PIX 515E config question
I'm an amateur at this so please be patient with me.
One of my users is getting an application that needs to communicate with a vendor's host. The vendor tells me that my user's workstation needs a public IP address to make it work, but they did the job with a NAT'ed IP address. This is my preferred method, as giving this user a public IP address would be a difficult task.
The question is: how do I go about setting up the user's IP address for port 80 and a few other ports (I did receive the other ports as well)?
Relevant config info:
> access-list outgoing permit ip any any
> ip address outside 170.x.x.242 255.255.255.248
> ip address inside 10.x.x.1 255.255.254.0
> route outside 0.0.0.0 0.0.0.0 170.x.x.241 1
From other access rules we have put in place for other needs, this is what I am thinking of adding:
> access-list inbound permit ip any host 170.x.x.246
> static (inside,outside) 170.x.x.246 10.x.x.38 netmask 255.255.255.255 0 0
Would this be correct, and if not, what am I missing? If any other information is needed, let me know.
Thanks in advance,
Ben
Do you have the line:
sysopt connection permit-ipsec
in the configuration?
If so, that's why; you can even remove the command line which allows ESP. The sysopt opens IPSEC to the whole world and does not check the access lists on the interfaces.
sincerely
Patrick
Tags: Cisco Security
Similar Questions
-
I got some new PIX 515E security appliances and I have 2 questions about everything I tried. I installed a 5-port switch on the inside and cannot ping anything from the console. I have a computer on the switch, and it is able to ping other devices on the switch, but not the PIX.
What I find strange is that when I try to ping from the inside interface of the PIX to one of the inside computers, the PIX displays the MAC address of the inside computer in the arp table.
My goal is to upgrade the PIX to ver 7.0 but I can't do so until I solve this problem.
Here is some information from the PIX.
#sh ver
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Sat 02-Jul-04 00:07 by Manu
pixfirewall up 29 mins 33 secs
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device: VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 0015.625a.f7da, irq 10
1: ethernet1: address is 0015.625a.f7db, irq 11
2: ethernet2: address is 000d.8810.902c, irq 11
3: ethernet3: address is 000d.8810.902d, irq 10
4: ethernet4: address is 000d.8810.902e, irq 9
5: ethernet5: address is 000d.8810.902f, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Failover Only (FO) license.
#sh run
interface ethernet1 100full
nameif ethernet1 inside security100
hostname pixfirewall
domain-name testlan
access-list acl_out permit icmp any any
no ip address outside
ip address inside 192.168.1.222 255.255.255.0
no failover ip address outside
no failover ip address inside
#sh int e1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0015.625a.f7db
IP address 192.168.1.222, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
Hi M8,
Your firewall has an FO license; you must activate this device to be able to see it.
Run the command:
failover active
With this command, the device goes into the 'Active' state from a failover perspective. It will work after that.
See you soon.
Salem.
-
When failover occurs, the primary and secondary PIX are supposed to swap their IP and MAC addresses. Does this include the IP addresses of the interfaces?
That is right. The interface IP addresses will be swapped. Make sure that your two firewalls:
-are the same model number
-have the same software versions and activation key types
-have the same amount of Flash and RAM memory.
-
Hi all
We just bought a PIX 515E and are trying to use it, but have a number of questions. Here's the show version:
PIX-515E# show version
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Thu 19-Mar-03 11:49 by Manu
PIX-515E up 5 hours 15 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000f.2457.4b12, irq 10
1: ethernet1: address is 000f.2457.4b13, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Failover Only (FO) license.
The problem is that we cannot ping the inside port unless we turn on failover, but this is a single machine. Here's another message once we turn it on:
PIX-515E# config t
WARNING ***
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
PIX-515E(config)#
Please help solve this problem. I wonder if we bought the wrong license? Thank you very much.
You have a failover PIX in your possession. That's why it says so in the "sh run".
This device is intended to be used only as a failover for a live device. It will work as a live PIX, but behave badly. It is cheaper than a PIX with an unrestricted license, as it is not intended to be used as a standalone device. Check with whoever you bought it from to get the situation sorted.
Good luck
Steve
-
Hello
I have a PIX 515E currently running 7.
Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or ISP router IP address is provided)?
I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?
I think v7 does not support PPPoE, so I can't set the ADSL modem to bridged mode?
Is there a way to fix this?
Any help gratefully appreciated.
Apply the commands below:
isakmp identity address
isakmp nat-traversal 20
If the problem persists, then please post the entire config with public IPs hidden.
-
I am a new user and I'm trying to configure a PIX 515e Ver 6.3(3). How can I give my inside users access to my webfarm located on dmz1? I am able to access the test sites inside and outside dmz1. I can't access the web sites inside dmz1. Here is my current config:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxx
passwd xxxx
hostname pix1
domain-name apprendrefacile.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.1 aetest
name 10.10.10.2 aetest1
name 13.13.13.3 aetestdmz
name 13.13.13.4 aetestdmz1
access-list from-out-to permit tcp any any eq www
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 12.x.x.x 255.255.255.0
ip address inside 10.10.10.2 255.255.255.0
ip address dmz1 13.x.x.x 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
static (inside,outside) 12.12.12.15 aetest netmask 255.255.255.255 0 0
static (inside,outside) 12.12.12.16 aetest1 netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.17 aetestdmz netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.18 aetestdmz1 netmask 255.255.255.255 0 0
access-group from-out-to in interface outside
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.207 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:XXXXX
: end
Thank you... Jay
With PIX v6.x, nat/global or static is a must before the PIX will start to transfer packets between two interfaces.
The current static statements do not cover the translation between the inside and the dmz. As the traffic between the PIX inside net and the dmz is private, I suggest you set up no-nat between the two.
for example
static (inside,dmz1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
clear xlate
In the above example, the PIX inside host must be able to access the dmz server by pointing to the private IP address of the dmz web server.
If you prefer the PIX inside host to access the dmz server by name, then the "alias" command should be applied.
for example
alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255
The need for the "alias" command is due to the fact that when the PIX inside host tries to access the dmz server by name, the public DNS will point to the public IP address of the dmz web server. Now, as the static created for the dmz web server is directional, i.e. the public IP will be accessible from the outside, not from the PIX inside net, the 'alias' command allows the PIX to manipulate the DNS response and point the name to the private IP of the dmz web server for the PIX inside host.
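The two recurring PIX 6.x questions in this thread (the first post's static + inbound access-list for publishing one host, and the inside-to-dmz1 gap answered just above) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the nameif, static, nat/global, access-list and access-group lines of a PIX 6.x config, reports which higher-security hosts are published and which ports the lower interface's ACL lets reach them, and lists interface pairs that have no translation at all (which PIX 6.x refuses to forward across). The sample config is constructed with placeholder addresses, and it assumes ACEs of the form `permit PROTO SRC DST [eq PORT]`.

```python
import ipaddress
from itertools import permutations

# Constructed sample (placeholder addresses): one published host with a
# port-restricted inbound ACL, a dmz1 web server, and no inside<->dmz1 static.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
access-list inbound permit tcp any host 170.0.0.246 eq www
access-list inbound permit tcp any host 170.0.0.246 eq 443
access-list inbound deny ip any any
static (inside,outside) 170.0.0.246 10.0.0.38 netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.17 13.13.13.3 netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""


def parse(config):
    """Pick out the PIX 6.x lines that decide whether a packet may cross."""
    levels, statics, acls, groups, nat_ids, global_ids = {}, [], {}, {}, {}, {}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif" and len(t) >= 4:           # nameif e1 inside security100
            levels[t[2]] = int(t[3].replace("security", ""))
        elif t[0] == "static" and len(t) >= 4:          # static (hi,lo) GLOBAL LOCAL ...
            hi, lo = t[1].strip("()").split(",")
            statics.append({"hi": hi, "lo": lo, "global": t[2], "local": t[3]})
        elif t[0] == "nat" and len(t) >= 3:             # nat (inside) 10 ...
            nat_ids.setdefault(int(t[2]), []).append(t[1].strip("()"))
        elif t[0] == "global" and len(t) >= 3:          # global (outside) 10 interface
            global_ids.setdefault(int(t[2]), []).append(t[1].strip("()"))
        elif t[0] == "access-list" and len(t) >= 4:     # access-list NAME permit ...
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group" and len(t) >= 5:    # access-group NAME in interface IF
            groups[t[4]] = t[1]
    return levels, statics, nat_ids, global_ids, acls, groups


def _addr(tokens):
    """Consume one ACE address spec ('any' | 'host A' | 'A MASK')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def published_hosts(levels, statics, acls, groups):
    """For each static that maps a higher-security host out to a lower
    interface, list the (proto, port) permits that can reach its global IP."""
    report = {}
    for s in statics:
        if levels.get(s["hi"], 0) <= levels.get(s["lo"], 0):
            continue                                    # low->high static exposes nothing
        allowed = []
        for ace in acls.get(groups.get(s["lo"], ""), []):
            if ace[0] != "permit":
                continue
            _, rest = _addr(ace[2:])                    # source is not needed here
            dst, rest = _addr(rest)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
            if ipaddress.ip_address(s["global"]) in dst:
                allowed.append((ace[1], port))
        report[s["global"]] = {"from": s["hi"], "local": s["local"], "allowed": allowed}
    return report


def untranslated_pairs(levels, statics, nat_ids, global_ids):
    """Higher->lower interface pairs with neither a static nor a nat/global
    pair: PIX 6.x will not forward between them, whatever the ACLs say."""
    covered = {(s["hi"], s["lo"]) for s in statics}
    for nid, hi_ifs in nat_ids.items():
        for hi in hi_ifs:
            if nid == 0:                                # nat 0 applies towards every lower interface
                covered.update((hi, lo) for lo in levels if levels[lo] < levels[hi])
            else:
                covered.update((hi, lo) for lo in global_ids.get(nid, []))
    return sorted((hi, lo) for hi, lo in permutations(levels, 2)
                  if levels[hi] > levels[lo] and (hi, lo) not in covered)


def analyze(config):
    """Full report: published hosts with their reachable ports, and gaps."""
    levels, statics, nat_ids, global_ids, acls, groups = parse(config)
    return {"published": published_hosts(levels, statics, acls, groups),
            "untranslated": untranslated_pairs(levels, statics, nat_ids, global_ids)}
```

On the sample, `analyze` shows 170.0.0.246 reachable only on www and 443, 12.12.12.17 published with no matching permit, and (inside, dmz1) as the untranslated pair; appending the identity static from the answer above clears that gap.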
-
I have two PIX 515E firewalls v7.01 configured in a failover scenario.
Both units were operating without problem. The primary worked very well and configuration changes were transferred to the secondary.
Per TAC support, the only thing needed to test the failover was to issue a 'reload' command on the primary, and the secondary takes over as primary. Then 'failover active' is issued on the rebooted device once it is up in the secondary role.
Failover to the secondary unit worked without problem; it was a smooth transition to the secondary unit.
The problem came in that the original primary unit is stuck in a loop when trying to reload, with what look like configuration errors. It will not boot up properly.
Is this not a valid procedure to test failover?
It seems that in the real world this could actually happen, so failover should work?
Among what is shown:
Config Error: invalid log level keyword specified; level must be emergencies (0) - debugging (7)
Config Error -- access-list acl_in extended permit tcp any host 208.13.32.36 eq smtp log inactive
Config line 359, "access-list acl_in exten..."
Config sync error: Following command could not be executed in standby mode
access-list acl_in extended permit tcp any host 208.13.32.36 eq smtp log inactive
Use BREAK or ESC to interrupt boot.
CONFIGURATION REPLICATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE,
Reading 115200 bytes of image from flash.
TO AVOID THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION, THE STANDBY UNIT WILL NOW RESTART ***
You're not going to like this answer.
It seems that commands typed in and abbreviated by Cisco in the configuration are not valid when copied/pasted in, or when the firewall is rebooted or receives the active firewall's configuration.
I don't know exactly what you did, but here's what I did to reproduce your problem:
I typed in the command:
access-list acl_in permit tcp any host 208.13.32.36 eq smtp log informational interval 300 inactive
Given that "log informational interval 300" is the default, it is actually saved in the running-config as:
access-list acl_in permit tcp any host 208.13.32.36 eq smtp log inactive
It's *not* a valid command (the word following "log" must be a logging level), if you try to key it in. When you restarted the firewall, it tried to pull the configuration from the active device (because it is now standby), received this line and, since it can't run it (because it is not a valid command), it keeps restarting itself so that it cannot take over and be the active firewall.
The best way is to take this line (and other lines like it) out of the now-active firewall - the line is marked "inactive" anyway, so this should not affect you. The other way would be to change that line to something other than the default (changing the logging level may be easiest). That way, when the primary/secondary restarts itself again, the command received will have a valid log level (or if you take the lines out, they will not be a problem) and the rest of the configuration process will be allowed to continue.
You can also report it to Cisco as a bug, if they are not combing these forums already.
-Jason
Rate this if it helps.
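The round trip Jason describes (defaults stripped on save, leaving "log inactive" that the parser then rejects on reload or config sync) is easy to check for before a failover test. The checker below is an added example, not code from the thread or from Cisco: `as_saved` simulates the stripping of the default level and interval as described above, `check_ace` flags an ACE whose "log" is directly followed by "inactive", and `scan_config` runs that over a config. The choice of "notifications" as the explicit non-default level in the suggested rewrite is an assumption (any non-default level survives the save); the host address is the one quoted in the thread and the config excerpt is constructed.

```python
# Log-level keywords from the error text quoted in the thread; the parser
# also accepts the numeric form 0..7.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
DEFAULT_LEVEL = "informational"      # what a bare 'log' means
DEFAULT_INTERVAL = 300               # seconds
SAFE_LEVEL = "notifications"         # assumption: any explicit non-default level is kept


def _is_level(tok):
    return tok in LEVELS or (tok.isdigit() and 0 <= int(tok) <= 7)


def as_saved(line):
    """Simulate the running-config rewrite described in the thread: the
    default log level and the default interval are dropped after 'log'."""
    tokens = line.split()
    if "log" not in tokens:
        return line
    i = tokens.index("log")
    kept, opts, j = [], tokens[i + 1:], 0
    while j < len(opts):
        tok = opts[j]
        if tok == "interval" and j + 1 < len(opts):
            if int(opts[j + 1]) != DEFAULT_INTERVAL:
                kept += [tok, opts[j + 1]]
            j += 2
            continue
        if _is_level(tok):
            if tok not in (DEFAULT_LEVEL, str(LEVELS[DEFAULT_LEVEL])):
                kept.append(tok)
        else:
            kept.append(tok)         # disable, default, inactive, ...
        j += 1
    return " ".join(tokens[:i + 1] + kept)


def check_ace(line):
    """Return None if the ACE will re-parse, else (reason, suggested rewrite).
    The failure mode is 'log' immediately followed by 'inactive'."""
    tokens = line.split()
    if not tokens or tokens[0] != "access-list" or "log" not in tokens:
        return None
    i = tokens.index("log")
    rest = tokens[i + 1:]
    if rest and rest[0] == "inactive":
        fixed = " ".join(tokens[:i + 1] + [SAFE_LEVEL] + rest)
        return ("'log' is followed by 'inactive' but the parser expects a level "
                "(emergencies 0 .. debugging 7); defaults were stripped on save", fixed)
    return None


def scan_config(text):
    """Check every access-list line; return [(lineno, reason, rewrite)]."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        issue = check_ace(line.strip())
        if issue:
            findings.append((n, issue[0], issue[1]))
    return findings


# Constructed config excerpt: line 2 is the saved form that breaks config sync.
SAMPLE = """\
access-list acl_in extended permit tcp any any eq www log
access-list acl_in extended permit tcp any host 208.13.32.36 eq smtp log inactive
access-list acl_in extended permit tcp any host 208.13.32.36 eq 443 log warnings interval 600 inactive
"""
```

Running the typed command from the answer through `as_saved` reproduces the stored "log inactive" form, and the rewrite returned by `check_ace` is unchanged by a second `as_saved` pass, which is the property that matters before the standby pulls the config.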
-
IPSEC VPN between Pix 515E and 1841 router
Hi all
BACKGROUND
We have implemented a site-to-site IPSEC VPN between a Pix 515E running 8.0(4) and an 1841 using static IP addresses at both ends. We used CCP on the router and ASDM on the PIX to build the initial tunnels. Now the site with the router is moving to a dynamic IP address from the ISP, so we have implemented dynamic DNS to update the dynamic IP address.
PROBLEM
The problem is that ASDM will not allow us to set a domain as the peer address; it will only accept an IP address. We believe the solution will be to remove the static crypto map and replace it with a dynamic crypto map on the PIX side. Our questions are simply: is this the best solution? Can we change the original static entry, or is it better to delete it and make a new dynamic crypto map? Is there a shortcut to change the config from the command line? This is a live network, so we just want to check before we make any changes on the live kit.
Any help much appreciated.
You don't have to change anything when the peer address changes. The dynamic crypto map is designed to accept dynamic peer connections. The only thing to remember is that only the dynamic peer can initiate the connection. And you reduce your security if you use a pre-shared key, since you now have to use a generic PSK.
As I remember, the PIX/ASA does not support the use of dynamic FQDNs for peer resolution. This feature is supported in IOS.
For a feature like this, it would be preferable to have static IP addresses on both sides.
-
PIX 515E and remote access VPN
I use a PIX 515E with ASDM Version 5.0(51) and PIX Version 8.0(4), and have configured it with remote access VPN.
I would like to get an email every time a user logs in (and/or disconnects) to the VPN. Remote clients use the Cisco VPN Client.
Any help is appreciated,
Hello
Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7
Then you can create a message list to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18
There is a thread linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue
-
Hello
I have a pix 515E and I configured a VPN on it. My users connect to my network from the internet via the Cisco VPN client.
My problem is that only one of their LAN machines can VPN from the Cisco VPN client to my network at a time.
The users are connected to the internet via an ADSL router and a LAN switch.
--------------------------------------------------
PIX Config:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname ABCDEFGH
domain-name ABCD.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_out-nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.2.1-192.168.2.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_out-nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host ABCDE timeout 10
aaa-server LOCAL protocol local
aaa-server radius protocol radius
aaa-server radius max-failed-attempts 3
aaa-server radius deadtime 10
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host ABCDEFG myvpn1 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup myvpn address-pool vpnpool
vpngroup myvpn dns-server ABCDE
vpngroup myvpn default-domain ABCD.com
vpngroup myvpn split-tunnel split
vpngroup myvpn idle-time 1800
vpngroup myvpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.200-192.168.1.254 inside
dhcpd dns ABCDE
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ABCD.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
--------------------------------------------------
Thanks in advance.
-Amit
Try adding the "isakmp nat-traversal" command to your PIX. I suspect what happens is that the remote LAN users are translated to a single IP address as they pass through the DSL connection. I also assume that the machine doing the translation has IPSec passthrough capability. Linksys routers would be a good example of this type of NAT device that allows IPSec passthrough.
If that's the case, only a single VPN connection will be able to operate at a time. The above command will make the PIX detect clients that are located behind a NAT device, and then try to set up the VPN sessions in UDP packets, and so work around the limitation of the NAT and IPSec passthrough device.
-
PIX 515E configuration required
Dear all,
Hi. Actually I need help with a PIX 515E. Pls. check out the scenario and design & suggest.
Pls. find the details and configuration of the VLAN router attached below.
# I want to set it up as
"My LAN on CISCO 2900 (IP range 172.16.29.X...) (25 PCs) - VLAN router - CISCO PIX - ISP public IP."
# Now it's
"My LAN on CISCO 2900 - VLAN router (external) - ISP."
Details of router & PIX:
#Router inside IP - 172.16.29.1 (the inside IP is very critical and cannot be changed)
#Router outside IP - what IP should I use? (I tried 1.1.1.1 255.255.255.0)
#PIX outside IP - what IP should I use? (My ISP IP? I tried 208.144.230.197, which is currently the outside of my router)
#PIX inside IP - what IP should I use? (I tried 1.1.1.2 255.255.255.0)
#My ISP connection is directly from the ISP GW over a cat 5 ethernet cable to my VLAN router
#I would like to allow www, FTP, web-based mail like Yahoo mail... etc. & Messenger services
VLAN router Config:
Current configuration : 1028 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VLANRouter
!
boot-start-marker
boot-end-marker
!
enable password gcsroot
!
no aaa new-model
ip subnet-zero
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.29.1 172.16.29.240
ip dhcp excluded-address 172.16.29.250 172.16.29.254
!
ip dhcp pool dhcppool
   network 172.16.29.0 255.255.255.0
   dns-server 208.144.230.1 208.144.230.2
   default-router 172.16.29.1
!
!
controller E1 0/0
!
controller E1 0/1
!
!
interface FastEthernet0/0
 ip address 208.144.230.197 255.255.255.224
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.29.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 7 interface FastEthernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 208.144.230.200
!
!
access-list 7 permit 172.16.29.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
All advice is appreciated.
Kind regards
Hiren s Mehta.
ORG Informatics Ltd.
Bamako, MALI
AFRICA
Hi hiren,
See the answers below:
#Router inside IP - 172.16.29.1 (the inside IP is very critical and cannot be changed)
When you put the PIX in between the router and your switch, you must set the PIX inside IP to 172.16.29.1 and change the router's inside subnet to some other pool. Do the PAT on the PIX rather than on the router.
#Router outside IP - what IP should I use? (I tried 1.1.1.1 255.255.255.0)
The router's outside IP will be the one given by the ISP... The ISP would have given a public IP address for the WAN link. This cannot be changed.
#PIX outside IP - what IP should I use? (My ISP IP? I tried 208.144.230.197, which is currently the outside of my router)
The PIX outside IP must be public. The ISP would have given you a LAN subnet. Use it. In this case, the inside interface of the router has an IP address from that same subnet...
#PIX inside IP - what IP should I use? (I tried 1.1.1.2 255.255.255.0)
The PIX inside must be 172.16.29.1, which will be the default gateway for all PCs. If you change this subnet, then the PCs should have an IP address on the same subnet that you decided on.
#My ISP connection is directly from the ISP GW over a cat 5 ethernet cable to my VLAN router
Didn't get it... is that on the internet router or the switch?
#I would like to allow www, FTP, web-based mail like Yahoo mail... etc. & Messenger services
If all these must be permitted from inside to outside, you don't have to open anything... by default, all traffic from inside to outside is allowed (unless you put a deny access list on it)...
-
Hello
Just a quick question: am I right in thinking that a PIX 515e would not support WebVPN?
Regards
J Mac
You are right!
-
PIX 515E, 7.2(1), restarts randomly several times per day
Hello
We have a PIX 515E running 7.2(1) that reboots randomly. It has happened 4 times this morning and has been going on for several days.
There are no significant syslog messages prior to the restart of the box. Monitoring CPU and memory usage shows nothing unusual.
No failover and no VPN. Pretty basic config, a low traffic flow.
I've attached the crashinfo file - I looked through it and it is meaningless to me.
Does anyone have an idea?
Cheers
Chris
The inspect esmtp is causing your ASA to crash. See: CSCse41795
HTH, pls rate
-
Cannot ping PIX 515e interfaces
I know it's a very silly question for this forum, but I have already tried many things and cannot get a ping answer from the PIX firewall interfaces.
This is my (very easy) setup:
Using a FastEthernet port on the router, I have a cable connected directly to the outside I/F of the PIX-515e. (Crossover cable works, I have already tested it.) Router <--> PIX directly connected.
I configured the PIX firewall to allow pings (I used different commands):
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any echo outside
I tried to configure each of them and also combined.
I also tried resetting the PIX to its default values. Supposedly after that the PIX should allow all pings if no "icmp" command is configured.
I have configured the ports on both sides to 100 Full.
On both sides of the link (PIX and router) the links are up. The lights are on.
The 'show int' on the PIX firewall shows up/up.
The same thing on the router...
The two interfaces are configured in
10.1.1.0/24 (10.1.1.1 & 10.1.1.2)
What am I doing wrong?
This should be very easy...
Hello
Most of the time, interfaces explicitly refuse ICMP packets unless you indicate otherwise. Here is a link to a pretty good setup guide... Have a look at the Pinging Security Appliance Interfaces section in this guide. I got really frustrated myself during the installation/testing phase because pings were not working, and it helped. Hope this helps a little and makes your life easier =) (rate if it helps, please and thank you)
Thank you
Chris
-
Problems after upgrading a Pix 515e from 6.34 to 7.12
Recently upgraded a PIX 515e from 6.34 to 7.12. Everything seemed to work well, but we are having a problem accessing certain web sites. Basically, we allow all IP traffic from the "inside" network. The log errors are:
609001: Built local-host outside:199.230.128.100
106015: Deny TCP (no connection) from djm/1646 to 199.230.128.100/80 flags ACK on interface inside
609002: Teardown local-host outside:199.230.128.100 duration 0:00:00
Config is attached...
We also found the same problems on the same platform. We have removed HTTP inspection from the default policy as a temporary workaround:
policy-map global_policy
 class inspection_default
  no inspect http
Still looking for a solution...