PIX 501 route outside command
All,
I have a friend trying to configure an existing PIX. They needed to change IP addresses due to ISP switch. Config was very basic but whenever he puts in the route outside command the PIX seems to take it but then he is saying it is disappearing when he checks the config. Does anyone have any ideas what this could be? He only changed outside IP address, a static translation
All replies rated. Thanks in advance!
Hi Angel,
My assumption is that you have a speed issue between the outside interface of the PIX and the new ISP equipment.
You have statically set the outside interface "interface ethernet0 10baset"
Please post :
show int e0
PS : nice software version 6.2
Regards
Dan
Similar Messages
-
Amazon S3 Backup with Cisco PIX 501 Router - slowww
We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office. We are using a Synology NAS to backup to Amazon s3, and we use a Cisco PIX 501 to secure our network. The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue. After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down. I was told the upload should happen over HTTP and HTTPS, and I made sure these ports where open through the Access Rules. There are no rules defined in the Filter Settings.
I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening? I'm not too familiar with the PIX or all the network settings involved.
Thanks!Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here:
- Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
THANKS -
PIX 501 - Configure Alternative Route Outside on PIX's ATM2
Hello to all
i am trying to add a line to allow the PIX to use an alternative ADSL Line when the first goes down
Is it enought that i put a new line like this?
currentt route outside: route outside 0.0.0.0 0.0.0.0 89.xxx.xxx.33
new line i'll add: route outside 0.0.0.0 0.0.0.0 2.yyy.yyy.102
Obviously i'll plug the new router an the ATM 2 port of the PIX.
Consider that i have ths NAT inside rule
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
As usual thanks in advance for your answers.
StefanoHello Stefano,
You are looking for Sla Monitor on the PIX/ASA:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Let me know if you have any question.
Regards,
Felipe. -
PIX 501 and Linksys VPN Router (WRV200)
I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Router on two other
sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
I believe the Linksys vpn routers can only connect via IPSec VPN, so i am looking for help on configuring the PIX 501 to allow the linksys to connect with the following parameters, if possible.
Key Exchange Method: Auto (IKE)
Encryption: Auto, 3DES, AES128, AES192, AES256
Authentication: MD5
Pre-Shared Key: xxx
PFS: Enabled/Disabled
ISAKMP Key Lifetime: 28800
IPSec Key Lifetime: 3600
On the PIX i have the PDM installed and i have tried using the VPN Wizard to no avail.
I chose the following settings when doing the VPN Wizard:
Type of VPN: Remote Access VPN
Interface: Outside
Type of VPN Client Device used: Cisco VPN Client
(can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
VPN Client Group
Group Name: RabyEstates
Pre Shared Key: rabytest
Extended Client Authentication: Disabled
Address Pool
Pool Name: VPN-LAN
Range Start: 192.168.2.200
Range End: 192.168.2.250
DNS/WINS/Default Domain: None
IKE Policy
Encryption: 3DES
Authentication: MD5
DH Group: Group 2 (1024-bit)
Transform Set
Encryption: 3DES
Authentication: MD5
I have attached the VPN log from the Linksys VPN Router.
This is the first time i've ever worked with PIX so i'm still trying to figure the thing out, but i'm confident with CCNA level networking.
Thanks for your help!Hi again,
I believe the pix has a 3des license because of the following parts of the "show version"
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
This PIX has a Restricted (R) license.
I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
As for the other show commands they give:
pixfirewall# show crypto isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
pixfirewall# show crypto ipsec sa
interface: outside
Crypto map tag: transam, local addr. 10.0.0.1
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 10.0.0.2:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
pixfirewall#
Thanks again Daniel, i really appreciate your help on this matter. -
Need help, VPN between 1841 router & PIX 501
Trying to setup a VPN between an 1841 router at HQ with static IP connecting to remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped PIX MAC this IP so I always get same public IP even on equip reboot). I have configured both sides but tunnel will not come up, must be missing something.
See attached configs.
THANK YOU!Sorry.
interface: outside
Crypto map tag: IPSEC, local addr. 12.206.137.5
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
current_peer: 216.203.117.82:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 659, #pkts encrypt: 659, #pkts digest 659
#pkts decaps: 462, #pkts decrypt: 462, #pkts verify 462
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 124, #recv errors 0
local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 793ff99e
inbound esp sas:
spi: 0xcbd5b096(3419779222)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: IPSEC
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x793ff99e(2034235806)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607996/1929)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
current_peer: 216.203.117.82:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
#pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: c6d3ea5c
inbound esp sas:
spi: 0x55d659c5(1440111045)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607097/1917)
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xc6d3ea5c(3335776860)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607743/1890)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas: -
Pix 501 Port Redirection with outside Dyn IP for DVR
Hi,
I have a pix 501 6.3 version soft. I need to access my cameras from the net. the camera address is 192.168.1.60:1042
my ISP outside is dynamic.
The following is my config, please let me know what is wrong with it.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bJT00RrZ7Q9S5J1B
encrypted
passwd bJT00RrZ7Q9S5J1B encrypted
hostname Haiyai
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit tcp any
interface outside eq 1042
access-list outside deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1
255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface
1042 192.168.1.60 1042 netmask 255.255.255.255 0 0
access-group outside in interface
outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed
0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip
0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00
sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts
3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33
inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:57847b305111572396f1ae0410e54f7e
: end
Thanks
MorganMorgan,
Your config is perfectly fin. You have your PAT static and opened the ACL for that port
access-list outside permit tcp any interface outside eq 1042access-lis outside deny ip any anystatic (inside,outside) tcp interface 1042 192.168.1.60 1042 netmask 255.255.255.255 0 0access-group outside in interface outside
The issue is somewhere else. When you try to connect check the conn through the PIX "sh conn | i 192.168.1.60", and you should see the conn.Check if the camera needs more ports to open and what the PIX logs show.
I hope it helps.
PK -
Can't Connect to Pix 501 VPN on Network
Hi All,
I have a software VPN client that connects just fine to the PIX 501 VPN, but I cannot ping or telnet to any services on the LAN. Below is my config and results of show cry ipsec sa. I would appreciate any suggestions to fix this.
It's been a while since I have done this. When I check the DHCP address received from the VPN, the default gateway is missing. IIRC, that is normal. What is strange is that when I ping, Windows does not show any sent packets.
Thanks,
--Drichards38
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bgVy005CZTsaMOwR encrypted
passwd bgVy005CZTsaMOwR encrypted
hostname cisco
domain-name xxxxxx.biz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 1024-2048
fixup protocol ftp 49152-65534
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl-out permit tcp any interface outside eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq telnet
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 60990
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq echo
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any interface inside eq www
access-list acl_out permit tcp any interface inside eq ftp
access-list acl_out permit tcp any interface inside eq 3389
access-list acl_out permit tcp any interface inside eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 902
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.0.0.0
access-list split_tunnel_acl permit ip 10.0.0.0 255.0.0.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside aa.bb.cc.dd 255.255.255.240
ip address inside 192.168.93.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool low_vpn_pool 10.0.1.205-10.0.1.210
pdm location 172.16.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.93.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.67 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.68 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.69 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.70 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.71 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.72 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.73 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.74 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.75 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.76 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.77 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.78 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 aa.bb.cc.dd 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MY_VPN address-pool low_vpn_pool
vpngroup MY_VPN dns-server 4.2.2.1
vpngroup MY_VPN default-domain xxxxx.biz
vpngroup MY_VPN split-tunnel split_tunnel_acl
vpngroup MY_VPN idle-time 1800
vpngroup MY_VPN password ********
telnet 0.0.0.0 255.255.255.255 outside
telnet 192.168.93.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 192.168.93.230-192.168.93.240 inside
dhcpd dns ff.gg.hh.ii ff.gg.hh.ii
dhcpd lease 65536
dhcpd ping_timeout 750
dhcpd domain xxxxxx.biz
dhcpd auto_config outside
dhcpd enable inside
username xxxx password xxxxxxx encrypted privilege 15
cisco(config)# show cry ipsec sa
interface: outside
Crypto map tag: outside_map, local addr. aa.bb.cc.dd
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.205/255.255.255.255/0/0)
current_peer: jj.kk.ll.mm:1265
dynamic allocated peer ip: 10.0.1.205
PERMIT, flags={transport_parent,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 38, #pkts decrypt: 38, #pkts verify 38
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: aa.bb.cc.dd, remote crypto endpt.: 97.93.95.133
path mtu 1500, ipsec overhead 64, media mtu 1500
current outbound spi: 3a898e67
inbound esp sas:
spi: 0xeeb64931(4004923697)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 1, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607993/28610)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3a898e67(982093415)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4608000/28574)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:I just set the logging to high on all areas of the Cisco VPN client. Below is the resulting log. Everything looks ok from here:
Cisco Systems VPN Client Version 5.0.03.0530
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
29 09:57:02.887 09/03/12 Sev=Info/4 CM/0x63100002
Begin connection process
30 09:57:02.897 09/03/12 Sev=Info/4 CM/0x63100004
Establish secure connection
31 09:57:02.897 09/03/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "a.b.c.d"
32 09:57:02.907 09/03/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with a.b.c.d.
33 09:57:02.917 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to a.b.c.d
34 09:57:03.228 09/03/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
35 09:57:03.228 09/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
36 09:57:03.228 09/03/12 Sev=Info/6 IPSEC/0x6370002C
Sent 47 packets, 0 were fragmented.
37 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
38 09:57:03.979 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from a.b.c.d
39 09:57:04.039 09/03/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
40 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
41 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
42 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
43 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5
44 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
45 09:57:03.999 09/03/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
46 09:57:03.999 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to a.b.c.d
47 09:57:03.999 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
48 09:57:03.999 09/03/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0421, Remote Port = 0x1194
49 09:57:03.999 09/03/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
50 09:57:03.999 09/03/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
51 09:57:04.029 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
52 09:57:04.029 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) from a.b.c.d
53 09:57:04.029 09/03/12 Sev=Warning/2 IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:886)
54 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
55 09:57:04.039 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from a.b.c.d
56 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
57 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now
58 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
59 09:57:04.039 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
60 09:57:04.039 09/03/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
61 09:57:09.327 09/03/12 Sev=Info/4 CM/0x63100017
xAuth application returned
62 09:57:09.327 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
63 09:57:09.367 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
64 09:57:09.367 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
65 09:57:09.367 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
66 09:57:09.367 09/03/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
67 09:57:09.387 09/03/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
68 09:57:09.387 09/03/12 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
69 09:57:09.387 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
70 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
71 09:57:09.427 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
72 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.1.205
73 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 4.2.2.1
74 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = xxxx.biz
75 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
76 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 10.0.0.0
mask = 255.0.0.0
protocol = 0
src port = 0
dest port=0
77 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
78 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
79 09:57:09.427 09/03/12 Sev=Info/4 CM/0x63100019
Mode Config data received
80 09:57:09.427 09/03/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.0.1.205, GW IP = a.b.c.d, Remote IP = 0.0.0.0
81 09:57:09.437 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to a.b.c.d
82 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
83 09:57:09.477 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from a.b.c.d
84 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
85 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000046
RESPONDER-LIFETIME notify has value of 4608000 kb
86 09:57:09.477 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to a.b.c.d
87 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=D70550E6 OUTBOUND SPI = 0xB335C6DA INBOUND SPI = 0xE99E1A59)
88 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xB335C6DA
89 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xE99E1A59
90 09:57:09.527 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 172.16.0.11 0.0.0.0 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
91 09:57:10.448 09/03/12 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.0.1.205/255.0.0.0
DNS=4.2.2.1,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=xxxx.biz
Split DNS Names=
92 09:57:10.458 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
10.0.0.0 255.0.0.0 10.0.1.205 10.0.1.205 25
10.0.1.205 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 10.0.1.205 10.0.1.205 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 10.0.1.205 0.0.0.0 1
255.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
93 09:57:10.458 09/03/12 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
94 09:57:10.458 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
10.0.0.0 255.0.0.0 10.0.1.205 10.0.1.205 1
10.0.1.205 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 25
a.b.c.d 255.255.255.255 172.16.0.1 172.16.0.11 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.1 255.255.255.255 172.16.0.11 172.16.0.11 1
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 10.0.1.205 10.0.1.205 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 10.0.1.205 0.0.0.0 1
255.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
95 09:57:10.458 09/03/12 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
96 09:57:10.508 09/03/12 Sev=Info/4 CM/0x6310001A
One secure connection established
97 09:57:10.618 09/03/12 Sev=Info/4 CM/0x6310003B
Address watch added for 172.16.0.11. Current hostname: toughone, Current address(es): 10.0.1.205, 172.16.0.11.
98 09:57:10.638 09/03/12 Sev=Info/4 CM/0x6310003B
Address watch added for 10.0.1.205. Current hostname: toughone, Current address(es): 10.0.1.205, 172.16.0.11.
99 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
100 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
101 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xdac635b3 into key list
102 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
103 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x591a9ee9 into key list
104 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.0.1.205
105 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 172.16.0.11. SG: a.b.c.d
106 09:57:10.638 09/03/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
107 09:57:19.741 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
108 09:57:19.741 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445672
109 09:57:19.772 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
110 09:57:19.772 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
111 09:57:19.772 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445672, seq# expected = 3951445672
112 09:57:30.257 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
113 09:57:30.257 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445673
114 09:57:30.297 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
115 09:57:30.297 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
116 09:57:30.297 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445673, seq# expected = 3951445673
117 09:57:40.772 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
118 09:57:40.772 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445674
119 09:57:40.802 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
120 09:57:40.802 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
121 09:57:40.802 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445674, seq# expected = 3951445674
122 09:57:54.291 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
123 09:58:04.306 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
124 09:58:14.320 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
125 09:58:24.334 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
126 09:58:34.349 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
127 09:58:41.359 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
128 09:58:41.359 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445675
129 09:58:41.389 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
130 09:58:41.389 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
131 09:58:41.389 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445675, seq# expected = 3951445675
132 09:58:54.378 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
133 09:59:04.392 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
134 09:59:14.406 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
135 09:59:24.421 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
136 09:59:34.435 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
137 09:59:41.946 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
138 09:59:41.946 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445676
139 09:59:41.976 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
140 09:59:41.976 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
141 09:59:41.976 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445676, seq# expected = 3951445676
142 09:59:54.464 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA -
Able to ping PIX 501 but not SNMP
i'm able to ping the outside interface of our PIX 501 but i'm not able to get any SNMP stats. i'm sure the PIX is config-ed alittle too tightly.
i'm not the one who set it up so i'm don't know which command will loosen it up.
Thanks
here is the config for reference:
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password yRWxZrM.WqHNW5QV encrypted
passwd 6xrNSBzsamLXqLkj encrypted
hostname KWCH-statefair
domain-name themeganet.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 102 permit ip 10.30.6.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 102 permit ip 10.30.6.0 255.255.255.0 10.200.0.0 255.255.0.0
access-list 103 permit ip 10.30.6.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 103 permit ip 10.30.6.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.40.0 255.255.248.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.16.0 255.255.248.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.24.0 255.255.248.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.31.40.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1400
mtu inside 1500
ip address outside 68.99.115.199 255.255.255.224
ip address inside 10.30.6.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 103
nat (inside) 1 10.30.6.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 68.99.115.193 1
route outside 207.243.40.7 255.255.255.255 70.165.98.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.30.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community hiway
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map toRichmond 5 ipsec-isakmp
crypto map toRichmond 5 match address 101
crypto map toRichmond 5 set peer 64.148.165.242
crypto map toRichmond 5 set transform-set strong
crypto map toRichmond 10 ipsec-isakmp
crypto map toRichmond 10 match address 102
crypto map toRichmond 10 set peer 12.5.1.200
crypto map toRichmond 10 set transform-set strong
crypto map toRichmond interface outside
isakmp enable outside
isakmp key ******** address 12.5.1.200 netmask 255.255.255.255
isakmp key ******** address 64.148.165.242 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 500 60
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet 64.148.165.242 255.255.255.255 outside
telnet 172.16.0.0 255.255.0.0 inside
telnet 10.30.6.0 255.255.255.0 inside
telnet 10.30.40.0 255.255.248.0 inside
telnet timeout 5
ssh 207.243.40.7 255.255.255.255 outside
ssh 66.136.242.129 255.255.255.255 outside
ssh 10.30.6.0 255.255.255.0 inside
ssh 10.200.24.0 255.255.248.0 inside
ssh 10.30.40.0 255.255.248.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.30.6.1-10.30.6.32 inside
dhcpd dns 10.30.47.4 10.30.47.7
dhcpd wins 10.30.47.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain kbsad.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:f0cc1b0a4205617b2b0bdb70b2a84c5aYou need to configure a location that is allowed to query SNMP. Here's an example-
snmp-server host inside 172.16.210.252 poll
This will allow the host 172.16.210.252 to access SNMP on the PIX.
Hope that helps. -
PIX 501 PPPoE problems.
I have a Zoom adsl modem setup to accept PPPoE connections. We have verified this with two other, non-cisco devices, and it works.
I have configured the outside interface to connect via PPPoE to the router from within the PDM.
I have set this up with the known correct username and password, and with PAP authentication.
I have captured a debug with the following commands "debug pppoe packet", "debug pppoe error" and "debug pppoe event" and have attached it as file pppoedebug.txt.
"show ip address outside pppoe" gives:
PPPoE session has not been established yet.
I have also attached a running config of the PIX.
If anyone could take a quick look and see if my PIX config appears fine i'd much appreciate it.
I am very new to working with PIX, i'm used to working with IOS.
Thanks for your help.
DavidI've upgraded to version 6.3(5) as opposed to 6.3(3) but i still get the same error. You say there might be a bug in 6.3 so me going to 6.3(5) wouldnt have made a difference anyways?
Due to the PIX 501 having Total Memory (16mb) and flash (8mb) I cant upgrade to 7.x. And i really wouldnt want to downgrade to 6.2, but i guess that's worth a try, to see if it really is an firmware fault.
Is there anything else you fine people could suggest?
Thanks for your help.
David. -
Hi, I've had this 501 for several months now and really stuggled to get the client VPN side working.
I can get site to site working with no problems using the wizard but the Client VPN never works.
Latest i've set it up for pptp which I can get the client to connect with no problems but fails to get any traffic from the pix - I can however ping the remote PC from a PC behind the PIX.
I'm setting these up by the PDM buy i've attached a copy of the config anyway.
Best,
ChrisHi Kamal.
It didnt like the command
nat (inside) 0 access0list nonat
I can attach via Cisco VPN Client but the same occurs - I can ping the remote from the network - but not the other way round.
Config attached. - Best, Chris
: Written by enable_15 at 02:14:05.990 UTC Mon Feb 12 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240
access-list split permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.x.146.72 255.255.x.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.10.10.1-10.10.10.10
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.x.249.x.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool vpnpool
vpngroup vpn dns-server 192.168.1.1
vpngroup vpn idle-time 1800
vpngroup vpn password 634083
vpngroup VPNclient split-tunnel split
vpngroup VPNclient idle-time 1800
vpngroup VPNclient password ******
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 89.238.129.211
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username chris password 9DgK/T8KJkq.BhX6 encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end -
I'm about to use a new PIX 501 firewall.
I've attached the configuration I intend to use.
I simply need to allow all outbound traffic, and allow inbound traffic only on specific IPs/ports to specific IPs/ports as in the "static" commands
Do you think this config will work?
Any recommendations?
Thanks in advance
interface ethernet0 10baset
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bla1 encrypted
passwd bla2 encrypted
hostname F-PHL-01
domain-name abc.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 100
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.51.34 255.255.255.224
ip address inside 192.168.21.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.51.35-xx.xx.51.62 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.xx.51.39 80 192.168.21.39 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.40 80 192.168.21.40 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.41 80 192.168.21.41 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.42 80 192.168.21.42 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.43 80 192.168.21.43 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.47 80 192.168.21.47 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.48 80 192.168.21.48 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.48 443 192.168.21.48 443 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.48 53 192.168.21.48 53 netmask 255.255.255.255
static (inside,outside) udp xx.xx.51.48 53 192.168.21.48 53 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.49 80 192.168.21.49 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.50 80 192.168.21.50 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.53 80 192.168.21.53 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.54 80 192.168.21.54 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.61 80 192.168.21.61 80 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.51.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.21.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
telnet 192.168.21.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:bla3Hi,
PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesnt support even close to new software levels.
If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
Here is a PDF of the original ASA5500 Series.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
Here is a PDF of the new ASA5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I am afraid that its very hard for me atleast to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
Could you provide the requested outputs?
From the PIX after connection test
show crypto ipsec sa
Screen captures of the VPN Client routing and statistics sections.
- Jouni -
Problem with VPN by ASA 5505 and PIX 501
Hi
I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
When i configure the ASA i have this problem, when i configure nat for easy vpn.
This is my nat configuration:
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 0.0.0.0 0.0.0.0 outside
when i put this command:
nat (inside) 0 access-list no-nat
this command is necessary for configuration of easy vpn, but the previous nat:
nat (inside) 0 access-list 100
is replace with the latest command.To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
For regular dynamic NAT:
nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
For policy dynamic NAT and NAT exemption:
nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq] -
Remote access VPN issues using Pix 501
We have taken over a network where there was little to no documentation. I have a remote access VPN terminated on a Pix 501 that is having a connectivity issue. I can connect using Cisco VPN Client. There is a server on the inside network that is used for mail etc. It has an IP of 192.168.0.4. I cannot ping it from my VPN session but from the Pix itself, I can ping it. There are different source IP's as the IP pool for the VPN session is 172.16.x.x and the inside network is 192.168.x.x. I can ping other hosts on the same inside network that are in the ARP table of the Pix. I have attached the configuration of the Pix 501. After researching, I cannot figure out what the issue is. I was assuming it was the route inside 172.16.x.x was set incorrectly but I can ping some hosts on the 192.168.x.x network. Thanks
Aru,
Hi. Thanks for responding. I did try and remove that route inside command and I still could not ping the server. I also tried removing those static translations and did a clear xlate but still no luck. This one has me puzzled. Especially since I can ping other hosts on that network and also ping the server but only from the Pix. The source on the Pix would be different 192.168.0.x than when I am connected using the VPN 172.16.1.x. That is the biggest difference. If it was routing, I would assume I could not ping any host on the 192.168.0.x network from the VPN session. I did remove that route inside as all of the other config examples did not have a specific route statement for the local pool even though it is not on the inside network. I have limited knowledge of their network as we just were told to manage it. Thanks again. -
- How do I setup a DMZ zone with PIX 501 firewall? Do I need to use an additional router? I have CISCO 1605 at my disposal.
- If I can't do that, what would be an alterantive way to set an FTP server similarly to the DMZ way.
(We're using IPsec/GRE VPN between our 3 sites. we're on W2K network).
thanks,
olegWhen talking about setting up a DMZ, a PIX model with atleast three interfces is required. On a PIX 501, only two interfaces are available, an outside interface (ethernet) and an inside interface (availabe as a 4 port switch). For stting up a DMZ, you will need an additional interface and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy and you are unlikely to find a satisfactory level of support for it for the simple reason that not many neworks are deployed that way.
-
Hello All,
I have a PIX 501. I configured it with Public IP add outside and private IP inside. I am able to connect to the device fron inside via telnet but NOT from outside. I configured the telnet access on both Interfaces with telnet command. I am able to connect to the device from outside but only via HTTPS://. Can you help me guys? Do I have to use static command with port 23??
Regards
RumenPix doesn't allow telnet on the outside interface, you must use ssh.
Maybe you are looking for
-
Standard function module inside a loop.
Hi Experts, I am trying to improve performance program that has a standard abap function module inside a loop. I am some what lost on what to do here. Here below is what the code looks like as of now. I have read that i need to try and not use the fu
-
XML/AS3 Lightbox style gallery - need starting point....
I've made a gallery slideshow before but wasn't as intuitive looking back at it now and I want to start fresh on this new project. I would like to convert a jQuery lightbox style gallery into a flash XML based AS3 image gallery with categories. I don
-
How to Include Double Quotes in the Column Name
Hi, I am using Dynamic Sql for creating the columns of a table. I am getting a situation where the user will give the double quotes for some column names. So,Can we add double quote to the column name. Thanks in advance. Regards, Alok Dubey
-
Better cost tracking WBS or OAA(Operation Account assignment)
hi Experts, One of my Client want to know whether, . They are a big SAP shop wants to track costs of projects at WBS level. They are implementing SAP Primavera . Some consulting companies have suggested SAP Project Systems but they has doubts o
-
Hi folks, I am working on file to idoc scenario. I Imported the IDOC to my scenario. In Messaga Mapping IDOC structure displaying fields as a documention. but i need techincal names of those fields. for Example: In my IDOC 1 field is showing comp