Multiple Internal IP in PIX 525 v7.2 unable to access from HQ

Hi Guys,
I have a problem where my HQ (private IP) is unable to ping and access a server with IP 10.45.x.42 residing at my branch. Both HQ and my branch use private IPs. My LAN uses 2 IP ranges.
    LAN                       FW                 Exinda             Router
10.45.x.0/19(old range)----->10.36.x.12---->  10.39.x.3 ----> 10.39.x.1----->Internet
10.36.x.0/16(New range)
Previously I was using both IP ranges in my network-object, and I asked our provider to ping my LAN, but there was no reply.
Now the problem is that the HQ/provider can't ping 10.45.x.0/19; it gets stuck at the PIX.
When I use packet-tracer I get this result. It seems to get stuck at NAT.
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list net36
nat-control
  match ip inside 10.45.x.0 255.255.224.0 Net any
    dynamic translation to pool 1 (10.39.x.2 [Interface PAT])
    translate_hits = 3185, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4dc4d38, priority=2, domain=nat-reverse, deny=false
    hits=1782778, user_data=0x4d2e470, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.45.x.0, mask=255.255.224.0, port=0
Here is my network-object config:
object-group network NET_CLIENT
network-object 10.36.x.0 255.255.0.0
network-object 10.45.x.0 255.255.224.0
access-list permit-all extended permit icmp any any
access-list permit-all extended permit ip any any
access-list permit-all extended permit udp any any
access-list permit-all extended permit tcp any any
access-list net36 extended permit ip object-group NET_CLIENT any
access-list net36 extended permit tcp object-group NET_CLIENT any
access-list net36 extended permit udp object-group NET_CLIENT any
access-list net36 extended permit icmp object-group NET_CLIENT any
I really appreciate your help and advice

Hi Jouni,
I can't do the packet-tracer as the PIX has already been bypassed by my superior.
Based on my config, how should I allow IP 10.45.x.0 to be pingable from the outside interface, e.g. my HQ? As this config was written, the log shows it has no translation group towards the dst 10.45.x.0/19.
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.24/50204 dst inside:10.45.x.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.43/65025 dst inside:10.45.x.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:113.210.x.139/34736 dst inside:10.45.x.51/443
*Based on my config, even allowing all for in and out I am still stuck with the "No translation group". Can you guide me on how to use the network-object with the ACL so that the outside can access the server inside and it will not get stuck on the NAT portion?
===============
PIX Version 7.2(1)
hostname SD
names
dns-guard
interface Ethernet0
nameif Net
security-level 0
ip address 10.39.x.x 255.255.255.128
interface Ethernet1
nameif inside
security-level 100
ip address 10.36.x.x 255.255.255.248
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone MYT 8
dns server-group DefaultDNS
domain-name
same-security-traffic permit inter-interface
access-list permit-all extended permit icmp any any
access-list permit-all extended permit ip any any
access-list permit-all extended permit udp any any
access-list permit-all extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered notifications
logging trap debugging
logging history informational
logging asdm informational
logging host inside 10.36.x.17
logging ftp-bufferwrap
mtu Net 1500
mtu inside 1500
ip verify reverse-path interface Net
ip verify reverse-path interface inside
no failover
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (Net) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
access-group permit-all in interface Net
access-group permit-all in interface inside
route Net 0.0.0.0 0.0.0.0 10.39.x.x 1
route inside 10.36.0.0 255.255.0.0 10.36.x.x 1
route inside 10.45.x.0 255.255.224.0 10.36.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.36.x.142 255.255.255.255 inside
snmp-server location level 2
snmp-server contact Network
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet 10.36.x.x 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
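An added example (not part of the original thread and not Cisco tooling): a Python script that correlates `%PIX-3-305005` syslog lines with the pre-8.3 NAT statements of a config and reports, per inside destination, whether any rule lets an outside host initiate a connection to it. The sample config and log are constructed from the thread's lines with the masked `x` octets and public source addresses replaced by made-up values; only ACL entries with a literal source network are resolved, and the ACL destination is ignored.

```python
import ipaddress
import re
from collections import Counter

# Syslog 305005 in the layout shown in the thread (port made optional defensively).
LOG_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?"
)
# Pre-8.3 NAT syntax: "nat (ifc) id net mask" or "nat (ifc) id access-list NAME".
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (?:access-list (\S+)|([\d.]+) ([\d.]+))")
# "static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask"
STATIC_RE = re.compile(r"^static \((\S+),\S+\) [\d.]+ ([\d.]+) netmask ([\d.]+)")
# Assumption: only ACL entries with a literal source network (no object-groups).
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip ([\d.]+) ([\d.]+) ")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_nat_rules(config_text):
    """Return (outbound_only, inbound_ok): lists of (interface, network)."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    acls = {}
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m[1], []).append(_net(m[2], m[3]))
    outbound_only, inbound_ok = [], []
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            inbound_ok.append((m[1], _net(m[2], m[3])))
            continue
        m = NAT_RE.match(line)
        if not m:
            continue
        ifc, nat_id, acl, addr, mask = m.groups()
        nets = acls.get(acl, []) if acl else [_net(addr, mask)]
        # "nat 0 access-list" is NAT exemption and works in both directions;
        # dynamic NAT/PAT and plain "nat 0 net mask" only serve inside-initiated flows.
        target = inbound_ok if (nat_id == "0" and acl) else outbound_only
        target.extend((ifc, n) for n in nets)
    return outbound_only, inbound_ok


def explain_drops(config_text, log_lines):
    """Group 305005 events by destination and name the NAT state behind each."""
    outbound_only, inbound_ok = parse_nat_rules(config_text)
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            hits[(m["dif"], m["dip"], m["proto"], m["dport"] or "-")] += 1
    report = []
    for (ifc, dip, proto, dport), count in sorted(hits.items()):
        addr = ipaddress.ip_address(dip)
        if any(i == ifc and addr in n for i, n in inbound_ok):
            state = "inbound_rule_present"  # look at ACLs or routing instead
        elif any(i == ifc and addr in n for i, n in outbound_only):
            state = "outbound_only_nat"     # needs static or nat 0 access-list
        else:
            state = "no_nat_rule"
        report.append({"dst": f"{ifc}:{dip}", "proto": proto, "port": dport,
                       "events": count, "state": state})
    return report


# Constructed sample: the thread's NAT lines, with made-up octets in place of "x".
SAMPLE_CONFIG = """
nat-control
global (Net) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
"""
# Same config plus an identity static for one server (constructed address).
FIXED_CONFIG = SAMPLE_CONFIG + (
    "static (inside,Net) 10.45.0.51 10.45.0.51 netmask 255.255.255.255\n"
)
# Constructed log lines; 203.0.113.0/24 is a documentation range.
_PFX = "Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src "
SAMPLE_LOG = [
    _PFX + "Net:203.0.113.24/50204 dst inside:10.45.0.51/443",
    _PFX + "Net:203.0.113.43/65025 dst inside:10.45.0.51/443",
    _PFX + "Net:203.0.113.139/34736 dst inside:10.45.0.51/443",
    _PFX + "Net:203.0.113.24/50210 dst inside:10.45.0.60/80",
]

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with static", FIXED_CONFIG)):
        print(label)
        for row in explain_drops(cfg, SAMPLE_LOG):
            print("  ", row)
```
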

Similar Messages

  • Cisco Pix 525 VPN - iPhone/iPad won't connect

    hi,
    i have one of the most basic configurations on a PIX 525 with remote access enabled. i am able to connect from a desktop machine running the cisco vpn client but for some reason i cant get my iphone or ipad to connect to my vpn. i get the error message stating 'the server did not respond'.
    i am running ios 8.0.4 and i have a 3DES license which is required from what i understand.
    im starting to think that this really is in the configuration. could it be the transform set specification?
    can some one shed some light on this subject?
    below is close to the current configuration, but its not exact, some things in it were corrected, so ignore them. it is the best i have, since i am away for the holiday. it should give insight into any areas that might be part of the problem.
    thcvpn01(config)# show config
    : Saved
    : Written by enable_15 at 07:33:33.113 UTC Fri Nov 8 2013
    PIX Version 8.0(4)
    hostname thcvpn01
    domain-name somewhere.net
    enable password* encrypted
    passwd * encrypted
    names
    interface Ethernet0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet5
    shutdown
    no nameif
    no security-level
    no ip address
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 208.67.222.222
    name-server 208.67.222.220
    domain-name somewhere.net
    same-security-traffic permit intra-interface
    object-group icmp-type ICMPObject
    icmp-object echo-reply
    icmp-object source-quench
    icmp-object time-exceeded
    icmp-object unreachable
    access-list outside_access_in extended permit icmp any any object-group ICMPObject
    access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 101 interface
    nat (outside) 101 10.1.2.0 255.255.255.0 outside
    nat (inside) 0 access-list inside-nat0
    nat (inside) 101 10.0.0.0 255.0.0.0
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.1.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
    crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
    crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
    crypto dynamic-map THCDynamicMap 1 set reverse-route
    crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
    crypto map THCCryptoMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 30
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd address 10.1.1.50-10.1.1.254 inside
    dhcpd dns 208.67.222.222 208.67.222.220 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy THCVpnGroup internal
    group-policy THCVpnGroup attributes
    dns-server value 208.67.222.222 208.67.222.220
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelall
    username [username] password [password] encrypted
    tunnel-group THCVpnGroup type remote-access
    tunnel-group THCVpnGroup general-attributes
    address-pool ThcIPPool
    default-group-policy THCVpnGroup
    tunnel-group THCVpnGroup ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    inspect icmp error
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:d57ad5e7f32936cf000c4be69d4385cb
    thcvpn01(config)#
    thcvpn01(config)#
    thcvpn01(config)#
    jeff

    hi,
    as a primary note, the people at apple's genius bar are not genius. they do not know the following, so if you found your way here. awesome.
    the correct answer is that the iphone and ipad only supports aes. you have to modify the crypto map to use aes as well as modify the isakmp service to use aes. i believe it supports all aes options, aes, aes 192 and aes 256.
    in all of the frustration, do not, as i did, forget that your username is case sensitive.
    jeff

  • Collect data from a dynamic XML file into multiple internal tables

    I need to convert the XML file into multiple internal tables. I tried many links and posts in SDN but still was facing difficulty in achieving this. Can some one tell me where I am going wrong.
    My XML file is of the following type. It is very complex and dynamic.
    The following tags occur more than once in the XML file. The "I" and "L" tags and their child tags can occur once or more than once in each XML file, and the count is not constant, i.e. in one file they can occur 1 time and in another they can occur 100 times.
    "I" and "L" are child tags of <C>
    <I>
           <J>10</J>
             <K>EN</K>
      </I>
    <L>
             <J>20</J>
              <N>BB</N>
      </L>
    Tags <C> and <F> occur only once in each XML file. <C> is the child tag of "A" and "F" is the child tag of <C>.
    I need to collect <D>, <E> in one internal table ITAB.
    I need to collect <G>, <H> in one internal table JTAB.
    I need to collect <J>, <K> in one internal table KTAB.
    I need to collect <J>, <N> in one internal table PTAB.
    Below is the complete XML file.
    <?xml version="1.0" encoding="iso-8859-1" ?>
    <A>
        <B/>
        <C>
           <D>RED</D>
           <E>999</E>
        <F>
           <G>TRACK</G>
           <H>PACK</H>
        </F>
        <I>
           <J>10</J>
           <K>EN</K>
        </I>
        <I>
           <J>20</J>
           <K>TN</K>
        </I>
        <I>
           <J>30</J>
           <K>KN</K>
        </I>
        <L>
           <J>10</J>
           <N>AA</N>
        </L>
        <L>
           <J>20</J>
           <N>BB</N>
        </L>
        <L>
           <J>30</J>
           <N>CC</N>
        </L>
        </C>
      </A>
    With the help of SDN I am able to gather the values of <D> <E> in one internal table.
    Now if I need to gather
    <G>, <H> in one internal table JTAB.
    <J>, <K> in one internal table KTAB.
    <J>, <N> in one internal table PTAB.
    I am unable to do. I am following  XSLT transformation method. If some one has some suggestions. Please help.
    Here is my ABAP program
    TYPE-POOLS abap.
    CONSTANTS gs_file TYPE string VALUE 'C:\TEMP\ABCD.xml'.
    * This is the structure for the data from the XML file
    TYPES: BEGIN OF ts_ITAB,
             D(10) TYPE C,
             E(10) TYPE C,
           END OF ts_ITAB.
    * Table for the XML content
    DATA: gt_itab1      TYPE STANDARD TABLE OF char2048.
    * Table and work area for the data from the XML file
    DATA: gt_ITAB     TYPE STANDARD TABLE OF ts_ITAB,
          gs_ITAB     TYPE ts_ITAB.
    * Result table that contains references
    * of the internal tables to be filled
    DATA: gt_result_xml TYPE abap_trans_resbind_tab,
          gs_result_xml TYPE abap_trans_resbind.
    * For error handling
    DATA: gs_rif_ex     TYPE REF TO cx_root,
          gs_var_text   TYPE string.
    * Get the XML file from your client
    CALL METHOD cl_gui_frontend_services=>gui_upload
      EXPORTING
        filename                = gs_file
      CHANGING
        data_tab                = gt_itab1
      EXCEPTIONS
        file_open_error         = 1
        file_read_error         = 2
        no_batch                = 3
        gui_refuse_filetransfer = 4
        invalid_type            = 5
        no_authority            = 6
        unknown_error           = 7
        bad_data_format         = 8
        header_not_allowed      = 9
        separator_not_allowed   = 10
        header_too_long         = 11
        unknown_dp_error        = 12
        access_denied           = 13
        dp_out_of_memory        = 14
        disk_full               = 15
        dp_timeout              = 16
        not_supported_by_gui    = 17
        error_no_gui            = 18
        OTHERS                  = 19.
    IF sy-subrc <> 0.
      MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
              WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
    ENDIF.
    * Fill the result table with a reference to the data table.
    * Within the XSLT stylesheet, the data table can be accessed with
    * "IITAB".
    GET REFERENCE OF gt_ITAB INTO gs_result_xml-value.
    gs_result_xml-name = 'IITAB'.
    APPEND gs_result_xml TO gt_result_xml.
    * Perform the XSLT stylesheet
    TRY.
        CALL TRANSFORMATION zxslt
        SOURCE XML gt_itab1
        RESULT (gt_result_xml).
      CATCH cx_root INTO gs_rif_ex.
        gs_var_text = gs_rif_ex->get_text( ).
        MESSAGE gs_var_text TYPE 'E'.
    ENDTRY.
    * Now let's see what we got from the file
    LOOP AT gt_ITAB INTO gs_ITAB.
      WRITE: / 'D:', gs_ITAB-D.
      WRITE: / 'E :', gs_ITAB-E.
    ENDLOOP.
    Transformation
    <xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
      <xsl:output encoding="iso-8859-1" indent="yes" method="xml" version="1.0"/>
      <xsl:strip-space elements="*"/>
      <xsl:template match="/">
        <asx:abap xmlns:asx="http://www.sap.com/abapxml" version="1.0">
          <asx:values>
            <IITAB>
              <xsl:apply-templates select="//C"/>
            </IITAB>
          </asx:values>
        </asx:abap>
      </xsl:template>
      <xsl:template match="C">
        <item>
          <D>
            <xsl:value-of select="D"/>
          </D>
          <E>
            <xsl:value-of select="E"/>
          </E>
        </item>
      </xsl:template>
    </xsl:transform>
    Now the above pgm and transformation work well and I am able to extract data into the ITAB. Now what changes should I make in transformation and in pgm to collect
    <G>, <H> in one internal table JTAB.
    <J>, <K> in one internal table KTAB.
    <J>, <N> in one internal table PTAB.
    Please help. I am really trying hard to figure this out. I have found a lot of threads addressing this issue but not my problem.
    Kindly help.
    Regards,
    VS

    Hi Rammohan,
    Thanks for the effort!
    But I don't need to use GUI upload because my functionality does not require to fetch data from presentation server.
    Moreover, the split command advised by you contains separate fields...f1, f2, f3... and I cannot use it because I have 164 fields.  I will have to split into 164 fields and assign the values back to 164 fields in the work area/header line.
    Moreover I have about 10 such work areas.  so the effort would be ten times the above effort! I want to avoid this! Please help!
    I would be very grateful if you could provide an alternative solution.
    Thanks once again,
    Best Regards,
    Vinod.V

  • Can PING/ASDM/SSH to External IP but not to Internal IP on PIX itself

    We have two networks HQ and Site1 and for some reason we can’t ping the inside IP for Site1 PIX device. We have site-site-VPN set up between the two and everything works fine except we can’t ping the Site1 PIX from internal IP. However, I can ASDM/SSH in from HQ to the external IP of the Site1 PIX.
    HQ is using an ASA 5550 (172.1.0.1)
    PC from HQ (172.1.64.x)
    Site1 is using a PIX-515E (172.2.0.1)
    PC from Site1 (172.2.64.x)
    Ping from HQ PC to Site1 PC (172.1.64.x to 172.2.64.x) works fine
    Ping from Site1 PC to HQ PC (172.2.64.x to 172.1.64.x) works fine
    Ping from HQ PC to Site1 PIX internal IP (172.1.64.x to 172.2.0.1) doesn’t work
    Ping from HQ PC to Site1 PIX external IP (172.1.64.x to Site1 external IP) works fine
    ASDM/SSH from any HQ PC to Site1 PIX internal IP (172.1.64.x to 172.2.0.1) doesn’t work
    ASDM/SSH from any HQ PC to Site1 PIX external IP (172.1.64.x to Site1 external IP) works fine
    Everything was working fine until we recently changed the outside IP address for Site1 because we switch to a different ISP. Nothing changed on the HQ ASA or Site1 PIX other than the outside IP address on Site1 PIX. I did rebuild the site-to-site VPN tunnel between Site1 and HQ.
    Thanks first in advance for any ideas/suggestions.

    Thanks Julio for your reply. We are currently running PIX Version 8.0 (3) and yes we do have management-access inside configured.
    Cisco PIX Security Appliance Software Version 8.0(3)
    Device Manager Version 6.0(3)
    Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list

  • Cisco pix 525 and 515 cannot archive configuration in LMS 3.0.1

    Hi,
    we have several cisco pix 525 and 515 that cannot archive configuration in LMS 3.0.1
    Any help would be greatly appreciated.
    Thanks in advance
    Samir

    Hi,
    Here is the output.
    *** Device Details for  ***
    Protocol ==> Unknown / Not Applicable
    Selected Protocols with order ==> TFTP,SSH,HTTPS
    Execution Result:
    RUNNING
    CM0151 PRIMARY RUNNING Config fetch failed for ********* Cause: SSH: Failed to establish SSH connection to 10.192.18.10 - Cause: Authentication failed on device 3 times.
    Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
    But when I do management station to Device it gives me the following results:
    Interface Found:  10.192.18.10
    Status:  UP
    Test Results
    UDP     Failed
          sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 64 protocol: udp port: 7
    TCP     Failed
          sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 0 size: 0 protocol: tcp port: 7
    HTTP     Failed
          sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 33 protocol: http port: 80
    TFTP     Failed
          sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 25 protocol: tftp port: 69
    SNMPRv2c(Read)     Okay
         sent: 5 recvd: 5 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_get port: 0
    SNMPWv2c(Write)     Failed
          sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_set port: 0
    SSHv2     Failed
    TELNET     Okay
    Waiting for your reply.
    Samir

  • Send Notification to Multiple Internal Users

    Hi everybody,
    how can i send an email to Multiple Internal Users in BPM which are not known at design time?
    I know i can use an expression, but i have a collection of type string (EmployeeID's). I can use the method getPrincipalByUniqueName(EmployeeID,"user") but employeeID is a collection and this method expected a single string.
    regards,
    Sid

    Hi Anil,
    my BPM-WebService will be called with a Request parameter:
    users (1..*)
    userID (string)
    So at Run Time i get a collection or array with userID's like: SD4711, AN4712....
    If i use getPrincipalByUniqueName("SP4711","user") i get the right user but i have a collection, so what could i do?
    I can determine the interface by my self, so it is not a problem to change the interface if it is necessary.
    How can i use getPrincipals(String(1..*) principalID)?
    regards,
    Sid
    Edited by: Sid on Dec 13, 2010 3:21 PM

  • PIX 525 UR With 1 4-Port FE, 1 VPN Accel Card

    Good day;
    I have a PIX 525 Unrestricted with failover.
    802.bin IOS
    There is 1 4-port FE and a VPN Accelerator card installed in each unit.
    I tried to install a second 4-port FE in both prime and secondary units and the following is the result.
    Once I power up both units the second 4-port FE mimics the first one. Although there are no physical connections to the second 4-port FE's, the port lights on the second FE's light up as the ones on the first 4-port FE.
    Example:
    1st 4-port FE
    Fa0/2 - physical connection - Light on
    Fa0/3 - no physical connection - Light off
    Fa0/4 - physical connection - Light on
    Fa0/5 - no physical connection - Light off
    2nd 4-port FE
    Fa0/6 - no physical connection - Light on
    Fa0/7 - no physical connection - Light off
    Fa0/8 - no physical connection - Light on
    Fa0/9 - no physical connection - Light off
    Also, when the second card is installed the first card will not function and this sets both PIX's as active.
    I'm somewhat baffled.

    Hi;
    Here's the show version.
    As you will see, it allows for 10 physical interfaces.
    I'm scratching my head over this one.
    Cisco PIX Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(2)
    Compiled on Fri 15-Jun-07 18:25 by builders
    System image file is "flash:/pix802.bin"
    Config file at boot was "startup-config"
    MHCPPIX1 up 27 days 22 hours
    failover cluster up 93 days 1 hour
    Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
    Flash E28F128J3 @ 0xfff00000, 16MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
    0: Ext: Ethernet0 : address is 0011.924b.dd31, irq 10
    1: Ext: Ethernet1 : address is 0011.924b.dd32, irq 11
    2: Ext: Ethernet2 : address is 000d.88ee.5d70, irq 11
    3: Ext: Ethernet3 : address is 000d.88ee.5d71, irq 10
    4: Ext: Ethernet4 : address is 000d.88ee.5d72, irq 9
    5: Ext: Ethernet5 : address is 000d.88ee.5d73, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces : 10
    Maximum VLANs : 100
    Inside Hosts : Unlimited
    Failover : Active/Active
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    Cut-through Proxy : Enabled
    Guards : Enabled
    URL Filtering : Enabled
    Security Contexts : 2
    GTP/GPRS : Disabled
    VPN Peers : Unlimited
    This platform has an Unrestricted (UR) license.

  • Multiple MX records with PIX and ASA5510

    I need some help with a setup for email.
    Setup
    I have a PIX525 and an ASA5510VPN and an internal 2950 router. The PIX does firewalling and the ASA does VPN. Currently all outbound Internet traffic goes through the PIX via the router with this command:
    ip route 0.0.0.0 0.0.0.0 10.1.1.2 1
    The ASA5510 with its dedicated external IP is used to allow VPN traffic in.
    The problem:
    I have two separate domain names and two MX records. One (mail.PIX.com)is pointed at the external IP of the PIX the other (mail.ASAVPN.com) is pointed at the ASA5510. I can receive inbound mail through both of the devices. I'd like to mail go out using both domains one through PIX and the other thru ASA. The problem is the router says all unknown traffic go to PIX.
    How do I route mail from a host (10.1.1.5) to the ASA5510(10.1.1.4), while sending the mail from host (10.1.1.3) to PIX(10.1.1.2)

    I am not following something here. If your gateway for 10.1.1.5 is truly set to the ASA and the ASA has the nat rule on the outside for the 10.1.1.5 address there should be no issue. It sounds like you are sending your traffic back out the pix interface. If your gateway is the 10.1.1.254 address the router will send the traffic to the PIX or redirect you to do so with an ICMP redirect.
    Just the simple fact that it's coming out with the wrong external address leads me to believe that that is the issue.
    Any configs/route tables on the servers and firewalls would help.

  • Assign multiple internal parts (materials of different plants) to one MPN

    HI
    I have a requirement to assign multiple internal parts (materials of different plants) to one manufacture part number.
    but in HERS material type it allows to assign to only one .
    can  any body suggest how can I do this.
    Sreeram

    You can do that.
    1: Assign the new plant to the sales org / distribution channel - Enterprise structure
    2: Do the shipping point determination for the new plant.
    3: Extend the materials to the new plant.
    4: If there is an intercompany process, please check "Assignment of organizational units to plants" in navigation SD - Billing - Intercompany billing.
    5: Check if there are any pricing records, output records, etc. which have Plant as a parameter. If yes, maintain the entries for the new plant.
    These are the things I could think of.
    Before deleting the existing plants, make sure there are no open documents existing for these plants, else system will not allow to delete.
    Regards
    Sai
    Edited by: Sai on Jun 1, 2010 4:19 PM

  • Split a string into multiple internal tables

    Hi all,
    I need to split a string based internal table into multiple internal tables based on some sub strings in that string based internal table...
    High priority help me out...
    eg...
    a | jhkhjk | kljdskj |lkjdlj |
    b | kjhdkjh | kldjkj |
    c | jndojkok |
    d |
    this data which is in the application server file is brought into a internal table as a text. Now i need to send 'a' to one internal table, 'b' to one internal table, so on... help me
    <Priority downgraded>
    Edited by: Suhas Saha on Oct 12, 2011 12:24 PM

    Hi pradeep,
    eg...
    a | jhkhjk | kljdskj |lkjdlj |
    b | kjhdkjh | kldjkj |
    c | jndojkok |
    d |
    As per your statement "Now i need to send 'a' to one internal table, 'b' to one internal table"
    Do you want only a to one internal table and b to one internal table
    OR
    Do you want the whole row of the internal table i mean
    a | jhkhjk | kljdskj |lkjdlj | to 1 internal table
    Having the case of an internal table which is of type string,
    1) Loop through the internal table.    LOOP AT lt_tab INTO lwa_tab.
    2) Get the work area contents and get the first char wa_tab-string+0(1)
    3)   FIELD-SYMBOLS: <t_itab> TYPE ANY TABLE.
      w_tabname = p_table.
      CREATE DATA w_dref TYPE TABLE OF (w_tabname).
      ASSIGN w_dref->* TO <t_itab>.
    Follow the link
    http://www.sap-img.com/ab030.htm
    http://www.sapdev.co.uk/tips/dynamic-structure.htm
    and then based on the sy-tabix values you will get that many number of internal table
           <FS> = wa_tab-string+0(1)
          append  <FS>
    OR
    USE SPLIT statement at the relevant separator
    revert for further clarification
    Thanks
    Sri
    Edited by: SRIKANTH P on Oct 12, 2011 12:36 PM

  • PIX 525 Cluster

    We currently had to RMA both PIX 525s due to increasing crc errors. After swapping the old ones with the new we are still seeing crc errors on all gig interfaces. We have swapped the gig nic's and the sfp's and the fiber patch cables, yet still the crc errors continue to climb. Another thing that's interesting is that when we disconnect the secondary we see an increase in throughput. Any insight as to what else could be causing the errors would be appreciated.
    Sent from Cisco Technical Support iPhone App

    Hello,
    First, double check the speed/duplex configuration and make sure they match on both ends of each cable. Also, CRC errors are usually caused by the transmitter, but they show up as errors on the receiver side. Therefore, if you're only seeing CRC errors on the PIX and the switch ports look clean, I would focus on why the switch is corrupting the packets. You might try moving the cables to a different unused switch port and see if that helps.
    -Mike

  • Pix 525 Boot rom?

    I was wondering if someone can tell me how to upgrade a Cisco Pix 525 boot rom from 4.0 to 4.3. Is it a physical chip or software upgrade? Is it needed to upgrade to latest IOS on Cisco Pix 525 to 8.0. Where can I find more information on it?  Thanks in advance

    This link should help you
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
    Regards,
    Sachin

  • Pix 525 6.2 Mac control

    Hello, I'm trying to configure a pix 525 with 6.2 firmware version, usually I would try this:
    mac access-list extended (name)
    permit host (mac) any
    int f0/0
    mac access-group (name) in
    but this pix doesn't have mac commands. Can someone help me?
    Thanks
    Mario Silva

    Hello;
    That does not work unless u are running in transparent mode.
    Hope it helps.
    Mike
    Sent from Cisco Technical Support Android App

  • Pix 525 I need erasedisk.bin

    hey ,
    i have PIX 525 can any one provide me with  erasedisk.bin  to erase my flash memory
    thnx in advance ,

    From the cisco.com terms and conditions:
    "You may not post, modify, distribute, or reproduce in any way copyrighted or other proprietary materials without obtaining the prior written consent of the copyright owner of such materials. We may terminate an account, deny access to a site or service, or terminate any user who is alleged to have infringed the copyright or proprietary rights of another."
    This is further reinforced in the CSC-specific Acceptable Use Agreement.
    You need to ask the TAC (or your reseller) for binaries.

  • Two aaa-server TACACS+ in PIX 525

    I have a PIX 525 with two aaa-server for TACACS+; My aaa comands are configured by default.
    I understand that my aaa-server TACACS+max-failed-attempts "number" have a "3" times to declare my aaa-server unresponsive and move on to try the next server in the list.
    Once it happens, how long are the aaa requests sent to the secondary aaa-server?
    Can somebody help me? I want to keep my first aaa-server as primary and just in case of failure use the second aaa-server.
    Thanks a lot.

    The timeout interval also has to be configured for the request. This is the time after which the PIX Firewall gives up on the request to the primary AAA server. If there is a standby AAA server, the PIX Firewall will send the request to the backup server. The retransmit timeout is currently set to 10 seconds and is not user configurable.
