HTTP Inspection Cisco PIX 525
I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.
My regex is: regex HACKBLOCK "*/admin/.*\.jsp*"
My class-maps are:
class-map type regex match-any HACKBLOCK_METHOD
match regex GET
class-map XXXXTWBLOCK
match access-list HACKBLOCK_HOSTS
class-map type regex match-any HACKBLOCK_URL
match regex HACKBLOCK
class-map type inspect http match-all HACKBLOCK_FILTER
match request uri regex class HACKBLOCK_URL
class-map inspection_default
match default-inspection-traffic
My policy-maps are:
policy-map type inspect http HACKBLOCK_HTTP
parameters
class HACKBLOCK_FILTER
log
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns
inspect h323 ras
class XXXXTWBLOCK
inspect http HACKBLOCK_HTTP
policy-map OUTSIDE
class XXXXTWBLOCK
inspect http HACKBLOCK_HTTP
class class-default
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1200
As you can see, I added the inspection rule to a seperate class name ENPROTWBLOCK. This matches traffic based on destination of our class C. I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:
#sh service-pol inspec http
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Class-map: XXXXTWBLOCK
Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
protocol violations
packet 34206
class HACKBLOCK_FILTER
log, packet 0
enp-amer-clt-pix525-a#
I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp
Any idea whats going on here and why I am not macthing the HTTP uri's ????
Thanks,
Matthias CCIE# 28445
I get hits on the ACL. The issue is that the HTTP inspection does not seem to function. Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface right ?
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20
enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
access-list HACKBLOCK_HOSTS; 1 elements
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20
enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
access-list HACKBLOCK_HOSTS; 1 elements
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20
Similar Messages
-
Cisco pix 525 and 515 cannot archieve configuration in LMS 3.0.1
Hi,
we have several cisco pix 525 and 515 cannot archieve configuration in LMS 3.0.1
Any help would be greatly appriciated.
Thanks in advance
SamirHi,
Here is the output.
*** Device Details for ***
Protocol ==> Unknown / Not Applicable
Selected Protocols with order ==> TFTP,SSH,HTTPS
Execution Result:
RUNNING
CM0151 PRIMARY RUNNING Config fetch failed for ********* Cause: SSH: Failed to establish SSH connection to 10.192.18.10 - Cause: Authentication failed on device 3 times.
Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
But when I do mangement station to Device it gives me following results:
Interface Found: 10.192.18.10
Status: UP
Test Results
UDP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 64 protocol: udp port: 7
TCP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 0 size: 0 protocol: tcp port: 7
HTTP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 33 protocol: http port: 80
TFTP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 25 protocol: tftp port: 69
SNMPRv2c(Read) Okay
sent: 5 recvd: 5 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_get port: 0
SNMPWv2c(Write) Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_set port: 0
SSHv2 Failed
TELNET Okay
Waiting for your reply.
Samir -
Cisco Pix 525 VPN - iPhone/iPad won't connect
hi,
i have one of the most basic configurations on a PIX 525 with remote access enabled. i am able to connect from a desktop machine running the cisco vpn client but for some reason i cant get my iphone or ipad to connect to my vpn. i get the error message stating 'the server did not respond'.
i am running ios 8.0.4 and i have a 3DES license which is required from what i understand.
im starting to think that this really is in the configuration. could it be the transform set specification?
can some one shed some light on this subject?
below is close to the current configuration, but its not exact, some things in it were corrected, so ignore them. it is the best i have, since i am away for the holiday. it should give insight into any areas that might be part of the problem.
thcvpn01(config)# show config
: Saved
: Written by enable_15 at 07:33:33.113 UTC Fri Nov 8 2013
PIX Version 8.0(4)
hostname thcvpn01
domain-name somewhere.net
enable password* encrypted
passwd * encrypted
names
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObje
ct
access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.2
55.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0 outside
nat (inside) 0 access-list inside-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 288
00
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4
608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 208.67.222.222 208.67.222.220 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy THCVpnGroup internal
group-policy THCVpnGroup attributes
dns-server value 208.67.222.222 208.67.222.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
default-group-policy THCVpnGroup
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
Cryptochecksum:d57ad5e7f32936cf000c4be69d4385cb
thcvpn01(config)#
thcvpn01(config)#
thcvpn01(config)#
jeffhi,
as a primary note, the people at apple's genius bar are not genious. they do not know that the following, so if you found your way here. awesome.
the correct answer is that the iphone and ipad only supports aes. you have to modify the crypto map to use aes as well as modify the isakmp service to use aes. i believe it supports all aes options, aes, aes 192 and aes 256.
in all of the frustration, do not, as i did, forget that your username is case sensitive.
jeff -
Goodmorning,
I have a message on my pix 525 someone is spoofing on a server from my dmz. How can i prevent spoofing attacks? It goes something like that : Deny IP due to Land Attack from 10.10.8.1 to 10.10.8.1The thing is that i have exhaustion of resources. How can i stop that?
-
I was wondering if someone can tell me how to upgrade a Cisco Pix 525 boot rom from 4.0 to 4.3. Is it a physical chip or software upgrade? Is it needed to upgrade to latest IOS on Cisco Pix 525 to 8.0. Where can I find more information on it? Thanks in advance
This link should help you
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
Reards,
Sachin -
Cisco WSA https inspection capability?
Hello,
does a Cisco WSA has the capability of inspecting HTTPs traffic like Internet-Proxy servers doyes.
Here's a doc on how to set up the WSA, it has a section on doing HTTPS:
https://supportforums.cisco.com/sites/default/files/attachments/discussion/sba_mid_bn_websecuritydeploymentguide-h1cy11_1.pdf -
I'm new to this forum so send me along if this sounds like nonsense. I have a SecurePIX 525 (s/w v6.3(4) in my production environment. Is there a GUI management tool for the PIX and if so, how do I go about setting it up? Thanks.
Hi Sean
You can ask any question in these forums whether or not it's nonsense :)
Yes there is a GUI management tool, it's called Pix Device Manager and for your version of software you need v3 of PDM. You may well find the actuall software is on your pix already.
Attached is a link to a doc on installing and configuring PDM
http://www.cisco.com/en/US/docs/security/pix/pix63/pdm30/installation/guide/pdm_ig.html
HTH
Jon -
Bandwidth Allocation for a specific VPN Tunnel - PIX 525 7.2(1)
Hello,
I have a PIX with a 10 MB internet connection. This PIX has several L2L VPN Tunnels configured: Tunnel1, Tunnel2...TunnelN. I want to be able guarentee 5Mb of the total 10Mb to a specific VPN Tunnel. Is this possible? I have read the following links, however I believe that the configuration guidelines I'm looking for are a combination of several examples shown here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml#tab4
https://supportforums.cisco.com/docs/DOC-1230
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#cqos
The tunnel is being defined by the following commands:
crypto map prdmay 20 match address vpn_1
crypto map prdmay 20 set peer 61.172.142.222
crypto map prdmay 20 set transform-set TS
access-list vpn_1 extended permit ip 10.14.102.0 255.255.255.0 any
access-list vpn_1 extended permit ip 10.14.101.0 255.255.255.0 any
tunnel-group 61.172.142.222 type ipsec-l2l
tunnel-group 61.172.142.222 ipsec-attributes
pre-shared-key *
Is the following what I need to do in order to accomplish what I want:
priority-queue outside
class-map vpn_5Mb
match access-list vpn_1
match tunnel-group 61.172.142.222
policy-map police-priority-policy
class vpn_5Mb
police output 5120000
service-policy police-priority-policy interface outside
Thank you for your help.I don't think the ASA will let you match on ACL and tunnel group at the same time.
Just the ACL will do though. The ACL should match local ip addresses (there are usually no-natted for the VPN anyway).
Here is a page with a QoS examples on the ASA for reference https://supportforums.cisco.com/docs/DOC-1230
I hope it helps.
PK -
Hi all,
In our head office we have a pix506e and we have numerous remote offices with 877s. Each remote office has a site-site VPN connection to the PIX.
The problem I'm having we recently added 8 new sites, only half of which work. They will all form IPsec tunnels, but you cannot ping through them.
Chatting to a colleague he seems to think that each VPN uses 2 "peer" licenses and hence we will only get a max of 12 concurrent VPN connections.
Can anyone confirm that this is the case?max number L2L tunnels on PIX506 is 25
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf -
PIX 525 UR With 1 4-Port FE, 1 VPN Accel Card
Good day;
I have a PIX 525 Unrestricted with failover.
802.bin IOS
There is 1 4-port FE and a VPN Accelerator card installed in each unit.
I tried to install a second 4-port FE in both prime and secondary units and the following is the result.
Once I power up both units the second 4-port FE mimics the first one. Although there are no physical connections to the second 4-port FE's, the port lights on the second FE's light up as the ones on the first 4-port FE.
Example:
1st 4-port FE
Fa0/2 - physical connection - Light on
Fa0/3 - no physical connection - Light off
Fa0/4 - physical connection - Light on
Fa0/5 - no physical connection - Light off
2nd 4-port FE
Fa0/6 - no physical connection - Light on
Fa0/7 - no physical connection - Light off
Fa0/8 - no physical connection - Light on
Fa0/9 - no physical connection - Light off
Also, when the second card is installed the first card will not function and this sets both PIX's as active.
I'm somewhat baffled.Hi;
Here's the show version.
As you will see, it allows for 10 physical interfaces.
I'm scratching my head over this one.
Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)
Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/pix802.bin"
Config file at boot was "startup-config"
MHCPPIX1 up 27 days 22 hours
failover cluster up 93 days 1 hour
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 0011.924b.dd31, irq 10
1: Ext: Ethernet1 : address is 0011.924b.dd32, irq 11
2: Ext: Ethernet2 : address is 000d.88ee.5d70, irq 11
3: Ext: Ethernet3 : address is 000d.88ee.5d71, irq 10
4: Ext: Ethernet4 : address is 000d.88ee.5d72, irq 9
5: Ext: Ethernet5 : address is 000d.88ee.5d73, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license. -
Cisco 871W eZVPN is unable to connect Cisco PIX vpn server
crypto ipsec client ezvpn TEST
connect auto
group Cisco key cisco123
mode client
peer 172.1.1.1
xauth userid mode interfactive
interface FastEthernet4
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
ip nat outside
crypto ipsec client ezvpn TEST
Internet Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 100 out
ip nat inside
crypto ipsec client ezvpn TEST inside
ip route 0.0.0.0. 0.0.0.0 192.168.1.254
ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
route-map EzVPN1 permit 1
match ip address 103
These are the following commands I applied in my Router, It is able to connect but unable to access any other servers. The same user name & password I tried with the VPN dialer it works on my Laptop. Anything I am missing on the router configuration. The VPN server is Cisco PIX 515E.
Cisco IOS on 871W is 12.3(8)Y121) Isn't your default route supposed to be pointing towards the external interface?
ip route 0.0.0.0. 0.0.0.0 192.168.1.254 ?
2) Can you change the 'mode client' to 'mode network-extension'. Also the PIX will need 'nem enable'.
Have a look at the following (I'm assuming you already have as your config seems to be similar):
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
For old 6.x code on PIX, have a look at:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml
Regards
Farrukh -
Cisco PIX to Cisco ASA Migration Tool
Hello,
I appreciate any help to download the The Cisco PIX to ASA migration tool referred at
http://www.cisco.com/en/US/partner/docs/security/asa/migration/release/notes/pix2asarn.html#wp39336
Thanks in Advance
Francisco AlmeidaAs a registered user, go to the download page for Pix Software here.
Navigate on the menu tree to "Version 1.0" and you should see the software available to download: -
Amazon S3 Backup with Cisco PIX 501 Router - slowww
We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office. We are using a Synology NAS to backup to Amazon s3, and we use a Cisco PIX 501 to secure our network. The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue. After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down. I was told the upload should happen over HTTP and HTTPS, and I made sure these ports where open through the Access Rules. There are no rules defined in the Filter Settings.
I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening? I'm not too familiar with the PIX or all the network settings involved.
Thanks!Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here:
- Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
THANKS -
Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access
Hello folks,
I need your help.
We got a Cisco PIX 501 in one location and this pix is configured for pppoe dial out. The pix connects itself to the internet via pppoe client. ping to an offical ip is running well.
So what I want to do is to establish a von tunnel between this pix and a cisco 3005 concentrator.
But I was not successull to establish it.
Here is the pix config. the acl?s are only for testing and will be replaced if it works.
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname PIX-AU
domain-name araukraine.ua
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
mtu outside 1456
mtu inside 1456
ip address outside pppoe setroute
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.x.x 255.255.255.224 inside
pdm logging warnings 500
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.x.x 255.255.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.x.x 255.255.x.x inside
telnet timeout 5
ssh 194.39.97.0 255.255.255.0 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *********
encrypted privilege 15
vpnclient server 212.xx.xx.xx
vpnclient mode network-extension-mode
vpnclient vpngroup vpntest password ********
vpnclient username pixtest password ********
terminal width 80
on the concentrator I created a user pixtest, a group vpntest and I?ve created rules for the network e.g. to which server the users behind the pix will be able to access.
And that?s all.
I could not send you the output either of the pix or concentrator because I did not get an error or a message that the tunnel will be established.
What can be wrong ?
Thanks for the repliesThis sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml -
Cisco Pix 501 - Need help with VPN passthrough
Greetings!
Currently I have a Cisco Pix 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco Pix; I have been able to accomplish some port forwarding for CCTV camera software, etc. but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
Previously we had another facility which was able to connect through VPN but it has since been removed (and always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
I have been through several articles both here and other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall then necessary and may have duplicate information attempted to complete this passthrough. My Server 2008 resides at 192.168.1.15, below is what I have thus far. The "crypto map" sections were all completed long before I took over, I believe this is how the old VPN was set up. What I have added since beginning this endevour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated as I am rapidly losing hair attempting to get this situated.
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password RysZD25GpRAOMhF. encrypted
passwd 0I6TSwviLDtVwaTr encrypted
hostname Lorway-PIX
domain-name lorwayco.com
fixup protocol ftp 21
fixup protocol ftp 22
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 50000
access-list outside_access_in permit udp any any eq 50000
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq 1009
access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
access-list outside_access_in permit tcp any any eq 7000
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.221.188.249 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.118
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
crypto map lorwayvpn 30 ipsec-isakmp
crypto map lorwayvpn 30 match address 30
crypto map lorwayvpn 30 set peer 66.18.55.250
crypto map lorwayvpn 30 set transform-set lorway1
crypto map lorwayvpn interface outside
isakmp enable outside
isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
: endConfig looks good to me.
I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center as this PIX is on its EOL and you are running an extremely old version of code.
If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN?
Maybe you are looking for
-
How to restore ipod Touch 4g after failed Jailbreak!?
I was using Redsn0w to Jailbreak my iPod today, everything was going well, until the running codes appeared. it was stuck there for 2 minutes then, my iTouch went completely off, redsn0w detected my ipod even though it would not turn on. so I pressed
-
Error in Electronic Signatures: CSigDict-1938
In Acrobat Pro 9, about 80% of the time when attempting to add an electronic signature to a .pdf document I get the following error: CSigDict-1938. I have no idea why it mostly doesn't work but sometimes does. Any ideas?
-
Is it possible to create own soap envolpe and body ?
Hi, I developed a web service and deployed it on Web Logic server and Glassfish server. But its soap envelope and soap body is different. Glassfish Request : <?xml version="1.0" encoding="UTF-8"?> <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/
-
Does anyone now, a txn in ECC 6.0 that does the same as ome0 in 4.6? Thanx in advance
-
Can I have variable widths of columns in a table in pages for ipad?
I would like to make a table in Pages that has a larger column for the first column than the others so I can put labels in this column. Is that possible on the ipad? I know I can do this in Pages on a computer.