CE560 and PIX

Has anyone had problems implementing a CE560 that sits behind a PIX? I am installing a CE560 that is speaking WCCP2 with a Catalyst 6509. All web traffic travels from the clients to the 6509, to the CE560, back to the 6509, through a PIX and on to the web (assuming that the page was not cached). The problem I have is that when the cache engine is used the firewall logs increase from 10MB daily to 80MB daily. All of the PIX syslogs are "Deny TCP connection due to no matching entry in the state table". All of the messages are to or from the CE560. Web traffic itself does not seem to be affected. It just causes the PIX logs to grow so large that they are unmanageable.
Thanks,
Kevin

Does the cache have a public-to-private static translation in the PIX? It might be better if it does.
But the problem you see may be related to the way the PIX closes sessions once a FIN packet is seen. You can alter this behavior with the PIX command "sysopt connection timewait", so try adding or removing this command and see if it stops the deny messages.
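Before changing "sysopt connection timewait" it is worth confirming from the syslog itself that the denies really are post-close tail segments involving the cache engine. The script below is an added example, not from the thread: it parses PIX "Deny TCP (no connection)" lines (message 106015), counts how many involve an assumed CE560 address, and breaks them down by TCP flags and remote peer. The CE560 address and the sample log lines are constructed placeholders.

```python
import re
from collections import Counter

# Assumed inside address of the CE560 (the thread gives no address; placeholder).
CACHE_ENGINE_IP = "10.0.0.50"

# Matches the text of PIX message 106015, "Deny TCP (no connection) ...",
# which the original poster reports filling the log once the cache is in path.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\w+)"
)


def parse_deny(line):
    """Return the fields of a 106015 line, or None for any other syslog line."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines, cache_ip):
    """Break the no-connection denies down by cache involvement, flags and peer."""
    total = 0
    cache = []
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        total += 1
        if cache_ip in (rec["src"], rec["dst"]):
            cache.append(rec)
    flags = Counter(r["flags"] for r in cache)
    # Segments without SYN are tail packets (FIN, ACK, RST) of a session the PIX
    # has already torn down, which is the pattern the timewait suggestion addresses.
    late_close = sum(1 for r in cache if "SYN" not in r["flags"].split())
    peers = Counter(r["dst"] if r["src"] == cache_ip else r["src"] for r in cache)
    return {
        "total_denies": total,
        "cache_denies": len(cache),
        "flags": flags,
        "late_close": late_close,
        "peers": peers,
    }


# Constructed sample log (not from the thread); RFC 5737 addresses stand in for web servers.
SAMPLE_LOG = """\
Jan 10 2003 08:00:01 pix %PIX-6-106015: Deny TCP (no connection) from 10.0.0.50/3201 to 198.51.100.20/80 flags FIN ACK on interface inside
Jan 10 2003 08:00:01 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.20/80 to 10.0.0.50/3201 flags ACK on interface outside
Jan 10 2003 08:00:02 pix %PIX-6-106015: Deny TCP (no connection) from 10.0.0.50/3202 to 203.0.113.7/80 flags ACK on interface inside
Jan 10 2003 08:00:03 pix %PIX-6-106015: Deny TCP (no connection) from 10.0.1.9/1044 to 203.0.113.7/443 flags SYN ACK on interface inside
Jan 10 2003 08:00:04 pix %PIX-6-302014: Teardown TCP connection 12345 for outside:203.0.113.7/80 to inside:10.0.0.50/3202 duration 0:00:01 bytes 5120 TCP FINs
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines(), CACHE_ENGINE_IP)
    print(f"{report['cache_denies']} of {report['total_denies']} no-connection denies involve the cache")
    print(f"{report['late_close']} are post-close tail segments; flags: {dict(report['flags'])}")
    print("busiest peers:", report["peers"].most_common(3))
```

If nearly all cache-related denies carry FIN/ACK with no SYN, the log growth is the PIX discarding the tail of sessions it already closed, and adjusting the timewait behaviour is the right lever; a large share of SYN-bearing denies would instead point at a translation or routing asymmetry.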

Similar Messages

  • Problem with VPN by ASA 5505 and PIX 501

    Hi
    I have this scenario: Firewall ASA 5505, Firewall PIX 501 (with CatOS 6.3(5)).
    I have configured these appliances for Easy VPN (the server is the ASA) and PIX, and remote access with the Cisco VPN client (for the ASA internal LAN).
    When I configure the ASA I have this problem, when I configure NAT for Easy VPN.
    This is my nat configuration:
    nat (inside) 0 access-list 100
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 0.0.0.0 0.0.0.0 outside
    When I put this command:
    nat (inside) 0 access-list no-nat
    this command is necessary for the configuration of Easy VPN, but the previous nat:
    nat (inside) 0 access-list 100
    is replaced with the latest command.

    To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
    For regular dynamic NAT:
    nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    For policy dynamic NAT and NAT exemption:
    nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
    no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]

  • CE560 and problems with Websense onboard

    I am testing Websense on the local CE to filter URLs. I recently had to move it from a test environment to a production environment and in the process had to change IP addresses. I used the Websense ChangeIP utility to do this, but now when I try to access the CE with Websense Manager I get the following error: Cannot read configuration data from /EIMServer/Global/OldConfig/K2097153. Error 1100021762. In the config.xml file on the CE, there is no K2097153 listed under the OldConfig section. Also, when I go to the CE Web GUI the Websense server says it cannot connect to openserver on localhost.
    I have spoken to Websense and they have not helped me at all at this point.
    Any help on this problem would be greatly appreciated.

    Resolved. Copied a configuration file from a working CE560 and replaced the IPs in the configuration file with the IP of the new CE, and Websense is now working.

  • Photoshop Elements 8 Mac - All fonts look jagged and pixely

    Hi,
    I have the problem that all fonts look jagged and pixelly when using Photoshop Elements 8 on Mac OS X 10.6.3. I am using the right image size, 300 dpi and so forth. Interestingly enough, this only happens in Photoshop. If I repeat the procedure in Pixelmator everything is normal.
    I would really appreciate any suggestions.

    Are you simplifying the font layer and then making it larger? Can you explain exactly, step by step, what you're doing?

  • Recommended reboot of Cisco routers and PIX

    Is it recommended to reboot all networking equipment which is on 24 hours a day once in six months' time?
    Is there any documentation related to this? Please let us know.
    regards
    pushpak

    Nope. You can have the devices on for years if you are not seeing any issues and have no need for an IOS upgrade. That being said, you may not want to go for years without doing any sort of IOS upgrade. Keep a check on security advisories. I personally have seen 6500s and PIXs with over 1000 days of uptime. These are not your average MS Server.

  • Problem with VPN Client and PIX 7.0(5)

    Hi, I have a problem configuring my PIX 525 7.0(5) as a remote VPN server. I already configured the PIX
    following these instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
    and I can establish a VPN using the Cisco VPN Client, but I can't reach any resource from my inside network or any network defined in the PIX.
    I think that it could be a missing NAT or an ACL, but I have done a lot of research and I can't figure out the solution.
    This is the configuration I applied:
    access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
    access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
    access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
    access-list acl-vpn-sap-remoto extended permit ip any any
    access-list acl-vpn-sap-remoto extended permit icmp any any
    ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
    nat (inside) 0 access-list cryptomap-scada
    group-policy VPN_SAP_PED internal
    group-policy VPN_SAP_PED attributes
    vpn-filter value acl-vpn-sap-remoto
    vpn-tunnel-protocol IPSec
    username vpnuser password **** encrypted
    username vpnuser attributes
    vpn-group-policy VPN_SAP_PED
    crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
    crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
    crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
    crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption 3des
    isakmp policy 7 hash sha
    isakmp policy 7 group 2
    isakmp policy 7 lifetime 43200
    tunnel-group VPN_SAP_PED type ipsec-ra
    tunnel-group VPN_SAP_PED general-attributes
    address-pool pool_vpn_sap
    default-group-policy VPN_SAP_PED
    tunnel-group VPN_SAP_PED ipsec-attributes
    pre-shared-key clavevpnsap
    Thanks in advance

    Hi, thanks for your response. If I remove the ACL from the vpn-filter, I get the same problem (I can't reach any host). This is the output from the command that you asked for.
    PIX-Principal(config)# show running-config nat
    nat (inside) 0 access-list cryptomap-scada
    nat (inside) 9 JOsorioPC 255.255.255.255
    nat (inside) 9 GColinaPC 255.255.255.255
    nat (inside) 9 AlfonsoPC 255.255.255.255
    nat (inside) 9 AngelPC 255.255.255.255
    nat (inside) 9 JerryPC 255.255.255.255
    nat (inside) 9 EstebanPC 255.255.255.255
    nat (inside) 9 GiancarloPC 255.255.255.255
    nat (inside) 9 WilliamsPC 255.255.255.255
    nat (inside) 9 PerniaPC 255.255.255.255
    nat (inside) 9 ElvisDomPC 255.255.255.255
    nat (inside) 8 LBermudezPC 255.255.255.255
    nat (inside) 9 HelpDeskPC 255.255.255.255
    nat (inside) 9 OscarOPC 255.255.255.255
    nat (inside) 9 AnaPC 255.255.255.255
    nat (inside) 9 RobertoPC 255.255.255.255
    nat (inside) 9 MarthaPC 255.255.255.255
    nat (inside) 9 NOCPc5-I 255.255.255.255
    nat (inside) 9 NOCPc6-I 255.255.255.255
    nat (inside) 9 CiraPC 255.255.255.255
    nat (inside) 9 JaimePC 255.255.255.255
    nat (inside) 9 EugemarPC 255.255.255.255
    nat (inside) 9 JosePC 255.255.255.255
    nat (inside) 9 RixioPC 255.255.255.255
    nat (inside) 9 DaniellePC 255.255.255.255
    nat (inside) 9 NorimarPC 255.255.255.255
    nat (inside) 9 NNavaPC 255.255.255.255
    nat (inside) 8 ManriquePC 255.255.255.255
    nat (inside) 8 MarcialPC 255.255.255.255
    nat (inside) 8 JAlbornozPC 255.255.255.255
    nat (inside) 9 GUrdanetaPC 255.255.255.255
    nat (inside) 9 RVegaPC 255.255.255.255
    nat (inside) 9 LLabarcaPC 255.255.255.255
    nat (inside) 9 Torondoy-I 255.255.255.255
    nat (inside) 9 Escuque-I 255.255.255.255
    nat (inside) 9 Turbio-I 255.255.255.255
    nat (inside) 9 JoseMora 255.255.255.255
    nat (inside) 8 San-Juan-I 255.255.255.255
    nat (inside) 8 Router7507 255.255.255.255
    nat (inside) 8 NOCPc4-I 255.255.255.255
    nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255

  • Music all in cloud and pix gone

    GRRRR.... I have an iPhone 5s. Until downloading the new iOS, or maybe it was when I paid for that music match thing, everything changed.
    I had that music match thing (I'm sorry I can't remember what it's called) since they offered it. I don't even know why I got it because I have no idea what it does. I think my daughter told me to get it. At any rate, when I initially paid for it nothing changed on my phone or anywhere as far as I could tell.
    Then it came up for the yearly renewal and renewed automatically. I wouldn't have renewed it because again I'm not sure what the heck it does.
    Then I noticed my iOS on my phone updated as well. So I'm not sure what changed on my phone but something did. I listen to all my thousands of songs when I'm in my car. Well, I can't do that any more because the music is no longer on my phone; it has a cloud symbol by it. So now unless I use the data on my AT&T plan I don't have any music. How do I get my music back to my phone and off the cloud?
    Secondly, I think my photos changed when the iOS recently updated (or maybe it was that Match thing, I have no idea). Now all of a sudden my phone has all 5,000 photos on it from Aperture. I never had that before and I don't want them there. But how did that happen??? Other than the Match and an iOS update nothing changed.
    But worse, the photos that I used to have on my phone are gone. Not the ones I took with my phone but photos back when I had MobileMe... I made an album and transferred those pix (somehow) to my phone. They were all there until last week. Now they are gone and as far as I know I don't have them anywhere. They are not in Aperture because they were not taken with my Nikon.
    Some were old pix that I scanned in a few years ago. Some were sent to me and I moved to my older phones, and each time I got a new phone I moved the pix. Again, they were on my new iPhone 5s as recently as January cuz I was showing them to a friend. Now they are gone.
    To sum it up, 2 questions:
    How do I get my music back into my iPhone?
    Any suggestions on where to find my old iPod album?
    Susan

    There are two ways to sync music across your computers and devices (e.g., iPads, iPhones).
    One (the "traditional" method) is to connect a cable between the PC or Mac and the device, open iTunes, and sync all or some of your music.
    The cloud method requires an iTunes Match subscription ($25/year in the US, £22/year in UK). With this method, you sign up, and all your iTunes music is copied up to the cloud, where it then becomes available on all devices. If you stop the subscription you lose cloud access to the music - however, you should keep a copy of the music in its original location (e.g., the PC you started with), or download everything from the cloud to another authorized computer, to keep a local copy just in case. If you're not sure whether or not you have an iTunes Match subscription active, check your emails from Apple, or just try to sign into iTunes Match on the iPad (Settings - iTunes - iTunes Match) and see if it lets you.
    "Device backup" is a separate thing from "syncing". You can back up an iPad to a computer or to iCloud. Much of your information is backed up - however, it does NOT include music. If the Apple representative told you that an iCloud backup would restore your music, he was mistaken.
    I don't know if that helps you
    Matt

  • Vonage VoIP and PIX 501

    I have a SOHO currently using a cable modem connected to the outside interface of a PIX 501. The inside interface of the PIX connects to a hub with 8 ports. I have 2 PCs and a Linksys AP plugged into the hub. I have been looking at using Vonage VoIP. My questions are:
    1) Is it possible?
    2) Do I need to use a special fixup protocol or config?
    3) Has anyone used Vonage VoIP and how is it working?
    Thanks,
    Paul Lane

    Paul,
    I have been using Vonage successfully with a very similar configuration. You don't need any fixups or special configurations to make this work.
    My only suggestion is to connect your ATA to a switch port behind the PIX, as opposed to the hub.
    Have fun!
    Fernando Macias

  • AT&T Pre Plus and Pixi Reception are lacking

    I had an iPhone and I used to think that phone had bad signal. Now my Pre Plus gets barely 1 bar when iPhones around me are getting 4 bars of 3G. It's killing my battery switching between EDGE and 3G. I didn't want to make a big deal, but my friend just bought a Pixi and asked "Why do I always have low reception on this phone?" He was comparing it to his old Nokia 71x. But I do agree the reception I get is far below average, and worse than iPhones.
    Can this be fixed through software? I love my Pre but I never had so many problems with signal before.

    I've never had an iPhone to compare (though one of my kids has), but I am trying out an AT&T Pre Plus for awhile before deciding whether to keep it and pay Sprint's early termination fee.  I live in a borderline area and still find that my signal strength on the AT&T Pre Plus here at the house seems to be as good as it was on my Moto Razr and Palm Centro.  OTOH, one of my kids who used to have an iPhone before it died about a month out of warranty, used to routinely complain that it would drop calls and lose signal in places where I never used to experience problems.
    Anecdotal, I know.  But my experience seems to be different than yours.
    smkranz
    I am a volunteer, and not an HP employee.
    Palm OS ∙ webOS ∙ Android

  • Why there is a difference between Router and PIX ACL

    Hi,
    I have a very basic question about the differences between ACL behaviour in PIX and routers.
    In a router, if we put in an extended ACL and want to remove a mid entry, then either we have to clear the entire ACL or remove all the entries below it.
    Whereas in the case of the PIX we can remove any of the entries.
    Why is this difference there?
    Would appreciate your quick answers.
    Thanks
    Irshad

    The PIX OS is designed in such a way. Anyway, even in routers you can remove a mid entry by configuring named access-lists. You need not clear the entire ACL in this case.
    ip access-list extended ROUTER-ACL
    permit ip host x.x.x.x host y.y.y.y

  • Only sync does is backup. Can't add vids and pix from my desktop

    I cannot add pix and vids to my iPad 2 since the new system. It backs up all the time but does not allow me to add photos and vids.

    Have you made any permissions changes to your Home folder or its other folders? Are you transferring documents that are owned by another user than yourself?
    What are the permissions for your Home, Desktop, and Documents folders? Select a folder. Press COMMAND-I to open the Get Info window. In the bottom section you will find the information for Owner, Group, and Everyone. What are they?
    Aha!  Got it.  Thanks

  • BorderManager and Pix Firewall

    Hello,
    Just implemented NSBS 6.5 for a small bank with the PIX firewall's inner IP address as my next-hop router. Was able to send mails out but could not receive inbound mails. Also the bank's web site could no longer be accessible from within the bank, but could be connected to from anywhere outside the bank's network. Could ping from the BorderManager proxy with public IP of 172.16.1.2 to the PIX private IP of 172.16.1.1.
    Moreover, a McAfee antivirus appliance was brought in and connected between the BorderManager proxy server and the PIX firewall with a bridged connection and assigned IP addresses of 172.16.1.3 and 172.16.1.4. At this instance, could no longer ping the PIX 172.16.1.1, but could ping both interfaces of the McAfee appliance. Could not also send nor receive mails via the mail proxy.
    I intend bringing the McAfee appliance before the BorderManager proxy and assigning a LAN address to it since it has a bridged config, so as to isolate the problem of this appliance.
    I need to get the mail server running perfectly and the website accessible. Pls kindly help my case.
    Regards,
    Sesan.

    You need to go ask this in the support.bordermanager.install-setup
    group, as this group is for the client firewall product only.
    Cheers!
    Richard Beels
    http://www.dsi-consulting.com
    Collaboration without complication

  • Trying to create VPN between a Fortigate and Pix

    Here is the Pix config:
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
    crypto map outside_map 10 ipsec-isakmp
    crypto map outside_map 10 match address 85
    crypto map outside_map 10 set peer 10.48.4.6
    crypto map outside_map 10 set transform-set fortinet
    crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address 90
    crypto map outside_map 20 set peer 10.x.x.x
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface EPORT
    isakmp enable EPORT
    isakmp key ******** address 10.48.4.6 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 28800
    Here is the output of debug crypto on the Pix:
    ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
        dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
        src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac ,
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
    IPSEC(validate_transform_proposal): peer address 10.48.4.6 not found
    IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
        dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
        src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac ,
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
    IPSEC(validate_transform_proposal): peer address 10.48.5.94 not found
    ISAKMP: IPSec policy invalidated proposal
    ISAKMP (0): SA not acceptable!
    I'm having trouble understanding the debug message and what might be wrong in the settings.

    Jon,
    Can you verify the crypto access list on the Fortinet? I can see that you have configured the crypto access list as subnet. The Fortinet should also be subnet and not range type:
        dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
        src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4)
    Type 4 is subnet type.
    Let me know.

  • 3560 PBR from VLANs to Router and PIX each with ISP

    I want to know whether it is possible to use a 3560, with Advanced IP Services, to policy-based route from VLANs to different ISPs?
    Setup looks like:
    PIX to 3560
    2821 to 3560
    VLAN 100 on 3560
    VLAN 200 on 3560
    Is it possible to send VLAN 100 out the PIX and send VLAN 200 out the 2821?

    You are correct. Route-map support for 3560 is limited and it doesn't give you many options that you would normally see on a router.
    I guess you only wanted to policy route the traffic from your SVI (vlan) interfaces to two different ISPs and this can be achieved by using the 'set ip next-hop' command.
    You need a config like the one below. You could configure the ACL to disallow policy routing between your local subnets and policy route all other traffic to the ISP of your choice.
    int vlan 100
    ip policy route-map cisco
    route-map cisco permit 10
    match ip address 100
    set ip next-hop (ISP_1)
    access-list 100 deny ip (vlan_100) (vlan_200)
    access-list 100 permit ip any any
    HTH,
    Sundar

  • IPIPGW and PIX firewall

    I am trying to make an IPIPGW accessible through a PIX 6.3(5) firewall. The H.323 RAS and H.225 fixups are enabled, but connections to the IPIPGW are not established; the firewall generates an error "call proceeding before setup". The workaround appears to be to disable both fixups and open >1024 ports, which is less than ideal. What generates the "call proceeding before setup" and can it be worked around on the IPIPGW? I've tried both slow- and fast-start connections.

    Hi,
    This is really an odd issue. The Q.931 sequence of call setup is:
    A SETUP --> B
    (optionally B can reply with "SETUP ACK" if it is an overlapped number, but this does not count for H.323)
    B CALL PROCEEDING / PROGRESS / ALERT --> A
    B CONNECT --> A
    It is very basic, but in general that is the procedure. Cisco says that a SETUP message has arrived after the CALL PROCEEDING one, which is incorrect. An H.323 (H.225) debug would bring some light to the issue.
    We have a network of Cisco voice gateways, CallManagers, third-party gatekeepers and gateways, calling each other through a Cisco 6.4 PIX and it works (however we had some nasty troubles with path MTU discovery).
