PIX 501 - prefix-list causes PDM to fail
Hi
I am configuring a redundant link via ADSL between 2 501 routers
I cant get the link to activate when the system is connected to the local network because it picks up a OSPF route to the remote site via the main internal network.
I tried to ad a filter to prevent the the route being recieved. And here is my problem
Either using PDM or the command line, the creation of a filter
prefix-list mel-backup seq 9 deny melbackup/30 causes the PDM to lock on startup or save.
And the area filter command seems to have no effect
I even tried a random internal route.
The commands I am adding are
prefix-list backup_melb seq 3 deny Level9/24
router ospf 22
network 10.150.102.22 255.255.255.255 area 0
area 0 filter-list prefix backup_melb in
Does anyone know of a problem with this ?
Thanks in Advance
Mark Casey
Hi,
PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesnt support even close to new software levels.
If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
Here is a PDF of the original ASA5500 Series.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
Here is a PDF of the new ASA5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I am afraid that its very hard for me atleast to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
Could you provide the requested outputs?
From the PIX after connection test
show crypto ipsec sa
Screen captures of the VPN Client routing and statistics sections.
- Jouni
Similar Messages
-
Hi,
We have a customer with a Pix 501(v6.3.4)(PDM v3.02) Firewall.
We can succesfully setup a VPN connection, but the client loses the Internet connection when the VPN connection is up. I found some articles on the Internet about split tunneling, but I cant figure out how to do this.
Can someone please help me out?I suppose 501 is Easy VPN server
Split tunnel says what traffic goes to VPN tunnel if you dont have split tunnel enabled all traffic iis encrypted you need specify with ACL what traffic should be encrypted
check following example whe is ACL 80 used for split tunnel
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html#wp1062497
M.
Hope that helps rate if it does -
Cannot connect to PDM on PIX 501
just cant figure this out. I have a PIX 501 that I used to be able to connect to just fine. Now I cannot get the PDM to come up Inside, Outside, Nothing. I am using the same(old) version of JAVA 1.4 that I have always used. I can Telnet etc.. just fine. The HTTP server is enabled and have granted access to from my IP's. Any help would be greatly appreciated. See my config below.
pixfirewall# show run
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd XXXXXXXX encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 X0
fixup protocol h323 ras X18-X19
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name X.X.X.X admin_subnet
access-list inside_outbound_nat0_acl permit ip X.X.X.X 255.255.255.0 admin_
subnet 255.255.0.0
access-list inside_outbound_nat0_acl permit ip X.X.X.X 255.255.255.0 X.X
.X.X 255.255.255.0
access-list outside_cryptomap_20 permit ip X.X.X.X 255.255.255.0 admin_subn
et 255.255.0.0
access-list outside_cryptomap_20 permit ip X.X.X.X 255.255.255.0 X.X.X
.X 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.128
ip address inside X.X.X.X 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location admin_subnet 255.255.0.0 outside
pdm location X.X.X.X 255.255.255.0 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location X.X.X.X 255.255.255.0 outside
pdm location X.X.X.X 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http X.X.X.X 255.255.255.0 inside
http admin_subnet 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address X.X.X.X netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 8X00
telnet X.X.X.X 255.255.255.0 outside
telnet X.X.X.X 255.255.255.0 inside
telnet admin_subnet 255.255.0.0 inside
telnet timeout 30
ssh X.X.X.X 255.255.255.255 outside
ssh X.X.X.X 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 30
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
username XXXXXX password XXXXXXXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:
: endHello Mark,
lol Nice to know that everything is working fine now
Remember to mark the question as answered and to rate all of the helpful posts ( If you do not know how to rate a post just go to the bottom of each reply and mark the stars 1 being a bad answer, 5 being a great answer)
Regards,
Julio
PD: Some kudos for you ( because of the answer) -
Pix 501 PDM 30 - can't get web browser access
I just got two used Pix 501 units, and cannot get the web browser working. OK to first login box with blank username and password per manual, click Yes to certificate popup, "Loading Startup Wizard" prompts for username and password - blank is NOT accpeted here.
Get java.security.AccessControlException: access denied in lower border of browser window.
How do I get past this?Phil, this is a known issue with certain old versions of PDM.
Refer to this link for work around.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_field_notice09186a008046c805.shtml
also try java update
Java runtime environment version 6 update 2 is available , try this and see if it resolves the issue
http://www.java.com/en/download/index.jsp
Jorge -
Since updating to Internet Explorer version 7 I am no longer able to access the PIX 501 using the PDM software.
Can anyone help with this situation.
MikeDisable the IE popup blocker to see if it works.Disable the popup blocker of yahoo toolbar.Even if this doesnt work download JRE from the following link http://java.sun.com/products/archive/j2se/1.4.2_03/index.html.
-
Cisco Pix 501 / DNS - DNS resolution stops working over time
Hello,
I currently have a Cisco Pix 501 with the configuration listed below. It connects to the public internet via a cable modem and acts as a DCHP server for the local LAN.
When it first turns on, all computers obtain the correct IP settings and can access the internet. Within 10-15 minutes, computers begin to loose access to the Internet. What’s strange is that each computer that lost Internet access can ping the remote address but cannot perform an nslookup. (it shows as Server UnKnown)
The DNS server is 167.206.254.2 which is the external dns server provided by my ISP. I can ping this address but the local computer is unable to use it for domain to ip resolution.
Then network used to have an existing Windows Small Business Server that was a DNS and WINS Server. I ran dcpromo to remove the role of the server and uninstalled dns via add/remove components.
Can someone please help me determine why the computers over time loose the ability to resolve domain names and therefore loose internet access? Can there be some bad DNS entries created? Is there anything I can run on the local computers to further troubleshoot dns errors? Is it possible that the existing Windows SBS server is still running DNS and therefore causing conficts in some way?
One thing to note is that when I reset the Pix 501, everything begins to work again but only for a short time until one by one each computer can no longer resolve domain names. Also, I noticed that once someone connects via VPN and disconnects, one of the local computers looses the ability to resolve DNS.
Cisco Pix Config
PIX# show config
: Saved
: Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password chiuzjKkSD33lwEw encrypted
passwd chiuzjKkSD33lwEw encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
access-list ping_acl permit icmp any any
pager lines 24
logging timestamp
logging monitor debugging
logging buffered debugging
logging history debugging
logging queue 0
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 512
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group ping_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ACS protocol tacacs+
aaa-server ACS max-failed-attempts 3
aaa-server ACS deadtime 10
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
crypto map MYMAP client authentication LOCAL
crypto map MYMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPNGRP idle-time 1800
vpngroup VPNGROUP address-pool VPN
vpngroup VPNGROUP dns-server 167.206.254.2
vpngroup VPNGROUP wins-server 192.168.2.50
vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd dns 167.206.254.2 167.206.254.2
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd enable inside
username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
username andrew password A340D92MQ0zV0hGs encrypted privilege 15
terminal width 80
Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbecWow...i didn't realize this was possible. I will certainly check the logs tomorrow via the existing thread but just to confirm, is this only true if DHCP is enabled on PIX?
In other words, I managed to work around this issue by applying static IP's to all computers and the internet works just fine. -
IPSec LAN-to-LAN from PIX 501(6.3.5) to VPNC 3000 rejects tunnel.
I will post more data once back in the office but this is the error my VPNC3000 is showing when the IPSec tunnel tries to establish:
I've replaced the PIX 501 outside IP with 10.0.0.1, and the concentrator subnet with 10.1.0.0
18890 04/04/2007 15:09:33.190 SEV=6 IKE/201 RPT=2 10.0.0.2
Group [10.0.0.2]
Duplicate Phase 1 packet detected. Retransmitting last packet.
18892 04/04/2007 15:09:33.190 SEV=6 IKE/0 RPT=820 10.0.0.2
Group [10.0.0.2]
Responder resending last msg
18893 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45723 10.0.0.2
RECEIVED Message (msgid=b57613b7) with payloads :
HDR + HASH (8) + NOTIFY (11) + NONE (0)
total length : 76
18895 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45724 10.0.0.2
Group [10.0.0.2]
processing hash
18896 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45725 10.0.0.2
Group [10.0.0.2]
Processing Notify payload
18897 04/04/2007 15:09:33.310 SEV=6 IKE/0 RPT=821
Received unexpected event EV_ACTIVATE_NEW_SA in state MM_ACTIVE
18898 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45726 10.0.0.2
RECEIVED Message (msgid=83ab1615) with payloads :
HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
total length : 164
18901 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45727 10.0.0.2
Group [10.0.0.2]
processing hash
18902 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45728 10.0.0.2
Group [10.0.0.2]
processing SA payload
18903 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5364 10.0.0.2
Group [10.0.0.2]
processing nonce payload
18904 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5365 10.0.0.2
Group [10.0.0.2]
Processing ID
18905 04/04/2007 15:09:33.310 SEV=5 IKE/35 RPT=133 10.0.0.2
Group [10.0.0.2]
Received remote IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
18908 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5366 10.0.0.2
Group [10.0.0.2]
Processing ID
18909 04/04/2007 15:09:33.310 SEV=5 IKE/34 RPT=233 10.0.0.2
Group [10.0.0.2]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.0.0, Mask 255.255.255.0, Protocol 0, Port 0
18912 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45729
QM IsRekeyed old sa not found by addr
18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
Group [10.0.0.2]
Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
18915 04/04/2007 15:09:33.310 SEV=4 IKEDBG/0 RPT=45730
QM FSM error (P2 struct &0x1e75390, mess id 0x83ab1615)!
18916 04/04/2007 15:09:33.310 SEV=7 IKEDBG/65 RPT=730 10.0.0.2
Group [10.0.0.2]
IKE QM Responder FSM error history (struct &0x1e75390)
<state>, <event>:
QM_DONE, EV_ERROR
QM_BLD_MSG2, EV_NEGO_SA
QM_BLD_MSG2, EV_IS_REKEY
QM_BLD_MSG2, EV_CONFIRM_SA
18921 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45731
sending delete/delete with reason message
18922 04/04/2007 15:09:33.310 SEV=6 IKE/0 RPT=822 10.0.0.2
Group [10.0.0.2]
Removing peer from correlator table failed, no match!
18923 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45732 10.0.0.2
Group [10.0.0.2]
IKE SA MM:5b0e34cb rcv'd Terminate: state MM_ACTIVE
flags 0x0001c042, refcnt 1, tuncnt 0
18926 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45733 10.0.0.2
Group [10.0.0.2]
IKE SA MM:5b0e34cb terminating:
flags 0x0101c002, refcnt 0, tuncnt 0
18928 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45734
sending delete/delete with reason message
18929 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45735 10.0.0.2
Group [10.0.0.2]
constructing blank hash
18930 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45736
constructing IKE delete payload
18931 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45737 10.0.0.2
Group [10.0.0.2]
constructing qm hash
18932 04/04/2007 15:09:33.320 SEV=8 IKEDBG/0 RPT=45738 10.0.0.2
SENDING Message (msgid=1d5c1587) with payloads :
HDR + HASH (8) + DELETE (12)
total length : 76
18934 04/04/2007 15:09:33.320 SEV=4 AUTH/23 RPT=176 10.0.0.2
User [10.0.0.2], Group [10.0.0.2] disconnected: duration: 0:00:00The error that sticks out to me is:
18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
Group [10.0.0.2]
Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
I do not know if this means policy on the Concentrator or the PIX, but I believe this is the cause. Below is my PIX 501 config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix3
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol h323 1718-1719
names
access-list 102 permit ip 192.168.15.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 102 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit icmp 192.168.15.0 255.255.255.0 192.168.15.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.240
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 102
crypto map newmap 10 set peer 10.1.0.1
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key myPSK address 10.1.0.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ssh 172.16.0.0 255.255.255.224 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
dhcpd address 192.168.15.10-192.168.15.20 inside
dhcpd dns 172.16.1.27 172.16.1.19
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80 -
Can't Connect to Pix 501 VPN on Network
Hi All,
I have a software VPN client that connects just fine to the PIX 501 VPN, but I cannot ping or telnet to any services on the LAN. Below is my config and results of show cry ipsec sa. I would appreciate any suggestions to fix this.
It's been a while since I have done this. When I check the DHCP address received from the VPN, the default gateway is missing. IIRC, that is normal. What is strange is that when I ping, Windows does not show any sent packets.
Thanks,
--Drichards38
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bgVy005CZTsaMOwR encrypted
passwd bgVy005CZTsaMOwR encrypted
hostname cisco
domain-name xxxxxx.biz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 1024-2048
fixup protocol ftp 49152-65534
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl-out permit tcp any interface outside eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq telnet
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 60990
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq echo
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any interface inside eq www
access-list acl_out permit tcp any interface inside eq ftp
access-list acl_out permit tcp any interface inside eq 3389
access-list acl_out permit tcp any interface inside eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 902
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.0.0.0
access-list split_tunnel_acl permit ip 10.0.0.0 255.0.0.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside aa.bb.cc.dd 255.255.255.240
ip address inside 192.168.93.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool low_vpn_pool 10.0.1.205-10.0.1.210
pdm location 172.16.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.93.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.67 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.68 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.69 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.70 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.71 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.72 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.73 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.74 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.75 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.76 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.77 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.78 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 aa.bb.cc.dd 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MY_VPN address-pool low_vpn_pool
vpngroup MY_VPN dns-server 4.2.2.1
vpngroup MY_VPN default-domain xxxxx.biz
vpngroup MY_VPN split-tunnel split_tunnel_acl
vpngroup MY_VPN idle-time 1800
vpngroup MY_VPN password ********
telnet 0.0.0.0 255.255.255.255 outside
telnet 192.168.93.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 192.168.93.230-192.168.93.240 inside
dhcpd dns ff.gg.hh.ii ff.gg.hh.ii
dhcpd lease 65536
dhcpd ping_timeout 750
dhcpd domain xxxxxx.biz
dhcpd auto_config outside
dhcpd enable inside
username xxxx password xxxxxxx encrypted privilege 15
cisco(config)# show cry ipsec sa
interface: outside
Crypto map tag: outside_map, local addr. aa.bb.cc.dd
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.205/255.255.255.255/0/0)
current_peer: jj.kk.ll.mm:1265
dynamic allocated peer ip: 10.0.1.205
PERMIT, flags={transport_parent,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 38, #pkts decrypt: 38, #pkts verify 38
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: aa.bb.cc.dd, remote crypto endpt.: 97.93.95.133
path mtu 1500, ipsec overhead 64, media mtu 1500
current outbound spi: 3a898e67
inbound esp sas:
spi: 0xeeb64931(4004923697)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 1, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607993/28610)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3a898e67(982093415)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4608000/28574)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:I just set the logging to high on all areas of the Cisco VPN client. Below is the resulting log. Everything looks ok from here:
Cisco Systems VPN Client Version 5.0.03.0530
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
29 09:57:02.887 09/03/12 Sev=Info/4 CM/0x63100002
Begin connection process
30 09:57:02.897 09/03/12 Sev=Info/4 CM/0x63100004
Establish secure connection
31 09:57:02.897 09/03/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "a.b.c.d"
32 09:57:02.907 09/03/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with a.b.c.d.
33 09:57:02.917 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to a.b.c.d
34 09:57:03.228 09/03/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
35 09:57:03.228 09/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
36 09:57:03.228 09/03/12 Sev=Info/6 IPSEC/0x6370002C
Sent 47 packets, 0 were fragmented.
37 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
38 09:57:03.979 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from a.b.c.d
39 09:57:04.039 09/03/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
40 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
41 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
42 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
43 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5
44 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
45 09:57:03.999 09/03/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
46 09:57:03.999 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to a.b.c.d
47 09:57:03.999 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
48 09:57:03.999 09/03/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0421, Remote Port = 0x1194
49 09:57:03.999 09/03/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
50 09:57:03.999 09/03/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
51 09:57:04.029 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
52 09:57:04.029 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) from a.b.c.d
53 09:57:04.029 09/03/12 Sev=Warning/2 IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:886)
54 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
55 09:57:04.039 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from a.b.c.d
56 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
57 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now
58 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
59 09:57:04.039 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
60 09:57:04.039 09/03/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
61 09:57:09.327 09/03/12 Sev=Info/4 CM/0x63100017
xAuth application returned
62 09:57:09.327 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
63 09:57:09.367 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
64 09:57:09.367 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
65 09:57:09.367 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
66 09:57:09.367 09/03/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
67 09:57:09.387 09/03/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
68 09:57:09.387 09/03/12 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
69 09:57:09.387 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
70 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
71 09:57:09.427 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
72 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.1.205
73 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 4.2.2.1
74 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = xxxx.biz
75 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
76 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 10.0.0.0
mask = 255.0.0.0
protocol = 0
src port = 0
dest port=0
77 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
78 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
79 09:57:09.427 09/03/12 Sev=Info/4 CM/0x63100019
Mode Config data received
80 09:57:09.427 09/03/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.0.1.205, GW IP = a.b.c.d, Remote IP = 0.0.0.0
81 09:57:09.437 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to a.b.c.d
82 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
83 09:57:09.477 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from a.b.c.d
84 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
85 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000046
RESPONDER-LIFETIME notify has value of 4608000 kb
86 09:57:09.477 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to a.b.c.d
87 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=D70550E6 OUTBOUND SPI = 0xB335C6DA INBOUND SPI = 0xE99E1A59)
88 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xB335C6DA
89 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xE99E1A59
90 09:57:09.527 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 172.16.0.11 0.0.0.0 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
91 09:57:10.448 09/03/12 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.0.1.205/255.0.0.0
DNS=4.2.2.1,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=xxxx.biz
Split DNS Names=
92 09:57:10.458 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
10.0.0.0 255.0.0.0 10.0.1.205 10.0.1.205 25
10.0.1.205 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 10.0.1.205 10.0.1.205 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 10.0.1.205 0.0.0.0 1
255.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
93 09:57:10.458 09/03/12 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
94 09:57:10.458 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
10.0.0.0 255.0.0.0 10.0.1.205 10.0.1.205 1
10.0.1.205 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 25
a.b.c.d 255.255.255.255 172.16.0.1 172.16.0.11 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.1 255.255.255.255 172.16.0.11 172.16.0.11 1
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 10.0.1.205 10.0.1.205 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 10.0.1.205 0.0.0.0 1
255.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
95 09:57:10.458 09/03/12 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
96 09:57:10.508 09/03/12 Sev=Info/4 CM/0x6310001A
One secure connection established
97 09:57:10.618 09/03/12 Sev=Info/4 CM/0x6310003B
Address watch added for 172.16.0.11. Current hostname: toughone, Current address(es): 10.0.1.205, 172.16.0.11.
98 09:57:10.638 09/03/12 Sev=Info/4 CM/0x6310003B
Address watch added for 10.0.1.205. Current hostname: toughone, Current address(es): 10.0.1.205, 172.16.0.11.
99 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
100 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
101 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xdac635b3 into key list
102 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
103 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x591a9ee9 into key list
104 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.0.1.205
105 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 172.16.0.11. SG: a.b.c.d
106 09:57:10.638 09/03/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
107 09:57:19.741 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
108 09:57:19.741 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445672
109 09:57:19.772 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
110 09:57:19.772 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
111 09:57:19.772 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445672, seq# expected = 3951445672
112 09:57:30.257 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
113 09:57:30.257 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445673
114 09:57:30.297 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
115 09:57:30.297 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
116 09:57:30.297 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445673, seq# expected = 3951445673
117 09:57:40.772 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
118 09:57:40.772 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445674
119 09:57:40.802 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
120 09:57:40.802 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
121 09:57:40.802 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445674, seq# expected = 3951445674
122 09:57:54.291 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
123 09:58:04.306 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
124 09:58:14.320 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
125 09:58:24.334 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
126 09:58:34.349 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
127 09:58:41.359 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
128 09:58:41.359 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445675
129 09:58:41.389 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
130 09:58:41.389 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
131 09:58:41.389 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445675, seq# expected = 3951445675
132 09:58:54.378 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
133 09:59:04.392 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
134 09:59:14.406 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
135 09:59:24.421 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
136 09:59:34.435 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
137 09:59:41.946 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
138 09:59:41.946 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445676
139 09:59:41.976 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
140 09:59:41.976 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
141 09:59:41.976 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445676, seq# expected = 3951445676
142 09:59:54.464 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA -
Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access
Hello folks,
I need your help.
We got a Cisco PIX 501 in one location and this pix is configured for pppoe dial out. The pix connects itself to the internet via pppoe client. ping to an offical ip is running well.
So what I want to do is to establish a von tunnel between this pix and a cisco 3005 concentrator.
But I was not successull to establish it.
Here is the pix config. the acl?s are only for testing and will be replaced if it works.
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname PIX-AU
domain-name araukraine.ua
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
mtu outside 1456
mtu inside 1456
ip address outside pppoe setroute
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.x.x 255.255.255.224 inside
pdm logging warnings 500
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.x.x 255.255.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.x.x 255.255.x.x inside
telnet timeout 5
ssh 194.39.97.0 255.255.255.0 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *********
encrypted privilege 15
vpnclient server 212.xx.xx.xx
vpnclient mode network-extension-mode
vpnclient vpngroup vpntest password ********
vpnclient username pixtest password ********
terminal width 80
on the concentrator I created a user pixtest, a group vpntest and I?ve created rules for the network e.g. to which server the users behind the pix will be able to access.
And that?s all.
I could not send you the output either of the pix or concentrator because I did not get an error or a message that the tunnel will be established.
What can be wrong ?
Thanks for the repliesThis sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml -
PIX 501 VPN HELP NO NETWORK ACCESS!
I need some help please..
I am trying to connect Windows 7 VPN to L2TP access on the PIX 501. I know that PIX 501 doesn't allow MSCHAP v2. The VPN connects fine but when trying to access the local network and shared drives remote desktop I am not able to connect. I already I have the IPV4 / IPV6 IP Settings on the VPN for use default gateway on remote network unchecked. Can you please help me configure this correctly if I am configuring incorrectly.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd ANRIhDDsTteQmCkO encrypted
hostname pixfirewall
domain-name controller.hopto.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out2in permit tcp any interface outside eq www
access-list out2in permit tcp any interface outside eq https
access-list out2in permit tcp any interface outside eq 3074
access-list out2in permit udp any interface outside eq 88
access-list out2in permit udp any interface outside eq 3074
access-list out2in permit udp any interface outside eq domain
access-list out2in permit tcp any interface outside eq domain
access-list out2in permit udp any interface outside eq 1701
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.17.130.0 255.255.255.192
access-list vpn-cryptomap permit ip any 172.17.130.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging standby
logging buffered informational
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool l2tp-pool 172.17.130.1-172.17.130.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.33 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.168.1.30 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.1.30 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3074 192.168.1.30 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3074 192.168.1.30 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 88 192.168.1.30 88 netmask 255.255.255.255 0 0
access-group out2in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set cisco-l2tp esp-3des esp-sha-hmac
crypto ipsec transform-set cisco-l2tp mode transport
crypto dynamic-map l2tp 30 set transform-set cisco-l2tp
crypto map dmu 30 ipsec-isakmp dynamic l2tp
crypto map dmu interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication pap
vpdn group 2 client configuration address local l2tp-pool
vpdn group 2 client authentication local
vpdn group 2 l2tp tunnel hello 60
vpdn username Brandon password *********
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 4.2.2.1 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username Brandon password PX78ZeD.LCbQntqy encrypted privilege 15
terminal width 80
Cryptochecksum:6e43dff6ef4837997276c092f9204707
: end
Thanks,
BrandonYes, you can modify it.
By the way, here is a good link about MS:
Troubleshooting Microsoft Network Neighborhood After Establishing a VPN Tunnel With the Cisco VPN Client
HTH.
Portu. -
Can any one please advise me I am trying to set up a VPN on my PIX 501 and for some reason it is not working. I have posted the scrips below. If someone can advise me what I need to change that would be great.
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password P@55w0rd! encrypted
passwd P@55w0rd! encrypted
hostname CFSLXAKALAZ
domain-name akademic.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 VPN
object-group service RemoteDesktop tcp
port-object range 3389 3389
access-list inside_access_in remark Allow all outbound UDP port 53 for DNS
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in remark Allow ping to any external IP
access-list inside_access_in permit icmp any any
access-list inside_access_in remark Allow all outbound TCP connections
access-list inside_access_in permit tcp any any
access-list outside_access_in remark Allow external DNS via UDP
access-list outside_access_in permit udp any eq domain any
access-list outside_access_in remark Allow ping from outside to inside
access-list outside_access_in permit icmp any any
access-list outside_access_in remark Remote Desktop to any internal IP
access-list outside_access_in permit tcp any any object-group RemoteDesktop
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.20.58.30 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool donkpool 192.168.2.50-192.168.2.60
pdm location 10.20.58.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.20.58.1 1
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.20.58.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
vpngroup donk address-pool donkpool
vpngroup donk idle-time 1800
vpngroup donk password P@55w0rd!
telnet 10.20.58.30 255.255.255.0 outside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 10.20.58.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.128-192.168.2.252 inside
dhcpd dns 158.152.1.58
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
terminal width 80You are missing a lot of config, depending on what type of vpn you are trying to setup please follow the links below to complete it:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html -
Pix 501 Port Redirection with outside Dyn IP for DVR
Hi,
I have a pix 501 6.3 version soft. I need to access my cameras from the net. the camera address is 192.168.1.60:1042
my ISP outside is dynamic.
The following is my config, please let me know what is wrong with it.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bJT00RrZ7Q9S5J1B
encrypted
passwd bJT00RrZ7Q9S5J1B encrypted
hostname Haiyai
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit tcp any
interface outside eq 1042
access-list outside deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1
255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface
1042 192.168.1.60 1042 netmask 255.255.255.255 0 0
access-group outside in interface
outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed
0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip
0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00
sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts
3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33
inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:57847b305111572396f1ae0410e54f7e
: end
Thanks
MorganMorgan,
Your config is perfectly fin. You have your PAT static and opened the ACL for that port
access-list outside permit tcp any interface outside eq 1042access-lis outside deny ip any anystatic (inside,outside) tcp interface 1042 192.168.1.60 1042 netmask 255.255.255.255 0 0access-group outside in interface outside
The issue is somewhere else. When you try to connect check the conn through the PIX "sh conn | i 192.168.1.60", and you should see the conn.Check if the camera needs more ports to open and what the PIX logs show.
I hope it helps.
PK -
Use PIX 501 to access internet, how to?
I have this PIX501 box and this is what I want to do:
Outside: connect it to a DSL modem (yahoo/ATT SpeedStream 5100). Use DHCP
Inside: connect to one or two PCs. Use static IP. The PIX box's inside IP: 192.168.1.1
The Yahoo's DNS server IP: 192.168.0.1
Could anybody provide a script to make this happen, so that I can run it on the pix.
Long story, short, when first bought it, the Cisco provided some tech support, somehow, they make it working. Now I am out of the support. I made all the reasonable efforts, but still can not make it working (access to the internet), even after I reset it to the factory's default setting.
Thanks for any help.
ScottI have exactly that setup, including a PIX 501.
First, reset the PIX to factory default.
Your path of least resistance would be to connect everything to where it's supposed to be connected.
From one of the inside PCs, aim a web browser at the PIX (You should have gotten a DHCP address from the PIX, the inside is a DHCP server by default). If you do an "IPCONFIG / ALL" on the PC from a DOS box, the address listed as "Default Gateway" is the address of the inside interface of the PIX.
Using your browser should bring up "PDM" (PIX device Manager). The default username and password is cisco/Cisco (note the capital "C")
Once you get PDM up, all you really need to do is configure the outside interface as PPPoE, and provide the Yahoo username & password (usually the same as your Yahoo email password). If you don't recall your username & password, go to the http://help.sbcglobal.com website and do an automated password reset
*** NOTE *** THIS WILL CHANGE THE PASSWORD OF EVERY SERVICE YOU ACCESS - EMAIL, ACCOUNT ACCESS, EVERYTHING!!!!!!!!!
Don't forget to save the config once you get it working.
By default, the PIX 501 is set up to be a DHCP client on the WAN interface, a DHCP server on the inside, and to pass the WAN parameters for DNS, Default Gateway, etc to the inside clients.
Once you've got the Outside interface correctly config'd for PPPoE, it should come up & be working.
Good Luck
Scott -
Amazon S3 Backup with Cisco PIX 501 Router - slowww
We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office. We are using a Synology NAS to backup to Amazon s3, and we use a Cisco PIX 501 to secure our network. The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue. After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down. I was told the upload should happen over HTTP and HTTPS, and I made sure these ports where open through the Access Rules. There are no rules defined in the Filter Settings.
I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening? I'm not too familiar with the PIX or all the network settings involved.
Thanks!Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here:
- Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
THANKS -
Able to ping PIX 501 but not SNMP
i'm able to ping the outside interface of our PIX 501 but i'm not able to get any SNMP stats. i'm sure the PIX is config-ed alittle too tightly.
i'm not the one who set it up so i'm don't know which command will loosen it up.
Thanks
here is the config for reference:
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password yRWxZrM.WqHNW5QV encrypted
passwd 6xrNSBzsamLXqLkj encrypted
hostname KWCH-statefair
domain-name themeganet.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 102 permit ip 10.30.6.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 102 permit ip 10.30.6.0 255.255.255.0 10.200.0.0 255.255.0.0
access-list 103 permit ip 10.30.6.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 103 permit ip 10.30.6.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.40.0 255.255.248.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.16.0 255.255.248.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.24.0 255.255.248.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.31.40.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1400
mtu inside 1500
ip address outside 68.99.115.199 255.255.255.224
ip address inside 10.30.6.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 103
nat (inside) 1 10.30.6.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 68.99.115.193 1
route outside 207.243.40.7 255.255.255.255 70.165.98.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.30.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community hiway
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map toRichmond 5 ipsec-isakmp
crypto map toRichmond 5 match address 101
crypto map toRichmond 5 set peer 64.148.165.242
crypto map toRichmond 5 set transform-set strong
crypto map toRichmond 10 ipsec-isakmp
crypto map toRichmond 10 match address 102
crypto map toRichmond 10 set peer 12.5.1.200
crypto map toRichmond 10 set transform-set strong
crypto map toRichmond interface outside
isakmp enable outside
isakmp key ******** address 12.5.1.200 netmask 255.255.255.255
isakmp key ******** address 64.148.165.242 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 500 60
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet 64.148.165.242 255.255.255.255 outside
telnet 172.16.0.0 255.255.0.0 inside
telnet 10.30.6.0 255.255.255.0 inside
telnet 10.30.40.0 255.255.248.0 inside
telnet timeout 5
ssh 207.243.40.7 255.255.255.255 outside
ssh 66.136.242.129 255.255.255.255 outside
ssh 10.30.6.0 255.255.255.0 inside
ssh 10.200.24.0 255.255.248.0 inside
ssh 10.30.40.0 255.255.248.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.30.6.1-10.30.6.32 inside
dhcpd dns 10.30.47.4 10.30.47.7
dhcpd wins 10.30.47.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain kbsad.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:f0cc1b0a4205617b2b0bdb70b2a84c5aYou need to configure a location that is allowed to query SNMP. Here's an example-
snmp-server host inside 172.16.210.252 poll
This will allow the host 172.16.210.252 to access SNMP on the PIX.
Hope that helps.
Maybe you are looking for
-
Vendor line item display -effective exchange rate showing inverse
Dear All, We are using direct quote. In vendor line item display FBL1N . effective exchange rate field showing inverse for all currencies except USD. Issue: Rates are maintained in Direct quote then why in FBL1N its showing Indirect quote, but in hea
-
Problem in Many-to-Many Associations (JBO-27014 error)
I am facing a problem during insertion in an Intersection table. I have 3 tables Customer, Accounts and Customer_Account. In order to implement the Many to Many relationship between Customer and Accounts, I created an intersection table Customer_Acco
-
Hi all, I did a client copy in ECC IDES with client 800 as source client.As per the logs , copy is successful.The profile usedf is SAP_ALL.After the copy we logged into the new client which was created and it looked good. Checked the Logs in SCC3 an
-
PS CC: new features unavailable
Hi there. A pretty weird thing: I have managed after some unsuccessful update attempts to update from PS CS6 to PS CC. I checked that I now have PS Extended (did not have that version before) and that the version number is 13.1.2. I cannot find the n
-
can anyone help me with this. as a result I can't load any apps..