PIX, wiring question

Hello

We currently have a PIX 506E; its outside Ethernet interface is connected to our 1720 router's Ethernet interface using a crossover cable. We are trying to replace the 506E with a 515E. The quick start guide says to use one of the provided patch cables. Could someone confirm the correct cable to use between the 515E and the 1720, and also whether connecting through a passive filter would have a significant impact?

Thank you very much

J Mac

You need a crossover cable between the router and the PIX.

Use a crossover cable when connecting like devices, such as a switch to a switch or a PC to a PC... A PIX interface is like the network card in your PC, so if you connect a PIX interface directly to the router (or directly to a PC) you have to use a crossover cable; if you are connecting the PIX to pass you need a straight cable...

M.

Hope that helps the rate if it isn't

Tags: Cisco Security

Similar Questions

  • VPN inside a PIX (General Questions)

    Hello

    I'm trying to implement a scenario of communication between a client on the inside of a PIX that talks to a server on the outside. The client must have an IPsec connection on the inside. I have the following config and a few questions I'd be very happy to get an answer for...

    Backup server on the outside interface, security0

    Client on the inside interface, security100

    The client IP address is 200.200.212.194

    backup server address is 200.200.202.201

    I want to implement a VPN client connection to the inside interface, and therefore have implemented the following configuration.

    ip address outside 200.200.202.200 255.255.255.0

    ip address inside 200.200.212.193 255.255.255.192

    access-list 100 permit ip host 200.200.202.201 10.3.3.0 255.255.255.0

    ip local pool privada 10.3.3.1-10.3.3.254

    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac

    crypto dynamic-map dynmap 10 set transform-set RIGHT

    crypto map mymap 10 ipsec-isakmp dynamic dynmap

    crypto map mymap client configuration address initiate

    crypto map mymap client configuration address respond

    crypto map mymap interface inside

    isakmp enable inside

    isakmp key * address 0.0.0.0 netmask 0.0.0.0

    isakmp identity address

    isakmp policy 10 authentication pre-share

    isakmp policy 10 encryption 3des

    isakmp policy 10 hash sha

    isakmp policy 10 group 2

    isakmp policy 10 lifetime 86400

    vpngroup PRIVADAGROUP address-pool privada

    vpngroup PRIVADAGROUP password *

    vpngroup PRIVADAGROUP split-tunnel 100

    I have a few questions about this configuration maybe some kind soul able to respond.

    1. The VPN clients receive an address (10.3.3.1, for example) through the IKE negotiation. When I ping my server from the client with the VPN tunnel active, I assume the real packet that passes over the wire has 10.3.3.1 as source address and a destination of 200.200.212.193 (the VPN endpoint and inside interface). Within IPsec, the packet is my real IP packet with a source address of 200.200.212.194 (address of the real client) and a destination address of 200.200.202.201 (address of the backup server that I am trying to ping). If all this makes sense and is correct, could you confirm the following point.

    2. When the PIX decrypts the packet and removes the IPsec header, I find myself with my original IP packet with a source address of 200.200.212.194 (address of the real client) and a destination address of 200.200.202.201 (address of the backup server that I am trying to ping). I don't know if I then need the following configuration to allow the packet to be forwarded to the backup server without NAT:

    access-list allowed sheep host ip 200.200.212.194 255.255.255.0 200.200.202.0 255.255.255.0

    nat (inside) 0 access-list sheep

    I was previously using the following configuration and it seemed to work, but the more I think about it the less sense it seems to make, as I'd expect the NAT to run on the decrypted packet. I must be missing something or confused, or both.

    access-list sheep permit ip 10.3.3.0 255.255.255.0 200.200.202.0 255.255.255.0

    nat (inside) 0 access-list sheep

    3. Last and probably least, I'm pretty sure I don't need the line "isakmp key * address 0.0.0.0 netmask 0.0.0.0" when connecting with VPN client software only. Can someone confirm that for me?

    I'm actually trying to get this to work remotely with someone else doing the actual work and we don't speak the same language.

    Any help to store my confused brain would be appreciated.

    1. No, it's the other way around. The real packet that passes over the wire has the IP address of the PC (200.200.212.194) as a source. Within the IPsec packet, the allocated 10.3.3.1 is the source IP address. When the PIX decrypts the packet, the outer header is removed, and the packet has a source of 10.3.3.1 as it is sent to your server on the outside. The external server will respond to 10.3.3.1, so it must be routed to the PIX for it to work.

    Think of this as the normal instance with the PC on the outside across the Internet. A packet sent from and to 10.3.3.1 would never make it to the original PC. The encrypted IPsec packet always contains the VPN endpoints' real IP source and destination addresses. The decrypted original packet contains the allocated IP as source and the actual destination computer (usually also a private address) as destination.

    2. This should make more sense now that you know the answer to 1.

    3. You don't need that if you have a "vpngroup password xxxx" command. The "isakmp key ..." command is used if there is no specific vpngroup key, or someone connects with a different groupname.

  • VPN on PIX Newbie question

    Hello

    I need to create a site to site VPN, I have in mind a PIX 515e. Behind it is a network of win2k with a domain controller for authentication. Users of the remote site must be attached to authenticate to this DC via a VPN.

    The two sites to connect to the internet by modem cable and the remote site will have up to 10 users behind the PIX/VPN.

    Here are my questions:

    What kind of material PIX the remote site needs? A 501/506, or something else.

    Do I need a VPN concentrator, etc. to the head of line?

    How the hell i make it work?

    Sounds simple right? I appreciate a lot of help because I am a little confused. Thanks in advance.

    Marc

    Hello Mark,

    Here is an example of PIX to PIX VPN using IPSec:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

    In addition, many more examples here to get you go, all TACS is the author:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html

    Hope this helps - Jay

  • Configuring PIX Cisco Question - very limited info. Sorry!

    People,

    A question has been put to me about a Cisco PIX (I don't know what model it is), about which I know very, very little. The person who asked me the question is trying to help someone else! I apologize in advance for the lack of information here, but I'm hoping that someone with PIX expertise will be able to diagnose the problem, or suggest questions to ask down the chain to address this problem. The question they asked me:

    "Can't get NAT to work correctly between the demilitarized zone and other ports."

    I know that it is very sketchy, but because I'm not a firewall or security person I'm not sure what I want or what questions I need to ask. I do however have a copy of the config; if someone can help, we'd really appreciate it.

    Config is attached.

    I think that the above is not a problem.

    However, here it is a question;

    static (dmz1, external) 20.20.20.252 switch1 netmask 255.255.255.255 0 0

    static (dmz1, external) 20.20.20.22 switch1 netmask 255.255.255.255 0 0

    I think it should be;

    static (dmz1, external) 20.20.20.252 switch1 netmask 255.255.255.255 0 0

    static (dmz1, external) 20.20.20.22 nlbweb1 netmask 255.255.255.255 0 0

    Let us know if this can help,

    Paul

  • Wiring question: PXI-2501 1 wire 48 x 1

    Dear friends,

    I need wiring help. I have a PXI-2501 set up for 1-wire 48 x 1 with a TB-2065 connection block. I have an analog signal entering the block that I want to switch between 5 different LEDs. The incoming analog signal has two wires (positive & GND), and my bank of LEDs has 6 wires (5 separate positive & a shared GND). I have reviewed the documentation section 'NI Switches Help', topic 'NI PXI-2501/2503 1-Wire 48 × 1 Multiplexer' topology, but haven't quite figured it out. Can I connect my two ground wires together and then connect the rest like this?

    analog input

    + 1-> the Terminal 27

    output LED Bank

    + 1-> terminal 67

    + 2-> 66 terminal

    + 3-> terminal 65

    + 4-> terminal 64

    + 5-> terminal 65

    Also, should I be connecting GND wires on the block somewhere instead of themselves?

    Any help would be greatly appreciated...

    Thank you

    Zach Barnett

    Hello Zach,

    Try moving the analog input + connection to terminal 61. You can a) connect your two ground wires together or b) connect the ground wires to the TB-2605 terminal block.

    The image below shows the resulting configuration if you connect the ground wires to the terminal block:

    I hope this helps!

    Chad Erickson
    Switch Product Support Engineer
    NOR - USA

  • Simple failover PIX LAN question

    Is the FO license (PIX 6.3) sufficient for LAN-based failover on the secondary unit, or does it have to be unrestricted? I cannot find the exact answer on the Cisco web site.

    Marko

    Yes, Marko, the FO license is sufficient for the secondary unit. The primary should be unrestricted.

    Kind regards

    GE.

  • PIX OSPF question load balancing

    I have a PIX 515E with two default routes, learned via OSPF from two routers on the "outside" interface.

    Router #2 is currently being preferred much more than router #1. There are thousands of destinations for traffic. These two routers still NAT the RFC 1918 IPs to the Internet (the PIX doesn't NAT).

    Can someone please let me know how the PIX is load balancing? Is it by destination IP address? Is it something else?

    Thank you

    Joe

    TAC:

    "The PIX will do per-destination load balancing instead of per-packet load balancing. The algorithm will look at the source and destination addresses. It is not 1:1 load balancing. Given quite different source and destination addresses, the packets will reach more or less a 50-50 split between the two next-hops. However, in a real-world test with the same source and destination addresses, it may not reach the same load balancing."

  • PIX 501 question?

    Hello

    I have a PIX 501 and received a single public IP address from my ISP, and I need to access a server on the private network from outside (Telnet or FTP).

    How do I translate the private IP of the server to the public IP address of the external interface of the firewall, specifying the FTP or Telnet port only? Is this possible?

    Thank you

    The pleasure is mine.

    Click rate if you found the post useful.

    sincerely

    Patrick

  • PPTP VPN pix 501 question

    I'm relatively new to the security stuff. I'm a voice guy. I set up a PIX 501 for IPsec VPN and it works very well. Then I tried setting up PPTP VPN. I use Windows XP to connect. It connects fine, but I can't ping the inside interface on the PIX. I can do this when using IPsec. Any ideas? Here is my config:

    :

    6.3 (3) version PIX

    interface ethernet0 car

    interface ethernet1 100full

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    activate the password * encrypted

    passwd * encrypted

    host name *.

    domain name *.

    fixup protocol dns-length maximum 512

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol pptp 1723

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol 2000 skinny

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol tftp 69

    names of

    access-list 101 permit icmp any any echo response

    access-list 80 allow ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0

    access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.5.0 255.255.255.0

    access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.6.0 255.255.255.0

    pager lines 24

    opening of session

    emergency logging console

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside of *. *. *. * 255.255.255.0

    IP address inside 10.0.0.1 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    IP local pool pool1 192.168.5.100 - 192.168.5.200

    IP local pool pool2 192.168.6.100 - 192.168.6.200

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0 access-list sheep

    NAT (inside) 1 10.0.0.0 255.0.0.0 0 0

    Access-group 101 in external interface

    Route outside 0.0.0.0 0.0.0.0 *. *. *. * 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    AAA-server local LOCAL Protocol

    the ssh LOCAL console AAA authentication

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    enable floodguard

    Permitted connection ipsec sysopt

    Sysopt connection permit-pptp

    Sysopt connection permit-l2tp

    Crypto ipsec transform-set high - esp-3des esp-sha-hmac

    Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

    Crypto dynamic-map cisco 4 strong transform-set - a

    Crypto-map dynamic dynmap 10 transform-set RIGHT

    Cisco dynamic of the partners-card 20 crypto ipsec isakmp

    partner-map interface card crypto outside

    card crypto 10 PPTP ipsec-isakmp dynamic dynmap

    ISAKMP allows outside

    ISAKMP key * address 0.0.0.0 netmask 0.0.0.0

    ISAKMP nat-traversal 20

    part of pre authentication ISAKMP policy 8

    ISAKMP strategy 8 3des encryption

    ISAKMP strategy 8 md5 hash

    8 2 ISAKMP policy group

    ISAKMP life duration strategy 8 the 86400

    vpngroup address pool1 pool test

    vpngroup default-field lab118 test

    vpngroup split tunnel 80 test

    vpngroup test 1800 idle time

    Telnet timeout 5

    SSH 10.0.0.0 255.0.0.0 inside

    SSH 192.168.5.0 255.255.255.0 inside

    SSH 192.168.6.0 255.255.255.0 inside

    SSH timeout 5

    management-access inside

    Console timeout 0

    VPDN PPTP-VPDN-group accept dialin pptp

    VPDN group PPTP-VPDN-GROUP ppp authentication chap

    VPDN group PPTP-VPDN-GROUP ppp mschap authentication

    VPDN group PPTP-VPDN-GROUP ppp encryption mppe auto

    VPDN group VPDN GROUP-PPTP client configuration address local pool2

    VPDN group VPDN GROUP-PPTP client configuration dns 8.8.8.8

    VPDN group VPDN GROUP-PPTP pptp echo 60

    VPDN group VPDN GROUP-PPTP client for local authentication

    VPDN username bmeade password *.

    VPDN allow outside

    You will have to connect to an internal system inside and out run the PIX using pptp.

    For SSH access to the PIX, you will also need additional configuration; see the section on pre-7.x PIX code, section "SSH access to the security appliance".

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#C4

    Regards

  • VPN pix 515 questions

    Hello

    We are trying to give a remote client access to a server on the inside interface. We have read a lot of similar topics, but it still does not work. Can someone please take a look at our configuration and let us know what we're doing wrong?

    Our interfaces are as follows:

    outside = 204.222.162.0

    inside = 192.168.1.1 - 254

    DMZ = 204.222.161.0

    Thank you

    Hello

    You must have a static nat translation for the internal server.

    static (Inside, Outside) netmask 255.255.255.255 0 0

    Then create an access list to allow access to the host (public IP) with port...

    ex:

    access-list out_to_in permit tcp any host 1.1.1.1 eq telnet

    Apply the ACL to the external interface.

    HTH

    Thank you

    MS

  • R3 wiring question

    I had 2 GTS 450s in my PC, and it went wrong. So I got an R9 290, but my power supply wouldn't run it, so I got an 875 W PSU. The new card needs a 6-pin plug and an 8-pin connector. As you can see from this picture, it is attached to the 2 450s. Now I plug this one into the 6-pin and the other into the 8-pin plug. The box says the 8-pin must be 150 W and the 6-pin plug must be 75 W?

    http://i.imgur.com/xxgTOc8.jpg

    You have my new card hooked up and it works? but I discovered that when I opened it on it had a card telling me a bios on the card switch. and he say for windows 8 and switch on the side and for windows 7 for more on early again the reverse... I looked at the other card. and it was fixed for windows 8 and higher. that should be the reason why it did not work. same duh the MSI tech didn't tell me to check it out.

  • question about shun to pix

    Is it possible to have a specific user account on the sensor to connect and send shun commands to a PIX, or are you limited to a generic connection with the enable password?

    Thank you

    1) Go to the web configuration GUI on the sensor.

    2) Select the "Configuration" tab.

    3) Select "Blocking" -> "Logical Devices".

    4) Enter the username, password and enable password in the appropriate fields.

    5) Go to "Blocking Devices" and add the PIX as a blocking device.

    It should work. I do something similar through the IDSMC, but the configuration will be reflected on the individual sensors as I described above. (This assumes that you are on 4.x sensor code and the user name is valid for the PIX in question.)

    I hope this helps.

    Kind regards

    Chad

  • Using VPN Client coming out behind a PIX

    As I understand it, a PIX can operate as a VPN endpoint for IPsec tunnels, or allow IPsec traffic to pass through to other endpoints behind it. My PIX is an endpoint, but there are a few users who wish to use the VPN Client to connect to outside points beyond the firewall.

    Is it possible to configure a PIX to both pass through IPsec traffic AND be an endpoint?

    On a related note, can two hosts running the VPN client software connect to each other?

    Thank you

    Marc

    My company's PIX does exactly what you posted: there is a LAN-to-LAN VPN, and we also establish VPNs to other companies via a software VPN client.

    Concerning the pass-through described, it should not need an additional ACL or configuration, assuming that there is no ACL on the PIX. One issue to note is that the other end (i.e. the endpoint of the remote VPN client) needs to support nat-traversal, since the local PIX usually performs NAT/PAT.

    However, a VPN directly between two clients is not feasible, as the name suggests (they are both clients).

  • SSH Authentication: PIX-> RADIUS

    Hello. I am trying to have a PIX firewall [6.3.5] query a RADIUS server to authenticate SSH users. The PIX is remote, so I'm afraid of losing access to it. :) My question is what commands I can enter while I am already SSHed into the unit, such that the NEXT time I SSH in, the PIX will check the RADIUS box for my user name / password challenge? Please help... Thank you!!!

    Hey Quentin,

    We can have this command, but it is not mandatory to have access SSH for the PIX.

    This command is used to verify the credentials allow RADIUS.

    Kind regards

    Jagdeep

  • Sony cdx-ca700x - cd error. technical help.

    I have this camera and when I put a disc in, it will not turn upward and just, the screen lights up and says 'CD', then it 'restarts' itself and repeats this behaviour.

    I'm a newbie in electrical knowledge and I know how to do self service, although I can't find any information on what can be wrong with this; maybe the spindle motor? Causing some type of short when initializing the CD player and then restarting?

    I love this camera and I'd like to keep a little longer and I see there is no support section on the site for this specific model, I guess this is legacy now then.
    No rule important break if I get some technical know-how of a shoring guy I hope!

    Hello
    Welcome to the Forums of Discussion of the user.
    The only technical info topic, it provides for CD error means the disk itself. However you have probably tried with many store bought the audio CD and get the same problem. Have you tried a reset?
    The reset button is not on the façade but behind it. (see #11) on the diagram page 4 of the instructions for maintenance. http://www.docs.Sony.com/release/CDXCA700X.PDF

    Have you recently removed and replaced your terrace? If so you can experience an installation/wiring question. http://www.docs.Sony.com/release/CDXCA700Xinstall.PDF

    If you have ever dropped your deck (since the start-up failure occurring), and this happens regardless of which cd you are trying to play.
    laser head can be defective and must be repaired.
