Pix 501 Port Redirection with outside Dyn IP for DVR

Hi,
I have a PIX 501 running version 6.3 software. I need to access my cameras from the net. The camera address is 192.168.1.60:1042.
My ISP outside IP is dynamic.
The following is my config, please let me know what is wrong with it.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bJT00RrZ7Q9S5J1B encrypted
passwd bJT00RrZ7Q9S5J1B encrypted
hostname Haiyai
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit tcp any interface outside eq 1042
access-list outside deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 1042 192.168.1.60 1042 netmask 255.255.255.255 0 0
access-group outside in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:57847b305111572396f1ae0410e54f7e
: end
Thanks
Morgan

Morgan,
Your config is perfectly fine. You have your PAT static and opened the ACL for that port:
access-list outside permit tcp any interface outside eq 1042
access-list outside deny ip any any
static (inside,outside) tcp interface 1042 192.168.1.60 1042 netmask 255.255.255.255 0 0
access-group outside in interface outside
The issue is somewhere else. When you try to connect, check the conn through the PIX with "sh conn | i 192.168.1.60", and you should see the conn. Check if the camera needs more ports to open and what the PIX logs show.
I hope it helps.
PK
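
The three pieces discussed in this thread (a static PAT entry, an ACL permit for the published port, and that ACL bound inbound to the outside interface) can be cross-checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses only the PIX 6.3 syntax shown above, and the 8080 forward in the sample and all function names are constructed for illustration.

```python
import ipaddress

# Port names the PIX prints in place of numbers (subset; extend as needed).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110, "https": 443, "pptp": 1723}

# Constructed sample: the four lines quoted in the thread plus one made-up
# forward (8080 -> 80) that has no ACL entry, to show the failing case.
SAMPLE = """\
access-list outside permit tcp any interface outside eq 1042
access-list outside deny ip any any
static (inside,outside) tcp interface 1042 192.168.1.60 1042 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.1.60 80 netmask 255.255.255.255 0 0
access-group outside in interface outside
"""

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def take_addr(toks):
    """Consume one address spec: any | host A | interface IF | A MASK."""
    kind = toks.pop(0)
    if kind == "any":
        return ("any",)
    if kind in ("host", "interface"):
        return (kind, toks.pop(0))
    return ("net", kind, toks.pop(0))

def take_ports(toks):
    """Consume an optional port operator; None means all ports."""
    if not toks or toks[0] not in ("eq", "range", "gt", "lt"):
        return None
    op, a = toks.pop(0), port(toks.pop(0))
    if op == "eq":
        return (a, a)
    if op == "gt":
        return (a + 1, 65535)
    if op == "lt":
        return (0, a - 1)
    return (a, port(toks.pop(0)))

def parse_config(text):
    """Return (acls, bound, statics, skipped) for the lines this audit needs."""
    acls, bound, statics, skipped = {}, {}, [], []
    for line in text.splitlines():
        toks = line.split()
        try:
            if toks[:1] == ["access-list"] and toks[2] in ("permit", "deny"):
                rest = toks[4:]
                src = take_addr(rest)
                take_ports(rest)                 # source ports are not needed here
                dst = take_addr(rest)
                acls.setdefault(toks[1], []).append(
                    (toks[2], toks[3], src, dst, take_ports(rest)))
            elif toks[:1] == ["access-group"] and toks[2:4] == ["in", "interface"]:
                bound[toks[4]] = toks[1]         # interface name -> ACL name
            elif toks[:1] == ["static"] and toks[2] in ("tcp", "udp"):
                mapped_if = toks[1].strip("()").split(",")[1]
                statics.append({"if": mapped_if, "proto": toks[2], "mapped": toks[3],
                                "port": port(toks[4]),
                                "real": f"{toks[5]}:{port(toks[6])}"})
        except (IndexError, ValueError):
            skipped.append(line)                 # unsupported syntax: report, do not guess
    return acls, bound, statics, skipped

def dst_hits(dst, mapped, mapped_if):
    """Does the ACL destination cover the address the static is published on?"""
    if dst == ("any",):
        return True
    if mapped == "interface":                    # dynamic outside IP: only 'interface X' names it
        return dst == ("interface", mapped_if)
    if dst[0] == "host":
        return dst[1] == mapped
    if dst[0] == "net":
        net = ipaddress.ip_network(f"{dst[1]}/{dst[2]}", strict=False)
        return ipaddress.ip_address(mapped) in net
    return False

def audit(text):
    """One (proto, port, real_host:port, verdict) tuple per port-redirect static."""
    acls, bound, statics, _ = parse_config(text)
    findings = []
    for s in statics:
        acl = bound.get(s["if"])
        sources = []
        for action, proto, src, dst, dports in acls.get(acl, []):
            if proto not in (s["proto"], "ip"):
                continue
            if not dst_hits(dst, s["mapped"], s["if"]):
                continue
            if dports and not dports[0] <= s["port"] <= dports[1]:
                continue
            if action == "deny":
                if src == ("any",):
                    break                        # later entries are shadowed for this port
                continue                         # narrower denies are not modelled here
            sources.append(" ".join(src))
        if acl is None:
            verdict = "no ACL bound inbound on " + s["if"]
        elif not sources:
            verdict = "no permit reaches this port"
        elif "any" in sources:
            verdict = "open to any source"
        else:
            verdict = "restricted to " + ", ".join(sources)
        findings.append((s["proto"], s["port"], s["real"], verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A verdict of "open to any source" means the forward works as PK describes and also that the DVR port is reachable from every Internet address, which is worth narrowing to known source addresses where the remote viewers allow it.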

Similar Messages

  • Cisco Pix 501 - Need help with VPN passthrough

    Greetings!
    Currently I have a Cisco Pix 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco Pix; I have been able to accomplish some port forwarding for CCTV camera software, etc. but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
    Previously we had another facility which was able to connect through VPN but it has since been removed (and always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
    I have been through several articles both here and other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall than necessary and may have duplicate information from attempting to complete this passthrough. My Server 2008 resides at 192.168.1.15, below is what I have thus far. The "crypto map" sections were all completed long before I took over, I believe this is how the old VPN was set up. What I have added since beginning this endeavour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
    I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated as I am rapidly losing hair attempting to get this situated.
    : Saved
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password RysZD25GpRAOMhF. encrypted
    passwd 0I6TSwviLDtVwaTr encrypted
    hostname Lorway-PIX
    domain-name lorwayco.com
    fixup protocol ftp 21
    fixup protocol ftp 22
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any any eq 50000
    access-list outside_access_in permit udp any any eq 50000
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
    access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
    access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
    access-list outside_access_in permit tcp any any eq pop3
    access-list outside_access_in permit tcp any any eq https
    access-list outside_access_in permit tcp any any eq ftp
    access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
    access-list outside_access_in permit tcp any any eq ftp-data
    access-list outside_access_in permit tcp any any eq 1009
    access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
    access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
    access-list outside_access_in permit tcp any any eq 7000
    access-list outside_access_in permit tcp any any eq pptp
    access-list outside_access_in permit gre any any
    access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 74.221.188.249 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 80
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    snmp-server host inside 192.168.1.118
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
    crypto map lorwayvpn 30 ipsec-isakmp
    crypto map lorwayvpn 30 match address 30
    crypto map lorwayvpn 30 set peer 66.18.55.250
    crypto map lorwayvpn 30 set transform-set lorway1
    crypto map lorwayvpn interface outside
    isakmp enable outside
    isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
    isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
    : end

    Config looks good to me.
    I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center as this PIX is on its EOL and you are running an extremely old version of code.
    If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN?

  • PIX 501 - Configure Alternative Route Outside on PIX's ATM2

    Hello to all
    I am trying to add a line to allow the PIX to use an alternative ADSL line when the first goes down.
    Is it enough that I put a new line like this?
    current route outside: route outside 0.0.0.0 0.0.0.0 89.xxx.xxx.33
    new line I'll add:     route outside 0.0.0.0 0.0.0.0 2.yyy.yyy.102
    Obviously I'll plug the new router in the ATM 2 port of the PIX.
    Consider that I have this NAT inside rule
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    As usual thanks in advance for your answers.
    Stefano

    Hello Stefano,
    You are looking for Sla Monitor on the PIX/ASA:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
    Let me know if you have any question.
    Regards,
    Felipe.

  • Reverse Port Redirection with ASA5505

    Hello Community.
    We have a single IP address on the Internet and want to forward SMTP traffic that hits our ASA outside interface to the internal mail server.
    And we would like to forward HTTP traffic to our web server.
    Example:
    212.23.23.23 Port 25 -> 192.168.1.100 Port 25
    212.23.23.23 Port 80 -> 192.168.1.200 Port 80
    How do I accomplish that? Which NAT rules do I need?
    Thanks Patrick

    Hi,
    Glad to help
    We do need a NAT configuration usually for both VPN Client and Site to Site VPN to function correctly. I guess the only exception is when a single ASA is ONLY used for VPN. Then you can actually have the ASA without ANY NAT configurations at all. But this doesn't apply to your situation.
    You basically already listed the type of NAT configurations you need.
    Let's say we have a site with an ASA firewall and that ASA has one Site to Site VPN and one VPN client connection configured.
    The local site is 10.10.10.0/24
    The remote site is 10.10.20.0/24
    The VPN Pool is 10.10.100.0/24
    With the above information if we wanted to make it so that both the local site and remote site and the local site and vpn pool could communicate using their original IP address, then we would configure the NAT in the following way
    object network LAN
    subnet 10.10.10.0 255.255.255.0
    object network REMOTE-LAN
    subnet 10.10.20.0 255.255.255.0
    object network VPN-POOL
    subnet 10.10.100.0 255.255.255.0
    nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
    nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
    The same logic would apply if you were to configure more Site to Site VPNs or VPN Client connections on the local firewall.
    Hope this helps
    Remember to mark correct replies as the correct answer or rate helpful answers
    Ask more if needed.
    - Jouni

  • Problem with VPN by ASA 5505 and PIX 501

    Hi
    I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
    I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
    When I configure the ASA I have this problem, when I configure NAT for Easy VPN.
    This is my NAT configuration:
    nat (inside) 0 access-list 100
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 0.0.0.0 0.0.0.0 outside
    When I put this command:
    nat (inside) 0 access-list no-nat
    this command is necessary for the configuration of Easy VPN, but the previous nat:
    nat (inside) 0 access-list 100
    is replaced with the latest command.

    To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
    For regular dynamic NAT:
    nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    For policy dynamic NAT and NAT exemption:
    nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
    no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]

  • SSH-PIX 501

    I currently have ssh available to the outside interface of my PIX 501 (using dhcp from cable provider). Now is it possible to also redirect ssh to an internal host using the "static" command? Can these two commands work together? Thanks

    Try the following steps; it should work:
    1. Create a static translation using port redirection with the outside IP address of the PIX (command reference).
    2. Allow the inbound connection with the access-list.
    3. Try the connection using port TCP/22.

  • IPSec LAN-to-LAN from PIX 501(6.3.5) to VPNC 3000 rejects tunnel.

    I will post more data once back in the office but this is the error my VPNC3000 is showing when the IPSec tunnel tries to establish:
    I've replaced the PIX 501 outside IP with 10.0.0.1, and the concentrator subnet with 10.1.0.0
    18890 04/04/2007 15:09:33.190 SEV=6 IKE/201 RPT=2 10.0.0.2
    Group [10.0.0.2]
    Duplicate Phase 1 packet detected. Retransmitting last packet.
    18892 04/04/2007 15:09:33.190 SEV=6 IKE/0 RPT=820 10.0.0.2
    Group [10.0.0.2]
    Responder resending last msg
    18893 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45723 10.0.0.2
    RECEIVED Message (msgid=b57613b7) with payloads :
    HDR + HASH (8) + NOTIFY (11) + NONE (0)
    total length : 76
    18895 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45724 10.0.0.2
    Group [10.0.0.2]
    processing hash
    18896 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45725 10.0.0.2
    Group [10.0.0.2]
    Processing Notify payload
    18897 04/04/2007 15:09:33.310 SEV=6 IKE/0 RPT=821
    Received unexpected event EV_ACTIVATE_NEW_SA in state MM_ACTIVE
    18898 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45726 10.0.0.2
    RECEIVED Message (msgid=83ab1615) with payloads :
    HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
    total length : 164
    18901 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45727 10.0.0.2
    Group [10.0.0.2]
    processing hash
    18902 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45728 10.0.0.2
    Group [10.0.0.2]
    processing SA payload
    18903 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5364 10.0.0.2
    Group [10.0.0.2]
    processing nonce payload
    18904 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5365 10.0.0.2
    Group [10.0.0.2]
    Processing ID
    18905 04/04/2007 15:09:33.310 SEV=5 IKE/35 RPT=133 10.0.0.2
    Group [10.0.0.2]
    Received remote IP Proxy Subnet data in ID Payload:
    Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
    18908 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5366 10.0.0.2
    Group [10.0.0.2]
    Processing ID
    18909 04/04/2007 15:09:33.310 SEV=5 IKE/34 RPT=233 10.0.0.2
    Group [10.0.0.2]
    Received local IP Proxy Subnet data in ID Payload:
    Address 10.1.0.0, Mask 255.255.255.0, Protocol 0, Port 0
    18912 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45729
    QM IsRekeyed old sa not found by addr
    18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
    Group [10.0.0.2]
    Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
    18915 04/04/2007 15:09:33.310 SEV=4 IKEDBG/0 RPT=45730
    QM FSM error (P2 struct &0x1e75390, mess id 0x83ab1615)!
    18916 04/04/2007 15:09:33.310 SEV=7 IKEDBG/65 RPT=730 10.0.0.2
    Group [10.0.0.2]
    IKE QM Responder FSM error history (struct &0x1e75390)
    <state>, <event>:
    QM_DONE, EV_ERROR
    QM_BLD_MSG2, EV_NEGO_SA
    QM_BLD_MSG2, EV_IS_REKEY
    QM_BLD_MSG2, EV_CONFIRM_SA
    18921 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45731
    sending delete/delete with reason message
    18922 04/04/2007 15:09:33.310 SEV=6 IKE/0 RPT=822 10.0.0.2
    Group [10.0.0.2]
    Removing peer from correlator table failed, no match!
    18923 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45732 10.0.0.2
    Group [10.0.0.2]
    IKE SA MM:5b0e34cb rcv'd Terminate: state MM_ACTIVE
    flags 0x0001c042, refcnt 1, tuncnt 0
    18926 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45733 10.0.0.2
    Group [10.0.0.2]
    IKE SA MM:5b0e34cb terminating:
    flags 0x0101c002, refcnt 0, tuncnt 0
    18928 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45734
    sending delete/delete with reason message
    18929 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45735 10.0.0.2
    Group [10.0.0.2]
    constructing blank hash
    18930 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45736
    constructing IKE delete payload
    18931 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45737 10.0.0.2
    Group [10.0.0.2]
    constructing qm hash
    18932 04/04/2007 15:09:33.320 SEV=8 IKEDBG/0 RPT=45738 10.0.0.2
    SENDING Message (msgid=1d5c1587) with payloads :
    HDR + HASH (8) + DELETE (12)
    total length : 76
    18934 04/04/2007 15:09:33.320 SEV=4 AUTH/23 RPT=176 10.0.0.2
    User [10.0.0.2], Group [10.0.0.2] disconnected: duration: 0:00:00

    The error that sticks out to me is:
    18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
    Group [10.0.0.2]
    Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
    I do not know if this means policy on the Concentrator or the PIX, but I believe this is the cause. Below is my PIX 501 config:
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pix3
    domain-name mydomain.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    fixup protocol h323 1718-1719
    names
    access-list 102 permit ip 192.168.15.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list 102 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 102 permit icmp 192.168.15.0 255.255.255.0 192.168.15.0 255.255.255.0
    no pager
    logging on
    logging timestamp
    logging monitor debugging
    interface ethernet0 10baset
    interface ethernet1 10full
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.0.0.2 255.255.255.240
    ip address inside 192.168.15.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 102
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 192.168.15.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 102
    crypto map newmap 10 set peer 10.1.0.1
    crypto map newmap 10 set transform-set myset
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key myPSK address 10.1.0.1 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    ssh 172.16.0.0 255.255.255.224 inside
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 60
    dhcpd address 192.168.15.10-192.168.15.20 inside
    dhcpd dns 172.16.1.27 172.16.1.19
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80

  • Redhat EL 4 and pix 501

    I have recently configured a PIX 501 to work with 3 servers. Two servers are on Windows and one is on Red Hat EL 4.
    The firewall policy is very simple.
    Only 3 static IPs apply to these three servers. No NAT or PAT for a group of IPs.
    All three servers have some services allowed for external Internet users.
    The problem is that both Windows servers are working fine; only Red Hat EL 4 is not working. The RH4 server cannot ping or go to the Internet anywhere. Both Windows servers can ping and can go to the Internet. External users can reach both Windows servers but not RH4. My access policy is the same for all three servers. Also, for troubleshooting I enabled full access in and out to all. The same result happens: both Windows servers can go out, and external users can access everything on the two Windows servers but not on Linux. Is there any particular problem with Linux RH4 with the PIX?

    can you post your config, it will help in troubleshooting

  • Span port with Pix 501?

    I want to use an open source IDS for my small network. I have a Pix 501 and I would like to span one of the ports from the integrated four port switch so my IDS can see all the traffic. Is this possible or is the integrated switch too basic? I have a Cisco 3550 in storage that I could use if needed, but I really don't have a good place to put it. Thanks in advance!

    Hi .. yes, in fact the switch on the 501 is basically for extending your port density limits.
    I suggest connecting the desired port to a hub and then plugging the IDS into the hub. The IDS will then get all the packets ..
    I hope it helps ... please rate it if it does !!!

  • Help with opening port 10000 on a pix 501

    I am attempting to open port 10000 so that I can remotely VPN using tcp port 10000. This is a pix 501 running version 6.3.5.
    What commands do I need to enter for this to happen?

    Remote vpn access can be configured on a pix 501 by using the configuration guide present in the links given below:
    Site-to-Site VPN Configuration Examples is present in the url below:
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
    Managing VPN Remote Access guide is present in the following url:
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html

  • Cisco pix 501 open port problem

    Hi,
    I'm running a PIX 501 for my home office and I want to open the first ports for my mail client for an outside located server.
    But I get the following error in the log:
    106023: Deny tcp src outside:<ipmailserver>/993 dst inside:<ipoutsideinterface>/1729 by access-group "outside-mail"
    here's my basic config:
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password YYYYYY encrypted
    passwd YYYYYY encrypted
    hostname sunny
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside-mail permit tcp any any eq 465
    access-list outside-mail permit tcp any any eq 993
    pager lines 24
    logging on
    logging monitor emergencies
    logging buffered informational
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.10.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.10.0 255.255.255.0 0 0
    access-group outside-mail in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd address 192.168.10.10-192.168.10.39 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username stefan password YYYYY encrypted privilege 2
    terminal width 80
    Cryptochecksum:
    : end
    [OK]
    What's the problem?
    Any recommendations for the config anyway?
    Thanks

    Thanks Gerhard for the answer, but I don't want to redirect the port to an inside mail server.
    I am trying to connect to an outside mail server with a mail client from an inside PC (which is in the dhcp ip pool, i.e. 192.168.10.22).
    To open the ports I added:
    access-list outside-mail permit tcp any any eq 465
    access-list outside-mail permit tcp any any eq 993
    access-group outside-mail in interface outside
    But why is there a deny because of the access-group in the log?
    106023: Deny tcp src outside:/993 dst inside:/1729 by access-group "outside-mail"
    Regards S.

  • DMZ zone with PIX 501

    - How do I setup a DMZ zone with PIX 501 firewall? Do I need to use an additional router? I have CISCO 1605 at my disposal.
    - If I can't do that, what would be an alternative way to set up an FTP server similarly to the DMZ way?
    (We're using IPsec/GRE VPN between our 3 sites. we're on W2K network).
    thanks,
    oleg

    When talking about setting up a DMZ, a PIX model with at least three interfaces is required. On a PIX 501, only two interfaces are available, an outside interface (ethernet) and an inside interface (available as a 4 port switch). For setting up a DMZ, you will need an additional interface and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy and you are unlikely to find a satisfactory level of support for it for the simple reason that not many networks are deployed that way.

  • PIX 501 passthrough with to a Win VPN Server

    Can this piece of %^$ pix 501 allow port 1723 to be open so users can connect to a Windows VPN server configured by PDM?
    pix 6.3(5)
    Outside static IP - whatever 111.111.111.111
    Inside 192.168.1.1
    Win VPN server 192.168.1.10
    Thanks to anybody that can help.
    Note - I want to know if this can be accomplished using PDM 3.0.4
    This pix has to have a use other than a glorified 4 port switch

    Yes you can enable PIX501 with version 6.3.5 for PPTP pass through.
    Command line:
    static (inside,outside) tcp interface 1723 192.168.1.10 1723 netmask 255.255.255.255
    fixup protocol pptp 1723
    access-list permit tcp any host 111.111.111.111 eq 1723
    If you don't already have an access-list applied to outside interface, then you also need the following:
    access-group in interface outside
    Then "clear xlate" after the above configuration. I also assume that you would like to use the outside interface ip address of the PIX for the translation. Otherwise, if 111.111.111.111 is actually a spare public ip address, then the above static command should say:
    static (inside,outside) 111.111.111.111 192.168.1.10 netmask 255.255.255.255
    Yes, it can be accomplished using PDM. But I have to apologize that I don't have handy access to a PDM; hence, I can only advise you on the configuration using CLI.
    Hope that helps a little.

  • Q about DNS with PIX 501 as PPPoE client

    Hi!
    I've got PIX 501 (PixOS 6.3.5) acting as PPPoE client. Outside interface gets IP and DNS addresses from access concentrator.
    There is an example in the config guide of how to set the DNS address (got from the concentrator) for the DHCP daemon in the PIX, so clients in the LAN can get that DNS address.
    But I don't use DHCP in LAN. Is there a way to set PIX inside address as DNS on LAN clients and make PIX somehow redirect DNS request to PPPoE DNS server by itself? (same as on simplest linux-build SOHO box by Linksys etc)
    Thanks!

    In this example, the intent is for the machines in the 10.10.10.0 /24 network to access this web server in the DMZ by its external You do not want the PIX to do DNS Doctoring of the DNS replies. Instead, you want the PIX to dnat the external (global) IP address of the web server to its "real" DMZ address (192.168.100.10).
    Use the alias command to perform dnat:
    alias(inside) 10.99.99.99 192.168.100.10 255.255.255.224

  • Amazon S3 Backup with Cisco PIX 501 Router - slowww

    We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office. We are using a Synology NAS to backup to Amazon S3, and we use a Cisco PIX 501 to secure our network. The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue. After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down. I was told the upload should happen over HTTP and HTTPS, and I made sure these ports were open through the Access Rules. There are no rules defined in the Filter Settings.
    I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening?   I'm not too familiar with the PIX or all the network settings involved.
    Thanks!

    Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here:
    - Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
      This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
    THANKS
