Amazon S3 Backup with Cisco PIX 501 Router - slowww
We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office. We are using a Synology NAS to backup to Amazon s3, and we use a Cisco PIX 501 to secure our network. The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue. After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down. I was told the upload should happen over HTTP and HTTPS, and I made sure these ports where open through the Access Rules. There are no rules defined in the Filter Settings.
I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening? I'm not too familiar with the PIX or all the network settings involved.
Thanks!
Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here:
- Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
THANKS
Similar Messages
-
Cisco Pix 501 - Need help with VPN passthrough
Greetings!
Currently I have a Cisco Pix 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco Pix; I have been able to accomplish some port forwarding for CCTV camera software, etc. but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
Previously we had another facility which was able to connect through VPN but it has since been removed (and always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
I have been through several articles both here and other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall then necessary and may have duplicate information attempted to complete this passthrough. My Server 2008 resides at 192.168.1.15, below is what I have thus far. The "crypto map" sections were all completed long before I took over, I believe this is how the old VPN was set up. What I have added since beginning this endevour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated as I am rapidly losing hair attempting to get this situated.
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password RysZD25GpRAOMhF. encrypted
passwd 0I6TSwviLDtVwaTr encrypted
hostname Lorway-PIX
domain-name lorwayco.com
fixup protocol ftp 21
fixup protocol ftp 22
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 50000
access-list outside_access_in permit udp any any eq 50000
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq 1009
access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
access-list outside_access_in permit tcp any any eq 7000
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.221.188.249 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.118
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
crypto map lorwayvpn 30 ipsec-isakmp
crypto map lorwayvpn 30 match address 30
crypto map lorwayvpn 30 set peer 66.18.55.250
crypto map lorwayvpn 30 set transform-set lorway1
crypto map lorwayvpn interface outside
isakmp enable outside
isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
: endConfig looks good to me.
I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center as this PIX is on its EOL and you are running an extremely old version of code.
If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN? -
Cisco Pix 501 / DNS - DNS resolution stops working over time
Hello,
I currently have a Cisco Pix 501 with the configuration listed below. It connects to the public internet via a cable modem and acts as a DCHP server for the local LAN.
When it first turns on, all computers obtain the correct IP settings and can access the internet. Within 10-15 minutes, computers begin to loose access to the Internet. What’s strange is that each computer that lost Internet access can ping the remote address but cannot perform an nslookup. (it shows as Server UnKnown)
The DNS server is 167.206.254.2 which is the external dns server provided by my ISP. I can ping this address but the local computer is unable to use it for domain to ip resolution.
Then network used to have an existing Windows Small Business Server that was a DNS and WINS Server. I ran dcpromo to remove the role of the server and uninstalled dns via add/remove components.
Can someone please help me determine why the computers over time loose the ability to resolve domain names and therefore loose internet access? Can there be some bad DNS entries created? Is there anything I can run on the local computers to further troubleshoot dns errors? Is it possible that the existing Windows SBS server is still running DNS and therefore causing conficts in some way?
One thing to note is that when I reset the Pix 501, everything begins to work again but only for a short time until one by one each computer can no longer resolve domain names. Also, I noticed that once someone connects via VPN and disconnects, one of the local computers looses the ability to resolve DNS.
Cisco Pix Config
PIX# show config
: Saved
: Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password chiuzjKkSD33lwEw encrypted
passwd chiuzjKkSD33lwEw encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
access-list ping_acl permit icmp any any
pager lines 24
logging timestamp
logging monitor debugging
logging buffered debugging
logging history debugging
logging queue 0
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 512
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group ping_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ACS protocol tacacs+
aaa-server ACS max-failed-attempts 3
aaa-server ACS deadtime 10
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
crypto map MYMAP client authentication LOCAL
crypto map MYMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPNGRP idle-time 1800
vpngroup VPNGROUP address-pool VPN
vpngroup VPNGROUP dns-server 167.206.254.2
vpngroup VPNGROUP wins-server 192.168.2.50
vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd dns 167.206.254.2 167.206.254.2
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd enable inside
username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
username andrew password A340D92MQ0zV0hGs encrypted privilege 15
terminal width 80
Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbecWow...i didn't realize this was possible. I will certainly check the logs tomorrow via the existing thread but just to confirm, is this only true if DHCP is enabled on PIX?
In other words, I managed to work around this issue by applying static IP's to all computers and the internet works just fine. -
Hi,
We have a customer with a Pix 501(v6.3.4)(PDM v3.02) Firewall.
We can succesfully setup a VPN connection, but the client loses the Internet connection when the VPN connection is up. I found some articles on the Internet about split tunneling, but I cant figure out how to do this.
Can someone please help me out?I suppose 501 is Easy VPN server
Split tunnel says what traffic goes to VPN tunnel if you dont have split tunnel enabled all traffic iis encrypted you need specify with ACL what traffic should be encrypted
check following example whe is ACL 80 used for split tunnel
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html#wp1062497
M.
Hope that helps rate if it does -
IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501
I have successfully established the IPSEC tunnel with juniper firewall by using cisco Pix 501 (6.3 version). The problem I am facing, I have network layer connectivity but after time interval I am not able to send the traffic on destination IP address on specific port, but can successfully PING the destination IP. On both firewalls the IPs are permitted for all ports.
Dear Mr.
The same problem has occured with me. -
Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access
Hello folks,
I need your help.
We got a Cisco PIX 501 in one location and this pix is configured for pppoe dial out. The pix connects itself to the internet via pppoe client. ping to an offical ip is running well.
So what I want to do is to establish a von tunnel between this pix and a cisco 3005 concentrator.
But I was not successull to establish it.
Here is the pix config. the acl?s are only for testing and will be replaced if it works.
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname PIX-AU
domain-name araukraine.ua
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
mtu outside 1456
mtu inside 1456
ip address outside pppoe setroute
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.x.x 255.255.255.224 inside
pdm logging warnings 500
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.x.x 255.255.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.x.x 255.255.x.x inside
telnet timeout 5
ssh 194.39.97.0 255.255.255.0 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *********
encrypted privilege 15
vpnclient server 212.xx.xx.xx
vpnclient mode network-extension-mode
vpnclient vpngroup vpntest password ********
vpnclient username pixtest password ********
terminal width 80
on the concentrator I created a user pixtest, a group vpntest and I?ve created rules for the network e.g. to which server the users behind the pix will be able to access.
And that?s all.
I could not send you the output either of the pix or concentrator because I did not get an error or a message that the tunnel will be established.
What can be wrong ?
Thanks for the repliesThis sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml -
TC wireless failed; Use as USB backup with Netgear R7000 as router?
TC wireless failed. Can TC (500Gb hard drive) be used as USB backup with Netgear R7000 as router or to nearby iMac?
No, you cannot use the USB to access an internal disk in the TC.
If its wireless has failed the rest will not be far behind.. the 500GB is Gen1 or early Gen2.. and they are simply failing in numbers.. you can probably repair it with a power supply, I kind of doubt the wireless itself would die but is symptomatic of failure of the unit as a whole.
If you want a backup just buy a large USB drive and plug it straight into the iMac. Choose the fastest interface you can afford.. ie firewire 800 is still head and shoulders better than usb2.. but usb3 or thunderbolt in the later machines are a big improvement.. with the later costing an arm and leg still, with most of the bits in between. -
Strange issue - unable to establish PPP with Cisco 887 VAG router on one particular ADSL line
I have a strange problem that I’m struggling to get to the bottom of with my ISP and wondered if anyone could help.
We have a site with an older Cisco 877 ADSL router which was working happily until a few weeks ago when the connection dropped suddenly (out-of-hours at 2am if that’s of any significance – made me think most likely something carrier/ISP related?) When connectivity was lost, the router could sync with the BT exchange (we are in the UK) but could not establish PPP.
We logged fault with our ISP – after some to’ing and fro’ing, they passed it onto BT and their engineers visited site, they fixed “a line fault” (we don’t get much detail on what was actually fixed) but we still could not establish connectivity – same thing, solid CD light but no PPP.
So, we replaced the router with another 877 – same again, solid CD but no PPP. We replaced all the cables and microfilter etc but no difference.
We tried a different Cisco router (a newer Cisco 887VAG) which, as I understand, uses a different modem chipset but no matter – PPP could still not be established. We tested this router on another ADSL line with the same ISP and it worked without issue, using the same ADSL account details, it was able to establish connectivity. So we figured this must still be a BT/ISP issue.
Since then we’ve had BT out again twice but they say there is no fault. The ISP say there is no issue with them. But we still cannot establish ADSL connectivity on this line, despite having tried 3 different ADSL routers and despite the fact the routers work with the same account details on another ADSL line.
The 887VAG router we have currently connected has 3G backup so that is keeping us going in the meantime and also means I can login to the router remotely to check on the ADSL status.
But I’m struggling to pinpoint where the problem may lie. Strangely, if I turn on PPP negotiation and authentication debug then I’m not actually seeing any output from it at all?
Yet, the ATM interface is up and shows packets being sent and received:
ATM0 is up, line protocol is up
Hardware is MPC ATMSAR, address is bc16.6596.9b00 (bia bc16.6596.9b00)
MTU 1600 bytes, sub MTU 1600, BW 704 Kbit/sec, DLY 520 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Keepalive not supported
Encapsulation(s): AAL5
4 maximum active VCs, 1024 VCs per VP, 1 current VCCs
VC Auto Creation Disabled.
VC idle disconnect time: 300 seconds
Last input 00:00:28, output 00:00:07, output hang never
Last clearing of "show interface" counters 6d23h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Per VC Queueing
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
23886 packets input, 1676964 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
56469 packets output, 4418592 bytes, 0 underruns
0 output errors, 0 collisions, 6 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Does anyone have any ideas on where the problem may be and what more I can do to troubleshoot and provide the relevant evidence to our ISP (assuming it is an ISP/BT issue though the fact the same router works ok with the exact same details etc would seem to indicate it must be their issue!)Hi Jody,
thanks for the suggestions. Here's what I see from the ppp debugs (but I'm not sure how to interpret?)
Jan 6 14:50:22.838: pppoe_send_padi:
contiguous pak, size 74
00 01 09 00 AA AA 03 00 80 C2 00 07 00 00 FF FF
FF FF FF FF BC 16 65 96 9B 00 88 63 11 09 00 00
00 10 01 01 00 00 01 03 00 08 0C 00 00 01 00 00
04 A3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 ...
Jan 6 14:50:22.878: PPPoE 0: I PADO R:0030.8810.000b L:bc16.6596.9b00 0/38 ATM0.1
contiguous pak, size 71
BC 16 65 96 9B 00 00 30 88 10 00 0B 88 63 11 07
00 00 00 33 01 03 00 08 0C 00 00 01 00 00 04 A3
01 02 00 1F 62 72 61 73 2D 72 65 64 37 2E 6C 73
2D 62 61 73 2D 42 32 32 36 45 34 37 30 39 45 30
31 34 5A 01 01 00 00
Jan 6 14:50:24.885: OUT PADR from PPPoE Session
contiguous pak, size 85
00 01 09 00 AA AA 03 00 80 C2 00 07 00 00 00 30
88 10 00 0B BC 16 65 96 9B 00 88 63 11 19 00 00
00 33 01 03 00 08 0C 00 00 01 00 00 04 A3 01 02
00 1F 62 72 61 73 2D 72 65 64 37 2E 6C 73 2D 62
61 73 2D 42 32 32 36 45 ...
Jan 6 14:50:35.125: OUT PADR from PPPoE Session
contiguous pak, size 85
00 01 09 00 AA AA 03 00 80 C2 00 07 00 00 00 30
88 10 00 0B BC 16 65 96 9B 00 88 63 11 19 00 00
00 33 01 03 00 08 0C 00 00 01 00 00 04 A3 01 02
00 1F 62 72 61 73 2D 72 65 64 37 2E 6C 73 2D 62
61 73 2D 42 32 32 36 45 ...
Jan 6 14:50:45.364: OUT PADR from PPPoE Session
contiguous pak, size 85
00 01 09 00 AA AA 03 00 80 C2 00 07 00 00 00 30
88 10 00 0B BC 16 65 96 9B 00 88 63 11 19 00 00
00 33 01 03 00 08 0C 00 00 01 00 00 04 A3 01 02
00 1F 62 72 61 73 2D 72 65 64 37 2E 6C 73 2D 62
61 73 2D 42 32 32 36 45 ...
Jan 6 14:50:55.603: OUT PADR from PPPoE Session
contiguous pak, size 85
00 01 09 00 AA AA 03 00 80 C2 00 07 00 00 00 30
88 10 00 0B BC 16 65 96 9B 00 88 63 11 19 00 00
00 33 01 03 00 08 0C 00 00 01 00 00 04 A3 01 02
00 1F 62 72 61 73 2D 72 65 64 37 2E 6C 73 2D 62
61 73 2D 42 32 32 36 45 ...
Jan 6 14:51:05.843: OUT PADR from PPPoE Session
contiguous pak, size 85
00 01 09 00 AA AA 03 00 80 C2 00 07 00 00 00 30
88 10 00 0B BC 16 65 96 9B 00 88 63 11 19 00 00
00 33 01 03 00 08 0C 00 00 01 00 00 04 A3 01 02
00 1F 62 72 61 73 2D 72 65 64 37 2E 6C 73 2D 62
61 73 2D 42 32 32 36 45 ...
Jan 6 14:51:16.114: OUT PADR from PPPoE Session
contiguous pak, size 85
00 01 09 00 AA AA 03 00 80 C2 00 07 00 00 00 30
88 10 00 0B BC 16 65 96 9B 00 88 63 11 19 00 00
00 33 01 03 00 08 0C 00 00 01 00 00 04 A3 01 02
00 1F 62 72 61 73 2D 72 65 64 37 2E 6C 73 2D 62
61 73 2D 42 32 32 36 45 ...
Jan 6 14:51:26.353: [0]PPPoE 0: O PADT R:0000.0000.0000 L:0000.0000.0000 0/38 ATM0.1
contiguous pak, size 74
00 01 09 00 AA AA 03 00 80 C2 00 07 00 00 00 00
00 00 00 00 00 00 00 00 00 00 88 63 11 A7 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 ...
Jan 6 14:51:46.576: pppoe_send_padi:
contiguous pak, size 74
00 01 09 00 AA AA 03 00 80 C2 00 07 00 00 FF FF
FF FF FF FF BC 16 65 96 9B 00 88 63 11 09 00 00
00 10 01 01 00 00 01 03 00 08 0C 00 00 01 00 00
04 A3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 ...
Jan 6 14:51:46.608: PPPoE 0: I PADO R:0030.8810.000b L:bc16.6596.9b00 0/38 ATM0.1
contiguous pak, size 71
BC 16 65 96 9B 00 00 30 88 10 00 0B 88 63 11 07
00 00 00 33 01 03 00 08 0C 00 00 01 00 00 04 A3
01 02 00 1F 62 72 61 73 2D 72 65 64 37 2E 6C 73
2D 62 61 73 2D 42 32 32 36 45 34 37 30 39 45 30
31 34 5A 01 01 00 00
Provider wouldn't have bumped us from ADSL to VDSL - but here's the output of show controller vdsl 0:
Controller VDSL 0 is UP
Daemon Status: Up
XTU-R (DS) XTU-C (US)
Chip Vendor ID: 'BDCM' 'IFTN'
Chip Vendor Specific: 0x0000 0x71C8
Chip Vendor Country: 0xB500 0xB500
Modem Vendor ID: 'CSCO' ' '
Modem Vendor Specific: 0x4602 0x0000
Modem Vendor Country: 0xB500 0x0000
Serial Number Near: FCZ1111C08V C887VAG 15.2(4)M
Serial Number Far:
Modem Version Near: 15.2(4)M
Modem Version Far: 0x71c8
Modem Status: TC Sync (Showtime!)
DSL Config Mode: AUTO
Trained Mode: G.992.1 (ADSL) Annex A
TC Mode: ATM
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running
Trellis: ON ON
SRA: disabled disabled
SRA count: 0 0
Bit swap: enabled enabled
Bit swap count: 1 8
Line Attenuation: 54.5 dB 31.5 dB
Signal Attenuation: 54.5 dB 0.0 dB
Noise Margin: 6.7 dB 11.0 dB
Attainable Rate: 2132 kbits/s 888 kbits/s
Actual Power: 16.7 dBm 12.7 dBm
Total FECC: 546 0
Total ES: 6 0
Total SES: 0 0
Total LOSS: 0 0
Total UAS: 486 486
Total LPRS: 0 0
Total LOFS: 0 0
Total LOLS: 0 0
Full inits: 14
Failed full inits: 1
Short inits: 0
Failed short inits: 1
Firmware Source File Name (version)
VDSL user config flash:vdsl.bin-A2pv6C035d_d23j (10)
Modem FW Version: 110802_1752-4.02L.03.A2pv6C035d.d23j
Modem PHY Version: A2pv6C035d.d23j
Vendor Version:
DS Channel1 DS Channel0 US Channel1 US Channel0
Speed (kbps): 0 1664 0 704
SRA Previous Speed: 0 0 0 0
Previous Speed: 0 1600 0 736
Total Cells: 0 2786872 0 0
User Cells: 0 68 0 0
Reed-Solomon EC: 0 546 0 0
CRC Errors: 0 9 0 0
Header Errors: 0 10 0 0
Interleave (ms): 0.00 8.00 0.00 8.00
Actual INP: 0.00 1.12 0.00 1.28
Training Log : Stopped
Training Log Filename : flash:vdsllog.bin
And here's the output from the ATM and dialer interfaces:
interface ATM0
no ip address
ip flow ingress
no atm ilmi-keepalive
end
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/38
pppoe-client dial-pool-number 2
end
interface Dialer2
description OUTSIDE
ip address negotiated
ip access-group firewall in
ip mtu 1492
ip flow ingress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname ###removed###
ppp chap password ###removed###
no cdp enable
crypto map dcvpn
end
As I say though, config-wise, everything should be correct - the same router works fine on another line (which should also confirm the authentication details are correct - at least in as far as it matches what the ISP have on their RADIUS)
Any further thoughts? -
Cisco pix 501 open port problem
Hi,
I'm running a Pix 501 for Home office and I want to open first ports for my mail client for an outside located server.
But i get following error in the log:
106023: Deny tcp src outside:<ipmailserver>/993 dst inside:<ipoutsideinterface>/1729 by access-group "outside-mail"
here's my basic config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password YYYYYY encrypted
passwd YYYYYY encrypted
hostname sunny
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-mail permit tcp any any eq 465
access-list outside-mail permit tcp any any eq 993
pager lines 24
logging on
logging monitor emergencies
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
access-group outside-mail in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.10.10-192.168.10.39 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username stefan password YYYYY encrypted privilege 2
terminal width 80
Cryptochecksum:
: end
[OK]
What's the problem?
Any recommondations for the config anyway?
ThanksThanks Gerhard for the answer, but i don't want to redirect the port to an inside mail server.
I try to connect to an outside mail server with a mail client from an inside pc (who is in the dhcp ip pool, i.e. 192.168.10.22).
to open the ports i added:
access-list outside-mail permit tcp any any eq 465
access-list outside-mail permit tcp any any eq 993
access-group outside-mail in interface outside
but why is there a deny because of the access-group in the log?
106023: Deny tcp src outside:/993 dst inside:/1729 by access-group "outside-mail"
Regards S. -
Problem with cisco series 800 router and SMTP
Hello,
we bought a 877 cisco router and have some problem with SMTP.
I try to read all forum and KB about but do not find any solution.
the problem is that when i try to send any email from client (windows mail) i receive a error 533: you need to supply the correct username and password.
when trying throught hmailserver i receive an email "undeliverable" with this error in body:
Error Type: SMTP
Remote server (62.149.128.202) issued an error.
hMailServer sent: EHLO Globalnet
Remote server replied: 502 unimplemented (#5.5.1)
receving email work correctly.
i'm already using smtp auth, and with my old router everything work fine.
so i beleive is a config problem, maybe with ESMTP (ehlo)?.
i attach my config:Dear sirs
Thank you for answer so quickly
I download this document from Cisco âConfiguring the (Remote) Common Application Programming Interface for Cisco 800 Series Routerâ.
I have a Lan with Asterisk IP-PBX , the Cisco router have a BRI to public exchange (ISDN) , the router act like a DCP (ISDN- Device Control Protocol) server and listen (DCP messages) in 2578 port.
I need o know the contents of the TCP frame that carry (ISDN-TCP, the DCP messages) to put a SIP client to talk with PSTN/ISDN using the router. I want to write a software module in Asterisk that translate SIP in (ISDN-DCP) to connect the SIP Phones to the PSTN/ISDN using the BRI ports of the Cisco router. I need to now the contents of this message to dialogue with RCAPI server of the router.
If forum is the right place perhaps to put this, Could you give me a better place, a mail or other forum to receive the speciation of (ISDN-DCP)
thank you
With kinds Regards
João Pereira Rosa -
Problem with Cisco 3250 mobile router WMIC configuration
I have two 3250 mobile routers, and each one has 2 WMICs, 1 MARC and 1 4-port FEMIC. WIC1 seems to be the AP since its FE port connects to the FE0/0 or MARC, and WIC2 seems to be the bridge since its FE0 connects to FEMIC's FE2/3. The IOS version of router is 12.4(2)T3, and IOS version of both WMIC is 12.2(15).
I configured two routers in the following way (similar configuration as the police car example in the 3200 router software configuration guide):
1. Router1's WIC2 (bridge) acts as WGB, and router2's WIC2 (bridge) acts as root bridge.
2. Router2 is the DHCP server also.
3. WIC1 of each router is configured as root AP.
During my testing, the following scenarios happened:
1. WIC2 of both router can successfully associated.
2. Wired client can get IP address from router2 when it is pluged into either router's FE ports.
3. Wirless client can associate with the bridge connection, i.e. connected to the wirless bridge connection. (Weired! Can bridge work as a AP?)
4. Wireless client can't stably associate with WIC1 of either router, which is supposed to work as AP. A lot of authentication and deauthentication messages are flushing in the console. IP address can be leased, however, Ping was not successful.
My question is:
1. Why did this kind of problem happen?
2. How should i configure each WIC to achieve the set up of wireless client associate with AP and routers communicate through bridge?
3. Is my understanding on 3200 router wrong?
Thanks a lot for reply!Hello,
i have the same problem with router CISCO861W-GN-E-K9. Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
Can someone help?
Thank you.
Here is my config for internal AP and router. -
Hi,
I know this is an old firewall but its just a simple firewall I need, my question is this.
I am not getting any internet with my current config, see below:
show conf
: Saved
: Written by enable_15 at 00:52:17.182 UTC Fri Jul 20 2012
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PVSASRJovmamnVkD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname bmi-501-fw-1
domain-name buildmeit.internal
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 78.XX.XXX.XXX 255.255.240.0
ip address inside 10.52.100.123 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 101 0.0.0.0 0.0.0.0 0 0
access-group allow_ping in interface outside
access-group allow_ping in interface inside
route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.52.10.0 255.255.255.0 inside
http 10.52.66.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:f8f18bf2b944dddfaf3d83e6c1e1c57c
bmi-501-fw-1#
What am I missing, if I try and ping 8.8.8.8 it times out, any suggestions?Hi, Thanks for the reply, I've managed to sort it now with the following config below:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname bmi-501-fw-1
domain-name buildmeit.internal
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list PERMIT_IN deny tcp any any
access-list PERMIT_IN deny ip any any
access-list PERMIT_IN deny udp any any
access-list PERMIT_OUT permit tcp any any
access-list PERMIT_OUT permit ip any any
access-list PERMIT_OUT permit udp any any
access-list PERMIT_OUT permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XX.XXX.XXX 255.255.240.0
ip address inside 10.52.100.123 255.255.255.0
global (outside) 1 interface
outside interface address added to PAT pool
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group PERMIT_IN in interface outside
access-group PERMIT_OUT in interface inside
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.1 1
route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
wr mem
Regards to point 5 where you say devices like this shouldnt be used, I know its an unsupported device but what other reasons should I not be using it, its a good\simple firewall - i'd rather use this than say...........a horrible netgear! -
Airport with Cisco / Linksys E4200 Router
Hi, I have not been able to find a straight forward answer so i'm posting this.
I'm looking to switch my Linksys router over to N wireless, vs N and G or Just G- Not sure what it is now. I don't have great connection on my 2nd floor, with my Linksys router on the first floor. I want to use this as a bridge (instead of the RE1000), because i want the 5ghz, and AirPlay.
Can i use this as a plug and play bridge? I just want it to extend the signal, and be able to use airplay. No new network.
Some info i thought i would add:
ISP Cat 5 or 6? to Modem to Router (E4200)
Ping at 64 bytes
WPA2/WPA Mixed Mode Security
Thanks in advance.No you will not be able to use an AirPort to extend the wireless range of the Cisco/Linksys router if they will be interconnected by wireless. However, if they can be interconnected by wire, you could configure them for a roaming network.
-
All,
I have a friend trying to configure an existing PIX. They needed to change IP addresses due to ISP switch. Config was very basic but whenever he puts in the route outside command the PIX seems to take it but then he is saying it is disappearing when he checks the config. Does anyone have any ideas what this could be? He only changed outside IP address, a static translation
All replies rated. Thanks in advance!Hi Angel,
My assumption is that you have a speed issue between the outside interface of the PIX and the new ISP equipment.
You have statically set the outside interface "interface ethernet0 10baset"
Please post :
show int e0
PS : nice software version 6.2
Regards
Dan -
PIX 501 and Linksys VPN Router (WRV200)
I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Router on two other
sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
I believe the Linksys vpn routers can only connect via IPSec VPN, so i am looking for help on configuring the PIX 501 to allow the linksys to connect with the following parameters, if possible.
Key Exchange Method: Auto (IKE)
Encryption: Auto, 3DES, AES128, AES192, AES256
Authentication: MD5
Pre-Shared Key: xxx
PFS: Enabled/Disabled
ISAKMP Key Lifetime: 28800
IPSec Key Lifetime: 3600
On the PIX i have the PDM installed and i have tried using the VPN Wizard to no avail.
I chose the following settings when doing the VPN Wizard:
Type of VPN: Remote Access VPN
Interface: Outside
Type of VPN Client Device used: Cisco VPN Client
(can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
VPN Client Group
Group Name: RabyEstates
Pre Shared Key: rabytest
Extended Client Authentication: Disabled
Address Pool
Pool Name: VPN-LAN
Range Start: 192.168.2.200
Range End: 192.168.2.250
DNS/WINS/Default Domain: None
IKE Policy
Encryption: 3DES
Authentication: MD5
DH Group: Group 2 (1024-bit)
Transform Set
Encryption: 3DES
Authentication: MD5
I have attached the VPN log from the Linksys VPN Router.
This is the first time i've ever worked with PIX so i'm still trying to figure the thing out, but i'm confident with CCNA level networking.
Thanks for your help!Hi again,
I believe the pix has a 3des license because of the following parts of the "show version"
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
This PIX has a Restricted (R) license.
I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
As for the other show commands they give:
pixfirewall# show crypto isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
pixfirewall# show crypto ipsec sa
interface: outside
Crypto map tag: transam, local addr. 10.0.0.1
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 10.0.0.2:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
pixfirewall#
Thanks again Daniel, i really appreciate your help on this matter.
Maybe you are looking for
-
My iPhone wont let me download some apps that i have payed for on on my account; it says my iPhone is not authorized for this computer, but it is.
-
Master date maintenance for cost centers
Hi Experts i want to create new variant in KS12, for mass change of department field in cost center . i want to add this field in variant but don't found how to add. regards MuR!
-
Hello All, I am facing the below issue while reading the node. My Requirement is user selects no of langugaes from itemlist box means i will get selected languages in internal table. I have to generate three Text Edit elemnts for each language.If use
-
Retrieving Detailed Calculation in a group by query
I am writing a query that has a calculation based on an ID column or every detailed record in the table, but the output/report needs to be grouped by another column. The calculation is days_open/count(*). The days_open column is a field in the table.
-
IPod_Control\iTunes defect - what now?
my pod when connected cant be fully updated, it says there is a file damaged see above and i should do a CHKDSK ?? what the heck is this ? i have this problem also when trying to copy the songs from the ipod back to my laptopp via poddmaxx....?? than