Cisco PDM 3.0.1
Hi
I installed latest java(1.5.0_02-b09) and now Cisco PDM 3.0.1 don't work.
Error I get is:
excetion: java.security.AccessControlExcetion: access denied(java.util.PropertyPremission java.version read)
Where is problem?
Hi,
*** Device Details for d0151-100 ***
Protocol ==> Unknown / Not Applicable
Selected Protocols with order ==> TFTP,SSH,HTTPS
Execution Result:
Unable to get results of job execution for device. Retry the job after increasing the job result wait time using the option:Resource Manager Essentials -> Admin -> Config Mgmt -> Archive Mgmt ->Fetch Settings
This is the error while doing syn archieve.
I am not sure about Rtr7000 version but we have latest Rtr7000.
Waiting for your kind reply.
Samir
Similar Messages
-
ASDM 7.1 fails to start on MacOS
Hi,
I have an ASA-5505 which I have been managing using ASDM from a PC and a Mac.
I just happens that the Mac has not been used in a little while and when I tried to use ASDM on it, it fails.
I've had a trawl through various posts and release notes (after updating various components in the process, incl Java with all the diabling/security updates of late) but am still having the problem and this is where I'm at:
- the ASA runs v8.4(2) and ASDM 7.1(1)52
- release notes state that ASDM 7.1 should work on Java 7 on Windows 7 and MacOS 10.7
- ASDM starts fine on my Windows 7 PC running Java 1.7.0_13
- I am also running Java 1.7.0_13 on MacOS 10.7.5
- on MacOS, ASDM starts, asks for credentials, download/refreshes the cached app... and then crashes with the following exception message:
Java Web Start 10.13.2.20
Using JRE version 1.7.0_13-b20 Java HotSpot(TM) 64-Bit Server VM
User home directory = /Users/[myusername]
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
0-5: set trace level to <n>
CacheEntry[https://192.168.1.1/admin/public/asdm.jnlp]: updateAvailable=false,lastModified=Mon Dec 17 19:55:35 GMT 2012,length=-1
Match: beginTraversal
Match: digest selected JREDesc: JREDesc[version 1.6+, heap=67108864-536870912, args=-XX:MaxNewSize=1024k, href=null, sel=false, null, null], JREInfo: JREInfo for index 0:
platform is: 1.7
product is: 1.7.0_13
location is: http://java.sun.com/products/autodl/j2se
path is: /Library/Internet Plug-ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
args is: null
native platform is: Mac OS X, x86_64 [ x86_64, 64bit ]
JavaFX runtime is: JavaFX 2.2.5 found at /Library/Internet Plug-ins/JavaAppletPlugin.plugin/Contents/Home/
enabled is: true
registered is: true
system is: true
Match: selecting maxHeap: 536870912
Match: selecting InitHeap: 67108864
Match: digesting vmargs: -XX:MaxNewSize=1024k
Match: digested vmargs: [JVMParameters: isSecure: true, args: -XX:MaxNewSize=1024k]
Match: JVM args after accumulation: [JVMParameters: isSecure: true, args: -XX:MaxNewSize=1024k]
Match: digest LaunchDesc: https://192.168.1.1/admin/public/asdm.jnlp
Match: digest properties: [-Dhttp.agent=ASDM/]
Match: JVM args: [JVMParameters: isSecure: true, args: -XX:MaxNewSize=1024k -Dhttp.agent=ASDM/]
Match: endTraversal ..
Match: JVM args final: -Xmx512m -XX:MaxNewSize=1024k -Dhttp.agent=ASDM/
Match: Running JREInfo Version match: 1.7.0.13 == 1.7.0.13
Match: Running JVM args mismatch: have:<-Xmx512m -Dhttp.agent=ASDM/> !satisfy want:<-Xmx512m -XX:MaxNewSize=1024k -Dhttp.agent=ASDM/>
Application Logging Started at Thu Feb 07 14:01:25 GMT 2013
Local Launcher Version = 1.5.56
Local Launcher Version Display = 1.5(56)
OK button clicked
Trying for ASDM Version file; url = https://192.168.1.1/admin/
Server Version = 7.1(1)52
Server Launcher Version = 1.5.56, size = 758784 bytes
invoking SGZ Loader..
Cache location = /Users/[myusername]/.asdm/cache
Exception in thread "SGZ Loader: launchSgzApplet" java.lang.NoClassDefFoundError: apple/laf/AquaTableHeaderUI
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at com.cisco.nm.dice.loader.l.loadClass(DashoA19*..:232)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at com.cisco.nm.dice.loader.l.loadClass(DashoA19*..:232)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:188)
at dla.updateUI(Unknown Source)
at javax.swing.table.JTableHeader.<init>(JTableHeader.java:159)
at dlz.<init>(Unknown Source)
at dla.<init>(Unknown Source)
at do6.<init>(Unknown Source)
at do5.createDefaultTableHeader(Unknown Source)
at javax.swing.JTable.initializeLocalVars(JTable.java:5531)
at javax.swing.JTable.<init>(JTable.java:635)
at javax.swing.JTable.<init>(JTable.java:574)
at dns.<init>(Unknown Source)
at dlk.<init>(Unknown Source)
at dn5.<init>(Unknown Source)
at dk9.<init>(Unknown Source)
at dk5.<init>(Unknown Source)
at dkv.<init>(Unknown Source)
at do5.<init>(Unknown Source)
at ds.<init>(ds.java:64)
at ds.<init>(ds.java:60)
at _d.<init>(_d.java:36)
at _f.<init>(_f.java:36)
at _g.<init>(_g.java:71)
at bb6.a(bb6.java:98)
at px.b(px.java:461)
at px.<init>(px.java:280)
at com.cisco.pdm.PDMApplet.start(PDMApplet.java:160)
at com.cisco.nm.dice.loader.r.run(DashoA19*..:410)
Caused by: java.lang.ClassNotFoundException: apple.laf.AquaTableHeaderUI
at com.cisco.nm.dice.loader.l.loadClass(DashoA19*..:246)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
... 36 more
The root cause of the issue seems to be that a Java class called apple.laf.AquaTableHeaderUI is not found...
Now, I don't know much about Java, but that seems to be an Apple UI related class - I presume that it would be good to use this to give ASDM a more native look and feel, but why on earth is there no fallback? or am I missing something?
Any information or help on the matter will be very welcome... even if it's only to say that you are experiencing the same issue!
OlivierI had exactly the same problem on a Mac mini running OS X 10.9.3 and 10.9.4 with Java 1.7.0_60. I spent any amount of time flushing caches, deleting my ~/.asdm directory and re-installing the dm-launcher.dmg file.
I eventually got it running by installing Apple's Java for OS X 2014-001 from http://support.apple.com/kb/dl1572, deleting my ~/.asdm directory, using the Java Control Panel to delete all cached files and installed apps, then reinstalling from a fresh download of the dm-installer.dmg file.
Bit of a blunderbus approach, I know, but it worked for me. I think the Apple Java installation was what tipped the balance, but who knows, as it really ought to have been there already, shouldn't it?!
YMMV :-)
[followup comment]
I just checked the Software Installations history on my Macbook Air on which ASDM has been working just fine. It had Java for OS X 2013-005, which is the predecessor of 2014-001, and I remember having to install it to sort out compatibility problems between Java 6, Java 7 and ASDM 7.1. The Mac mini, on the other hand, had Java for OS X 2012-005, which I suspect is the root of my problems.
You can find out which Java you have by running "java -version" from a Terminal, and cross-check against the table on https://developer.apple.com/library/mac/technotes/tn2002/tn2110.html. -
Unable to access the Firewall through ASDM
Hi All,
Thanks in advance ,
in my organisatin we are facing one issue with launching of ASDM in ASA 5520 , when wer are trying to access the Firewall through ASDM we are unable to access that , see the java error loggs below , yes i know if we reload the firewall then this problem will solve , but my organisation management donsent want to reload the firewall , other procedure is to upgrage the ASDM version , just let me know the procedure for this
Using JRE version 1.7.0_25 Java HotSpot(TM) Client VM
User home directory = C:\Users\shussain
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
m: print memory usage
q: hide console
s: dump system properties
ASDM Application Logging Started at Tue Aug 20 11:04:48 AST 2013
Local Launcher Version = 1.5.30
Local Launcher Version Display = 1.5(30)
OK button clicked
Trying for ASDM Version file; url =
https://192.168.50.2/admin/
Server Version = 6.1(3)
Server Launcher Version = 1.5.30, size = 319488 bytes
invoking SGZ Loader..
Cache location = C:/Users/shussain/.asdm/cache
Exception in thread "SGZ Loader: launchSgzApplet" java.lang.NumberFormatException: For input string: "1 year 192"
at java.lang.NumberFormatException.forInputString(Unknown Source)
at java.lang.Integer.parseInt(Unknown Source)
at java.lang.Integer.parseInt(Unknown Source)
at com.cisco.pdm.Check.h(DashoA10*..:1358)
at com.cisco.pdm.Check.c(DashoA10*..:858)
at com.cisco.pdm.Check.a(DashoA10*..:438)
at com.cisco.pdm.PDMApplet.start(DashoA10*..:132)
at com.cisco.nm.dice.loader.r.run(DashoA19*..:410)dear marvin,
find my firewall sh version output, and asdm version ,
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 year 193 days
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 0021.a09a.ba76, irq 9
1: Ext: GigabitEthernet0/1 : address is 0021.a09a.ba77, irq 9
2: Ext: GigabitEthernet0/2 : address is 0021.a09a.ba78, irq 9
3: Ext: GigabitEthernet0/3 : address is 0021.a09a.ba79, irq 9
4: Ext: Management0/0 : address is 0021.a09a.ba7a, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1304L0HA
Running Activation Key: 0x0313c076 0x58bdf52e 0xa83245ac 0xb460b058 0x88201caa
Configuration register is 0x1
Configuration last modified by enable_15 at 10:18:47.850 AST Wed Aug 21 2013
ciscoasa#
ciscoasa# sh run asdm
asdm image disk0:/asdm-613.bin
asdm location internal-network1 255.255.0.0 internal -
I am trying to access the Cisco PIX device manager to get access to my firewall, but get the error message above when trying to start the applet: Is this a bug? Thankful for any input! See the Java concole output below:
Java Plug-in 1.5.0_06
Using JRE version 1.5.0_06 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\Kari
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
Requesting URL: https://10.1.1.1/jploader.jar
java.security.AccessControlException: access denied (java.util.PropertyPermission java.version read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at com.cisco.pdm.e.c.q(Unknown Source)
at com.cisco.pdm.e.c.h(Unknown Source)
at com.cisco.pdm.a.byte(Unknown Source)
at com.cisco.pdm.PDMApplet.start(Unknown Source)
at com.cisco.nm.util.sgz.Env.start(Env.java:37)
at com.cisco.nm.util.sgz.Loader.start(Loader.java:109)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)I had the same problem trying to open a Pix 506e through Internet Explorer.
After downloading and installing and uninstalling again differt versions; the working solution for me was version JRE 1.4.2_07
Be sure to download the 07, other versions of the 1.4.2 were not working! -
System : PIX 506E ver 6.3(5) PDM 3.0(4)
XP SP3
Firefox 3.0.8 and IE 6 BOTH have the same result so it is not a browser setting.
JRE 6 update 11 would log errors but open the PDM. Updating java uninstalls update 11 and installs update 13. This update also logs errors (ArrayIndexOutOfBoundsException) but the PDM fails to open. Full error at the end.
Is there any way to use update 13? All other apps that I use that run under java are running fine. I would like to have all the machines in the company with the same versions of SW.
Brian
==== Java errors ====
Java 6 update 11 and PDM opens
Exception in thread "AWT-EventQueue-2" java.lang.NullPointerException
at com.cisco.nm.util.sgz.Loader.repaint(Loader.java:128)
at sun.java2d.d3d.D3DScreenUpdateManager$2.run(Unknown Source)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Java 6 updates 12 & 13 and PDM does NOT open.
java.lang.ArrayIndexOutOfBoundsException: No such child: 0
at java.awt.Container.getComponent(Unknown Source)
at symantec.itools.b.n.getComponent(Unknown Source)
at java.awt.Component.calculateCurrentShape(Unknown Source)
at java.awt.Component.applyCurrentShape(Unknown Source)
at java.awt.Component.mixOnShowing(Unknown Source)
at java.awt.Component.addNotify(Unknown Source)
at java.awt.Label.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Panel.addNotify(Unknown Source)
at symantec.itools.b.n.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Panel.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Panel.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Panel.addNotify(Unknown Source)
at symantec.itools.b.n.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Panel.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Panel.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Panel.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Panel.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Panel.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Panel.addNotify(Unknown Source)
at java.awt.Container.addNotify(Unknown Source)
at java.awt.Window.addNotify(Unknown Source)
at java.awt.Frame.addNotify(Unknown Source)
at java.awt.Window.show(Unknown Source)
at com.cisco.pdm.PDMApplet.start(Unknown Source)
at com.cisco.nm.util.sgz.Env.start(Env.java:37)
at com.cisco.nm.util.sgz.Loader.start(Loader.java:109)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Exception: java.lang.ArrayIndexOutOfBoundsException: No such child: 0Symptom Intermittently, while using Microsoft Internet Explorer, a message box stating DDHelp caused an invalid page fault in module at ... appears after RTR has been running for awhile. Subsequently, the machine pauses indefinitely.
Possible Cause The DirectDraw function in the Java Runtime Environment (JRE) causes interruption to the video driver, as related in Bug4713003 reported by Sun Microsystems.
Recommended Action Upgrade Internet Explorer to version 5.5SP2. If the problem persists, go to Start > Settings > Control Panel open the Java Plug-in panel and add -Dsun.java2d.noddraw=true flag as a parameter. -
I am receiving an exception error when launching ASDM. I have see on the web (and have experienced an issue similar to this before) where a reload resolves the issue. However, I did issue a reload and the error continues. Strange thing is, when I look at the uptime in SH TECH-SUPPORT it shows over a year . Now this firewall is on an active/passive cluster, so my question is, did the reload work on just one and the other took over and so a reload actually did not occur?
We have an issue going on right now where it would be extremely helpful to have this console working.
Thanks In Advance.
JT
Using JRE version 1.4.2 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\User
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
m: print memory usage
q: hide console
s: dump system properties
ASDM Application Logging Started at Tue Apr 09 09:45:02 PDT 2013
Local DM Launcher Version = 1.5.22
Local DM Launcher Version Display = 1.5(22)
OK button clicked
Cache location = C:/Documents and Settings/User/.asdm/cache
Checking the DM Launcher Version; url = https://10.1.1.1/admin/
Server DM Version = 6.0(2)
Server DM Launcher Version = 1.5.22, size = 318464 bytes
DM Launcher version checking is successful.
invoking SGZ Loader..
java.lang.NumberFormatException: For input string: "1 year 16"
at java.lang.NumberFormatException.forInputString(Unknown Source)
at java.lang.Integer.parseInt(Unknown Source)
at java.lang.Integer.parseInt(Unknown Source)
at com.cisco.pdm.Check.h(DashoA10*..:1339)
at com.cisco.pdm.Check.c(DashoA10*..:842)
at com.cisco.pdm.Check.a(DashoA10*..:442)
at com.cisco.pdm.Check.<init>(DashoA10*..:221)
at com.cisco.pdm.PDMApplet.start(DashoA10*..:124)
at com.cisco.nm.dice.loader.r.run(DashoA19*..:410)Hello Jason,
It could actually be that you reloaded the primary ASA and you are now looking at the secondary(now active) ASA.
do a "show version" and "fail exec mate sho ver" to see the up time for both active and standby ASAs.
You can also try switching to the primary (now standby ASA) using the command "no failover active" and try to access the ASDM again.
Regards,
Felipe -
After downloading the update this morning I am encountering errors on two Cisco device applications. Both were working this morning.
On a PIX PDM I get this when trying to start:
java.security.AccessControlException: access denied (java.util.PropertyPermission java.version read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at com.cisco.pdm.e.c.q(Unknown Source)
at com.cisco.pdm.e.c.h(Unknown Source)
at com.cisco.pdm.a.byte(Unknown Source)
at com.cisco.pdm.PDMApplet.start(Unknown Source)
at com.cisco.nm.util.sgz.Env.start(Env.java:37)
at com.cisco.nm.util.sgz.Loader.start(Loader.java:109)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
I can't seem to find any place to check that access error.
Also on a Cisco ACS server I am unable to access some screens with a Page not available error.
Any suggestions on what to check for would be appreciated.Hello,
Here's a work around. It requires Microsoft Internet Explorer. This was tested with IE v 6.0.2900.2180:
From the IE Tools Pulldown choose "Internet Options" then the "Advanced" tab.
Find the section called "Java (Sun)" and un-check "Use JRE 1.5...."
Find the section called "Microsoft VM" and make sure "JIT compiler for virtual machine..." is checked.
Restart IE.
I think this causes IE to use the Microsoft Java VM instead of the Sun plugin.
The problem with this workaround is that it forces you to use Internet Explorer.
Someone please post a note when the bug is fixed.
Thanks.
--Tom -
Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)
Hello,
I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP website are up. On two of our main website, we have two contact forms that use a simple html for to call a php script that uses smtp as its mailing protocol. Since, I am not the network administrator, I don't quite understand how to read the current configurations on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem done is the following: I used a wamp server to test our scripts with our smtp servers settings, was able to successfully send an email out to both my gmail and work place accounts. Currently, we have backupexec loaded on both of these servers, and when I try to send out an alert I never receive it. I think because port 25 is closed on both of those servers. I will be posting our configuration. if anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would gladly appreciate it. our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please someone help.
Thanks,
Jeff Mateo
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password GFO9OSBnaXE.n8af encrypted
passwd GFO9OSBnaXE.n8af encrypted
hostname morrow-pix-ct
domain-name morrowco.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.42.47.27 LI-PIX
name 172.20.0.0 CT-NET
name 172.23.0.0 LI-NET
name 172.22.0.0 TX-NET
name 172.25.0.0 NY-NET
name 192.168.10.0 CT-DMZ-NET
name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
name 199.191.128.105 web-dns-1
name 12.127.16.69 web-dns-2
name 12.3.125.178 NY-PIX
name 64.208.123.130 TX-PIX
name 24.38.31.80 CT-PIX
object-group network morrow-net
network-object 12.42.47.24 255.255.255.248
network-object NY-PIX 255.255.255.255
network-object 64.208.123.128 255.255.255.224
network-object 24.38.31.64 255.255.255.224
network-object 24.38.35.192 255.255.255.248
object-group service morrow-mgmt tcp
port-object eq 3389
port-object eq telnet
port-object eq ssh
object-group network web-dns
network-object web-dns-1 255.255.255.255
network-object web-dns-2 255.255.255.255
access-list out1 permit icmp any any echo-reply
access-list out1 permit icmp object-group morrow-net any
access-list out1 permit tcp any host 12.193.192.132 eq ssh
access-list out1 permit tcp any host CT-PIX eq ssh
access-list out1 permit tcp any host 24.38.31.72 eq smtp
access-list out1 permit tcp any host 24.38.31.72 eq https
access-list out1 permit tcp any host 24.38.31.72 eq www
access-list out1 permit tcp any host 24.38.31.70 eq www
access-list out1 permit tcp any host 24.38.31.93 eq www
access-list out1 permit tcp any host 24.38.31.93 eq https
access-list out1 permit tcp any host 24.38.31.93 eq smtp
access-list out1 permit tcp any host 24.38.31.93 eq ftp
access-list out1 permit tcp any host 24.38.31.93 eq domain
access-list out1 permit tcp any host 24.38.31.94 eq www
access-list out1 permit tcp any host 24.38.31.94 eq https
access-list out1 permit tcp any host 24.38.31.71 eq www
access-list out1 permit tcp any host 24.38.31.71 eq 8080
access-list out1 permit tcp any host 24.38.31.71 eq 8081
access-list out1 permit tcp any host 24.38.31.71 eq 8090
access-list out1 permit tcp any host 24.38.31.69 eq ssh
access-list out1 permit tcp any host 24.38.31.94 eq ftp
access-list out1 permit tcp any host 24.38.31.92 eq 8080
access-list out1 permit tcp any host 24.38.31.92 eq www
access-list out1 permit tcp any host 24.38.31.92 eq 8081
access-list out1 permit tcp any host 24.38.31.92 eq 8090
access-list out1 permit tcp any host 24.38.31.93 eq 3389
access-list out1 permit tcp any host 24.38.31.92 eq https
access-list out1 permit tcp any host 24.38.31.70 eq https
access-list out1 permit tcp any host 24.38.31.74 eq www
access-list out1 permit tcp any host 24.38.31.74 eq https
access-list out1 permit tcp any host 24.38.31.74 eq smtp
access-list out1 permit tcp any host 24.38.31.75 eq https
access-list out1 permit tcp any host 24.38.31.75 eq www
access-list out1 permit tcp any host 24.38.31.75 eq smtp
access-list out1 permit tcp any host 24.38.31.70 eq smtp
access-list out1 permit tcp any host 24.38.31.94 eq smtp
access-list dmz1 permit icmp any any echo-reply
access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
access-list dmz1 permit ip any any
access-list dmz1 deny ip any any
access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255
.0
access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.2
55.255.0
access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.
0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.25
5.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.
0
access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255
.248.0
access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
access-list in1 permit tcp host 172.20.1.21 any eq smtp
access-list in1 permit tcp host 172.20.1.20 any eq smtp
access-list in1 deny tcp any any eq smtp
access-list in1 permit ip any any
access-list in1 permit tcp any any eq smtp
access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
access-list in2 deny ip host 172.20.1.82 any
access-list in2 deny ip host 172.20.1.83 any
access-list in2 permit ip any any
pager lines 43
logging on
logging timestamp
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 172.20.1.22
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside CT-PIX 255.255.255.224
ip address inside 172.20.8.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ctpool 192.168.220.100-192.168.220.200
ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
pdm history enable
arp timeout 14400
global (outside) 1 24.38.31.81
nat (inside) 0 access-list nat0
nat (inside) 1 CT-NET 255.255.0.0 2000 10
nat (DMZ) 0 access-list nat0-dmz
static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
access-group out1 in interface outside
access-group dmz1 in interface DMZ
route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
route inside CT-NET 255.255.248.0 172.20.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ct-rad protocol radius
aaa-server ct-rad max-failed-attempts 2
aaa-server ct-rad deadtime 10
aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 173.220.252.56 255.255.255.248 outside
http 65.51.181.80 255.255.255.248 outside
http 208.65.108.176 255.255.255.240 outside
http CT-NET 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community m0rroW(0
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dyn_map 20 match address vpn-dyn-match
crypto dynamic-map dyn_map 20 set transform-set 3des-sha
crypto map ct-crypto 10 ipsec-isakmp
crypto map ct-crypto 10 match address vpn-ct-li-gre
crypto map ct-crypto 10 set peer LI-PIX
crypto map ct-crypto 10 set transform-set 3des-sha
crypto map ct-crypto 15 ipsec-isakmp
crypto map ct-crypto 15 match address vpn-ct-li
crypto map ct-crypto 15 set peer LI-PIX
crypto map ct-crypto 15 set transform-set 3des-sha
crypto map ct-crypto 20 ipsec-isakmp
crypto map ct-crypto 20 match address vpn-ct-ny
crypto map ct-crypto 20 set peer NY-PIX
crypto map ct-crypto 20 set transform-set 3des-sha
crypto map ct-crypto 30 ipsec-isakmp
crypto map ct-crypto 30 match address vpn-ct-tx
crypto map ct-crypto 30 set peer TX-PIX
crypto map ct-crypto 30 set transform-set 3des-sha
crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
crypto map ct-crypto client authentication ct-rad
crypto map ct-crypto interface outside
isakmp enable outside
isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
vpngroup remotectusers address-pool ctpool
vpngroup remotectusers dns-server 172.20.1.5
vpngroup remotectusers wins-server 172.20.1.5
vpngroup remotectusers default-domain morrowny.comAmit,
I applaud your creativity in seeking to solve your problem, however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database, it's just too many layers, in my opinion, where things can go wrong. Two it seems to me that you are exposing data one your website (with the PHP) that you may not want expose and this is an important consideration when you are dealing with emails and privacy and so on.
I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
Again I applaud your creativity but truly this seems like a hack because of the complexity and security concerns you are introducing and I think is a path to the land of trouble. Hopefully you will be able to get a remote account set up. -
Adding a cisco pix device to CSM 3.3
I've been trying to add a cisco pix6.3 to a New CSM 3.3 server and it complains that my credentials are bogus, I can log in to the pix's PDM using the same credentials so I'm stumped, Is there a way that I can get a better idea of what is happening under the hood? I tried a debug and the server is clearly hitting the pix and it is responding but no go.
I figured it out, the csm was set to use the users login credentials instead of the device credentials.Try Disable Java on Internet Options. This issue oculd be releated to Java version also.
-
Amazon S3 Backup with Cisco PIX 501 Router - slowww
We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office. We are using a Synology NAS to backup to Amazon s3, and we use a Cisco PIX 501 to secure our network. The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue. After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down. I was told the upload should happen over HTTP and HTTPS, and I made sure these ports where open through the Access Rules. There are no rules defined in the Filter Settings.
I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening? I'm not too familiar with the PIX or all the network settings involved.
Thanks!Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here:
- Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
THANKS -
Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access
Hello folks,
I need your help.
We got a Cisco PIX 501 in one location and this pix is configured for pppoe dial out. The pix connects itself to the internet via pppoe client. ping to an offical ip is running well.
So what I want to do is to establish a von tunnel between this pix and a cisco 3005 concentrator.
But I was not successull to establish it.
Here is the pix config. the acl?s are only for testing and will be replaced if it works.
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname PIX-AU
domain-name araukraine.ua
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
mtu outside 1456
mtu inside 1456
ip address outside pppoe setroute
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.x.x 255.255.255.224 inside
pdm logging warnings 500
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.x.x 255.255.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.x.x 255.255.x.x inside
telnet timeout 5
ssh 194.39.97.0 255.255.255.0 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *********
encrypted privilege 15
vpnclient server 212.xx.xx.xx
vpnclient mode network-extension-mode
vpnclient vpngroup vpntest password ********
vpnclient username pixtest password ********
terminal width 80
on the concentrator I created a user pixtest, a group vpntest and I?ve created rules for the network e.g. to which server the users behind the pix will be able to access.
And that?s all.
I could not send you the output either of the pix or concentrator because I did not get an error or a message that the tunnel will be established.
What can be wrong ?
Thanks for the repliesThis sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml -
Cisco Pix 501 - Need help with VPN passthrough
Greetings!
Currently I have a Cisco Pix 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco Pix; I have been able to accomplish some port forwarding for CCTV camera software, etc. but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
Previously we had another facility which was able to connect through VPN but it has since been removed (and always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
I have been through several articles both here and other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall then necessary and may have duplicate information attempted to complete this passthrough. My Server 2008 resides at 192.168.1.15, below is what I have thus far. The "crypto map" sections were all completed long before I took over, I believe this is how the old VPN was set up. What I have added since beginning this endevour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated as I am rapidly losing hair attempting to get this situated.
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password RysZD25GpRAOMhF. encrypted
passwd 0I6TSwviLDtVwaTr encrypted
hostname Lorway-PIX
domain-name lorwayco.com
fixup protocol ftp 21
fixup protocol ftp 22
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 50000
access-list outside_access_in permit udp any any eq 50000
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq 1009
access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
access-list outside_access_in permit tcp any any eq 7000
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.221.188.249 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.118
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
crypto map lorwayvpn 30 ipsec-isakmp
crypto map lorwayvpn 30 match address 30
crypto map lorwayvpn 30 set peer 66.18.55.250
crypto map lorwayvpn 30 set transform-set lorway1
crypto map lorwayvpn interface outside
isakmp enable outside
isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
: endConfig looks good to me.
I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center as this PIX is on its EOL and you are running an extremely old version of code.
If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN? -
Cisco Pix 501 / DNS - DNS resolution stops working over time
Hello,
I currently have a Cisco Pix 501 with the configuration listed below. It connects to the public internet via a cable modem and acts as a DCHP server for the local LAN.
When it first turns on, all computers obtain the correct IP settings and can access the internet. Within 10-15 minutes, computers begin to loose access to the Internet. What’s strange is that each computer that lost Internet access can ping the remote address but cannot perform an nslookup. (it shows as Server UnKnown)
The DNS server is 167.206.254.2 which is the external dns server provided by my ISP. I can ping this address but the local computer is unable to use it for domain to ip resolution.
Then network used to have an existing Windows Small Business Server that was a DNS and WINS Server. I ran dcpromo to remove the role of the server and uninstalled dns via add/remove components.
Can someone please help me determine why the computers over time loose the ability to resolve domain names and therefore loose internet access? Can there be some bad DNS entries created? Is there anything I can run on the local computers to further troubleshoot dns errors? Is it possible that the existing Windows SBS server is still running DNS and therefore causing conficts in some way?
One thing to note is that when I reset the Pix 501, everything begins to work again but only for a short time until one by one each computer can no longer resolve domain names. Also, I noticed that once someone connects via VPN and disconnects, one of the local computers looses the ability to resolve DNS.
Cisco Pix Config
PIX# show config
: Saved
: Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password chiuzjKkSD33lwEw encrypted
passwd chiuzjKkSD33lwEw encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
access-list ping_acl permit icmp any any
pager lines 24
logging timestamp
logging monitor debugging
logging buffered debugging
logging history debugging
logging queue 0
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 512
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group ping_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ACS protocol tacacs+
aaa-server ACS max-failed-attempts 3
aaa-server ACS deadtime 10
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
crypto map MYMAP client authentication LOCAL
crypto map MYMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPNGRP idle-time 1800
vpngroup VPNGROUP address-pool VPN
vpngroup VPNGROUP dns-server 167.206.254.2
vpngroup VPNGROUP wins-server 192.168.2.50
vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd dns 167.206.254.2 167.206.254.2
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd enable inside
username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
username andrew password A340D92MQ0zV0hGs encrypted privilege 15
terminal width 80
Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbecWow...i didn't realize this was possible. I will certainly check the logs tomorrow via the existing thread but just to confirm, is this only true if DHCP is enabled on PIX?
In other words, I managed to work around this issue by applying static IP's to all computers and the internet works just fine. -
Hi,
We have a customer with a Pix 501(v6.3.4)(PDM v3.02) Firewall.
We can succesfully setup a VPN connection, but the client loses the Internet connection when the VPN connection is up. I found some articles on the Internet about split tunneling, but I cant figure out how to do this.
Can someone please help me out?I suppose 501 is Easy VPN server
Split tunnel says what traffic goes to VPN tunnel if you dont have split tunnel enabled all traffic iis encrypted you need specify with ACL what traffic should be encrypted
check following example whe is ACL 80 used for split tunnel
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html#wp1062497
M.
Hope that helps rate if it does -
PIX 501 - prefix-list causes PDM to fail
Hi
I am configuring a redundant link via ADSL between 2 501 routers
I cant get the link to activate when the system is connected to the local network because it picks up a OSPF route to the remote site via the main internal network.
I tried to ad a filter to prevent the the route being recieved. And here is my problem
Either using PDM or the command line, the creation of a filter
prefix-list mel-backup seq 9 deny melbackup/30 causes the PDM to lock on startup or save.
And the area filter command seems to have no effect
I even tried a random internal route.
The commands I am adding are
prefix-list backup_melb seq 3 deny Level9/24
router ospf 22
network 10.150.102.22 255.255.255.255 area 0
area 0 filter-list prefix backup_melb in
Does anyone know of a problem with this ?
Thanks in Advance
Mark CaseyHi,
PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesnt support even close to new software levels.
If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
Here is a PDF of the original ASA5500 Series.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
Here is a PDF of the new ASA5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I am afraid that its very hard for me atleast to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
Could you provide the requested outputs?
From the PIX after connection test
show crypto ipsec sa
Screen captures of the VPN Client routing and statistics sections.
- Jouni
Maybe you are looking for
-
Documentary payment in MM - Foreign Trade
Hi all, I have a question regarding documentary payment in MM, Foreign trade. In SD module, foreign trade there is a nice transaction regarding documentary payment and letter of credit but in MM module is not set up. When I want to enter vendor code
-
Profit center clearing accounts line item display
Dear all, I have implemented document splitting at profit center level. The zero balance clearing account (profit center clearing account) is open item managed and also line item display tick is put. eg both ticks are active. I am trying to see th
-
Problem - Multiple recordsets in one page
Hi, Is it possible to use more than 1 recordset in a single page? Dreamweaver acts like there should be no problem, but when I upload & test the page I just get an error message saying there's a problem processing the requested URL. Each table and fi
-
Oracle rdf protege plugin and owl
Does the oracle rdf plugin for protege support writing owl files into oracle rdf storage backend? I tried saving a new protege owl project, and get stack dumps (see below). Thanks In saveKnowledgeBase 1 java.sql.SQLException: Io exception: The Networ
-
Stock transfer purchase requisition through project builder
Hi Friend's, For transfering material from one plant to another plant we have to create stock transfer purchase requisition through project builder. Can is it possible to create stock transfer purchase requisition through project builder which will h