DMZ on PIX

Hi all, how do these work? Do they still allow all access from internal, but you have to open ports up to it inbound?

Hello Carl
Yeah, of course... that's how the algorithm works... higher security to lower security - packets are allowed.
Traffic from lower security to higher security - you need to allow it through ACLs...
Hope this helps.. all the best.. rate replies if found useful..
Raj

Similar Messages

  • DMZ zone with PIX 501

    - How do I setup a DMZ zone with PIX 501 firewall? Do I need to use an additional router? I have CISCO 1605 at my disposal.
    - If I can't do that, what would be an alternative way to set up an FTP server similarly to the DMZ way?
    (We're using IPsec/GRE VPN between our 3 sites. We're on a W2K network.)
    thanks,
    oleg

    When talking about setting up a DMZ, a PIX model with at least three interfaces is required. On a PIX 501, only two interfaces are available, an outside interface (Ethernet) and an inside interface (available as a 4-port switch). For setting up a DMZ, you will need an additional interface, and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy, and you are unlikely to find a satisfactory level of support for it, for the simple reason that not many networks are deployed that way.

  • By design or sheer dumb luck? Is configuration necessary in this case?

    Hey all, I saw something that stumped me for a moment today and then got me thinking.
    A colleague of mine had set up a test lab at work. This was to evaluate a PIX environment, but was nothing too fancy: a couple of host PCs emulating internet-based servers, a PC emulating an internal LAN machine, a machine pretending to be a host in a DMZ, the PIX itself, and a router pointing where necessary between them all.
    Now normally, to keep this all segregated for testing purposes, I would VLAN everything up, with a separate VLAN for all the networks involved. Or use separate, dumb switches.
    But my partner here takes an unconfigured switch with all ports up and... just plugs everything in. I am aghast, but his reasoning is that, when devices ARP for the MAC of the device they want to speak to, the switch will know what's on each port anyway and will forward it via the appropriate port. Which sort of makes sense... but I can't help but feel that this is too straightforward, and that the law of unintended consequences will take over.
    (Oddly enough, I've discovered that this has happened in production, and I'm currently trying to debug some odd traffic that's appearing on a DMZ interface on a PIX. I'm starting to wonder...)
    Anyone have any thoughts? Timesaving good idea or lazy shortcut?
    Cheers all,
    Gar

    Gar
    I think that it is a lazy shortcut. When your colleague connected the devices this way things did work as expected. And you probably did not check to see if unexpected things would work - and they would have. If you configure a PC in a certain subnet with a default gateway and you configure other devices in other networks you expect that the PC will forward to its default gateway to get to the other devices. But the way the switch was installed the PC COULD communicate directly with any other device without needing the gateway. Since all devices were effectively in the same VLAN on the switch they were all in the same broadcast domain. In this situation every device would hear the ARP request from every other device. So the PC could have done an ARP directly for some other device, received an ARP response and begun to communicate directly.
    There are reasons why we generally put things into VLANs in our network: reducing the broadcast domain being one of them, increasing security is another, and there are a number of other reasons. When you install a switch in the way that you describe you undo those things.
    It was a test environment and it worked. But I certainly would not want to see you do it that way in a production environment.
    HTH
    Rick

  • WLC+Anchor+Guest NAC

    Hello all
    I have a few basic clarifications on these components. I have a network with LWAPPs and a WLC on one site - say Site A. Let's consider only the guest SSID access as of now. The Anchor guest controller is positioned on a DMZ segment on Site B. Site A & B are connected through a routed network. I also have a NAC guest server on Site C. Now, I want to integrate all these components. As per my knowledge, the following is the traffic flow:
    1) When guest users access their SSID, they are mapped to the anchor controller in the DMZ through mobility groups. The WLC then initiates an EoIP tunnel to the DMZ controller. Firewall rules allow all required ports (IP 97, 16666 UDP etc.), and end-to-end IP communication happens.
    2) Upon the request, the Anchor controller provides an IP address from DHCP configured locally. In this case, will the default gateway of the PCs be the Anchor DMZ controller's WLAN IP, or will it be local to Site A (say an L3 switch)?
    3) Then when the user tries to access any site, he is given a web authentication portal, which is linked to the RADIUS server/NAC guest server. During authentication, the DMZ controller again tries speaking to the NAC guest server in Site C; hence the firewall has to allow for UDP 1812/1813 RADIUS ports.
    4) After authentication, the user browses the internet. Now, what will be the IP packet flow in this instance? Will all traffic be first tunneled across LWAPP to the controller, and from there EoIP'ed to the Anchor? The Anchor then forwards it to the internet gateway, through the DMZ? As asked before, will the default gateway of the PCs be the WLAN IP of the anchor? If there are too many users, will I create many WLAN SSIDs for guests for Site A?
    Sorry for the long post..
    Raj

    Greg
    Thanks again.. that was useful too. One last query.. and this was grilling my head:
    1) How does the guest VLAN egress work? I have a WLC on a new DMZ of the PIX, with a /27 subnet. This WLAN is used only for EoIP communication. Now, when the guest user gets a DHCP IP, what IP pool should I define here? Since the default route is going to be towards the PIX, it should be one among the 4 interfaces, right? Or should I have another interface or VLAN DMZ for the egress traffic from the WLC? The SRND says something about dynamic interfaces, but it is not explained at all :(
    2) Will the foreign WLC talk to Anchor controllers 1 & 2 in load balancing mode? Why I'm asking is, if DHCP is defined on Anchor 1 and the request goes to Anchor 2, then it will be an issue. Otherwise, is it advisable to split up DHCP scopes between the two Anchors? Say 1-127 on one anchor and 128-254 on the other?
    3) Lastly, about guest NAC servers. I have 2 of them in place. Will the guest database be replicated between them, like what ACS does? If so, is the replication bidirectional? If a lobby admin creates an account, it will be good if he just creates it in one box, and the other box replicates it.
    Thanks for all your answers.. it has been really useful to me.. and I think it will be useful for anyone who works on Anchor+guest+foreign WLC designs :)
    Raj

  • Choose a firewall

    My case is like this: a (web) application server hosts multiple web apps for the public to access. Moderate traffic. The server is located in a commercial hosting company's server room, so the server can directly plug into the LAN (which is connected to the internet).
    1) Among the PIX 50x series, which firewall fits this situation better? (I'll need the firewall to support the NAT, DMZ and VPN). Or I may even need other firewalls (budget sensitive).
    2) Is the double firewall necessary to build the DMZ? (i.e. PIX --DMZ-- PIX)
    3) Any opinion or comment on the Microsoft ISA Server 2004 (which claims to be a better firewall).
    Many thanks.
    Scott

    Hi
    AFAIK, a PIX firewall like either the 501, which has 2 FastEthernet ports, or the 515E, which can have a max of 6 FastEthernet ports, can serve your purpose.
    If you want to configure a DMZ with the PIX itself, then you would require one more FastEthernet port in addition to one input and one output interface.
    The output interface is the one which gets you connected to the outside public world (LAN here), and the inside port connects to your local LAN or server farm.
    You can always isolate the local LAN and server farm into 2 different zones if they are present, or else you can connect your server up to the inside port itself.
    But do remember that you are configuring it to allow all the required ports which are accessed by the public.
    Also you have the advantage of configuring normal VPNs and also configuring the PIX as an Easy VPN server too, to cater to your mobile users.
    regds

  • Dual-homed servers connected directly to redundant CSSs

    Hi.
    I have no experience with Cisco content switches and I need help with this implementation:
    I have a DMZ on a PIX cluster, where there are 3 pairs of servers, and I need to load balance traffic to them.
    I want to connect the PIX cluster to L2 switches, then connect the L2 switches to redundant CSSs, and connect the servers directly to the CSSs dual-homed (primary NIC to primary CSS and secondary NIC to backup CSS). I'm not sure whether this dual-homed connection will work correctly. What kind of CSS redundancy should I use?

    Dual NIC does not work with a server directly connected to the CSS.
    You should connect your servers to a pair of L2 switches and then connect the L2 switches to the CSS.
    Regards,
    Gilles.

  • Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)

    Hello,
    I have two web servers that are sitting in a DMZ behind a Cisco PIX 515E firewall. The web servers appear to be configured correctly, as our website and FTP site are up. On two of our main websites, we have two contact forms that use a simple HTML form to call a PHP script that uses SMTP as its mailing protocol. Since I am not the network administrator, I don't quite understand how to read the current configuration on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem down is the following: I used a WAMP server to test our scripts with our SMTP server's settings, and was able to successfully send an email out to both my Gmail and workplace accounts. Currently, we have Backup Exec loaded on both of these servers, and when I try to send out an alert I never receive it. I think it is because port 25 is closed on both of those servers. I will be posting our configuration. If anyone can take a look and perhaps explain to me how I can change our web servers to communicate and successfully deliver mail via that script, I would gladly appreciate it. Our IP range is 172.x.x.x, but it looks like our web servers are using 192.x.x.x with NAT in place. Please, someone help.
    Thanks,
    Jeff Mateo
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password GFO9OSBnaXE.n8af encrypted
    passwd GFO9OSBnaXE.n8af encrypted
    hostname morrow-pix-ct
    domain-name morrowco.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 12.42.47.27 LI-PIX
    name 172.20.0.0 CT-NET
    name 172.23.0.0 LI-NET
    name 172.22.0.0 TX-NET
    name 172.25.0.0 NY-NET
    name 192.168.10.0 CT-DMZ-NET
    name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
    name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
    name 199.191.128.105 web-dns-1
    name 12.127.16.69 web-dns-2
    name 12.3.125.178 NY-PIX
    name 64.208.123.130 TX-PIX
    name 24.38.31.80 CT-PIX
    object-group network morrow-net
    network-object 12.42.47.24 255.255.255.248
    network-object NY-PIX 255.255.255.255
    network-object 64.208.123.128 255.255.255.224
    network-object 24.38.31.64 255.255.255.224
    network-object 24.38.35.192 255.255.255.248
    object-group service morrow-mgmt tcp
    port-object eq 3389
    port-object eq telnet
    port-object eq ssh
    object-group network web-dns
    network-object web-dns-1 255.255.255.255
    network-object web-dns-2 255.255.255.255
    access-list out1 permit icmp any any echo-reply
    access-list out1 permit icmp object-group morrow-net any
    access-list out1 permit tcp any host 12.193.192.132 eq ssh
    access-list out1 permit tcp any host CT-PIX eq ssh
    access-list out1 permit tcp any host 24.38.31.72 eq smtp
    access-list out1 permit tcp any host 24.38.31.72 eq https
    access-list out1 permit tcp any host 24.38.31.72 eq www
    access-list out1 permit tcp any host 24.38.31.70 eq www
    access-list out1 permit tcp any host 24.38.31.93 eq www
    access-list out1 permit tcp any host 24.38.31.93 eq https
    access-list out1 permit tcp any host 24.38.31.93 eq smtp
    access-list out1 permit tcp any host 24.38.31.93 eq ftp
    access-list out1 permit tcp any host 24.38.31.93 eq domain
    access-list out1 permit tcp any host 24.38.31.94 eq www
    access-list out1 permit tcp any host 24.38.31.94 eq https
    access-list out1 permit tcp any host 24.38.31.71 eq www
    access-list out1 permit tcp any host 24.38.31.71 eq 8080
    access-list out1 permit tcp any host 24.38.31.71 eq 8081
    access-list out1 permit tcp any host 24.38.31.71 eq 8090
    access-list out1 permit tcp any host 24.38.31.69 eq ssh
    access-list out1 permit tcp any host 24.38.31.94 eq ftp
    access-list out1 permit tcp any host 24.38.31.92 eq 8080
    access-list out1 permit tcp any host 24.38.31.92 eq www
    access-list out1 permit tcp any host 24.38.31.92 eq 8081
    access-list out1 permit tcp any host 24.38.31.92 eq 8090
    access-list out1 permit tcp any host 24.38.31.93 eq 3389
    access-list out1 permit tcp any host 24.38.31.92 eq https
    access-list out1 permit tcp any host 24.38.31.70 eq https
    access-list out1 permit tcp any host 24.38.31.74 eq www
    access-list out1 permit tcp any host 24.38.31.74 eq https
    access-list out1 permit tcp any host 24.38.31.74 eq smtp
    access-list out1 permit tcp any host 24.38.31.75 eq https
    access-list out1 permit tcp any host 24.38.31.75 eq www
    access-list out1 permit tcp any host 24.38.31.75 eq smtp
    access-list out1 permit tcp any host 24.38.31.70 eq smtp
    access-list out1 permit tcp any host 24.38.31.94 eq smtp
    access-list dmz1 permit icmp any any echo-reply
    access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
    access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
    access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
    access-list dmz1 permit ip any any
    access-list dmz1 deny ip any any
    access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
    access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
    access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
    access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
    access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
    access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
    access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
    access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
    access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
    access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
    access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
    access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
    access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
    access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
    access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.0
    access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255.248.0
    access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
    access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
    access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
    access-list in1 permit tcp host 172.20.1.21 any eq smtp
    access-list in1 permit tcp host 172.20.1.20 any eq smtp
    access-list in1 deny tcp any any eq smtp
    access-list in1 permit ip any any
    access-list in1 permit tcp any any eq smtp
    access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
    access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
    access-list in2 deny ip host 172.20.1.82 any
    access-list in2 deny ip host 172.20.1.83 any
    access-list in2 permit ip any any
    pager lines 43
    logging on
    logging timestamp
    logging buffered notifications
    logging trap notifications
    logging device-id hostname
    logging host inside 172.20.1.22
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside CT-PIX 255.255.255.224
    ip address inside 172.20.8.1 255.255.255.0
    ip address DMZ 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ctpool 192.168.220.100-192.168.220.200
    ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
    pdm history enable
    arp timeout 14400
    global (outside) 1 24.38.31.81
    nat (inside) 0 access-list nat0
    nat (inside) 1 CT-NET 255.255.0.0 2000 10
    nat (DMZ) 0 access-list nat0-dmz
    static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
    static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
    static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
    static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
    static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
    access-group out1 in interface outside
    access-group dmz1 in interface DMZ
    route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
    route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
    route inside CT-NET 255.255.248.0 172.20.8.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server ct-rad protocol radius
    aaa-server ct-rad max-failed-attempts 2
    aaa-server ct-rad deadtime 10
    aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 173.220.252.56 255.255.255.248 outside
    http 65.51.181.80 255.255.255.248 outside
    http 208.65.108.176 255.255.255.240 outside
    http CT-NET 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community m0rroW(0
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
    crypto dynamic-map dyn_map 20 match address vpn-dyn-match
    crypto dynamic-map dyn_map 20 set transform-set 3des-sha
    crypto map ct-crypto 10 ipsec-isakmp
    crypto map ct-crypto 10 match address vpn-ct-li-gre
    crypto map ct-crypto 10 set peer LI-PIX
    crypto map ct-crypto 10 set transform-set 3des-sha
    crypto map ct-crypto 15 ipsec-isakmp
    crypto map ct-crypto 15 match address vpn-ct-li
    crypto map ct-crypto 15 set peer LI-PIX
    crypto map ct-crypto 15 set transform-set 3des-sha
    crypto map ct-crypto 20 ipsec-isakmp
    crypto map ct-crypto 20 match address vpn-ct-ny
    crypto map ct-crypto 20 set peer NY-PIX
    crypto map ct-crypto 20 set transform-set 3des-sha
    crypto map ct-crypto 30 ipsec-isakmp
    crypto map ct-crypto 30 match address vpn-ct-tx
    crypto map ct-crypto 30 set peer TX-PIX
    crypto map ct-crypto 30 set transform-set 3des-sha
    crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
    crypto map ct-crypto client authentication ct-rad
    crypto map ct-crypto interface outside
    isakmp enable outside
    isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash md5
    isakmp policy 30 group 1
    isakmp policy 30 lifetime 86400
    vpngroup remotectusers address-pool ctpool
    vpngroup remotectusers dns-server 172.20.1.5
    vpngroup remotectusers wins-server 172.20.1.5
    vpngroup remotectusers default-domain morrowny.com
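An added example (not from any post in this thread, and not Cisco code): a small Python model of the two rules Raj's reply at the top describes and that the configuration above relies on. On this PIX 6.3 the list bound inbound on an interface (access-group) decides for traffic entering that interface, top-down with first match winning; where no list is bound, higher security to lower is allowed and lower to higher is denied. It parses an excerpt of the posted out1 and dmz1 lists and evaluates sample flows; 203.0.113.25 and 198.51.100.7 are constructed addresses, and translation (static/nat/global), which the real firewall also requires, is not modelled.

```python
"""Model of how the PIX in this thread decides whether a flow may pass.

Two rules, applied in this order (PIX 6.3 semantics):
  1. If an access-list is bound inbound on the source interface
     ("access-group NAME in interface IF"), that list decides: entries are
     checked top-down, the first match wins, and an unmatched packet hits
     the implicit deny at the end of the list.
  2. With no list bound, the security-level algorithm applies: higher
     security to lower security is allowed, lower to higher is denied.
Address translation (static/nat/global) is a separate requirement that the
real firewall also checks; it is not modelled here.
"""
import ipaddress

# Copied from the posted configuration (names, nameif levels, access-group).
NAMES = {"CT-NET": "172.20.0.0", "CT-DMZ-NET": "192.168.10.0", "CT-PIX": "24.38.31.80"}
SECURITY = {"outside": 0, "inside": 100, "DMZ": 50}
BOUND = {"outside": "out1", "DMZ": "dmz1"}   # no list is bound on inside
PORTS = {"smtp": 25, "www": 80, "https": 443, "ftp": 21, "ssh": 22, "domain": 53}

# Excerpt of the posted access-lists (order preserved within each list).
# Note that out1 matches on the global (translated) address, e.g. 24.38.31.93,
# because on this software an outside list is checked before untranslation.
CONFIG = """
access-list out1 permit icmp any any echo-reply
access-list out1 permit tcp any host 24.38.31.93 eq www
access-list out1 permit tcp any host 24.38.31.93 eq smtp
access-list dmz1 permit icmp any any echo-reply
access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
access-list dmz1 permit ip any any
access-list dmz1 deny ip any any
"""


def _addr(tokens):
    """Consume one PIX address spec ("any", "host X", or "NET MASK")."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(host, host) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{NAMES.get(tok, tok)}/{mask}", strict=False)


def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, service), ...]}."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto, rest = t[1], t[2], t[3], t[4:]
        src, dst = _addr(rest), _addr(rest)
        service = None
        if rest and rest[0] == "eq":            # destination port
            service = PORTS.get(rest[1]) or int(rest[1])
        elif rest:                               # ICMP type, e.g. echo-reply
            service = rest[0]
        acls.setdefault(name, []).append((action, proto, src, dst, service))
    return acls


def evaluate(acl, proto, src, dst, service=None):
    """First-match evaluation; returns (action, 1-based line) or ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, snet, dnet, svc) in enumerate(acl, 1):
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if svc is not None and svc != service:
            continue
        return action, n
    return "deny", None                          # implicit deny at the end


def flow_allowed(acls, src_if, dst_if, proto, src, dst, service=None):
    """Return (allowed, reason) for a flow entering src_if and leaving dst_if."""
    name = BOUND.get(src_if)
    if name:
        action, line = evaluate(acls[name], proto, src, dst, service)
        where = f"{name} line {line}" if line else f"{name} implicit deny"
        return action == "permit", where
    if SECURITY[src_if] > SECURITY[dst_if]:
        return True, "higher to lower security, no ACL bound"
    return False, "lower to higher security, ACL required"


ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    for flow in [("inside", "DMZ", "tcp", "172.20.1.20", "192.168.10.140", 80),
                 ("DMZ", "inside", "tcp", "192.168.10.140", "172.20.1.20", 25),
                 ("DMZ", "outside", "tcp", "192.168.10.140", "203.0.113.25", 25),
                 ("outside", "DMZ", "tcp", "198.51.100.7", "24.38.31.93", 25)]:
        print(flow, "->", flow_allowed(ACLS, *flow))
```

Run as a script it prints, for each sample flow, whether it passes and which list entry decided; the DMZ-to-inside SMTP case stops at the third dmz1 entry, while the same host's SMTP toward the internet reaches the permit ip any any line.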

    Amit,
    I applaud your creativity in seeking to solve your problem; however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database: it's just too many layers, in my opinion, where things can go wrong. Two, it seems to me that you are exposing data on your website (with the PHP) that you may not want to expose, and this is an important consideration when you are dealing with emails and privacy and so on.
    I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down to read-only access and locked down to the specific IP or IP range that your Java program will be connecting from.
    Again, I applaud your creativity, but truly this seems like a hack because of the complexity and security concerns you are introducing, and I think it is a path to the land of trouble. Hopefully you will be able to get a remote account set up.

  • Load balancing of PIX firewalls with multiple DMZs

    I need a suggestion about how to balance the traffic through two PIX firewalls with 4 interfaces (IN, OUT, DMZ1, DMZ2).
    In all the documentation related to the subject, I always see the firewalls with only two interfaces:
    http://www.cisco.com/warp/customer/117/fw_load_balancing.html
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/firewall.htm
    What if I need to balance on more than 2 interfaces?
    Do I have to add more content switches, one for each interface ?
    Or could I use VLANs inside the same content switches, and assign the ports to DMZs appropriately ?
    Thank you in advance for any help.

    We just had some internal discussions about that at my work, and the suggestion from a local Cisco specialist was, if you want to leverage load balancing over multiple DMZs, then you get the CSS blades for the 65xx's. Right now we have multiple CSS and LD failover pairs (one pair for each DMZ) and it is starting to become expensive, while we aren't really utilizing their full capacity. If you get the blades, they have Gigabit traces to the backplane of the switch, and you can use them for as many ports as you have on the 6500.
    Then again, it depends on whether physical security is essential to you and you are concerned with L2 attacks (VLAN hopping, etc.). There are tradeoffs and benefits when using a consolidated infrastructure.

  • What syntax would I use to take off a DMZ, Outside static route from a Pix

    I am having a problem with mail coming in and currently have all SMTP traffic going to a mail filtering server. I want to point the traffic directly to the Exchange server instead, but before I do, I want to make sure that I can take that static off after the test.
    This is the syntax that I have and would like to change:
    static (DMZ,outside) tcp xxx.xxx.xxx.xxx smtp 172.16.xxx.xxx smtp netmask 255.255.255.255 0 0
    I would like to point it to another IP address and then take it off.

    Hello,
    not sure if this is what you are asking, but check this link to the PIX command reference:
    static
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
    HTH,
    GP

  • Content Engine on PIX DMZ

    Can we place the Content Engine's outside interface on the PIX DMZ interface? At the moment both the WCCP router and Content Engine are on the outside. I want to place the Content Engine's outside interface on the PIX DMZ and then run WCCP between the Content Engine and the outside router.
    Thank you.

    Yes. You can place the Content Engine towards the outside interface on the PIX. This should work.

  • PIX/ASA not able to reach DMZ

    Hi everyone,
    I am able to ping from outside to inside for all IPs, but there is no communication from inside and outside to the DMZ.
    I did "debug icmp trace 255" and it gives the debug below. Can anyone guide me if I am making any mistake here in the config?
    pixfirewall(config)# ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=0 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=1 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=2 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=3 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=4 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    DMZ>sh ip int br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                192.168.0.1     YES manual up                    up 
    Ethernet0/1                unassigned      YES unset  administratively down down
    Ethernet0/2                unassigned      YES unset  administratively down down
    Ethernet0/3                unassigned      YES unset  administratively down down
    FastEthernet1/0            20.1.1.2        YES NVRAM  administratively down down
    Loopback0                  192.168.10.10   YES manual up                    up 
    Loopback1                  4.4.4.4         YES NVRAM  up                    up 
    DMZ>
    INSIDE-RTR>sh ip int br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                10.10.254.2     YES NVRAM  up                    up 
    Ethernet0/1                unassigned      YES NVRAM  administratively down down
    Ethernet0/2                unassigned      YES NVRAM  administratively down down
    Ethernet0/3                unassigned      YES NVRAM  administratively down down
    Loopback0                  10.14.8.50      YES NVRAM  up                    up 
    Loopback1                  10.10.10.10     YES manual up                    up 
    INSIDE-RTR>
    OUTSIDE>sh ip int br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                unassigned      YES TFTP   administratively down down
    Ethernet0/1                131.1.23.1      YES NVRAM  up                    up 
    Ethernet0/2                unassigned      YES NVRAM  administratively down down
    Ethernet0/3                unassigned      YES NVRAM  administratively down down
    Loopback0                  5.5.5.5         YES manual up                    up 
    Loopback1                  1.1.1.1         YES NVRAM  up                    up 
    OUTSIDE>
    pixfirewall# sh run
    : Saved
    PIX Version 7.2(4)
    hostname pixfirewall
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0
    speed 100
    duplex full
    nameif INSIDE
    security-level 100
    ip address 10.10.254.1 255.255.255.0
    interface Ethernet1
    speed 100
    duplex full
    nameif OUTSIDE
    security-level 0
    ip address 131.1.23.2 255.255.255.0
    interface Ethernet2
    speed 100
    duplex full
    shutdown
    no nameif
    security-level 50
    no ip address
    interface Ethernet3
    speed 100
    duplex full
    nameif DMZ
    security-level 50
    ip address 192.168.0.2 255.255.255.0
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    ftp mode passive
    same-security-traffic permit intra-interface
    access-list 101 extended permit ip any any log
    access-list ACL-BW extended permit ip any any
    access-list DMZtoINSIDE extended permit ip any any log
    pager lines 24
    logging buffered debugging
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 131.1.23.12-131.1.23.254
    nat (INSIDE) 1 10.0.0.0 255.0.0.0
    static (INSIDE,OUTSIDE) 131.1.23.11 10.14.8.50 netmask 255.255.255.255
    static (INSIDE,DMZ) 192.168.11.11 10.10.10.10 netmask 255.255.255.255
    static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
    access-group 101 in interface OUTSIDE
    access-group DMZtoINSIDE in interface DMZ
    route INSIDE 10.14.8.0 255.255.255.0 10.10.254.2 1
    route INSIDE 10.10.10.0 255.255.255.0 10.10.254.2 1
    route OUTSIDE 0.0.0.0 0.0.0.0 131.1.23.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    priority-queue OUTSIDE
    class-map CLASS-BW
    match access-list ACL-BW
    class-map bw-limit1
    policy-map POLICY-BW
    class CLASS-BW
      police output 8000 1000 conform-action drop
    service-policy POLICY-BW interface OUTSIDE
    prompt hostname context
    Cryptochecksum:2544d2c2a04267b55ac2ae90ba42d40f
    : end
    =====================
    Thanks for the reply.

    Hi Julio,
    Thanks for your reply.
    Here are the outputs you asked for:
    1- Can you ping 131.1.23.1 from the ASA? ---- yes, it pings
    pixfirewall# ping 131.1.23.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 131.1.23.1, timeout is 2 seconds:
    ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=36579 len=72
    !ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=36579 len=72
    ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=36579 len=72
    2- Can you ping 192.168.10.10 from the ASA? ---- not reachable
    pixfirewall# ping 192.168.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
    ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
    Success rate is 0 percent (0/5)
    pixfirewall#
    I have applied all the captures below:
    access-list capout permit icmp 131.1.23.1 255.255.255.255  host 131.1.23.10
    access-list capout permit icmp host 131.1.23.10 131.1.23.1 255.255.255.255
    access-list capdmz permit icmp host 131.1.23.1 host 192.168.10.10
    access-list capdmz permit icmp host 192.168.10.10 host 131.1.23.1
    capture capdmz access-list capdmz interface dmz
    capture capout access-list capout interface outside
    pixfirewall# clear access-list capout counters
    pixfirewall#
    pixfirewall# clear access-list capdmz counters
    pixfirewall#
    pixfirewall# clear access-list 101 counters
    pixfirewall#
    pixfirewall# clear access-list DMZtoINSIDE counters
    pixfirewall#
    --- then:
    OUTSIDE#ping 131.1.23.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 131.1.23.10, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    OUTSIDE#
    pixfirewall# ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=0 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=1 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=2 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=3 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=4 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    pixfirewall#
    pixfirewall# ping 192.168.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
    ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
    Success rate is 0 percent (0/5)
    pixfirewall#
    pixfirewall#
    pixfirewall# ping 131.1.23.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 131.1.23.1, timeout is 2 seconds:
    ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
    !ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
    !ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
    ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
    ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
    ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
    !ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
    !ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
    ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/50/90 ms
    pixfirewall# ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
    pixfirewall#
    pixfirewall#
    pixfirewall# sh access-list
    access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list 101; 1 elements
    access-list 101 line 1 extended permit ip any any log informational interval 300 (hitcnt=1) 0x28676dfa
    access-list ACL-BW; 1 elements
    access-list ACL-BW line 1 extended permit ip any any (hitcnt=156) 0xfa95bcad
    access-list DMZtoINSIDE; 1 elements
    access-list DMZtoINSIDE line 1 extended permit ip any any log informational interval 300 (hitcnt=0) 0xf5a55e4b
    access-list capout; 2 elements
    access-list capout line 1 extended permit icmp host 131.1.23.1 host 131.1.23.10 (hitcnt=5) 0xfb220e61
    access-list capout line 2 extended permit icmp host 131.1.23.10 host 131.1.23.1 (hitcnt=0) 0xda226f3d
    access-list capdmz; 2 elements
    access-list capdmz line 1 extended permit icmp host 131.1.23.1 host 192.168.10.10 (hitcnt=0) 0xa133807b
    access-list capdmz line 2 extended permit icmp host 192.168.10.10 host 131.1.23.1 (hitcnt=0) 0x99b84706
    pixfirewall#
    ==================
    Thanks for your reply again.
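An added example, not part of the thread and not Cisco's code: a small Python model of the decision the replies above are circling around, for PIX/ASA 7.x with pre-8.3 NAT. It parses a constructed subset of the configuration posted above (nameif, security-level, ip address, access-list, access-group, static, route) and, for a new connection, applies the three rules in order: untranslate the destination with a matching static and take that static's interface as egress; then the inbound access-group on the ingress interface (once one is applied, the higher-to-lower default no longer covers traffic entering that interface, the list ends in an implicit deny, and pre-8.3 the ACE is matched against the mapped address); then, with no access-group, the security-level default. Two things are assumptions of the model rather than facts from the thread: that the real address behind a static must still be routable via the static's interface or the packet is dropped after untranslation, and the DMZ_ROUTE line with its invented next hop 192.168.0.1. Under the posted routes the lookup for 192.168.10.10 resolves to OUTSIDE, because the DMZ interface sits in 192.168.0.0/24 and no route covers 192.168.10.0/24, which is consistent with the PIX sourcing its own ping to that host from 131.1.23.2. Ports 443 and 1433 in the TIGHT policy are invented; TIGHT exists to contrast with the posted `permit ip any any` lists, which admit everything from OUTSIDE and from the DMZ regardless of security level.

```python
import ipaddress
from types import SimpleNamespace

def _net(addr, mask="32"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _operand(tok):
    # ACE address operand 'any' | 'host A' | 'A MASK'; returns (network, remaining tokens)
    if tok[0] == "any":
        return _net("0.0.0.0", "0"), tok[1:]
    return (_net(tok[1]), tok[2:]) if tok[0] == "host" else (_net(tok[0], tok[1]), tok[2:])

def parse(text):
    # level: nameif -> security-level; routes: (network, nameif) from 'ip address' and 'route';
    # acls: name -> [(action, proto, src, dst, dport)]; inbound: nameif -> ACL applied 'in';
    # statics: (real_if, mapped_if, mapped_ip, real_ip). Every other config line is ignored.
    pix, cur = SimpleNamespace(level={}, routes=[], acls={}, inbound={}, statics=[]), None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "nameif":
            cur = w[1]
        elif w[0] == "security-level":
            pix.level[cur] = int(w[1])
        elif w[:2] == ["ip", "address"]:
            pix.routes.append((_net(w[2], w[3]), cur))
        elif w[0] == "route":
            pix.routes.append((_net(w[2], w[3]), w[1]))
        elif w[0] == "access-list" and w[2] == "extended":
            src, rest = _operand(w[5:])
            dst, rest = _operand(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None   # numeric ports only
            pix.acls.setdefault(w[1], []).append((w[3], w[4], src, dst, dport))
        elif w[0] == "access-group":
            pix.inbound[w[4]] = w[1]
        elif w[0] == "static":
            ri, mi = w[1].strip("()").split(",")
            pix.statics.append((ri, mi, ipaddress.ip_address(w[2]), ipaddress.ip_address(w[3])))
    return pix

def egress(pix, dst):
    # longest-prefix match over connected networks and 'route' statements
    dst = ipaddress.ip_address(dst)
    hits = [r for r in pix.routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def check(pix, ingress, src, dst, proto="ip", dport=None):
    """Decide a new connection entering `ingress`; returns (permitted, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    real_dst, out = dst, egress(pix, dst)
    # Pre-8.3 NAT: a static whose mapped side is the ingress interface untranslates the
    # destination and fixes the egress interface. Model assumption: the real address must
    # still be routable via that interface, otherwise the packet is dropped after NAT.
    for real_if, mapped_if, mapped, real in pix.statics:
        if mapped_if == ingress and mapped == dst:
            real_dst, out = real, real_if
            if egress(pix, real_dst) != out:
                return False, f"no route to {real_dst} via {out} after untranslating {dst}"
            break
    acl = pix.inbound.get(ingress)
    if acl:
        # With an access-group applied, the security-level default no longer covers traffic
        # entering this interface: a flow must match a permit or it hits the implicit deny.
        # Pre-8.3 the ACE is matched against the mapped (pre-NAT) destination address.
        for action, aproto, asrc, adst, aport in pix.acls[acl]:
            if aproto in ("ip", proto) and src in asrc and dst in adst and aport in (None, dport):
                return action == "permit", f"{acl}: {action} -> {out}:{real_dst}"
        return False, f"{acl}: implicit deny"
    if pix.level[ingress] > pix.level[out]:
        return True, f"{ingress}({pix.level[ingress]}) > {out}({pix.level[out]}): no ACL needed"
    return False, f"{ingress}({pix.level[ingress]}) -> {out}({pix.level[out]}): needs an ACL"

# Constructed subset of the configuration posted above (interfaces, statics, routes).
BASE = """
nameif INSIDE
security-level 100
ip address 10.10.254.1 255.255.255.0
nameif OUTSIDE
security-level 0
ip address 131.1.23.2 255.255.255.0
nameif DMZ
security-level 50
ip address 192.168.0.2 255.255.255.0
static (INSIDE,DMZ) 192.168.11.11 10.10.10.10 netmask 255.255.255.255
static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
route INSIDE 10.10.10.0 255.255.255.0 10.10.254.2 1
route OUTSIDE 0.0.0.0 0.0.0.0 131.1.23.1 1
"""
# Assumed route for the DMZ host's subnet (next hop invented); the posted config has none.
DMZ_ROUTE = "route DMZ 192.168.10.0 255.255.255.0 192.168.0.1 1\n"
# The posted policy: 'permit ip any any' inbound on both OUTSIDE and DMZ.
POSTED = """
access-list 101 extended permit ip any any log
access-list DMZtoINSIDE extended permit ip any any log
access-group 101 in interface OUTSIDE
access-group DMZtoINSIDE in interface DMZ
"""
# Assumed tighter policy (ports invented): one published service from OUTSIDE, and from the
# DMZ a single TCP port to the inside host's DMZ-side mapped address 192.168.11.11.
TIGHT = """
access-list OUTSIDE_IN extended permit tcp any host 131.1.23.10 eq 443
access-list DMZtoINSIDE extended permit tcp host 192.168.10.10 host 192.168.11.11 eq 1433
access-group OUTSIDE_IN in interface OUTSIDE
access-group DMZtoINSIDE in interface DMZ
"""
```

With `parse(BASE + POSTED)`, `check(pix, "OUTSIDE", "131.1.23.1", "131.1.23.10", "icmp")` fails on the route check, and `egress(pix, "192.168.10.10")` returns OUTSIDE; add DMZ_ROUTE and the same ping is permitted by ACL 101. Under POSTED, anything from 192.168.10.10 to 192.168.11.11 is also permitted into the inside; under TIGHT only TCP 1433 is, and the DMZ-side list must name 192.168.11.11, not 10.10.10.10, because that is the address the DMZ sees through `static (INSIDE,DMZ)`. Without any access-group at all, the model falls back to the security-level rule: INSIDE to DMZ is permitted, OUTSIDE to DMZ and DMZ to INSIDE are not.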

  • Routing Issue in PIX 515E

    Hi all,
    I have a routing problem with a PIX 515E running version 6.3(5). I have some client PCs located on the DMZ interface of the PIX 515E; they connect to the PIX using the Cisco VPN Client (IPsec VPN), and after that these PCs can be routed (static route) to access servers located behind the inside interface of the PIX. I have some servers located remotely that have Internet access; their gateway router connects to the PIX outside interface (Internet) using an IPsec VPN and is then routed to the inside interface (static route).
    After the IPsec VPNs are established, the client PCs behind the DMZ interface can access the servers located behind the inside interface of the PIX. So can the remote servers. However, the client PCs cannot access the remote servers.
    Just wondering if there is any restriction on routing in the PIX?
    Thanks for the answer.

    Hi Jorge,
    Please see the config below:
    Servers behind inside interface 172.16.0.0/16
    Remote Server 172.16.0.199/32
    RA_Client:172.16.45.129-172.16.45.254
    dmz: 192.168.0.0/16
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    access-list from-outside remark
    access-list from-outside permit icmp any any echo-reply
    access-list from-outside remark
    access-list nonat permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
    access-list 101 permit ip 172.16.0.0 255.255.0.0 172.16.45.128 255.255.255.128
    access-list Remote_Server permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
    ip address outside x.x.x.70 255.255.255.248
    ip address inside 172.16.58.20 255.255.255.0
    ip address dmz 192.168.68.20 255.255.255.0
    ip verify reverse-path interface outside
    ip local pool RA_Client_pool 172.16.45.129-172.16.45.254
    global (outside) 1 x.x.x.67 netmask 255.255.255.248
    global (dmz) 1 192.168.68.129-192.168.68.254 netmask 255.255.255.128
    nat (inside) 0 access-list nonat
    nat (inside) 1 172.16.0.0 255.255.0.0 0 0
    access-group from-outside in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
    route outside 172.16.0.199 255.255.255.255 x.x.x.65 1
    route inside 172.16.0.0 255.255.0.0 172.16.58.1 1
    route dmz 172.16.45.128 255.255.255.128 192.168.68.1 1
    route dmz 192.168.0.0 255.255.0.0 192.168.68.1 1
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto dynamic-map map2 40 set transform-set 3des-sha
    crypto map IPSEC 40 ipsec-isakmp dynamic map2
    crypto map IPSEC 50 ipsec-isakmp
    crypto map IPSEC 50 match address Remote_Server
    crypto map IPSEC 50 set peer y.y.y.y
    crypto map IPSEC 50 set transform-set 3des-sha
    crypto map IPSEC 50 set security-association lifetime seconds 900 kilobytes 4608000
    crypto map IPSEC client authentication AuthInbound
    crypto map IPSEC interface outside
    crypto map IPSEC interface dmz
    isakmp enable outside
    isakmp enable dmz
    vpngroup RA_Client address-pool RA_Client_pool
    vpngroup RA_Client dns-server 172.16.9.5
    vpngroup RA_Client wins-server 172.16.9.5
    vpngroup RA_Client split-tunnel 101
    vpngroup RA_Client idle-time 1800
    vpngroup RA_Client password ********

  • Pix vpn tunnel using certificates problem

    hi
    I have set up a small network at home to practice a branch office
    pix 501 obtaining a digital certificate from a windows 2000 server
    which is located on a dmz on a pix 515 over an encrypted tunnel
    the tunnel is initually set up using pre-shared keys and once the
    branch pix has its certificate altering the configs on both pix's
    to use certificates for authentication,but have run into a problem
    i have included an attachment to explain how i went about it and
    the problem i have encounterd
    would appreciate it if someone could take a look and tell me where
    the problem lies
    regards
    melvyn brown

    I am having the same issues with Small Business Server 2003. VPN from the iTouch works fine, but it will not sync contacts, mail and calendar.
    The Apple Store Genius Bar was of no help. Generally they're pretty good. I believe this will be NEW turf for the folks at Apple.

  • Help needed to connect to remote PPTP VPN via PIX 515e

    Hello,
    A user in our office needs to connect to a client's remote PPTP VPN but can't connect. The user is running Windows 7. We have a Cisco PIX 515E firewall running PIX Version 6.3(3); this is what our user has to go through to make the connection to the client's remote VPN.
    The client's network guys have come back and said the issue is at our side.  They say that they can see some of our traffic but not all of it. The standard error is shown below, and they say it's symptomatic of the client-side firewall not allowing PPTP traffic:
    "A connection between the VPN server and the VPN client XXX.XXX.XXX.XXX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets."
    I have very little firewall experience and absolutely no Cisco experience, I'm afraid. From looking at the PIX config I can see the following line:
    fixup protocol pptp 1723
    Does this mean that the PPTP protocol is enabled on our firewall? Is this for both incoming and outgoing traffic?
    I can see no reference to GRE 47 in the PIX config.  Can anyone advise me what I should look for to see if this has been enabled or not?
    I apologise again for my lack of knowledge.  Any help or advice would be very gratefully received.
    Ros

    Hi Eugene,
    Thank you for taking the time to reply to me. Please see our full PIX config below. I've XX'd out names and IP addresses as I'm never comfortable posting those kinds of details in a public forum. I hope that the information below is still sufficient for you.
    Thanks again for your help,
    Ros
    PIX(config)# en
    Not enough arguments.
    Usage:  enable password [] [level ] [encrypted]
            no enable password level
            show enable
    PIX(config)# show config
    : Saved
    : Written by enable_15 at 10:30:31.976 GMT/BDT Mon Apr 4 2011
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security10
    enable password XXX encrypted
    passwd XXX encrypted
    hostname PIX
    domain-name XXX.com
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name XX.XX.XX.XX Secondary
    access-list outside_access_in permit tcp XX.XX.XX.XX 255.255.255.240 host XX.XX.XX.XX eq smtp
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq https
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 993
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 587
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 82
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
    access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
    access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 8082
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.0.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl deny udp any any eq 135
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_40 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_60 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list USER1 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_10 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_20 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_30 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_50 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_70 permit ip any XX.XX.XX.XX 255.255.0.0
    access-list USER2 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list USER3 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list USER4 permit ip any XX.XX.XX.XX 255.255.0.0
    pager lines 24
    logging on
    logging host inside XX.XX.XX.XX
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside XX.XX.XX.XX 255.255.255.248
    ip address inside XX.XX.XX.XX 255.255.255.0
    no ip address DMZ
    ip audit info action alarm
    ip audit attack action alarm
    pdm location XX.XX.XX.XX 255.255.255.255 inside
    pdm location XX.XX.XX.XX 255.255.0.0 outside
    pdm location XX.XX.XX.XX 255.255.255.0 outside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
    static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
    static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
    static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
    route inside XX.XX.XX.XX 255.255.0.0 XX.XX.XX.XX 1
    timeout xlate 3:00:00
    timeout conn 2:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp authenticate
    ntp server XX.XX.XX.XX source outside prefer
    http server enable
    http XX.XX.XX.XX 255.255.0.0 outside
    http XX.XX.XX.XX 255.255.255.0 outside
    http XX.XX.XX.XX 255.255.255.255 inside
    snmp-server host inside XX.XX.XX.XX
    no snmp-server location
    no snmp-server contact
    snmp-server community XXX
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map cola 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map dod 10 set transform-set ESP-3DES-MD5
    crypto map outside_map 10 ipsec-isakmp dynamic cola
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer XX.XX.XX.XX
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 25 ipsec-isakmp
    crypto map outside_map 25 match address USER1
    crypto map outside_map 25 set peer XX.XX.XX.XX
    crypto map outside_map 25 set transform-set ESP-3DES-MD5
    crypto map outside_map 30 ipsec-isakmp
    crypto map outside_map 30 match address outside_cryptomap_30
    crypto map outside_map 30 set peer XX.XX.XX.XX
    crypto map outside_map 30 set transform-set ESP-3DES-MD5
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer XX.XX.XX.XX
    crypto map outside_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 50 ipsec-isakmp
    crypto map outside_map 50 match address outside_cryptomap_50
    crypto map outside_map 50 set peer XX.XX.XX.XX
    crypto map outside_map 50 set transform-set ESP-3DES-MD5
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address outside_cryptomap_60
    crypto map outside_map 60 set peer XX.XX.XX.XX
    crypto map outside_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 70 ipsec-isakmp
    crypto map outside_map 70 match address outside_cryptomap_70
    crypto map outside_map 70 set peer XX.XX.XX.XX
    crypto map outside_map 70 set transform-set ESP-3DES-MD5
    crypto map outside_map 75 ipsec-isakmp
    crypto map outside_map 75 match address USER4
    crypto map outside_map 75 set peer XX.XX.XX.XX
    crypto map outside_map 75 set transform-set ESP-3DES-MD5
    crypto map outside_map 80 ipsec-isakmp
    crypto map outside_map 80 match address USER2
    crypto map outside_map 80 set peer XX.XX.XX.XX
    crypto map outside_map 80 set transform-set ESP-3DES-MD5
    crypto map outside_map 90 ipsec-isakmp
    crypto map outside_map 90 match address USER3
    crypto map outside_map 90 set peer XX.XX.XX.XX
    crypto map outside_map 90 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet XX.XX.XX.XX 255.255.0.0 outside
    telnet XX.XX.XX.XX 255.255.255.255 inside
    telnet XX.XX.XX.XX 255.255.255.255 inside
    telnet XX.XX.XX.XX 255.255.255.255 inside
    telnet timeout 30
    ssh XX.XX.XX.XX 255.255.255.248 outside
    ssh XX.XX.XX.XX 255.255.255.248 outside
    ssh timeout 30
    management-access inside
    console timeout 0
    terminal width 80
    Cryptochecksum:XXX
    PIX(config)#
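An added example, not from the thread and not Cisco's code: a toy Python model of what `fixup protocol pptp 1723` does for the GRE half of a client-initiated PPTP session, which is the situation the question above describes (inside Windows client, remote PPTP server, PIX 6.3 doing PAT to the outside interface address). The facts it leans on: PPTP (RFC 2637) runs its control channel on TCP 1723 and its data channel over enhanced GRE (IP protocol 47), GRE has no ports, so without inspection state a stateful firewall has nothing to match the server's GRE packets against and they fall under the lower-to-higher default deny, and the fixup follows the control channel so that, when the server accepts the call, it opens the GRE channel for that server, that client and the negotiated Call ID. The alternative to the fixup, an explicit `permit gre` entry in the outside ACL, is modelled too; in the posted config it would also need a one-to-one static for the client rather than `global (outside) 1 interface`, since PAT has no port to track GRE by. Addresses, source port 40000 and the Call IDs are invented, NAT is not modelled, and the class names are this example's own.

```python
from dataclasses import dataclass

TCP, GRE = 6, 47        # IP protocol numbers; RFC 2637 enhanced GRE carries the PPP data
PPTP_PORT = 1723        # PPTP control channel, what 'fixup protocol pptp 1723' inspects


@dataclass(frozen=True)
class Pkt:
    ingress: str        # "inside" (security 100) or "outside" (security 0)
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    ctrl: tuple = ()    # PPTP control message, e.g. ("OCRP", server_call_id, client_call_id)
    key: int = 0        # Key field of the enhanced-GRE header: the receiver's Call ID


class Pix:
    """Toy two-interface stateful firewall, no NAT, with optional PPTP inspection."""

    def __init__(self, pptp_fixup, outside_acl=()):
        self.pptp_fixup = pptp_fixup
        self.outside_acl = set(outside_acl)   # (proto, src, dst) permitted in on outside
        self.conns = set()                    # 5-tuples initiated from the inside
        self.gre_calls = set()                # (server, client, call_id) pinholes from inspection
        self.dropped = []

    def forward(self, p):
        """Return True if the PIX passes p, recording state the way a stateful firewall does."""
        flow = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if p.ingress == "inside":            # higher -> lower security: allowed by default
            allowed = True
            self.conns.add(flow)
        elif p.proto == GRE:                 # no ports, so no reply to match it against:
            allowed = ((p.src, p.dst, p.key) in self.gre_calls     # inspection opened it
                       or (GRE, p.src, p.dst) in self.outside_acl)  # or an explicit ACL did
        else:                                # lower -> higher: reply to a known conn, or ACL
            allowed = reverse in self.conns or (p.proto, p.src, p.dst) in self.outside_acl
        if allowed:
            self._inspect(p)
        else:
            self.dropped.append(p)
        return allowed

    def _inspect(self, p):
        # fixup protocol pptp 1723: follow the control channel; when the server accepts the
        # call (Outgoing-Call-Reply), open the inbound GRE channel for this server, this
        # client and this Call ID only. Nothing is opened for sessions the fixup did not see.
        if not self.pptp_fixup or p.proto != TCP or PPTP_PORT not in (p.sport, p.dport):
            return
        if p.ingress == "outside" and p.ctrl[:1] == ("OCRP",):
            _, _server_call_id, client_call_id = p.ctrl
            self.gre_calls.add((p.src, p.dst, client_call_id))


def pptp_session(pptp_fixup, outside_acl=()):
    """Drive one client-initiated PPTP session (RFC 2637 message names) through the PIX and
    report which packets got through. Addresses, port 40000 and Call IDs are invented."""
    client, server, rogue = "10.1.1.50", "203.0.113.10", "198.51.100.9"
    pix = Pix(pptp_fixup, outside_acl)
    c2s = dict(ingress="inside", src=client, dst=server, proto=TCP, sport=40000, dport=PPTP_PORT)
    s2c = dict(ingress="outside", src=server, dst=client, proto=TCP, sport=PPTP_PORT, dport=40000)
    control = [
        pix.forward(Pkt(**c2s, ctrl=("SCCRQ",))),        # Start-Control-Connection-Request
        pix.forward(Pkt(**s2c, ctrl=("SCCRP",))),        # Start-Control-Connection-Reply
        pix.forward(Pkt(**c2s, ctrl=("OCRQ", 7))),       # Outgoing-Call-Request, client Call ID 7
        pix.forward(Pkt(**s2c, ctrl=("OCRP", 21, 7))),   # Outgoing-Call-Reply, server Call ID 21
    ]
    return {
        "control_channel": all(control),
        "gre_from_server": pix.forward(Pkt("outside", server, client, GRE, key=7)),
        "gre_wrong_call_id": pix.forward(Pkt("outside", server, client, GRE, key=8)),
        "gre_from_rogue_host": pix.forward(Pkt("outside", rogue, client, GRE, key=7)),
        "gre_to_server": pix.forward(Pkt("inside", client, server, GRE, key=21)),
    }


if __name__ == "__main__":
    print("fixup on :", pptp_session(True))
    print("fixup off:", pptp_session(False))
    print("ACL only :", pptp_session(False, {(GRE, "203.0.113.10", "10.1.1.50")}))
```

With the fixup on, the TCP 1723 control channel and the server's GRE packets for Call ID 7 pass, while GRE with another Call ID or from another host is dropped. With the fixup off, the control channel still completes (ordinary TCP state handles it) but every inbound GRE packet is dropped, which is the symptom in the error message quoted above. A plain `permit gre` ACL entry restores the data channel but is coarser than inspection: it passes any GRE between the two hosts whatever the Call ID. In none of the three cases does anything admit an unsolicited PPTP connection from outside to an inside server; that would need an ACL entry for TCP 1723 plus GRE and a static for the server.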

  • Link to configuration convertor tool from PIX to ASA

                       Hi,
    I have been looking unsuccessfully for the Cisco tool that takes a PIX config and converts it to ASA (PIX 525 to ASA 5520). I was wondering if I need that and, if yes, where I can find that tool on the Cisco site?
    Regards,
    Masood

    Hello again,
    This configuration has really confused me since it has the standby keyword under the inside interface. I do not want to change any configs under the inside interface of my current PIX configuration.
    Would you please be able to tell me what I need to type on the ASAs to configure them for this cable-based failover?
    Here is what the link you suggested has listed, which is confusing since it has the standby keyword under the inside interface:
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
    no shut
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
    no shut
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
    no shut
    and the STANDBY:
    failover
    failover lan unit secondary
    failover lan interface failover Ethernet0/3
    failover key *****
    failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
    Now, I already have the configs from the PIX 525 which I am going to paste directly onto the ASA, which has been downgraded to 8.2.3.
    So how does it work with the failover configuration?
    Can you please advise on how I go about the following:
    1- configure failover before I paste the PIX config onto the ASA?
    2- paste the config from the PIX 525 onto the ASA, which I have already downgraded to version 8.2.3.
    Please advise.
    Regards,
    Masood
