Pix 501 and H323

Thank you in advanced.
Is video teleconference supported on the PIX 501?
I am trying to configure a static router from the inside to the outside using static routers and I can not do it.
Please can some one send me config examples if Pix 501 supports VIdeo COnferencing using H323.
Cristian

Have a look here:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1079378
If connectivity still fails, a look at the pix log might help ('sh log').

Similar Messages

Persistent VPN between PIX 501 and ASA 5505

I am a networking newbie with 2 small retail stores. I would like to create a persistent VPN between the stores. I already have a PIX 501 firewall, and I am looking at getting an ASA 5505. Would I have any problems creating a persistent VPN between these two firewalls?

No problems whatsoever :-)
There are loads of examples for the config on the Cisco website, and basically these boxes can run exactly the same software, so the config on each is virtually the same. Main difference is the ASA defines the interfaces in a different way. Even if you have different versions of software, say 6.3 on the PIX and 7.2 on the ASA they will still work fine for the VPN, just the configs will be a lot more different. Hope this helps to remove any worries you had?

PIX 501 and UPnP

Does the PIX 501 support UPnP? According to an older post, "PIX is currently not UPnP aware." The eight-year old answer lead to a "Request for UPnP support in PIX": https://tools.cisco.com/bugsearch/bug/CSCdy26037. If it has been made "aware" where would I find a resource on enabling it? Thanks.

Agree with Steven, most if not all of our recommendations to clients is to use the newer asa firewall products in a migration path, beside, not will the asa5505 provide you with up to 20 virtual interfaces with Sec plus license, but other numerous features pix code 6.3(5) does not come close to providing.
Ultimatelly the pix 506 cannot go beyond code 6.3(5) and probably give you up to 2 vlans maximun, and from clients experience out there they end up in a dead lock when needing new features, you want to have a product in your network whether is small that would be able to move forward with 7.x/8.x codes.
If the above is not of a concern at all, then what Andrew sugested would work.
Rgds
-Jorge

PIX 501 and Java

Hello,
Trying to move some servers today and lo and behold this.... not good news...
Does anyone have an easy workaround for the Java issue for a Cisco Pix 501? Is there an easy way to revert to older versions of Java without affecting everything else? Does QuickTime use Java? This is very frustrating.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/productsfieldnotice09186a008046c805.shtml
"Customers running these versions of PDM or IDM should either uninstall the newer Java Plug-Ins and re-install previous versions of the Java Plug-In, or upgrade their PDM and IDM images to the versions indicated in the following table."
Thanks,
Rich

Rich,
Welcome to the forums.
This notice doesn't apply to using Java programs or applets.
It specifically applies to computers that will need to access the PDM or IDM to make changes.
"Impacted PDM and IDM versions will not load when launched from a browser"
As long as you don't need to access the PDM or IDM from the browser, you don't need to worry about this advisory.
If you do, my advice would be to upgrade the PIX, as that seems the most logical thing to do (especially as it's a fix that Cisco has already released).

PIX 501 and Linksys VPN Router (WRV200)

I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Router on two other
sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
I believe the Linksys vpn routers can only connect via IPSec VPN, so i am looking for help on configuring the PIX 501 to allow the linksys to connect with the following parameters, if possible.
Key Exchange Method: Auto (IKE)
Encryption: Auto, 3DES, AES128, AES192, AES256
Authentication: MD5
Pre-Shared Key: xxx
PFS: Enabled/Disabled
ISAKMP Key Lifetime: 28800
IPSec Key Lifetime: 3600
On the PIX i have the PDM installed and i have tried using the VPN Wizard to no avail.
I chose the following settings when doing the VPN Wizard:
Type of VPN: Remote Access VPN
Interface: Outside
Type of VPN Client Device used: Cisco VPN Client
(can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
VPN Client Group
Group Name: RabyEstates
Pre Shared Key: rabytest
Extended Client Authentication: Disabled
Address Pool
Pool Name: VPN-LAN
Range Start: 192.168.2.200
Range End: 192.168.2.250
DNS/WINS/Default Domain: None
IKE Policy
Encryption: 3DES
Authentication: MD5
DH Group: Group 2 (1024-bit)
Transform Set
Encryption: 3DES
Authentication: MD5
I have attached the VPN log from the Linksys VPN Router.
This is the first time i've ever worked with PIX so i'm still trying to figure the thing out, but i'm confident with CCNA level networking.
Thanks for your help!

Hi again,
I believe the pix has a 3des license because of the following parts of the "show version"
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
This PIX has a Restricted (R) license.
I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
As for the other show commands they give:
pixfirewall# show crypto isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
pixfirewall# show crypto ipsec sa
interface: outside
Crypto map tag: transam, local addr. 10.0.0.1
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 10.0.0.2:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
pixfirewall#
Thanks again Daniel, i really appreciate your help on this matter.

Pix 501 and Client VPN's

Hi, I've had this 501 for several months now and really stuggled to get the client VPN side working.
I can get site to site working with no problems using the wizard but the Client VPN never works.
Latest i've set it up for pptp which I can get the client to connect with no problems but fails to get any traffic from the pix - I can however ping the remote PC from a PC behind the PIX.
I'm setting these up by the PDM buy i've attached a copy of the config anyway.
Best,
Chris

Hi Kamal.
It didnt like the command
nat (inside) 0 access0list nonat
I can attach via Cisco VPN Client but the same occurs - I can ping the remote from the network - but not the other way round.
Config attached. - Best, Chris
: Written by enable_15 at 02:14:05.990 UTC Mon Feb 12 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240
access-list split permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.x.146.72 255.255.x.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.10.10.1-10.10.10.10
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.x.249.x.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool vpnpool
vpngroup vpn dns-server 192.168.1.1
vpngroup vpn idle-time 1800
vpngroup vpn password 634083
vpngroup VPNclient split-tunnel split
vpngroup VPNclient idle-time 1800
vpngroup VPNclient password ******
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 89.238.129.211
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username chris password 9DgK/T8KJkq.BhX6 encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end

PIX 501 and AAA Radius Server

I am trying to change the radius server using PDM and I can not do it it give me an error sgtating that I need to change the server on the ACL.
PLease tell me whereelse do I have to go and remove the old radius server and add a new radius server.
Thank you
Cristian

Try this configuration guide,
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/index.htm may be you wll find it.

PIX 501 VPN setup

Can any one please advise me I am trying to set up a VPN on my PIX 501 and for some reason it is not working. I have posted the scrips below. If someone can advise me what I need to change that would be great.
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password P@55w0rd! encrypted
passwd P@55w0rd! encrypted
hostname CFSLXAKALAZ
domain-name akademic.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 VPN
object-group service RemoteDesktop tcp
port-object range 3389 3389
access-list inside_access_in remark Allow all outbound UDP port 53 for DNS
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in remark Allow ping to any external IP
access-list inside_access_in permit icmp any any
access-list inside_access_in remark Allow all outbound TCP connections
access-list inside_access_in permit tcp any any
access-list outside_access_in remark Allow external DNS via UDP
access-list outside_access_in permit udp any eq domain any
access-list outside_access_in remark Allow ping from outside to inside
access-list outside_access_in permit icmp any any
access-list outside_access_in remark Remote Desktop to any internal IP
access-list outside_access_in permit tcp any any object-group RemoteDesktop
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.20.58.30 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool donkpool 192.168.2.50-192.168.2.60
pdm location 10.20.58.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.20.58.1 1
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.20.58.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
vpngroup donk address-pool donkpool
vpngroup donk idle-time 1800
vpngroup donk password P@55w0rd!
telnet 10.20.58.30 255.255.255.0 outside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 10.20.58.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.128-192.168.2.252 inside
dhcpd dns 158.152.1.58
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
terminal width 80

You are missing a lot of config, depending on what type of vpn you are trying to setup please follow the links below to complete it:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html

Span port with Pix 501?

I want to use an open source IDS for my small network. I have a Pix 501 and I would like to span one of the ports from the integrated four port switch so my IDS can see all the traffic. Is this possible or is the integrated switch too basic? I have a Cisco 3550 in storage that I could use if needed, but I really don?t have a good place to put it. Thanks in advance!

Hi .. yes infact the swith on the 501 is basically for extending your port density limits.
I suggest you connecting the desired port to a hub and then plug the IDS to the hub. The IDS will then get all the packets ..
I hope it helps ... please rate it if it does !!!

PIX 501 Flash Image Download

Hoping someone can help.
I have a PIX 501 and I am looking to download an OS as my current image is corrupt and the PIX will not boot.
Would anyone know where I can download the O/S from so I can tftp it across to the router.
The router is a few years old so it is not under maintenance.
Thanks in advance

Hi David,
You should be able to download PIX 6.3.5 which is the latest version supported by your model from the following link:
http://www.cisco.com/cisco/software/release.html?mdfid=275993766&softwareid=280786991&release=6.3.5&rellifecycle=GD&relind=AVAILABLE&reltype=all
The file you'll be looking for is pix635.bin
Regards,
Nicolas

Reseting ipsec on PIX 501

Hi all. Just one quick question. I can't seem to find how to reset ipsec on PIX 501 and force sa to be negotiated again and I also want to reset the statistics for the ipsec sa. I know I saw the commands somewhere but now can't seem to find the commands anywhere.
Thanks in advance for any help.

Hi...
In config mode...
clear crypto isakmp sa
-and-
clear crypto ipsec sa
PS. You can find the commands on the PIX by going into config mode and typing...
PIX01(config)# clear cry ?
Hope the above helps and please rate posts!

Need help, VPN between 1841 router & PIX 501

Trying to setup a VPN between an 1841 router at HQ with static IP connecting to remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped PIX MAC this IP so I always get same public IP even on equip reboot). I have configured both sides but tunnel will not come up, must be missing something.
See attached configs.
THANK YOU!

Sorry.
interface: outside
Crypto map tag: IPSEC, local addr. 12.206.137.5
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
current_peer: 216.203.117.82:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 659, #pkts encrypt: 659, #pkts digest 659
#pkts decaps: 462, #pkts decrypt: 462, #pkts verify 462
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 124, #recv errors 0
local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 793ff99e
inbound esp sas:
spi: 0xcbd5b096(3419779222)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: IPSEC
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x793ff99e(2034235806)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607996/1929)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
current_peer: 216.203.117.82:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
#pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: c6d3ea5c
inbound esp sas:
spi: 0x55d659c5(1440111045)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607097/1917)
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xc6d3ea5c(3335776860)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607743/1890)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

Pix 501 IPSec VPN no LAN access and no ping

Hello,
I am attempting to setup an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet but I am unable to ping or connect to any devices in the remote LAN. Here is my config
show config:
nterface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxxx encrypted
hostname pixfirewall
domain-name domain.local
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 195.7.x.x BLR-Quadria
name 176.76.1.0 LAN-CEPIC
name 176.76.1.40 ADMIN
name 176.76.1.253 SRV-Linux
name 212.234.98.224 ADSL-Quadria
name 81.80.252.129 sylob
name 176.76.1.33 poste-pcanywhere
name 176.76.1.179 TEST
name 10.1.1.0 VPN_CLIENT
name 176.76.1.100 SRVSVG01
name 176.76.1.116 SRV-ERP01
name 176.76.1.50 SRV-ERP00
object-group network WAN-Quadria
network-object BLR-Quadria 255.255.255.248
network-object ADSL-Quadria 255.255.255.248
object-group network SRV-CEPIC
network-object SRV-Linux 255.255.255.255
network-object ADMIN 255.255.255.255
network-object SRVSVG01 255.255.255.255
network-object SRV-ERP00 255.255.255.255
network-object SRV-ERP01 255.255.255.255
object-group service TCP-Linux-Quadria tcp
port-object eq 1812
port-object eq 222
port-object eq 10000
object-group service TCP-TSE-Quadria tcp
port-object eq 3389
object-group service PCAnywhereUDP udp
port-object range pcanywhere-status pcanywhere-status
access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
pager lines 24
logging on
logging console debugging
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 176.76.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attaque attack action alarm drop reset
ip audit name info info action alarm drop reset
ip audit interface outside info
ip audit interface outside attaque
ip audit interface inside info
ip audit interface inside attaque
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2003 disable
ip local pool VPN_POOL 10.1.1.10-10.1.1.20
pdm location ADMIN 255.255.255.255 inside
pdm location SRV-Linux 255.255.255.255 inside
pdm location BLR-Quadria 255.255.255.248 outside
pdm location ADSL-Quadria 255.255.255.248 outside
pdm location LAN-CEPIC 255.255.255.0 inside
pdm location poste-pcanywhere 255.255.255.255 inside
pdm location sylob 255.255.255.255 outside
pdm location TEST 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.224 outside
pdm location VPN_CLIENT 255.255.255.0 inside
pdm location VPN_CLIENT 255.255.255.224 outside
pdm location SRVSVG01 255.255.255.255 inside
pdm location SRV-ERP00 255.255.255.255 inside
pdm location SRV-ERP01 255.255.255.255 inside
pdm group WAN-Quadria outside
pdm group SRV-CEPIC inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 193.55.130.2 source inside
ntp server 80.67.179.98 source outside
ntp server 194.2.0.28 source outside prefer
http server enable
http BLR-Quadria 255.255.255.248 outside
http ADSL-Quadria 255.255.255.248 outside
http ADMIN 255.255.255.255 inside
http LAN-CEPIC 255.255.255.0 inside
snmp-server host inside SRV-Linux
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
vpngroup CEPIC_VPN_CLIENT default-domain domain.local
vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
vpngroup CEPIC_VPN_CLIENT idle-time 1800
vpngroup CEPIC_VPN_CLIENT password ********
telnet timeout 5
ssh BLR-Quadria 255.255.255.248 outside
ssh ADSL-Quadria 255.255.255.248 outside
ssh LAN-CEPIC 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxx
vpdn group pppoe_group ppp authentication chap
vpdn username xxxx password xxxxx store-local
username vg_vpn password xxxxx encrypted privilege 3
username test password xxxxxx encrypted privilege 3
username quadria password xxxxx encrypted privilege 15
username jml_vpn password xxxxx encrypted privilege 3
username jr_vpn password xxxxx encrypted privilege 3
username js_vpn password xxxxx encrypted privilege 3
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:
I know this is a basic question but I would really appreaciate the help!
Thanks so much,

Hi,
You could try to change the Split Tunnel ACL to Standard ACL
First removing it from the VPN configuration and then removing the ACL and creating it as Standard type ACL
Current
access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
New
access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
You could also try adding
fixup protocol icmp
fixup protocol icmp error
Have you monitored the logs while you are attempting to connect to the LAN network?
- Jouni

Problem with VPN by ASA 5505 and PIX 501

Hi
I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
When i configure the ASA i have this problem, when i configure nat for easy vpn.
This is my nat configuration:
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 0.0.0.0 0.0.0.0 outside
when i put this command:
nat (inside) 0 access-list no-nat
this command is necessary for configuration of easy vpn, but the previous nat:
nat (inside) 0 access-list 100
is replace with the latest command.

To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
For regular dynamic NAT:
nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
For policy dynamic NAT and NAT exemption:
nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]

Vonage VoIP and PIX 501

I have a SOHO currently using cable modem connected to the outside interface of a PIX 501. The inside interface of the PIX connects to a hub with 8 ports.I have 2 PC's and a LinkSys AP plugged into the hub. I have been looking at using Vonage VoIP. My questions are:
1) Is it possible?
2) Do I need to use a special fixup protocol or config?
3) Has anyone used Vonage VoIP and how is it working?
Thanks,
Paul Lane

Paul,
I have been using Vonage succesfully with a very similar configuration. You don't neet any fixups or special configurations to make this work.
My only suggestion is to connect your ATA to a switch port behind the PIX, as opposed to the hub.
Have fun!
Fernando Macias

Pix 501 and H323

Similar Messages

Maybe you are looking for