Adding a cisco pix device to CSM 3.3
I've been trying to add a Cisco PIX 6.3 to a new CSM 3.3 server and it complains that my credentials are bogus. I can log in to the PIX's PDM using the same credentials, so I'm stumped. Is there a way that I can get a better idea of what is happening under the hood? I tried a debug and the server is clearly hitting the PIX and it is responding, but no go.
I figured it out: the CSM was set to use the user's login credentials instead of the device credentials.
Try Disable Java on Internet Options. This issue could be related to Java version also.
Similar Messages
-
Cisco PIX Device Manager Version 3.0(2)
Hi
I have a PIX 515E:
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Fri 02-Jul-04 00:07 by morlee
CCP-Firewall001 up 2 years 65 days
Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 0012.80be.450d, irq 10
1: ethernet1: address is 0012.80be.450e, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 808480455 (0x30306ec7)
Running Activation Key: 0xac646fed 0xf8b86795 0xc3951ec2 0xb32aed09
It operates with Java plug-in 1.4.1, and I have a PC with IE 7 and plug-in 1.6.0, and it doesn't download the PDM.
Is there a solution for it?
Try Disable Java on Internet Options. This issue could be related to Java version also.
-
Hello All,
I am having an issue with running SIP through my Cisco PIX. A VOIP solution has just been installed, and softphones from the outside are trying to call in using SIP and are failing. The configuration is below, and the code is 6.3(5). You'll see below that I have the no fixup protocol for SIP, as the fixup wasn't working either. Is there something that needs to be configured that I'm missing, or could this be a bug in the code? I can provide any other show commands or debug commands if needed. The call manager server in the below config is 1.2.3.4. Thanks in advance for all your help, you guys are always so helpful.
XXXt# show ver
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
XXX up 1 hour 45 mins
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 001c.582b.3c65, irq 10
1: ethernet1: address is 001c.582b.3c66, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 4
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
XXXt# show run
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vQ0/erypfvYyzFoc encrypted
passwd vQ0/erypfvYyzFoc encrypted
hostname DTPIX35thst
domain-name digitaltransitions.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out_in permit udp any host 1.2.3.4 eq 5060
access-list out_in permit tcp any host 1.2.3.43 eq 5060
pager lines 24
logging on
logging buffered informational
logging trap informational
logging queue 2048
mtu outside 1500
mtu inside 1500
ip address outside 4.34.119.130 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.100.50-192.168.100.75
pdm location 192.168.1.250 255.255.255.255 inside
pdm location 192.168.1.252 255.255.255.255 inside
pdm location 65.215.8.100 255.255.255.255 inside
pdm location 192.168.100.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.4 172.20.1.2 netmask 255.255.255.255 0 0
access-group out_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:00:00 sip_media 0:00:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 199.96.104.108 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
Hi Jumora,
No need to troubleshoot this direct issue anymore. The client will be upgrading to an ASA 5505. Is there anything you may know of before I configure the ASA that I need to do to allow SIP through with no issues? Thanks again Jumora
-
Adding Pix device public interface through Proxy server into CSM Fails
Hi
I am trying to add a device into CSM. The device is only reachable through proxy server. If I try to add the device, the connectivity test fails: "unable to communicate with device". If I debug on the PIX I see no connection attempts. If I make an https connection from the Explorer from the Windows server running CSM I get connected. I have set the proxy settings under Server Administration. I can update packages from CCO through the proxy. Is there somewhere else to tell CSM to run through proxy?
Hello,
maybe your problem has to do something with loading SLPDA.NLM. If you
cannot get to open Autoexec.ncf then go back to DOS-Mode, rename this
file in C:\nwserver-directory and start again. I have seen this behaviour
on servers loading SLPDA with no network-communication and they stop
loading at WPSD.NLM. Try to load SLPD.NLM manually when the server is
up. After that shift the line in Autoexec.ncf where you want to load
Slpda.NLM to the end of the file and boot the server again to see what
happens.
Good luck
Burkhard Wiegand
Netware Admin
Debeka-Versicherungen
D-56068 Koblenz
-
If I help out a friend & download a free app (through my iTunes account) on their new iPod Touch, will their device automatically be added to my itunes device list (and they can see all my contacts, pix, music etc)?
Just wondering, what context is this in?
First up, is your iTunes account part of an iCloud account?
Secondly, if it's a free app, why don't they just download it? If they are having trouble finding it on the App Store, but you can find it easily, you can share the link for it via email with them, and if they view that email on their iPod they can just tap the link and it will open the App Store to that App for them, so they can download it themselves.
If you were to go to the Store settings pane and sign in with your iTunes account, that should only provide the possibility for download items from your iTunes account, such as purchased apps, music and movies. However, if you signed in, downloaded the app, and then went back and signed out of the account again, there shouldn't be any access apart from the app you downloaded. This is provided you sign in using the Store section of the Settings app, not the iCloud section.
One problem they will have if you download this in your account instead of theirs, in order to download updates for that app, they will need you to enter your iTunes password to download the updates. Doing that doesn't give them access to anything to do with your account other than that update, but they will be unable to receive updates for it without your password. They would also likely be unable to sync the app onto their computer, as their computer would not be Authorised with your iTunes account.
If you can answer some of the questions I've asked, I may be able to suggest alternate ways for you get them the app on their device.
Hope this all helps a bit
-
PIX loadbalancing with CSM - probe problem
2 CSM/CATs on one side (FT)
2 CSM/CATS on other (also FT)
load balancing 2 PIX 535.
probing icmp pings only "direct" pix interface
the opposite interface will never answer to ping.
So switching off int in one pix make real FAILED on one side but other side still have working real and sends traffic to one leg PIX.
How to solve that?
I'm thinking about that:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/csm_3_2/icn/fwldbal.htm#1037625
when Firewall 1 and Firewall 2 are pinged on directly connected interfaces then directly connected probe detect pix problem. But problem with whole PIX device is less typical than one of his interfaces down (ie. fiber patchcord unplug) then one (opposite/working) interface answers with ping and CSM sends traffic to that "real".
Great solution will be pinging opposite pix interface
but this isn't supported by PIX ASA. So I have tried
ping "any" ip behind pix which is currently ip address of CSM VLAN.
When you had one PIX there is no a problem... but when you had two of them you need check both of them.. you defining static route:
ip_behind_pix VIA ip_pix_direct_int
Then think not only about ECHO REQ but also on ECHO REPLY - there is no way to put static routing for those devices what active and standbys on both sides will detect pix interface errors...
There is no way to put REPLY on different gate than ECHO REQ...
Think of it drawing 6 icons, giving them 10 ip (2 for pix inside and outside, one for every CSM) adds
and then try set up static route that ping REQ and reply will go the same way. There is no such way...
IMHO 8-)
-
Linksys WRT600N vs CISCO PIX 506E.... Firewall / Routing Performance
Hi:
I am new to the forum and was hoping to tap into some of your expertise. I have a Linksys WRT600N version 1.1 and I recently acquired a CISCO PIX 506E firewall. My question is what should I use as a firewall? Both have SPI etc. Should I:
a) Use the 506E as a firewall and use the 600 as a wireless access point, or
b) Use the 600 as a firewall and wireless access point.
Do both routers have the same firewall routing performance? I want to use the storage feature on the 600N, but if I do that and use it as a wireless access point the 600 can't get the proper time from the Internet, so my time for newly created folders and files shows they are 10 years old.
Anyway, just thought I would post and find out what some of the experts thought and maybe someone from Linksys or CISCO. I know the 506E is discontinued and was manufactured around 2001 and the 600N is a new model.
(Edited subject to keep threads from stretching. Thanks!)
Message Edited by JOHNDOE_06 on 05-06-2008 10:41 AM
The PIX is a real firewall. The WRT has a firewall which mostly protects the router itself. People prefer to buy a "SPI firewall router" instead of a simple "router" even though the router firewall does nothing or little to protect the LAN. The only firewall configurations on the WRTs you can usually do is on the Access Restrictions tab. But that's usually all. The LAN itself is not protected by the firewall. You would notice this if you had a public IP subnet and ran it through the WRT: the LAN would be fully exposed to the internet. Some routers have a few functions like protection against denial of service attacks or similar. But even then this often filters only the traffic targeted at the router and not the LAN.
The common protection of your LAN you have on the WRT is because you use private IP addresses inside your LAN and the router does NAT. However, NAT is not a security mechanism but a mechanism to solve the problem that you can only have a single public IP address but want to use multiple computers, which is why you have to use private IP addresses. Current NAT implementations usually drop unsolicited incoming traffic because they don't know to which IP address in the LAN to send it to. But the notion of NAT is to deliver and to allow connectivity. This has nothing to do with security or a firewall.
Thus, if you want to use a real firewall use the PIX. On the PIX you can configure the traffic which is allowed to enter the LAN and which not. It is far superior in this respect to the WRT. However, as it is an older model, I cannot tell how fast the PIX is. You should be able to find the old data sheets of the PIX somewhere on the Cisco website. They should mention the possible throughput. I guess it won't be an issue.
To me another point for the PIX are the VPN capabilities which allow you to securely access your LAN while you are on the road.
Of course, you must know how to configure the PIX correctly. It is a complex device and can be configured pretty much for anything you like. This means of course if you do it wrong you may end up with little or no security.
BTW, there are no people from Linksys in these forums except the moderators (which may be from Lithium). To hear from Linksys you have to contact Linksys support.
-
Cisco pix 525 and 515 cannot archive configuration in LMS 3.0.1
Hi,
we have several cisco pix 525 and 515 cannot archive configuration in LMS 3.0.1
Any help would be greatly appreciated.
Thanks in advance
Samir
Hi,
Here is the output.
*** Device Details for ***
Protocol ==> Unknown / Not Applicable
Selected Protocols with order ==> TFTP,SSH,HTTPS
Execution Result:
RUNNING
CM0151 PRIMARY RUNNING Config fetch failed for ********* Cause: SSH: Failed to establish SSH connection to 10.192.18.10 - Cause: Authentication failed on device 3 times.
Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
But when I do management station to Device it gives me following results:
Interface Found: 10.192.18.10
Status: UP
Test Results
UDP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 64 protocol: udp port: 7
TCP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 0 size: 0 protocol: tcp port: 7
HTTP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 33 protocol: http port: 80
TFTP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 25 protocol: tftp port: 69
SNMPRv2c(Read) Okay
sent: 5 recvd: 5 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_get port: 0
SNMPWv2c(Write) Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_set port: 0
SSHv2 Failed
TELNET Okay
Waiting for your reply.
Samir
-
Cisco Pix 501 - Need help with VPN passthrough
Greetings!
Currently I have a Cisco Pix 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco Pix; I have been able to accomplish some port forwarding for CCTV camera software, etc. but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
Previously we had another facility which was able to connect through VPN but it has since been removed (and always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
I have been through several articles both here and other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall than necessary and may have duplicate information attempted to complete this passthrough. My Server 2008 resides at 192.168.1.15, below is what I have thus far. The "crypto map" sections were all completed long before I took over, I believe this is how the old VPN was set up. What I have added since beginning this endeavour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated as I am rapidly losing hair attempting to get this situated.
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password RysZD25GpRAOMhF. encrypted
passwd 0I6TSwviLDtVwaTr encrypted
hostname Lorway-PIX
domain-name lorwayco.com
fixup protocol ftp 21
fixup protocol ftp 22
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 50000
access-list outside_access_in permit udp any any eq 50000
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq 1009
access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
access-list outside_access_in permit tcp any any eq 7000
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.221.188.249 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.118
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
crypto map lorwayvpn 30 ipsec-isakmp
crypto map lorwayvpn 30 match address 30
crypto map lorwayvpn 30 set peer 66.18.55.250
crypto map lorwayvpn 30 set transform-set lorway1
crypto map lorwayvpn interface outside
isakmp enable outside
isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
: end
Config looks good to me.
I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center as this PIX is on its EOL and you are running an extremely old version of code.
If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN? -
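Added example, not part of the original thread: the poster above suspects the outside ACL has been opened further than necessary. On PIX 6.3 an inbound connection needs both a translation (here, a `static`) and an ACL permit, so this Python sketch cross-checks the two. It assumes only port-redirection statics like the ones in the post; `SAMPLE_CONFIG` is a constructed subset of that config and the status labels are this example's own.

```python
# Partial map of the service names used in the post; numeric ports pass through.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80,
              "pop3": 110, "https": 443, "pptp": 1723}

# Constructed sample: a subset of the PIX 6.3 lines posted in the thread.
SAMPLE_CONFIG = """\
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq 1009
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

def _port(tok):
    """Turn a service name or numeric string into a port number."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _take_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK') from tokens."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse(config):
    """Return (acls, redirects, bound) parsed from PIX 6.3 config text."""
    acls, redirects, bound = {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2] == "permit":
            src, rest = _take_addr(t[4:])
            dst, rest = _take_addr(rest)
            port = _port(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append((t[3], src, dst, port))
        elif len(t) > 5 and t[:2] == ["static", "(inside,outside)"] \
                and t[2] in ("tcp", "udp"):
            # static (inside,outside) PROTO GLOBAL GPORT LOCAL LPORT ...
            redirects[(t[2], _port(t[4]))] = t[5]
        elif len(t) == 5 and t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            bound[t[4]] = t[1]
    return acls, redirects, bound

def audit(config, interface="outside"):
    """Cross-check the ACL bound to `interface` against the port statics."""
    acls, redirects, bound = parse(config)
    rules = acls.get(bound.get(interface), [])
    findings, open_ports = [], set()
    for proto, src, dst, port in rules:
        rule = f"{proto} {src} -> {dst}" + (f" eq {port}" if port else "")
        key = (proto, port)
        if proto not in ("tcp", "udp") or port is None:
            findings.append(("review", rule, "no port to match against a static"))
        elif key not in redirects:
            findings.append(("unused", rule, "no static publishes this port"))
        elif src == "any":
            open_ports.add(key)
            findings.append(("open", rule, f"any source reaches {redirects[key]}"))
        elif key in open_ports:
            findings.append(("shadowed", rule, "an earlier 'any' permit already matches"))
        else:
            findings.append(("restricted", rule, f"{src} reaches {redirects[key]}"))
    permitted = {(proto, port) for proto, _, _, port in rules}
    for key, host in redirects.items():
        if key not in permitted:
            findings.append(("blocked", f"{key[0]} {key[1]}",
                             f"static to {host} has no permit"))
    return findings

if __name__ == "__main__":
    for status, rule, detail in audit(SAMPLE_CONFIG):
        print(f"{status:10} {rule:40} {detail}")
```

Entries reported as `unused` or `shadowed` can be removed without changing what the firewall passes; `open` entries are the ones worth narrowing to known source addresses.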
Can someone share their Cisco PIX config?
Running a Cisco PIX 515 with a front-end/back-end Exchange server set up. Problem I am having is that the calendar will sync once and then never again. I delete the account, recreate it and sometimes it will show up but for the most part it will not.
I have no issue with OWA, BlackBerrys or Windows Mobile devices. They all do everything perfect. Just the iPhone giving me grief. And that has only been really bad since the upgrade to 2.0.1!
I have checked everything except comparing my PIX config with someone else's. Can someone post their "timeout" lines from a PIX 5XX running 6.X.X?
Thanks so much!
Oh trust me, I am in the same exact boat as most people. One man's configuration might work for him, but doesn't work for me. It's really, really bizarre that there does not seem to be any consistency.
Anyway, here's our timeout - good thing I checked!
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
-Sam
-
Has anyone added a Cisco CSS to MARS as a reporting device?
If so what did you select as your "device type."?
And did you create custom parsers?
I have a CSS in MARS but it's listed as a generic router. The logs don't get parsed but I have some alerts set up for specific messages.
-
I have an orphan device in CSM 3.2 that is associated with a predefined policy object, specifically the TACACS+ object. How can I break this association? I have tried adding a new device with the same display name but get an error the device does not exist in ACS. I added the device in ACS but still get the same error. I then tried cloning a device and giving it the same display name but get an error the device already exists in CSM.
Any help on how to clear this orphan device would be greatly appreciated.
Hi,
You might want to follow these steps
1- if not in workflow mode, switch to workflow mode
Tools -> Admin -> Workflow
2- open the activity manager
3- make sure that ALL the activities are either discarded or approved
4- disable workflow mode
5- try to delete the device
Hope this helps :-/
Stefano
-
Cannot access share.acrobat using cisco proxy device
I have a user who has successfully uploaded a document to share, but is unable to access the resulting shared document e.g through a link like this one: https://share.acrobat.com/adc/document.do?docid=8e9f16eb-42f8-49d0-94a8-2013000eveec , (I have deliberately changed a couple of letters in this link)
The user gets the error message: 'Internet Explorer Cannot Display the webpage'. The address bar shows the link url.
I can repeat this behaviour and think I have narrowed it down to an interaction between our Cisco proxy device and acrobat.com.
As the user can successfully navigate other parts of the site, is there some different coding used in the 'shared document' area that the other areas of the site don't use?
Has anyone else experienced or reported this type of issue?
Any suggestions appreciated,
Nick
Hi Michelle,
I'm afraid my previous post was misleading!
I managed to get to the login page (https://www.acrobat.com/#/share/HaveAdobeID and https://www.acrobat.com/#/share/ShareBegin) when I was trying IE6, and got over-enthusiastic.
When I double-checked, I again get 'the page cannot be displayed' as I try and log in (https://share.acrobat.com/?app=share). DOH!
I tried adding share.acrobat.com to trusted sites in both IE6 and 7 as you suggest, and also adding *.acrobat.com
I have tried the site on IE 6 and 7, using Vista and XP. Unfortunately the only common thing seems to be our Cisco content engine and those TCP_CLIENT_REFRESH logs I mentioned before.
Thanks very much for trying to help,
Salty
-
Cisco PIX-515e reset to factory defaults *Expert Advice Only Please*
Hi,
I have a Cisco PIX-515e which I have connected to an emulator through the console port, and I'm having trouble erasing data from it.
I can get into 'pixfirewall' mode and 'monitor' mode but that's as far as I get. I have tried 'write erase' and 'configure factory-default' in both modes to no success.
When I last posted this I had a lot of replies mentioning ROMMON mode but I want to stress the PIX 515e does not have ROMMON mode, it has MONITOR mode; however the commands are not the same as ROMMON commands.
Any help would be much appreciated.
thanks,
8 MB RAM
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10
00 11 00 14E4 5823 Co-Processor 11
00 13 00 8086 B154 PCI-to-PCI Bridge
01 04 00 8086 1229 Ethernet 11
01 05 00 8086 1229 Ethernet 10
01 06 00 8086 1229 Ethernet 9
01 07 00 8086 1229 Ethernet 5
Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-515E
System Flash=E28F128J3 @ 0xfff00000
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 123392 bytes of image from flash.
PIX Flash Load Helper
Initializing flashfs...
flashfs[0]: 8 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 16128000
flashfs[0]: Bytes used: 13963264
flashfs[0]: Bytes available: 2164736
flashfs[0]: Initialization complete.
Booting first image in flash
Launching image flash:/pix722.bin
128MB RAM
Total NICs found: 6
mcwa i82559 Ethernet at irq 10 MAC: 0016.9da2.5907
mcwa i82559 Ethernet at irq 11 MAC: 0016.9da2.5908
mcwa i82559 Ethernet at irq 11 MAC: 000d.8810.d91c
mcwa i82559 Ethernet at irq 10 MAC: 000d.8810.d91d
mcwa i82559 Ethernet at irq 9 MAC: 000d.8810.d91e
BIOS Flash=am29f400b @ 0xd8000 MAC: 000d.8810.d91f
Initializing flashfs...
flashfs[7]: 8 files, 3 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 16128000
flashfs[7]: Bytes used: 13963264
flashfs[7]: Bytes available: 2164736
flashfs[7]: flashfs fsck took 15 seconds.
flashfs[7]: Initialization complete.
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
| |
||| |||
.|| ||. .|| ||.
.:||| | |||:..:||| | |||:.
C i s c o S y s t e m s
Cisco PIX Security Appliance Software Version 7.2(2)
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to [email protected].
******************************* Warning *******************************
Copyright (c) 1996-2006 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cryptochecksum (unchanged): 43dccc97 2fb4bfec 15a33bef dad78b7e
Type help or '?' for a list of available commands.
pixfirewall>
I am unable to get onto enable mode because I do not know the password. Any idea of a way round? I need to get into that enable mode.
-
Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices
Hello
I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISR's. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
So I am stuck...
What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
I was hoping Azure's VPN solution would be very flexible.
Thanks
Hello RTF_Admin,
1. Which is the Series of CISCO ASA device you are using?
Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device as Multisite VPN requires dynamic routing and unfortunately there is no tweak or workaround due to hardware compatibility issue.
I hope that this information is helpful
Thanks,
Syed Irfan Hussain