Upgrade from PIX 515

Hi all

My company needs to upgrade its PIX 515 to get the 3DES VPN function for remote-site connections. So do I just need to buy a 3DES license for the PIX? And can I also upgrade IOS 6.1 so that I can use PDM to configure the PIX? Do I also need to upgrade the memory in the PIX?

Thank you very much!

Best regards

Teru Lei

Yes to the first question.

Better 6.2 and PDM 2.1, I think.

How much memory do you have? See

http://www.Cisco.com/en/us/customer/products/sw/secursw/ps2120/prod_release_note09186a00800b1138.html#xtocid4

The memory requirements for PIX 6.2 are there.

Good luck!

--

Alexis Fidalgo

Systems engineer

AT & T Argentina

Tags: Cisco Security

Similar Questions

  • PIX-515E-R-BUN MEM upgrade with PIX-515-MEM-32

    Hi all

Is it maybe possible to upgrade the PIX 515E-R with this PIX-515-MEM-32 release, without having to pay for the full PIX-525-SW-R-UR upgrade license?

Regards

    Richard

The PIX will recognize the new memory, but the configuration is not supported. The UR upgrade is not only memory but also a license update for several interfaces, failover, etc. Unless you want to add these features to your PIX, it is not necessary to upgrade the memory. 32 MB is more than enough for a PIX 515R.

    Does that help?

    Scott

  • Extracting rules from PIX 515 (PIX Ver: 7.0)

    Hello

I have a lot of access rules configured in my PIX 515 and, since I am not the person who was responsible for this firewall from the beginning, I'm getting lost with all these rules...

I see a place where you can 'extract' the rules and, for each rule, how many times the rule was used...

    for example:

    3 tcp any any eq www (856)

4 udp any any eq domain (732249)

    etc.

    With this, I can find the rules that are not used...

Do you know how I can do this (get statistics for these rules)? Should I use software, or is there a command in the PIX for this specific information?

    Thank you in advance for your help!

Just run the following command in the command line interface.

show access-list

You will see behind each line the hitcount number, which indicates how many times that ACL line has been hit.

    Reference:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a0080637380.html#wp1078130

Sincerely

    Patrick
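    As an added example that is not part of the thread: a small Python script that reads 'show access-list' output in the PIX 7.x format, where each ACE carries a '(hitcnt=N)' counter, and lists the entries that were never hit. The sample output embedded in it is constructed, not captured from a real PIX.

```python
"""Find unused ACL entries in PIX 7.x 'show access-list' output.

Added example for this thread, not code from the original post.  The
'(hitcnt=N)' suffix on each ACE is the counter the answer refers to;
the sample output below is constructed, not captured from a real PIX.
"""
import re
from typing import Dict, List, Tuple

# One ACE per line: ACL name, line number, the rule text, and a hit counter.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

# Constructed sample, mimicking the shape of 'show access-list' on PIX 7.0.
SAMPLE_OUTPUT = """\
access-list acl_in; 4 elements
access-list acl_in line 1 extended permit tcp any any eq www (hitcnt=856) 0x1a2b3c4d
access-list acl_in line 2 extended permit udp any any eq domain (hitcnt=732249) 0x2b3c4d5e
access-list acl_in line 3 extended permit tcp any host 192.168.1.10 eq telnet (hitcnt=0) 0x3c4d5e6f
access-list acl_in line 4 extended deny ip any any (hitcnt=17) 0x4d5e6f70
"""


def parse_access_list(output: str) -> List[Tuple[str, int, str, int]]:
    """Return (acl, line, rule, hits) for every ACE line in the output.

    Summary lines such as 'access-list acl_in; 4 elements' and any other
    text that does not match the ACE pattern are ignored.
    """
    aces = []
    for text in output.splitlines():
        m = ACE_RE.match(text.strip())
        if m:
            aces.append((m["acl"], int(m["line"]), m["rule"], int(m["hits"])))
    return aces


def unused_aces(output: str) -> List[Tuple[str, int, str]]:
    """ACEs whose counter is zero: candidates for review and removal.

    Counters reset on reload and on 'clear access-list counters', so a zero
    only means 'not hit since the counters were last reset'.
    """
    return [(acl, line, rule)
            for acl, line, rule, hits in parse_access_list(output) if hits == 0]


def hits_by_acl(output: str) -> Dict[str, int]:
    """Total hits per access list, a quick sanity check of traffic volume."""
    totals: Dict[str, int] = {}
    for acl, _line, _rule, hits in parse_access_list(output):
        totals[acl] = totals.get(acl, 0) + hits
    return totals


if __name__ == "__main__":
    for acl, line, rule in unused_aces(SAMPLE_OUTPUT):
        print(f"{acl} line {line}: never hit -> {rule}")
```

    Sample the output after a long uptime before removing anything, since the counters only cover the period since they were last cleared.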

  • PDM with PIX 515 does not work

I just upgraded our PIX 515 from 6.1 to 6.2. I also added the support FOR and loaded version 2.1 of the PDM. I am trying to browse to the PDM, but I can't. What am I missing?

    Hello

Have you added the following lines to your config and have you used HTTPS to access the PIX (HTTP is not supported, only HTTPS)?

    http server enable

    http A.B.C.D 255.255.255.255 inside

    A.B.C.D is the IP address of the host from which you are trying to reach the PIX with the PDM.

    If you're still having problems after the addition of these two lines, you might have a look at this page:

    http://www.Cisco.com/warp/customer/110/pdm_http404.shtml

    Kind regards

    Tom

  • How to block applications from Instant Messaging (socks Protocol) on my pix 515

I would like to block all instant messaging application traffic on my PIX 515. Some of them use the SOCKS protocol. Can someone help me block these applications, or the SOCKS protocol, on my PIX 515?

    Regards

    It was just answered in a thread below.

object-group service MSN_Messenger_tcp tcp
     description MSN Messenger tries to use these ports
     port-object eq www
     port-object eq 1863
     port-object eq 7001
    object-group network MSN_Messenger_hosts
     description MSN Messenger hosts
     network-object 65.54.195.0 255.255.255.0
     network-object 65.54.225.0 255.255.255.0
     network-object 65.54.226.0 255.255.254.0
     network-object 65.54.228.0 255.255.254.0
     network-object host 65.54.240.61
     network-object host 65.54.240.62
     network-object 207.46.104.0 255.255.252.0
     network-object 207.46.108.0 255.255.255.0
     network-object 207.68.171.0 255.255.255.0
    access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp

    This is applied as an ACL on your inside interface.

    Patrick

  • PIX 515 6.1 (1) crashes every night

We have a PIX 515E firewall (failover) with a simple configuration to allow web traffic from inside only. The PIX has three Ethernet interfaces, and the DMZ is rarely used, only for specific needs. A www server is hosted with AAA authentication for incoming users from inside.

    For the last week, the PIX has crashed at the end of each evening. No traffic crosses the PIX and we cannot ping any of the PIX's interfaces either. There are a lot of "no buffers" counts seen on all the PIX interfaces. The CPU usage is about 21%.

    Can anyone help to determine if this could be a hardware problem?

    Best regards, Murali

    Hi Murali,

I'm not aware of any problem with the hardware, but there could be a software bug. I suggest that you open a case with Cisco TAC.

    Or you can upgrade to 6.1.4, which has fixes for most of the bugs.

    Thank you

    Syed

  • PIX 515 and software version 6.3 (4)

We have a PIX 515 (not 515E). Currently, we are running software version 6.2(2). I was wondering if we can upgrade the software to version 6.3(3) or 6.3(4), or do we need to replace the hardware with a PIX 515E?

    Also, what should I do about my current PDM version 2.0(2) if it is possible to upgrade the PIX to a 6.3 version?

    Thank you.

You can run 6.3(4) on the PIX 515. It takes at least 16 MB of flash and 32 MB of RAM.

    If you use PDM, it will need to be updated also.

    Josh

  • Cisco Pix 515 VPN problems

    Hi all

Here's my problem: I have 2 PIX 515 firewalls...

    I'm trying to implement a site-to-site VPN between 2 of our sites...

    Two of these firewalls currently run another site-to-site VPN, so I know it works...

    I can't get the second site-to-site VPN to come up... When looking at the syslogs I get denied packets...

    Protected networks are:

    172.16.48.0/24 and 172.16.4.0/22

    If I try to ping from the Cisco (172.16.48.4) to 172.16.4.5, I get the following syslog:

2 Sep 02 2008 08:59:47 106001 172.16.48.4 172.16.4.5 Inbound TCP connection denied from 172.16.48.4/1231 to 172.16.4.5/135 flags SYN on interface inside

It seems that the tunnel is trying to initiate, but something is blocking the internal traffic from getting through the VPN.

    I don't know what that might be; the other VPNs are working properly.

    Any help would be great...

    I enclose a copy of one of the configs...

    Let me know if you need another...

no route inside 172.16.4.0 255.255.252.0 172.16.48.1 1

    Remove this route and it should work. Please rate if it does. Similarly, if you have a similar route on the other end, it should be deleted as well.

  • PIX 515 DMZ problem

    Hello

We have some difficulty moving traffic in and out of a Cisco PIX 515 firewall. We use it with two DMZs. The first DMZ, called DMZ1, has a mail server in it (front-end mail server) that communicates with a different mail server (back-end mail server) inside. The second DMZ (DMZ2) has some users who are expected to pass through the firewall to the outside and use the Internet, and who must have access to the e-mail server in DMZ1. Inside users must be able to use the Internet and access DMZ1. Here's the important part of our setup.

    What we were able to do: we can correctly access the Internet from inside, inside users are permitted to reach the DMZ1 e-mail server, and the DMZ1 mail server can reach the inside. Our problem is that we are unable to browse the Internet from the DMZ1 mail server if we put the DMZ1 IP address as the gateway on that server, and the ISP's DNS IP address is properly set on the same machine. Also, we could not get DMZ2 users to browse the Internet, although we allowed the www protocol in the fromOut access list. One last question: can we make the PIX a DHCP server on the DMZ2 interface and have it distribute IP addresses to users on that subnet only? Thanks for any help in advance.

PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto
    !
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz1 security50
    nameif ethernet3 dmz2 security40
    !
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    !
    names
    !
    ip address outside X.Y.Z.163 255.255.255.248
    ip address inside 192.168.0.9 255.255.255.0
    ip address dmz1 192.168.10.1 255.255.255.0
    ip address dmz2 192.168.20.1 255.255.255.0
    !
    access-list fromOut permit icmp any host X.Y.Z.162 source-quench
    access-list fromOut permit icmp any host X.Y.Z.162 echo-reply
    access-list fromOut permit icmp any host X.Y.Z.162 unreachable
    access-list fromOut permit icmp any host X.Y.Z.162 time-exceeded
    access-list fromOut permit tcp any host X.Y.Z.162 eq domain
    access-list fromOut permit tcp any host X.Y.Z.162 eq telnet
    access-list fromOut permit tcp any host X.Y.Z.162 eq smtp
    access-list fromOut permit tcp any host X.Y.Z.162 eq www
    !
    access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0
    access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0
    !
    access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
    !
    pager lines 24
    !
    mtu outside 1500
    mtu inside 1500
    mtu dmz1 1500
    mtu dmz2 1500
    !
    global (outside) 1 X.Y.Z.164 netmask 255.255.255.248
    global (outside) 2 X.Y.Z.165 netmask 255.255.255.248
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    nat (dmz1) 1 192.168.10.2 255.255.255.255 0 0
    nat (dmz2) 2 192.168.20.0 255.255.255.0 0 0
    static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (dmz2,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (dmz1,outside) X.Y.Z.162 192.168.10.2 netmask 255.255.255.255 0 0
    !
    access-group fromOut in interface outside
    access-group fromDMZ1 in interface dmz1
    access-group fromDMZ2 in interface dmz2
    route outside 0.0.0.0 0.0.0.0 X.Y.Z.161 1

Hi Jamil,

    There is a sentence at the URL I sent you: you can now activate the DHCP option on the interface. Just check this...

    REDA

  • DNS traffic blocked after PAT - PIX 515

I have a PIX 515 with 3 named NICs (internal, external, dmz).

    I have 2 servers (Exchange and Windows 2000 with SMTP) in the DMZ.

    I currently have a static command pointing the domain IP address to the Exchange server in the DMZ.

    I wanted to PAT on the IP address of the e-mail domain so that the configuration looks as follows.

    The domain IP will be used as the global IP

    all pop3 traffic for the global IP will go to Exchange

    all www traffic for the global IP will go to Exchange

    all smtp traffic for the global IP will go to the Windows 2000-based SMTP relay (the SMTP relay is configured to send the received e-mail to the Exchange server)

    I have permitted DNS udp and tcp traffic to the servers.

    Before PAT, the servers could use DNS to resolve the e-mail domain's IP and send mail to the Internet.

    As soon as I PAT, Internet e-mail delivery stops.

    When I do an NSLOOKUP, the command returns an error indicating that the DNS server cannot be resolved.

    The DNS servers used by these 2 servers are the ISP's DNS servers.

    Is there any concern when you PAT?

    Thank you

    Hello

    I found the problem:

For now, your DMZ servers can go to the Internet with pop3, smtp and www only. Only for these protocols is a (static) translation provided in the config.

    You will need to provide a translation for the other protocols (for example, DNS) as well. This can be accomplished with one of the following two things:

    create a nat/global pair for the DMZ to the outside:

    nat (dmz) 1 0.0.0.0 0.0.0.0
    global (outside) 1 200.100.100.168 (already exists)

    or create a static translation for each of the other protocols (besides pop3, smtp, www) that you want to pass from the DMZ to the Internet (you already did that for www, pop3 and smtp).

    Kind regards

    Tom

  • Registration of pix 515 "authorized connections."

Can someone tell me if it is possible to log "allowed connections" to a syslog?

    We have access lists for internal servers behind the PIX 515 with port forwarding.

    We want to log all connections from the Internet to the external IP, both permitted and denied connections.

    logging trap debug does not log the allowed connections. I tried this. Is there another way to do this?

    Thanks in advance!

    Gregory Manglaris

    Network engineer


The PIX does log connections. These present themselves as syslog message #30213 (informational) and look like this: "Built inbound TCP connection 529605 for outside:207.207.58.100/32792 (207.207.58.100/32792) to inside:w.x.y.z/80 (a.b.c.d/80)".

    The IP address represented by w.x.y.z will be the internal address of your host, and the IP address represented by a.b.c.d is the public address of this host.
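    As an added example that is not part of this thread: a Python parser for the "Built inbound TCP connection" message format quoted above, which pulls out the real and mapped address pairs for both ends and counts permitted inbound connections per published service. The sample log lines are constructed (RFC 5737 documentation addresses) and carry the %PIX-6-302013 tag PIX uses for this message.

```python
"""Parse PIX 'Built ... TCP connection' syslog messages.

Added example for this thread, not code from the original answer.  It
extracts the fields of the message quoted above (interface, real address
and mapped address for source and destination) and summarises inbound
connections per published address:port.  The log lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, Optional

BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\((?P<src_m>[\d.]+)/(?P<sport_m>\d+)\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\((?P<dst_m>[\d.]+)/(?P<dport_m>\d+)\)"
)

# Constructed sample lines in the shape of PIX 302013 (built) and 302014
# (teardown) messages.  198.51.100.5 stands in for the public a.b.c.d and
# the 192.168.1.x hosts for the inside w.x.y.z of the answer.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 529605 for outside:203.0.113.10/32792 (203.0.113.10/32792) to inside:192.168.1.20/80 (198.51.100.5/80)
%PIX-6-302013: Built inbound TCP connection 529606 for outside:203.0.113.11/40120 (203.0.113.11/40120) to inside:192.168.1.20/80 (198.51.100.5/80)
%PIX-6-302013: Built inbound TCP connection 529607 for outside:203.0.113.12/51000 (203.0.113.12/51000) to inside:192.168.1.21/25 (198.51.100.5/25)
%PIX-6-302013: Built outbound TCP connection 529608 for inside:192.168.1.50/1234 (198.51.100.5/1234) to outside:203.0.113.99/443 (203.0.113.99/443)
%PIX-6-302014: Teardown TCP connection 529605 for outside:203.0.113.10/32792 to inside:192.168.1.20/80 duration 0:00:12 bytes 4120 TCP FINs
"""


def parse_built(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a 'Built ... TCP connection' message, else None."""
    m = BUILT_RE.search(line)
    return m.groupdict() if m else None


def inbound_by_service(log: str) -> Dict[str, int]:
    """Count inbound connections per mapped (public) address:port.

    This is the 'allowed connections' view the thread asks for: every
    inbound 'Built' message is a connection the PIX permitted through to a
    published server, and the mapped address:port names the service.
    """
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_built(line)
        if rec and rec["dir"] == "inbound":
            counts[f"{rec['dst_m']}:{rec['dport_m']} -> {rec['dst']}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for service, n in inbound_by_service(SAMPLE_LOG).items():
        print(f"{n:4d}  {service}")
```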

  • PIX 515 no traffic on the new IP address don't block

We have received a new range of IPs, 213.x.x.x/28, from our ISP. They are routed through our existing gateway 92.x.x.146.

    The problem:
    We cannot get any traffic to the PIX on the new 213.x.x.x/28 range.
    -If we try to ping 213.x.x.61, we get time-to-live exceeded.
    -The ISP gets the same thing from their router.
    -The ISP tries ssh and gets no route to host.

    The ISP has then double-checked the routing and the MAC address of our external interface. They are correct.

    The strange thing is that we cannot see ANY log messages about incoming connection attempts to the new range. The PIX is running at logging level 7.

    Does anyone have an idea what could be the problem, or suggestions for debugging the issue?

Excerpt from config:
    PIX 515 running 7.0(7), standalone
    ip address outside 92.x.x.146 255.255.255.240
    ip address inside 192.168.101.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 92.x.x.145 1
    access-group acl_out in interface outside
    access-list acl_out extended permit tcp any host 213.x.x.x eq www
    access-list acl_out extended permit tcp any host 213.x.x.x eq ssh
    static (inside,outside) 213.x.x.61 192.168.101.99 netmask 255.255.255.255
    ICMP allow any inaccessible State

192.168.101.99 is a test Linux server with http and ssh

    Any help much appreciated.

    PM

    dsc_tech_1 wrote:

    I have spoken to the ISP and confirmed the MAC address of the outside interface Ethernet0

    ISP says
    ...we are sending this correctly to your pix, you should see any traffic destined for a 213.x.x.0/28 address hit your interface at 92.x.x.146/32

Yes, 217.x.x.81 and 217.x.x.82 are routers owned by our ISP.

    Is there anything else I can ask the ISP in terms of testing/debugging? I've run out of ideas.

If the routers are owned by your ISP, then the fault lies with them. They have a routing loop in their network, and that's why packets are not reaching your firewall. Have you shown them the traceroute?

    They must focus on the .81 and .82 routers to establish why the packets are looping between these 2 routers. Until they fix this, packets will never reach your firewall.

    Jon

  • PIX 515 does not recognize the DIMM 128 MB

The PIX 515 does not recognize the 128 MB DIMM. It only recognizes 32 MB. Also, when upgrading to 7.0, I get an error message that there is not enough flash, but I have the 16 MB of flash needed.

    The PIX 515 not recognizing 128 MB may be because, in my opinion, the PIX 515 supports 64 MB; the PIX 515E can support 128 MB. Now, about the PIX error reading "not enough flash": I got the same message when I tried to load the 7.0 release using tftp with the interface configured on the local network segment with an attached TFTP server. I then tried the break-during-boot method: once the PIX reached the ROMMON> prompt, issue 'interface e1 auto', 'address 10.0.0.1', 'server 10.0.0.2', and a few other commands. You may be familiar with them; otherwise use the search on cisco.com.

    HTH

  • Translation problem group on PIX 515

Hi, can someone help me with this?

    I'm trying to configure a PIX 515 to pass icmp messages from the DMZ VLAN interface configured on the PIX (VLAN 3) to the inside interface.

    I set it up like this:

    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    interface ethernet2 vlan2 physical
    interface ethernet2 vlan3 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 msx security4
    nameif vlan3 dmz security7

    sh nat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    nat (msx) 1 0.0.0.0 0.0.0.0 0 0

    sh global
    global (inside) 1 interface
    global (dmz) 1 interface
    global (msx) 1 interface

    At this stage I am not concerned with access lists; the error message I get is as follows:

    155: ICMP echo request from dmz:192.168.3.1 to 10.240.2.2 ID=512 seq=11520 length=40

    305005: No translation group found for icmp src dmz:192.168.3.1 dst inside:10.240.2.2 (type 8, code 0)

    I'm not an expert when it comes to the PIX; can someone help? Two other things may help shed light on the problem: there is no routing configuration between the VLAN interfaces; could this be a problem? I tried a static command and still have the same error. The command was... static (dmz,inside) 192.168.3.1 192.168.3.1

    Hi David:

As you are trying to allow a host from a low-security interface to reach a high-security interface, you must have

    static (high,low) high high

    In this case, you must have:

    static (inside,dmz) 10.240.2.2 10.240.2.2 netmask 255.255.255.255 0 0

    I assume that you already have an access list allowing the icmp echo message applied to the DMZ interface. If it is not already there, just add an ACE to allow the icmp echo message and you should be good to go.

    Sincerely,

    Binh

• VPN access no longer works after upgrade to iOS 10! Any input to fix?

    VPN access no longer works after the update to iOS 10! Using an iPhone 5 or 6, our employees use their phone's hotspot to connect to our VPN. Suddenly, it broke Monday after the upgrade to iOS 10. We have been through many versions of iOS, and it has always worked. Any patch available?

    Hello howlindaug,
    Thank you for using communities of Apple Support.

If I understand your message, your employees are no longer able to connect to your virtual private network with their iPhone 5 or 6 after the upgrade to iOS 10. macOS Sierra and iOS 10 remove PPTP VPN profiles when a user upgrades their device. If your VPN is a PPTP connection, you'll want to use one of the options listed in the section below:

    Prepare for removal of PPTP VPN before upgrade you to iOS 10 and macOS Sierra

    Alternatives for PPTP VPN connections

Try one of these other VPN protocols for user authentication, which are more secure:

    • L2TP/IPSec
    • IKEv2/IPSec
    • Cisco IPSec
• SSL VPN clients on the App Store, such as those from AirWatch, Aruba, Check Point, Cisco, F5 Networks, MobileIron, NetMotion, OpenVPN, Palo Alto Networks, Pulse Secure and SonicWall

    Best regards.
