Place a server behind a PIX firewall production

Hi all

We currently have a web server that is connected directly to the Internet (multiple public IPs belonging to 5 different class C ranges, with a software firewall).

There are several web sites, some with their own IP addresses, some sharing IPs with other sites.

We intend to put the server behind a PIX firewall and translate the public IP addresses to private IPs with static mappings on the PIX.

We plan to use a PIX with two (2) interfaces.

Do you think it is feasible, or are there things I'm missing?

Some things I'm not sure about:

Since several class C ranges are assigned to the server, and therefore 5 gateways are defined on the NIC, one for each range, how is that defined on the PIX? 5 separate routes, or...?

Do we need to use some kind of "virtual interfaces", one for each class C subnet?

This is an example of the "final product":

A web request to the public IP 204.xxx.85.10 would be directed to the private IP address 10.xxx.85.10.

A web request to the public IP 204.xxx.86.10 would go to 10.xxx.86.10, etc.

Any help you could provide in this regard will be GREATLY appreciated!

Hello

Please provide a topology (plain text would work). I can't tell from your description whether you have a perimeter router in front of the PIX. In addition, when you write static route statements on the PIX, you must include an interface, as follows:

route if_name ip_address netmask gateway_ip

Once you post this information, I'll take another look to better understand your situation.

Thank you
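An added configuration example, not from the thread or from Cisco, showing how the setup described above could look on a PIX 6.3 with two interfaces. It assumes the ISP routes the public ranges to the PIX outside address; all addresses are constructed placeholders (RFC 5737 documentation ranges standing in for the 204.xxx.85.0/24 and 204.xxx.86.0/24 ranges, 10.1.0.0/16 for the private side, 203.0.113.1 as the ISP gateway), and the interface and ACL names are assumed.

```cisco
! Added example (not the thread's or Cisco's own config): PIX 6.3, two interfaces.
! Public ranges use RFC 5737 documentation space as constructed placeholders:
!   198.51.100.0/24 stands in for 204.xxx.85.0/24, 192.0.2.0/24 for 204.xxx.86.0/24.
! The ISP gateway 203.0.113.1 and the private 10.1.0.0/16 are assumed as well.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0

! Routing: one default route toward the ISP. The PIX needs no route per public
! range; the upstream router must deliver 198.51.100.0/24 and 192.0.2.0/24 to
! 203.0.113.2. The server keeps a single gateway, the PIX inside address 10.1.0.1.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Net statics: one line per /24 maps every host in the range, so
! 198.51.100.10 -> 10.1.100.10, 192.0.2.10 -> 10.1.2.10, and so on.
! Trailing "0 0" = max connections and embryonic-connection limit (0 = unlimited);
! a non-zero embryonic limit turns on the PIX's SYN flood protection for that static.
static (inside,outside) 198.51.100.0 10.1.100.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.0.2.0 10.1.2.0 netmask 255.255.255.0 0 0

! Only HTTP/HTTPS may reach the translated addresses; the implicit deny at the
! end of the ACL drops everything else (including any other service the server runs).
access-list outside_in permit tcp any 198.51.100.0 255.255.255.0 eq www
access-list outside_in permit tcp any 198.51.100.0 255.255.255.0 eq https
access-list outside_in permit tcp any 192.0.2.0 255.255.255.0 eq www
access-list outside_in permit tcp any 192.0.2.0 255.255.255.0 eq https
access-group outside_in in interface outside

! Outbound: the statics already cover the server's addresses; other inside hosts
! share the outside interface address via PAT.
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
```

The point of the net statics is that the PIX does not need a "virtual interface" per class C: each public /24 is one static line, and a host keeps the same last octet on both sides. The five gateways currently on the server's NIC collapse into the PIX inside address, while the PIX itself needs only the default route, since the public ranges are owned by its statics rather than by a next hop. Because every static is reachable from the Internet, the outside ACL is what actually limits exposure; keep it to the ports the sites serve.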

Tags: Cisco Security

Similar Questions

  • Enable syslog server behind the PIX

    Could someone tell me a config that allows a syslog server (Kiwi Syslog) behind the PIX to receive syslogs? I have a 2K box with the Kiwi Syslog server behind a PIX 501.

    I have the static command, the access group and the access-list:

    static (inside,outside) 192.104.109.92 192.168.15.200 netmask 255.255.255.255 0 0

    access-group local_server in interface outside

    access-list local_server permit udp any host 192.104.109.92 eq syslog

    Man, I can't understand it.

    Thanks for any help

    You could:

    1. Capture traffic on the syslog port directed to the syslog server.

    2. Terminal monitor: denied traffic showed up clearly when I had not set up the firewall to forward the traffic. (Note: be careful on a busy firewall.)

    3. netstat -a on the syslog server.

    4. If you allow it, you should be able to port scan the server on the syslog port through your firewall.

    5. Is your syslog capture file created? It is not created if the service never started.

    6. Is the service running in the system context, or perhaps under another account that doesn't have the correct rights?

    The answers seem to indicate a service that is not started, which seemed likely. What you describe happened to me when I had the daemon version; I went to the service version and the problem was resolved (once I opened the port).

    I love Kiwi Syslog. I use it with Snare and BacklogIIS and receive alerts in my mailbox within 60 seconds when something bad happens. It always freaks my end users out when I call them with the problem already solved, when they are still looking up my number to report the problem.

  • How to configure to allow users in my web server behind a PIX 501

    I have 1 web server, 4 web hosting sites. IP addresses are like:

    the area of the web server itself: 192.168.111.11

    1st web site on this box has IP 192.168.111.101

    2nd web site: 192.168.111.102

    3rd web site: 192.168.111.103

    4th web site: 192.168.111.104

    My OUTSIDE interface (say) 205.200.20.5

    My INSIDE interface has 192.168.111.1

    I want to let outside web traffic into my web server box that hosts the 4 sites. I only let people in with HTTP and HTTPS.

    How should I do this? And for flexibility, say tomorrow I want to host site #3 on a different web server but still with the same IP address; can I selectively route certain web traffic to the different web server boxes?

    Also, I want to open another port, say 8080, for administrative purposes. Can I route HTTP or HTTPS addressed to some port # to the web server as well?

    You will need to create port-mapped statics, but if you have only one external IP address that people can connect to, they will need to specify a port in the URL to differentiate which internal web server they really want to go to.

    For example:

    > static (inside,outside) tcp 205.200.20.5 80 192.168.111.101 80 netmask 255.255.255.255

    > static (inside,outside) tcp 205.200.20.5 81 192.168.111.102 80 netmask 255.255.255.255

    > static (inside,outside) tcp 205.200.20.5 82 192.168.111.103 80 netmask 255.255.255.255

    > static (inside,outside) tcp 205.200.20.5 83 192.168.111.104 80 netmask 255.255.255.255

    This maps connections to 205.200.20.5 on port 80 through to port 80 on 192.168.111.101. Connections inbound to port 81 will be mapped through to port 80 on 192.168.111.102. Connections inbound on port 82 will be mapped through to port 80 on 192.168.111.103, and so on.

    You cannot map all incoming traffic on port 80 to 4 different internal web servers, because how would the PIX know which one to send the traffic to?

    To allow access, as well as the statics shown above, you must:

    > access-list inbound permit tcp any host 205.200.20.5 eq 80

    > access-list inbound permit tcp any host 205.200.20.5 eq 81

    > access-list inbound permit tcp any host 205.200.20.5 eq 82

    > access-list inbound permit tcp any host 205.200.20.5 eq 83

    > access-list inbound permit tcp any host 205.200.20.5 eq 443

    > access-group inbound in interface outside

    HTTPS is also going to be a problem; the same as with HTTP, you need to use different ports to differentiate which specific internal web server you want them to go to (and allow those ports in your "inbound" ACL above).

    To port 8080, just follow these steps:

    > static (inside,outside) tcp 205.200.20.5 8080 192.168.111.10x 8080 netmask 255.255.255.255

    > access-list inbound permit tcp any host 205.200.20.5 eq 8080

    As you can probably guess, this won't work very well if you have only one external IP address, because users will not know to specify a specific port number to get through to a specific internal host. You may need a separate external address for each internal web server for this to work in reality.

  • Allowing L2TP to pass through PIX Firewall

    Hi all

    Can someone help me with how to allow inbound L2TP connections on a PIX? Behind the PIX firewall there is an ISA server acting as an L2TP VPN server. I can't get L2TP allowed on the PIX.

    Thank you very much!

    Please use this doc as a guide:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

    Jon

  • Ports for a site-to-site VPN behind another PIX

    We have a client for whom we are going to set up a site-to-site VPN. The remote site is behind another PIX firewall that has private inside IP addresses. Apart from the static NAT, which ports must be open in order for the site-to-site to work?

    If the VPN tunnel terminates on PIX-B, then PIX-A must be opened for the following ports (in both directions, inbound and outgoing):

    - The ESP protocol (IP protocol 50)

    - UDP port 500

    - UDP port 4500

    Thus, the ACL commands on PIX-A will be:

    access-list outside_ACL permit udp host IP_of_SiteA-PIX host IP_of_PIX-B eq 500

    access-list outside_ACL permit udp host IP_of_SiteA-PIX host IP_of_PIX-B eq 4500

    access-list outside_ACL permit esp host IP_of_SiteA-PIX host IP_of_PIX-B

    That should do the trick.

  • Cannot access the VPN server located behind the corporate firewall.

    The VPN server was set up by myself, in my department. I can access the server from anywhere when I am on my business network. When I'm at home, I can't even ping the VPN server's WAN interface. When I try to connect via the Cisco VPN client, I get the message "reason 412: peer remote not responding".

    Does my company's main firewall block external traffic?

    Should I change anything in the VPN server?

    I heard about port forwarding, but have no knowledge of it. Is port forwarding done on the VPN server or on the main firewall?

    Also, should I go and ask the company system administrator to open certain ports for the public IP address that I use for my server?

    I hope you can help

    Regards

    Yes, quite correct. Please open the ESP protocol, UDP/500 and UDP/4500 for the IPsec VPN.

  • VPN client connection to a PIX from behind another PIX

    I have the following problem:

    I wanted to establish a VPN connection from the VPN client to the PIX over GPRS / 3G, but I didn't have much luck with PIX software version 6.2(2).

    So I upgraded the PIX to 6.3(4) to use NAT-T, and the VPN client to version 4.0.5.

    I configured the PIX with NAT-T (isakmp nat-traversal 20), but I still had no luck; it would not get through phase 1. As soon as I took isakmp nat-traversal off, it started working, and we can connect to our servers.

    Now I want to connect with the VPN client from behind our PIX to our customer's PIX network. The VPN connection comes up without problem, but we cannot access the servers. If I configure NAT-T on both PIXes, or only on the customer's PIX, or only on our PIX, there is no VPN connection at all.

    If I connect the VPN client from behind our PIX to the customer's network and try to ping the DNS server, for example, I get the following error on our PIX:

    305006: portmap translation creation failed for protocol 50 src inside:10.10.1.x dst outside:194.x.x.x

    194.x.x.x is our customer's PIX IP address.

    I understand that an access list is missing somewhere, but I can't figure it out.

    Of course, I could configure a site-to-site VPN, but we have a few customers whose servers we take over, so it would be simpler to just connect with the VPN client from behind the PIX to the customer's server, instead of first dialing in and then establishing the VPN connection.

    Can you please help me?

    Thank you in advance

    The following is extracted from the ASK THE EXPERTS discussion forum with Glenn Fullage of Cisco.

    I've cut and pasted it here for you to read; I think it covers the problem mentioned below:

    Question:

    Hi Glenn,

    Is the following possible?

    I have the VPN client on my PC, and my LAN is protected by a PIX. I can launch the VPN client to connect to a remote PIX. The VPN client authenticates, and the remote PIX assigns my PC the appropriate IP from its IP address pool.

    The problem I am facing is that I cannot ping anything across the remote PIX from my PC, which is behind my PIX. Can you please guide me on what I have to do to make this work, if it is possible?

    My PC has a static IP address assigned, with the default gateway pointing to my PIX's inside interface.

    Thank you very much for any help provided in advance.

    Response from Glenn:

    First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine but then breaks when put behind a PIX, it is probably that the PIX is doing PAT, which usually breaks IPsec. Add the following command on the PIX your VPN client is behind:

    fixup protocol esp-ike

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.

    If it still has issues, you can turn on NAT-T on the remote PIX that terminates the VPN; the client and the remote PIX will then encapsulate all IPsec in UDP packets, which your PIX will be able to PAT correctly. Add the following command on the remote PIX:

    isakmp nat-traversal

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.

    NAT-T is an IETF standard for the encapsulation of IPsec packets in UDP packets.

    IPsec ESP (the protocol your encrypted data packets use) is an IP protocol; it sits directly above IP rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.

    A lot of Port Address Translation (PAT) features rely on a unique TCP/UDP source port number to PAT on. Because all PATed traffic leaves from the same source address, there must be something unique to each of its sessions, and most devices use the TCP/UDP source port number for this. Because IPsec doesn't have one, many PAT features fail to PAT it properly or at all, and the data transfer fails.

    If NAT-T is enabled on both end devices, they will determine during tunnel setup whether there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPsec packet in a UDP packet with port number 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic flows normally.

    Hope that helps.

  • PIX firewall Image issue

    Hello

    I'm downgrading a PIX firewall from 7.0 to 6.3. I faced a problem during the restart of the PIX.

    The error is given below:

    Start the first image in flash

    Image must be at least 7-0-0-0 error in the flash file: flash:/pix635.bin

    No bootable Flash image. Please download an image from a network server

    in monitor mode

    CISCO PIX FIREWALL SYSTEMS

    BIOS version shipped 4.3.207 01/02/02 16:12:22.73

    Compiled by Manu

    128 MB OF RAM

    Did you follow the exact downgrade procedure indicated in this link? You point at the 6.3.x image as shown:

    downgrade tftp://tftpserverip/pix63x.bin

    PIX downgrade procedure 7.x to 6.3.x

    http://www.Cisco.com/en/us/docs/security/ASA/asa70/pix_upgrade/upgrade/guide/pixupgrd.html#wp1810347

    In any case, you can always re-download the 6.3.5 code in monitor mode.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml#upbootormon

    Let us know how it works.

    Rgds

    Jorge

  • How to limit the ICMP on the PIX firewall.

    Guys good day!

    I have a dilemma with regard to limiting ICMP from users browsing to other networks, such as the other internal DMZs.

    I know that, to allow ICMP to pass through interfaces, you need to create an ACL such as the one below:

    access-list DMZACL permit icmp any any

    Users require this config to ping a server on the DMZ, but it is a security risk.

    To minimize this, I have created an object group to identify the hosts and networks allowed to receive the echo replies.

    Again, this is a problem, since many hosts run extended pings just to monitor connectivity to the server and its application.

    Do you have other ideas guys?

    As for limiting the echo replies on the PIX: for instance, the first 5 echo requests succeed with 5 echo replies and the rest would be dropped.

    Could this be done?

    Thank you

    Chris

    Hello. I don't think you can do this by using an ACL on the PIX; however, you might be able to stop the ICMP sweeps by activating IDS signatures using the ip audit command. For more information see the link below.

    The Cisco Intrusion Detection System (Cisco IDS) usage guidelines provide the following for IP-based systems:

    - Traffic auditing. Application signatures will be audited only as part of an active session.

    - Applies the audit to an interface.

    - Supports different audit policies. Traffic that matches a signature triggers a range of configurable actions.

    - Disables signature auditing.

    - Enables IDS while still turning off the actions of a class of signatures (informational, attack).

    The audit is performed by looking at IP packets as they arrive at an input interface; if a packet triggers a signature and the configured action does not drop the packet, then the same packet may trigger other signatures.

    The PIX Firewall supports both inbound and outbound auditing.

    For a complete list of the supported Cisco IDS signatures, their wording, and whether they are attack or informational messages, see System Log Messages for the Cisco PIX Firewall.

    See the Cisco Secure Intrusion Detection System Version 2.2.1 User Guide for more information on each signature. You can view the "NSDB and Signatures" chapter of this guide at the following website:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids1/csidsug/SIGs.htm
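    An added example, not from the thread or from Cisco documentation, of what the object-group approach the poster describes looks like on a PIX 6.3, together with the ip audit sweep detection the reply suggests. PIX 6.3 has no stateful ICMP inspection, so the echo-replies have to be permitted on the DMZ interface explicitly. All addresses, the interface names (inside, dmz), and the object-group and ACL names are constructed.

    ```cisco
    ! Added example (not from the thread or Cisco docs): replace "permit icmp any any"
    ! with ICMP restricted to the monitoring hosts. PIX 6.3 syntax; addresses,
    ! interface names and object-group names are constructed.
    object-group network MONITORING_HOSTS
      network-object host 10.2.0.10
      network-object 10.2.1.0 255.255.255.0
    object-group network DMZ_MONITORED
      network-object host 172.16.1.20

    ! Inside -> DMZ: only echo requests from the monitoring hosts to the monitored
    ! servers. Applying an ACL on inside replaces the default permit-all outbound,
    ! so the final line keeps other outbound traffic working; ICMP from everyone
    ! else toward the DMZ is denied first.
    access-list INSIDE_IN permit icmp object-group MONITORING_HOSTS object-group DMZ_MONITORED echo
    access-list INSIDE_IN deny icmp any 172.16.1.0 255.255.255.0
    access-list INSIDE_IN permit ip any any
    access-group INSIDE_IN in interface inside

    ! DMZ -> inside: no stateful ICMP inspection in 6.3, so echo-replies must be
    ! permitted explicitly, and only back to the monitoring hosts.
    access-list DMZ_IN permit icmp object-group DMZ_MONITORED object-group MONITORING_HOSTS echo-reply
    ! (add the DMZ servers' other legitimate outbound traffic here; the implicit deny drops the rest)
    access-group DMZ_IN in interface dmz

    ! Pings to the PIX's own interfaces are governed by the icmp command, not by ACLs.
    icmp permit host 10.2.0.10 echo inside
    icmp deny any inside

    ! The reply's suggestion: IDS signatures. ICMP sweeps are attack-class
    ! signatures; alarm on and drop them at the inside interface. This detects
    ! sweeps, it does not rate-limit legitimate extended pings.
    ip audit name INSIDE_AUDIT attack action alarm drop
    ip audit interface inside INSIDE_AUDIT
    ```

    This does not give the "first 5 echo requests, then drop" behaviour the poster asks about; it replaces the blanket permit with an explicit list of who may ping what, and the monitoring hosts are the only ones whose replies are let back in. The ip audit lines are the detection side: a host sweeping the DMZ trips the sweep signature and is logged (and dropped), which is what you actually want to see in syslog rather than a silent ACL deny.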

  • Cisco ACS and Pix Firewall

    I have configured AAA authentication on the PIX firewall to check with the ACS RADIUS server for user verification. If the ACS server becomes unavailable, then I could not connect to the PIX firewall.

    On the router, I have the configuration option

    aaa authentication login default group tacacs+ local

    which tells the router to first look for a RADIUS server and, if it is not available, to log in through the local database.

    Is there an option on the Cisco PIX firewall to log in using local credentials if ACS is not available?

    Thanks in advance

    Hello

    The PIX fallback method to get into the unit in the event of an AAA server failure works on 6.3.4 code and above. On code before 6.3.4, if the RADIUS server fails, it is impossible to get in except through password recovery. However, if AAA authentication has not been configured for the console, then the username "pix" and password "cisco" work by default.

    Kind regards

    Mahmoud Singh
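    An added example, not the poster's or Cisco's configuration, of management authentication against ACS over RADIUS with the LOCAL fallback the reply refers to. The LOCAL keyword is assumed to be available from 6.3(4) onward, as the reply states; the server address, shared secret, local username and management subnet are constructed placeholders.

    ```cisco
    ! Added example (not the poster's or Cisco's configuration): management access
    ! authenticated against ACS over RADIUS, falling back to the local user database
    ! when the server is unreachable (LOCAL keyword, assumed available from 6.3(4)
    ! as the reply states). Server address, key and username are constructed.
    aaa-server ACS protocol radius
    aaa-server ACS (inside) host 10.1.1.5 REPLACE_WITH_SHARED_SECRET timeout 5

    ! Local account used only when ACS does not answer; give it its own strong
    ! password, distinct from anything stored in ACS.
    username admin password REPLACE_WITH_LOCAL_PASSWORD privilege 15

    ! Every management path tries ACS first, then LOCAL. Without LOCAL here, a dead
    ! RADIUS server locks you out of the box until password recovery.
    aaa authentication ssh console ACS LOCAL
    aaa authentication serial console ACS LOCAL
    aaa authentication enable console ACS LOCAL

    ! Limit where management sessions may originate, and use SSH rather than telnet.
    ssh 10.1.1.0 255.255.255.0 inside
    ssh timeout 10
    ```

    The fallback is only consulted when the RADIUS server does not respond (timeout), not when it rejects the credentials, so an attacker cannot reach the local account simply by failing against ACS; the local password still needs to be as strong as any ACS account, since it is the one that works when central logging and lockout policy are unavailable.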

  • PIX firewall problem

    I have two servers, one on the PIX inside and the other in the DMZ. I wanted to set them up so that they can communicate with routers and switches located outside the PIX firewall.

    My inside server works fine; it is able to reach the Internet and to communicate with all devices located outside the PIX firewall. Here is the reference configuration for the inside server.

    access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.32.50

    access-list outside_acl extended permit ip host x.219.212.217 host 172.28.32.50

    access-list sheep extended permit ip host 172.28.32.50 host x.219.212.217

    access-list sheep extended permit ip host 172.28.32.50 x.223.188.0 255.255.255.0

    access-list inside_acl extended permit ip host 172.28.32.50 any

    But my DMZ server does not work, although I made the same configuration as for the inside server. The DMZ server is not able to communicate with the outside network.

    access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.72

    access-list outside_acl extended permit ip host x.219.212.217 host 172.28.92.72

    access-list sheep extended permit ip host 172.28.92.72 host x.219.212.217

    access-list sheep extended permit ip host 172.28.92.72 x.223.188.0 255.255.255.0

    access-list dmz_acl extended permit ip host 172.28.92.72 any

    If I create a static entry for the DMZ SNMP server:

    static (dmz,outside) 172.28.92.72 172.28.92.72 netmask 255.255.255.255

    it starts to communicate with the external devices, but Internet access stops working on this server. The same configuration works with the inside server, but not with the DMZ server.

    nat (inside) 0 access-list sheep

    nat (inside) 3 172.28.32.0 255.255.255.0

    nat (dmz) 3 172.28.92.0 255.255.255.0

    global (outside) 3 interface

    Your static entry is bypassing your nat (dmz) 3 entry. You can do NAT exemption instead, as you do for your inside:

    1. Remove the static entry (followed by clear xlate)

    2. Add: nat (dmz) 0 access-list sheep

    I suggest using two different "sheep" ACLs, one for each interface.

    e.g. nonat_inside

    nonat_dmz
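    An added example, not the poster's or Cisco's configuration, of the NAT exemption the reply recommends, with one nonat ACL per interface. The interface names and the 172.28.x.x server addresses are taken from the thread; the outside networks are written with RFC 5737 addresses (203.0.113.0/24 standing in for x.223.188.0/24 and 198.51.100.217 for x.219.212.217), and it assumes the outside routers already route 172.28.92.0/24 to the PIX, as they evidently do for 172.28.32.0/24.

    ```cisco
    ! Added example (not the poster's or Cisco's configuration): NAT exemption for
    ! both servers, one nonat ACL per interface, as the reply suggests. Outside
    ! addresses are RFC 5737 placeholders: 203.0.113.0/24 for x.223.188.0/24,
    ! 198.51.100.217 for x.219.212.217.

    ! Inside server: exempt its traffic to the management networks from NAT.
    access-list nonat_inside extended permit ip host 172.28.32.50 host 198.51.100.217
    access-list nonat_inside extended permit ip host 172.28.32.50 203.0.113.0 255.255.255.0
    nat (inside) 0 access-list nonat_inside

    ! DMZ server: same idea with its own ACL. With no static entry, nat (dmz) 3
    ! still applies to everything not matched here, so Internet access keeps working.
    access-list nonat_dmz extended permit ip host 172.28.92.72 host 198.51.100.217
    access-list nonat_dmz extended permit ip host 172.28.92.72 203.0.113.0 255.255.255.0
    nat (dmz) 0 access-list nonat_dmz

    ! Everything else on both interfaces is PATed behind the outside address.
    nat (inside) 3 172.28.32.0 255.255.255.0
    nat (dmz) 3 172.28.92.0 255.255.255.0
    global (outside) 3 interface

    ! Inbound from outside: only the management devices, only to the two servers.
    access-list outside_acl extended permit ip 203.0.113.0 255.255.255.0 host 172.28.32.50
    access-list outside_acl extended permit ip host 198.51.100.217 host 172.28.32.50
    access-list outside_acl extended permit ip 203.0.113.0 255.255.255.0 host 172.28.92.72
    access-list outside_acl extended permit ip host 198.51.100.217 host 172.28.92.72
    access-group outside_acl in interface outside

    ! After removing the old static and applying the above, flush existing
    ! translations so the DMZ server's sessions are rebuilt under the new rules:
    ! clear xlate
    ```

    Keeping the exemption ACLs separate per interface also keeps them reviewable: each one lists exactly which private hosts are exposed untranslated and to whom. Since the DMZ box is an SNMP server, the outside_acl lines could be tightened from "ip" to the protocols the routers actually use (udp eq snmp, plus icmp if they ping it), which is the change I would make next.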

  • PIX firewall Security Guide

    Hi guys, I noticed that there is a document on hardening Cisco routers on cisco.com.

    Is there a similar best-practices document for the Secure PIX firewall? Or even a general firewall best practices guide?

    I searched, but did not really find anything. Any help would be great!

    Hi Nathan,

    So far there is no specific doc, but you can get the idea from the PIX / ASA documentation itself. This is probably due to the 'trusted' nature of the firewall itself (everybody knows that it is not 100% secure).

    Anyway, there is a document on "Best practices of firewall" at http://www.principlelogic.com.

    Others are:

    http://www.Security.FSU.edu/firewall.cfm

    http://SearchSecurity.TechTarget.com/originalContent/0,289142,sid14_gci838230,00.html

    Personally, I think the recommendations are very good and can be applied generally to harden most firewall products.

    I hope this helps.

    Rgds,

    AK

    DISCLAIMER:

    The post above is not intended to promote services/tools/products on behalf of any person or organization. It is simply information sharing.

  • HELP: Activation server determined that the specified product key has been blocked

    I did a complete reset of my ENVY 17 laptop and now whenever I try to re-activate Windows 8 Pro that I reinstalled using the USB recovery, I get error:

    Code: 0xC004C003

    Description: The activation server determined that the specified product key has been blocked.

    I called Microsoft Support and was told to contact HP (the manufacturer of my PC). Has anyone else run into the same thing, and how was it resolved?

    Thank you

    Rico.

    Solved! HP technical support took care of me Thank you so much.

  • the activation server determined that the specified product key cannot be used to 0xC004C008

    Hello

    I'm running a server KMS on Windows server 2012 R2 and I have enabled more than 300 PC and servers.

    But for some reason, I can no longer activate new PCs and servers. They get 0xc004c008: the activation server determined that the specified product key cannot be used.

    Nothing has changed on the KMS server and I do not see where the KMS host key could be used outside of the host itself.

    Any ideas?

    Hello

    Please post your question in the TechNet Server Forums, as your question is beyond the scope of these forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    See you soon.

  • Access list ID # on a PIX firewall

    Does anyone know what the access-list identifier range is on a PIX firewall?

    IOS standard = 1-99

    IOS extended = 100-199

    PIX = ?

    There is no "limit" per se on the PIX. Those limits exist in IOS because they define what 'type' of ACL it is, i.e. AppleTalk, IPX, IP, etc. The PIX is IP only, so it doesn't need this kind of identification.

    access-list 100000000000000; 1 elements

    access-list 100000000000000 line 1 permit ip any any (hitcnt=0)

    Jason
