Linksys WRT600N vs CISCO PIX 506E.... Firewall / Routing Performance

Hi:
I am new to the forum and was hoping to tap into some of your expertise. I have a Linksys WRT600N version 1.1 and I recently acquired a CISCO PIX 506E firewall. My question is: what should I use as a firewall? Both have SPI etc. Should I:
a) Use the 506E as a firewall and use the 600 as a wireless access point, or
b) Use the 600 as a firewall and wireless access point.
Do both routers have the same firewall/routing performance? I want to use the storage feature on the 600N, but if I do that and use it as a wireless access point, the 600 can't get the proper time from the Internet, so the time on newly created folders and files shows they are 10 years old.
Anyway, just thought I would post and find out what some of the experts thought and maybe someone from Linksys or CISCO. I know the 506E is discontinued and was manufactured around 2001 and the 600N is a new model.

The PIX is a real firewall. The WRT has a firewall which mostly protects the router itself. People prefer to buy an "SPI firewall router" instead of a simple "router" even though the router firewall does little or nothing to protect the LAN. The only firewall configuration you can usually do on the WRTs is on the Access Restrictions tab, and that's usually all. The LAN itself is not protected by the firewall. You would notice this if you had a public IP subnet and ran it through the WRT: the LAN would be fully exposed to the internet. Some routers have a few functions like protection against denial of service attacks or similar, but even then this often filters only the traffic targeted at the router and not the LAN.
The common protection your LAN has on the WRT exists because you use private IP addresses inside your LAN and the router does NAT. However, NAT is not a security mechanism but a mechanism to solve the problem that you only have a single public IP address but want to use multiple computers, which is why you have to use private IP addresses. Current NAT implementations usually drop unsolicited incoming traffic because they don't know which IP address in the LAN to send it to. But the notion of NAT is to deliver and to allow connectivity. This has nothing to do with security or a firewall.
Thus, if you want to use a real firewall, use the PIX. On the PIX you can configure which traffic is allowed to enter the LAN and which is not. It is far superior to the WRT in this respect. However, as it is an older model, I cannot tell how fast the PIX is. You should be able to find the old data sheets of the PIX somewhere on the Cisco website. They should mention the possible throughput. I guess it won't be an issue.
To me, another point for the PIX is its VPN capabilities, which allow you to securely access your LAN while you are on the road.
Of course, you must know how to configure the PIX correctly. It is a complex device and can be configured for pretty much anything you like. This means, of course, that if you do it wrong you may end up with little or no security.
BTW, there are no people from Linksys in this forum except the moderators (who may be from Lithium). To hear from Linksys you have to contact Linksys support.
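To make the distinction drawn in the reply above concrete, here is an added Python model; it is not code from the post, from Linksys or from Cisco. It puts a NAT-only router, which forwards whatever it has a translation for (including a user-configured port-forward) and never consults a policy, next to a PIX-style security-level model in which lower-to-higher traffic needs both a static translation and an explicit permit on the outside access-list. The addresses, ports and packet tuples are made up for the illustration, and PAT is simplified so the source port is kept.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    sport: int  # source port
    dst: str    # destination IP
    dport: int  # destination port


class NatRouter:
    """Consumer 'SPI firewall router' as the reply describes it.

    NAT exists to share one public address: inbound traffic is delivered
    whenever a translation (dynamic, or a configured port-forward) says where
    to send it, and no policy about who may reach the LAN is consulted.
    With routed=True the LAN carries public addresses, no NAT happens, and
    everything is simply forwarded.
    """

    def __init__(self, public_ip: str, routed: bool = False):
        self.public_ip = public_ip
        self.routed = routed
        # (remote ip, remote port, public port) -> inside host, created by outbound traffic
        self.xlate: dict[tuple[str, int, int], str] = {}
        # public port -> inside host, configured by the user ("port forwarding")
        self.port_forward: dict[int, str] = {}

    def outbound(self, pkt: Packet) -> str:
        if not self.routed:
            self.xlate[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src  # simplified PAT: port kept
        return "forward"

    def inbound(self, pkt: Packet) -> str:
        if self.routed:
            return "forward: routed LAN, no NAT and no policy"
        inside = self.xlate.get((pkt.src, pkt.sport, pkt.dport))
        if inside:
            return f"forward: reply to {inside}"
        if pkt.dport in self.port_forward:
            return f"forward: port-forward to {self.port_forward[pkt.dport]}, no policy"
        return "drop: no translation"   # the only thing protecting the LAN


class PolicyFirewall:
    """PIX-style model: inside is security level 100, outside is 0.

    Higher-to-lower traffic is permitted by default (given a nat/global pair).
    Lower-to-higher traffic needs BOTH a static translation and an explicit
    permit on the access-list applied inbound on the outside interface.
    """

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.xlate: dict[tuple[str, int, int], str] = {}
        self.statics: dict[int, str] = {}             # public port -> inside host
        self.acl_outside: list[tuple[str, int]] = []  # (source ip or "any", dport)

    def outbound(self, pkt: Packet) -> str:
        self.xlate[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
        return "forward: higher to lower security, permitted by default"

    def inbound(self, pkt: Packet) -> str:
        inside = self.xlate.get((pkt.src, pkt.sport, pkt.dport))
        if inside:
            return f"forward: reply to {inside}"
        if pkt.dport not in self.statics:
            return "drop: no translation for destination"
        for src, dport in self.acl_outside:       # first match wins, implicit deny
            if dport == pkt.dport and src in ("any", pkt.src):
                return f"forward: static + acl permit to {self.statics[pkt.dport]}"
        return "drop: translation exists but no acl permit"


def demo() -> dict[str, str]:
    """Send the same unsolicited inbound packet through each model."""
    results = {}
    probe = Packet("203.0.113.9", 40000, "198.51.100.1", 3389)   # stranger -> public ip, RDP

    wrt = NatRouter("198.51.100.1")
    results["wrt_no_xlate"] = wrt.inbound(probe)
    wrt.port_forward[3389] = "192.168.1.15"       # user forwards RDP to a server
    results["wrt_port_forward"] = wrt.inbound(probe)
    results["wrt_routed"] = NatRouter("198.51.100.1", routed=True).inbound(probe)

    pix = PolicyFirewall("198.51.100.1")
    pix.statics[3389] = "192.168.1.15"            # static (inside,outside) tcp interface 3389 ...
    results["pix_static_only"] = pix.inbound(probe)
    pix.acl_outside.append(("192.0.2.50", 3389))  # permit tcp host 192.0.2.50 host <public> eq 3389
    results["pix_acl_wrong_source"] = pix.inbound(probe)
    results["pix_acl_trusted"] = pix.inbound(Packet("192.0.2.50", 40000, "198.51.100.1", 3389))

    # Replies to outbound connections come back through both without extra configuration.
    out = Packet("192.168.1.20", 51000, "203.0.113.9", 443)
    wrt.outbound(out)
    pix.outbound(out)
    reply = Packet("203.0.113.9", 443, "198.51.100.1", 51000)
    results["wrt_reply"] = wrt.inbound(reply)
    results["pix_reply"] = pix.inbound(reply)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The point of the model is the port-forward case: on the NAT-only box a single forwarding rule exposes the inside host to every source on the internet, whereas the PIX-style model still drops the probe until an access-list entry names who may use the translation.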

Similar Messages

  • Pix 506e firewall configring for mail( Exhange), Web, FTP server

    Hi
    I am Hemant. We have a PIX 506E firewall, a D-Link ADSL DSL-502T and my IBM xSeries 236 server.
    I have a fixed static live IP 59.181.103.220 which I got from my ISP (MTNL), and the same IP is given in the FQDN at www.net4india.com (the company from which we have registered our domain name and taken space).
    My problem is I am not able to send mail through my mail server (loyalindia.co.in), but I am receiving mails from any server.
    My network design is as follows:
    ADSL (WAN) 59.181.103.220, ADSL (LAN) 59.181.103.221. PIX 506E (out) 59.181.103.222, PIX 506E (in) 192.168.1.1. My domain mail server loyalindia.co.in (Exchange server) IP 192.168.1.2
    I have tried with (ADSL) NATting and without NATting, but the problem is the same.
    If I remove the PIX 506E and connect the server directly to the ADSL, I am able to receive and send mails properly.
    Can anybody support me?

    Hello
    I think there won't be one QUICK START to get all of this up and running; there are multiple examples on the following page, a few that might help would be:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
    PIX/ASA : Connecting Three Internal Networks with Internet Configuration Example
    PIX/ASA : Connecting Two Internal Networks with Internet Configuration Example
    ASA 7.x/PIX 6.x and Above: Open/Block the Ports Configuration Example
    PIX/ASA 7.x: Enable VoIP (SIP, MGCP, H323, SCCP) Services Configuration Example
    PIX/ASA 7.x and FWSM: NAT and PAT Statements
    PIX/ASA 7.x and later : Port Redirection(Forwarding) with nat, global, static and access-list Commands
    Configuring PIX Firewall with Mail Server Access on the DMZ
    Configuring the PIX Firewall with Mail Server Access on Inside Network
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • Cisco PIX 501 Firewall Config

    Hi,
    I know this is an old firewall, but it's just a simple firewall I need. My question is this:
    I am not getting any internet with my current config, see below:
    show conf
    : Saved
    : Written by enable_15 at 00:52:17.182 UTC Fri Jul 20 2012
    PIX Version 6.3(5)
    interface ethernet0 auto shutdown
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password PVSASRJovmamnVkD encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname bmi-501-fw-1
    domain-name buildmeit.internal
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list allow_ping permit icmp any any echo-reply
    access-list allow_ping permit icmp any any source-quench
    access-list allow_ping permit icmp any any unreachable
    access-list allow_ping permit icmp any any time-exceeded
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 78.XX.XXX.XXX 255.255.240.0
    ip address inside 10.52.100.123 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    nat (inside) 101 0.0.0.0 0.0.0.0 0 0
    access-group allow_ping in interface outside
    access-group allow_ping in interface inside
    route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.52.10.0 255.255.255.0 inside
    http 10.52.66.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    terminal width 80
    Cryptochecksum:f8f18bf2b944dddfaf3d83e6c1e1c57c
    bmi-501-fw-1#
    What am I missing? If I try to ping 8.8.8.8 it times out. Any suggestions?

    Hi, Thanks for the reply, I've managed to sort it now with the following config below:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname bmi-501-fw-1
    domain-name buildmeit.internal
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list PERMIT_IN deny tcp any any
    access-list PERMIT_IN deny ip any any
    access-list PERMIT_IN deny udp any any
    access-list PERMIT_OUT permit tcp any any
    access-list PERMIT_OUT permit ip any any
    access-list PERMIT_OUT permit udp any any
    access-list PERMIT_OUT permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside XXX.XX.XXX.XXX 255.255.240.0
    ip address inside 10.52.100.123 255.255.255.0
    global (outside) 1 interface
    outside interface address added to PAT pool
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group PERMIT_IN in interface outside
    access-group PERMIT_OUT in interface inside
    route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.1 1
    route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
    wr mem
    Regarding point 5, where you say devices like this shouldn't be used: I know it's an unsupported device, but what other reasons are there that I should not be using it? It's a good/simple firewall - I'd rather use this than, say... a horrible Netgear!

  • Pix 506e

    Hi,
    We are planning to purchase a Cisco PIX 506E Firewall. We have 50 computers and users. If we purchase the PIX 506E Firewall, is it required to purchase any additional license?
    with regds
    prem

    For the PIX 506E there is only one license that can be purchased, which is the 3DES/AES and DES encryption license. Right now I think you can download that license for free. The following link will provide you with details on that license and the data sheet on that PIX (scroll down about halfway for the license information).
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b13.html
    The following link will give you the data sheet and describe the three different licenses available with upper models of the PIX as it relates to the 515E (restricted, unrestricted, and failover).
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b15.html

  • Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

    Hello,
    I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    ip address outside xxx.xxx.xxx.94 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

    Hey Craig,
    Based on your commands I think you were using version 6.3 on the PIX and now you must be moving to ASA version 8.2.x.
    On 8.4, use the example below for defining the interfaces:
    int eth0/0
    ip add x.x.x.x y.y.y.y
    nameif outside
    no shut
    int eth0/1
    ip add x.x.x.x y.y.y.y
    nameif inside
    no shut
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    You can use two global statements, as the first statement would be used as dynamic NAT and the second as PAT.
    If you're still not able to reach it, paste your entire config and the version you are using on the ASA.
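    The remark about the two global statements, worked through as an added Python model that is not from the post or from Cisco: hosts matched by the nat statement are handed a one-to-one address from the range until it is exhausted, after which new hosts are PAT'd behind the single address. The RFC 5737 addresses stand in for the masked xxx.xxx.xxx values, and the sequential PAT port allocation starting at 1024 is an assumption of the example.

```python
import ipaddress


class GlobalPool:
    """Models 'global (outside) 1 <first>-<last>' plus 'global (outside) 1 <ip>'.

    Hosts matched by 'nat (inside) 1 ...' first get a one-to-one address from
    the range; once it is exhausted, new hosts are PAT'd behind the single
    address and told apart by the translated source port.
    """

    def __init__(self, first: str, last: str, pat_address: str, first_port: int = 1024):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.pat_address = pat_address
        self.next_port = first_port                       # assumed first PAT port
        self.nat_xlate: dict[str, str] = {}               # inside ip -> pool address (1:1)
        self.pat_xlate: dict[tuple[str, int], int] = {}   # (inside ip, sport) -> PAT port

    def translate(self, inside_ip: str, sport: int) -> tuple[str, int]:
        """Global (ip, port) that a packet from inside_ip:sport leaves with."""
        if inside_ip not in self.nat_xlate and self.free:
            self.nat_xlate[inside_ip] = self.free.pop(0)  # dynamic NAT from the pool
        if inside_ip in self.nat_xlate:
            return self.nat_xlate[inside_ip], sport       # 1:1 NAT keeps the port
        key = (inside_ip, sport)
        if key not in self.pat_xlate:                     # pool exhausted: PAT per connection
            self.pat_xlate[key] = self.next_port
            self.next_port += 1
        return self.pat_address, self.pat_xlate[key]

    def expire(self, inside_ip: str) -> None:
        """Simulate the xlate timeout: the host's pool address becomes free again."""
        addr = self.nat_xlate.pop(inside_ip, None)
        if addr is not None:
            self.free.append(addr)


def demo() -> dict[str, tuple[str, int]]:
    """Thirteen inside hosts against an eleven-address pool and one PAT address."""
    pool = GlobalPool("198.51.100.106", "198.51.100.116", "198.51.100.95")
    out = {}
    for n in range(1, 14):
        out[f"192.168.1.{n}"] = pool.translate(f"192.168.1.{n}", 50000 + n)
    out["192.168.1.13 second conn"] = pool.translate("192.168.1.13", 50099)
    pool.expire("192.168.1.1")                            # .106 returns to the pool
    out["192.168.1.14 after expiry"] = pool.translate("192.168.1.14", 50014)
    return out


if __name__ == "__main__":
    for host, (gip, gport) in demo().items():
        print(f"{host:28} -> {gip}:{gport}")
```

    Hosts 1 to 11 leave with their own pool address and an unchanged source port; hosts 12 and 13 share the PAT address and differ only by the translated port, with each new connection from a PAT'd host taking a fresh port. Once a pool xlate times out, the next new host gets that address back rather than being PAT'd.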

  • Is there any alternative to console cable for pix 501 firewall?

    I need help with a Cisco PIX 501 Firewall. It comes with a console cable that has a serial port, but systems nowadays, including the one I have, do not have a serial port, so I am not able to access the command line. Is there any alternative way? Can it be accessed using an Ethernet/LAN cable? If so, please provide steps. Waiting for your valuable responses...

    Hi,
    Have you considered getting a USB adapter for the console cable?
    I had to get one for my first work laptop since they happened to order a model without the serial port. For the most part it worked just fine.
    I guess depending on your PIX configuration you might be able to boot it up, attach a PC directly to it and manage it.
    - Jouni

  • Replace fan in Pix 506e

    A customer has a Cisco Pix 506e in which the fan is making some serious noise. What is the part number to replace this fan?

    It is not a FRU, you'll have to open a TAC case to have the device replaced.
    Hope that helps.

  • Oracle 8i through CISCO PIX Firewall

    HI all,
    I need some help here with a Cisco PIX Firewall 506E. The Oracle Server 8i on Windows NT 4 is placed at the inside interface of the PIX Firewall.
    The firewall has been configured to allow all ports in from the outside interface (this is where the Oracle client resides). When the client from outside tries the Oracle client application (where the login prompt for username and password is) and presses enter, the error message is:
    =============================
    oracle error con 440
    unable to make connection oracle - 12514 tns.couldn't resolve service name
    the menu was not connectable with oracle. a menu is ended
    ==============================
    Many thanks for PIX and Oracle config.
    HATO

    Varun,
    Thank you for your help.
    I have one quick question: this PIX is not in failover, it is standalone, but it has an Unrestricted license. It only has 64 MB of RAM. Will I have any problems based on your link recommendation?
    Memory Requirements:
    If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(2). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses
    What is the difference between the restricted Licenses and the Unrestricted Licenses?
    Thanks!

  • PIX 506E routes died

    Hello experts...
    I've had a set of PIX 506E boxes holding an IPSEC tunnel for a good year or so without a hitch. Today, the tunnel dropped and I lost access to the remote site. The local PIX can only ping devices on the local [inside] subnet and all nodes on all my other subnets can't find a route to the PIX. On the local gateway, I can ping the PIX, but can't traceroute to it. I also ran an ICMP debug and could see when remote nodes ping, but the reply doesn't leave the box.
    Nothing has changed, routes all look good, I've reset everything -- no luck at all. Any idea what may be happening? I have a feeling it's a basic issue that looks more complex than it is, but I'm stumped at this point.
    Any help would be greatly appreciated!
    Thanks,
    Jad

    Use this Cisco PIX 500 Series Security Appliances Troubleshoot and Alerts
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/tsd_products_support_troubleshoot_and_alerts.html

  • Amazon S3 Backup with Cisco PIX 501 Router - slowww

    We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office.  We are using a Synology NAS to back up to Amazon S3, and we use a Cisco PIX 501 to secure our network.  The backup from the NAS to Amazon is going painfully slowly, so I contacted Synology to resolve the issue.  After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down.  I was told the upload should happen over HTTP and HTTPS, and I made sure these ports were open through the Access Rules.  There are no rules defined in the Filter Settings.
    I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening?   I'm not too familiar with the PIX or all the network settings involved.
    Thanks!

    Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here:
    - Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
      This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
    THANKS

  • I am behind a Cisco PIX Firewall. What addresses and ports do I need to permit through to allow Firefox updates?

    I want to be able to upgrade my Firefox installations that are located behind a Cisco PIX Firewall. What are the TCP/IP addresses and ports required to be opened for updating to occur?

    This is less likely to be a firefox problem, as it appears something bad has happened to your network. Can you access the internet with other programs? Try email/ IRC/ Skype or even updating your computer.
    What operating system are you using?
    Ian.

  • 4965AGN / Linksys WRT600N - No 802.11n ***Resolved***

    *******************  Problem Resolved **************************
    Given the response from others that they have been able to get the 802.11n working on the WRT600N, I reset the router and started again.  I am now able to connect at 270Mbps using 5.0 GHz and at 130Mbps at 2.4 GHz.  I am having problems getting the WRT600N to save setting changes (even though the web UI shows the setting, the router does not apply them) and that may have been the problem with the "n" support.  I use this router only as an Access Point, so all NAT, Routing, DHCP and Firewall support is disabled and there is no connection to the WAN interface.  Even though I disabled the DHCP Server setting and removed power multiple times, it took a factory reset and re-configuration to actually get the router to disable the DHCP Server.  Perhaps this behavior is what caused the "n" support to show it was enabled, but not to work.  Who knows...  I do like being able to have both frequency channels available from a single WAP.
    I purchased the Linksys WRT600N wireless router this weekend.  I am unable to get the 4965AGN card to connect to the 5 GHz or 2.4 GHz  modes at 802.11n.  The fastest speed I achieved was 54Mbps at both 5 (802.11a) and 2.4 (802.11g).  WPA-2 / AES was being used on both.  I went out and bought the D-Link DGL-4500 tonight and I was able to connect using 802.11n with no problems. 
    The problem is a compatibility issue between the 4965AGN and the WRT600N.
    Has anybody been able to get the WRT600N working at 802.11n?  I notice the Lenovo drivers are much older than the drivers on the Intel site, but I do not know if it is the WRT600N that is at fault.  I would like to keep the WRT600N since it transmits at both 2.4 and 5.0.  The D-Link only supports a single frequency (5.0 or 2.4).
    Experience from anybody else with this combination would be appreciated.
    Regards,
    Brian


  • Cisco Pix 501 - Need help with VPN passthrough

    Greetings!
    Currently I have a Cisco PIX 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco PIX; I have been able to accomplish some port forwarding for CCTV camera software, etc., but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
    Previously we had another facility which was able to connect through VPN, but it has since been removed (and it always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
    I have been through several articles both here and on other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall than necessary and may have duplicate information from attempting to complete this passthrough. My Server 2008 resides at 192.168.1.15; below is what I have thus far. The "crypto map" sections were all completed long before I took over; I believe this is how the old VPN was set up. What I have added since beginning this endeavour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
    I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated, as I am rapidly losing hair attempting to get this situated.
    : Saved
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password RysZD25GpRAOMhF. encrypted
    passwd 0I6TSwviLDtVwaTr encrypted
    hostname Lorway-PIX
    domain-name lorwayco.com
    fixup protocol ftp 21
    fixup protocol ftp 22
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any any eq 50000
    access-list outside_access_in permit udp any any eq 50000
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
    access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
    access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
    access-list outside_access_in permit tcp any any eq pop3
    access-list outside_access_in permit tcp any any eq https
    access-list outside_access_in permit tcp any any eq ftp
    access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
    access-list outside_access_in permit tcp any any eq ftp-data
    access-list outside_access_in permit tcp any any eq 1009
    access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
    access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
    access-list outside_access_in permit tcp any any eq 7000
    access-list outside_access_in permit tcp any any eq pptp
    access-list outside_access_in permit gre any any
    access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 74.221.188.249 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 80
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    snmp-server host inside 192.168.1.118
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
    crypto map lorwayvpn 30 ipsec-isakmp
    crypto map lorwayvpn 30 match address 30
    crypto map lorwayvpn 30 set peer 66.18.55.250
    crypto map lorwayvpn 30 set transform-set lorway1
    crypto map lorwayvpn interface outside
    isakmp enable outside
    isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
    isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
    : end

    Config looks good to me.
    I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center, as this PIX is at its EOL and you are running an extremely old version of code.
    If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN?
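    As an added check that is not part of the thread, the following Python script runs a few reviewer tests over an excerpt of the configuration posted above (passwords, crypto and VPN lines left out; the excerpt is the script's constructed input). It encodes two PIX 6.x rules: an access-list applied to the outside interface is matched against the translated (global) address, so an entry whose destination is a 192.168.x.x host can never match an inbound packet; and traffic from outside to inside needs both a static and a permit, so a static with no matching permit is unreachable and a permit with no static delivers nowhere. It also flags management access open from any outside address, the default SNMP community string, and a fixup attached to a port other than the protocol's usual one (the config contains "fixup protocol ftp 22"). The port-name and fixup-default tables are assumptions of the example, not Cisco's.

```python
import ipaddress

# Excerpt of the Lorway-PIX configuration posted above; constructed input for the audit.
CONFIG = """\
fixup protocol ftp 21
fixup protocol ftp 22
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
http 192.168.1.0 255.255.255.0 inside
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
"""

# Port names PIX 6.x accepts in place of numbers (subset) and the port each
# fixup is normally attached to; both tables are assumptions of this example.
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "pop3": 110, "https": 443, "pptp": 1723}
FIXUP_DEFAULTS = {"ftp": 21, "http": 80, "smtp": 25, "pptp": 1723, "sqlnet": 1521}


def port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def addr(t: list[str], i: int) -> tuple[str, int]:
    """Parse one ACE address ('any', 'host X', or 'X MASK') starting at t[i]."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2


def parse_ace(line: str) -> dict:
    """access-list NAME permit|deny PROTO SRC DST [eq PORT]"""
    t = line.split()
    src, i = addr(t, 4)
    dst, i = addr(t, i)
    dport = port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport, "line": line}


def audit(config: str) -> dict[str, list[str]]:
    aces, statics, bound = [], {}, {}
    f = {k: [] for k in ("any_source_permit", "dead_private_dst", "permit_without_static",
                         "static_without_permit", "management", "fixup_port_mismatch")}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            aces.append(parse_ace(line))
        elif t[0] == "access-group":                         # access-group NAME in interface IF
            bound[t[1]] = t[4]
        elif t[0] == "static" and t[2] in ("tcp", "udp"):    # port static: (proto, port) -> host
            statics[(t[2], port(t[4]))] = t[5]
        elif t[0] in ("ssh", "telnet", "http") and t[1:4] == ["0.0.0.0", "0.0.0.0", "outside"]:
            f["management"].append(line)                     # management plane open to the internet
        elif t[:2] == ["snmp-server", "community"] and t[2] in ("public", "private"):
            f["management"].append(line)                     # default community string
        elif t[:2] == ["fixup", "protocol"] and len(t) == 4 and t[2] in FIXUP_DEFAULTS:
            if port(t[3]) != FIXUP_DEFAULTS[t[2]]:
                f["fixup_port_mismatch"].append(line)

    permitted = set()
    for a in aces:
        if bound.get(a["name"]) != "outside" or a["action"] != "permit":
            continue
        # PIX 6.x matches outside ACLs on the translated (global) address, so a
        # private destination here never matches an inbound packet.
        if "/" not in a["dst"] and a["dst"] != "any" and ipaddress.ip_address(a["dst"]).is_private:
            f["dead_private_dst"].append(a["line"])
            continue
        if a["src"] == "any":
            f["any_source_permit"].append(a["line"])
        if a["proto"] in ("tcp", "udp") and a["dport"] is not None:
            permitted.add((a["proto"], a["dport"]))
            if (a["proto"], a["dport"]) not in statics:
                f["permit_without_static"].append(a["line"])  # nothing to deliver to
    for key, host in statics.items():
        if key not in permitted:                             # reachable only once an ACE permits it
            f["static_without_permit"].append(f"{key[0]}/{key[1]} -> {host}")
    return f


if __name__ == "__main__":
    for category, lines in audit(CONFIG).items():
        print(category, len(lines), *lines, sep="\n    ")
```

    Which findings are real problems is a judgment call (the "eq ftp" entry may be a leftover, and the 3389 static may be deliberately unreachable), but each deserves a conscious decision before a config with world-reachable SSH and a "public" SNMP community is called good.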

  • Screen Sharing vs Linksys WRT600N

    Hi all. I hope someone here can help me out.
    I'm trying to connect to a Mac Mini via a Linksys WRT600N. I can log on and transfer files properly, and screen sharing via VNC works perfectly. But Screen Sharing via Apple's app does not.
    All firewalls are off. I have a wired gigabit switch in front of the router, and when I plug directly into the switch screen sharing works perfectly. But when I try and use it via the Linksys wirelessly it does not.
    This implies that the computers are all set up properly, but that the LinkSys is not forwarding the screen sharing requests properly. Does anyone know how this might be fixed?
    In case it matters, the Mini is running 10.5.8, and my MBP is running 10.6.2.
    Thanks,
    Jeremy

    I guess it's worth mentioning that although you can indeed screen share from Leopard to Tiger, it only works when you are on the same network. But Remote Desktop works across the internet...
    Of course the trick to using Remote Desktop from a truly "remote" location elsewhere on the internet is that you have to be able to reach the IP of the computer you want to control, which can be tricky if it's behind a NAT and the person you're trying to reach is my Mom, who has no idea how to configure her NAT, or firewall, or even find her IP address without my help.
    Screen sharing Leopard to Leopard via iChat should be much more straight forward... translation: this will make my life much easier the next time my mom needs help.

  • Cisco PIX SIP Issue

    Hello All,
    I am having an issue with running SIP through my Cisco PIX. A VoIP solution has just been installed, and softphones from the outside are trying to call in using SIP and are failing. The configuration is below, and the code is 6.3(5). You'll see below that I have "no fixup protocol" for SIP, as the fixup wasn't working either. Is there something that needs to be configured that I'm missing, or could this be a bug in the code? I can provide any other show commands or debug commands if needed. The call manager server in the below config is 1.2.3.4. Thanks in advance for all your help, you guys are always so helpful.
    XXXt# show ver
    Cisco PIX Firewall Version 6.3(5)
    Cisco PIX Device Manager Version 3.0(4)
    Compiled on Thu 04-Aug-05 21:40 by morlee
    XXX up 1 hour 45 mins
    Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    0: ethernet0: address is 001c.582b.3c65, irq 10
    1: ethernet1: address is 001c.582b.3c66, irq 11
    Licensed Features:
    Failover:                    Disabled
    VPN-DES:                     Enabled
    VPN-3DES-AES:                Enabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces:          4
    Cut-through Proxy:           Enabled
    Guards:                      Enabled
    URL-filtering:               Enabled
    Inside Hosts:                Unlimited
    Throughput:                  Unlimited
    IKE peers:                   Unlimited
    This PIX has a Restricted (R) license.
    XXXt# show run
    : Saved
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password vQ0/erypfvYyzFoc encrypted
    passwd vQ0/erypfvYyzFoc encrypted
    hostname DTPIX35thst
    domain-name digitaltransitions.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    no fixup protocol sip 5060
    no fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list out_in permit udp any host 1.2.3.4 eq 5060
    access-list out_in permit tcp any host 1.2.3.43 eq 5060
    pager lines 24
    logging on
    logging buffered informational
    logging trap informational
    logging queue 2048
    mtu outside 1500
    mtu inside 1500
    ip address outside 4.34.119.130 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn_pool 192.168.100.50-192.168.100.75
    pdm location 192.168.1.250 255.255.255.255 inside
    pdm location 192.168.1.252 255.255.255.255 inside
    pdm location 65.215.8.100 255.255.255.255 inside
    pdm location 192.168.100.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 1.2.3.4 172.20.1.2 netmask 255.255.255.255 0 0
    access-group out_in in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:00:00 sip_media 0:00:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 199.96.104.108 255.255.255.255 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable

    Hi Jumora,
    No need to troubleshoot this direct issue anymore. The client will be upgrading to an ASA 5505. Is there anything you may know of before I configure the ASA that I need to do to allow SIP through with no issues? Thanks again Jumora
