Problem of NAT with PIX 515E

Similar Questions

• 4240 IPS blocking queries with Pix 515E

  I have activated the lock on the 4240 and put locking as our Pix 515E. When I look at the Configurations of Signature quite a few Signature Actions are set to alert only produce. If blocking is enabled you also go and the Actions of signing the Deny value or TCP Reset? So far my attackers show dosen't IPS refused and he detected the high level of traffic which I assume must now be blocked. Thanks John

  Yes, go under the signatures that you want and enable blocking for them as an action. Globally blocking configuration (setting the blocking device, the interface, the connection of the device information, etc.), does not actually blocked on the sensor itself, we must still go and activate the blocking of this particular signature. When this particular GIS fires in the future, the sensor it will block on the device that you configured.

  Be very careful with blocking, the reason that we're not blocking simply all the signatures, it is that it would be very dangerous to blindly add access lists to a device that will stop traffic. You must first make sure that you don't get any number of false positives on the signatures and end up blocking valid traffic. In addition, on a busy sensor you could easily overrun detector and locking to writing and deleting 1000's of top access lists. And finally, although probably not, blocking can even be used as an attack denial of service, where an attacker, if they know what signatures you block, can usurp packages past your sensor so that it denies traffic to our legitimate guests.

  You have to look at what signatures you really want to block, and then enable blocking on them individually.

• VPN with ASA 5500 VPN with PIX 515E vs

  I wonder what are the differences between the use of an exisitng PIX 515E for VPN remote users as appossed to acquire an ASA 5500 VPN remote users? Information or advice are appreciated to help me lean toward one or the other.

  Craig

  According to the version of the code that you run on the PIX on the PIX or ASA VPN features must be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider if the existing PIX has sufficient resources to add the extra processing VPN load or if you should put that on another box. You might consider that the PIX is an older product range, and his end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I probably prefer to use a technology newer than the old technology. I also believe that the ASA will give you more choice of technology to go forward (a way of better growth) while the PIX provides current capacity but no path of growth.

  On the other hand, there is the aspect of consider that using the existing PIX does not need not to buy something new and ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.

  HTH

  Rick

• Problem of routing in PIX 515E

  Hi all

  I have a problem here with the routing routing in PIX515E version 6.35. I have a few Client PC located in the DMZ of the PIX515E interface, they connect to the PIX using Cisco VPN Client (IPSEC VPN), once these computers can be routed to access servers (static route) located behind internal PIX interfaces. I have a few servers remotely with access to the Internet, the gateway router to connect remotely to PIX Outside (Internet) Interface using IPSEC VPN and then routed inside the Interface (static route).

  After establishing a VPN IPSEC computers Client behind the DMZ interfaces can access servers located behind the internal Interface of a PIX. So do the remote servers. However, the Client computers cannot access remote servers.

  I was wondering if there are any restrictions for the delivery in PIX?

  Thanks for the reply.

  Hello

  Thanks for posting, sorry for the late reply, been a little busy!

  I'm not to clear on how you route your networks, I personally try to be more specific in what is routed where when the static use of the routes that the large 16s prefixes.

  you have vpn l2l to allow remote access within your acl as crypto 172.16.0.199/32 to your server:
  Access ip 172.16.0.0 Remote_Server list allow 255.255.0.0 host 172.16.0.199

  and also you have cleared nat rule:
  NAT (inside) 0 access-list sheep

  for the resources of DMZ RA VPN 172.16.45.129 for server access through this VPN L2L wallpaper external interface, you need to activate in your acl L2L Tunnel end as well as for the valuable traffic.

  The end has access-list for the tunnel L2L is allowing the network of Client VPN ID?

  I would also like to add to your rule exempt Ant configuration on interface dmz as you do with inside interface

  NAT 0 access-list sheep (dmz)

  Let us know how it works, I'll be back on your config and after some more later.

  Concerning

• Problems of NAT with AnyConnect and 8.3 of the ASA

  I have set up on an ASA 8.3 AnyConnect.  I'm properly connect and pulling an IP from the pool that I created.  The problem I have is that I'm quite see "receive" packets in the AnyConnect details.  I know about the ASA 8.2 and earlier you would use a "waiver" NAT to do the translation of the identity.  How is what is done with 8.3 and later?

  Within 8.3 and later networks are defined as objects using groups of objects. Then, these groups of objects are referenced in the NAT statement to define both pre and post NAT (real / mapped) addresses.

  network of the LOCAL_LAN object
  Subnet 192.168.0.0 255.255.0.0

  network of the REMOTE_LAN object
  subnet 172.16.0.0 255.255.0.0

  NAT static LOCAL_LAN LOCAL_LAN destination (indoor, outdoor) static source REMOTE_LAN REMOTE_LAN

• PIX 515E (7.0.1) - problem with the VPN connection between inside and outside

  Hello

  I ve creates a VLAN on the pix.

  In this VLAN, users are allowed to connect only to the Internet. Everything is fine, but when trying to connect with his VPN Client to their company, it has problems... (Outside traffic flow, but no traffic came back.)

  Is the only solution for this problem to create a Pool of Nat with public ip addresses, one to one mapping, or is there another solution with a public IP address (NAT on PAT) possible for this problem?

  Thanks for your replies.

  D.

  The problem is that the esp is an IP Protocol, so PAT will not work in this scenario. When the return traffic returns to pix he doesn't know how to get to the inside host. The only way to do this is by adding a static nat (1 to 1 mapping) and create a rule to allow esp. Is what type of vpn client? Microsoft vpn? Cisco vpn? If cisco VPN, perhaps, they can use NAT - T on the vpn that overcomes the question PAT by encapsulating ipsec within UDP packets. You need to talk to the admin VPN and itself it allow.

  -kevin

• PIX 515E configuration problems

  I have a UR PIX 515 (6.3.2 os) that works really well, so I copy the configuration on my new PIX 515E-R (os 6.3.2). The PIX 2 have exactly the same configuration. But when I use the PIX 515E-R, I have some problems with the PIX 515E r only

  -I can't access the Internet, but I can ping the router Internet of my PIX 515E. The problem, in my view, must be with the Internet router, not on my external interface.

  -J' have a similar problem with my DMZ. I can ping to the DMZ, a frame relay router interface, but I can't pass this router.

  Is it possible that PIX 515E-R is not compatible with the router? and not the PIX 515 HEART?

  Thanks for your replies.

  Hello

  Just a thought, try clearing the PRA of table on the router and see what happens. Let me know if it helps.

  Jay

• PIX-515E-R-BUN MEM upgrade with PIX-515-MEM-32

  Hi all

  is it maybe possible to upgrade the PIX 515E - r

  with this release of PIX-515-MEM-32, without having to pay

  for all PIX-525-SW-R-UR = update license.

  Concerning

  Richard

  The PIX will recognize this new memory but the configuration is not supported. The upgrade of UR's memory, but also an update of license for several interfaces, failover, etc... Unless you want to add these features to your PIX, it is not necessary to upgrade memory. 32 MB is more than enough for a PIX 515R.

  Does that help?

  Scott

• problems after Pix 515e of 6.34 to 7.12

  Recently upgrade a PIX 515e of 6.34 to 7.12. Everything seemed to work well, but having a problem of access to certain web sites. Basically, allow us all IP from the "inside" network traffic Log errors are:

  609001: built outide:199.230.128.100 local-home

  106015: TCP (no relation) to deny djm/1646 199.230.128.100/80 flags ACK on the interface inside

  609002: dismantling of the local-host ouside: 199.230.128.100 duration 0:00:00

  Config is attached...

  We also find that the problems on the same platform. Have removed the inspection of HTTP the default control as a temporary workaround rule:

  Policy-map global_policy

  class inspection_default

  don't inspect http

  Still looking for a solution...

• PIX 515E with 7.1 SMTP banner (2) changed to 220 * how to disable the fix?

  We have a PIX 515E firewall and the SMTP banner is changed to 220 *.

  I need to disable this and I can't use the command "no fixup protocol SMTP" as it is not present in 7.1.

  Any suggestions?

  Kind regards

  Keyvan

  This is done under the map class 'class-map inspection_default' in this version of the PIX OS.

  pls rate if useful!

• UAL IP on a PIX 515E with 6.2 (2)

  Sorry, I have not found this in a search. I need to understand how to connect what specific host IPs access only. I have a 6.2 (2) running of PIX 515E and no other devices to use for this - no router, etc., nor lead us auth servers. I have used the parameter "log" on router ACL several times but do not see that in this version of PIX. Thanks in advance.

  Hi Brian,.

  The feature of logging for PIX ACL not brought up to version 6.3. The following link has some info on it:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/63rnotes/pixrn63.htm#wp68356

  I'm afraid you will have to upgrade to get this functionality.

  Hope that help - rate pls post if it does.

  Paresh

• PIX 515E v7 VPN config help

  Hello

  I have a PIX 515E current of execution to 7.

  Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or the ip address of the ISP router is provided).

  I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?

  I think that v7 does not support PPPOE? so I can't set the mode on the bridged adsl modem?

  Is there a way to fix this?

  Any help appreciated gratefully.

  apply the commands below:

  ISAKMP identity address

  ISAKMP nat-traversal 20

  If the problem persists, then please post the entire config with ip hidden public.

• Cisco VPN Client Authentication - PIX 515E-UR

  Hi all

  I need your expert help on the following issues I have:

  1. I would like to create more than 1 client VPN on my PIX-515E groups. This is so that I can give a different part of the internal network access to different type of VPN connection. For example, I want a group to have no XAUTH, while the other group must use RADIUS XAUTH. Is it possible for me to do this? I see the PIX automatically enable RADIUS on both groups of VPN clients.

  2. the RADIUS server is a Microsoft ISA with IAS server and it is located on the PIX inside interface. The VPN endpoint is external interface of the PIX. Is there a problem with this Setup? Do I need to have the RADIUS server that is located on the external interface?

  3 can. what command I use to debug RADIUS authentication?

  Thanks in advance for your help.

  Hi vincent,.

  (1) you can use the vpngroup *-authentication server ipaddress to specify the IP address of the Radius Server on a particular group... If you do not specify this, the authentication of the user is made locally... also check for vpngroup * order of user authentication

  (2) there should be no problem with the installation of your... should work fine... If the RADIUS is outdoors, it is subject to many attacks... so have it inside...

  (3) use the "RADIUS session debug" or "debug aaa authentication..."

  I hope this helps... all the best... the rate of responses if found useful

  REDA

• Cisco VPN Client behind PIX 515E,-> VPN concentrator

  I'm trying to configure a client as follows:

  The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.

  Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.

  You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?

• Question of PIX 515E

  Hi all

  We just bought a PIX 515E and try to use it, but got a number of questions. Here's the NVA of show:

  PIX-151st #show version

  Cisco PIX Firewall Version 6.3 (1)

  Cisco PIX Device Manager Version 3.0 (1)

  Updated Thursday 19 March 03 11:49 by Manu

  PIX-515E up to 5 hours and 15 minutes

  Material: PIX-515E, 64 MB RAM, Pentium II 433 MHz processor

  Flash E28F128J3 @ 0 x 300, 16 MB

  BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

  0: ethernet0: the address is 000f.2457.4b12, irq 10

  1: ethernet1: the address is 000f.2457.4b13, irq 11

  Features licensed:

  Failover: enabled

  VPN - A: enabled

  VPN-3DES-AES: enabled

  Maximum Interfaces: 6

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal hosts: unlimited

  Flow: IKE peers unlimited: unlimited

  This PIX has a failover license only (FO).

  Problem is that we cannot ping inner harbor, if we do not switch light, but this is a unique machine. Here's another message once we turn on the switch:

  PIX-515E # config t

  WARNING *.

  Configuration of replication is NOT performed the unit from standby to Active unit.

  Configurations are no longer synchronized.

  PIX-515e (config) #.

  Please help solve this problem. I wonder if we buy the wrong license? Thank you very much.

  you have in your possession a PIX failover. That's why says in the "sh run".

  This device is intended to be used only as a failover for a live device. It will work as a live PIX, but behave badly. It is cheaper than a PIX with an unrestricted license, as it is not intended to be used as a standalone device. Check with the one that you bought to get the situation sorted.

  Good luck

  Steve