PIX 501 PDM with IE7
Since updating to Internet Explorer version 7 I am no longer able to access the PIX 501 using the PDM software.
Can anyone help with this situation.
Mike
Disable the IE popup blocker to see if it works. Disable the popup blocker of the Yahoo toolbar. If this doesn't work, download the JRE from the following link: http://java.sun.com/products/archive/j2se/1.4.2_03/index.html.
Similar Messages
-
PIX 501 passthrough with to a Win VPN Server
Can this piece of %^$ pix 501 allow port 1723 to be open so users can connect to a Windows VPN server configured by PDM?
pix 6.3(5)
Outside static IP - whatever 111.111.111.111
Inside 192.168.1.1
Win VPN server 192.168.1.10
Thanks to anybody that can help.
Note - I want to know if this can be accomplished using PDM 3.0.4
This pix has to have a use other than a glorified 4 port switch
Yes you can enable PIX501 with version 6.3.5 for PPTP pass through.
Command line:
static (inside,outside) tcp interface 1723 192.168.1.10 1723 netmask 255.255.255.255
fixup protocol pptp 1723
access-list outside_in permit tcp any host 111.111.111.111 eq 1723
If you don't already have an access-list applied to the outside interface, then you also need the following:
access-group outside_in in interface outside
Then "clear xlate" after the above configuration. I also assume that you would like to use the outside interface ip address of the PIX for the translation. Otherwise, if 111.111.111.111 is actually a spare public ip address, then the above static command should say:
static (inside,outside) 111.111.111.111 192.168.1.10 netmask 255.255.255.255
Yes, it can be accomplished using PDM. But i have to apologize that i don't have a handy access to a PDM hence, i can only advise you on the configuration using CLI.
Hope that helps a little. -
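The four commands in the answer above only work together: a static without the fixup leaves the GRE data channel with no pinhole, and an ACL that is never bound with access-group is not consulted at all. The following is an added example by the editor, not code from the thread or from Cisco: a small checker that reads a PIX 6.3 running-config and reports which of the four prerequisites are present. The addresses are the ones used in the thread; the ACL name "outside_in" and the two sample configs are assumptions constructed for the example.

```python
"""Check a PIX 6.3 running-config for the four things PPTP pass-through needs.

Added example, not from the original post or from Cisco: it re-checks the answer
above (static for TCP/1723, fixup protocol pptp, an ACL permitting 1723, and that
ACL bound inbound on outside). The ACL name "outside_in" is an assumption; the
addresses are the ones used in the thread.
"""
import re

PPTP_PORTS = {"1723", "pptp"}

# Constructed: the answer's four commands, as they would appear in `show run`.
GOOD_CONFIG = """
fixup protocol pptp 1723
static (inside,outside) tcp interface 1723 192.168.1.10 1723 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 111.111.111.111 eq 1723
access-group outside_in in interface outside
"""

# Constructed: same, but the access-group was never applied. The ACL exists and
# looks right in PDM, yet nothing on the outside interface consults it.
MISSING_ACCESS_GROUP = GOOD_CONFIG.replace("access-group outside_in in interface outside\n", "")


def _lines(cfg):
    return [l.strip() for l in cfg.splitlines() if l.strip()]


def check_pptp_passthrough(cfg, server_ip):
    """Return one boolean per prerequisite plus an overall "ok" verdict."""
    lines = _lines(cfg)

    # 1. fixup protocol pptp: the PIX inspects the TCP/1723 control channel and
    #    opens the matching GRE data channel, which PAT cannot carry on its own.
    fixup = any(re.fullmatch(r"fixup protocol pptp (1723|pptp)", l) for l in lines)

    # 2. A translation that lands TCP/1723 on the server: either port redirection
    #    to the interface address or a one-to-one static (which covers every port).
    static = False
    for l in lines:
        m = re.fullmatch(r"static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask \S+.*", l)
        if m and m.group(2) in PPTP_PORTS and m.group(3) == server_ip and m.group(4) in PPTP_PORTS:
            static = True
        m = re.fullmatch(r"static \(inside,outside\) (\S+) (\S+) netmask \S+.*", l)
        if m and m.group(2) == server_ip:
            static = True

    # 3. An ACE permitting TCP/1723 inbound ...
    permitting = set()
    for l in lines:
        m = re.fullmatch(r"access-list (\S+) permit tcp any (?:any|host \S+|interface outside) eq (\S+)", l)
        if m and m.group(2) in PPTP_PORTS:
            permitting.add(m.group(1))

    # 4. ... inside an ACL that is actually bound inbound on the outside interface.
    bound = set()
    for l in lines:
        m = re.fullmatch(r"access-group (\S+) in interface outside", l)
        if m:
            bound.add(m.group(1))

    result = {
        "fixup_pptp": fixup,
        "static_1723": static,
        "acl_permit_1723": bool(permitting),
        "acl_bound_outside": bool(permitting & bound),
    }
    result["ok"] = all(result.values())
    return result


if __name__ == "__main__":
    for name, cfg in (("complete", GOOD_CONFIG), ("no access-group", MISSING_ACCESS_GROUP)):
        print(name, check_pptp_passthrough(cfg, "192.168.1.10"))
```

The checker does not cover the `clear xlate` step the answer mentions; an existing translation for the server keeps the old behaviour until it is cleared or times out. Run against the configuration posted later on this page (the "Need help with VPN passthrough" thread), all four checks pass, which is consistent with the reply there that the config itself looks fine.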
Pix 501 PDM 30 - can't get web browser access
I just got two used Pix 501 units, and cannot get the web browser working. OK to first login box with blank username and password per manual, click Yes to certificate popup, "Loading Startup Wizard" prompts for username and password - blank is NOT accepted here.
Get java.security.AccessControlException: access denied in lower border of browser window.
How do I get past this?
Phil, this is a known issue with certain old versions of PDM.
Refer to this link for work around.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_field_notice09186a008046c805.shtml
also try java update
Java runtime environment version 6 update 2 is available , try this and see if it resolves the issue
http://www.java.com/en/download/index.jsp
Jorge -
Pix 501 PDM "No Data Available Yet."
I have a Pix501 running 6.3(5) software and PDM 3.0(4). I am using the graphing function of the PDM interface to graph interface bit rates. When I select a new history range, it seems that the data collection only begins when I select that range. I can't see any history unless I keep the graph window open. I could swear that it was stored last time I used this function so that you could log into PDM and see the last 12 hours for example. Maybe I am wrong. Is this not the case? Is there a function to enable the data to be collected while not actively graphing?
Thanks!
The graph history can only be seen for the time the graph window is open; once the window is closed the data is removed, so you cannot see the history for the earlier time range.
-
Amazon S3 Backup with Cisco PIX 501 Router - slowww
We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office. We are using a Synology NAS to backup to Amazon s3, and we use a Cisco PIX 501 to secure our network. The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue. After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down. I was told the upload should happen over HTTP and HTTPS, and I made sure these ports where open through the Access Rules. There are no rules defined in the Filter Settings.
I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening? I'm not too familiar with the PIX or all the network settings involved.
Thanks!
Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here:
- Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
THANKS -
Problems with ipsec on pix 501
I have been running a 501 for a few years with several site-to-site VPNs with no problems. At first there was 1 VPN and it has slowly grown to 4. They are all the same 501's with the latest software.
The first few years were problem free but as more sites have been added the problems are getting worse.
When I added the third site, I restored factory defaults to remove the remnants of old configurations. From that point onward I have had problems. The second site would not maintain a tunnel after 2 minutes. I have checked the configs, replaced the modem, replaced all cables, replaced the PIX and still cannot solve the problem. At the moment I cannot get any of the VPNs to connect.
Using the monitor facility within the PDM, the IPsec tunnel does not connect and the IKE tunnel connects for about 40 secs then drops; it keeps repeating the same cycle. I am using a pre-shared key on the IKE; the pre-shared key is definitely correct as I have copied and pasted it into both 501's with the same computer.
During the time of the first errors I was getting an error code of 402101 using the debug level log.
I have employed a local Cisco engineer to help me with the problem. He advised that the configuration be changed as I was putting the PIX behind a Netgear router and forwarding the correct ports; this config worked for several years. I have now changed all sites so the PIX is configured to connect directly to the internet. The engineer was happy all the configurations were correct and he could not solve the problem; after spending six hours on our sites, he only charged me for 1 hour and was never to be seen again. The problem is getting worse.
I am able to connect to the remote sites using a VPN client; all other functions of the firewall seem good. I have been through the wizards many times on all units and am certain the configurations are correct.
What am I doing wrong? They used to work but now they don't.
I have attached the two configurations but removed all the important info of IPs, usernames and passwords. Again, the IPs were correct.
Have I missed out a step after restoring factory defaults?
I would greatly appreciate any help anybody has to offer.
Jason,
Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
However, just looking at your configuration, I did see that your hashing algorithm on the YMCA side is using SHA and group 1 for isakmp policy 20 while on the Server side you are using 3des and group2 for policy 20.
Good Luck,
Bill -
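Bill's observation is the right first check for an IKE tunnel that comes up and drops: phase 1 only completes if some policy on one peer agrees with some policy on the other in authentication, encryption, hash and DH group, and the policy number is irrelevant to that comparison. The script below is an added example by the editor, not code from the thread or from Cisco, that parses the `isakmp policy` lines of two PIX 6.3 configs and reports whether any compatible pair exists. The two site configs are constructed to reproduce the kind of mismatch described above; the default attribute values are the PIX 6.3 defaults that apply when a policy leaves an attribute unset.

```python
"""Decide whether two PIX 6.3 peers have a compatible ISAKMP (IKE phase 1) policy.

Added example by the editor, not from the thread. Policy numbers are only a
preference order on each box: phase 1 succeeds if ANY policy on one side matches
ANY policy on the other in authentication, encryption, hash and DH group. The
lifetime does not have to match (the shorter one is used). The two configs are
constructed to show the kind of mismatch Bill points out above.
"""
import re

# PIX 6.3 fills these in for any attribute a policy does not set explicitly.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}
NEGOTIATED = ("authentication", "encryption", "hash", "group")

SITE_A = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
"""

SITE_B = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
"""

# The fix: add a policy on B that mirrors A. Its number (10) is arbitrary.
SITE_B_FIXED = SITE_B + """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
"""


def parse_policies(cfg):
    """Return {policy_number: {attribute: value}} with PIX defaults applied."""
    policies = {}
    for line in cfg.splitlines():
        m = re.fullmatch(r"\s*isakmp policy (\d+) (\S+) (\S+)\s*", line)
        if m:
            policies.setdefault(int(m.group(1)), dict(DEFAULTS))[m.group(2)] = m.group(3)
    return policies


def compatible_pairs(cfg_a, cfg_b):
    """All (a_number, b_number) pairs that agree on every negotiated attribute."""
    pa, pb = parse_policies(cfg_a), parse_policies(cfg_b)
    return [(na, nb) for na, a in sorted(pa.items()) for nb, b in sorted(pb.items())
            if all(a[k] == b[k] for k in NEGOTIATED)]


def explain_mismatch(cfg_a, cfg_b):
    """For the preferred (lowest-numbered) policy on each side, list differing attributes."""
    pa, pb = parse_policies(cfg_a), parse_policies(cfg_b)
    a, b = pa[min(pa)], pb[min(pb)]
    return {k: (a[k], b[k]) for k in NEGOTIATED if a[k] != b[k]}


if __name__ == "__main__":
    print("broken :", compatible_pairs(SITE_A, SITE_B), explain_mismatch(SITE_A, SITE_B))
    print("fixed  :", compatible_pairs(SITE_A, SITE_B_FIXED))
```

A phase 1 mismatch shows up in `debug crypto isakmp` as proposal rejection before any phase 2 (IPsec) negotiation begins, which fits the symptom of an IKE tunnel that appears for a short while and an IPsec tunnel that never forms; a phase 2 problem (transform set or crypto ACL mismatch) would instead leave the IKE SA up.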
Cisco Pix 501 - Need help with VPN passthrough
Greetings!
Currently I have a Cisco Pix 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco Pix; I have been able to accomplish some port forwarding for CCTV camera software, etc. but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
Previously we had another facility which was able to connect through VPN but it has since been removed (and always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
I have been through several articles both here and other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall than necessary and may have duplicate information from attempting to complete this passthrough. My Server 2008 resides at 192.168.1.15; below is what I have thus far. The "crypto map" sections were all completed long before I took over; I believe this is how the old VPN was set up. What I have added since beginning this endeavour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated as I am rapidly losing hair attempting to get this situated.
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password RysZD25GpRAOMhF. encrypted
passwd 0I6TSwviLDtVwaTr encrypted
hostname Lorway-PIX
domain-name lorwayco.com
fixup protocol ftp 21
fixup protocol ftp 22
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 50000
access-list outside_access_in permit udp any any eq 50000
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq 1009
access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
access-list outside_access_in permit tcp any any eq 7000
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.221.188.249 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.118
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
crypto map lorwayvpn 30 ipsec-isakmp
crypto map lorwayvpn 30 match address 30
crypto map lorwayvpn 30 set peer 66.18.55.250
crypto map lorwayvpn 30 set transform-set lorway1
crypto map lorwayvpn interface outside
isakmp enable outside
isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
: end
Config looks good to me.
I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center as this PIX is on its EOL and you are running an extremely old version of code.
If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN? -
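The configuration posted above does contain the PPTP pieces, but it also carries exposure that the PDM wizards never flag: SSH permitted from 0.0.0.0/0 on the outside interface, the default SNMP community, ICMP and GRE permitted from anywhere to anywhere, and ACEs whose destination is a private address in an ACL bound on outside (on pre-8.3 code an inbound ACL is matched against the mapped, global address, so those rules can never match). The following is an added example by the editor, not the poster's or Cisco's code: a small audit that parses the relevant lines and reports these findings. The sample is a constructed excerpt of the config above, limited to its ACL, access-group, SNMP and management lines.

```python
"""Flag Internet-facing exposure in a PIX 6.3 running-config.

Added example by the editor, not from the thread or from Cisco. The excerpt below
is constructed from the configuration posted above; the checks are heuristics a
reviewer would apply by eye, written down so they can be re-run after each change.
"""
import ipaddress

# Constructed excerpt: only the ACL, access-group, SNMP and management lines.
SAMPLE = """
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq pptp
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group outside_access_in in interface outside
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
telnet timeout 5
"""


def _endpoint(tok, i):
    """Parse one ACE endpoint at tok[i]: any | host A | interface NAME | A MASK."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] in ("host", "interface"):
        return tok[i + 1], i + 2
    return tok[i], i + 2


def parse_ace(line):
    """Fields of an `access-list NAME permit|deny PROTO SRC DST [eq PORT]` line, else None."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        return None
    src, i = _endpoint(tok, 4)
    dst, i = _endpoint(tok, i)
    port = tok[i + 1] if i + 1 < len(tok) and tok[i] == "eq" else None
    return {"name": tok[1], "action": tok[2], "proto": tok[3], "src": src, "dst": dst, "port": port}


def _is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def audit(cfg):
    """Return a list of (severity, offending line, reason)."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    findings = []

    # Only ACLs bound inbound on outside are reachable from the Internet.
    outside_acls = set()
    for l in lines:
        tok = l.split()
        if tok[:1] == ["access-group"] and tok[2:] == ["in", "interface", "outside"]:
            outside_acls.add(tok[1])

    for l in lines:
        tok = l.split()
        # Management plane (ssh/telnet/http) permitted from 0.0.0.0/0 on outside.
        if tok[0] in ("ssh", "telnet", "http") and tok[1:] == ["0.0.0.0", "0.0.0.0", "outside"]:
            findings.append(("high", l, f"{tok[0]} management open to the whole Internet"))
        # Well-known SNMP community: read access to the full running state.
        if tok[:2] == ["snmp-server", "community"] and len(tok) > 2 and tok[2].lower() in ("public", "private"):
            findings.append(("high", l, "default SNMP community string"))
        ace = parse_ace(l)
        if not ace or ace["action"] != "permit" or ace["name"] not in outside_acls:
            continue
        if ace["proto"] in ("icmp", "gre") and ace["src"] == "any" and ace["dst"] == "any":
            findings.append(("medium", l, f"all {ace['proto']} from anywhere to anywhere"))
        # Pre-8.3 code matches inbound ACLs against the mapped (global) address, so
        # an RFC 1918 destination in an outside ACL can never match: a dead rule that
        # suggests the author expected it to do something it does not.
        if _is_private(ace["dst"]):
            findings.append(("low", l, "private destination in an outside ACL never matches (pre-8.3 ACLs see mapped addresses)"))
    return findings


if __name__ == "__main__":
    for sev, line, why in audit(SAMPLE):
        print(f"[{sev}] {line}\n    {why}")
```

The severity labels are the editor's; what matters is the ordering they give. Restricting `ssh` on outside to the administrator's address and replacing the community string are one-line changes, while `permit gre any any` is unnecessary once `fixup protocol pptp` is doing its job and can be dropped.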
Pix 501 Port Redirection with outside Dyn IP for DVR
Hi,
I have a pix 501 6.3 version soft. I need to access my cameras from the net. the camera address is 192.168.1.60:1042
my ISP outside is dynamic.
The following is my config, please let me know what is wrong with it.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bJT00RrZ7Q9S5J1B encrypted
passwd bJT00RrZ7Q9S5J1B encrypted
hostname Haiyai
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit tcp any interface outside eq 1042
access-list outside deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 1042 192.168.1.60 1042 netmask 255.255.255.255 0 0
access-group outside in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:57847b305111572396f1ae0410e54f7e
: end
Thanks
Morgan
Morgan,
Your config is perfectly fine. You have your PAT static and opened the ACL for that port:
access-list outside permit tcp any interface outside eq 1042
access-list outside deny ip any any
static (inside,outside) tcp interface 1042 192.168.1.60 1042 netmask 255.255.255.255 0 0
access-group outside in interface outside
The issue is somewhere else. When you try to connect, check the conn through the PIX with "sh conn | i 192.168.1.60", and you should see the conn. Check if the camera needs more ports open and what the PIX logs show.
I hope it helps.
PK -
Problem with VPN by ASA 5505 and PIX 501
Hi
I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
When i configure the ASA i have this problem, when i configure nat for easy vpn.
This is my nat configuration:
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 0.0.0.0 0.0.0.0 outside
when i put this command:
nat (inside) 0 access-list no-nat
this command is necessary for configuration of easy vpn, but the previous nat:
nat (inside) 0 access-list 100
is replaced by the latest command.
To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
For regular dynamic NAT:
nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
For policy dynamic NAT and NAT exemption:
nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq] -
- How do I setup a DMZ zone with PIX 501 firewall? Do I need to use an additional router? I have CISCO 1605 at my disposal.
- If I can't do that, what would be an alternative way to set up an FTP server similarly to the DMZ way?
(We're using IPsec/GRE VPN between our 3 sites. we're on W2K network).
thanks,
oleg
When talking about setting up a DMZ, a PIX model with at least three interfaces is required. On a PIX 501, only two interfaces are available: an outside interface (Ethernet) and an inside interface (available as a 4-port switch). For setting up a DMZ, you will need an additional interface and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy, and you are unlikely to find a satisfactory level of support for it for the simple reason that not many networks are deployed that way.
-
Manual key negotiation with pix 501
how to use manual key negotiation with pix 501 6.3 to solve VPN tunnel negotiation problem
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html#wp1045493
"Manual configuration of SAs is not supported on the PIX 501 because of the restriction in the number of ISAKMP peers allowed on that platform."
However I'm sure a proper solution can be found to your original problem (establishing VPN with huawei)
Please rate helpful posts.
Regards
Farrukh -
Cannot connect to PDM on PIX 501
Just can't figure this out. I have a PIX 501 that I used to be able to connect to just fine. Now I cannot get the PDM to come up: inside, outside, nothing. I am using the same (old) version of Java 1.4 that I have always used. I can Telnet etc. just fine. The HTTP server is enabled and I have granted access from my IPs. Any help would be greatly appreciated. See my config below.
pixfirewall# show run
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd XXXXXXXX encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 X0
fixup protocol h323 ras X18-X19
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name X.X.X.X admin_subnet
access-list inside_outbound_nat0_acl permit ip X.X.X.X 255.255.255.0 admin_subnet 255.255.0.0
access-list inside_outbound_nat0_acl permit ip X.X.X.X 255.255.255.0 X.X.X.X 255.255.255.0
access-list outside_cryptomap_20 permit ip X.X.X.X 255.255.255.0 admin_subnet 255.255.0.0
access-list outside_cryptomap_20 permit ip X.X.X.X 255.255.255.0 X.X.X.X 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.128
ip address inside X.X.X.X 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location admin_subnet 255.255.0.0 outside
pdm location X.X.X.X 255.255.255.0 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location X.X.X.X 255.255.255.0 outside
pdm location X.X.X.X 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http X.X.X.X 255.255.255.0 inside
http admin_subnet 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 8X00
telnet X.X.X.X 255.255.255.0 outside
telnet X.X.X.X 255.255.255.0 inside
telnet admin_subnet 255.255.0.0 inside
telnet timeout 30
ssh X.X.X.X 255.255.255.255 outside
ssh X.X.X.X 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 30
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
username XXXXXX password XXXXXXXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:
: end
Hello Mark,
lol Nice to know that everything is working fine now
Remember to mark the question as answered and to rate all of the helpful posts ( If you do not know how to rate a post just go to the bottom of each reply and mark the stars 1 being a bad answer, 5 being a great answer)
Regards,
Julio
PD: Some kudos for you ( because of the answer) -
Q about DNS with PIX 501 as PPPoE client
Hi!
I've got PIX 501 (PixOS 6.3.5) acting as PPPoE client. Outside interface gets IP and DNS addresses from access concentrator.
There is an example in config guide how to set DNS address (got from concentrator) for DHCH daemon in PIX, so clients in LAN can get that DNS address so.
But I don't use DHCP in LAN. Is there a way to set PIX inside address as DNS on LAN clients and make PIX somehow redirect DNS request to PPPoE DNS server by itself? (same as on simplest linux-build SOHO box by Linksys etc)
Thanks!
In this example, the intent is for the machines in the 10.10.10.0/24 network to access this web server in the DMZ by its external (global) IP address. You do not want the PIX to do DNS doctoring of the DNS replies. Instead, you want the PIX to dnat the external (global) IP address of the web server to its "real" DMZ address (192.168.100.10).
Use the alias command to perform dnat:
alias (inside) 10.99.99.99 192.168.100.10 255.255.255.224 -
Trouble with PIX 501 user limit?
I have installed a Cisco PIX 501 at a client's site, and now a couple of weeks later we are having an issue where some computers cannot access the Internet. The PCs can ping the internal interface of the firewall, and can resolve hostnames. But about three of them cannot ping public IP addresses. I thought the arp cache might be corrupted on the switch, so we restarted that to no good effect.
I suspect that the client has somehow run up against the 10-user limit for their PIX 501 license.
The site has eight PCs and a server, so it doesn't seem like they should be going over the 10-user limit.
I'm not much of an expert when it comes to the PIX, so I wonder if someone can tell me how to determine whether this is the case, and maybe give me some tips on how to resolve the issue?
Thanks very much for any advice you can offer.
Best regards,
Zac
Any chance you can help me make sense of this? Does it really look like we have exceeded the number of allowed connections by over 3400?
pixfirewall# show local-host
Interface inside: 10 active, 10 maximum active, 3493 denied
local host: <192.168.1.2>,
TCP connection count/limit = 12/unlimited
TCP embryonic count = 2
TCP intercept watermark = unlimited
UDP connection count/limit = 0/unlimited
AAA:
Xlate(s):
PAT Global 67.115.121.230(38600) Local 192.168.1.2(3553)
PAT Global 67.115.121.230(51033) Local 192.168.1.2(3215)
PAT Global 67.115.121.230(51037) Local 192.168.1.2(3230)
PAT Global 67.115.121.230(51050) Local 192.168.1.2(3271)
PAT Global 67.115.121.230(55215) Local 192.168.1.2(4084)
PAT Global 67.115.121.230(55228) Local 192.168.1.2(4136)
PAT Global 67.115.121.230(55231) Local 192.168.1.2(4139)
etc, etc. -
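The header line of that output is the answer to Zac's question: the 501's user licence counts inside hosts that currently hold translations, so "10 active" means all ten licence slots are occupied and "3493 denied" is the number of connection attempts refused because no slot was free. An idle host keeps its slot until its xlates time out (`timeout xlate 0:05:00` in the configs on this page), and `clear local-host <ip>` releases one immediately. The parser below is an added example by the editor, not code from the thread or from Cisco; its sample output is constructed, modelled on the excerpt above with two further hosts added, and the description of "maximum active" as the high-water mark is the editor's reading of the output.

```python
"""Read `show local-host` from a PIX 501 and relate it to the 10-user licence.

Added example by the editor, not from the thread. On the 501 the licence counts
inside hosts that currently hold translations, not PCs that exist: "active" in the
header is how many licence slots are in use, "maximum active" the high-water mark
(editor's reading), and "denied" how many connection attempts were refused because
every slot was taken. The sample output is constructed, modelled on the excerpt
posted above with two extra hosts added.
"""
import re

SAMPLE = """\
Interface inside: 10 active, 10 maximum active, 3493 denied
local host: <192.168.1.2>,
    TCP connection count/limit = 12/unlimited
    TCP embryonic count = 2
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
  AAA:
  Xlate(s):
    PAT Global 67.115.121.230(38600) Local 192.168.1.2(3553)
    PAT Global 67.115.121.230(51033) Local 192.168.1.2(3215)
local host: <192.168.1.50>,
    TCP connection count/limit = 1/unlimited
    UDP connection count/limit = 3/unlimited
  Xlate(s):
    PAT Global 67.115.121.230(60001) Local 192.168.1.50(1025)
local host: <192.168.1.77>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 0/unlimited
"""

HEADER = re.compile(r"Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
HOST = re.compile(r"local host: <([\d.]+)>")
COUNT = re.compile(r"(TCP|UDP) connection count/limit = (\d+)/(\S+)")
XLATE = re.compile(r"PAT Global \S+ Local ([\d.]+)\(\d+\)")


def parse_local_host(text):
    """Return (summary dict from the header, {host: {"tcp", "udp", "xlates"}})."""
    summary, hosts, cur = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            summary = {"interface": m.group(1), "active": int(m.group(2)),
                       "max_active": int(m.group(3)), "denied": int(m.group(4))}
        elif m := HOST.match(line):
            cur = hosts.setdefault(m.group(1), {"tcp": 0, "udp": 0, "xlates": 0})
        elif cur is not None and (m := COUNT.match(line)):
            cur[m.group(1).lower()] = int(m.group(2))
        elif cur is not None and XLATE.match(line):
            cur["xlates"] += 1
    return summary, hosts


def licence_report(text, licence_limit=10):
    """Say whether the licence is exhausted, and which hosts could be cleared to free a slot."""
    summary, hosts = parse_local_host(text)
    # Hosts with no connections and no translations still occupy a slot until
    # `timeout xlate` expires; `clear local-host <ip>` frees them at once.
    idle = sorted(h for h, c in hosts.items() if c["tcp"] + c["udp"] + c["xlates"] == 0)
    busiest = max(hosts, key=lambda h: hosts[h]["tcp"] + hosts[h]["udp"])
    return {
        "at_limit": summary["active"] >= licence_limit,
        "denied": summary["denied"],
        "idle_hosts": idle,
        "busiest": busiest,
    }


if __name__ == "__main__":
    print(licence_report(SAMPLE))
```

With the real output, look at which hosts hold slots rather than at the total: a NAS, a printer or a second NIC on the server each counts as a host, which is how a site with eight PCs and one server can reach ten.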
I want to use an open source IDS for my small network. I have a Pix 501 and I would like to span one of the ports from the integrated four-port switch so my IDS can see all the traffic. Is this possible or is the integrated switch too basic? I have a Cisco 3550 in storage that I could use if needed, but I really don't have a good place to put it. Thanks in advance!
Hi .. yes, in fact the switch on the 501 is basically for extending your port density limits.
I suggest connecting the desired port to a hub and then plugging the IDS into the hub. The IDS will then get all the packets ..
I hope it helps ... please rate it if it does !!!