VPN pix 515 questions

Hello

We strive to provide access to the remote client to a server on the inside interface. We have read a lot of topics similare, but still does not work. Can someone please take a look at our configuration and let us know what we're doing wrong?

Our int are as follows:

outside = 204.222.162.0

inside = 192.168.1.1 - 254

DMZ = 204.222.161.0

Thank you

Hello

You must have a static nat translation for the internal server.

static (Inside, Outside) netmask 255.255.255.255 0 0

Then create an access list to allow access to the host (public IP) with port...

ex:

out_to_in list access permit tcp any host 1.1.1.1 eq telnet

Apply the ACL to the external interface.

HTH

Thank you

Tags: Cisco Security

Similar Questions

PPTP VPN pix 501 question

I'm relatively new to the security stuff. I'm a guy of the voice. I created a Pix 501 for IPSEC VPN and works very well. Then I tried it setting up PPTP VPN. I use Windows XP to connect. It connects fine, but I can't ping to the inside interface on the PIX. I can do this by using IPSEC. Any ideas? Here is my config:

:

6.3 (3) version PIX

interface ethernet0 car

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the password * encrypted

passwd * encrypted

host name *.

domain name *.

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

access-list 101 permit icmp any any echo response

access-list 80 allow ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.5.0 255.255.255.0

access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.6.0 255.255.255.0

pager lines 24

opening of session

emergency logging console

Outside 1500 MTU

Within 1500 MTU

IP address outside of *. *. *. * 255.255.255.0

IP address inside 10.0.0.1 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

IP local pool pool1 192.168.5.100 - 192.168.5.200

IP local pool pool2 192.168.6.100 - 192.168.6.200

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0 access-list sheep

NAT (inside) 1 10.0.0.0 255.0.0.0 0 0

Access-group 101 in external interface

Route outside 0.0.0.0 0.0.0.0 *. *. *. * 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

the ssh LOCAL console AAA authentication

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Sysopt connection permit-pptp

Sysopt connection permit-l2tp

Crypto ipsec transform-set high - esp-3des esp-sha-hmac

Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

Crypto dynamic-map cisco 4 strong transform-set - a

Crypto-map dynamic dynmap 10 transform-set RIGHT

Cisco dynamic of the partners-card 20 crypto ipsec isakmp

partner-map interface card crypto outside

card crypto 10 PPTP ipsec-isakmp dynamic dynmap

ISAKMP allows outside

ISAKMP key * address 0.0.0.0 netmask 0.0.0.0

ISAKMP nat-traversal 20

part of pre authentication ISAKMP policy 8

ISAKMP strategy 8 3des encryption

ISAKMP strategy 8 md5 hash

8 2 ISAKMP policy group

ISAKMP life duration strategy 8 the 86400

vpngroup address pool1 pool test

vpngroup default-field lab118 test

vpngroup split tunnel 80 test

vpngroup test 1800 idle time

Telnet timeout 5

SSH 10.0.0.0 255.0.0.0 inside

SSH 192.168.5.0 255.255.255.0 inside

SSH 192.168.6.0 255.255.255.0 inside

SSH timeout 5

management-access inside

Console timeout 0

VPDN PPTP-VPDN-group accept dialin pptp

VPDN group PPTP-VPDN-GROUP ppp authentication chap

VPDN group PPTP-VPDN-GROUP ppp mschap authentication

VPDN group PPTP-VPDN-GROUP ppp encryption mppe auto

VPDN group VPDN GROUP-PPTP client configuration address local pool2

VPDN group VPDN GROUP-PPTP client configuration dns 8.8.8.8

VPDN group VPDN GROUP-PPTP pptp echo 60

VPDN group VPDN GROUP-PPTP client for local authentication

VPDN username bmeade password *.

VPDN allow outside

You will have to connect to an internal system inside and out run the PIX using pptp.

For ssh access the PIX, you will also need additional configuration, see the section on code PIX pre 7.x, section access ssh to the security apparatus .

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#C4

Concerning

Cisco Pix 515 VPN problems

Hi all

Here's my problem, I have 2 PIX 515 firewall...

I'm trying to implement a VPN site-to site between 2 of our websites...

Two of these firewalls currently run another site to site VPN so I know who works...

I can't do the second site to the site to launch the VPN... when looking on the syslogs I get refused packages...

Protected networks are:

172.16.48.0/24 and 172.16.4.0/22

If I try to ping from the Cisco (172.16.48.4) to 172.16.4.5, I get the following syslog:

2 sep 02 2008 08:59:47 106001 172.16.48.4 172.16.4.5 incoming TCP connection doesn't deny from 172.16.48.4/1231 to 172.16.4.5/135 SYN flags on the interface inside

It seems that the tunnel is trying to initiate, but something is blocking the internal traffic to penetrate through the VPN.

Don't know what that might be, the other VPN are working properly.

Any help would be great...

I enclose a copy of one of the configs...

Let me know if you need another...

no road inside 172.16.4.0 255.255.252.0 172.16.48.1 1

Remove this path should you get. Please rate if it does. Similarly, if you have a road similar to the other end, it should be deleted as well.

termination of VPN client 4.0 on pix 515

I am trying to connect the cisco 4.0 vpn client to a worm of pix 515 6.1 and receive as a result of errors that I guess are the related hashing algorithm but am not sure. Only DES is not enabled 3DES. Config output Cisco post interprets but apparently no error in config.

Journal of VPN client:

Cisco Systems VPN Client Version 4.0 (Rel)

Copyright (C) 1998-2003 Cisco Systems, Inc. All rights reserved.

Customer type: Windows, Windows NT

Running: 5.0.2195

1 10:58:34.890 25/09/03 Sev = Info/4 CM / 0 x 63100002

Start the login process

2 10:58:34.906 25/09/03 Sev = Info/4 CVPND/0xE3400001

Microsoft's IPSec Policy Agent service stopped successfully

3 10:58:34.906 25/09/03 Sev = Info/4 CM / 0 x 63100004

Establish a connection using Ethernet

4 10:58:34.906 25/09/03 Sev = Info/4 CM / 0 x 63100024

Attempt to connect with the server "x.x.x.226".

5 10:58:35.953 25/09/03 Sev = Info/6 IKE/0x6300003B

Attempts to establish a connection with x.x.x.226.

6 10:58:36.000 25/09/03 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Nat - T), VID (Frag), VID (Unity)) at x.x.x.226

7 10:58:36.000 25/09/03 Sev = Info/4 IPSEC / 0 x 63700008

IPSec driver started successfully

8 10:58:36.000 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

9 10:58:41.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

Retransmit the last package!

10 10:58:41.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

11 10:58:46.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

Retransmit the last package!

12 10:58:46.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

13 10:58:51.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

Retransmit the last package!

14 10:58:51.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

15 10:58:56.093 25/09/03 Sev = Info/4 IKE / 0 x 63000017

Marking of IKE SA delete (I_Cookie = 20FC277498A5D2DC R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 10:58:56.593 25/09/03 Sev = Info/4 IKE/0x6300004A

IKE negotiation to throw HIS (I_Cookie = 20FC277498A5D2DC R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17 10:58:56.593 25/09/03 Sev = Info/4 CM / 0 x 63100014

Could not establish the Phase 1 SA with the server 'x.x.x.226' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.

18 10:58:56.593 25/09/03 Sev = Info/5 CM / 0 x 63100025

Initializing CVPNDrv

19 10:58:56.593 25/09/03 Sev = Info/4 IKE / 0 x 63000001

Signal received IKE to complete the VPN connection

20 10:58:56.625 25/09/03 Sev = critique/1 CVPND/0xE3400001

Service Microsoft's IPSec Policy Agent started successfully

21 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

22 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

23 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

24 10:58:57.093 25/09/03 Sev = Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Journal of Pix:

crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

Peer VPN: ISAKMP: approved new addition: ip:x.x.x.194 Total VPN peer: 1

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 1 Total VPN EEP

RS: 1

Exchange OAK_AG

ISAKMP (0): treatment ITS payload. Message ID = 0

ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: preshared extended auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform against the policy of priority 1 2

ISAKMP: encryption... What? 7?

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared extended auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 3 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 4 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 5 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: preshared extended auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 6 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared extended auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 7 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 8 against the policy of priority 1

ISAKMP: encryption... What? 7?

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): audit ISAKMP transform 9 against the policy of priority 1

ISAKMP: 3DES-CBC encryption

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: preshared extended auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4

crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 2 Total VPN EEP

RS: 1

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 1 Total VPN EEP

RS: 1

crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 2 Total VPN EEP

RS: 1

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 1 Total VPN EEP

RS: 1

ISAKMP (0): retransmission of phase 1...

ISAKMP (0): retransmission of phase 1...

ISAKMP (0): delete SA: src x.x.x.194 dst x.x.x.226

ISADB: Reaper checking HIS 0x80db91c8, id_conn = 0 DELETE IT!

Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 0 Total of VPN EEP

RS: 1

Peer VPN: ISAKMP: deleted peer: ip:x.x.x.194 VPN peer Total: 0

ISAKMP: Remove the peer node for x.x.x.194

Thanks for any help

Hello

Pix isakmp policy should have DES, MD5, and group 2 for the 4.x to connect Cisco VPN client, these are proposals that the client sends to the server...

http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/rel4_0/admin_gd/vcach6.htm#1157757

This link will show you IKE proposals be configured on the PIX (VPN server)

Arthur

VPN to pix 515

Good day to all,

I'm trying to configure the client VPN to a PIX 515. Once VPN'ed in, the traffic is going no where, but on THIS subnet. The Vlan that we are trying to achieve is a 10.111.250.x/23. Once VPN'ed in the allocation of an IP address is 10.111.250.33 - 10.111.250.63. We can VPN in and get VPN IP assigned, but we cannot get anywhere inside VLANs. I was sure that it could be done in a layer 2. You can view the assigned addresses VPN arped entries and the inside address Vlan on the Pix.

Keep in mind, my first thought was to change the VPN address assigned, but we do not want to carry on this Vlan especially because access is very limited.

Is it possible to make this work? If I have to redo attributes and policy, I.

Thank you

Dwane

The output shows that the PIX is decrypt packets, but not encryption.

So there is a good chance that packets are sent within the network but not to return.

Check the following:

management-access within the--> this command should allow ping to the IP of the VPN PIX inside (make sure you that if you can TEST this IP address when connected)

Verify that the default gateway within the network (behind the PIX) is the current inside the property intellectual of the PIX.

After these tests, post again "sh cry ips its"

Federico.

VPN for PIX 515 allowing access to a single host

I have already setup on my PIX 515 a VPN connection, which allows the user to connect to our network via a cisco VPN client to access network resources.

I want to configure now is an another VPN connection that external users can use but would only allow access to a host.

E.g. I would like to VPN in my site but would be allowed to access the 10.1.1.1 on my network.

How can I do this? What I have to install VPNGROUP another and somehow an access list to allow only traffic to a host of configuration. Can anyone help with the correct syntax for the PIX.

Thank you

Scott

You will now have a bunch of commands "vpngroup" in your PIX, simply go into config mode and add more commands 'vpngroup' but with a different groupname. The VPN client then uses this group name to connect to the PIX.

Another way to allow only access to a host for this PIX is to split tunnelling on this group, as well as in the tunnel of split ACL set only as a host.

Accounting customer VPN on PIX 515 worm problem. 6.3

Hello everyone! Is it possible to configure PIX 515 worm. 6.3 to send logs to the RADIUS to break when a VPN Client user loggs in and outside loggs? I can't find any aaa accounting command which allows this.

Hello

Accounting of VPN was added in PIX 7.x. It is not available with 6.x

Kind regards

Vivek

A question about the old Pix 515

Hi Experts.

My client needs additional interfaces of FE and do not want to migrate the chassis 515E.

Can the data sheet of the former 515 Pix no longer available due to the declaration of the EOS, you please confirm that the Pix 515 supports 1FE - PIX and PIX - 4FE cards before ordering one of them?

Thank you

The 515 supports 4 interface cards. Make sure they are running a UR pix license if - 515R takes only supported 3 interfaces.

question static pix 515

I have installed a pix 515 at home on my broadband for the test connection. I was wondering if it is possible to use the static command to map an internal on the dhcp address assigned by ISP. I have reverse DNS client installation to map the dhcp WAN attributed to a public dns server address.

Example:

outside interface0

Interface1 inside

IP address outside dhcp setroute

inside the 172.16.0.1 IP address

IP route 0.0.0.0 0.0.0.0 dhcp

Thank you

Assuming you have something like:

> nat (inside) 1 0 0

> global (1 external interface)

for your outgoing traffic, you can proceed as follows for incoming traffic:

> static (inside, outside) tcp interface 80 172.16.0.2 80 netmask 255.255.255.255

It maps all TCP port 80 package intended for the PIX outside interface to the internal server at 172.16.0.2 on port 80. The keyword "interface" means interfaces external IP address. You can add as many of these port mappings as you want. The ports must be the same either, you can map port 80 to port 345 if you wish.

Upgrade from PIX 515

Hi all

My company needs upgrade its PIX 515 to have the function VPN 3DES for remote site connection. So I just need to buy a license of 3DES for the PIX functionality? and can I also upgrade the IOS 6.1 so that I can use PDM to config the PIX? And I also need to upgrade the memory in the PIX?

Thank you very much!

Best regards

Teru Lei

Yes to the first question.

Better 6.2 and pdm 2.1 I think.

How much memory do you have? Reach

http://www.Cisco.com/en/us/customer/products/sw/secursw/ps2120/prod_release_note09186a00800b1138.html#xtocid4

There is memory for pix 6.2 requirements

Good luck!

--

Alexis Fidalgo

Systems engineer

AT & T Argentina

Remote access VPN pix version 8.0 (3)

Hi all

First of all, I would like to thank to all members of the forum who got help in several messages on the configuration of the pix 515.

I am now configuring remote VPN access with radius authentication to my network, but I can't connect.

I use the cisco vpn client 5.0.03.0560, I have also tested my pix radius (inside) server authentication and works very well.

I already tried to retype the key of the cli, but I still can't remote access vpn to work.

I also tried to create another remote vpn with another name and local authentication, but I have the same problem.

I use 8.0 (3) version pix.

Can someone help me

I attach the log file of the cisco vpn client to help solve the problem, as well a configuration of the pix folder.

Thank you very much in advance and I seek prior information.

http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/vpnadd.html#wp999516

[Pls RATE if HELP]

PIX - 515 does not identify Tokenring Interfacecard

Hello

I installed a PIX-1 TR interface in the PIX 515. Start ok, 'answer' no configuration. SH LVE and sho int etc. presents only the build Ethernet0 and Eth1 but no interface tokenring.

HS release looks like as follows.

Thanks Ruedi

pixfirewall # sh ver

Cisco PIX Firewall Version 6.2 (2)

Cisco PIX Device Manager Version 2.0 (2)

Updated Saturday, June 7 02 17:49 by Manu

pixfirewall until 10 mins dry 14

Material: PIX - 515, 32 MB RAM, Pentium 200 MHz processor

I28F640J5 @ 0 x 300 Flash, 16 MB

BIOS Flash AT29C257 @ 0xfffd8000, 32 KB

0: ethernet0: the address is 0003.6bf6.a8a9, irq 11

1: ethernet1: the address is 0003.6bf6.a8aa, irq 10

Features licensed:

Failover: disabled

VPN - A: enabled

VPN-3DES: disabled

Maximum Interfaces: 3

Cut - through Proxy: enabled

Guardians: enabled

URL filtering: enabled

Internal hosts: unlimited

Throughput: unlimited

Peer IKE: unlimited

Serial number: 405341167 (0x182903ef)

Activation key running: xxxxxxxxx

Modified configuration of enable_15 to 13:11:47.490 UTC Tuesday, December 23, 2003

pixfirewall #.

Hello

Token-Ring is no longer supported, I think since version 6.0.

PIX 515 DMZ problem

Hello

We have some difficulty in moving traffic in and out of a Cisco PIx 515 firewall. We use it with two demilitarized. The first DMZ has a mail in her Server (before end mail server) that communicates with a different mail server (back end mail server) inside, it is called DMZ1. The second DMZ (DMZ2) has some users who are expected to pass through the firewall to the outside and use the internet and must have access to the e-mail DMZ1 server. Inside users must be able to use the Internet and can access DMZ1. Here's the important part of our Setup.

What we were doing, we can correctly access from inside, inside users to access internet permit to join the DMZ1 e-mail server and the mail in DMZ1 server the inside. Our problem is that we are unable to browse the internet on the DMZ1 Messaging server if we put DMZ1 as gateway ip address on that server and the address ip of the DNS of the ISP is propely located on the same machine. Also, we could not do DMZ2 users browse the internet, although we allowed the www Protocol in the fromOut access list. One last question, can we do the DMZ2 a DHCP server on the interface on the PIX and do distribute ip addresses to users on that subnet only? Thanks for any help in advance.

6.3 (3) version PIX

interface ethernet0 car

Auto interface ethernet1

Auto interface ethernet2

Auto ethernet3 interface

!

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

nameif ethernet2 dmz1 security50

nameif ethernet3 dmz2 security40

!

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

!

names of

!

IP outside X.Y.Z.163 255.255.255.248

IP address inside 192.168.0.9 255.255.255.0

dmz1 192.168.10.1 IP address 255.255.255.0

IP address dmz2 192.168.20.1 255.255.255.0

!

fromOut list of access permit icmp any host X.Y.Z.162 source-quench

fromOut list of access permit icmp any host X.Y.Z.162 echo-reply

fromOut list of access permit icmp any unreachable host X.Y.Z.162

fromOut list of access permit icmp any host X.Y.Z.162 time limit

fromOut list access permit tcp any host X.Y.Z.162 EQ field

fromOut list access permit tcp any host X.Y.Z.162 eq telnet

fromOut list access permit tcp any host X.Y.Z.162 eq smtp

fromOut list access permit tcp any host X.Y.Z.162 eq www

!

fromDMZ1 list of access permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0

fromDMZ1 list of allowed access host ip 192.168.10.2 192.168.0.0 255.255.255.0

!

fromDMZ2 list of access allowed tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

!

pager lines 24

!

Outside 1500 MTU

Within 1500 MTU

dmz1 MTU 1500

dmz2 MTU 1500

!

Global (outside) 1 X.Y.Z.164 netmask 255.255.255.248

Global (outside) 2 X.Y.Z.165 netmask 255.255.255.248

NAT (inside) 1 192.168.0.0 255.255.255.0 0 0

NAT (dmz1) 1 192.168.10.2 255.255.255.255 0 0

NAT (dmz2) 2 192.168.20.0 255.255.255.0 0 0

static (inside, dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

static (dmz2, dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

static (dmz1, external) X.Y.Z.162 192.168.10.2 netmask 255.255.255.255 0 0

!

Access-group fromOut in interface outside

Access-group fromDMZ1 in interface dmz1

Access-group fromDMZ2 in the dmz2 interface

Route outside 0.0.0.0 0.0.0.0 X.Y.Z.161 1

Hi jamil,.

There is a sentence on the URL I sent you, you can now activate dhcp option within the interface. Just check this...

REDA

PIX 515 adding a second DMZ

Hello

This is the specification of our PIX:

Cisco PIX Firewall Version 6.2 (2)

Cisco PIX Device Manager Version 2.0 (2)

Updated Saturday, June 7 02 17:49 by Manu

Firewall of the hours - days.

Material: PIX - 515, 32 MB RAM, Pentium 200 MHz processor

I28F640J5 @ 0 x 300 Flash, 16 MB

BIOS Flash AT29C257 @ 0xfffd8000, 32 KB

0: ethernet0: the address is 0003.6bf6.74a2, irq 11

1: ethernet1: the address is 0003.6bf6.74a3, irq 10

2: ethernet2: the address is 00a0.c944.395b, irq 9

Features licensed:

Failover: disabled

VPN - A: enabled

VPN-3DES: enabled

Maximum Interfaces: 3

Cut - through Proxy: enabled

Guardians: enabled

URL filtering: enabled

Internal hosts: unlimited

Throughput: unlimited

Peer IKE: unlimited

Is it possible to add a second DMZ simply by adding another network card to the system? If this is not the case, what I have to do to get a second DMZ?

Kind regards

Alan

You have already 3 interfaces, and your license only allows 3 (that you run limited license). Read the line of your worm above show: maximum Interfaces: 3

You must update your Unrestricted license, then you can have up to 6 interfaces.

It will be useful.

Steve

MM, pix 515 and mac filtering

I have an application called MeetingMaker, located at the back of my pix 515 that is used off site by 5 users. Since accessing this program on the internet, and users can have dynamic addresses, it is possible to filter by mac address somehow to allow access through the firewall to the app? Thank you.

MAC addresses not browse the limits of layer 3. In others, your MAC address of clients cannot be seen or known once the traffic passes through the default router for that subnet. So the answer to your question is 'no '.

You can use AAA to handle this. How your clients connect to the server? (port/application)? If its HTTP/S, the Pix can check this name of user and password before allowing access. If it is a part on request/port, you can still use authentication by requiring them to connect to the web server out there first. This will cause the Pix to authenticate by using the challenge of browser, and the Pix can be configured to allow connections to the hosts authentiated.

VPN pix 515 questions

Similar Questions

Maybe you are looking for