PIX 506 Config

Hello;
I would like to edit the config to open up a FTP port, but need to know the exact steps/procedures.
1.) I can remote in via the LAN with Hyperterm.
2.) Can probably use a system to console in if necessary.
Here's part of the config for the ACL I would like to update:
access-list outside_in permit tcp any host <public IP> eq www
access-list outside_in permit tcp any host <public IP> eq https
Would this be the correct access list entry for ftp to this system?
access-list outside_in permit tcp any host <public IP> eq ftp
I just need to know:
1.) Once I remote in, can I somehow place this acl line right below the https one?
2.) Can I use a TFTP program and move a text file config onto the PIX?
3.) If I need to revert back or erase the line, would I just type:
no access-list outside_in permit tcp any host <public IP> eq ftp
Thanks, Steve

That's correct:
access-list outside_in permit tcp any host <public IP> eq ftp
To insert it you can do:
access-list outside_in line 3 permit tcp any host <public IP> eq ftp
The "line 3" will insert ABOVE the existing line 3. It will make the current line 3, line 4.
You can use tftp by using write net.
And to remove your line, you do exactly like you have it.
Don't forget your statics though.
static (inside, outside) netmask 255.255.255.255
clear xlate
--John

Similar Messages

  • PIX 506 (6.3) configuration query

    So just some background, I inherited a PIX 506 with 6.3.  I will admit my background is more towards switching/routing.  But while I know it is a dinosaur, I need to maintain it for partner interoperability.  I just want to confirm that what I am thinking is correct and if not how I can correct it.
    My thought is that since the access-list command doesn't list "eq" at the end, all ports and protocols are allowed?? 
    The other thing I am not used to is that the access-list has no id/number included in the command, so I assume that access-group specifies this functionality.
    All responses are appreciated.
    Here is a snippet of the current config:
    object-group network Ext_Net
      network-object 192.168.0.0 255.255.255.255
    object-group network Int_Net
      network-object 10.0.0.0 255.255.240.0
    object-group network DNS
      network-object 192.168.0.254 255.255.255.255
      network-object 192.168.0.253 255.255.255.255
    object-group network Servers
      network-object 192.168.0.25 255.255.255.255
      network-object 192.168.0.62 255.255.255.255
      network-object 192.168.0.87 255.255.255.255
    object-group network Int_Net_ref
      network-object 192.168.0.0 255.255.255.255
    object-group service Ports tcp
      port-object range 3995 3995
      port-object range telnet telnet
      port-object range 8010 8010
      port-object range 8080 8080
      port-object eq pop3
      port-object eq imap4
      port-object eq smtp
      port-object eq 433
      port-object eq www
      port-object eq https
      port-object eq ssh
      port-object range https https
      port-object eq 9100
      port-object eq lpd
      port-object eq 584
      port-object eq 585
      port-object range 500 700 
    access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
    access-list inside_access_in permit udp object-group Int_Net object-group DNS
    access-list inside_access_in permit tcp object-group Int_Net object-group Servers
    access-list outside_access_in permit tcp object-group Ext_Net object-group Int_Net_ref
    access-list outside_access_in permit tcp object-group Servers object-group Int_Net_ref
    access-list outside_access_in permit tcp object-group DNS object-group Int_Net_ref
    pdm location 192.168.0.254 255.255.255.255 outside
    pdm location 192.168.0.253 255.255.255.255 outside
    pdm location
    pdm group Ext_Net 255.255.255.255 outside
    pdm group Int_Net 255.255.255.255 inside
    nat (inside) 2 Int_Net 255.255.240.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

    Yes, if the ACL does not have an 'eq' command, all ports for that protocol will be allowed.  Not the best thing to do. 
    The access-group command applies the ACL to the interface in either the in or out direction.  These two commands in your config apply the ACLs to the ingress direction on the PIX:
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    So traffic coming ingress to the outside interface will have the outside_access_in applied to it.
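An added example (not code from either thread) that models the two points made above: a PIX 6.x `access-list` entry with no `eq`, `range` or service object-group permits every port of its protocol, and `access-group` is what binds the named ACL to an interface and direction. It also models the `line N` insertion and `no access-list` removal from the first thread; the public IP in the sample and the entry given the posted `Ports` group are constructed.

```python
"""Audit PIX 6.x access-lists for permit entries with no destination-port restriction,
modelling the `line N` insert and `no access-list` removal discussed above.
Added example, not code from the threads; it handles only the commands used here."""
from dataclasses import dataclass, field
from typing import Optional

PORT_OPS = {"eq", "lt", "gt", "neq", "range"}


def fmt(entry):
    """An entry is (action, proto, src, dst, dst_port); dst_port None = every port."""
    return " ".join(t for t in entry if t)


@dataclass
class PixConfig:
    service_groups: dict = field(default_factory=dict)  # group name -> [port specs]
    acls: dict = field(default_factory=dict)            # ACL name -> [entry tuples]
    bindings: dict = field(default_factory=dict)        # ACL name -> (direction, interface)
    current_group: Optional[str] = None                 # service group being filled

    def load(self, text: str) -> "PixConfig":
        for raw in text.splitlines():
            tok = raw.split()
            if not tok:
                continue
            if tok[0] not in ("port-object", "network-object"):
                self.current_group = None  # any other command ends a group block
            if tok[0] == "object-group" and tok[1] == "service":
                self.current_group = tok[2]
                self.service_groups[tok[2]] = []
            elif tok[0] == "port-object" and self.current_group:
                self.service_groups[self.current_group].append(" ".join(tok[1:]))
            elif tok[0] == "access-list":
                self._acl_command(tok[1:], remove=False)
            elif tok[:2] == ["no", "access-list"]:
                self._acl_command(tok[2:], remove=True)
            elif tok[0] == "access-group":  # access-group NAME in|out interface IF
                self.bindings[tok[1]] = (tok[2], tok[4])
        return self

    def _acl_command(self, tok, remove):
        name, tok = tok[0], tok[1:]
        line_no = None
        if tok[0] == "line":
            line_no, tok = int(tok[1]), tok[2:]
        entry = self._parse_entry(tok)
        entries = self.acls.setdefault(name, [])
        if remove:  # `no access-list ...` removes the matching entry wherever it sits
            self.acls[name] = [e for e in entries if e != entry]
        elif line_no is None:
            entries.append(entry)
        else:       # `line N` inserts above the existing entry N, which becomes N+1
            entries.insert(line_no - 1, entry)

    def _parse_entry(self, tok):
        src, i = self._take_addr(tok, 2)
        i = self._skip_port(tok, i)  # optional source-port spec, not audited
        dst, i = self._take_addr(tok, i)
        return (tok[0], tok[1], src, dst, " ".join(tok[i:]) or None)

    @staticmethod
    def _take_addr(tok, i):
        if tok[i] == "any":
            return "any", i + 1
        return f"{tok[i]} {tok[i + 1]}", i + 2  # host A | object-group G | A MASK

    def _skip_port(self, tok, i):
        if i < len(tok) and tok[i] in PORT_OPS:
            return i + (3 if tok[i] == "range" else 2)
        if i + 1 < len(tok) and tok[i] == "object-group" and tok[i + 1] in self.service_groups:
            return i + 2
        return i

    def order(self, name):
        return [fmt(e) for e in self.acls.get(name, [])]

    def wide_open(self):
        """(acl, entry number, interface, text) for permits that restrict no destination port."""
        findings = []
        for name, entries in self.acls.items():
            iface = self.bindings.get(name, ("unbound", "-"))[1]
            for n, (action, proto, _src, _dst, port) in enumerate(entries, start=1):
                if action == "permit" and proto in ("tcp", "udp", "ip") and not port:
                    findings.append((name, n, iface, fmt(entries[n - 1])))
        return findings


# Constructed sample: the first thread's ACL with a constructed public IP, plus the 6.3
# snippet above, one entry of which is given the posted Ports group for contrast.
SAMPLE = """access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in line 2 permit tcp any host 203.0.113.10 eq ftp
access-group outside_in in interface outside
object-group service Ports tcp
  port-object eq www
  port-object eq https
access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
access-list inside_access_in permit udp object-group Int_Net object-group DNS
access-list outside_access_in permit tcp object-group Ext_Net object-group Int_Net_ref
access-list outside_access_in permit tcp object-group DNS object-group Int_Net_ref object-group Ports
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside"""
```

Running `PixConfig().load(SAMPLE).wide_open()` reports the three object-group entries as permitting every port of their protocol on the interface each ACL is bound to, while the entry qualified with `object-group Ports` and the first thread's `eq` entries are not flagged.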

  • PIX 506 & 3000 Concentrator

    I have a site to site VPN from my PIX to a client's VPN 3000 concentrator. The tunnel drops when there is no traffic and only comes back up when they ping or generate traffic from the VPN 3000 concentrator. Until then traffic through the PIX 506 does not go through. Please help??

    DPD, or dead peer detection, which is enabled by default, should prevent this. I guess you are running an older version of the OS that does not support DPD. Support for DPD on the Cisco VPN 3000 Concentrator starts with software version 3.0 and on the PIX Firewall with software version 6.0(1). You will need to upgrade to these versions.

  • PIX 506 - Limited Throughput ?

    Hi
    I recently found a use for an old PIX 506 that I found in our store cupboard.
    After doing a 'show ver' I noticed that although the number of internal hosts was unrestricted, the throughput is 'limited'. The outside ethernet is registering as 10/half.
    Can anyone please tell me what the limitation is ? Is it just the difference between 10 and 100 Mbps ?
    Rgrds

    Hi,
    Concerning the last post by Vibhor, which appears to be incorrect, as I have a PIX 506e here which is limited to 10Mb Full, as the show ver below indicates.
    Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    0: ethernet0: address is 0009.7c48.c0db, irq 10
    1: ethernet1: address is 0009.7c48.c0dc, irq 11
    Licensed Features:
    Failover:           Disabled
    VPN-DES:            Enabled
    VPN-3DES:           Enabled
    Maximum Interfaces: 2
    Cut-through Proxy:  Enabled
    Guards:             Enabled
    URL-filtering:      Enabled
    Inside Hosts:       Unlimited
    Throughput:         Limited
    IKE peers:          Unlimited
    Is this a licensing limitation?
    Thanks
    DGW

  • Pix 506 E with cable modem

    I'm trying to get a dhcp address from my cable modem to my pix 506 e but it fails
    "ip address outside dhcp setroute"
    somebody know how to get this working?

    Try decreasing the MTU size to 1370. You can do that via the GUI.

  • PIX 501 config - access to internal network not working from remote VPN users - everything on the inside is OK

    One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly appreciated, although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.
    Some other info from the client end:
    I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
    Also Tunnel received 0 and sent 115119
    Encryption is 168-bit 3-DES
    Authentication is HMAC-SHA1
    also even though the allow LAN is selected in the Cisco VPN client it states the local LAN is disabled in the client stats
    also Transparent tunneling is selected but in the stats it states it is inactive
    I am connecting with the Cisco VPN Client Ver 5.0.07.0440
    This config works. It is on the internal net 192.168.40.x and all users obtain dhcp and surf the web. It has the required ports opened. The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The pix is at 40.2 and you cannot ping the pix from the remote PC connecting via the VPN, and you cannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25
    I need to see the internal network and map network drives. I have another friend that is running the same config and it works but his computer is on a linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25 so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the ip of 192.168.40.25 from the VPN pool and my connecting pc is on 192.168.1.x. I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapter but I really do not know for sure.
    Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the natting and another had to do with the encryption where there was an issue with the encrypt and decrypt which was stopping the communication via the VPN.
    I still cannot seem to find the issue with this config and any help will be greatly appreciated.
    This is the config
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password somepassword
    hostname hostname
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group network internal_trusted_net
      network-object 192.168.40.0 255.255.255.0
    object-group icmp-type icmp_outside
      icmp-object echo-reply
      icmp-object unreachable
      icmp-object time-exceeded
      icmp-object source-quench
    access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
    access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
    access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
    access-list OutToIn permit ip any any
    access-list outbound permit ip any any
    (NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.xxx 255.255.255.248
    ip address inside 192.168.40.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside  it still does not work.
    nat (inside) 0 access-list no_nat_inside
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group acl_outside_in in interface outside
    access-group outbound in interface inside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.40.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community $XXXXXX$
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
    crypto dynamic-map clientmap 50 set transform-set 3des_strong
    crypto map vpn 50 ipsec-isakmp dynamic clientmap
    crypto map vpn client configuration address initiate
    crypto map vpn client configuration address respond
    crypto map vpn client authentication LOCAL
    crypto map vpn interface outside
    isakmp enable outside
    isakmp identity address
    isakmp client configuration address-pool local vpn_client_pool outside
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup remote-vpn split-tunnel split_tunnel
    vpngroup remote-vpn idle-time 10800
    vpngroup remote-vpn password ANOTHER PASSWORD
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 192.168.40.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 60
    dhcpd address 192.168.40.100-192.168.40.131 inside
    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    username AUSER password PASSWORD privilege 15
    terminal width 80
    ****************** End of config
    I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the natting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network) was able to go to a section in the VPN wizard and set the Address Exception Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the natting is not proper for the VPN pool, it will not work, but I am confused by the examples. They show, as I do, the complete range for an access-list called no_nat_inside but I believe it should only have the VPN pool IP range and not the entire network since the others do require natting - not sure if my thought process is correct here. Any help will be greatly appreciated. Also this morning I just tried a boiler plate example from CISCO and it also did not do what I need for it to do. And I also connected a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and vice versa but no one can ping the remote PC that connects via the CISCO Remote VPN client even though it receives an address from the vpnpool. Also include LAN is checked off on the client. This was mentioned in another post.
    Thank you once again.
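An added consistency check (not code from the thread, written for this page) over a config of the shape posted above: it reports `access-group` lines whose ACL name no `access-list` defines, ACLs that nothing references, whether the VPN pool falls inside the destination of the `nat (inside) 0` exemption ACL, and whether the pool overlaps the inside subnet. On the posted lines it notes that `access-group acl_outside_in` names an ACL that does not appear among the `access-list` lines while `OutToIn` is defined but never applied; the sample below is excerpted from the config above.

```python
"""Consistency checks for a PIX 6.x remote-access VPN config of the shape posted above.
Added example, not code from the thread. Reports access-group lines whose ACL no
access-list defines, ACLs nothing references (access-group, nat 0, split-tunnel), whether
the VPN pool sits in the nat 0 exemption ACL's destination, and whether it overlaps inside.
"""
import ipaddress


def parse(text):
    """Collect only the statements the checks below need."""
    cfg = {"acls": {}, "access_group": {}, "nat0": {}, "split": {}, "pools": {}, "ifaces": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list":                       # access-list NAME permit ...
            cfg["acls"].setdefault(tok[1], []).append(tok[2:])
        elif tok[0] == "access-group":                    # access-group NAME in interface IF
            cfg["access_group"][tok[1]] = tok[4]
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            cfg["nat0"][tok[1].strip("()")] = tok[4]      # nat (IF) 0 access-list NAME
        elif tok[0] == "vpngroup" and tok[2] == "split-tunnel":
            cfg["split"][tok[1]] = tok[3]                 # vpngroup GROUP split-tunnel NAME
        elif tok[:3] == ["ip", "local", "pool"]:          # ip local pool NAME FIRST-LAST
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tok[:2] == ["ip", "address"] and len(tok) == 5:  # ip address IF ADDR MASK
            try:
                cfg["ifaces"][tok[2]] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            except ValueError:
                pass  # the poster masked the outside address as xxx.xxx.xxx.xxx
    return cfg


def dst_networks(entries):
    """Destination networks of `permit ip SRC MASK DST MASK` entries (the only form handled)."""
    return [ipaddress.ip_network(f"{e[4]}/{e[5]}", strict=False)
            for e in entries if len(e) == 6 and e[:2] == ["permit", "ip"]]


def audit(text, inside="inside"):
    cfg = parse(text)
    acls = cfg["acls"]
    referenced = set(cfg["access_group"]) | set(cfg["nat0"].values()) | set(cfg["split"].values())
    exempt = dst_networks(acls.get(cfg["nat0"].get(inside), []))
    inside_net = cfg["ifaces"].get(inside)
    pools = list(cfg["pools"].values())
    return {
        # an access-group that names an undefined ACL applies nothing to that interface
        "dangling_access_group": sorted(n for n in cfg["access_group"] if n not in acls),
        "unreferenced_acls": sorted(n for n in acls if n not in referenced),
        # every pool address must be a destination in the nat 0 ACL to bypass NAT on return
        "pool_nat_exempt": bool(pools) and all(any(a in n and b in n for n in exempt) for a, b in pools),
        "pool_overlaps_inside": inside_net is not None
        and any(a in inside_net or b in inside_net for a, b in pools),
    }


# Excerpt of the config posted above (the poster's xxx masking kept as-is)
SAMPLE = """access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list OutToIn permit ip any any
access-list outbound permit ip any any
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.40.2 255.255.255.0
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
global (outside) 1 interface
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
vpngroup remote-vpn split-tunnel split_tunnel"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```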

    Hi,
    PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesn't support even close to new software levels.
    If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
    But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
    I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
    Here is a PDF of the original ASA5500 Series.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
    Here is a PDF of the new ASA5500-X Series
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
    I am afraid that it's very hard for me at least to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
    Could you provide the requested outputs?
    From the PIX after connection test
    show crypto ipsec sa
    Screen captures of the VPN Client routing and statistics sections.
    - Jouni

  • URL Filtering w/ PIX 506

    A customer called me to ask about URL filtering. He bought a 506 a little over a year ago. I haven't been on site to see exactly what IOS he has, but he wants to know if he can filter certain web sites from certain PCs. Of course the answer is yes, but I need to know more about the capabilities of the 506 URL filtering capabilities. Can I create a "White list" for certain PCs in an address range and allow full access to other PCs?
    The real problem is on 3 PCs that midnight shift users like to use for porn surfing!
    If the 506 can't do the filtering, then I may just add a local piece of software on the 3 problem PCs.
    Any advice on the 506 capabilities would be appreciated.

    hi
    You can use Websense in addition to the PIX F/W to filter the traffic based on the URL, which is most widely deployed, but again you need to decide the cost factor involved in doing so.
    regds

  • PIX 515E Config Help!!!

    I just got my PIX515e configured and thought I had it working correctly, but on my 3745 router, the line protocol is down. I've looked through the configs for both the PIX and the 3745 and can't seem to figure out why I don't have access. Would anyone be able to please help resolve the issue for me?
    Pix515E config:
    pixfirewall# show run
    : Saved
    PIX Version 8.0(4)32
    hostname pixfirewall
    domain-name home.jkkcc.com
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.0.20.1 255.255.255.248
    interface Ethernet2
    nameif DMZ
    security-level 50
    ip address 10.0.30.1 255.255.255.248
    ftp mode passive
    dns server-group DefaultDNS
    domain-name home.jkkcc.com
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside) 1 0.0.0.0 0.0.0.0
    router eigrp 1
    network 10.0.0.0 255.0.0.0
    network 192.168.0.0 255.255.255.0
    network 192.168.2.0 255.255.255.0
    network 192.168.4.0 255.255.255.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect http
      inspect ils
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:c7359e3905dd13a5aa1a1c0e85a91f52
    : end
    3745 Config:
    3745-Internet#show run
    Building configuration...
    Current configuration : 2248 bytes
    version 12.4
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname 3745-Internet
    boot-start-marker
    boot system flash:
    boot-end-marker
    no logging buffered
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    memory-size iomem 25
    no network-clock-participate slot 2
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.2.1 192.168.2.150
    ip dhcp pool HOME-Network
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
       dns-server 192.168.2.127 192.168.1.128
    ip dhcp pool home-network
    ip domain name www.jkkcc.com
    ip name-server 192.168.2.127
    multilink bundle-name authenticated
    parameter-map type regex sdm-regex-nonascii
    pattern [^\x00-\x80]
    username woodjl1650 privilege 15 password 0 henry999
    archive
    log config
      hidekeys
    interface FastEthernet0/0
    description $FW_OUTSIDE$
    ip address 10.0.20.2 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface Serial0/0
    description $FW_INSIDE$
    ip address 10.0.10.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet0/1
    description $FW_INSIDE$
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    interface Serial0/1
    description $FW_INSIDE$
    ip address 10.0.10.2 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    router eigrp 1
    network 10.0.0.0
    network 192.168.0.0
    network 192.168.2.0
    network 192.168.4.0
    auto-summary
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source list 15 interface FastEthernet0/0 overload
    ip nat inside source static tcp 192.168.2.21 80 interface FastEthernet0/0 80
    ip nat inside source list 104 interface FastEthernet0/0 overload
    access-list 15 permit 10.0.8.0 0.0.7.255
    access-list 15 permit 192.168.4.0 0.0.0.255
    access-list 104 permit ip any any
    snmp-server community public RO
    snmp-server community private RW
    snmp-server enable traps tty
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet
    webvpn cef
    end

    Everything seems to be working fine now, except one last issue.  I can ping my exchange server.  Do you see anything wrong or why my ping would not go through?  I can ping 10.0.20.1 (Pix Ethernet 1) and I can ping from all my computers to the 10.0.20.1 but not I get this when trying to ping 10.0.30.1
    C:\Users\Exchange>ping 10.0.30.1
    Pinging 10.0.30.1 with 32 bytes of data:
    Reply from 10.0.30.3: Destination host unreachable.
    Reply from 192.168.2.1: Destination host unreachable.
    Reply from 192.168.2.1: Destination host unreachable.
    Reply from 192.168.2.1: Destination host unreachable.
    Ping statistics for 10.0.30.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Exchange = 10.0.30.3 255.255.255.248
    Pix Ethernet 2 (exchange) = 10.0.30.1 255.255.255.248
    Current Config:
    PIX Version 8.0(4)32
    hostname pixfirewall
    domain-name home.jkkcc.com
    enable password DQucN59Njn0OjpJL encrypted
    passwd DQucN59Njn0OjpJL encrypted
    names
    interface Ethernet0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.0.20.1 255.255.255.248
    interface Ethernet2
    nameif exchange
    security-level 100
    ip address 10.0.30.1 255.255.255.248
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 192.168.2.127
    name-server 192.168.2.22
    domain-name home.jkkcc.com
    access-list inbound extended permit tcp any host 68.224.242.13 eq www
    access-list inbound extended permit tcp any host 68.224.242.13 eq smtp
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu exchange 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any outside
    asdm image flash:/asdm-61551.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (exchange) 1 0.0.0.0 0.0.0.0
    static (exchange,outside) tcp interface smtp 10.0.30.3 smtp netmask 255.255.255.255
    router eigrp 1
    network 10.0.0.0 255.0.0.0
    network 192.168.0.0 255.255.255.0
    network 192.168.2.0 255.255.255.0
    network 192.168.4.0 255.255.255.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect http
      inspect ils
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:3672d254988d246453e4be381a198858
    : end
    pixfirewall#

  • PIX 501 config review

    I'm about to use a new PIX 501 firewall.
    I've attached the configuration I intend to use.
    I simply need to allow all outbound traffic, and allow inbound traffic only on specific IPs/ports to specific IPs/ports as in the "static" commands
    Do you think this config will work?
    Any recommendations?
    Thanks in advance
    interface ethernet0 10baset
    interface ethernet1 10full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password bla1 encrypted
    passwd bla2 encrypted
    hostname F-PHL-01
    domain-name abc.com
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    pager lines 100
    mtu outside 1500
    mtu inside 1500
    ip address outside xx.xx.51.34 255.255.255.224
    ip address inside 192.168.21.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 xx.xx.51.35-xx.xx.51.62 netmask 255.255.255.224
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp xx.xx.51.39 80 192.168.21.39 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.40 80 192.168.21.40 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.41 80 192.168.21.41 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.42 80 192.168.21.42 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.43 80 192.168.21.43 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.47 80 192.168.21.47 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.48 80 192.168.21.48 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.48 443 192.168.21.48 443 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.48 53 192.168.21.48 53 netmask 255.255.255.255
    static (inside,outside) udp xx.xx.51.48 53 192.168.21.48 53 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.49 80 192.168.21.49 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.50 80 192.168.21.50 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.53 80 192.168.21.53 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.54 80 192.168.21.54 80 netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.51.61 80 192.168.21.61 80 netmask 255.255.255.255
    route outside 0.0.0.0 0.0.0.0 xx.xx.51.33 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.21.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    telnet 192.168.21.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:bla3

    Hi,
    PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesnt support even close to new software levels.
    If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
    But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
    I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
    Here is a PDF of the original ASA5500 Series.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
    Here is a PDF of the new ASA5500-X Series
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
    I am afraid that it's very hard for me, at least, to troubleshoot this, especially since I have not seen any outputs yet. Also, the very old CLI and lack of GUI (?) make it harder to see what the problem is.
    Could you provide the requested outputs?
    From the PIX after connection test
    show crypto ipsec sa
    Screen captures of the VPN Client routing and statistics sections.
    - Jouni

  • Cisco Pix 506 Blocks certain websites in Win 7/Vista but not XP

    We have been using a Pix 506E with Websense for many years and it has worked fine.  We recently got rid of Websense, deleted all references to it in our configuration, and now on Win 7/Vista machines, certain websites are not accessible, yet are accessible on XP machines.  When the Win 7 machine is taken off site, the websites are accessible.  How do we correct this?  If I have to post my configuration, what should not be shown?

  • PIX 506 vs. 1812?

    I have the following situation:
    1 secure employee network (no Internet Connection, only terminal sessions to OPEN network)
    1 open employee network (with Internet Connection)
    1 guest WLAN (Internet Connection ONLY - no local access)
    I've been recommended to use either a PIX 506E or a 1812 router.
    Which is the better for this task?
    Approx. 30 users and 10Mbps WAN connection, secure/open network placed in separate VLANs on Catalyst 2950.

    PIX 506E should be best suited for the task. Check out the following link for information on configuring the PIX 506E:
    http://www.cisco.com/application/pdf/en/us/guest/products/ps2030/c1616/ccmigration_09186a0080177097.pdf

  • NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above

    Hi folks,
    I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASAs, so I'm doing the configs up front!
    Everything seems straightforward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3; the PIX was running v6 and I'm used to doing mainly static one-to-one NAT in ASDM.
    The scenario is that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behind the NAT / PAT. The current config of the PIX is as follows (obviously the names are defined further up the config, so this is an extract of the PIX):
    global (outside) 1 10.50.50.38
    global (outside) 2 10.50.50.39
    global (outside) 3 10.50.50.49
    nat (inside) 0 access-list no-nat-all
    nat (inside) 2 Host_1 255.255.255.255 0 0
    nat (inside) 2 Host_2 255.255.255.255 0 0
    nat (inside) 2 Host_3 255.255.255.255 0 0
    nat (inside) 1 Host_4 255.255.255.255 0 0
    nat (inside) 1 Host_5 255.255.255.255 0 0
    nat (inside) 1 Host_6 255.255.255.255 0 0
    nat (inside) 1 Host_7 255.255.255.255 0 0
    nat (inside) 3 Network_3 255.255.255.0 0 0
    ASA Config
    After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following. Also, is it easier to just do this in ASDM? It looks pretty easy from YouTube videos, but I'd rather have something to put on the box when I arrive at site NAT-wise as opposed to working it out there!
    Define NAT Objects (outside IP addresses)
    object network NAT_1_outside_10.50.50.38
    host 10.50.50.38
    object network NAT_2_outside_10.50.50.39
    host 10.50.50.39
    object network NAT_3_outside_10.50.50.49
    host 10.50.50.49
    exit
    Define NAT Objects (inside IP addresses)
    object-group network NAT_1_Objects
    network-object Host_4 255.255.255.255
    network-object Host_5 255.255.255.255
    network-object Host_6 255.255.255.255
    network-object Host_7 255.255.255.255
    nat (inside,outside) dynamic NAT_1_outside_10.50.50.38
    object-group network NAT_2_Objects
    network-object Host_1 255.255.255.255
    network-object Host_2 255.255.255.255
    network-object Host_3 255.255.255.255
    nat (inside,outside) dynamic NAT_2_outside_10.50.50.39
    object-group network NAT_3_Objects
    network-object Network_1 255.255.255.0
    nat (inside,outside) dynamic NAT_3_outside_10.50.50.49
    Any assistance with this would be appreciated.
    cheers
    Malcolm
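An added example, not the page's own config or Cisco's pixtoasa tool: a small Python converter that parses the PIX 6.x `global`/`nat` pool pairs shown above and emits ASA 8.3 objects, object-groups and NAT rules. It uses the 8.3 manual (twice) NAT form `nat (inside,outside) source dynamic GROUP OBJECT` rather than the object NAT form in the post, goes further than the post by grouping on the inside interface as well as the pool id, and assumes the PIX host names already exist as ASA network objects; the sample config is constructed from the post's pools plus a made-up `dmz` interface.

```python
"""Added example, not Cisco's pixtoasa tool: map PIX 6.x 'global'/'nat' pool
pairs to ASA 8.3+ manual (twice) NAT, grouping by inside interface so a pool
id shared by several inside interfaces yields one rule per interface."""
import re
from collections import defaultdict

GLOBAL_RE = re.compile(r"^\s*global\s+\((\S+)\)\s+(\d+)\s+(\S+)\s*$")
NAT_RE = re.compile(r"^\s*nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)")
NAT0_RE = re.compile(r"^\s*nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")

def parse_pix(config):
    """pool id -> (outside if, global ip); (inside if, pool id) -> [(real, mask)]; nat 0 ACLs."""
    globals_, nats, exempt = {}, defaultdict(list), []
    for line in config.splitlines():
        if m := NAT0_RE.match(line):
            exempt.append((m.group(1), m.group(2)))
        elif m := GLOBAL_RE.match(line):
            globals_[int(m.group(2))] = (m.group(1), m.group(3))
        elif m := NAT_RE.match(line):
            nats[(m.group(1), int(m.group(2)))].append((m.group(3), m.group(4)))
    return globals_, nats, exempt

def to_asa83(config):
    """Emit ASA 8.3 object, object-group and manual NAT lines as a list of strings."""
    globals_, nats, exempt = parse_pix(config)
    out, defined = [], set()
    for in_if, acl in exempt:  # NAT exemption has no 1:1 form: flag it for hand conversion
        out.append(f"! nat ({in_if}) 0 access-list {acl}: rewrite by hand as "
                   f"'nat ({in_if},outside) source static A A destination static B B'")
    for (in_if, pool_id), reals in sorted(nats.items()):
        if pool_id not in globals_:
            out.append(f"! nat ({in_if}) {pool_id}: no matching global, skipped")
            continue
        out_if, gip = globals_[pool_id]
        gobj, grp = f"NAT_{pool_id}_outside_{gip}", f"NAT_{pool_id}_{in_if}_Objects"
        if gobj not in defined:  # one mapped object per global pool
            out += [f"object network {gobj}", f" host {gip}"]
            defined.add(gobj)
        out.append(f"object-group network {grp}")
        for real, mask in reals:
            out.append(f" network-object host {real}" if mask == "255.255.255.255"
                       else f" network-object {real} {mask}")
        # A single-host mapped object gives dynamic PAT, like a one-address PIX 'global' pool.
        out.append(f"nat ({in_if},{out_if}) source dynamic {grp} {gobj}")
    return out

# Constructed sample: the post's pools 1 and 2, plus a made-up dmz interface sharing pool 1.
SAMPLE_PIX = """\
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (dmz) 1 Network_3 255.255.255.0 0 0
"""

if __name__ == "__main__":
    print("\n".join(to_asa83(SAMPLE_PIX)))
```

The `nat 0 access-list` exemption is only flagged, because the 8.3 equivalent (a static identity rule with a destination clause) depends on the ACL's contents.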

    I cannot make heads or tails of what you're trying to accomplish; in plain English first, before looking at router setup.
    If you're talking about hosting servers behind the router on your private LAN (assuming one public WAN IP), then one uses ACLs to control external users by individual OR GROUP and static NAT to port forward users to the correct server. One does not worry about groups of users for this direction of NAT rule.
    If what you're saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers), then once again I would say you should use ACLs to limit/authorize users and simply use NAT for port translation purposes. So conceptually speaking, allow all LAN users static NAT, and then only allow group 1 hosts access to the first external IP, group 2 hosts to the second external IP, and group 3 hosts to the third external IP. Note you will have to add a deny rule in the firewall in general, because normally higher to lower security interface is allowed by default.
    Am I close......... before going any further I need more details on the requirements, never mind setup.

  • Problem with VPN Client and PIX 7.0(5)

    Hi, I have a problem configuring my PIX 525 7.0(5) as a remote VPN server. I already configured the PIX following these instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
    and I can establish a VPN using the Cisco VPN Client, but I can't reach any resource from my inside network or any network defined in the PIX.
    I think that it could be a missing NAT or an ACL; I have done a lot of research but I can't figure out the solution.
    This is the configuration I applied:
    access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
    access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
    access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
    access-list acl-vpn-sap-remoto extended permit ip any any
    access-list acl-vpn-sap-remoto extended permit icmp any any
    ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
    nat (inside) 0 access-list cryptomap-scada
    group-policy VPN_SAP_PED internal
    group-policy VPN_SAP_PED attributes
    vpn-filter value acl-vpn-sap-remoto
    vpn-tunnel-protocol IPSec
    username vpnuser password **** encrypted
    username vpnuser attributes
    vpn-group-policy VPN_SAP_PED
    crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
    crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
    crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
    crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption 3des
    isakmp policy 7 hash sha
    isakmp policy 7 group 2
    isakmp policy 7 lifetime 43200
    tunnel-group VPN_SAP_PED type ipsec-ra
    tunnel-group VPN_SAP_PED general-attributes
    address-pool pool_vpn_sap
    default-group-policy VPN_SAP_PED
    tunnel-group VPN_SAP_PED ipsec-attributes
    pre-shared-key clavevpnsap
    Thanks in advance

    Hi, thanks for your response. If I remove the ACL from the VPN filter, I get the same problem (I can't reach any host). This is the output from the command that you asked for.
    PIX-Principal(config)# show running-config nat
    nat (inside) 0 access-list cryptomap-scada
    nat (inside) 9 JOsorioPC 255.255.255.255
    nat (inside) 9 GColinaPC 255.255.255.255
    nat (inside) 9 AlfonsoPC 255.255.255.255
    nat (inside) 9 AngelPC 255.255.255.255
    nat (inside) 9 JerryPC 255.255.255.255
    nat (inside) 9 EstebanPC 255.255.255.255
    nat (inside) 9 GiancarloPC 255.255.255.255
    nat (inside) 9 WilliamsPC 255.255.255.255
    nat (inside) 9 PerniaPC 255.255.255.255
    nat (inside) 9 ElvisDomPC 255.255.255.255
    nat (inside) 8 LBermudezPC 255.255.255.255
    nat (inside) 9 HelpDeskPC 255.255.255.255
    nat (inside) 9 OscarOPC 255.255.255.255
    nat (inside) 9 AnaPC 255.255.255.255
    nat (inside) 9 RobertoPC 255.255.255.255
    nat (inside) 9 MarthaPC 255.255.255.255
    nat (inside) 9 NOCPc5-I 255.255.255.255
    nat (inside) 9 NOCPc6-I 255.255.255.255
    nat (inside) 9 CiraPC 255.255.255.255
    nat (inside) 9 JaimePC 255.255.255.255
    nat (inside) 9 EugemarPC 255.255.255.255
    nat (inside) 9 JosePC 255.255.255.255
    nat (inside) 9 RixioPC 255.255.255.255
    nat (inside) 9 DaniellePC 255.255.255.255
    nat (inside) 9 NorimarPC 255.255.255.255
    nat (inside) 9 NNavaPC 255.255.255.255
    nat (inside) 8 ManriquePC 255.255.255.255
    nat (inside) 8 MarcialPC 255.255.255.255
    nat (inside) 8 JAlbornozPC 255.255.255.255
    nat (inside) 9 GUrdanetaPC 255.255.255.255
    nat (inside) 9 RVegaPC 255.255.255.255
    nat (inside) 9 LLabarcaPC 255.255.255.255
    nat (inside) 9 Torondoy-I 255.255.255.255
    nat (inside) 9 Escuque-I 255.255.255.255
    nat (inside) 9 Turbio-I 255.255.255.255
    nat (inside) 9 JoseMora 255.255.255.255
    nat (inside) 8 San-Juan-I 255.255.255.255
    nat (inside) 8 Router7507 255.255.255.255
    nat (inside) 8 NOCPc4-I 255.255.255.255
    nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255

  • PIX 501 and UPnP

    Does the PIX 501 support UPnP? According to an older post, "PIX is currently not UPnP aware." The eight-year-old answer led to a "Request for UPnP support in PIX": https://tools.cisco.com/bugsearch/bug/CSCdy26037. If it has been made "aware", where would I find a resource on enabling it? Thanks.

    Agree with Steven. Most if not all of our recommendations to clients are to use the newer ASA firewall products in a migration path. Besides, not only will the ASA5505 provide you with up to 20 virtual interfaces with the Sec Plus license, but also numerous other features that PIX code 6.3(5) does not come close to providing.
    Ultimately the PIX 506 cannot go beyond code 6.3(5) and will probably give you up to 2 VLANs maximum, and from clients' experience out there they end up in a deadlock when needing new features; you want to have a product in your network, even if it is small, that would be able to move forward with 7.x/8.x codes.
    If the above is not of a concern at all, then what Andrew suggested would work.
    Rgds
    -Jorge

  • Able to ping PIX 501 but not SNMP

    I'm able to ping the outside interface of our PIX 501, but I'm not able to get any SNMP stats. I'm sure the PIX is configured a little too tightly.
    I'm not the one who set it up, so I don't know which command will loosen it up.
    Thanks
    here is the config for reference:
    PIX Version 6.3(1)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password yRWxZrM.WqHNW5QV encrypted
    passwd 6xrNSBzsamLXqLkj encrypted
    hostname KWCH-statefair
    domain-name themeganet.com
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 102 permit ip 10.30.6.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list 102 permit ip 10.30.6.0 255.255.255.0 10.200.0.0 255.255.0.0
    access-list 103 permit ip 10.30.6.0 255.255.255.0 10.0.0.0 255.0.0.0
    access-list 103 permit ip 10.30.6.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.40.0 255.255.248.0
    access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.16.0 255.255.248.0
    access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.24.0 255.255.248.0
    access-list 101 permit ip 10.30.6.0 255.255.255.0 10.31.40.0 255.255.255.0
    pager lines 24
    logging on
    logging monitor debugging
    logging buffered debugging
    mtu outside 1400
    mtu inside 1500
    ip address outside 68.99.115.199 255.255.255.224
    ip address inside 10.30.6.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 103
    nat (inside) 1 10.30.6.0 255.255.255.0 0 0
    conduit permit icmp any any
    route outside 0.0.0.0 0.0.0.0 68.99.115.193 1
    route outside 207.243.40.7 255.255.255.255 70.165.98.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 10.30.6.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community hiway
    no snmp-server enable traps
    no floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto map toRichmond 5 ipsec-isakmp
    crypto map toRichmond 5 match address 101
    crypto map toRichmond 5 set peer 64.148.165.242
    crypto map toRichmond 5 set transform-set strong
    crypto map toRichmond 10 ipsec-isakmp
    crypto map toRichmond 10 match address 102
    crypto map toRichmond 10 set peer 12.5.1.200
    crypto map toRichmond 10 set transform-set strong
    crypto map toRichmond interface outside
    isakmp enable outside
    isakmp key ******** address 12.5.1.200 netmask 255.255.255.255
    isakmp key ******** address 64.148.165.242 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 500 60
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 28800
    telnet 64.148.165.242 255.255.255.255 outside
    telnet 172.16.0.0 255.255.0.0 inside
    telnet 10.30.6.0 255.255.255.0 inside
    telnet 10.30.40.0 255.255.248.0 inside
    telnet timeout 5
    ssh 207.243.40.7 255.255.255.255 outside
    ssh 66.136.242.129 255.255.255.255 outside
    ssh 10.30.6.0 255.255.255.0 inside
    ssh 10.200.24.0 255.255.248.0 inside
    ssh 10.30.40.0 255.255.248.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 10.30.6.1-10.30.6.32 inside
    dhcpd dns 10.30.47.4 10.30.47.7
    dhcpd wins 10.30.47.4
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain kbsad.local
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:f0cc1b0a4205617b2b0bdb70b2a84c5a

    You need to configure a location that is allowed to query SNMP. Here's an example:
    snmp-server host inside 172.16.210.252 poll
    This will allow the host 172.16.210.252 to access SNMP on the PIX.
    Hope that helps.
