DMZ on PIX
Hi all, how do these work? Do they still allow all access from internal, but you have to open ports up to it inbound?
Hello Carl,
Yeah, of course... that's how the algorithm works... higher security to lower security: packets are allowed;
traffic from lower security to higher security: you need to allow it through ACLs...
Hope this helps.. all the best.. rate replies if found useful..
Raj
Similar Messages
-
- How do I set up a DMZ zone with a PIX 501 firewall? Do I need to use an additional router? I have a Cisco 1605 at my disposal.
- If I can't do that, what would be an alternative way to set up an FTP server similarly to the DMZ way?
(We're using IPsec/GRE VPN between our 3 sites. We're on a W2K network).
thanks,
oleg
When talking about setting up a DMZ, a PIX model with at least three interfaces is required. On a PIX 501, only two interfaces are available: an outside interface (Ethernet) and an inside interface (available as a 4-port switch). For setting up a DMZ, you will need an additional interface, and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work, but it will make the setup messy, and you are unlikely to find a satisfactory level of support for it, for the simple reason that not many networks are deployed that way.
-
By design or sheer dumb luck? Is configuration necessary in this case?
Hey all, I saw something that stumped me for a moment today and then got me thinking.
A colleague of mine had set up a test lab at work. This was to evaluate a PIX environment, but was nothing too fancy: a couple of host PCs emulating internet-based servers, a PC emulating an internal LAN machine, a machine pretending to be a host in a DMZ, the PIX itself, and a router pointing where necessary between them all.
Now normally, to keep this all segregated for testing purposes, I would VLAN everything up, with a separate VLAN for all the networks involved. Or use separate, dumb switches.
But my partner here takes an unconfigured switch with all ports up and... just plugs everything in. I am aghast, but his reasoning is that, when devices ARP for the MAC of the device they want to speak to, the switch will know what's on each port anyway and will forward it via the appropriate port. Which sort of makes sense... but I can't help but feel that this is too straightforward, and that the law of unintended consequences will take over.
(Oddly enough, I've discovered that this has happened in production, and I'm currently trying to debug some odd traffic that's appearing on a DMZ interface on a PIX. I'm starting to wonder...)
Anyone have any thoughts? Timesaving good idea or lazy shortcut?
Cheers all,
GarGar
I think that it is a lazy shortcut. When your colleague connected the devices this way things did work as expected. And you probably did not check to see if unexpected things would work - and they would have. If you configure a PC in a certain subnet with a default gateway and you configure other devices in other networks you expect that the PC will forward to its default gateway to get to the other devices. But the way the switch was installed the PC COULD communicate directly with any other device without needing the gateway. Since all devices were effectively in the same VLAN on the switch they were all in the same broadcast domain. In this situation every device would hear the ARP request from every other device. So the PC could have done an ARP directly for some other device, received an ARP response and begun to communicate directly.
There are reasons why we generally put things into VLANs in our network: reducing the broadcast domain being one of them, increasing security is another, and there are a number of other reasons. When you install a switch in the way that you describe you undo those things.
It was a test environment and it worked. But I certainly would not want to see you do it that way in a production environment.
HTH
Rick
-
WLC+Anchor+Guest NAC
Hello all
I have a few basic clarifications on these components. I have a network with LWAPPs and a WLC on one site, say site A. Let's consider only the guest SSID access as of now. The Anchor guest controller is positioned on a DMZ segment on Site B. Sites A & B are connected through a routed network. I also have a NAC guest server on Site C. Now, I want to integrate all these components. As per my knowledge, the following is the traffic flow:
1) When guest users access their SSID, they are mapped to the anchor controller in the DMZ through mobility groups. The WLC then initiates an EoIP tunnel to the DMZ controller. Firewall rules allow all required ports (IP 97, UDP 16666 etc.), and end-to-end IP communication happens.
2) Upon the request, the Anchor controller provides an IP address from DHCP configured locally. In this case, will the default gateway of the PCs be the Anchor DMZ controller's WLAN IP, or will it be local to Site A (say an L3 switch)?
3) Then when the user tries to access any site, he is given a web authentication portal, which is linked to the RADIUS server/NAC guest server. During authentication, the DMZ controller again tries speaking to the NAC guest server in site C; hence the firewall has to allow the UDP 1812/1813 RADIUS ports.
4) After authentication, the user browses the internet. Now, what will be the IP packet flow in this instance? Will all traffic first be tunneled across LWAPP to the controller, and from there EoIP'ed to the Anchor? The Anchor then forwards it to the internet gateway, through the DMZ? As asked before, will the default gateway of the PCs be the WLAN IP of the anchor? If there are too many users, will I create many WLAN SSIDs for guests for Site A?
Sorry for the long post..
Raj
Greg,
Thanks again.. that was useful too. One last query.. and this was grilling my head:
1) How does the guest VLAN egress work? I have a WLC on a new DMZ of the PIX, with a /27 subnet. This WLAN is used only for EoIP communication. Now, when the guest user gets a DHCP IP, what IP pool should I define here? Since the default route is going to be towards the PIX, it should be one among the 4 interfaces, right now? Or should I have another interface or VLAN DMZ for the egress traffic from the WLC? The SRND says something about dynamic interfaces, but it's not explained at all :(
2) Will the foreign WLC talk to Anchor controllers 1 & 2 in load balancing mode? Why I'm asking is, if DHCP is defined on Anchor 1 and the request goes to Anchor 2, then it will be an issue. Otherwise, is it advisable to split up DHCP scopes between the two Anchors? Say 1-127 on one anchor and 128-254 on the other?
3) Lastly, about guest NAC servers. I have 2 of them in place. Will the guest database be replicated between them, like what ACS does? If so, is the replication bidirectional? If the lobby admin creates an account, it will be good if he just creates it in one box and the other box replicates it.
Thanks for all your answers.. it has been really useful to me, and I think it will be useful for anyone who works on Anchor+guest+foreign WLC designs :)
Raj
-
My case is like this: a (web) application server hosts multiple web apps for the public to access. Moderate traffic. The server is located in a commercial hosting company's server room, so the server can directly plug into the LAN (which is connected to the internet).
1) Among the PIX 50x series, which firewall fits this situation better? (I'll need the firewall to support the NAT, DMZ and VPN). Or I may even need other firewalls (budget sensitive).
2) Is the double firewall necessary to build the DMZ? (i.e. PIX --DMZ-- PIX)
3) Any opinion or comment on Microsoft ISA Server 2004 (which claims to be a better firewall)?
Many thanks.
Scott
Hi,
AFAIK, if you have a PIX firewall like either the 501, which has 2 FastEthernet ports, or the 515E, which can have max 6 FastEthernet ports, it can serve your purpose.
If you want to configure a DMZ with the PIX itself, then you would require one more FastEthernet port in addition to one input and one output interface.
The output interface is the one which gets you connected to the outside public world (LAN here), and the inside port connects to your local LAN or server farm.
You can always isolate the local LAN and server farm into 2 different zones if present, or else you can connect your server up to the inside port itself.
But do remember that you are configuring it to allow all the required ports which are accessed by the public.
Also you have the advantage of configuring normal VPNs and also configuring the PIX as an Easy VPN server too, to cater to your mobile users.
Regds
-
Dual-homed servers connected directly to redundant CSSs
Hi.
I have no experience with Cisco content switches and I need help with this implementation:
I have a DMZ on a PIX cluster, where there are 3 pairs of servers, and I need to load balance traffic to them.
I want to connect the PIX cluster to L2 switches, then connect the L2 switches to redundant CSSs, and connect the servers directly to the CSSs dual-homed (primary NIC to primary CSS and secondary NIC to backup CSS). I'm not sure whether this dual-home connection will work correctly. What kind of CSS redundancy should I use?
Dual NIC does not work with servers directly connected to the CSS.
You should connect your servers to a pair of L2 switches and then connect the L2 switches to the CSS.
Regards,
Gilles.
-
Web server on DMZ cannot send email via PHP script using SMTP (Cisco firewall PIX 515e)
Hello,
I have two web servers that are sitting in a DMZ behind a Cisco PIX 515e firewall. The web servers appear to be configured correctly, as our website and FTP site are up. On two of our main websites, we have two contact forms that use a simple HTML form to call a PHP script that uses SMTP as its mailing protocol. Since I am not the network administrator, I don't quite understand how to read the current configuration on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem down is the following: I used a WAMP server to test our scripts with our SMTP server settings, and was able to successfully send an email out to both my Gmail and workplace accounts. Currently, we have Backup Exec loaded on both of these servers, and when I try to send out an alert I never receive it. I think because port 25 is closed on both of those servers. I will be posting our configuration. If anyone can take a look and perhaps explain to me how I can change our web servers to communicate and successfully deliver mail via that script, I would gladly appreciate it. Our IP range is 172.x.x.x, but it looks like our web servers are using 192.x.x.x with NAT in place. Please, someone help.
Thanks,
Jeff Mateo
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password GFO9OSBnaXE.n8af encrypted
passwd GFO9OSBnaXE.n8af encrypted
hostname morrow-pix-ct
domain-name morrowco.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.42.47.27 LI-PIX
name 172.20.0.0 CT-NET
name 172.23.0.0 LI-NET
name 172.22.0.0 TX-NET
name 172.25.0.0 NY-NET
name 192.168.10.0 CT-DMZ-NET
name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
name 199.191.128.105 web-dns-1
name 12.127.16.69 web-dns-2
name 12.3.125.178 NY-PIX
name 64.208.123.130 TX-PIX
name 24.38.31.80 CT-PIX
object-group network morrow-net
network-object 12.42.47.24 255.255.255.248
network-object NY-PIX 255.255.255.255
network-object 64.208.123.128 255.255.255.224
network-object 24.38.31.64 255.255.255.224
network-object 24.38.35.192 255.255.255.248
object-group service morrow-mgmt tcp
port-object eq 3389
port-object eq telnet
port-object eq ssh
object-group network web-dns
network-object web-dns-1 255.255.255.255
network-object web-dns-2 255.255.255.255
access-list out1 permit icmp any any echo-reply
access-list out1 permit icmp object-group morrow-net any
access-list out1 permit tcp any host 12.193.192.132 eq ssh
access-list out1 permit tcp any host CT-PIX eq ssh
access-list out1 permit tcp any host 24.38.31.72 eq smtp
access-list out1 permit tcp any host 24.38.31.72 eq https
access-list out1 permit tcp any host 24.38.31.72 eq www
access-list out1 permit tcp any host 24.38.31.70 eq www
access-list out1 permit tcp any host 24.38.31.93 eq www
access-list out1 permit tcp any host 24.38.31.93 eq https
access-list out1 permit tcp any host 24.38.31.93 eq smtp
access-list out1 permit tcp any host 24.38.31.93 eq ftp
access-list out1 permit tcp any host 24.38.31.93 eq domain
access-list out1 permit tcp any host 24.38.31.94 eq www
access-list out1 permit tcp any host 24.38.31.94 eq https
access-list out1 permit tcp any host 24.38.31.71 eq www
access-list out1 permit tcp any host 24.38.31.71 eq 8080
access-list out1 permit tcp any host 24.38.31.71 eq 8081
access-list out1 permit tcp any host 24.38.31.71 eq 8090
access-list out1 permit tcp any host 24.38.31.69 eq ssh
access-list out1 permit tcp any host 24.38.31.94 eq ftp
access-list out1 permit tcp any host 24.38.31.92 eq 8080
access-list out1 permit tcp any host 24.38.31.92 eq www
access-list out1 permit tcp any host 24.38.31.92 eq 8081
access-list out1 permit tcp any host 24.38.31.92 eq 8090
access-list out1 permit tcp any host 24.38.31.93 eq 3389
access-list out1 permit tcp any host 24.38.31.92 eq https
access-list out1 permit tcp any host 24.38.31.70 eq https
access-list out1 permit tcp any host 24.38.31.74 eq www
access-list out1 permit tcp any host 24.38.31.74 eq https
access-list out1 permit tcp any host 24.38.31.74 eq smtp
access-list out1 permit tcp any host 24.38.31.75 eq https
access-list out1 permit tcp any host 24.38.31.75 eq www
access-list out1 permit tcp any host 24.38.31.75 eq smtp
access-list out1 permit tcp any host 24.38.31.70 eq smtp
access-list out1 permit tcp any host 24.38.31.94 eq smtp
access-list dmz1 permit icmp any any echo-reply
access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
access-list dmz1 permit ip any any
access-list dmz1 deny ip any any
access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.0
access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255.248.0
access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
access-list in1 permit tcp host 172.20.1.21 any eq smtp
access-list in1 permit tcp host 172.20.1.20 any eq smtp
access-list in1 deny tcp any any eq smtp
access-list in1 permit ip any any
access-list in1 permit tcp any any eq smtp
access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
access-list in2 deny ip host 172.20.1.82 any
access-list in2 deny ip host 172.20.1.83 any
access-list in2 permit ip any any
pager lines 43
logging on
logging timestamp
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 172.20.1.22
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside CT-PIX 255.255.255.224
ip address inside 172.20.8.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ctpool 192.168.220.100-192.168.220.200
ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
pdm history enable
arp timeout 14400
global (outside) 1 24.38.31.81
nat (inside) 0 access-list nat0
nat (inside) 1 CT-NET 255.255.0.0 2000 10
nat (DMZ) 0 access-list nat0-dmz
static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
access-group out1 in interface outside
access-group dmz1 in interface DMZ
route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
route inside CT-NET 255.255.248.0 172.20.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ct-rad protocol radius
aaa-server ct-rad max-failed-attempts 2
aaa-server ct-rad deadtime 10
aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 173.220.252.56 255.255.255.248 outside
http 65.51.181.80 255.255.255.248 outside
http 208.65.108.176 255.255.255.240 outside
http CT-NET 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community m0rroW(0
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dyn_map 20 match address vpn-dyn-match
crypto dynamic-map dyn_map 20 set transform-set 3des-sha
crypto map ct-crypto 10 ipsec-isakmp
crypto map ct-crypto 10 match address vpn-ct-li-gre
crypto map ct-crypto 10 set peer LI-PIX
crypto map ct-crypto 10 set transform-set 3des-sha
crypto map ct-crypto 15 ipsec-isakmp
crypto map ct-crypto 15 match address vpn-ct-li
crypto map ct-crypto 15 set peer LI-PIX
crypto map ct-crypto 15 set transform-set 3des-sha
crypto map ct-crypto 20 ipsec-isakmp
crypto map ct-crypto 20 match address vpn-ct-ny
crypto map ct-crypto 20 set peer NY-PIX
crypto map ct-crypto 20 set transform-set 3des-sha
crypto map ct-crypto 30 ipsec-isakmp
crypto map ct-crypto 30 match address vpn-ct-tx
crypto map ct-crypto 30 set peer TX-PIX
crypto map ct-crypto 30 set transform-set 3des-sha
crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
crypto map ct-crypto client authentication ct-rad
crypto map ct-crypto interface outside
isakmp enable outside
isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
vpngroup remotectusers address-pool ctpool
vpngroup remotectusers dns-server 172.20.1.5
vpngroup remotectusers wins-server 172.20.1.5
vpngroup remotectusers default-domain morrowny.com
-
Amit,
I applaud your creativity in seeking to solve your problem; however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database: it's just too many layers, in my opinion, where things can go wrong. Two, it seems to me that you are exposing data on your website (with the PHP) that you may not want to expose, and this is an important consideration when you are dealing with emails and privacy and so on.
I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
Again, I applaud your creativity, but truly this seems like a hack because of the complexity and security concerns you are introducing, and I think it is a path to the land of trouble. Hopefully you will be able to get a remote account set up.
-
Load balancing of PIX firewalls with multiple DMZs
I need a suggestion about how to balance the traffic through two PIX firewalls with 4 interfaces (IN, OUT, DMZ1, DMZ2).
In all the documentation related to the subject, I always see the firewalls with only two interfaces:
http://www.cisco.com/warp/customer/117/fw_load_balancing.html
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/firewall.htm
What if I need to balance on more than 2 interfaces?
Do I have to add more content switches, one for each interface?
Or could I use VLANs inside the same content switches, and assign the ports to DMZs appropriately?
Thank you in advance for any help.
We just had some internal discussions about that at my work, and the suggestion from a local Cisco specialist was, if you want to leverage load balancing over multiple DMZs, then you get the CSS blades for the 65xx's. Right now we have multiple CSS and LD failover pairs (one pair for each DMZ) and it is starting to become expensive, while we aren't really utilizing their full capacity. If you get the blades, they have Gigabit traces to the backplane of the switch, and you can use them for as many ports as you have on the 6500.
Then again, it depends on whether physical security is essential to you and you are concerned with L2 attacks (VLAN hopping, etc.). There are tradeoffs and benefits when using a consolidated infrastructure.
-
What syntax would I use to take off a DMZ/outside static route from a PIX?
I am having a problem with mail coming in, and currently have all SMTP traffic going to a mail filtering server. I want to point the traffic directly to the Exchange server instead, but before I do, I want to make sure that I can take that static route off after the test.
This is the syntax that I have and would like to change.
static (DMZ,outside) tcp xxx.xxx.xxx.xxx smtp 172.16.xxx.xxx smtp netmask 255.255.255.255 0 0
I would like to point it to another IPA and then take it off.
Hello,
Not sure if this is what you are asking, but check this link to the PIX command reference:
static
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
HTH,
GP
-
Can we place the content engine's outside interface on the PIX DMZ interface? At this moment both the WCCP router and the content engine are on the outside. I want to place the content engine's outside interface on the PIX DMZ and then run WCCP between the content engine and the outside router.
Thank you.
Yes. You can place the content engine towards the outside interface on the PIX. This should work.
-
PIX/ASA not able to reach DMZ
Hi everyone,
I am able to ping from outside to inside all IPs, but there is no communication from inside and outside to the DMZ.
I did debug icmp trace 255 and it gives the debug below. Can anyone guide me if I am making any mistake here in the config?
pixfirewall(config)# ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=0 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=1 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=2 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=3 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=4 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
DMZ>sh ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.0.1 YES manual up up
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
FastEthernet1/0 20.1.1.2 YES NVRAM administratively down down
Loopback0 192.168.10.10 YES manual up up
Loopback1 4.4.4.4 YES NVRAM up up
DMZ>
INSIDE-RTR>sh ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.10.254.2 YES NVRAM up up
Ethernet0/1 unassigned YES NVRAM administratively down down
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down
Loopback0 10.14.8.50 YES NVRAM up up
Loopback1 10.10.10.10 YES manual up up
INSIDE-RTR>
OUTSIDE>sh ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES TFTP administratively down down
Ethernet0/1 131.1.23.1 YES NVRAM up up
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down
Loopback0 5.5.5.5 YES manual up up
Loopback1 1.1.1.1 YES NVRAM up up
OUTSIDE>
pixfirewall# sh run
: Saved
PIX Version 7.2(4)
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0
speed 100
duplex full
nameif INSIDE
security-level 100
ip address 10.10.254.1 255.255.255.0
interface Ethernet1
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 131.1.23.2 255.255.255.0
interface Ethernet2
speed 100
duplex full
shutdown
no nameif
security-level 50
no ip address
interface Ethernet3
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.0.2 255.255.255.0
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
ftp mode passive
same-security-traffic permit intra-interface
access-list 101 extended permit ip any any log
access-list ACL-BW extended permit ip any any
access-list DMZtoINSIDE extended permit ip any any log
pager lines 24
logging buffered debugging
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 131.1.23.12-131.1.23.254
nat (INSIDE) 1 10.0.0.0 255.0.0.0
static (INSIDE,OUTSIDE) 131.1.23.11 10.14.8.50 netmask 255.255.255.255
static (INSIDE,DMZ) 192.168.11.11 10.10.10.10 netmask 255.255.255.255
static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
access-group 101 in interface OUTSIDE
access-group DMZtoINSIDE in interface DMZ
route INSIDE 10.14.8.0 255.255.255.0 10.10.254.2 1
route INSIDE 10.10.10.0 255.255.255.0 10.10.254.2 1
route OUTSIDE 0.0.0.0 0.0.0.0 131.1.23.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue OUTSIDE
class-map CLASS-BW
match access-list ACL-BW
class-map bw-limit1
policy-map POLICY-BW
class CLASS-BW
police output 8000 1000 conform-action drop
service-policy POLICY-BW interface OUTSIDE
prompt hostname context
Cryptochecksum:2544d2c2a04267b55ac2ae90ba42d40f
: end
=====================
Thanks for the reply.
Hi Julio,
Thanks for your reply.
Here are the outputs you asked me for:
1-Can you ping 131.1.23.1 from the ASA ----yes pinging
pixfirewall# ping 131.1.23.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.1, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=36579 len=72
!ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=36579 len=72
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=36579 len=72
2-Can you ping 192.168.10.10 from the ASA. ---not reachable
pixfirewall# ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
Success rate is 0 percent (0/5)
pixfirewall#
I have applied all the captures below ----->>
access-list capout permit icmp 131.1.23.1 255.255.255.255 host 131.1.23.10
access-list capout permit icmp host 131.1.23.10 131.1.23.1 255.255.255.255
access-list capdmz permit icmp host 131.1.23.1 host 192.168.10.10
access-list capdmz permit icmp host 192.168.10.10 host 131.1.23.1
capture capdmz access-list capdmz interface dmz
capture capout access-list capout interface outside
pixfirewall# clear access-list capout counters
pixfirewall#
pixfirewall# clear access-list capdmz counters
pixfirewall#
pixfirewall# clear access-list 101 counters
pixfirewall#
pixfirewall# clear access-list DMZtoINSIDE counters
pixfirewall#
Then:
OUTSIDE#ping 131.1.23.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.10, timeout is 2 seconds:
Success rate is 0 percent (0/5)
OUTSIDE#
pixfirewall# ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=0 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=1 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=2 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=3 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=4 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
pixfirewall#
pixfirewall# ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
Success rate is 0 percent (0/5)
pixfirewall#
pixfirewall#
pixfirewall# ping 131.1.23.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.1, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
!ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
!ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
!ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
!ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/50/90 ms
pixfirewall# ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
pixfirewall#
pixfirewall#
pixfirewall# sh access-list
access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 extended permit ip any any log informational interval 300 (hitcnt=1) 0x28676dfa
access-list ACL-BW; 1 elements
access-list ACL-BW line 1 extended permit ip any any (hitcnt=156) 0xfa95bcad
access-list DMZtoINSIDE; 1 elements
access-list DMZtoINSIDE line 1 extended permit ip any any log informational interval 300 (hitcnt=0) 0xf5a55e4b
access-list capout; 2 elements
access-list capout line 1 extended permit icmp host 131.1.23.1 host 131.1.23.10 (hitcnt=5) 0xfb220e61
access-list capout line 2 extended permit icmp host 131.1.23.10 host 131.1.23.1 (hitcnt=0) 0xda226f3d
access-list capdmz; 2 elements
access-list capdmz line 1 extended permit icmp host 131.1.23.1 host 192.168.10.10 (hitcnt=0) 0xa133807b
access-list capdmz line 2 extended permit icmp host 192.168.10.10 host 131.1.23.1 (hitcnt=0) 0x99b84706
pixfirewall#
==================
Thanks for your reply again.
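The "sh access-list" output in the session above is read by comparing the hit counters on each capture ACL pair: requests matching but the reverse entry staying at zero means no reply came back on that interface, and both entries at zero means the packets never reached it. The parser below is an added example, not part of the original thread; its input is a constructed copy of the capture ACL lines from the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "sh access-list" counters in the
# troubleshooting session above (example data, not a live device).
SHOW_ACL = """\
access-list capout; 2 elements
access-list capout line 1 extended permit icmp host 131.1.23.1 host 131.1.23.10 (hitcnt=5) 0xfb220e61
access-list capout line 2 extended permit icmp host 131.1.23.10 host 131.1.23.1 (hitcnt=0) 0xda226f3d
access-list capdmz; 2 elements
access-list capdmz line 1 extended permit icmp host 131.1.23.1 host 192.168.10.10 (hitcnt=0) 0xa133807b
access-list capdmz line 2 extended permit icmp host 192.168.10.10 host 131.1.23.1 (hitcnt=0) 0x99b84706
"""

# One access-control entry as printed by "show access-list" on PIX 7.x / ASA:
# name, protocol, source, destination and the hit counter.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line \d+ extended (?:permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+)"
    r".*?\(hitcnt=(?P<hits>\d+)\)"
)


def parse_hitcounts(text):
    """Return {acl_name: {(src, dst): hits}} for every ACE carrying a hit counter."""
    acls = defaultdict(dict)
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acls[m["acl"]][(m["src"], m["dst"])] = int(m["hits"])
    return acls


def diagnose(text):
    """Classify each capture ACL by whether both directions of its flow were hit.

    'ok'      - requests and replies both matched on this interface
    'one-way' - requests matched but the reverse ACE never did (no reply seen)
    'silent'  - nothing matched: the packets never reached this interface
    """
    verdicts = {}
    for acl, entries in parse_hitcounts(text).items():
        if sum(entries.values()) == 0:
            verdicts[acl] = "silent"
            continue
        one_way = any(
            hits > 0 and entries.get((dst, src), 0) == 0
            for (src, dst), hits in entries.items()
        )
        verdicts[acl] = "one-way" if one_way else "ok"
    return verdicts


if __name__ == "__main__":
    for acl, verdict in diagnose(SHOW_ACL).items():
        print(f"{acl}: {verdict}")
```

Run against the sample it reports capout as one-way (five echo requests in, no replies) and capdmz as silent, which is the pattern the captures above show.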
Hi all,
I have a routing problem with a PIX515E version 6.35. I have some client PCs located on the DMZ interface of the PIX515E; they connect to the PIX using the Cisco VPN Client (IPsec VPN), after which these PCs can be routed to access servers (static route) located behind the inside interface of the PIX. I have some servers located remotely with Internet access; the remote gateway router connects to the PIX outside interface (Internet) using an IPsec VPN and is then routed to the inside interface (static route).
After establishing IPSEC VPN, the Client PCs behind the DMZ interfaces can access Servers located behind Internal Interface of PIX. So do the remote servers. However, the Client PCs cannot access the remote servers.
Just wondering if there is any restriction for the routing in PIX?
Thanks for the answer.
Hi Jorge,
Please see the config below;
Servers behind inside interface 172.16.0.0/16
Remote Server 172.16.0.199/32
RA_Client:172.16.45.129-172.16.45.254
dmz: 192.168.0.0/16
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list from-outside remark
access-list from-outside permit icmp any any echo-reply
access-list from-outside remark
access-list nonat permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
access-list 101 permit ip 172.16.0.0 255.255.0.0 172.16.45.128 255.255.255.128
access-list Remote_Server permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
ip address outside x.x.x.70 255.255.255.248
ip address inside 172.16.58.20 255.255.255.0
ip address dmz 192.168.68.20 255.255.255.0
ip verify reverse-path interface outside
ip local pool RA_Client_pool 172.16.45.129-172.16.45.254
global (outside) 1 x.x.x.67 netmask 255.255.255.248
global (dmz) 1 192.168.68.129-192.168.68.254 netmask 255.255.255.128
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
access-group from-outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route outside 172.16.0.199 255.255.255.255 x.x.x.65 1
route inside 172.16.0.0 255.255.0.0 172.16.58.1 1
route dmz 172.16.45.128 255.255.255.128 192.168.68.1 1
route dmz 192.168.0.0 255.255.0.0 192.168.68.1 1
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto dynamic-map map2 40 set transform-set 3des-sha
crypto map IPSEC 40 ipsec-isakmp dynamic map2
crypto map IPSEC 50 ipsec-isakmp
crypto map IPSEC 50 match address Remote_Server
crypto map IPSEC 50 set peer y.y.y.y
crypto map IPSEC 50 set transform-set 3des-sha
crypto map IPSEC 50 set security-association lifetime seconds 900 kilobytes 4608000
crypto map IPSEC client authentication AuthInbound
crypto map IPSEC interface outside
crypto map IPSEC interface dmz
isakmp enable outside
isakmp enable dmz
vpngroup RA_Client address-pool RA_Client_pool
vpngroup RA_Client dns-server 172.16.9.5
vpngroup RA_Client wins-server 172.16.9.5
vpngroup RA_Client split-tunnel 101
vpngroup RA_Client idle-time 1800
vpngroup RA_Client password ********
Pix vpn tunnel using certificates problem
hi
I have set up a small network at home to practice a branch office
pix 501 obtaining a digital certificate from a windows 2000 server
which is located on a dmz on a pix 515 over an encrypted tunnel
the tunnel is initually set up using pre-shared keys and once the
branch pix has its certificate altering the configs on both pix's
to use certificates for authentication,but have run into a problem
i have included an attachment to explain how i went about it and
the problem i have encounterd
would appreciate it if someone could take a look and tell me where
the problem lies
regards
melvyn brown
I am having the same issues with Small Business Server 2003. VPN from the iTouch works fine, but it will not sync with contacts, mail and calendar.
The Apple Store Genius Bar was of no help. Generally they're pretty good. I believe this will be new turf for the folks at Apple.
Help needed to connect to remote PPTP VPN via PIX 515e
Hello,
A user in our office needs to connect to a client's remote PPTP VPN but can't connect. The user is running Windows 7. We have a Cisco PIX 515e firewall that is running PIX Version 6.3(3) - this is what our user is having to go through to try and make the connection to the client's remote VPN.
The client's network guys have come back and said the issue is at our side. They say that they can see some of our traffic but not all of it. The standard error is shown below, and they say it's symptomatic of the client-side firewall not allowing PPTP traffic:
"A connection between the VPN server and the VPN client XXX.XXX.XXX.XXX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets."
I have very little firewall experience and absolutely no Cisco experience I'm afraid. From looking at the PIX config I can see the following line:
fixup protocol pptp 1723.
Does this mean that the PPTP protocol is enabled on our firewall? Is this for both incoming and outgoing traffic?
I can see no reference to GRE 47 in the PIX config. Can anyone advise me what I should look for to see if this has been enabled or not?
I apologise again for my lack of knowledge. Any help or advice would be very gratefully received.
Ros
Hi Eugene,
Thank you for taking the time to reply to me. Please see our full PIX config below. I've XX'd out names and IP addresses as I'm never comfortable posting those type of details in a public forum. I hope that the information below is still sufficient for you.
Thanks again for your help,
Ros
PIX(config)# en
Not enough arguments.
Usage: enable password [] [level ] [encrypted]
no enable password level
show enable
PIX(config)# show config
: Saved
: Written by enable_15 at 10:30:31.976 GMT/BDT Mon Apr 4 2011
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password XXX encrypted
passwd XXX encrypted
hostname PIX
domain-name XXX.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name XX.XX.XX.XX Secondary
access-list outside_access_in permit tcp XX.XX.XX.XX 255.255.255.240 host XX.XX.XX.XX eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq https
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 993
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 587
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 82
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 8082
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl deny udp any any eq 135
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_40 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_60 permit ip any XX.XX.XX.XX 255.255.255.0
access-list USER1 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_10 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_20 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_30 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_50 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_70 permit ip any XX.XX.XX.XX 255.255.0.0
access-list USER2 permit ip any XX.XX.XX.XX 255.255.255.0
access-list USER3 permit ip any XX.XX.XX.XX 255.255.255.0
access-list USER4 permit ip any XX.XX.XX.XX 255.255.0.0
pager lines 24
logging on
logging host inside XX.XX.XX.XX
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside XX.XX.XX.XX 255.255.255.248
ip address inside XX.XX.XX.XX 255.255.255.0
no ip address DMZ
ip audit info action alarm
ip audit attack action alarm
pdm location XX.XX.XX.XX 255.255.255.255 inside
pdm location XX.XX.XX.XX 255.255.0.0 outside
pdm location XX.XX.XX.XX 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
route inside XX.XX.XX.XX 255.255.0.0 XX.XX.XX.XX 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authenticate
ntp server XX.XX.XX.XX source outside prefer
http server enable
http XX.XX.XX.XX 255.255.0.0 outside
http XX.XX.XX.XX 255.255.255.0 outside
http XX.XX.XX.XX 255.255.255.255 inside
snmp-server host inside XX.XX.XX.XX
no snmp-server location
no snmp-server contact
snmp-server community XXX
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cola 20 set transform-set ESP-3DES-MD5
crypto dynamic-map dod 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp dynamic cola
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XX.XX.XX.XX
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 25 ipsec-isakmp
crypto map outside_map 25 match address USER1
crypto map outside_map 25 set peer XX.XX.XX.XX
crypto map outside_map 25 set transform-set ESP-3DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer XX.XX.XX.XX
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer XX.XX.XX.XX
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set peer XX.XX.XX.XX
crypto map outside_map 50 set transform-set ESP-3DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer XX.XX.XX.XX
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 70 ipsec-isakmp
crypto map outside_map 70 match address outside_cryptomap_70
crypto map outside_map 70 set peer XX.XX.XX.XX
crypto map outside_map 70 set transform-set ESP-3DES-MD5
crypto map outside_map 75 ipsec-isakmp
crypto map outside_map 75 match address USER4
crypto map outside_map 75 set peer XX.XX.XX.XX
crypto map outside_map 75 set transform-set ESP-3DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address USER2
crypto map outside_map 80 set peer XX.XX.XX.XX
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 90 ipsec-isakmp
crypto map outside_map 90 match address USER3
crypto map outside_map 90 set peer XX.XX.XX.XX
crypto map outside_map 90 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet XX.XX.XX.XX 255.255.0.0 outside
telnet XX.XX.XX.XX 255.255.255.255 inside
telnet XX.XX.XX.XX 255.255.255.255 inside
telnet XX.XX.XX.XX 255.255.255.255 inside
telnet timeout 30
ssh XX.XX.XX.XX 255.255.255.248 outside
ssh XX.XX.XX.XX 255.255.255.248 outside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:XXX
PIX(config)#
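PPTP uses two channels: a TCP control connection on port 1723 and a GRE (IP protocol 47) tunnel carrying the data, which is why the error text in the question mentions GRE. The checker below is an added example, not code from the thread; it runs over a constructed config fragment (documentation addresses, not the poster's masked config) and reports what the config says about each channel, assuming the PIX 6.3 `fixup protocol pptp` inspects the TCP 1723 control channel and admits the matching GRE session through PAT, while a GRE permit on the outside ACL is only needed when an outside party must initiate PPTP to a host behind the PIX.

```python
import re

# Constructed sample config fragment carrying the lines the check cares about
# (documentation addresses, not the poster's real config).
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol pptp 1723
access-list outside_access_in permit tcp any host 192.0.2.10 eq smtp
access-list outside_access_in permit tcp any host 192.0.2.10 eq www
access-group outside_access_in in interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def pptp_readiness(config):
    """Report what a PIX 6.3 config says about PPTP (TCP 1723 + GRE, IP proto 47).

    Returned keys:
      pptp_fixup              - "fixup protocol pptp <port>" is present
      outside_acl             - name of the ACL applied inbound on outside, or None
      outside_acl_permits_gre - that ACL has an explicit "permit gre"/"permit 47"
      outbound_client_via_pat - fixup present, so GRE for client-initiated PPTP
                                is inspected and passed through PAT
      inbound_server          - an outside peer could also initiate PPTP to a
                                host behind the PIX (needs fixup and GRE permit)
    """
    lines = [l.strip() for l in config.splitlines()]
    fixup = any(re.fullmatch(r"fixup protocol pptp \d+", l) for l in lines)

    # Find the ACL applied inbound on the outside interface.
    acl_name = None
    for l in lines:
        m = re.fullmatch(r"access-group (\S+) in interface outside", l)
        if m:
            acl_name = m.group(1)
            break

    # Does that ACL carry an explicit GRE permit (keyword "gre" or number 47)?
    gre_permit = False
    if acl_name:
        ace = re.compile(rf"access-list {re.escape(acl_name)} permit (gre|47) .*")
        gre_permit = any(ace.fullmatch(l) for l in lines)

    return {
        "pptp_fixup": fixup,
        "outside_acl": acl_name,
        "outside_acl_permits_gre": gre_permit,
        "outbound_client_via_pat": fixup,
        "inbound_server": fixup and gre_permit,
    }


if __name__ == "__main__":
    for key, value in pptp_readiness(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```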
Link to configuration convertor tool from PIX to ASA
Hi,
I have been looking unsuccessfully for the Cisco tool that takes the PIX config and converts it to ASA (PIX 5125 to ASA 5520). I was wondering if I need that and, if it is a yes, where I can find that tool on the Cisco site please?
Regards,
Masood
Hello again,
this configuration has really confused me since it has the standby keyword under the inside interface!? I do not want to change any configs under the inside interface of my current PIX configuration.
Would you please be able to tell me what I need to type on the ASAs to configure them for this cable based failover?
Here is what the link you suggested has listed, which is confusing since it has the standby keyword under the inside interface:
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
no shut
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
no shut
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
no shut
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
no shut
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
no shut
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
no shut
and the STANDBY:
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key *****
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
Now, I already have the configs from the PIX 525 which I am going to paste directly onto the ASA, which has been downgraded to 8.2.3.
So how does it work with the failover configuration?
Can you please advise on how I go about the following:
1- configure failover before I paste the PIX config onto the ASA?
2- paste the config from the PIX 525 onto the ASA, which I have already downgraded to version 8.2.3.
Please advise.
Regards,
Masood