tell PIX 501 3DES Bundle (chassis, SW, 10 users, 3DES).
.
A question is what really "10 users. Which is the limit of the number of concurrent sessions, I have on the VPN at a given time, or that it means something else?
.
I also read the specs say that the Maximum number of VPN tunnels that can support a PIX 501 is 5. Because I'm not going to make a tunnel between the PIX 501 at the remote site and the 3640 on the central site, I think I would be OK. Is that correct or is the max value talk the maximum number of concurrent sessions on the tunnel tunnels?
.
Thank you.
UDP traffic always creates a session in the PIX so that the return traffic will be allowed in. The UDP timeout is 2 minutes but IIRC. If you go around NAT with a statement of "nat 0" should not create an xlate I think.
The real time is hard to say really, probably around 2 minutes for a UDP-only user, you would probably make a few 'local sho' orders on the PIX to really see for sure however.
-
PAT on IPSEC VPN (Pix 501)
Hello
I work to connect a PIX 501 VPN for a 3rd party hub 3015. The hub requires all traffic to come from a single source IP address. This IP address is assigned to me as z.z.z.z. I have successfully built the VPN and tested by mapping staticly internal IP with the IP address assigned, but cannot get the orders right to do with PAT in order to have more than one computer on the subnet 10.x.x.0. This Pix is also a backup for internet routing and NAT work currently as well for this.
I can redirect traffic to my subnet to the remote subnet via the VPN, but I can't seem to get the right stuff PAT to the VPN using the assigned IP address. If anyone can give me some advice that would be great.
lines of current config interesting configuration with static mapping:
--------------------------------------------------------------------------
access-list 101 permit ip 10.0.0.0 255.255.255.0 y.y.y.0 255.255.255.0
access-list 102 permit ip y.y.y.0 255.255.255.0 z.z.z.z host
access-list 103 allow host ip y.y.y.0 255.255.255.0 z.z.z.z
IP address outside w.w.w.1 255.255.255.248
IP address inside 10.0.0.1 255.255.255.0
Global 1 interface (outside)
NAT (inside) - 0 102 access list
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
public static z.z.z.z (Interior, exterior) 10.x.x.50 netmask 255.255.255.255 0 0
Route outside 0.0.0.0 0.0.0.0 w.w.w.2 1
correspondence address card crypto mymap 10 103
mymap outside crypto map interface
ISAKMP allows outside
Thank you!
Dave
Dave,
(1) get rid of static electricity. Use more Global/NAT. The static method will create a permanent
translation for your guests inside and they will always be this way natted. Use
NAT of politics, on the contrary, as shown here:
not static (inside, outside) z.z.z.z 10.x.x.50 netmask 255.255.255.255 0 0
Global (outside) 2 z.z.z.z netmask 255.255.255.255
(Inside) NAT 2-list of access 101
(2) the statement, "nat (inside) access 0 2' list will prevent nat of your valuable traffic."
Delete this because you need to nat 2 nat/global card. (as a general rule, simply you
If you terminate VPN clients on your device and do not want inside the traffic which
is intended for the vpn clients to be natted on the external interface).
(3) with the instructions of Global/nat 2, all traffic destined for the remote network will be first
translated into z.z.z.z. Then your card crypto using the ACL 103 will encrypt all traffic which
sources of z.z.z.z for y.y.y.0 24. This translation wil happen only when traffic is destined for the vpn.
I hope this helps. I have this work on many tunnels as you describe.
Jamison
-
Questions of hub L2L with Checkpoint NGR55 3K 5
I am trying to create a connection L2L from a 3 K 5 hub to a seller with a NGR55 of control point. Setting up this morning, we have been able to access all applications using a NAT on their side, they were not able to access our own. The message that we've seen on both sides was:
No routine received Notify message: info ID not valid (18)
Which indicates the incompatible attributes between the peers. These have been verified on both sides. We have our list of local network specified as all the individual hosts that are translated into static NAT rules. For them, we have static translations and two global PATs... the network list for them specifies all their/24 network, which has been used in the comprehensive PAT. My understanding is that the most specific network will be applied and if not found, the PAT will be used, and I can see what is happening in the case where newspaper.
Question 1.) This could be a possible problem with why they are unable to connect to what anyone on our side?
Question 2.) The hub is driven by, even from the menu CLI and I can't find a way to clean up the SA when troubleshooting other than the deactivation and reactivation of the tunnel. I know about the ASA and PIX and I can do for phases 1 and 2 of the CLI. Deactivation of the tunnel on the 3 K 5 has the same result?
Any other ideas on why this would be appreciated.
It is very likely that the checkpoint is
do suppernetting, causing Phase 2
Quick mode error. I could do this on the
side of control point:
1 - Open a session in the check point gateway,
2. "you vpn" and remove the tunnel between
point of control and VPNc,
2 - cd $FWDIR/log,.
3 - vpn debugging trunc,
4 - vpn debugging ikeoff,
5 - vpn debugging ikeon,
6. now initialize the connection of control point
side. It will fail,
7 - get the ike.elg file and export it
on your desktop via scp or whatever.
8 - use a tool called IKEView.exe control point
utility and open the ike.elg file.
This will tell you EXACTLY why the tunnel failed and why. It is very likely that
control point is suppernetting its network and
Send it to VPNc, causing phase II for
in case of failure.
To resolve this problem, you will have
to modify the parameter "IKE_largest_possible_subnet" to "true" to "false" and also change the file user.def as
Well.
The other solution is to switch to the NGx so
you have an option to negotiate 'by '.
host' and have communication on both sides.
Sounds easy?
Now,.
Maybe you are looking for
-
registration of dynamic events - FP not in memory?
Hello I have the problem that I do not understand the event registration Dynamics trhw. In my application, I have multiple threads that are initialized when the application starts and I switch between them using secondary. In one of this module, I wa
-
PDF files does not print now that I have Windows 8
I got a new computer with Windows 8, and is automatically connected to my wireless HP Photosmart 5510. Test page for the fine printed word. But when I try to print a PDF file, it says "unable to print." I have the software Adobe Acrobat Reader las
-
Pavilion dm1 touchpad not working not
Pavilion dm1 touchpad not working not not using windows 7 Home Edition.In Device Manager, I see that the external USB mouse, witch synaptic touchpad does not work.Can someone help me please.Did all the updates that are offered by HP
-
How to detect BIS support the change?
Hello world I work and test network events manages the real device. I tried to detect the moment where we get actually BIS taken in charge and when we lose it really. Whenever you have granted with a new RIM service, a network event is launched and c
-
Recently, my son plugged his headphones Turtle Beach X 12 in the front USB and my computer's audio input. Since he took the helmet, I have had no audio of my Logitech speakers. When I click the speaker icon to get out of trouble, I get this message: