Cisco pix 501 open port problem

Similar Messages

• Amazon S3 Backup with Cisco PIX 501 Router - slowww

  We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office.  We are using a Synology NAS to backup to Amazon s3, and we use a Cisco PIX 501 to secure our network.  The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue.  After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down.  I was told the upload should happen over HTTP and HTTPS, and I made sure these ports where open through the Access Rules.  There are no rules defined in the Filter Settings.
  I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening?   I'm not too familiar with the PIX or all the network settings involved.
  Thanks!

  Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here:
  - Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
    This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
  THANKS

• Cisco Pix 501 - Need help with VPN passthrough

  Greetings!
  Currently I have a Cisco Pix 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco Pix; I have been able to accomplish some port forwarding for CCTV camera software, etc. but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
  Previously we had another facility which was able to connect through VPN but it has since been removed (and always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
  I have been through several articles both here and other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall then necessary and may have duplicate information attempted to complete this passthrough. My Server 2008 resides at 192.168.1.15, below is what I have thus far. The "crypto map" sections were all completed long before I took over, I believe this is how the old VPN was set up. What I have added since beginning this endevour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
  I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated as I am rapidly losing hair attempting to get this situated.
  : Saved
  PIX Version 6.3(1)
  interface ethernet0 auto
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password RysZD25GpRAOMhF. encrypted
  passwd 0I6TSwviLDtVwaTr encrypted
  hostname Lorway-PIX
  domain-name lorwayco.com
  fixup protocol ftp 21
  fixup protocol ftp 22
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol pptp 1723
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  no fixup protocol smtp 25
  fixup protocol sqlnet 1521
  names
  access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
  access-list outside_access_in permit icmp any any
  access-list outside_access_in permit tcp any any eq 50000
  access-list outside_access_in permit udp any any eq 50000
  access-list outside_access_in permit tcp any any eq smtp
  access-list outside_access_in permit tcp any any eq www
  access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
  access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
  access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
  access-list outside_access_in permit tcp any any eq pop3
  access-list outside_access_in permit tcp any any eq https
  access-list outside_access_in permit tcp any any eq ftp
  access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
  access-list outside_access_in permit tcp any any eq ftp-data
  access-list outside_access_in permit tcp any any eq 1009
  access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
  access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
  access-list outside_access_in permit tcp any any eq 7000
  access-list outside_access_in permit tcp any any eq pptp
  access-list outside_access_in permit gre any any
  access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
  access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address outside 74.221.188.249 255.255.255.0
  ip address inside 192.168.1.1 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  pdm logging informational 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list 80
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
  static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  snmp-server host inside 192.168.1.118
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  sysopt connection permit-pptp
  sysopt connection permit-l2tp
  crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
  crypto map lorwayvpn 30 ipsec-isakmp
  crypto map lorwayvpn 30 match address 30
  crypto map lorwayvpn 30 set peer 66.18.55.250
  crypto map lorwayvpn 30 set transform-set lorway1
  crypto map lorwayvpn interface outside
  isakmp enable outside
  isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
  isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
  isakmp identity address
  isakmp nat-traversal 20
  isakmp policy 9 authentication pre-share
  isakmp policy 9 encryption 3des
  isakmp policy 9 hash sha
  isakmp policy 9 group 2
  isakmp policy 9 lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 60
  console timeout 0
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  terminal width 80
  Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
  : end

  Config looks good to me.
  I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center as this PIX is on its EOL and you are running an extremely old version of code.
  If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN?

• IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501

  I have successfully established the IPSEC tunnel with juniper firewall by using cisco Pix 501 (6.3 version). The problem I am facing, I have network layer connectivity but after time interval I am not able to send the traffic on destination IP address on specific port, but can successfully PING the destination IP. On both firewalls the IPs are permitted for all ports.

  Dear Mr.
  The same problem has occured with me.

• Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access

  Hello folks,
  I need your help.
  We got a Cisco PIX 501 in one location and this pix is configured for pppoe dial out. The pix connects itself to the internet via pppoe client. ping to an offical ip is running well.
  So what I want to do is to establish a von tunnel between this pix and a cisco 3005 concentrator.
  But I was not successull to establish it.
  Here is the pix config. the acl?s are only for testing and will be replaced if it works.
  PIX Version 6.3(4)
  interface ethernet0 10baset
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password xxx
  passwd xxx
  hostname PIX-AU
  domain-name araukraine.ua
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  access-list outside permit ip any any
  access-list inside_access_in permit ip any any
  pager lines 24
  logging on
  logging monitor warnings
  logging buffered warnings
  mtu outside 1456
  mtu inside 1456
  ip address outside pppoe setroute
  ip address inside 192.168.x.x 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  pdm location 192.168.x.x 255.255.255.224 inside
  pdm logging warnings 500
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  access-group outside in interface outside
  access-group inside_access_in in interface inside
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.x.x 255.255.x.x inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  telnet 192.168.x.x 255.255.x.x inside
  telnet timeout 5
  ssh 194.39.97.0 255.255.255.0 outside
  ssh timeout 5
  management-access inside
  console timeout 0
  vpdn group pppoe_group request dialout pppoe
  vpdn group pppoe_group localname [email protected]
  vpdn group pppoe_group ppp authentication pap
  vpdn username [email protected] password *********
  encrypted privilege 15
  vpnclient server 212.xx.xx.xx
  vpnclient mode network-extension-mode
  vpnclient vpngroup vpntest password ********
  vpnclient username pixtest password ********
  terminal width 80
  on the concentrator I created a user pixtest, a group vpntest and I?ve created rules for the network e.g. to which server the users behind the pix will be able to access.
  And that?s all.
  I could not send you the output either of the pix or concentrator because I did not get an error or a message that the tunnel will be established.
  What can be wrong ?
  Thanks for the replies

  This sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml

• Cisco Pix 501 / DNS - DNS resolution stops working over time

  Hello,
  I currently have a Cisco Pix 501 with the configuration listed below. It  connects to the public internet via a cable modem and acts as a DCHP  server for the local LAN.
  When it first turns on, all computers obtain the correct IP settings and  can access the internet. Within 10-15 minutes, computers begin to loose  access to the Internet. What’s strange is that each computer that lost  Internet access can ping the remote address but cannot perform an  nslookup. (it shows as Server UnKnown)
  The DNS server is 167.206.254.2 which is the external dns server  provided by my ISP. I can ping this address but the local computer is  unable to use it for domain to ip resolution.
  Then network used to have an existing Windows Small Business Server that  was a DNS and WINS Server. I ran dcpromo to remove the role of the  server and uninstalled dns via add/remove components.
  Can someone please help me determine why the computers over time loose  the ability to resolve domain names and therefore loose internet access?  Can there be some bad DNS entries created? Is there anything I can run  on the local computers to further troubleshoot dns errors? Is it  possible that the existing Windows SBS server is still running DNS and  therefore causing conficts in some way?
  One thing to note is that when I reset the Pix 501, everything begins to  work again but only for a short time until one by one each computer can  no longer resolve domain names. Also, I noticed that once someone  connects via VPN and disconnects, one of the local computers looses the  ability to resolve DNS.
  Cisco Pix Config
  PIX# show config
  : Saved
  : Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
  PIX Version 6.3(5)
  interface ethernet0 auto
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password chiuzjKkSD33lwEw encrypted
  passwd chiuzjKkSD33lwEw encrypted
  hostname PIX
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names        
  access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
  access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
  access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
  access-list ping_acl permit icmp any any
  pager lines 24
  logging timestamp
  logging monitor debugging
  logging buffered debugging
  logging history debugging
  logging queue 0
  icmp permit any echo-reply outside
  icmp permit any unreachable outside
  icmp permit any echo outside
  mtu outside 1500
  mtu inside 1500
  ip address outside dhcp setroute
  ip address inside 192.168.2.1 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
  pdm location 192.168.2.0 255.255.255.0 inside
  pdm location 192.168.3.0 255.255.255.0 inside
  pdm logging informational 512
  no pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 192.168.2.0 255.255.255.0 0 0
  access-group ping_acl in interface outside
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  aaa-server ACS protocol tacacs+
  aaa-server ACS max-failed-attempts 3
  aaa-server ACS deadtime 10
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 192.168.3.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
  crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
  crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
  crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
  crypto map MYMAP client authentication LOCAL
  crypto map MYMAP interface outside
  isakmp enable outside
  isakmp identity address
  isakmp nat-traversal 20
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption des
  isakmp policy 10 hash md5
  isakmp policy 10 group 1
  isakmp policy 10 lifetime 86400
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption 3des
  isakmp policy 30 hash md5
  isakmp policy 30 group 2
  isakmp policy 30 lifetime 86400
  vpngroup VPNGRP idle-time 1800
  vpngroup VPNGROUP address-pool VPN
  vpngroup VPNGROUP dns-server 167.206.254.2
  vpngroup VPNGROUP wins-server 192.168.2.50
  vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
  vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
  vpngroup VPNGROUP idle-time 1800
  vpngroup VPNGROUP password ********
  telnet 192.168.2.0 255.255.255.0 inside
  telnet 192.168.3.0 255.255.255.0 inside
  telnet timeout 30
  ssh 192.168.2.0 255.255.255.0 inside
  ssh 192.168.3.0 255.255.255.0 inside
  ssh timeout 60
  console timeout 0
  dhcpd address 192.168.2.2-192.168.2.33 inside
  dhcpd dns 167.206.254.2 167.206.254.2
  dhcpd lease 7200
  dhcpd ping_timeout 750
  dhcpd enable inside
  username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
  username andrew password A340D92MQ0zV0hGs encrypted privilege 15
  terminal width 80
  Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbec

  Wow...i didn't realize this was possible. I will certainly check the logs tomorrow via the existing thread but just to confirm, is this only true if DHCP is enabled on PIX?
  In other words, I managed to work around this issue by applying static IP's to all computers and the internet works just fine.

• Open ports problem ASA5505

  Hi everyone.
  I'm trying to open ports on a specific host but I can't make it work.
  I tried to make it clear as possible,
  Thanks for helping.
  There is my config:
  Result of the command: "show run"
  : Saved
  ASA Version 9.1(3)
  hostname ciscoasa
  enable password *** encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd *** encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 1.1.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address MY-FIREWALL-IP 255.255.255.240
  boot system disk0:/asa913-k8.bin
  ftp mode passive
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network LAN-SITE-B
  subnet 1.1.2.0 255.255.255.0
  object network LAN-SITE-A
  subnet 1.1.1.0 255.255.255.0
  object network Firewall-SITE-B
  host VPN-SITE-B-IP
  object network SERVER01
  host 1.1.1.2 (MY SERVER THAT I WANT TO ACCESS FROM OUTSIDE)
  object-group service ALL-IP tcp-udp
  description ALL-IP
  port-object range 1 65535 (FOR TESTING PURPOSE, I'M TRYING TO OPEN ALL PORTS ON THIS HOST)
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B
  access-list outside_access_in extended permit object-group TCPUDP any host MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE) object-group ALL-IP
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static LAN-SITE-A LAN-SITE-B destination static LAN-SITE-B LAN-SITE-A no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  object network SERVER01
  nat (inside,outside) static MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE)
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 MY-GATEWAY 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  no user-identity enable
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 1.1.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer SITE-B
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 1.1.1.100-1.1.1.125 inside
  dhcpd dns 24.200.241.37 24.201.245.77 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy GroupPolicy_SITE-B internal
  group-policy GroupPolicy_SITE-B attributes
  vpn-tunnel-protocol ikev1 ikev2
  username MY-USER password *** encrypted privilege 15
  tunnel-group SITE-B type ipsec-l2l
  tunnel-group SITE-B general-attributes
  default-group-policy GroupPolicy_SITE-B
  tunnel-group SITE-B ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:f5d698f2b08e98028f2d487a42c7187e
  : end

  Hi Jouni,
  Thanks for helping again,
  Looks like i'm getting the same problem.
  ciscoasa# show run access-list
  access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B
  access-list OUTSIDE-IN extended permit ip any object SERVER01
  ciscoasa#
  ciscoasa# show run access-group
  access-group OUTSIDE-IN in interface outside
  ciscoasa#
  ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 MY-SERVER01-PUBLIC-IP 12345
  Phase: 1
  Type: UN-NAT
  Subtype: static
  Result: ALLOW
  Config:
  object network SERVER01
  nat (inside,outside) static MY-SERVER01-PUBLIC-IP
  Additional Information:
  NAT divert to egress interface inside
  Untranslate MY-SERVER01-PUBLIC-IP/12345 to 1.1.1.2/12345
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule

• Cisco pix 501 VPN question

  Hi,
  We have a customer with a Pix 501(v6.3.4)(PDM v3.02) Firewall.
  We can succesfully setup a VPN connection, but the client loses the Internet connection when the VPN connection is up. I found some articles on the Internet about split tunneling, but I cant figure out how to do this.
  Can someone please help me out?

  I suppose 501 is Easy VPN server
  Split tunnel says what traffic goes to VPN tunnel if you dont have split tunnel enabled all traffic iis encrypted you need specify with ACL what traffic should be encrypted
  check following example whe is ACL 80 used for split tunnel
  http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html#wp1062497
  M.
  Hope that helps rate if it does

• Cisco PIX 501 Firewall Config

  Hi,
  I know this is an old firewall but its just a simple firewall I need, my question is this.
  I am not getting any internet with my current config, see below:
  show conf
  : Saved
  : Written by enable_15 at 00:52:17.182 UTC Fri Jul 20 2012
  PIX Version 6.3(5)
  interface ethernet0 auto shutdown
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password PVSASRJovmamnVkD encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  hostname bmi-501-fw-1
  domain-name buildmeit.internal
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  access-list allow_ping permit icmp any any echo-reply
  access-list allow_ping permit icmp any any source-quench
  access-list allow_ping permit icmp any any unreachable
  access-list allow_ping permit icmp any any time-exceeded
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address outside 78.XX.XXX.XXX 255.255.240.0
  ip address inside 10.52.100.123 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  pdm history enable
  arp timeout 14400
  nat (inside) 101 0.0.0.0 0.0.0.0 0 0
  access-group allow_ping in interface outside
  access-group allow_ping in interface inside
  route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  http server enable
  http 10.52.10.0 255.255.255.0 inside
  http 10.52.66.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  telnet timeout 5
  ssh timeout 5
  management-access inside
  console timeout 0
  terminal width 80
  Cryptochecksum:f8f18bf2b944dddfaf3d83e6c1e1c57c
  bmi-501-fw-1#
  What am I missing, if I try and ping 8.8.8.8 it times out, any suggestions?

  Hi, Thanks for the reply, I've managed to sort it now with the following config below:
  interface ethernet0 auto
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  hostname bmi-501-fw-1
  domain-name buildmeit.internal
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  access-list PERMIT_IN deny tcp any any
  access-list PERMIT_IN deny ip any any
  access-list PERMIT_IN deny udp any any
  access-list PERMIT_OUT permit tcp any any
  access-list PERMIT_OUT permit ip any any
  access-list PERMIT_OUT permit udp any any
  access-list PERMIT_OUT permit icmp any any
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address outside XXX.XX.XXX.XXX 255.255.240.0
  ip address inside 10.52.100.123 255.255.255.0
  global (outside) 1 interface
  outside interface address added to PAT pool
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  access-group PERMIT_IN in interface outside
  access-group PERMIT_OUT in interface inside
  route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.1 1
  route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
  wr mem
  Regards to point 5 where you say devices like this shouldnt be used, I know its an unsupported device but what other reasons should I not be using it, its a good\simple firewall - i'd rather use this than say...........a horrible netgear!

• Cisco ASR 9010 Copper port problem

  Recently we have purchased Cisco ASR 9010 router. We have setup a 1Gbps copper based SFP module in the line card. It detect the module and I have found this by using show controller. But when I coonect a RJ-45 cable between thre router and my laptop, port do not up, even I connect the cable to a cisco switch that time also it is not working. Is there any command to up this port!
  Please help.
  Regards,
  Shuvo

  You likely need "negotiation auto" configured under this port, as many devices have autonegotiation enabled by default but the ASR9000 does not. The "media-type" command is not present on the ASR9000 as it's used to switch between SFPs and fixed copper ports - not for copper SFPs.

• PIX 501 Not working, why??

  Hi,
      I have just purchased a nex Cisco pix 501 firewall and i have installed these  certificates it asks for. Now the situation is that the certificates have been installed but this stupid thing won't even goto the PDM window.it just tell me that a new window will open but nothing happens and i am just tired of this thing. I have even installed java latest version but same issue then i read on the forums to use java 1.5x version, tried that too and it won't go to the. Now can anyone tell me how can i make this thing to work and move on to the PDM window. i also used tried it on mozilla, IE, chrome but same issue.
  Please help me out here ppl. Its getting really annoying
  Regards,
  Ali

  Hi Julio,
  Thank you so much for taking the time to assist me with this issue.  I'm not sure it's an ISP issue though (at least I hope not!)  Please consider:
  - When I first attempted to implement this change, I didn't even think to install a router between the cable modem, and switch.  I figured I would simply install a switch (or hub) between the cable modem and firewall, and that I would be able to plug my IDS into that switch (or hub),  But it wouldn't work.  The PIX couldn't pull an IP.  I found out the problem was that the ISP was seeing the switch as the primary device, and grabbing it's MAC address.  The PIX was ignored, and therefore never able to connect.  I called the ISP and they confirmed this is how they control how many devices are connected,  And since I only want to pay for 1 IP address from them, that's how it is.
  - Then I decided to try the router approach.  And it seems to work.  The 1st router interface is getting the IP address from the ISP.  I have communications between the pix and router, and also between the router and internal hosts.  I don't think the ISP cares what's on the other side of the router (do they?)
  - Each time I go home to try your recommendations I unplug the PIX from the cable modem, and connect the router inline.  That's when I lose internet connectivity.  But once I revert back to that configuration, it works again.  So the internet connection works fine.  It's only when I add the router to the mix that I lose it.
  Please let me know if you think there's anything else I can try here.  I can't help thinking it is my configuration and not an ISP issue - hoping you are able to find something else I may have done incorrectly.
  Thank you!
  -Bk

• PIX 501 and Linksys VPN Router (WRV200)

  I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Router on two other
  sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
  I believe the Linksys vpn routers can only connect via IPSec VPN, so i am looking for help on configuring the PIX 501 to allow the linksys to connect with the following parameters, if possible.
  Key Exchange Method: Auto (IKE)
  Encryption: Auto, 3DES, AES128, AES192, AES256
  Authentication: MD5
  Pre-Shared Key: xxx
  PFS: Enabled/Disabled
  ISAKMP Key Lifetime: 28800
  IPSec Key Lifetime: 3600
  On the PIX i have the PDM installed and i have tried using the VPN Wizard to no avail.
  I chose the following settings when doing the VPN Wizard:
  Type of VPN: Remote Access VPN
  Interface: Outside
  Type of VPN Client Device used: Cisco VPN Client
  (can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
  VPN Client Group
  Group Name: RabyEstates
  Pre Shared Key: rabytest
  Extended Client Authentication: Disabled
  Address Pool
  Pool Name: VPN-LAN
  Range Start: 192.168.2.200
  Range End: 192.168.2.250
  DNS/WINS/Default Domain: None
  IKE Policy
  Encryption: 3DES
  Authentication: MD5
  DH Group: Group 2 (1024-bit)
  Transform Set
  Encryption: 3DES
  Authentication: MD5
  I have attached the VPN log from the Linksys VPN Router.
  This is the first time i've ever worked with PIX so i'm still trying to figure the thing out, but i'm confident with CCNA level networking.
  Thanks for your help!

  Hi again,
  I believe the pix has a 3des license because of the following parts of the "show version"
  Licensed Features:
  Failover: Disabled
  VPN-DES: Enabled
  VPN-3DES-AES: Enabled
  This PIX has a Restricted (R) license.
  I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
  As for the other show commands they give:
  pixfirewall# show crypto isakmp sa
  Total : 0
  Embryonic : 0
  dst src state pending created
  pixfirewall# show crypto ipsec sa
  interface: outside
  Crypto map tag: transam, local addr. 10.0.0.1
  local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
  current_peer: 10.0.0.2:0
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0
  local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
  path mtu 1500, ipsec overhead 0, media mtu 1500
  current outbound spi: 0
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:
  pixfirewall#
  Thanks again Daniel, i really appreciate your help on this matter.

• PIX 501 passthrough with to a Win VPN Server

                     Can this piece of %^$ pix 501 allow port 1723 to be open so users can connect to a Windows VPN server configured by PDM?
  pix  6.3(5)
  Outside staic IP - whatever 111.111.111.111
  Inside 192.168.1.1
  Win VPN server 192.168.1.10
  Thanks to anybody that can help.
  Note - I wnat to know if thi can be accomplished using PDM 3.0.4
  This pix has to have a use other than a glorified 4 port switch

  Yes you can enable PIX501 with version 6.3.5 for PPTP pass through.
  Command line:
  static (inside,outside) tcp interface 1723 192.168.1.10 1723 netmask 255.255.255.255
  fixup protocol pptp 1723
  access-list permit tcp any host 111.111.111.111 eq 1723
  If you don't already have an access-list applied to outside interface, then you also need the following:
  access-group in interface outside
  Then "clear xlate" after the above configuration. I also assume that you would like to use the outside interface ip address of the PIX for the translation. Otherwise, if 111.111.111.111 is actually a spare public ip address, then the above static command should say:
  static (inside,outside) 111.111.111.111 192.168.1.10 netmask 255.255.255.255
  Yes, it can be accomplished using PDM. But i have to apologize that i don't have a handy access to a PDM hence, i can only advise you on the configuration using CLI.
  Hope that helps a little.

• Is there any alternative to console cable for pix 501 firewall?

  I need help on CISCO PIX 501 Firewall, it comes with console cable having serial port, but systems now a days & the one i am having are not having serial port so i am not able to access command-in-line , is there any alternative way, can it be accessed using ethernet or lan wire, if so please provide steps, waiting for your valueable responses, ...

  Hi,
  Have you considered getting an USB adapter for the Console cable?
  I had to get that for my first work laptop since they happened to order a model without the serial port. For the most part it worked just fine.
  I guess depending on your PIX configurations you might be able to boot it up and attach a PC directly to it and manage it.
  - Jouni

• Trouble with PIX 501 user limit?

  I have installed a Cisco PIX 501 at a client's site, and now a couple of weeks later we are having an issue where some computers cannot access the Internet. The PCs can ping the internal interface of the firewall, and can resolve hostnames. But about three of them cannot ping public IP addresses. I thought the arp cache might be corrupted on the switch, so we restarted that to no good effect.
  I suspect that the client has somehow run up against the 10-user limit for their PIX 501 license.
  The site has eight PCs and a server, so it doesn't seem like they should be going over the 10-user limit.
  I'm not much of an expert when it comes to the PIX, so I wonder if someone can tell me how to determine whether this is the case, and maybe give me some tips on how to resolve the issue?
  Thanks very much for any advice you can offer.
  Best regards,
  Zac

  Any chance you can help me make sense of this? Does it really look like we have exceeded the number of allowed connections by over 3400?
  pixfirewall# show local-host
  Interface inside: 10 active, 10 maximum active, 3493 denied
  local host: <192.168.1.2>,
  TCP connection count/limit = 12/unlimited
  TCP embryonic count = 2
  TCP intercept watermark = unlimited
  UDP connection count/limit = 0/unlimited
  AAA:
  Xlate(s):
  PAT Global 67.115.121.230(38600) Local 192.168.1.2(3553)
  PAT Global 67.115.121.230(51033) Local 192.168.1.2(3215)
  PAT Global 67.115.121.230(51037) Local 192.168.1.2(3230)
  PAT Global 67.115.121.230(51050) Local 192.168.1.2(3271)
  PAT Global 67.115.121.230(55215) Local 192.168.1.2(4084)
  PAT Global 67.115.121.230(55228) Local 192.168.1.2(4136)
  PAT Global 67.115.121.230(55231) Local 192.168.1.2(4139)
  etc, etc.