Cisco PIX SIP Issue

Similar Messages

• Cisco Pix 501 / DNS - DNS resolution stops working over time

  Hello,
  I currently have a Cisco Pix 501 with the configuration listed below. It  connects to the public internet via a cable modem and acts as a DCHP  server for the local LAN.
  When it first turns on, all computers obtain the correct IP settings and  can access the internet. Within 10-15 minutes, computers begin to loose  access to the Internet. What’s strange is that each computer that lost  Internet access can ping the remote address but cannot perform an  nslookup. (it shows as Server UnKnown)
  The DNS server is 167.206.254.2 which is the external dns server  provided by my ISP. I can ping this address but the local computer is  unable to use it for domain to ip resolution.
  Then network used to have an existing Windows Small Business Server that  was a DNS and WINS Server. I ran dcpromo to remove the role of the  server and uninstalled dns via add/remove components.
  Can someone please help me determine why the computers over time loose  the ability to resolve domain names and therefore loose internet access?  Can there be some bad DNS entries created? Is there anything I can run  on the local computers to further troubleshoot dns errors? Is it  possible that the existing Windows SBS server is still running DNS and  therefore causing conficts in some way?
  One thing to note is that when I reset the Pix 501, everything begins to  work again but only for a short time until one by one each computer can  no longer resolve domain names. Also, I noticed that once someone  connects via VPN and disconnects, one of the local computers looses the  ability to resolve DNS.
  Cisco Pix Config
  PIX# show config
  : Saved
  : Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
  PIX Version 6.3(5)
  interface ethernet0 auto
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password chiuzjKkSD33lwEw encrypted
  passwd chiuzjKkSD33lwEw encrypted
  hostname PIX
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names        
  access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
  access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
  access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
  access-list ping_acl permit icmp any any
  pager lines 24
  logging timestamp
  logging monitor debugging
  logging buffered debugging
  logging history debugging
  logging queue 0
  icmp permit any echo-reply outside
  icmp permit any unreachable outside
  icmp permit any echo outside
  mtu outside 1500
  mtu inside 1500
  ip address outside dhcp setroute
  ip address inside 192.168.2.1 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
  pdm location 192.168.2.0 255.255.255.0 inside
  pdm location 192.168.3.0 255.255.255.0 inside
  pdm logging informational 512
  no pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 192.168.2.0 255.255.255.0 0 0
  access-group ping_acl in interface outside
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  aaa-server ACS protocol tacacs+
  aaa-server ACS max-failed-attempts 3
  aaa-server ACS deadtime 10
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 192.168.3.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
  crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
  crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
  crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
  crypto map MYMAP client authentication LOCAL
  crypto map MYMAP interface outside
  isakmp enable outside
  isakmp identity address
  isakmp nat-traversal 20
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption des
  isakmp policy 10 hash md5
  isakmp policy 10 group 1
  isakmp policy 10 lifetime 86400
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption 3des
  isakmp policy 30 hash md5
  isakmp policy 30 group 2
  isakmp policy 30 lifetime 86400
  vpngroup VPNGRP idle-time 1800
  vpngroup VPNGROUP address-pool VPN
  vpngroup VPNGROUP dns-server 167.206.254.2
  vpngroup VPNGROUP wins-server 192.168.2.50
  vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
  vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
  vpngroup VPNGROUP idle-time 1800
  vpngroup VPNGROUP password ********
  telnet 192.168.2.0 255.255.255.0 inside
  telnet 192.168.3.0 255.255.255.0 inside
  telnet timeout 30
  ssh 192.168.2.0 255.255.255.0 inside
  ssh 192.168.3.0 255.255.255.0 inside
  ssh timeout 60
  console timeout 0
  dhcpd address 192.168.2.2-192.168.2.33 inside
  dhcpd dns 167.206.254.2 167.206.254.2
  dhcpd lease 7200
  dhcpd ping_timeout 750
  dhcpd enable inside
  username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
  username andrew password A340D92MQ0zV0hGs encrypted privilege 15
  terminal width 80
  Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbec

  Wow...i didn't realize this was possible. I will certainly check the logs tomorrow via the existing thread but just to confirm, is this only true if DHCP is enabled on PIX?
  In other words, I managed to work around this issue by applying static IP's to all computers and the internet works just fine.

• Linksys WRT600N vs CISCO PIX 506E.... Firewall / Routing Performance

  Hi:
  I am new to the forum and was hoping to tap into some of your expertise. I have a Linksys WRT600N version 1.1 and I recently acquired a CISCO PIX 506E firewall. My question is what should I use as a firewall? Both have SPI etc. Should I:
  a) Use the 506E as a firewall and use the 600 as a wireless access point, or
  b) Use the 600 as a firewall and wireless access point.
  Do both routers have the same firewall routing performance? I want to use the storage feautre on the 600N, but if I do that and use it as a wireless access point the 600 can't get the proper time from the Internet, so my time for newly created folders and files shows they are 10 years old.
  Anyway, just thought I would post and find out what some of the experts thought and maybe someone from Linksys or CISCO. I know the 506E is discontinued and was manufactured around 2001 and the 600N is a new model.
  (Edited subject to keep threads from stretching. Thanks!)
  Message Edited by JOHNDOE_06 on 05-06-2008 10:41 AM

  The PIX is a real firewall. The WRT has a firewall which mostly protects the router itself. People prefer to buy a "SPI firewall router" instead of a simple "router" even though the router firewall does nothing or little to protect the LAN. The only firewall configurations on the WRTs you can usually do is on the Access Restrictions tab. But that's usually all. The LAN itself is not protected by the firewall. You would notice this if you had a public IP subnet and ran it through the WRT: the LAN would be fully exposed to the internet. Some routers have a few functions like protection against denial of service attacks or similar. But even then this often filters only the traffic targeted at the router and not the LAN.
  The common protection of your LAN you have on the WRT is because you use private IP addresses inside your LAN and the router does NAT. However, NAT is not a security mechanism but a mechanism to solve the problem that you can only have a single public IP address but want to use multiple computers, which is why you have to use private IP addresses. Current NAT implementations usually drop unsolicited incoming traffic because they don't know to which IP address in the LAN to send it to. But the notion of NAT is to deliver and to allow connectivity. This has nothing to do with security or a firewall.
  Thus, if you want to use a real firewall use the PIX. On the PIX you can configure the traffic which is allowed to enter the LAN and which not. It is far superior in this respect to the WRT. However, as it is a older model, I cannot tell how fast the PIX is. You should be able to find the old data sheets of the PIX somewhere on the cisco website. They should mention the possible throughput. I guess it won't be an issue.
  To me another point for the PIX are the VPN capabilities which allow you to securely access your LAN while you are on the road.
  Of course, you must know how to configure the PIX correctly. It is a complex device and can be configured pretty much for anything you like. This means of course if you do it wrong you may end up with little or no security.
  BTW, there are no people from linksys in this forums except the moderators (which may be from lithium). To hear from Linksys you have to contact Linksys support.

• Amazon S3 Backup with Cisco PIX 501 Router - slowww

  We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office.  We are using a Synology NAS to backup to Amazon s3, and we use a Cisco PIX 501 to secure our network.  The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue.  After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down.  I was told the upload should happen over HTTP and HTTPS, and I made sure these ports where open through the Access Rules.  There are no rules defined in the Filter Settings.
  I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening?   I'm not too familiar with the PIX or all the network settings involved.
  Thanks!

  Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here:
  - Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
    This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
  THANKS

• Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access

  Hello folks,
  I need your help.
  We got a Cisco PIX 501 in one location and this pix is configured for pppoe dial out. The pix connects itself to the internet via pppoe client. ping to an offical ip is running well.
  So what I want to do is to establish a von tunnel between this pix and a cisco 3005 concentrator.
  But I was not successull to establish it.
  Here is the pix config. the acl?s are only for testing and will be replaced if it works.
  PIX Version 6.3(4)
  interface ethernet0 10baset
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password xxx
  passwd xxx
  hostname PIX-AU
  domain-name araukraine.ua
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  access-list outside permit ip any any
  access-list inside_access_in permit ip any any
  pager lines 24
  logging on
  logging monitor warnings
  logging buffered warnings
  mtu outside 1456
  mtu inside 1456
  ip address outside pppoe setroute
  ip address inside 192.168.x.x 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  pdm location 192.168.x.x 255.255.255.224 inside
  pdm logging warnings 500
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  access-group outside in interface outside
  access-group inside_access_in in interface inside
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.x.x 255.255.x.x inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  telnet 192.168.x.x 255.255.x.x inside
  telnet timeout 5
  ssh 194.39.97.0 255.255.255.0 outside
  ssh timeout 5
  management-access inside
  console timeout 0
  vpdn group pppoe_group request dialout pppoe
  vpdn group pppoe_group localname [email protected]
  vpdn group pppoe_group ppp authentication pap
  vpdn username [email protected] password *********
  encrypted privilege 15
  vpnclient server 212.xx.xx.xx
  vpnclient mode network-extension-mode
  vpnclient vpngroup vpntest password ********
  vpnclient username pixtest password ********
  terminal width 80
  on the concentrator I created a user pixtest, a group vpntest and I?ve created rules for the network e.g. to which server the users behind the pix will be able to access.
  And that?s all.
  I could not send you the output either of the pix or concentrator because I did not get an error or a message that the tunnel will be established.
  What can be wrong ?
  Thanks for the replies

  This sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml

• Cisco Pix 501 - Need help with VPN passthrough

  Greetings!
  Currently I have a Cisco Pix 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco Pix; I have been able to accomplish some port forwarding for CCTV camera software, etc. but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
  Previously we had another facility which was able to connect through VPN but it has since been removed (and always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
  I have been through several articles both here and other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall then necessary and may have duplicate information attempted to complete this passthrough. My Server 2008 resides at 192.168.1.15, below is what I have thus far. The "crypto map" sections were all completed long before I took over, I believe this is how the old VPN was set up. What I have added since beginning this endevour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
  I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated as I am rapidly losing hair attempting to get this situated.
  : Saved
  PIX Version 6.3(1)
  interface ethernet0 auto
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password RysZD25GpRAOMhF. encrypted
  passwd 0I6TSwviLDtVwaTr encrypted
  hostname Lorway-PIX
  domain-name lorwayco.com
  fixup protocol ftp 21
  fixup protocol ftp 22
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol pptp 1723
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  no fixup protocol smtp 25
  fixup protocol sqlnet 1521
  names
  access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
  access-list outside_access_in permit icmp any any
  access-list outside_access_in permit tcp any any eq 50000
  access-list outside_access_in permit udp any any eq 50000
  access-list outside_access_in permit tcp any any eq smtp
  access-list outside_access_in permit tcp any any eq www
  access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
  access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
  access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
  access-list outside_access_in permit tcp any any eq pop3
  access-list outside_access_in permit tcp any any eq https
  access-list outside_access_in permit tcp any any eq ftp
  access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
  access-list outside_access_in permit tcp any any eq ftp-data
  access-list outside_access_in permit tcp any any eq 1009
  access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
  access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
  access-list outside_access_in permit tcp any any eq 7000
  access-list outside_access_in permit tcp any any eq pptp
  access-list outside_access_in permit gre any any
  access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
  access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address outside 74.221.188.249 255.255.255.0
  ip address inside 192.168.1.1 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  pdm logging informational 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list 80
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
  static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  snmp-server host inside 192.168.1.118
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  sysopt connection permit-pptp
  sysopt connection permit-l2tp
  crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
  crypto map lorwayvpn 30 ipsec-isakmp
  crypto map lorwayvpn 30 match address 30
  crypto map lorwayvpn 30 set peer 66.18.55.250
  crypto map lorwayvpn 30 set transform-set lorway1
  crypto map lorwayvpn interface outside
  isakmp enable outside
  isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
  isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
  isakmp identity address
  isakmp nat-traversal 20
  isakmp policy 9 authentication pre-share
  isakmp policy 9 encryption 3des
  isakmp policy 9 hash sha
  isakmp policy 9 group 2
  isakmp policy 9 lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 60
  console timeout 0
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  terminal width 80
  Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
  : end

  Config looks good to me.
  I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center as this PIX is on its EOL and you are running an extremely old version of code.
  If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN?

• Cisco PIX Device Manager Version 3.0(2)

  Hi
  I have a PIX 515E:
  Cisco PIX Firewall Version 6.3(4)
  Cisco PIX Device Manager Version 3.0(2)
  Compiled on Fri 02-Jul-04 00:07 by morlee
  CCP-Firewall001 up 2 years 65 days
  Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
  Flash E28F128J3 @ 0x300, 16MB
  BIOS Flash AM29F400B @ 0xfffd8000, 32KB
  0: ethernet0: address is 0012.80be.450d, irq 10
  1: ethernet1: address is 0012.80be.450e, irq 11
  Licensed Features:
  Failover: Disabled
  VPN-DES: Enabled
  VPN-3DES-AES: Disabled
  Maximum Physical Interfaces: 3
  Maximum Interfaces: 5
  Cut-through Proxy: Enabled
  Guards: Enabled
  URL-filtering: Enabled
  Inside Hosts: Unlimited
  <--- More ---> Throughput: Unlimited
  IKE peers: Unlimited
  This PIX has a Restricted (R) license.
  Serial Number: 808480455 (0x30306ec7)
  Running Activation Key: 0xac646fed 0xf8b86795 0xc3951ec2 0xb32aed09
  It's operate with Java plug in 1.4.1 y I have a PC with IE 7 and Plug in 1.6.0 y doesn't download the PDM.
  Are there a solution for it?

  Try Disable Java on Internet Options. This issue oculd be releated to Java version also.

• Can someone share their Cisco PIX config?

  Running a Cisco PIX 515 with a front-end/back-end Exchange server set up. Problem I am having is that the calendar will sync once and then never again. I delete the account, recreate it and sometimes it will show up but for the most part it will not.
  I have no issue with OWA, BlackBerrys or Windows Mobile devices. They all do everything perfect. Just the iPhone giving me grief. And that has only been really bad since the upgrade to 2.0.1!
  I have checked everything except comparing my PIX config with someone elses. Can someone post their "timeout" lines from a PIX 5XX running 6.X.X?
  Thanks so much!

  Oh trust me, I am in the same exact boat as most people. One man's configuration might work for him, but doesn't work for me. It's really, really bizarre that there does not seem to be any consistency.
  Anyway, here's our timeout - good thing I checked!
  timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  -Sam

• Windows 8 Cisco VPN Client Issue

  I connect to several of my customers with the Cisco VPN Client Version 5.0.07.0290 and all has been working fine. In the last week, virtually every Windows 8 machine has stopped working. The client connects fine, shows it's connected, but if I go to Status -> Statistics it just shows 0 in the Bytes Received and Sent. The Bypassed and Discarded increases, but I am unable to reach any system. Does anyone know what causes this or how to resolve it? This is a HUGE problem for me as all of the work we do for our customers is via their VPNs. Every non-Windows 8 PC still works fine. And these Windows 8 PCs have been working fine until just the last week. Browsing through, I've seen posts with this same issue, but none related to Windows 8 recently. They are all Windows 7, and my Windows 7 machines are working flawlessly.
  Someone help!
  Thanks,
  Brian

  Hi Brian,
  IPSEC client on Windows 8 machine is not supported.
  Cisco VPN Client 5.0.07 supports the following Microsoft OSs:
  •Windows 7 on x64 (64-bit)
  •Windows 7 on x86 (32-bit) only
  •Windows Vista on both x86 (32-bit) and x64
  •Windows XP on x86
  VPN Client does not support the Tablet PC 2004/2005; and Windows 2000, NT, 98, and ME.
  VPN Client supports smart card authentication on Windows 7, Vista, and  XP. However, VPN Client does not support the ST Microelectronics smart  card Model ST23YL80, and smart cards from the same family.
  VPN Client supports up to one Ethernet adapter and one PPP adapter. It  does not support the establishment of a VPN connection over a tethered  link.
  VPN Client 5.0.x is incompatible with the combination of Cisco Unified  Video Advantage 2.1.2 and McAfee HIPS Patch 4 Build 688. To avoid system  failures, uninstall either of these two applications, upgrade McAfee to  the latest version, or use VPN Client 4.6.x.
  To install the VPN Client, you need
  •Pentium®-class processor or greater
  •Microsoft TCP/IP installed. (Confirm via Start > Settings > Control Panel > Network > Protocols or Configuration.)
  •50 MB hard disk space.
  •128 MB RAM
  (256 MB recommended)
  •Administrator privileges
  The VPN Client supports the following Cisco VPN devices:
  •Cisco Series 5500 Adaptive Security Appliance, Version 7.0 or later.
  •Cisco VPN 3000 Series Concentrator, Version 3.0 or later.
  •Cisco PIX Firewall, Version 6.2.2(122) or Version 6.3(1).
  •Cisco IOS Routers, Version 12.2(8)T or later.
  you can get more information from following link:-
  http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client5007/release/notes/vpnclient5007.html#wp63537
  Regards,
  Naresh

• Pix firewall issue

  Hello,
  I'm trying to configure some firewall rules and a nat in our pix 525 and I'm having some issue with the connection
  Here are the details:
  172.40.40.40 destination host.
  1.- I configured an ACL
  ACL test 172.80.0.0 255.255.0.0 destination 172.40.40.40
  ACL test 172.90.0.0 255.255.255.0 destination 172.40.40.40
  inside interface IP 172.20.20.20
  outside inteface IP 192.169.1.2
  interfaces inside outside (ping and icmp are allow)
  static (outside, inside) 172.40.40.40 172.40.40.40
  nat (outside)  5 access-list test
  global (inside) 5 interface
  route inside 172.40.40.40 255.255.255.255 172.30.30.30
  route outside 172.80.0.0 255.255.0.0 192.168.1.1
  route outside 172.90.0.0 255.255.0.0 192.168.1.1
  I'm trying to nat the traffic comming from the outside interface because we want to avoid interal ip conflicts, I'm seeing the hits on the ACL
  but can not telnet from 172.80.0.1 to 172.40.40.40 , there are routes and porta enable for that connection
  and my flag logs shown me SaAB from the destination host, what could be the problem?
  We can ping between the destination host and the pix inside interface and the icmp is allow in all the interfaces.

  Hello Thank you for your help, we will try to apply that command in our test .
  About our test the incoming connection from 172.90.0.0 are telnet session to 172.40.40.40
  So we are doing a PAT for those connection (172.90.0.0 PAT to 172.30.30.29) my question is that kind of scheme and configuration is supported on Pix Firewall?
  Here is the version: PIX 525
  Cisco PIX Firewall Version 6.3(5)
  This is the path
                                   MPLS                                    PIX                                              Destination HOST
  subnet 172.90.0.0/16 ---- ------------------------- ACL TEST -PAT(172.30.30.29 inside inteface) --------  172.40.40.40 port 25

• Cisco PIX 515E multiple ISP support in a VPN scenario

  Iam currently running a cisco 7.2 ios in a Cisco PIX 515E appliance. I have terminated two ISP links in the two ports, and I also have a inside network (LAN). I want to establish 2 Site-Site VPN tunnels using each one of these ISP links respectively (Site 1 in ISP link 1 && Site 2 in ISP link 2).
  Is this possible to achieve??

  Hello,
  This should work. Route the remote endpoint for site 1 out link 1 (using a static route) and for site 2 out link 2 (using a static route) and that should do it.
  Return traffic should work, assuming both ISPs aren't advertising the networks your interfaces are on via BGP (ie, you don't want return traffic from site one coming down the link to site 2 because that ISP is advertising that AS as well.)
  --Jason

• Cisco pix 525 and 515 cannot archieve configuration in LMS 3.0.1

  Hi,
  we have several cisco pix 525 and 515 cannot archieve configuration in LMS 3.0.1
  Any help would be greatly appriciated.
  Thanks in advance
  Samir

  Hi,
  Here is the output.
  *** Device Details for  ***
  Protocol ==> Unknown / Not Applicable
  Selected Protocols with order ==> TFTP,SSH,HTTPS
  Execution Result:
  RUNNING
  CM0151 PRIMARY RUNNING Config fetch failed for ********* Cause: SSH: Failed to establish SSH connection to 10.192.18.10 - Cause: Authentication failed on device 3 times.
  Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
  But when I do mangement station to Device  it gives me following results:
  Interface Found:  10.192.18.10
  Status:  UP
  Test Results
  UDP     Failed
        sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 64 protocol: udp port: 7
  TCP     Failed
        sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 0 size: 0 protocol: tcp port: 7
  HTTP     Failed
        sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 33 protocol: http port: 80
  TFTP     Failed
        sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 25 protocol: tftp port: 69
  SNMPRv2c(Read)     Okay
       sent: 5 recvd: 5 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_get port: 0
  SNMPWv2c(Write)     Failed
        sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_set port: 0
  SSHv2     Failed
  TELNET     Okay
  Waiting for your reply.
  Samir

• Cisco 871W eZVPN is unable to connect Cisco PIX vpn server

  crypto ipsec client ezvpn TEST
  connect auto
  group Cisco key cisco123
  mode client
  peer 172.1.1.1
  xauth userid mode interfactive
  interface FastEthernet4
  ip address 10.1.1.1 255.255.255.0
  ip access-group 101 in
  ip nat outside
  crypto ipsec client ezvpn TEST
  Internet Vlan1
  ip address 192.168.1.1 255.255.255.0
  ip access-group 100 out
  ip nat inside
  crypto ipsec client ezvpn TEST inside
  ip route 0.0.0.0. 0.0.0.0 192.168.1.254
  ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
  access-list 100 permit ip any any
  access-list 101 permit ip any any
  access-list 103 permit ip 192.168.1.0 0.0.0.255 any
  route-map EzVPN1 permit 1
  match ip address 103
  These are the following commands I applied in my Router, It is able to connect but unable to access any other servers. The same user name & password I tried with the VPN dialer it works on my Laptop. Anything I am missing on the router configuration. The VPN server is Cisco PIX 515E.
  Cisco IOS on 871W is 12.3(8)Y12

  1) Isn't your default route supposed to be pointing towards the external interface?
  ip route 0.0.0.0. 0.0.0.0 192.168.1.254 ?
  2) Can you change the 'mode client' to 'mode network-extension'. Also the PIX will need 'nem enable'.
  Have a look at the following (I'm assuming you already have as your config seems to be similar):
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
  For old 6.x code on PIX, have a look at:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml
  Regards
  Farrukh

• Cisco PIX to Cisco ASA Migration Tool

  Hello,
  I appreciate any help to download the The Cisco PIX to ASA migration tool referred at
  http://www.cisco.com/en/US/partner/docs/security/asa/migration/release/notes/pix2asarn.html#wp39336
  Thanks in Advance
  Francisco Almeida

  As a registered user, go to the download page for Pix Software here.
  Navigate on the menu tree to "Version 1.0" and you should see the software available to download:

• Oracle 8i through CISCO PIX Firewall

  HI all,
  I Need some help here with CISCO PIX Firewall 506e series. The ORACLE Server 8i on Windows NT.4, placed at the inside interface of PIX Firewall.
  The Firewall has been configured to allow all the port to come from outside interface (this is where the Oracle client reside). When the client from outside try the oracle client application (where the login promt for username and password) when pressed enter the error msg
  =============================
  oracle error con 440
  unable to make connection oracle - 12514 tns.couldn't resolve service name
  the menu was not connectable with oracle. a menu is ended
  ==============================
  Many thanks for PIX and Oracle config.
  HATO

  Varun,
  Thank you for your help.
  I have one quick question, this pix is not in failover, it is standalone but it has Unrestricted license. It only has 64Mb of Ram. Will I have any problems based on your link recommendation?
  Memory Requirements:
  If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(2). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses
  What is the difference between the restricted Licenses and the Unrestricted Licenses?
  Thanks!