Using PIX 515E configuration require

Dear all,

Hi.Actually I need help for PIX 515E.Pls. check out the scenario, design & suggest?

Pls. find the details following and configuration of VLAN attached router.

# I want to put as

«Spend my LAN on CISCO 2900 (range 172.16.29.X IP...» (25 PCs) - VLAN router - CISCO PIX - ISP public IP.

# Now it's

"My LAN on CISCO 2900 - VLAN (external) router - ISP.

Details of router & PIX:

#Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed)

Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0)

#PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router)

#PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0)

Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN

#I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services

VLAN router Config:

Current configuration: 1028 bytes

!

version 12.3

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname VLANRouter

!

boot-start-marker

boot-end-marker

!

activate the gcsroot password

!

No aaa new-model

IP subnet zero

!

!

no record of conflict ip dhcp

DHCP excluded-address IP 172.16.29.1 172.16.29.240

DHCP excluded-address IP 172.16.29.250 172.16.29.254

!

IP dhcp pool dhcppool

network 172.16.29.0 255.255.255.0

DNS-server 208.144.230.1 208.144.230.2

router by default - 172.16.29.1

!

!

!

!

controller E1 0/0

!

controller E1 0/1

!

!

interface FastEthernet0/0

IP 208.144.230.197 255.255.255.224

NAT outside IP

automatic duplex

automatic speed

!

interface FastEthernet0/1

IP 172.16.29.1 255.255.255.0

IP nat inside

automatic duplex

automatic speed

!

IP nat inside source list 7 interface FastEthernet0/0 overload

IP http server

IP classless

IP route 0.0.0.0 0.0.0.0 208.144.230.200

!

!

access-list 7 permit 172.16.29.0 0.0.0.255

!

Line con 0

line to 0

line vty 0 4

opening of session

!

!

!

end

All advice is appreciated.

Kind regards

Hiren s Mehta.

ORG Informatics Ltd.

Bamako, MALI

AFRICA

Hi hiren,.

See the answers below:

#Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed)

When you upgrade the PIX router inbetween and your switch, you must put the PIX inside IP like 172.16.29.1 and change the router within the subnet to someother pool. Do the PAT on the PIX, rather than the router.

Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0)

Router outside the property intellectual property will be that given by the ISP... The ISP would have given a public IP address for the WAN link. This cannot be changed.

#PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router)

PIX outside IP must be comprehensive. ISP would have given you a LAN subnet. Use it. In this case, inside the interface of the router has an IP address from that subnet even...

#PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0)

PIX inside must be 172.16.29.1, which will be the default gateway for all PCs. If you change this subnet, then the PC should have an IP address on the same subnet that has decided.

Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN

didn't get it... is that on the internet router or switch?

#I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services

If all these must be permitted from inside to outside, you have not open anything... by default, all traffic to the inside outside is allowed (except if you put a list of access denied)...

Tags: Cisco Security

Similar Questions

  • PIX 515E configuration problems

    I have a UR PIX 515 (6.3.2 os) that works really well, so I copy the configuration on my new PIX 515E-R (os 6.3.2). The PIX 2 have exactly the same configuration. But when I use the PIX 515E-R, I have some problems with the PIX 515E r only

    -I can't access the Internet, but I can ping the router Internet of my PIX 515E. The problem, in my view, must be with the Internet router, not on my external interface.

    -J' have a similar problem with my DMZ. I can ping to the DMZ, a frame relay router interface, but I can't pass this router.

    Is it possible that PIX 515E-R is not compatible with the router? and not the PIX 515 HEART?

    Thanks for your replies.

    Hello

    Just a thought, try clearing the PRA of table on the router and see what happens. Let me know if it helps.

    Jay

  • Configuration of RADIUS and accounting AAA + PIX-515E

    Dear All;

    I want to put the accounting of PIX.

    Here is the composition of the equipment.

    ACS SE: 4.1.1.23.5

    PIX 515E: 7.0 (6)

    PIX of setting is as follows.

    GANYMEDE + Protocol Ganymede + AAA-server

    AAA-server GANYMEDE + host xx.xx.xx.xx

    key xxxxx

    order of accounting AAA GANYMEDE +.

    Console telnet accounting AAA GANYMEDE +.

    Thus, the configuration setting was written in ACS.

    But the user name is enable_15. (attached 1.jpg)

    Is it a restriction?

    Kind regards

    Reiji

    Hi Marilou,

    Looks like we have the authority to command configured on the pix. You must enable authentication configured on the RADIUS server then only we would get username is accounting, unlike pix Device IOS doesn't send user name to the RADIUS server, he would send enable_15 as username for all users.

    Configure the following command to make it work.

    AAA authentication enable console LOCAL + Ganymede

    HTH

    -Philou

  • ASDM 5.02 on PIX-515E

    When I use ASDM to administer my PIX-515E (v7.0), I get messages from 2 following error if I update the screen after being inactive in the session for about 2-3 minutes about:

    Error message 1

    ASDM is temporarily unable to communicate with the firewall.

    Error message 2

    ASDM is unable to reach the PIX. Please check the configuration and your connection and try again by clicking the Refresh button.

    These messages were recently and I don't know why. Is there an ASDM idle session time-out setting? I could not found.

    Thank you

    Bill Fanning

    Hello

    What version of Java are you using. If you have Java 1.6, can you go back to 1.5 and see if the problem goes away.

    Also, here is the URL indicating the operating system for client PC and browser requirements

    http://www.Cisco.com/en/us/partner/docs/security/ASA/asa70/asdm50/release/notes/RN505.html#wp231810

    I hope it helps.

    Kind regards

    Arul

    * Please note all useful messages *.

  • 4240 IPS blocking queries with Pix 515E

    I have activated the lock on the 4240 and put locking as our Pix 515E. When I look at the Configurations of Signature quite a few Signature Actions are set to alert only produce. If blocking is enabled you also go and the Actions of signing the Deny value or TCP Reset? So far my attackers show dosen't IPS refused and he detected the high level of traffic which I assume must now be blocked. Thanks John

    Yes, go under the signatures that you want and enable blocking for them as an action. Globally blocking configuration (setting the blocking device, the interface, the connection of the device information, etc.), does not actually blocked on the sensor itself, we must still go and activate the blocking of this particular signature. When this particular GIS fires in the future, the sensor it will block on the device that you configured.

    Be very careful with blocking, the reason that we're not blocking simply all the signatures, it is that it would be very dangerous to blindly add access lists to a device that will stop traffic. You must first make sure that you don't get any number of false positives on the signatures and end up blocking valid traffic. In addition, on a busy sensor you could easily overrun detector and locking to writing and deleting 1000's of top access lists. And finally, although probably not, blocking can even be used as an attack denial of service, where an attacker, if they know what signatures you block, can usurp packages past your sensor so that it denies traffic to our legitimate guests.

    You have to look at what signatures you really want to block, and then enable blocking on them individually.

  • PIX 515E failover

    I have a pair of PIX 515E (6.3) running in failover mode. They are currently connected to a single chassis base. We are upgrading our network with the heart, dual 6500's. Is there a way to connect each PIX to a separate kernel (1 PIX - Core1, PIX 2 - Core2) to allow a failure of the base?

    Core 1 and Core 2 will have a L2 link between them. If the current active PIX is connected to Core1 and Core 1 dies, this would not lead to support PIX failover. All LAN traffic would go through Core 2, but since he does not have an active path to the active PIX 1, traffic would drop. My reasoning is correct?

    Is there a way to connect the PIX to two cores running V6.3?

    Hello

    If you use the cable-based failover, you can change the basis of LAN failover.

    Read http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1024836

    I hope this helps.

    Best regards.

    Massimiliano.

  • Cisco VPN Client behind PIX 515E,-> VPN concentrator

    I'm trying to configure a client as follows:

    The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.

    Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.

    You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?

  • PIX 515E and remote access VPN

    I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.

    I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.

    Any help is appreciated,

    Hello

    Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

    Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

    There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

  • Question of PIX 515E

    Hi all

    We just bought a PIX 515E and try to use it, but got a number of questions. Here's the NVA of show:

    PIX-151st #show version

    Cisco PIX Firewall Version 6.3 (1)

    Cisco PIX Device Manager Version 3.0 (1)

    Updated Thursday 19 March 03 11:49 by Manu

    PIX-515E up to 5 hours and 15 minutes

    Material: PIX-515E, 64 MB RAM, Pentium II 433 MHz processor

    Flash E28F128J3 @ 0 x 300, 16 MB

    BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

    0: ethernet0: the address is 000f.2457.4b12, irq 10

    1: ethernet1: the address is 000f.2457.4b13, irq 11

    Features licensed:

    Failover: enabled

    VPN - A: enabled

    VPN-3DES-AES: enabled

    Maximum Interfaces: 6

    Cut - through Proxy: enabled

    Guardians: enabled

    URL filtering: enabled

    Internal hosts: unlimited

    Flow: IKE peers unlimited: unlimited

    This PIX has a failover license only (FO).

    Problem is that we cannot ping inner harbor, if we do not switch light, but this is a unique machine. Here's another message once we turn on the switch:

    PIX-515E # config t

    WARNING *.

    Configuration of replication is NOT performed the unit from standby to Active unit.

    Configurations are no longer synchronized.

    PIX-515e (config) #.

    Please help solve this problem. I wonder if we buy the wrong license? Thank you very much.

    you have in your possession a PIX failover. That's why says in the "sh run".

    This device is intended to be used only as a failover for a live device. It will work as a live PIX, but behave badly. It is cheaper than a PIX with an unrestricted license, as it is not intended to be used as a standalone device. Check with the one that you bought to get the situation sorted.

    Good luck

    Steve

  • PIX 515e Install

    I am installing a PIX 515e with an ADSL router. I have all the IP addresses for the router etc. I'm trying to connect to a network on the interface internal of the PIX. (Please bare with me as I am new on the firewall!)

    I ping the network firewall, but I can not access to the internet. The initial configuration for the PIX documentation implies that by default, it has access form the firewall but no! I'm obviously missing something here, i.e. of Thompson the network to route requests through the firewall interent! ???

    Sorry to be so simplistic but I'm learning all the time!

    Thanks for any help.

    Robin

    After you enter the acl to allow ping, can you ping now?

    Watch newspaper reveal something?

    For DNS and testing, create a static on the PIX for your DNS server. For example "x.x.x.x (indoor, outdoor) static 192.168.0.x netmask 255.255.255.255" where x.x.x.x is a public IP address and 192.168.0.x is your dns server. Then let the outside to your DNS server dns - "access-list 101 permit host udp/tcp host x.x.x.x eq 53 z.z.z.z ' where z.z.z.z is a public dns server (or use one for testing) and x.x.x.x IP NAT'ed to your dns server. See what is happening, look in your journal.

    What version of PIX you run.

    Let know use.

    Steve

  • PIX 515e - can't view the site from the inside

    Hi people

    I have a PIX 515E with a Web server in the DMZ. Using a static control that is on the web with an internet address and can be viewed from anywhere outside of the firewall. But users inside can't display it, by ip address or domain name. Would be grateful for any help on the access for this list

    Thank you

    Oops...

    I did not understand how you want this configuration...

    It should work...

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#DMZ

  • PIX 515E failover recover

    I have two PIX 515E firewall v7.01 configured in a failover scenario.

    The two units were operating without problem. Primary worked very well and the configuration changes have been transferred to secondary school.

    By TAC support, the only thing needed to test the failover was to issue a command to 'reload' in the primary and the secondary, take on main. Then, "active failover" question on the once rebooted device it was up in the secondary role.

    Failover to the secondary unit worked without problem, it is a smooth transition to the secondary unit.

    The problem came in that the original primary unit is stuck in a loop when you try to reload with what looks like now configuration errors. It will not properly start upward.

    Is not a valid procedure to test the failover?

    It seems that in the real world, this could actually happen that failover should work?

    Among what is shown:

    Config ERROR: invalid journal / level keyword specified; level must be emergencies (0) - debugging (7)

    Config error - acl_in list extended access permit tcp any newspaper SMTP host 208.13.32.36 eq

    Out of config line 359, "access-list acl_in exten...". »

    Config sync error: Suite not command could be executed in standby mode

    Platform

    acl_in list access permit tcp any host 208.13.32.36 eq smtp log inactive

    Use BREAK or ESC to interrupt boot.ridge/vlan/modify flash): m

    e inactivea VLAN

    REPLICATION OF CONFIGURATION OF ACTIVE TOWARDS THE RESCUE UNIT IS INCOMPLETE,

    Reading of 115200 bytes of the image of the flash.

    TO AVOID THE EVE OF TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION UNIT, THE EMERGENCY UNIT WILL NOW RESTART *.

    You're not going to like this answer.

    It seems that commands typed in and abstract by cisco in the configuration are not valid when copied/pasted in or when the firewall is rebooted or receives an active firewall configuration.

    I don't know exactly what you did, but here's what I did to reproduce your problem:

    I typed in the command:

    acl_in list access permit tcp any host 208.13.32.36 eq smtp interval 300 inactive information newspaper

    Given that "interval 300 ft newspaper is the default, it is actually saved in the running-config like:"

    acl_in list access permit tcp any host 208.13.32.36 eq smtp log inactive

    It's * not * a command invalid (the word "journal" following address must be a logging level), if you try to kick it. When you restarted the firewall, he tried to shoot the active configuration of the device (because it is now pending), received this line and since he can't run it (because it is not a valid command), it keeps restarting itself so that it cannot take over and be the active firewall.

    Best way to do is to hold this line (and other lines like him) outside the firewall active now - the line is marked "inactive" in any case, this should not affect you. The other way would be to change that line to something by default (the recording level change may be easier). In this way when the primary/secondary itself restarts again, the order received will have a valid log level (or if you take the lines out, they will not be a problem) and will allow the rest of the configuration process.

    You can also report to cisco as a bug, if they are not combing these forums already.

    -Jason

    This rate if this can help.

  • Cannot ping PIX 515e Interfaces

    I know it's a very silly question for this forum, but I have already tried many things and cannot get the answer from the PIX firewall interfaces.

    It's my (very easy) installation:

    Using a FastEthernet port on router, I have a cable connected directly to the outside I / F of the PIX-515e. (Crossover cable works, I have already tested). Router <-->PIX directly connected.

    I configured the PIX firewall to allow pings (I used different commands):

    ICMP allow any response of echo outdoors

    ICMP allow all outside

    ICMP permitted - echo outside response

    I tried to configure each of them and also combined.

    Also tried to send the PIX to its default values. Supposed to be after that the PIX should allow all pings if no "icmp" command is configured.

    I have configured the ports on both sides to 100 Full

    On both sides of the link (PIX and router) I have the links to the top. The lights are on.

    The 'show interest' on the PIX firewall shows to the top/top

    The same thing on the router...

    The two interfaces are configured in

    10.1.1.0/24 (10.1.1.1 & 10.1.1.2)

    What I am doing wrong?

    This should be very easy...

    Hello

    Majority of the time interfaces refuses explicitly to ICMP packets unless you indicate otherwise. Here is a link to a pretty good setup guide... Have a look at the link to the ping Security Appliance Interfaces section in this guide. I'm really frustrated myself during the installation/testing phase because the pings are not working and it helped. Hope this helps a little and makes your life easier =) (rate if it please and thank you)

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a00805521b6.html#wp1059645

    Thank you

    Chris

  • License - PIX 515E, restricted or unrestricted?

    How can I know what license I have on a PIX515E? I need to know if it is limited or unlimited. Here is the output of sh worm but nothing jumps on me and said: that which.

    Cisco PIX Firewall Version 6.2 (2)

    Cisco PIX Device Manager Version 1.1 (2)

    Updated Saturday, June 7 02 17:49 by Manu

    ABC-FW01 up to 3 hours and 24 minutes

    Material: PIX-515E, 32 MB RAM, Pentium II 433 MHz processor

    Flash E28F128J3 @ 0 x 300, 16 MB

    BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

    0: ethernet0: the address is 000a.b7bc.4b30, irq 10

    1: ethernet1: the address is 000a.b7bc.4b31, irq 11

    2: ethernet2: the address is 0002.b3ad.8176, irq 11

    Features licensed:

    Failover: enabled

    VPN - A: enabled

    VPN-3DES: disabled

    Maximum Interfaces: 6

    Cut - through Proxy: enabled

    Guardians: enabled

    URL filtering: enabled

    Internal hosts: unlimited

    Throughput: unlimited

    Peer IKE: unlimited

    Serial number: 806343913 (0x300fd4e9)

    Activation key running: xxxx

    Modified configuration of enable_15 to 10:26:27.064 UTC Tuesday, February 7, 2006

    It is an unrestricted license. The number of maximum interfaces is a way of saying. Restricted is only 3 where UR is 6. You can use this page to see other differences.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_data_sheet09186a00800b0d85.html

    You could also paste your show in output interpreter tool version, if you are a registered user.

    Steve

  • Cisco VPN Client Authentication - PIX 515E-UR

    Hi all

    I need your expert help on the following issues I have:

    1. I would like to create more than 1 client VPN on my PIX-515E groups. This is so that I can give a different part of the internal network access to different type of VPN connection. For example, I want a group to have no XAUTH, while the other group must use RADIUS XAUTH. Is it possible for me to do this? I see the PIX automatically enable RADIUS on both groups of VPN clients.

    2. the RADIUS server is a Microsoft ISA with IAS server and it is located on the PIX inside interface. The VPN endpoint is external interface of the PIX. Is there a problem with this Setup? Do I need to have the RADIUS server that is located on the external interface?

    3 can. what command I use to debug RADIUS authentication?

    Thanks in advance for your help.

    Hi vincent,.

    (1) you can use the vpngroup *-authentication server ipaddress to specify the IP address of the Radius Server on a particular group... If you do not specify this, the authentication of the user is made locally... also check for vpngroup * order of user authentication

    (2) there should be no problem with the installation of your... should work fine... If the RADIUS is outdoors, it is subject to many attacks... so have it inside...

    (3) use the "RADIUS session debug" or "debug aaa authentication..."

    I hope this helps... all the best... the rate of responses if found useful

    REDA

Maybe you are looking for