PIX 501 PPPoE problems.

I have a Zoom adsl modem setup to accept PPPoE connections. We have verified this with two other, non-cisco devices, and it works.
I have configured the outside interface to connect via PPPoE to the router from within the PDM.
I have set this up with the known correct username and password, and with PAP authentication.
I have captured a debug with the following commands "debug pppoe packet", "debug pppoe error" and "debug pppoe event" and have attached it as file pppoedebug.txt.
"show ip address outside pppoe" gives:
PPPoE session has not been established yet.
I have also attached a running config of the PIX.
If anyone could take a quick look and see if my PIX config appears fine I'd much appreciate it.
I am very new to working with PIX; I'm used to working with IOS.
Thanks for your help.
David

I've upgraded to version 6.3(5) as opposed to 6.3(3) but I still get the same error. You say there might be a bug in 6.3, so me going to 6.3(5) wouldn't have made a difference anyway?
Due to the PIX 501 having Total Memory (16mb) and flash (8mb) I can't upgrade to 7.x. And I really wouldn't want to downgrade to 6.2, but I guess that's worth a try, to see if it really is a firmware fault.
Is there anything else you fine people could suggest?
Thanks for your help.
David.
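The thread above is about a PPPoE session that never gets established, and the "debug pppoe packet" output it refers to is a trace of the discovery stage (PADI/PADO/PADR/PADS). The decoder below is an added example, not code from the thread or from Cisco; it parses those discovery frames as defined in RFC 2516 and reports the session id and any error tags, which is what decides whether the access concentrator granted a session. The sample frames it runs on are constructed, and the AC name and error text in them are made up.

```python
"""Decode PPPoE discovery-stage frames (RFC 2516).

Added example, not code from the original thread or from Cisco: it parses
the PADI/PADO/PADR/PADS/PADT exchange that "debug pppoe packet" reports on,
so the reader can see which fields decide whether a session is granted.
The sample frames at the bottom are constructed; the AC name and the
error text in them are made up.
"""
import struct

# Discovery codes (RFC 2516, section 5).
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

# Tag types (RFC 2516, appendix A). The 0x02xx tags report errors.
TAGS = {
    0x0000: "End-Of-List",
    0x0101: "Service-Name",
    0x0102: "AC-Name",
    0x0103: "Host-Uniq",
    0x0104: "AC-Cookie",
    0x0105: "Vendor-Specific",
    0x0110: "Relay-Session-Id",
    0x0201: "Service-Name-Error",
    0x0202: "AC-System-Error",
    0x0203: "Generic-Error",
}
ERROR_TAGS = {0x0201, 0x0202, 0x0203}


def parse_pppoe_discovery(frame: bytes) -> dict:
    """Parse the PPPoE payload that follows Ethertype 0x8863.

    Returns the discovery code name, the session id, a dict of decoded
    tags, and the text of any error tags present.
    """
    if len(frame) < 6:
        raise ValueError("frame shorter than the 6-byte PPPoE header")
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if vertype != 0x11:  # version 1, type 1
        raise ValueError(f"unexpected ver/type 0x{vertype:02x}, expected 0x11")
    if code not in CODES:
        raise ValueError(f"unknown discovery code 0x{code:02x}")
    payload = frame[6:6 + length]
    if len(payload) < length:
        raise ValueError(f"payload truncated: header says {length} bytes, got {len(payload)}")

    tags = []
    pos = 0
    while pos + 4 <= len(payload):
        tag_type, tag_len = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + tag_len]
        if len(value) < tag_len:
            raise ValueError("tag truncated")
        tags.append((TAGS.get(tag_type, f"0x{tag_type:04x}"), tag_type, value))
        pos += 4 + tag_len
        if tag_type == 0x0000:  # End-Of-List terminates the tag list
            break

    errors = [v.decode("ascii", "replace") for (_, t, v) in tags if t in ERROR_TAGS]
    return {
        "code": CODES[code],
        "session_id": session_id,
        "tags": {name: value for (name, _, value) in tags},
        "errors": errors,
    }


def build_discovery(code: int, session_id: int, tags: list) -> bytes:
    """Assemble a discovery frame; used only to construct the samples below."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body


def summarize(frame: bytes) -> str:
    """One-line verdict in the spirit of a debug trace."""
    p = parse_pppoe_discovery(frame)
    if p["errors"]:
        return f"{p['code']}: no session, error tag: {p['errors'][0]}"
    return f"{p['code']}: session 0x{p['session_id']:04x}, tags {sorted(p['tags'])}"


# Constructed samples: the client's PADI (any service, with a Host-Uniq
# cookie), a PADS granting session 0x0001, and a PADS with session 0 plus
# an AC-System-Error tag, which is how a concentrator refuses a session.
PADI = build_discovery(0x09, 0, [(0x0101, b""), (0x0103, b"\x00\x00\x00\x2a")])
PADS_OK = build_discovery(0x65, 0x0001, [(0x0101, b""), (0x0102, b"ac-example"),
                                         (0x0103, b"\x00\x00\x00\x2a")])
PADS_ERR = build_discovery(0x65, 0, [(0x0101, b""), (0x0202, b"resources exhausted")])

if __name__ == "__main__":
    for f in (PADI, PADS_OK, PADS_ERR):
        print(summarize(f))
```

A PADS with session id 0 and an error tag means the concentrator refused the session during discovery; a PADS with a non-zero session id and no error tag means discovery succeeded and any remaining failure is in the PPP stage (LCP or the PAP/CHAP authentication), which is where the username and password in the thread above would come into play.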

Similar Messages

  • Pix 501 vpn problem

    I can connect but don't see any network resources.
    The Vpn Client, ver:5.0.01, is running on an xp machine.
    The network it is connecting to is behind a pix501- Ver. 6.3(5).
    When the connection is made the remote client gets an assigned address from the vpn pool 192.168.2.10- 192.168.2.25:
    The vpn client log shows:
    Line:45 18:07:27.898 08/12/09 Sev=Info/4 CM/0x63100034
    The Virtual Adapter was enabled:
    IP=192.168.2.10/255.255.255.0
    DNS=0.0.0.0,0.0.0.0
    WINS=0.0.0.0,0.0.0.0
    Domain=
    Split DNS Names=
    This is followed by these lines:
    46 18:07:27.968 08/12/09 Sev=Warning/2 CVPND/0xE3400013
    AddRoute failed to add a route: code 87
    Destination 192.168.1.255
    Netmask 255.255.255.255
    Gateway 192.168.2.1
    Interface 192.168.2.10
    47 18:07:27.968 08/12/09 Sev=Warning/2 CM/0xA3100024
    Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a8020a, Gateway: c0a80201.
    48 18:07:28.178 08/12/09 Sev=Info/4 CM/0x63100038
    Successfully saved route changes to file.
    49 18:07:28.198 08/12/09 Sev=Info/6 CM/0x63100036
    The routing table was updated for the Virtual Adapter
    50 18:07:29.760 08/12/09 Sev=Info/4 CM/0x6310001A
    One secure connection established
    I can ping, from the remote client, to an inside ip behind the pix even
    when I get the "add route failure" shown above, but I can't ping the computer name.
    I enabled NAT traversal using the PDM, But when I connect with this option I get the error that the "Remote end is NOT behind a NAT device This end IS behind a NAT device" and ping fails.
    Behind the pix are a few computers with no central server so I'm not passing a WINS server to the remote client.
    I set up the vpn with the wizard.
    Attached is the config file.
    Any suggestions would be appreciated.
    Regards,
    Hugh

    Hugh, sure you can rate based on the overall of the conversation but you are not obligated to do so but certainly would be nice to provide ratings.
    To summarize the overall narrowing down of possible issues, the main goal was to ensure the RA VPN configuration on the PIX501 was corrected.
    1- We enabled NAT-T on the firewall - even though this was not the issue, it is required should you RA VPN from other locations - NAT traversal makes the firewall aware of NAT devices at other ends - here is some good information on NAT-T for future reference
    http://www.microsoft.com/technet/community/columns/cableguy/cg0802.mspx
    2- We corrected the VPN POOL network /28 as well as the nonat access list and crypto ACL to be consistent.
    Here is a link for future reference with numerous PIX configuration scenarios
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
    Lastly - your only remaining issue, we can say, is purely isolated to the MAC machine and VPN client software.
    You could perhaps try a different version of the client on the MAC, or also look into the release notes' open caveats to rule out Cisco client versioning and MAC versioning, if there are any issues.
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_notes_list.html
    Regards

  • Problem with VPN by ASA 5505 and PIX 501

    Hi
    I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5)).
    I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
    When I configure the ASA I have this problem, when I configure NAT for Easy VPN.
    This is my nat configuration:
    nat (inside) 0 access-list 100
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 0.0.0.0 0.0.0.0 outside
    when I put this command:
    nat (inside) 0 access-list no-nat
    this command is necessary for configuration of easy vpn, but the previous nat:
    nat (inside) 0 access-list 100
    is replaced by the latest command.

    To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
    For regular dynamic NAT:
    nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    For policy dynamic NAT and NAT exemption:
    nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
    no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]

  • Q about DNS with PIX 501 as PPPoE client

    Hi!
    I've got PIX 501 (PixOS 6.3.5) acting as PPPoE client. Outside interface gets IP and DNS addresses from access concentrator.
    There is an example in the config guide of how to set the DNS address (got from the concentrator) for the DHCP daemon in the PIX, so clients in the LAN can get that DNS address.
    But I don't use DHCP in the LAN. Is there a way to set the PIX inside address as DNS on the LAN clients and make the PIX somehow redirect DNS requests to the PPPoE DNS server by itself? (same as on the simplest Linux-based SOHO box by Linksys etc.)
    Thanks!

    In this example, the intent is for the machines in the 10.10.10.0 /24 network to access this web server in the DMZ by its external You do not want the PIX to do DNS Doctoring of the DNS replies. Instead, you want the PIX to dnat the external (global) IP address of the web server to its "real" DMZ address (192.168.100.10).
    Use the alias command to perform dnat:
    alias(inside) 10.99.99.99 192.168.100.10 255.255.255.224

  • Cisco pix 501 open port problem

    Hi,
    I'm running a Pix 501 for Home office and I want to open first ports for my mail client for an outside located server.
    But I get the following error in the log:
    106023: Deny tcp src outside:<ipmailserver>/993 dst inside:<ipoutsideinterface>/1729 by access-group "outside-mail"
    here's my basic config:
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password YYYYYY encrypted
    passwd YYYYYY encrypted
    hostname sunny
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside-mail permit tcp any any eq 465
    access-list outside-mail permit tcp any any eq 993
    pager lines 24
    logging on
    logging monitor emergencies
    logging buffered informational
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.10.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.10.0 255.255.255.0 0 0
    access-group outside-mail in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd address 192.168.10.10-192.168.10.39 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username stefan password YYYYY encrypted privilege 2
    terminal width 80
    Cryptochecksum:
    : end
    [OK]
    What's the problem?
    Any recommendations for the config anyway?
    Thanks

    Thanks Gerhard for the answer, but I don't want to redirect the port to an inside mail server.
    I try to connect to an outside mail server with a mail client from an inside PC (which is in the DHCP IP pool, i.e. 192.168.10.22).
    To open the ports I added:
    access-list outside-mail permit tcp any any eq 465
    access-list outside-mail permit tcp any any eq 993
    access-group outside-mail in interface outside
    but why is there a deny because of the access-group in the log?
    106023: Deny tcp src outside:/993 dst inside:/1729 by access-group "outside-mail"
    Regards S.
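The 106023 line quoted twice in the post above is the PIX's "denied by access-group" syslog message. The script below is an added example, not code from the thread or from Cisco: it parses that message format and sorts each deny by shape, separating denies that look like replies to an outbound session the firewall has no connection entry for (well-known port on the outside source, ephemeral port on the inside destination, exactly the 993 to 1729 pattern in the post) from unsolicited inbound attempts that an outside ACL is meant to drop. The first kind points at connection-state and timeout questions rather than at a missing permit. The log lines are constructed and use documentation address ranges.

```python
"""Triage PIX 106023 "Deny ... by access-group" syslog lines.

Added example, not code from the original thread or from Cisco. It parses
the message format quoted in the post above and sorts each deny into
reply-like traffic (service port on the outside source, ephemeral port on
the inside destination, the shape of a reply to an outbound session the
firewall has no connection entry for) versus unsolicited inbound attempts,
which an outside ACL is expected to drop. The log lines are constructed;
the addresses come from RFC 5737 documentation ranges.
"""
import re
from collections import Counter

DENY_RE = re.compile(
    r'106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

EPHEMERAL_START = 1024  # ports below this are treated as service ports


def parse_deny(line: str):
    """Return the fields of a 106023 line as a dict, or None for other messages."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d


def classify(deny: dict) -> str:
    """Heuristic label for one deny.

    reply-like : low source port, high destination port; looks like return
                 traffic for a session the firewall no longer tracks, so the
                 things to check are xlate/conn timeouts and the traffic
                 path, not the inbound ACL.
    unsolicited: destination is a service port; a new inbound attempt.
    other      : anything else (high to high, low to low).
    """
    if deny["src_port"] < EPHEMERAL_START and deny["dst_port"] >= EPHEMERAL_START:
        return "reply-like"
    if deny["dst_port"] < EPHEMERAL_START:
        return "unsolicited"
    return "other"


def triage(lines):
    """Count denies per (access-group, class) and keep the parsed records."""
    counts = Counter()
    records = []
    for line in lines:
        d = parse_deny(line)
        if d is None:  # not a 106023 message, e.g. a 302013 "Built connection"
            continue
        kind = classify(d)
        counts[(d["acl"], kind)] += 1
        records.append((kind, d))
    return counts, records


# Constructed log excerpt. 198.51.100.200 stands for the PIX outside address,
# which is what the post shows as the "dst inside:" address.
SAMPLE_LOG = [
    '%PIX-4-106023: Deny tcp src outside:203.0.113.25/993 dst inside:198.51.100.200/1729 by access-group "outside-mail"',
    '%PIX-4-106023: Deny tcp src outside:203.0.113.25/465 dst inside:198.51.100.200/1730 by access-group "outside-mail"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:198.51.100.200/23 by access-group "outside-mail"',
    '%PIX-4-106023: Deny udp src outside:198.51.100.9/40000 dst inside:198.51.100.200/161 by access-group "outside-mail"',
    '%PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.25/993 (203.0.113.25/993) to inside:192.168.10.22/1731 (198.51.100.200/1731)',
]

if __name__ == "__main__":
    counts, records = triage(SAMPLE_LOG)
    for (acl, kind), n in sorted(counts.items()):
        print(f'access-group "{acl}": {kind:<11} {n}')
    for kind, d in records:
        if kind == "reply-like":
            print(f'  check conn/xlate state for {d["dst_ip"]}/{d["dst_port"]} <-> {d["src_ip"]}/{d["src_port"]}')
```

Run over the constructed excerpt it reports two reply-like denies (the mail server answering on 993 and 465) and two unsolicited ones (telnet and SNMP probes); only the first group is worth correlating with the connection table, since a permit for the service port on the outside ACL would not be needed for tracked return traffic anyway.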

  • PIX 501 Problem

    Hello All,
    I have a PIX 501. I configured it with a public IP address outside and a private IP inside. I am able to connect to the device from inside via telnet but NOT from outside. I configured the telnet access on both interfaces with the telnet command. I am able to connect to the device from outside but only via HTTPS://. Can you help me, guys? Do I have to use the static command with port 23??
    Regards
    Rumen

    Pix doesn't allow telnet on the outside interface, you must use ssh.

  • Persistent VPN between PIX 501 and ASA 5505

    I am a networking newbie with 2 small retail stores. I would like to create a persistent VPN between the stores. I already have a PIX 501 firewall, and I am looking at getting an ASA 5505. Would I have any problems creating a persistent VPN between these two firewalls?

    No problems whatsoever :-)
    There are loads of examples for the config on the Cisco website, and basically these boxes can run exactly the same software, so the config on each is virtually the same. Main difference is the ASA defines the interfaces in a different way. Even if you have different versions of software, say 6.3 on the PIX and 7.2 on the ASA they will still work fine for the VPN, just the configs will be a lot more different. Hope this helps to remove any worries you had?

  • Use PIX 501 to access internet, how to?

    I have this PIX501 box and this is what I want to do:
    Outside: connect it to a DSL modem (yahoo/ATT SpeedStream 5100). Use DHCP
    Inside: connect to one or two PCs. Use static IP. The PIX box's inside IP: 192.168.1.1
    The Yahoo's DNS server IP: 192.168.0.1
    Could anybody provide a script to make this happen, so that I can run it on the pix.
    Long story short, when I first bought it, Cisco provided some tech support and somehow they made it work. Now I am out of support. I have made all reasonable efforts, but still cannot make it work (access the internet), even after I reset it to the factory default settings.
    Thanks for any help.
    Scott

    I have exactly that setup, including a PIX 501.
    First, reset the PIX to factory default.
    Your path of least resistance would be to connect everything to where it's supposed to be connected.
    From one of the inside PCs, aim a web browser at the PIX (You should have gotten a DHCP address from the PIX, the inside is a DHCP server by default). If you do an "IPCONFIG / ALL" on the PC from a DOS box, the address listed as "Default Gateway" is the address of the inside interface of the PIX.
    Using your browser should bring up "PDM" (PIX device Manager). The default username and password is cisco/Cisco (note the capital "C")
    Once you get PDM up, all you really need to do is configure the outside interface as PPPoE, and provide the Yahoo username & password (usually the same as your Yahoo email password). If you don't recall your username & password, go to the http://help.sbcglobal.com website and do an automated password reset
    *** NOTE *** THIS WILL CHANGE THE PASSWORD OF EVERY SERVICE YOU ACCESS - EMAIL, ACCOUNT ACCESS, EVERYTHING!!!!!!!!!
    Don't forget to save the config once you get it working.
    By default, the PIX 501 is set up to be a DHCP client on the WAN interface, a DHCP server on the inside, and to pass the WAN parameters for DNS, Default Gateway, etc to the inside clients.
    Once you've got the Outside interface correctly config'd for PPPoE, it should come up & be working.
    Good Luck
    Scott

  • Manual key negotiation with pix 501

    how to use manual key negotiation with pix 501 6.3 to solve VPN tunnel negotiation problem

    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html#wp1045493
    "Manual configuration of SAs is not supported on the PIX 501 because of the restriction in the number of ISAKMP peers allowed on that platform."
    However I'm sure a proper solution can be found to your original problem (establishing VPN with huawei)
    Please rate helpful posts.
    Regards
    Farrukh

  • Can't Access Pix 501 in the remote site.

    Good day... We're having a problem managing a Cisco PIX 501 from our remote site. I try to connect using telnet and PDM (https://ip address of cisco pix) from our head office but it can't open the Cisco manager. Please send me some inputs to resolve this problem...

    Do you have the PIX 501 configured to allow the connection from the IP address of the system you are trying to connect from? If not, you will need to add a line to the configuration something like:
    http x.x.x.x
    telnet x.x.x.x
    The x.x.x.x address will be the IP address of the machine you are trying to connect from and the interface will be that which is configured with the IP address you are trying to connect to.
    If you are trying to connect to the inside interface of the 501 through a VPN tunnel, you will also need the command:
    management-access inside
    HTH,
    Steve

  • Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access

    Hello folks,
    I need your help.
    We got a Cisco PIX 501 in one location and this PIX is configured for PPPoE dial out. The PIX connects itself to the internet via the PPPoE client. Ping to an official IP works well.
    So what I want to do is to establish a VPN tunnel between this PIX and a Cisco 3005 concentrator.
    But I was not successful in establishing it.
    Here is the PIX config. The ACLs are only for testing and will be replaced if it works.
    PIX Version 6.3(4)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx
    passwd xxx
    hostname PIX-AU
    domain-name araukraine.ua
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside permit ip any any
    access-list inside_access_in permit ip any any
    pager lines 24
    logging on
    logging monitor warnings
    logging buffered warnings
    mtu outside 1456
    mtu inside 1456
    ip address outside pppoe setroute
    ip address inside 192.168.x.x 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.x.x 255.255.255.224 inside
    pdm logging warnings 500
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.x.x 255.255.x.x inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.x.x 255.255.x.x inside
    telnet timeout 5
    ssh 194.39.97.0 255.255.255.0 outside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname [email protected]
    vpdn group pppoe_group ppp authentication pap
    vpdn username [email protected] password *********
    encrypted privilege 15
    vpnclient server 212.xx.xx.xx
    vpnclient mode network-extension-mode
    vpnclient vpngroup vpntest password ********
    vpnclient username pixtest password ********
    terminal width 80
    On the concentrator I created a user pixtest, a group vpntest and I've created rules for the network, e.g. which servers the users behind the PIX will be able to access.
    And that's all.
    I could not send you the output either of the pix or concentrator because I did not get an error or a message that the tunnel will be established.
    What can be wrong ?
    Thanks for the replies

    This sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml

  • Pix 501 IPSec VPN no LAN access and no ping

    Hello,
    I am attempting to set up an IPSec VPN in a basic small business scenario. I am able to connect to my PIX 501 via IPSec VPN and browse the internet but I am unable to ping or connect to any devices in the remote LAN. Here is my config
    show config:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxxx encrypted
    hostname pixfirewall
    domain-name domain.local
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 195.7.x.x BLR-Quadria
    name 176.76.1.0 LAN-CEPIC
    name 176.76.1.40 ADMIN
    name 176.76.1.253 SRV-Linux
    name 212.234.98.224 ADSL-Quadria
    name 81.80.252.129 sylob
    name 176.76.1.33 poste-pcanywhere
    name 176.76.1.179 TEST
    name 10.1.1.0 VPN_CLIENT
    name 176.76.1.100 SRVSVG01
    name 176.76.1.116 SRV-ERP01
    name 176.76.1.50 SRV-ERP00
    object-group network WAN-Quadria
      network-object BLR-Quadria 255.255.255.248
      network-object ADSL-Quadria 255.255.255.248
    object-group network SRV-CEPIC
      network-object SRV-Linux 255.255.255.255
      network-object ADMIN 255.255.255.255
      network-object SRVSVG01 255.255.255.255
      network-object SRV-ERP00 255.255.255.255
      network-object SRV-ERP01 255.255.255.255
    object-group service TCP-Linux-Quadria tcp
      port-object eq 1812
      port-object eq 222
      port-object eq 10000
    object-group service TCP-TSE-Quadria tcp
      port-object eq 3389
    object-group service PCAnywhereUDP udp
      port-object range pcanywhere-status pcanywhere-status
    access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
    access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
    access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
    access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
    access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
    access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
    access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
    access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
    pager lines 24
    logging on
    logging console debugging
    logging buffered debugging
    logging trap debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 176.76.1.254 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name attaque attack action alarm drop reset
    ip audit name info info action alarm drop reset
    ip audit interface outside info
    ip audit interface outside attaque
    ip audit interface inside info
    ip audit interface inside attaque
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 2000 disable
    ip audit signature 2003 disable
    ip local pool VPN_POOL 10.1.1.10-10.1.1.20
    pdm location ADMIN 255.255.255.255 inside
    pdm location SRV-Linux 255.255.255.255 inside
    pdm location BLR-Quadria 255.255.255.248 outside
    pdm location ADSL-Quadria 255.255.255.248 outside
    pdm location LAN-CEPIC 255.255.255.0 inside
    pdm location poste-pcanywhere 255.255.255.255 inside
    pdm location sylob 255.255.255.255 outside
    pdm location TEST 255.255.255.255 inside
    pdm location 10.10.10.0 255.255.255.224 outside
    pdm location VPN_CLIENT 255.255.255.0 inside
    pdm location VPN_CLIENT 255.255.255.224 outside
    pdm location SRVSVG01 255.255.255.255 inside
    pdm location SRV-ERP00 255.255.255.255 inside
    pdm location SRV-ERP01 255.255.255.255 inside
    pdm group WAN-Quadria outside
    pdm group SRV-CEPIC inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    ntp server 193.55.130.2 source inside
    ntp server 80.67.179.98 source outside
    ntp server 194.2.0.28 source outside prefer
    http server enable
    http BLR-Quadria 255.255.255.248 outside
    http ADSL-Quadria 255.255.255.248 outside
    http ADMIN 255.255.255.255 inside
    http LAN-CEPIC 255.255.255.0 inside
    snmp-server host inside SRV-Linux
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp outside
    sysopt noproxyarp inside
    service resetinbound
    service resetoutside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
    vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
    vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
    vpngroup CEPIC_VPN_CLIENT default-domain domain.local
    vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
    vpngroup CEPIC_VPN_CLIENT idle-time 1800
    vpngroup CEPIC_VPN_CLIENT password ********
    telnet timeout 5
    ssh BLR-Quadria 255.255.255.248 outside
    ssh ADSL-Quadria 255.255.255.248 outside
    ssh LAN-CEPIC 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xxxxx
    vpdn group pppoe_group ppp authentication chap
    vpdn username xxxx password xxxxx store-local
    username vg_vpn password xxxxx encrypted privilege 3
    username test password xxxxxx encrypted privilege 3
    username quadria password xxxxx encrypted privilege 15
    username jml_vpn password xxxxx encrypted privilege 3
    username jr_vpn password xxxxx encrypted privilege 3
    username js_vpn password xxxxx encrypted privilege 3
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege show level 3 command uauth
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    privilege show level 5 mode configure command logging
    privilege show level 5 command fragment
    terminal width 80
    Cryptochecksum:
    I know this is a basic question but I would really appreciate the help!
    Thanks so much,

    Hi,
    You could try to change the Split Tunnel ACL to Standard ACL
    First removing it from the VPN configuration and then removing the ACL and creating it as Standard type ACL
    Current
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    New
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
    You could also try adding
    fixup protocol icmp
    fixup protocol icmp error
    Have you monitored the logs while you are attempting to connect to the LAN network?
    - Jouni
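Two of the replies on this page come down to the same bookkeeping: the address pool handed to VPN clients, the destination of the nat 0 (NAT exemption) ACL and the destination of the dynamic crypto ACL must describe the same network (the Hugh thread, where "the VPN POOL network /28 as well as the nonat access list and crypto acl" were made consistent, and the CEPIC config above, where VPN_POOL is 10.1.1.10-10.1.1.20 and both ACLs use VPN_CLIENT with 255.255.255.224). The checker below is an added example, not code from either thread or from Cisco; it computes the smallest prefix covering a pool and compares it with the two ACL networks. Its inputs are constructed: the "good" set mirrors the shape of the CEPIC config, the "bad" set is a deliberately mismatched variant.

```python
"""Check that a remote-access VPN pool, the nat 0 (NAT exemption) ACL and
the crypto ACL on a PIX describe the same network.

Added example, not code from the original threads or from Cisco. It does
the bookkeeping behind the two replies above: the pool must fall inside
the network the nonat ACL exempts and the network the crypto ACL matches,
and those two should be the same prefix. The networks below are
constructed for illustration; the "good" set mirrors the shape of the
CEPIC config (10.1.1.10-10.1.1.20 pool, 255.255.255.224 ACL masks), the
"bad" set is a deliberately mismatched variant.
"""
import ipaddress


def pix_net(address: str, mask: str) -> ipaddress.IPv4Network:
    """Turn a PIX 'address mask' pair into a network object."""
    return ipaddress.IPv4Network((address, mask), strict=False)


def covering_network(first_ip: str, last_ip: str) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every address of an 'ip local pool'."""
    first = ipaddress.IPv4Address(first_ip)
    last = ipaddress.IPv4Address(last_ip)
    if last < first:
        raise ValueError("pool end precedes pool start")
    for prefix in range(32, -1, -1):  # widen until the last address fits
        net = ipaddress.IPv4Network((first, prefix), strict=False)
        if last in net:
            return net
    raise AssertionError("unreachable: /0 contains every address")


def check_vpn_consistency(pool, nat0_dst, crypto_dst):
    """Return a list of findings; an empty list means the three agree.

    pool       : (first_ip, last_ip) from 'ip local pool'
    nat0_dst   : (address, mask) of the destination in the nat 0 ACL
    crypto_dst : (address, mask) of the destination in the dynamic crypto ACL
    """
    pool_net = covering_network(*pool)
    nat0 = pix_net(*nat0_dst)
    crypto = pix_net(*crypto_dst)
    findings = []
    if not pool_net.subnet_of(nat0):
        findings.append(f"pool {pool_net} is not covered by the nat 0 ACL destination {nat0}: "
                        "LAN-to-client traffic would be NATed instead of exempted")
    if not pool_net.subnet_of(crypto):
        findings.append(f"pool {pool_net} is not covered by the crypto ACL destination {crypto}: "
                        "return traffic to clients would not match the tunnel")
    if nat0 != crypto:
        findings.append(f"nat 0 ACL ({nat0}) and crypto ACL ({crypto}) use different networks")
    return findings


# Constructed inputs.
GOOD_POOL = ("10.1.1.10", "10.1.1.20")
GOOD_NAT0 = ("10.1.1.0", "255.255.255.224")
GOOD_CRYPTO = ("10.1.1.0", "255.255.255.224")

BAD_POOL = ("10.1.1.10", "10.1.1.40")          # spills past the /27
BAD_NAT0 = ("10.1.1.0", "255.255.255.224")     # /27
BAD_CRYPTO = ("10.1.1.0", "255.255.255.0")     # /24, disagrees with nat 0

if __name__ == "__main__":
    for label, args in (("good", (GOOD_POOL, GOOD_NAT0, GOOD_CRYPTO)),
                        ("bad", (BAD_POOL, BAD_NAT0, BAD_CRYPTO))):
        findings = check_vpn_consistency(*args)
        print(f"{label}: pool covers {covering_network(*args[0])}")
        for f in findings or ["consistent"]:
            print("  " + f)
```

The check is deliberately stricter than "does the pool overlap the ACL": a pool that only partly falls inside the exemption network fails for exactly the clients that draw the uncovered addresses, which shows up as the intermittent "some users can reach the LAN, some cannot" symptom rather than a clean failure.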

  • PIX 501 Not working, why??

    Hi,
        I have just purchased a new Cisco PIX 501 firewall and I have installed the certificates it asks for. Now the situation is that the certificates have been installed but this stupid thing won't even go to the PDM window. It just tells me that a new window will open but nothing happens, and I am just tired of this thing. I have even installed the latest Java version but have the same issue; then I read on the forums to use the Java 1.5x version, tried that too, and it won't go to the. Now can anyone tell me how I can make this thing work and move on to the PDM window? I also tried it on Mozilla, IE and Chrome but got the same issue.
    Please help me out here, ppl. It's getting really annoying.
    Regards,
    Ali

    Hi Julio,
    Thank you so much for taking the time to assist me with this issue.  I'm not sure it's an ISP issue though (at least I hope not!)  Please consider:
    - When I first attempted to implement this change, I didn't even think to install a router between the cable modem and switch.  I figured I would simply install a switch (or hub) between the cable modem and firewall, and that I would be able to plug my IDS into that switch (or hub).  But it wouldn't work.  The PIX couldn't pull an IP.  I found out the problem was that the ISP was seeing the switch as the primary device, and grabbing its MAC address.  The PIX was ignored, and therefore never able to connect.  I called the ISP and they confirmed this is how they control how many devices are connected.  And since I only want to pay for 1 IP address from them, that's how it is.
    - Then I decided to try the router approach.  And it seems to work.  The 1st router interface is getting the IP address from the ISP.  I have communications between the pix and router, and also between the router and internal hosts.  I don't think the ISP cares what's on the other side of the router (do they?)
    - Each time I go home to try your recommendations I unplug the PIX from the cable modem, and connect the router inline.  That's when I lose internet connectivity.  But once I revert back to that configuration, it works again.  So the internet connection works fine.  It's only when I add the router to the mix that I lose it.
    Please let me know if you think there's anything else I can try here.  I can't help thinking it is my configuration and not an ISP issue - hoping you are able to find something else I may have done incorrectly.
    Thank you!
    -Bk

  • IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501

    I have successfully established the IPSEC tunnel with juniper firewall by using cisco Pix 501 (6.3 version). The problem I am facing, I have network layer connectivity but after time interval I am not able to send the traffic on destination IP address on specific port, but can successfully PING the destination IP. On both firewalls the IPs are permitted for all ports.

    Dear Mr.
    The same problem has occurred with me.

  • Redhat EL 4 and pix 501

    I have recently configured a PIX 501 to work with 3 servers. Two servers are on Windows and one is on Red Hat EL 4.
    The firewall policy is very simple.
    Only 3 static IPs apply to these three servers. No NAT or PAT for groups of IPs.
    All three servers have some services allowed for external internet users.
    The problem is both Windows servers are working fine; only the Red Hat EL 4 server is not working. The RH4 server cannot ping or go to the internet anywhere. Both Windows servers can ping and can go to the internet. External users can reach both Windows servers but not RH4. My access policy is the same for all three servers. Also, for troubleshooting, I enabled full access in and out for all. The same result happens: both Windows servers can go out, and external users can access everything on the two Windows servers except Linux. Is there any particular problem with Linux RH4 with the PIX?

    can you post your config, it will help in troubleshooting
