PIX 501 and Client VPNs

Hi, I've had this 501 for several months now and have really struggled to get the client VPN side working.
I can get site-to-site working with no problems using the wizard, but the client VPN never works.
Latest, I've set it up for PPTP, which I can get the client to connect with no problems, but it fails to get any traffic from the PIX. I can, however, ping the remote PC from a PC behind the PIX.
I'm setting these up via the PDM, but I've attached a copy of the config anyway.
Best,
Chris

Hi Kamal,
It didn't like the command
nat (inside) 0 access0list nonat
I can attach via the Cisco VPN Client, but the same occurs: I can ping the remote from the network, but not the other way round.
Config attached.
Best,
Chris
: Written by enable_15 at 02:14:05.990 UTC Mon Feb 12 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240
access-list split permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.x.146.72 255.255.x.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.10.10.1-10.10.10.10
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.x.249.x.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool vpnpool
vpngroup vpn dns-server 192.168.1.1
vpngroup vpn idle-time 1800
vpngroup vpn password 634083
vpngroup VPNclient split-tunnel split
vpngroup VPNclient idle-time 1800
vpngroup VPNclient password ******
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 89.238.129.211
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username chris password 9DgK/T8KJkq.BhX6 encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end
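Reading the config above against the symptom (client connects, LAN-to-client pings work, client-to-LAN does not): every inside host is covered by `nat (inside) 1 0.0.0.0 0.0.0.0` with `global (outside) 1 interface`, and there is no `nat (inside) 0 access-list` line, so replies from the LAN to a 10.10.10.x client are translated to the outside address before the crypto check sees them; the `nonat` ACL that Kamal's command would reference names 192.168.10.0/24 rather than the `vpnpool` range; the map carrying `client authentication LOCAL` (`outside_map`) is not the one applied to the outside interface (`dyn-map` is); the group that owns the split-tunnel list (`VPNclient`) has no address pool; and the `vpn` group's pre-shared key is readable in the dump, so it should be treated as disclosed. The linter below is an added example, not part of the thread and not a Cisco tool: it parses the PIX 6.3 statement forms that appear in the posted configs and reports exactly those mismatches. Its sample config is a constructed excerpt modelled on the posted one.

```python
"""Lint a PIX 6.3 running-config for the remote-access VPN mistakes behind
'the client connects but cannot reach the LAN'.  Added example: not from the
thread and not a Cisco tool; it parses only the statement forms the posted use."""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the posted config (same addresses and group key).
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240
ip local pool vpnpool 10.10.10.1-10.10.10.10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
vpngroup vpn address-pool vpnpool
vpngroup vpn password 634083
vpngroup VPNclient split-tunnel split
vpngroup VPNclient password ********
"""


def _operand(tok):
    """Consume one ACL address operand: any | host A | A MASK."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse(config):
    """Pull out the statements the checks need, keyed by name."""
    c = {"inside": None, "acl": defaultdict(list), "pool": {}, "nat0": [], "dyn_acl": {},
         "map_dyn": {}, "map_if": {}, "map_xauth": set(), "grp": defaultdict(dict)}
    for t in (line.split() for line in config.splitlines()):
        try:
            if t[:3] == ["ip", "address", "inside"]:
                c["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                src, rest = _operand(t[4:])
                c["acl"][t[1]].append((src, _operand(rest)[0]))
            elif t[:3] == ["ip", "local", "pool"]:
                lo, hi = t[4].split("-")
                c["pool"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
                c["nat0"].append(t[4])
            elif t[:2] == ["crypto", "dynamic-map"] and t[4:6] == ["match", "address"]:
                c["dyn_acl"][t[2]] = t[6]
            elif t[:2] == ["crypto", "map"] and t[3] == "interface":
                c["map_if"][t[2]] = t[4]
            elif t[:2] == ["crypto", "map"] and t[3:5] == ["client", "authentication"]:
                c["map_xauth"].add(t[2])
            elif t[:2] == ["crypto", "map"] and "dynamic" in t:
                c["map_dyn"][t[2]] = t[t.index("dynamic") + 1]
            elif t[0] == "vpngroup":
                c["grp"][t[1]][t[2]] = t[3]
        except (IndexError, ValueError):
            pass  # blank line, or an operand form (e.g. 'interface outside') not handled
    return c


def lint(config):
    """Return a list of findings; an empty list means these checks passed."""
    c, out = parse(config), []
    def covered(acl, lo, hi):  # does some entry's destination hold the whole pool range?
        return any(lo in dst and hi in dst for _, dst in c["acl"].get(acl, []))
    for m in sorted(c["map_xauth"] - set(c["map_if"])):
        out.append(f"crypto map {m} carries client authentication but is not applied to an interface")
    if not c["nat0"]:
        out.append("no nat (inside) 0 access-list: LAN replies to VPN clients are translated by the nat/global pair")
    for g, a in c["grp"].items():
        if a.get("password", "*").strip("*"):
            out.append(f"vpngroup {g} pre-shared key is readable in this config dump; treat it as disclosed")
        pool = a.get("address-pool")
        if pool not in c["pool"]:
            out.append(f"vpngroup {g} has no address-pool" if pool is None
                       else f"vpngroup {g} references undefined pool {pool}")
            continue
        lo, hi = c["pool"][pool]
        if c["inside"] and (lo in c["inside"] or hi in c["inside"]):
            out.append(f"pool {pool} overlaps the inside subnet {c['inside']}")
        for acl in c["nat0"]:
            if not covered(acl, lo, hi):
                out.append(f"nat 0 ACL {acl} does not cover pool {pool} ({lo}-{hi})")
        for m in c["map_if"]:  # crypto ACL of the dynamic map behind the applied map
            acl = c["dyn_acl"].get(c["map_dyn"].get(m))
            if acl and not covered(acl, lo, hi):
                out.append(f"crypto ACL {acl} does not cover pool {pool}")
    return out
```

Feed it a `write terminal` capture; `lint()` returning an empty list means only that these particular checks passed. Note that adding Kamal's `nat (inside) 0 access-list nonat` on its own still leaves the `nonat` destination mismatch, which shows up as its own finding.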

Similar Messages

  • PIX 501 and Linksys VPN Router (WRV200)

    I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Routers on two other
    sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
    I believe the Linksys VPN routers can only connect via IPsec VPN, so I am looking for help on configuring the PIX 501 to allow the Linksys to connect with the following parameters, if possible.
    Key Exchange Method: Auto (IKE)
    Encryption: Auto, 3DES, AES128, AES192, AES256
    Authentication: MD5
    Pre-Shared Key: xxx
    PFS: Enabled/Disabled
    ISAKMP Key Lifetime: 28800
    IPSec Key Lifetime: 3600
    On the PIX I have the PDM installed and I have tried using the VPN Wizard to no avail.
    I chose the following settings in the VPN Wizard:
    Type of VPN: Remote Access VPN
    Interface: Outside
    Type of VPN Client Device used: Cisco VPN Client
    (can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
    VPN Client Group
    Group Name: RabyEstates
    Pre Shared Key: rabytest
    Extended Client Authentication: Disabled
    Address Pool
    Pool Name: VPN-LAN
    Range Start: 192.168.2.200
    Range End: 192.168.2.250
    DNS/WINS/Default Domain: None
    IKE Policy
    Encryption: 3DES
    Authentication: MD5
    DH Group: Group 2 (1024-bit)
    Transform Set
    Encryption: 3DES
    Authentication: MD5
    I have attached the VPN log from the Linksys VPN Router.
    This is the first time I've ever worked with a PIX, so I'm still trying to figure the thing out, but I'm confident with CCNA-level networking.
    Thanks for your help!

    Hi again,
    I believe the PIX has a 3DES license because of the following parts of the "show version" output:
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    This PIX has a Restricted (R) license.
    I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
    As for the other show commands they give:
    pixfirewall# show crypto isakmp sa
    Total : 0
    Embryonic : 0
    dst src state pending created
    pixfirewall# show crypto ipsec sa
    interface: outside
    Crypto map tag: transam, local addr. 10.0.0.1
    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
    current_peer: 10.0.0.2:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
    pixfirewall#
    Thanks again Daniel, i really appreciate your help on this matter.

  • Persistent VPN between PIX 501 and ASA 5505

    I am a networking newbie with 2 small retail stores. I would like to create a persistent VPN between the stores. I already have a PIX 501 firewall, and I am looking at getting an ASA 5505. Would I have any problems creating a persistent VPN between these two firewalls?

    No problems whatsoever :-)
    There are loads of examples for the config on the Cisco website, and basically these boxes can run exactly the same software, so the config on each is virtually the same. The main difference is that the ASA defines the interfaces in a different way. Even if you have different versions of software, say 6.3 on the PIX and 7.2 on the ASA, they will still work fine for the VPN; just the configs will be a lot more different. Hope this helps to remove any worries you had.

  • PIX 501 and UPnP

    Does the PIX 501 support UPnP? According to an older post, "PIX is currently not UPnP aware." The eight-year-old answer led to a "Request for UPnP support in PIX": https://tools.cisco.com/bugsearch/bug/CSCdy26037. If it has been made "aware", where would I find a resource on enabling it? Thanks.

    Agree with Steven; most if not all of our recommendations to clients are to use the newer ASA firewall products in a migration path. Besides, not only will the ASA 5505 provide you with up to 20 virtual interfaces with the Security Plus license, but also numerous other features that PIX code 6.3(5) does not come close to providing.
    Ultimately the PIX 506 cannot go beyond code 6.3(5) and probably gives you up to 2 VLANs maximum, and from clients' experience out there they end up in a deadlock when needing new features; you want to have a product in your network, however small it is, that would be able to move forward with 7.x/8.x code.
    If the above is not a concern at all, then what Andrew suggested would work.
    Rgds
    -Jorge

  • Upgrading PIX 501 across L2L VPN

    I have a PIX 501 running 6.3(5) and just need to upgrade PDM. The PIX is at a remote site and the TFTP server is across the tunnel at our corporate site. I'm not sure what to put in the tftp-server command since the TFTP server is actually out the outside interface but across the tunnel. I'm not sure what the PIX will use to source the TFTP packets. If it is the outside interface address then the PIX won't properly protect it in the tunnel. If it is the inside interface address then it should but how can that be specified. How do I copy files via TFTP across a VPN tunnel established on the outside interface?
    Tyler

    The PIX will use the same address as for other management methods (Telnet/Web/SSH).
    Just modify the current ACL with a new entry (ACE) that specifies tunnelling TFTP traffic (UDP port 69) between the PIX and the TFTP server (at corporate). That ACL gets assigned to a crypto map (should already exist), and then the crypto map is assigned to an interface (should already exist).
    Reference: http://www.cisco.com/warp/public/110/38.html
    Regards,
    Ray

  • ASA 5505 site-to-site VPN tunnel and client VPN sessions

    Hello all
    I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
    I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
    The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
    Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
    Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
    I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
    Thanks in advance for any assistance provided!

    First question:
    Yes, the 5505 will be able to establish the site-to-site tunnel, and he can use the IPsec VPN client and SSL VPN (it comes with 2 default SSL VPN licenses).
    Second question:
    Yes, you are right. No special routing is required. All you need to configure is the site-to-site VPN between the Site A and Site Z LANs, and the internet traffic will be routed via the Site A internet, assuming you have all the NAT statements configured for that.
    Last question:
    This needs to be configured; it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
    Here is what needs to be configured:
    1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
    2) On Site A, configure: same-security-traffic permit intra-interface
    3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
    On Site Z:
    access-list permit ip
    On Site A:
    access-list permit ip
    4) NAT exemption on site Z needs to include vpn client pool subnet as well.
    Hope that helps.
    Message was edited by: Jennifer Halim

  • Pix 501 and H323

    Thank you in advance.
    Is video teleconferencing supported on the PIX 501?
    I am trying to configure a static route from the inside to the outside using static routes and I cannot do it.
    Please, can someone send me config examples if the PIX 501 supports video conferencing using H.323?
    Cristian

    Have a look here:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1079378
    If connectivity still fails, a look at the PIX log might help ('sh log').

  • PIX 501 and Java

    Hello,
    Trying to move some servers today and lo and behold this.... not good news...
    Does anyone have an easy workaround for the Java issue for a Cisco Pix 501? Is there an easy way to revert to older versions of Java without affecting everything else? Does QuickTime use Java? This is very frustrating.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/productsfieldnotice09186a008046c805.shtml
    "Customers running these versions of PDM or IDM should either uninstall the newer Java Plug-Ins and re-install previous versions of the Java Plug-In, or upgrade their PDM and IDM images to the versions indicated in the following table."
    Thanks,
    Rich

    Rich,
    Welcome to the forums.
    This notice doesn't apply to using Java programs or applets.
    It specifically applies to computers that will need to access the PDM or IDM to make changes.
    "Impacted PDM and IDM versions will not load when launched from a browser"
    As long as you don't need to access the PDM or IDM from the browser, you don't need to worry about this advisory.
    If you do, my advice would be to upgrade the PIX, as that seems the most logical thing to do (especially as it's a fix that Cisco has already released).

  • 1841 ISR Router and Client VPN

    Hi,
    Can I terminate VPN clients on an 1841 ISR router? What are the requirements for that, e.g. IOS version, DRAM or flash?
    Please help.
    Regards

    Sanjay,
    You should certainly be able to terminate VPN client sessions on an 1841 router. For the 1841 you need either 12.3T or 12.4 code. For the feature set you need something like Advanced Security or Advanced IP Services. These require 128 MB of memory and 32 MB of flash, which is the default amount of memory and flash that ships with the router.
    HTH
    Rick

  • PIX 501 and AAA Radius Server

    I am trying to change the RADIUS server using PDM and I cannot do it; it gives me an error stating that I need to change the server on the ACL.
    Please tell me where else I have to go to remove the old RADIUS server and add a new RADIUS server.
    Thank you
    Cristian

    Try this configuration guide; maybe you will find it there:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/index.htm

  • Pix 501 IPSec VPN no LAN access and no ping

    Hello,
    I am attempting to set up an IPsec VPN in a basic small-business scenario. I am able to connect to my PIX 501 via IPsec VPN and browse the internet, but I am unable to ping or connect to any devices in the remote LAN. Here is my config:
    show config:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxxx encrypted
    hostname pixfirewall
    domain-name domain.local
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 195.7.x.x BLR-Quadria
    name 176.76.1.0 LAN-CEPIC
    name 176.76.1.40 ADMIN
    name 176.76.1.253 SRV-Linux
    name 212.234.98.224 ADSL-Quadria
    name 81.80.252.129 sylob
    name 176.76.1.33 poste-pcanywhere
    name 176.76.1.179 TEST
    name 10.1.1.0 VPN_CLIENT
    name 176.76.1.100 SRVSVG01
    name 176.76.1.116 SRV-ERP01
    name 176.76.1.50 SRV-ERP00
    object-group network WAN-Quadria
      network-object BLR-Quadria 255.255.255.248
      network-object ADSL-Quadria 255.255.255.248
    object-group network SRV-CEPIC
      network-object SRV-Linux 255.255.255.255
      network-object ADMIN 255.255.255.255
      network-object SRVSVG01 255.255.255.255
      network-object SRV-ERP00 255.255.255.255
      network-object SRV-ERP01 255.255.255.255
    object-group service TCP-Linux-Quadria tcp
      port-object eq 1812
      port-object eq 222
      port-object eq 10000
    object-group service TCP-TSE-Quadria tcp
      port-object eq 3389
    object-group service PCAnywhereUDP udp
      port-object range pcanywhere-status pcanywhere-status
    access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
    access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
    access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
    access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
    access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
    access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
    access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
    access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
    pager lines 24
    logging on
    logging console debugging
    logging buffered debugging
    logging trap debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 176.76.1.254 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name attaque attack action alarm drop reset
    ip audit name info info action alarm drop reset
    ip audit interface outside info
    ip audit interface outside attaque
    ip audit interface inside info
    ip audit interface inside attaque
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 2000 disable
    ip audit signature 2003 disable
    ip local pool VPN_POOL 10.1.1.10-10.1.1.20
    pdm location ADMIN 255.255.255.255 inside
    pdm location SRV-Linux 255.255.255.255 inside
    pdm location BLR-Quadria 255.255.255.248 outside
    pdm location ADSL-Quadria 255.255.255.248 outside
    pdm location LAN-CEPIC 255.255.255.0 inside
    pdm location poste-pcanywhere 255.255.255.255 inside
    pdm location sylob 255.255.255.255 outside
    pdm location TEST 255.255.255.255 inside
    pdm location 10.10.10.0 255.255.255.224 outside
    pdm location VPN_CLIENT 255.255.255.0 inside
    pdm location VPN_CLIENT 255.255.255.224 outside
    pdm location SRVSVG01 255.255.255.255 inside
    pdm location SRV-ERP00 255.255.255.255 inside
    pdm location SRV-ERP01 255.255.255.255 inside
    pdm group WAN-Quadria outside
    pdm group SRV-CEPIC inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    ntp server 193.55.130.2 source inside
    ntp server 80.67.179.98 source outside
    ntp server 194.2.0.28 source outside prefer
    http server enable
    http BLR-Quadria 255.255.255.248 outside
    http ADSL-Quadria 255.255.255.248 outside
    http ADMIN 255.255.255.255 inside
    http LAN-CEPIC 255.255.255.0 inside
    snmp-server host inside SRV-Linux
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp outside
    sysopt noproxyarp inside
    service resetinbound
    service resetoutside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
    vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
    vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
    vpngroup CEPIC_VPN_CLIENT default-domain domain.local
    vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
    vpngroup CEPIC_VPN_CLIENT idle-time 1800
    vpngroup CEPIC_VPN_CLIENT password ********
    telnet timeout 5
    ssh BLR-Quadria 255.255.255.248 outside
    ssh ADSL-Quadria 255.255.255.248 outside
    ssh LAN-CEPIC 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xxxxx
    vpdn group pppoe_group ppp authentication chap
    vpdn username xxxx password xxxxx store-local
    username vg_vpn password xxxxx encrypted privilege 3
    username test password xxxxxx encrypted privilege 3
    username quadria password xxxxx encrypted privilege 15
    username jml_vpn password xxxxx encrypted privilege 3
    username jr_vpn password xxxxx encrypted privilege 3
    username js_vpn password xxxxx encrypted privilege 3
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege show level 3 command uauth
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    privilege show level 5 mode configure command logging
    privilege show level 5 command fragment
    terminal width 80
    Cryptochecksum:
    I know this is a basic question but I would really appreciate the help!
    Thanks so much,

    Hi,
    You could try changing the split-tunnel ACL to a standard ACL:
    first remove it from the VPN configuration, then remove the ACL and recreate it as a standard-type ACL.
    Current
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    New
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
    You could also try adding
    fixup protocol icmp
    fixup protocol icmp error
    Have you monitored the logs while you are attempting to connect to the LAN network?
    - Jouni

  • PIX 501 VPN setup

    Can anyone please advise me? I am trying to set up a VPN on my PIX 501 and for some reason it is not working. I have posted the script below. If someone can advise me what I need to change, that would be great.
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password P@55w0rd! encrypted
    passwd P@55w0rd! encrypted
    hostname CFSLXAKALAZ
    domain-name akademic.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.2.0 VPN
    object-group service RemoteDesktop tcp
    port-object range 3389 3389
    access-list inside_access_in remark Allow all outbound UDP port 53 for DNS
    access-list inside_access_in permit udp any any eq domain
    access-list inside_access_in remark Allow ping to any external IP
    access-list inside_access_in permit icmp any any
    access-list inside_access_in remark Allow all outbound TCP connections
    access-list inside_access_in permit tcp any any
    access-list outside_access_in remark Allow external DNS via UDP
    access-list outside_access_in permit udp any eq domain any
    access-list outside_access_in remark Allow ping from outside to inside
    access-list outside_access_in permit icmp any any
    access-list outside_access_in remark Remote Desktop to any internal IP
    access-list outside_access_in permit tcp any any object-group RemoteDesktop
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.20.58.30 255.255.255.0
    ip address inside 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool donkpool 192.168.2.50-192.168.2.60
    pdm location 10.20.58.0 255.255.255.0 outside
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 10.20.58.1 1
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.20.58.0 255.255.255.0 outside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    vpngroup donk address-pool donkpool
    vpngroup donk idle-time 1800
    vpngroup donk password P@55w0rd!
    telnet 10.20.58.30 255.255.255.0 outside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.20.58.0 255.255.255.0 outside
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.128-192.168.2.252 inside
    dhcpd dns 158.152.1.58
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80

    You are missing a lot of config. Depending on what type of VPN you are trying to set up, please follow the links below to complete it:
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html

  • Need help, VPN between 1841 router & PIX 501

    Trying to set up a VPN between an 1841 router at HQ with a static IP connecting to a remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped the PIX MAC to this IP so I always get the same public IP even on equipment reboot). I have configured both sides but the tunnel will not come up; I must be missing something.
    See attached configs.
    THANK YOU!

    Sorry.
    interface: outside
    Crypto map tag: IPSEC, local addr. 12.206.137.5
    local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
    current_peer: 216.203.117.82:500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 659, #pkts encrypt: 659, #pkts digest 659
    #pkts decaps: 462, #pkts decrypt: 462, #pkts verify 462
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 124, #recv errors 0
    local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
    path mtu 1500, ipsec overhead 56, media mtu 1500
    current outbound spi: 793ff99e
    inbound esp sas:
    spi: 0xcbd5b096(3419779222)
    transform: esp-des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 4, crypto map: IPSEC
    IV size: 8 bytes
    replay detection support: Y
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    spi: 0x793ff99e(2034235806)
    transform: esp-des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 3, crypto map: IPSEC
    sa timing: remaining key lifetime (k/sec): (4607996/1929)
    IV size: 8 bytes
    replay detection support: Y
    outbound ah sas:
    local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
    current_peer: 216.203.117.82:500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
    #pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
    path mtu 1500, ipsec overhead 56, media mtu 1500
    current outbound spi: c6d3ea5c
    inbound esp sas:
    spi: 0x55d659c5(1440111045)
    transform: esp-des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 1, crypto map: IPSEC
    sa timing: remaining key lifetime (k/sec): (4607097/1917)
    replay detection support: Y
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    spi: 0xc6d3ea5c(3335776860)
    transform: esp-des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 2, crypto map: IPSEC
    sa timing: remaining key lifetime (k/sec): (4607743/1890)
    IV size: 8 bytes
    replay detection support: Y
    outbound ah sas:
    outbound pcp sas:
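The dump above is most of what a PIX gives you to work with, so here is an added example (mine, not part of the thread) in Python that parses a `show crypto ipsec sa` dump into one record per SA pair and flags the things to look at first: one-way counters, send/recv errors, and weak transforms. The embedded sample is trimmed from the output pasted above; the weak-transform list and the hints attached to each finding are this example's own assumptions, not anything the poster or Cisco stated.

```python
"""Parse a Cisco PIX 6.x ``show crypto ipsec sa`` dump and flag what a
tunnel troubleshooter looks at first: one-way counters, send/recv
errors and weak transforms.  Added example, not from the original post."""
import ipaddress
import re
from dataclasses import dataclass, field

WEAK_TRANSFORMS = {"esp-des", "esp-null"}  # assumption: 56-bit DES and NULL are weak

# Trimmed from the SA output pasted above: two SA pairs on one crypto map.
SAMPLE = """\
Crypto map tag: IPSEC, local addr. 12.206.137.5
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
current_peer: 216.203.117.82:500
#pkts encaps: 659, #pkts encrypt: 659, #pkts digest 659
#pkts decaps: 462, #pkts decrypt: 462, #pkts verify 462
#send errors 124, #recv errors 0
transform: esp-des esp-md5-hmac ,
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
current_peer: 216.203.117.82:500
#pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
#pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
#send errors 0, #recv errors 0
transform: esp-des esp-md5-hmac ,
"""

@dataclass
class SaEntry:
    local: str                 # crypto ACL source, as CIDR
    remote: str                # crypto ACL destination, as CIDR
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    transforms: set = field(default_factory=set)

def ident_to_cidr(ident: str) -> str:
    """'10.5.5.0/255.255.255.0/0/0' -> '10.5.5.0/24' (proto/port dropped)."""
    addr, mask, _proto, _port = ident.split("/")
    return ipaddress.IPv4Network((addr, mask)).with_prefixlen

_IDENT = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
_PEER = re.compile(r"^current_peer: (\S+)")
_ENCAPS = re.compile(r"^#pkts encaps: (\d+)")
_DECAPS = re.compile(r"^#pkts decaps: (\d+)")
_ERRORS = re.compile(r"^#send errors (\d+), #recv errors (\d+)")
_TRANSFORM = re.compile(r"^transform: (.+?) ,")

def parse_sa_dump(text: str) -> list:
    """One SaEntry per local/remote ident pair; the counters follow the pair."""
    entries, cur, pending_local = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _IDENT.match(line):
            cidr = ident_to_cidr(m.group(2))
            if m.group(1) == "local":
                pending_local = cidr          # a new SA pair starts here
            else:
                cur = SaEntry(local=pending_local, remote=cidr)
                entries.append(cur)
        elif cur is None:
            continue                          # header lines before the first pair
        elif m := _PEER.match(line):
            cur.peer = m.group(1)
        elif m := _ENCAPS.match(line):
            cur.encaps = int(m.group(1))
        elif m := _DECAPS.match(line):
            cur.decaps = int(m.group(1))
        elif m := _ERRORS.match(line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
        elif m := _TRANSFORM.match(line):
            cur.transforms.update(m.group(1).split())
    return entries

def review(e: SaEntry) -> list:
    """Findings for one SA pair; the hints in brackets name the usual suspects only."""
    out = []
    if weak := sorted(e.transforms & WEAK_TRANSFORMS):
        out.append("weak transform in use: " + ", ".join(weak))
    if e.encaps == 0 and e.decaps == 0:
        out.append("no traffic has matched this SA yet (interesting-traffic ACL?)")
    elif e.decaps == 0:
        out.append("one-way: encrypting out, nothing decrypted back (peer ACL / return route?)")
    elif e.encaps == 0:
        out.append("one-way: decrypting in, never encrypting out (local ACL / NAT exemption?)")
    if e.send_errors or e.recv_errors:
        out.append(f"{e.send_errors} send / {e.recv_errors} recv errors")
    return out

def report(text: str) -> dict:
    """'local -> remote via peer' mapped to its findings, for every SA pair."""
    return {f"{e.local} -> {e.remote} via {e.peer}": review(e) for e in parse_sa_dump(text)}

if __name__ == "__main__":
    for key, findings in report(SAMPLE).items():
        print(key)
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run it as-is against the sample, or pipe a real dump into `report()`. On the pasted output it shows both SA pairs are already passing traffic in both directions (so IKE and IPsec did negotiate), that the 10.5.5.0/24 to 10.2.1.0/24 pair has 124 send errors worth chasing, and that both pairs are still on esp-des, which is a 56-bit cipher nobody should leave on a tunnel.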

  • Span port with Pix 501?

    I want to use an open source IDS for my small network. I have a Pix 501 and I would like to span one of the ports from the integrated four port switch so my IDS can see all the traffic. Is this possible or is the integrated switch too basic? I have a Cisco 3550 in storage that I could use if needed, but I really don't have a good place to put it. Thanks in advance!

    Hi... yes, in fact the switch on the 501 is basically for extending your port density limits.
    I suggest connecting the desired port to a hub and then plugging the IDS into the hub. The IDS will then get all the packets.
    I hope it helps... please rate it if it does!!!

  • PIX 501 Flash Image Download

    Hoping someone can help.
    I have a PIX 501 and I am looking to download an OS as my current image is corrupt and the PIX will not boot.
    Would anyone know where I can download the O/S from so I can tftp it across to the router?
    The router is a few years old so it is not under maintenance.
    Thanks in advance

    Hi David,
    You should be able to download PIX 6.3.5 which is the latest version supported by your model from the following link:
    http://www.cisco.com/cisco/software/release.html?mdfid=275993766&softwareid=280786991&release=6.3.5&rellifecycle=GD&relind=AVAILABLE&reltype=all
    The file you'll be looking for is pix635.bin
    Regards,
    Nicolas
