PIX 501 speed and ipv6

Hello,
I have 20M/20M ISP speed. Will the PIX 501 slow my network connection? On the Cisco website, it says 60Mbps, but elsewhere on the net you can hear the speed is max 10Mbps.
And the second question: is IPv6 supported?
Tnx.

Hello,
According to Cisco Performance documentation you will be more than fine.
Now regarding IPv6 being supported. For Cisco dedicated firewall appliances the support for IPv6 started on version 7.0.1.
Due to memory requirements I do not think your firewall supports that version, hence IPv6 will not be supported.
Regards,
Jcarvaja

Similar Messages

  • Persistent VPN between PIX 501 and ASA 5505

    I am a networking newbie with 2 small retail stores. I would like to create a persistent VPN between the stores. I already have a PIX 501 firewall, and I am looking at getting an ASA 5505. Would I have any problems creating a persistent VPN between these two firewalls?

    No problems whatsoever :-)
    There are loads of examples for the config on the Cisco website, and basically these boxes can run exactly the same software, so the config on each is virtually the same. Main difference is the ASA defines the interfaces in a different way. Even if you have different versions of software, say 6.3 on the PIX and 7.2 on the ASA they will still work fine for the VPN, just the configs will be a lot more different. Hope this helps to remove any worries you had?

  • PIX 501 Not working, why??

    Hi,
    I have just purchased a new Cisco PIX 501 firewall and I have installed these certificates it asks for. Now the situation is that the certificates have been installed but this stupid thing won't even go to the PDM window. It just tells me that a new window will open but nothing happens and I am just tired of this thing. I have even installed the latest Java version but same issue; then I read on the forums to use Java 1.5x version, tried that too and it won't go to the. Now can anyone tell me how I can make this thing work and move on to the PDM window? I also tried it on Mozilla, IE, Chrome but same issue.
    Please help me out here ppl. It's getting really annoying
    Regards,
    Ali

    Hi Julio,
    Thank you so much for taking the time to assist me with this issue.  I'm not sure it's an ISP issue though (at least I hope not!)  Please consider:
    - When I first attempted to implement this change, I didn't even think to install a router between the cable modem and switch. I figured I would simply install a switch (or hub) between the cable modem and firewall, and that I would be able to plug my IDS into that switch (or hub). But it wouldn't work. The PIX couldn't pull an IP. I found out the problem was that the ISP was seeing the switch as the primary device, and grabbing its MAC address. The PIX was ignored, and therefore never able to connect. I called the ISP and they confirmed this is how they control how many devices are connected. And since I only want to pay for 1 IP address from them, that's how it is.
    - Then I decided to try the router approach.  And it seems to work.  The 1st router interface is getting the IP address from the ISP.  I have communications between the pix and router, and also between the router and internal hosts.  I don't think the ISP cares what's on the other side of the router (do they?)
    - Each time I go home to try your recommendations I unplug the PIX from the cable modem, and connect the router inline.  That's when I lose internet connectivity.  But once I revert back to that configuration, it works again.  So the internet connection works fine.  It's only when I add the router to the mix that I lose it.
    Please let me know if you think there's anything else I can try here.  I can't help thinking it is my configuration and not an ISP issue - hoping you are able to find something else I may have done incorrectly.
    Thank you!
    -Bk

  • Pix 501 PDM 30 - can't get web browser access

    I just got two used Pix 501 units, and cannot get the web browser working. OK to first login box with blank username and password per manual, click Yes to certificate popup, "Loading Startup Wizard" prompts for username and password - blank is NOT accepted here.
    Get java.security.AccessControlException: access denied in lower border of browser window.
    How do I get past this?

    Phil, this is a known issue with certain old versions of PDM.
    Refer to this link for work around.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_field_notice09186a008046c805.shtml
    also try java update
    Java runtime environment version 6 update 2 is available , try this and see if it resolves the issue
    http://www.java.com/en/download/index.jsp
    Jorge

  • Problem with VPN by ASA 5505 and PIX 501

    Hi
    I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
    I have configured these appliances for Easy VPN (the server is the ASA) and the PIX, and remote access with the Cisco VPN client (for the internal LAN of the ASA).
    When I configure the ASA I have this problem when I configure NAT for Easy VPN.
    This is my nat configuration:
    nat (inside) 0 access-list 100
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 0.0.0.0 0.0.0.0 outside
    When I put this command:
    nat (inside) 0 access-list no-nat
    this command is necessary for the configuration of Easy VPN, but the previous nat:
    nat (inside) 0 access-list 100
    is replaced with the latest command.

    To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
    For regular dynamic NAT:
    nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    For policy dynamic NAT and NAT exemption:
    nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
    no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]

  • Vonage VoIP and PIX 501

    I have a SOHO currently using cable modem connected to the outside interface of a PIX 501. The inside interface of the PIX connects to a hub with 8 ports.I have 2 PC's and a LinkSys AP plugged into the hub. I have been looking at using Vonage VoIP. My questions are:
    1) Is it possible?
    2) Do I need to use a special fixup protocol or config?
    3) Has anyone used Vonage VoIP and how is it working?
    Thanks,
    Paul Lane

    Paul,
    I have been using Vonage successfully with a very similar configuration. You don't need any fixups or special configurations to make this work.
    My only suggestion is to connect your ATA to a switch port behind the PIX, as opposed to the hub.
    Have fun!
    Fernando Macias

  • Pix 501 and H323

    Thank you in advance.
    Is video teleconference supported on the PIX 501?
    I am trying to configure a static router from the inside to the outside using static routers and I can not do it.
    Please can someone send me config examples if the PIX 501 supports video conferencing using H323.
    Cristian

    Have a look here:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1079378
    If connectivity still fails, a look at the pix log might help ('sh log').

  • PIX 501 and UPnP

    Does the PIX 501 support UPnP? According to an older post, "PIX is currently not UPnP aware." The eight-year-old answer led to a "Request for UPnP support in PIX": https://tools.cisco.com/bugsearch/bug/CSCdy26037. If it has been made "aware", where would I find a resource on enabling it? Thanks.

    Agree with Steven, most if not all of our recommendations to clients are to use the newer ASA firewall products in a migration path. Besides, not only will the ASA 5505 provide you with up to 20 virtual interfaces with the Sec Plus license, but also numerous other features that PIX code 6.3(5) does not come close to providing.
    Ultimately the PIX 506 cannot go beyond code 6.3(5) and will probably give you up to 2 VLANs maximum, and from clients' experience out there they end up in a deadlock when needing new features; you want to have a product in your network, whether it is small, that would be able to move forward with 7.x/8.x codes.
    If the above is not a concern at all, then what Andrew suggested would work.
    Rgds
    -Jorge

  • Pix 501 IPSec VPN no LAN access and no ping

    Hello,
    I am attempting to set up an IPSec VPN in a basic small business scenario. I am able to connect to my PIX 501 via IPSec VPN and browse the internet but I am unable to ping or connect to any devices in the remote LAN. Here is my config
    show config:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxxx encrypted
    hostname pixfirewall
    domain-name domain.local
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 195.7.x.x BLR-Quadria
    name 176.76.1.0 LAN-CEPIC
    name 176.76.1.40 ADMIN
    name 176.76.1.253 SRV-Linux
    name 212.234.98.224 ADSL-Quadria
    name 81.80.252.129 sylob
    name 176.76.1.33 poste-pcanywhere
    name 176.76.1.179 TEST
    name 10.1.1.0 VPN_CLIENT
    name 176.76.1.100 SRVSVG01
    name 176.76.1.116 SRV-ERP01
    name 176.76.1.50 SRV-ERP00
    object-group network WAN-Quadria
      network-object BLR-Quadria 255.255.255.248
      network-object ADSL-Quadria 255.255.255.248
    object-group network SRV-CEPIC
      network-object SRV-Linux 255.255.255.255
      network-object ADMIN 255.255.255.255
      network-object SRVSVG01 255.255.255.255
      network-object SRV-ERP00 255.255.255.255
      network-object SRV-ERP01 255.255.255.255
    object-group service TCP-Linux-Quadria tcp
      port-object eq 1812
      port-object eq 222
      port-object eq 10000
    object-group service TCP-TSE-Quadria tcp
      port-object eq 3389
    object-group service PCAnywhereUDP udp
      port-object range pcanywhere-status pcanywhere-status
    access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
    access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
    access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
    access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
    access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
    access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
    access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
    access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
    pager lines 24
    logging on
    logging console debugging
    logging buffered debugging
    logging trap debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 176.76.1.254 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name attaque attack action alarm drop reset
    ip audit name info info action alarm drop reset
    ip audit interface outside info
    ip audit interface outside attaque
    ip audit interface inside info
    ip audit interface inside attaque
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 2000 disable
    ip audit signature 2003 disable
    ip local pool VPN_POOL 10.1.1.10-10.1.1.20
    pdm location ADMIN 255.255.255.255 inside
    pdm location SRV-Linux 255.255.255.255 inside
    pdm location BLR-Quadria 255.255.255.248 outside
    pdm location ADSL-Quadria 255.255.255.248 outside
    pdm location LAN-CEPIC 255.255.255.0 inside
    pdm location poste-pcanywhere 255.255.255.255 inside
    pdm location sylob 255.255.255.255 outside
    pdm location TEST 255.255.255.255 inside
    pdm location 10.10.10.0 255.255.255.224 outside
    pdm location VPN_CLIENT 255.255.255.0 inside
    pdm location VPN_CLIENT 255.255.255.224 outside
    pdm location SRVSVG01 255.255.255.255 inside
    pdm location SRV-ERP00 255.255.255.255 inside
    pdm location SRV-ERP01 255.255.255.255 inside
    pdm group WAN-Quadria outside
    pdm group SRV-CEPIC inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    ntp server 193.55.130.2 source inside
    ntp server 80.67.179.98 source outside
    ntp server 194.2.0.28 source outside prefer
    http server enable
    http BLR-Quadria 255.255.255.248 outside
    http ADSL-Quadria 255.255.255.248 outside
    http ADMIN 255.255.255.255 inside
    http LAN-CEPIC 255.255.255.0 inside
    snmp-server host inside SRV-Linux
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp outside
    sysopt noproxyarp inside
    service resetinbound
    service resetoutside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
    vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
    vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
    vpngroup CEPIC_VPN_CLIENT default-domain domain.local
    vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
    vpngroup CEPIC_VPN_CLIENT idle-time 1800
    vpngroup CEPIC_VPN_CLIENT password ********
    telnet timeout 5
    ssh BLR-Quadria 255.255.255.248 outside
    ssh ADSL-Quadria 255.255.255.248 outside
    ssh LAN-CEPIC 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xxxxx
    vpdn group pppoe_group ppp authentication chap
    vpdn username xxxx password xxxxx store-local
    username vg_vpn password xxxxx encrypted privilege 3
    username test password xxxxxx encrypted privilege 3
    username quadria password xxxxx encrypted privilege 15
    username jml_vpn password xxxxx encrypted privilege 3
    username jr_vpn password xxxxx encrypted privilege 3
    username js_vpn password xxxxx encrypted privilege 3
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege show level 3 command uauth
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    privilege show level 5 mode configure command logging
    privilege show level 5 command fragment
    terminal width 80
    Cryptochecksum:
    I know this is a basic question but I would really appreciate the help!
    Thanks so much,

    Hi,
    You could try to change the Split Tunnel ACL to Standard ACL
    First removing it from the VPN configuration and then removing the ACL and creating it as Standard type ACL
    Current
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    New
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
    You could also try adding
    fixup protocol icmp
    fixup protocol icmp error
    Have you monitored the logs while you are attempting to connect to the LAN network?
    - Jouni

  • PIX 501 and Java

    Hello,
    Trying to move some servers today and lo and behold this.... not good news...
    Does anyone have an easy workaround for the Java issue for a Cisco Pix 501? Is there an easy way to revert to older versions of Java without affecting everything else? Does QuickTime use Java? This is very frustrating.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/productsfieldnotice09186a008046c805.shtml
    "Customers running these versions of PDM or IDM should either uninstall the newer Java Plug-Ins and re-install previous versions of the Java Plug-In, or upgrade their PDM and IDM images to the versions indicated in the following table."
    Thanks,
    Rich

    Rich,
    Welcome to the forums.
    This notice doesn't apply to using Java programs or applets.
    It specifically applies to computers that will need to access the PDM or IDM to make changes.
    "Impacted PDM and IDM versions will not load when launched from a browser"
    As long as you don't need to access the PDM or IDM from the browser, you don't need to worry about this advisory.
    If you do, my advice would be to upgrade the PIX, as that seems the most logical thing to do (especially as it's a fix that Cisco has already released).

  • PIX 501 and Linksys VPN Router (WRV200)

    I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Router on two other sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
    I believe the Linksys VPN routers can only connect via IPSec VPN, so I am looking for help on configuring the PIX 501 to allow the Linksys to connect with the following parameters, if possible.
    Key Exchange Method: Auto (IKE)
    Encryption: Auto, 3DES, AES128, AES192, AES256
    Authentication: MD5
    Pre-Shared Key: xxx
    PFS: Enabled/Disabled
    ISAKMP Key Lifetime: 28800
    IPSec Key Lifetime: 3600
    On the PIX i have the PDM installed and i have tried using the VPN Wizard to no avail.
    I chose the following settings when doing the VPN Wizard:
    Type of VPN: Remote Access VPN
    Interface: Outside
    Type of VPN Client Device used: Cisco VPN Client
    (can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
    VPN Client Group
    Group Name: RabyEstates
    Pre Shared Key: rabytest
    Extended Client Authentication: Disabled
    Address Pool
    Pool Name: VPN-LAN
    Range Start: 192.168.2.200
    Range End: 192.168.2.250
    DNS/WINS/Default Domain: None
    IKE Policy
    Encryption: 3DES
    Authentication: MD5
    DH Group: Group 2 (1024-bit)
    Transform Set
    Encryption: 3DES
    Authentication: MD5
    I have attached the VPN log from the Linksys VPN Router.
    This is the first time i've ever worked with PIX so i'm still trying to figure the thing out, but i'm confident with CCNA level networking.
    Thanks for your help!

    Hi again,
    I believe the pix has a 3des license because of the following parts of the "show version"
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    This PIX has a Restricted (R) license.
    I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
    As for the other show commands they give:
    pixfirewall# show crypto isakmp sa
    Total : 0
    Embryonic : 0
    dst src state pending created
    pixfirewall# show crypto ipsec sa
    interface: outside
    Crypto map tag: transam, local addr. 10.0.0.1
    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
    current_peer: 10.0.0.2:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
    pixfirewall#
    Thanks again Daniel, i really appreciate your help on this matter.

  • Redhat EL 4 and pix 501

    I have recently configured a PIX 501 to work with 3 servers. Two servers are on Windows and one is on Red Hat EL 4.
    The firewall policy is very simple.
    Only 3 static IPs apply to these three servers. No NAT or PAT for a group of IPs.
    All three servers have some services allowed for external internet users.
    The problem is that both Windows servers are working fine; only the Red Hat EL 4 one is not working. The RH4 server cannot ping or go to the internet anywhere. Both Windows servers can ping and can go to the internet. External users can reach both Windows servers but not RH4. My access policy is the same for all three servers. Also, for troubleshooting I enabled full access in and out to all. The same result happens: both Windows servers can go out, and external users can access everything on the two Windows servers but not Linux. Is there any particular problem with Linux RH4 and the PIX?

    can you post your config, it will help in troubleshooting

  • Android and pix 501

    Has anyone successfully configured a Pix 501 to communicate to a LG Phoenix (I'm assuming Android OS) via a L2TP/IPSEC VPN?

    Our current working config relevant to L2TP:
    access-list NO_NAT extended permit ip 10.10.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list REMOTE_RA extended permit ip any 192.168.100.0 255.255.255.0
    nat (Inside) 0 access-list NO_NAT
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_AES128_SHA TRANS_ESP_AES192_SHA ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map OUTSIDE_MAP interface Outside
    crypto isakmp enable Outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 10.10.1.20 10.10.1.23
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-network-list value REMOTE_RA
    default-domain value ******.com
    tunnel-group DefaultL2LGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group DefaultRAGroup general-attributes
    address-pool L2TP
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    isakmp keepalive threshold 15 retry 2

  • IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501

    I have successfully established the IPSEC tunnel with juniper firewall by using cisco Pix 501 (6.3 version). The problem I am facing, I have network layer connectivity but after time interval I am not able to send the traffic on destination IP address on specific port, but can successfully PING the destination IP. On both firewalls the IPs are permitted for all ports.

    Dear Mr.
    The same problem has occurred with me.

  • Slow PIX 501 performance

    PIX 501 connected to a residential cable modem. Speedtests are giving me 3mbit down. When I plug a machine into the cable modem I am getting 10-12mbit.
    Posting pertinent info:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside INSIDE_IP 255.0.0.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 SUBNET1 255.255.255.240 0 0
    nat (inside) 1 SUBNET2 255.255.255.240 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 10.93.44.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    terminal width 80

    Ensure that the speed and duplex negotiated for the outside are correct, issue a "show interface e0" and see if you have any input/output errors.
    HTH
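
Added example, not part of any post above and not Cisco tooling: a small Python audit that flags the weak management and IKE/IPsec settings visible in the configs posted in the "Pix 501 IPSec VPN", "Android and pix 501" and "Slow PIX 501 performance" threads, handling both the flat 6.x `isakmp policy N ...` lines and the block-style `crypto isakmp policy N` form. The rule set and the names `RULES`, `normalize` and `audit` are assumptions of this example, the outside interface is assumed to be named `outside`, and the sample lines are copied from those posts.

```python
import re

# Added audit rules (assumptions of this example): rule id, pattern applied to
# a normalized config line, and a short reason. The outside interface is
# assumed to be named "outside", as in the configs posted on this page.
RULES = [
    ("snmp-default-community",
     re.compile(r"^snmp-server community public$"),
     "SNMP uses the well-known default community string"),
    ("mgmt-open-to-any-outside",
     re.compile(r"^(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (?i:outside)$"),
     "management access is allowed from any outside address"),
    ("ike-hash-md5",
     re.compile(r"^isakmp policy \d+ hash md5$"),
     "IKE policy negotiates MD5"),
    ("ike-dh-group-1-or-2",
     re.compile(r"^isakmp policy \d+ group [12]$"),
     "IKE policy negotiates 768-bit or 1024-bit Diffie-Hellman"),
    ("esp-des-or-md5",
     re.compile(r"^crypto ipsec transform-set \S+ .*\besp-(des|md5-hmac)\b"),
     "transform set offers single DES or HMAC-MD5"),
]

POLICY_HEADER = re.compile(r"^(?:crypto )?isakmp policy (\d+)$")
# A trailing space is required so "group-policy ..." is not read as "group".
POLICY_SUBCMD = re.compile(r"^(authentication|encryption|hash|group|lifetime) \S")


def normalize(config_text):
    """Yield (line_no, line) with block-style IKE policies flattened to
    the 6.x form 'isakmp policy N <subcommand>'."""
    policy = None
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())          # collapse indentation/spacing
        if not line or line.startswith(("!", ":")):
            continue
        header = POLICY_HEADER.match(line)
        if header:
            policy = header.group(1)          # subcommands follow on later lines
            continue
        if policy and POLICY_SUBCMD.match(line):
            yield no, f"isakmp policy {policy} {line}"
            continue
        policy = None                         # any other command ends the block
        if line.startswith("crypto isakmp "):
            line = line[len("crypto "):]
        yield no, line


def audit(config_text):
    """Return a list of (line_no, rule_id, normalized_line, reason)."""
    findings = []
    for no, line in normalize(config_text):
        for rule_id, pattern, reason in RULES:
            if pattern.search(line):
                findings.append((no, rule_id, line, reason))
    return findings


# Lines copied from the PIX 6.x configs posted above.
PIX6_SAMPLE = """\
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.93.44.0 255.255.255.0 inside
http BLR-Quadria 255.255.255.248 outside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

# Lines copied from the block-style config in the Android thread.
BLOCK_SAMPLE = """\
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
group-policy DefaultRAGroup internal
"""

if __name__ == "__main__":
    for name, text in (("pix6", PIX6_SAMPLE), ("block", BLOCK_SAMPLE)):
        for no, rule_id, line, reason in audit(text):
            print(f"{name}:{no}: [{rule_id}] {line} ({reason})")
```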
