PIX 506 Config
Hello;
I would like to edit the config to open up a FTP port, but need to know the exact steps/procedures.
1.) I can remote in via the LAN with Hyperterm.
2.) Can probably use a system to console in if necessary.
Here's part of the config for the ACL I would like to update:
access-list outside_in permit tcp any host <public IP> eq www
access-list outside_in permit tcp any host <public IP> eq https
Would this be the correct access list entry for ftp to this system?
access-list outside_in permit tcp any host <public IP> eq ftp
I just need to know:
1.) Once I remote in, can I somehow place this acl line right below the https one?
2.) Can I use a TFTP program and move a text file config onto the PIX?
3.) If I need to revert back or erase the line, would I just type:
no access-list outside_in permit tcp any host <public IP> eq ftp
Thanks, Steve
That's correct:
access-list outside_in permit tcp any host <public IP> eq ftp
To insert it you can do:
access-list outside_in line 3 permit tcp any host <public IP> eq ftp
The "line 3" will insert ABOVE the existing line 3. It will make the current line 3, line 4.
You can use tftp by using write net.
And to remove your line, you do exactly like you have it.
Don't forget your statics though.
static (inside,outside) <public IP> <inside IP> netmask 255.255.255.255
clear xlate
--John
Similar Messages
-
PIX 506 (6.3) configuration query
So just some background, I inherited a PIX 506 with 6.3. I will admit my background is more towards switching/routing. But while I know it is a dinosaur, I need to maintain it for partner interoperability. I just want to confirm that what I am thinking is correct and, if not, how I can correct it.
My thought is that since the access-list command doesn't list "eq" at the end, all ports and protocols are allowed??
The other thing I am not used to is that the access-list has not id/number included in the command, so I assume that access-group specifies this functionality.
All responses are appreciated.
Here is a snippet of the current config:
object-group network Ext_Net
network-object 192.168.0.0 255.255.255.255
object-group network Int_Net
network-object 10.0.0.0 255.255.240.0
object-group network DNS
network-object 192.168.0.254 255.255.255.255
network-object 192.168.0.253 255.255.255.255
object-group network Servers
network-object 192.168.0.25 255.255.255.255
network-object 192.168.0.62 255.255.255.255
network-object 192.168.0.87 255.255.255.255
object-group network Int_Net_ref
network-object 192.168.0.0 255.255.255.255
object-group service Ports tcp
port-object range 3995 3995
port-object range telnet telnet
port-object range 8010 8010
port-object range 8080 8080
port-object eq pop3
port-object eq imap4
port-object eq smtp
port-object eq 433
port-object eq www
port-object eq https
port-object eq ssh
port-object range https https
port-object eq 9100
port-object eq lpd
port-object eq 584
port-object eq 585
port-object range 500 700
access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
access-list inside_access_in permit udp object-group Int_Net object-group DNS
access-list inside_access_in permit tcp object-group Int_Net object-group Servers
access-list outside_access_in permit tcp object-group Ext_Net object-group Int_Net_ref
access-list outside_access_in permit tcp object-group Servers object-group Int_Net_ref
access-list outside_access_in permit tcp object-group DNS object-group Int_Net_ref
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 192.168.0.253 255.255.255.255 outside
pdm location
pdm group Ext_Net 255.255.255.255 outside
pdm group Int_Net 255.255.255.255 inside
nat (inside) 2 Int_Net 255.255.240.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
Yes, if the ACL does not have an 'eq' command, all ports for that protocol will be allowed. Not the best thing to do.
The access-group command applies the ACL to the interface in either the in or out direction. These two commands in your config apply the ACL's to the ingress direction on the PIX:
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
So traffic coming ingress to the outside interface will have the outside_access_in applied to it.
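As an added example, not code from either post above: a small Python model of the PIX 6.x `access-list` commands discussed in the two threads. It applies `access-list NAME line N ...` with the insert-above-current-line-N semantics John describes, backs an entry out with the matching `no access-list ...` line, and flags permit entries that carry no port qualifier (the "all ports of that protocol" case from the second reply). The config extract it parses is constructed with RFC 5737 documentation addresses, not taken from a device; the class and function names are this example's own.

```python
from dataclasses import dataclass

# Grammar subset modelled (PIX 6.x):
#   [no] access-list NAME [line N] permit|deny PROTO SRC DST [eq PORT | range A B | object-group G]
#   SRC/DST: any | host ADDR | ADDR MASK | object-group NAME


def _take_addr(toks, i):
    """Consume one address spec starting at toks[i]; return (spec_text, next_index)."""
    if toks[i] == "any":
        return "any", i + 1
    # 'host X', 'object-group G' and 'ADDR MASK' are all two tokens
    return f"{toks[i]} {toks[i + 1]}", i + 2


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    port: str = ""  # empty means every port of the protocol

    def text(self):
        parts = [self.action, self.proto, self.src, self.dst]
        if self.port:
            parts.append(self.port)
        return " ".join(parts)


def parse_ace(toks):
    """toks are the tokens after 'access-list NAME [line N]'."""
    action, proto = toks[0], toks[1]
    src, i = _take_addr(toks, 2)
    dst, i = _take_addr(toks, i)
    return Ace(action, proto, src, dst, " ".join(toks[i:]))


class PixAcls:
    """In-memory model of the access-list tables on a PIX 6.x box."""

    def __init__(self):
        self.acls = {}  # name -> list[Ace] in evaluation order

    def apply(self, command):
        toks = command.split()
        negate = toks[0] == "no"
        if negate:
            toks = toks[1:]
        if toks[0] != "access-list":
            raise ValueError(f"not an access-list command: {command}")
        name, rest = toks[1], toks[2:]
        if negate and not rest:      # 'no access-list NAME' drops the whole list
            self.acls.pop(name, None)
            return
        if rest[0] == "remark":      # remarks do not affect evaluation; ignored here
            return
        entries = self.acls.setdefault(name, [])
        line_no = None
        if rest[0] == "line":
            line_no, rest = int(rest[1]), rest[2:]
        ace = parse_ace(rest)
        if negate:
            # 'no access-list NAME <exact entry>' removes that entry only
            entries[:] = [e for e in entries if e.text() != ace.text()]
        elif line_no is None or line_no > len(entries):
            entries.append(ace)      # no 'line', or past the end: append
        else:
            # 'line N' inserts above the current entry N (1-based); old N becomes N+1
            entries.insert(line_no - 1, ace)

    def load(self, config_text):
        for raw in config_text.splitlines():
            line = raw.strip()
            if line.startswith(("access-list ", "no access-list ")):
                self.apply(line)

    def lines(self, name):
        """The ACL as 'show access-list' would list it, without hit counts."""
        return [f"access-list {name} {e.text()}" for e in self.acls.get(name, [])]

    def broad_permits(self, name):
        """Permit entries that open every port of TCP/UDP, or all IP from anywhere."""
        hits = []
        for n, e in enumerate(self.acls.get(name, []), start=1):
            if e.action != "permit":
                continue
            if e.proto in ("tcp", "udp") and not e.port:
                hits.append((n, e.text(), f"no port qualifier: every {e.proto} port"))
            elif e.proto == "ip" and e.src == "any" and e.dst == "any":
                hits.append((n, e.text(), "permit ip any any"))
        return hits


# Constructed config extract (documentation addresses), not from the posts above
CONSTRUCTED_CONFIG = """\
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.11 eq smtp
access-list inside_access_in permit tcp 10.0.0.0 255.255.240.0 192.168.0.0 255.255.255.255
access-list inside_access_in permit udp 10.0.0.0 255.255.240.0 host 192.168.0.254 eq domain
"""


def demo():
    pix = PixAcls()
    pix.load(CONSTRUCTED_CONFIG)
    # Put the FTP entry directly below https by inserting above the current line 3
    pix.apply("access-list outside_in line 3 permit tcp any host 203.0.113.10 eq ftp")
    after_insert = pix.lines("outside_in")
    # Back it out with the same entry negated
    pix.apply("no access-list outside_in permit tcp any host 203.0.113.10 eq ftp")
    after_remove = pix.lines("outside_in")
    return after_insert, after_remove, pix.broad_permits("inside_access_in")


if __name__ == "__main__":
    ins, rem, broad = demo()
    print("\n".join(ins), "\n---\n", "\n".join(rem), "\n", broad)
```

The model only orders entries; it does not evaluate matches, so it cannot tell you whether a new line is shadowed by an earlier one. On the box, `show access-list NAME` after the change is still the check that matters.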
I have a site to site VPN from my PIX to a client's VPN 3000 concentrator. The tunnel drops when there is no traffic and only comes back up when they ping or generate traffic from the VPN 3000 concentrator. Till then traffic through the PIX 506 does not go through. Please help??
DPD, or dead peer detection, which is enabled by default, should prevent this. I guess you are running an older version of the OS that does not support DPD. Support for DPD on the Cisco VPN 3000 Concentrator starts with software version 3.0 and on the PIX Firewall with software version 6.0(1). You will need to upgrade to these versions.
-
PIX 506 - Limited Throughput ?
Hi
I recently found a use for an old PIX 506 that I found in our store cupboard.
After doing a 'show ver' I noticed that although the number of internal hosts was unrestricted, the throughput is 'limited'. The outside ethernet is registering as 10/half.
Can anyone please tell me what the limitation is ? Is it just the difference between 10 and 100 Mbps ?
Rgrds
Hi,
Concerning the last post by Vibhor which appears to be incorrect as I have a PIX 506e here which is limited to 10Mb Full
as the below show ver indicates.
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 0009.7c48.c0db, irq 10
1: ethernet1: address is 0009.7c48.c0dc, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Limited
IKE peers: Unlimited
Is this a licensing limitation?
Thanks
DGW -
I'm trying to get a DHCP address from my cable modem to my PIX 506E but it fails
"ip address outside dchp setroute"
Does somebody know how to get this working?
Try decreasing the MTU size to 1370. You can do that via the GUI.
-
One other thing - I had a problem with the key pairing so I rebuilt the RSA 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly appreciated, although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.
Some other info from the client end:
I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
Also Tunnel received 0 and sent 115119
Encryption is 168-bit 3-DES
Authentication is HMAC-SHA1
Also, even though the allow LAN is selected in the Cisco VPN client, it states the local LAN is disabled in the client stats.
Also, transparent tunneling is selected but in the stats it states it is inactive.
I am connecting with the Cisco VPN Client Ver 5.0.07.0440
This config works. It is on the internal net 192.168.40.x and all users obtain DHCP and surf the web. It has required ports opened. The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The PIX is at 40.2 and you cannot ping the PIX from the remote PC connecting via the VPN, and you cannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25.
I need to see the internal network and map network drives. I have another friend that is running the same config and it works, but his computer is on a Linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25, so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the IP of 192.168.40.25 from the VPN pool and my connecting PC is on 192.168.1.x. I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapter but I really do not know for sure.
Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the NATting and another had to do with the encryption, where there was an issue with the encrypt and decrypt which was stopping the communication via the VPN.
I still cannot seem to find the issue with this config and any help will be greatly appreciated.
This is the config
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password somepassword
hostname hostname
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network internal_trusted_net
network-object 192.168.40.0 255.255.255.0
object-group icmp-type icmp_outside
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object source-quench
access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list OutToIn permit ip any any
access-list outbound permit ip any any
(NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.40.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside it still does not work.
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community $XXXXXX$
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
crypto dynamic-map clientmap 50 set transform-set 3des_strong
crypto map vpn 50 ipsec-isakmp dynamic clientmap
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpn_client_pool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote-vpn split-tunnel split_tunnel
vpngroup remote-vpn idle-time 10800
vpngroup remote-vpn password ANOTHER PASSWORD
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.40.0 255.255.255.0 inside
ssh timeout 30
console timeout 60
dhcpd address 192.168.40.100-192.168.40.131 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username AUSER password PASSWORD privilege 15
terminal width 80
****************** End of config
I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the NATting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network) was able to go to a section in the VPN wizard and set the Address Exception Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the NATting is not proper for the VPN pool, it will not work, but I am confused by the examples. They show, as I do, the complete range for an access-list called no_nat_inside, but I believe it should only have the VPN pool IP range and not the entire network since the others do require NATting - not sure if my thought process is correct here. Any help will be greatly appreciated. Also this morning I just tried a boiler plate example from Cisco and it also did not do what I need for it to do. And I also connected a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and vice versa but no one can ping the remote PC that connects via the Cisco Remote VPN client even though it receives an address from the VPN pool. Also include LAN is checked off on the client. This was mentioned in another post.
Thank you once again.
Hi,
PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesn't support even close to new software levels.
If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
Here is a PDF of the original ASA5500 Series.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
Here is a PDF of the new ASA5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I am afraid that it's very hard for me at least to troubleshoot this, especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
Could you provide the requested outputs?
From the PIX after connection test
show crypto ipsec sa
Screen captures of the VPN Client routing and statistics sections.
- Jouni -
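As an added example, not part of the thread above: a Python checker for the three remote-access pieces that post circles around, the `ip local pool` range, the `nat (inside) 0 access-list` exemption and the `vpngroup ... split-tunnel` ACL. It reports a pool that overlaps the inside subnet (the usual recommendation is a dedicated pool subnet, so that inside hosts route pool traffic to the PIX instead of ARPing for pool addresses on the LAN), an exemption ACL that does not cover inside-to-pool traffic, and a split-tunnel ACL that does not include the inside network. The two constructed configs are modelled on the post but abbreviated; the findings are hints to investigate, not a diagnosis of that configuration, and the function names are this example's own.

```python
import ipaddress


def _net(t, i):
    """One PIX address spec at t[i]: any | host X | NET MASK. Returns (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_pix_vpn(config_text):
    """Collect the lines of a PIX 6.x config that decide whether VPN clients reach the LAN."""
    facts = {"inside": None, "pools": {}, "nat0_acl": None, "acls": {}, "split_acls": {}}
    for raw in config_text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "address", "inside"]:
            facts["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            facts["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            facts["nat0_acl"] = t[4]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # only 'permit ip' ACEs matter for NAT exemption and split tunnelling
            src, i = _net(t, 4)
            dst, _ = _net(t, i)
            facts["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            facts["split_acls"][t[1]] = t[3]
    return facts


def _covered(net, aces, side):
    """True if some ACE's src (side=0) or dst (side=1) contains net."""
    return any(net.subnet_of(ace[side]) for ace in aces)


def check_vpn_reachability(facts):
    findings = []
    inside = facts["inside"]
    if inside is None:
        return ["no 'ip address inside' line found"]
    exempt = facts["acls"].get(facts["nat0_acl"], [])
    for name, (first, last) in facts["pools"].items():
        pool_nets = list(ipaddress.summarize_address_range(first, last))
        if any(n.overlaps(inside) for n in pool_nets):
            findings.append(f"pool {name} {first}-{last} overlaps inside {inside}; "
                            "use a dedicated subnet for the pool")
        if not facts["nat0_acl"]:
            findings.append("no 'nat (inside) 0 access-list': inside->pool traffic will be translated")
        elif not (_covered(inside, exempt, 0) and all(_covered(n, exempt, 1) for n in pool_nets)):
            findings.append(f"nat 0 ACL {facts['nat0_acl']} does not exempt {inside} -> pool {name}")
    for group, acl in facts["split_acls"].items():
        if not _covered(inside, facts["acls"].get(acl, []), 0):
            findings.append(f"split-tunnel ACL {acl} for vpngroup {group} does not include {inside}")
    return findings


def audit(config_text):
    return check_vpn_reachability(parse_pix_vpn(config_text))


# Constructed: pool carved out of the inside LAN, as in the post
CONSTRUCTED_OVERLAP = """\
ip address inside 192.168.40.2 255.255.255.0
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (inside) 0 access-list no_nat_inside
vpngroup remote-vpn split-tunnel split_tunnel
vpngroup remote-vpn idle-time 10800
"""

# Constructed: pool moved to its own subnet, but the exemption ACL was not updated
CONSTRUCTED_MOVED_POOL = """\
ip address inside 192.168.40.2 255.255.255.0
ip local pool vpn_client_pool 192.168.41.1-192.168.41.30
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (inside) 0 access-list no_nat_inside
"""

if __name__ == "__main__":
    for text in (CONSTRUCTED_OVERLAP, CONSTRUCTED_MOVED_POOL):
        print(audit(text))
```

The second constructed config shows the trap when the pool is moved: once the pool leaves 192.168.40.0/24, the exemption ACL (and the split-tunnel ACL, if any) has to name the new pool subnet as its destination, or return traffic to the clients is translated through `nat (inside) 1`.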
A customer called me to ask about URL filtering. He bought a 506 a little over a year ago. I haven't been on site to see exactly what IOS he has, but he wants to know if he can filter certain web sites from certain PCs. Of course the answer is yes, but I need to know more about the capabilities of the 506 URL filtering capabilities. Can I create a "White list" for certain PCs in an address range and allow full access to other PCs?
The real problem is on 3 PCs that midnight shift users like to use for porn surfing!
If the 506 can't do the filtering, then I may just add a local piece of software on the 3 problem PCs.
Any advice on the 506 capabilities would be appreciated.
Hi
You can use Websense in addition to the PIX firewall to filter traffic based on URL, which is most widely deployed, but again you need to decide the cost factor involved in doing so.
regds -
PIX 515E Config Help!!!
I just got my PIX 515E configured and thought I had it working correctly, but on my 3745 router the line protocol is down. I've looked through the configs for both the PIX and the 3745 and can't seem to figure out why I don't have access. Would anyone be able to please help resolve the issue for me?
Pix515E config:
pixfirewall# show run
: Saved
PIX Version 8.0(4)32
hostname pixfirewall
domain-name home.jkkcc.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.20.1 255.255.255.248
interface Ethernet2
nameif DMZ
security-level 50
ip address 10.0.30.1 255.255.255.248
ftp mode passive
dns server-group DefaultDNS
domain-name home.jkkcc.com
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
router eigrp 1
network 10.0.0.0 255.0.0.0
network 192.168.0.0 255.255.255.0
network 192.168.2.0 255.255.255.0
network 192.168.4.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
service-policy global_policy global
prompt hostname context
Cryptochecksum:c7359e3905dd13a5aa1a1c0e85a91f52
: end
3745 Config:
3745-Internet#show run
Building configuration...
Current configuration : 2248 bytes
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname 3745-Internet
boot-start-marker
boot system flash:
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
memory-size iomem 25
no network-clock-participate slot 2
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.150
ip dhcp pool HOME-Network
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.127 192.168.1.128
ip dhcp pool home-network
ip domain name www.jkkcc.com
ip name-server 192.168.2.127
multilink bundle-name authenticated
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
username woodjl1650 privilege 15 password 0 henry999
archive
log config
hidekeys
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 10.0.20.2 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface Serial0/0
description $FW_INSIDE$
ip address 10.0.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
interface Serial0/1
description $FW_INSIDE$
ip address 10.0.10.2 255.255.255.248
ip nat inside
ip virtual-reassembly
router eigrp 1
network 10.0.0.0
network 192.168.0.0
network 192.168.2.0
network 192.168.4.0
auto-summary
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 15 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.2.21 80 interface FastEthernet0/0 80
ip nat inside source list 104 interface FastEthernet0/0 overload
access-list 15 permit 10.0.8.0 0.0.7.255
access-list 15 permit 192.168.4.0 0.0.0.255
access-list 104 permit ip any any
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps tty
control-plane
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet
webvpn cef
end
Everything seems to be working fine now, except one last issue. I can ping my exchange server. Do you see anything wrong or why my ping would not go through? I can ping 10.0.20.1 (PIX Ethernet 1) and I can ping from all my computers to 10.0.20.1, but now I get this when trying to ping 10.0.30.1
C:\Users\Exchange>ping 10.0.30.1
Pinging 10.0.30.1 with 32 bytes of data:
Reply from 10.0.30.3: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Ping statistics for 10.0.30.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Exchange = 10.0.30.3 255.255.255.248
Pix Ethernet 2 (exchange) = 10.0.30.1 255.255.255.248
Current Config:
PIX Version 8.0(4)32
hostname pixfirewall
domain-name home.jkkcc.com
enable password DQucN59Njn0OjpJL encrypted
passwd DQucN59Njn0OjpJL encrypted
names
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.20.1 255.255.255.248
interface Ethernet2
nameif exchange
security-level 100
ip address 10.0.30.1 255.255.255.248
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.127
name-server 192.168.2.22
domain-name home.jkkcc.com
access-list inbound extended permit tcp any host 68.224.242.13 eq www
access-list inbound extended permit tcp any host 68.224.242.13 eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu exchange 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image flash:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (exchange) 1 0.0.0.0 0.0.0.0
static (exchange,outside) tcp interface smtp 10.0.30.3 smtp netmask 255.255.255.255
router eigrp 1
network 10.0.0.0 255.0.0.0
network 192.168.0.0 255.255.255.0
network 192.168.2.0 255.255.255.0
network 192.168.4.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
service-policy global_policy global
prompt hostname context
Cryptochecksum:3672d254988d246453e4be381a198858
: end
pixfirewall# -
I'm about to use a new PIX 501 firewall.
I've attached the configuration I intend to use.
I simply need to allow all outbound traffic, and allow inbound traffic only on specific IPs/ports to specific IPs/ports as in the "static" commands
Do you think this config will work?
Any recommendations?
Thanks in advance
interface ethernet0 10baset
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bla1 encrypted
passwd bla2 encrypted
hostname F-PHL-01
domain-name abc.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 100
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.51.34 255.255.255.224
ip address inside 192.168.21.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.51.35-xx.xx.51.62 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.xx.51.39 80 192.168.21.39 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.40 80 192.168.21.40 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.41 80 192.168.21.41 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.42 80 192.168.21.42 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.43 80 192.168.21.43 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.47 80 192.168.21.47 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.48 80 192.168.21.48 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.48 443 192.168.21.48 443 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.48 53 192.168.21.48 53 netmask 255.255.255.255
static (inside,outside) udp xx.xx.51.48 53 192.168.21.48 53 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.49 80 192.168.21.49 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.50 80 192.168.21.50 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.53 80 192.168.21.53 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.54 80 192.168.21.54 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.51.61 80 192.168.21.61 80 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.51.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.21.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
telnet 192.168.21.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:bla3
Cisco Pix 506 Blocks certain websites in Win 7/Vista but not XP
We have been using a Pix 506E with Websense for many years and it has worked fine. We recently got rid of Websense, deleted all references to it in our configuration, and now on Win 7/Vista machines, certain websites are not accessible, yet are accessible on XP machines. When the Win 7 machine is taken off site, the websites are accessible. How do we correct this? If I have to post my configuration, what should not be shown?
-
PIX 506 vs. 1812?
I have the following situation:
1 secure employee network (no Internet Connection, only terminal sessions to OPEN
network)
1 open employee network (with Internet Connection)
1 guest WLAN (Internet Connection ONLY - no local access)
I've been recommended to use either a PIX 506E or a 1812 router.
Which is the better for this task?
Approx. 30 users and 10Mbps WAN connection, secure/open network placed in separate VLANs on a Catalyst 2950.
PIX 506E should be best suited for the task. Check out the following link for information on configuring the PIX 506E:
http://www.cisco.com/application/pdf/en/us/guest/products/ps2030/c1616/ccmigration_09186a0080177097.pdf -
NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above
Hi folks,
I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASA's so doing the configs up front!
Everything seems straight forward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3, the PIX was running v6 and I'm used to doing mainly static one to one NAT in ASDM.
The scenario that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behint the NAT / PAT. Current config of the PIX is as follows (obviously the names are defined further up the config so this is an extract of the PIX):
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
ASA Config
After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following - Also is it easier to just do this in ASDM? Looks pretty easy from youtube videos but rather have something to put on the box when I arrive at site NAT wise as opposed to working it out there!
Define NAT Objects (outside IP addresses)
object network NAT_1_outside_10.50.50.38
host 10.50.50.38
object network NAT_2_outside_10.50.50.39
host 10.50.50.39
object network NAT_3_outside_10.50.50.49
host 10.50.50.49
exit
Define NAT Objects (inside IP addresses)
object-group network NAT_1_Objects
network-object Host_4 255.255.255.255
network-object Host_5 255.255.255.255
network-object Host_6 255.255.255.255
network-object Host_7 255.255.255.255
nat (inside,outside) dynamic NAT_1_outside_10.50.50.38
object-group network NAT_2_Objects
network-object Host_1 255.255.255.255
network-object Host_2 255.255.255.255
network-object Host_3 255.255.255.255
nat (inside,outside) dynamic NAT_2_outside_10.50.50.39
object-group network NAT_3_Objects
network-object Network_1 255.255.255.0
nat (inside,outside) dynamic NAT_3_outside_10.50.50.49
Any assistance with this would be appreciated.
cheers
Malcolm
I cannot make heads or tails of what you're trying to accomplish; in plain English first, before looking at router setup.
If you're talking about hosting servers behind the router on your private LAN (assuming one public WAN IP), then one uses ACLs to control external users by individual OR GROUP and static NAT to port forward users to the correct server. One does not worry about groups of users for this direction of NAT rule.
If what you're saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers), then once again I would say you should use ACLs to limit/authorize users and simply use NAT for port translation purposes. So conceptually speaking, allow all LAN users static NAT, and then only allow group 1 hosts access to the first external IP, group 2 hosts to the second external IP, and group 3 hosts to the third external IP. Note you will have to add a deny rule in the firewall in general because normally higher to lower security interface is allowed by default.
Am I close......... before going any further need more details on the requirements nevermind setup. -
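For the PIX-to-ASA NAT conversion thread above, the following is an added example (not Cisco's pixtoasa tool and not the poster's config) that turns the posted PIX 6 `global`/`nat` pairs into ASA 8.3+ objects and manual ("twice") NAT. It assumes the PIX names (`Host_1`, `Network_3`, ...) are redefined on the ASA, and it uses manual NAT because that form accepts an object-group as the real source; a single `global` address is PAT on the PIX, and a host mapped object gives the same dynamic PAT on the ASA. The `nat 0 access-list` exemption has no one-line equivalent, so the script emits `!` notes with placeholder names (`REAL`, `DST`) for the identity rules the administrator has to fill in from the ACL, placed first because section-1 manual NAT is matched in order:

```python
"""Convert PIX 6.x global/nat pairs into ASA 8.3+ object and manual NAT.

Added example for the thread above; not a Cisco tool.  Assumes the PIX
names are redefined on the ASA and that manual (twice) NAT is acceptable.
"""
import re
from collections import defaultdict

# Constructed from the PIX extract posted in the thread (names, not real IPs).
SAMPLE_PIX_NAT = """\
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)(?: \d+ \d+)?$")


def parse_pix_nat(text):
    """Return (globals, reals, exemptions) keyed by the PIX nat-id."""
    globals_ = {}                 # nat_id -> (outside ifc, mapped address)
    reals = defaultdict(list)     # nat_id -> [(inside ifc, real, mask)]
    exemptions = []               # [(ifc, acl name)] from 'nat 0 access-list'
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT0_RE.match(line):          # must be tested before NAT_RE
            exemptions.append((m.group(1), m.group(2)))
        elif m := GLOBAL_RE.match(line):
            globals_[int(m.group(2))] = (m.group(1), m.group(3))
        elif m := NAT_RE.match(line):
            reals[int(m.group(2))].append((m.group(1), m.group(3), m.group(4)))
    return globals_, reals, exemptions


def render_asa_nat(globals_, reals, exemptions):
    """Emit ASA 8.3+ lines for the parsed PIX NAT policy, exemptions first."""
    out = []
    for ifc, acl in exemptions:
        # Each ACE of the nat-0 ACL becomes a manual identity rule.  They go
        # first because section-1 manual NAT is evaluated top down.
        # REAL/DST are placeholders for the admin to fill from the ACL.
        out.append(f"! from 'nat ({ifc}) 0 access-list {acl}': one identity rule per ACE, before the dynamic rules")
        out.append(f"! nat ({ifc},outside) source static REAL REAL destination static DST DST")
    for nat_id, (out_ifc, mapped) in sorted(globals_.items()):
        mapped_obj = f"PAT_{nat_id}_{mapped.replace('.', '_')}"
        out += [f"object network {mapped_obj}", f" host {mapped}"]
        # One real-source group per (nat-id, inside interface) pair.
        for in_ifc in sorted({e[0] for e in reals.get(nat_id, [])}):
            grp = f"REAL_{nat_id}_{in_ifc}"
            out.append(f"object-group network {grp}")
            for ifc, real, mask in reals[nat_id]:
                if ifc != in_ifc:
                    continue
                if mask == "255.255.255.255":
                    out.append(f" network-object host {real}")
                else:
                    out.append(f" network-object {real} {mask}")
            # Host mapped object + 'source dynamic' = dynamic PAT on ASA 8.3+.
            out.append(f"nat ({in_ifc},{out_ifc}) source dynamic {grp} {mapped_obj}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_asa_nat(*parse_pix_nat(SAMPLE_PIX_NAT)))
```

The poster's draft puts `nat (inside,outside) dynamic ...` under `object-group network`; on 8.3 that subcommand exists only under `object network`, which is why the script emits the manual-NAT form for the groups instead.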
Problem with VPN Client and PIX 7.0(5)
Hi, I have a problem configuring my PIX 525 7.0(5) as a remote VPN server. I already configured the PIX
following these instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
and I can establish a VPN using the Cisco VPN Client, but I can't reach any resource from my inside network or any network defined in the PIX.
I think that could be a missing NAT or an ACL; I have done a lot of research but I can't figure out the solution.
This is the configuration I applied:
access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
access-list acl-vpn-sap-remoto extended permit ip any any
access-list acl-vpn-sap-remoto extended permit icmp any any
ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
nat (inside) 0 access-list cryptomap-scada
group-policy VPN_SAP_PED internal
group-policy VPN_SAP_PED attributes
vpn-filter value acl-vpn-sap-remoto
vpn-tunnel-protocol IPSec
username vpnuser password **** encrypted
username vpnuser attributes
vpn-group-policy VPN_SAP_PED
crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 43200
tunnel-group VPN_SAP_PED type ipsec-ra
tunnel-group VPN_SAP_PED general-attributes
address-pool pool_vpn_sap
default-group-policy VPN_SAP_PED
tunnel-group VPN_SAP_PED ipsec-attributes
pre-shared-key clavevpnsap
Thanks in advance
Hi, thanks for your response. If I remove the ACL from the vpn-filter, I get the same problem (I can't reach any host). This is the output from the command that you asked for.
PIX-Principal(config)# show running-config nat
nat (inside) 0 access-list cryptomap-scada
nat (inside) 9 JOsorioPC 255.255.255.255
nat (inside) 9 GColinaPC 255.255.255.255
nat (inside) 9 AlfonsoPC 255.255.255.255
nat (inside) 9 AngelPC 255.255.255.255
nat (inside) 9 JerryPC 255.255.255.255
nat (inside) 9 EstebanPC 255.255.255.255
nat (inside) 9 GiancarloPC 255.255.255.255
nat (inside) 9 WilliamsPC 255.255.255.255
nat (inside) 9 PerniaPC 255.255.255.255
nat (inside) 9 ElvisDomPC 255.255.255.255
nat (inside) 8 LBermudezPC 255.255.255.255
nat (inside) 9 HelpDeskPC 255.255.255.255
nat (inside) 9 OscarOPC 255.255.255.255
nat (inside) 9 AnaPC 255.255.255.255
nat (inside) 9 RobertoPC 255.255.255.255
nat (inside) 9 MarthaPC 255.255.255.255
nat (inside) 9 NOCPc5-I 255.255.255.255
nat (inside) 9 NOCPc6-I 255.255.255.255
nat (inside) 9 CiraPC 255.255.255.255
nat (inside) 9 JaimePC 255.255.255.255
nat (inside) 9 EugemarPC 255.255.255.255
nat (inside) 9 JosePC 255.255.255.255
nat (inside) 9 RixioPC 255.255.255.255
nat (inside) 9 DaniellePC 255.255.255.255
nat (inside) 9 NorimarPC 255.255.255.255
nat (inside) 9 NNavaPC 255.255.255.255
nat (inside) 8 ManriquePC 255.255.255.255
nat (inside) 8 MarcialPC 255.255.255.255
nat (inside) 8 JAlbornozPC 255.255.255.255
nat (inside) 9 GUrdanetaPC 255.255.255.255
nat (inside) 9 RVegaPC 255.255.255.255
nat (inside) 9 LLabarcaPC 255.255.255.255
nat (inside) 9 Torondoy-I 255.255.255.255
nat (inside) 9 Escuque-I 255.255.255.255
nat (inside) 9 Turbio-I 255.255.255.255
nat (inside) 9 JoseMora 255.255.255.255
nat (inside) 8 San-Juan-I 255.255.255.255
nat (inside) 8 Router7507 255.255.255.255
nat (inside) 8 NOCPc4-I 255.255.255.255
nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255 -
Does the PIX 501 support UPnP? According to an older post, "PIX is currently not UPnP aware." The eight-year-old answer led to a "Request for UPnP support in PIX": https://tools.cisco.com/bugsearch/bug/CSCdy26037. If it has been made "aware", where would I find a resource on enabling it? Thanks.
Agree with Steven; most if not all of our recommendations to clients are to use the newer ASA firewall products in a migration path. Besides, not only will the ASA 5505 provide you with up to 20 virtual interfaces with the Security Plus license, but numerous other features PIX code 6.3(5) does not come close to providing.
Ultimately the PIX 506 cannot go beyond code 6.3(5) and probably gives you up to 2 VLANs maximum, and from clients' experience out there they end up in a deadlock when needing new features; you want to have a product in your network, whether it is small or not, that would be able to move forward with 7.x/8.x code.
If the above is not of a concern at all, then what Andrew suggested would work.
Rgds
-Jorge -
Able to ping PIX 501 but not SNMP
I'm able to ping the outside interface of our PIX 501 but I'm not able to get any SNMP stats. I'm sure the PIX is configured a little too tightly.
I'm not the one who set it up, so I don't know which command will loosen it up.
Thanks
here is the config for reference:
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password yRWxZrM.WqHNW5QV encrypted
passwd 6xrNSBzsamLXqLkj encrypted
hostname KWCH-statefair
domain-name themeganet.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 102 permit ip 10.30.6.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 102 permit ip 10.30.6.0 255.255.255.0 10.200.0.0 255.255.0.0
access-list 103 permit ip 10.30.6.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 103 permit ip 10.30.6.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.40.0 255.255.248.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.16.0 255.255.248.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.30.24.0 255.255.248.0
access-list 101 permit ip 10.30.6.0 255.255.255.0 10.31.40.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1400
mtu inside 1500
ip address outside 68.99.115.199 255.255.255.224
ip address inside 10.30.6.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 103
nat (inside) 1 10.30.6.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 68.99.115.193 1
route outside 207.243.40.7 255.255.255.255 70.165.98.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.30.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community hiway
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map toRichmond 5 ipsec-isakmp
crypto map toRichmond 5 match address 101
crypto map toRichmond 5 set peer 64.148.165.242
crypto map toRichmond 5 set transform-set strong
crypto map toRichmond 10 ipsec-isakmp
crypto map toRichmond 10 match address 102
crypto map toRichmond 10 set peer 12.5.1.200
crypto map toRichmond 10 set transform-set strong
crypto map toRichmond interface outside
isakmp enable outside
isakmp key ******** address 12.5.1.200 netmask 255.255.255.255
isakmp key ******** address 64.148.165.242 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 500 60
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet 64.148.165.242 255.255.255.255 outside
telnet 172.16.0.0 255.255.0.0 inside
telnet 10.30.6.0 255.255.255.0 inside
telnet 10.30.40.0 255.255.248.0 inside
telnet timeout 5
ssh 207.243.40.7 255.255.255.255 outside
ssh 66.136.242.129 255.255.255.255 outside
ssh 10.30.6.0 255.255.255.0 inside
ssh 10.200.24.0 255.255.248.0 inside
ssh 10.30.40.0 255.255.248.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.30.6.1-10.30.6.32 inside
dhcpd dns 10.30.47.4 10.30.47.7
dhcpd wins 10.30.47.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain kbsad.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:f0cc1b0a4205617b2b0bdb70b2a84c5a
You need to configure a location that is allowed to query SNMP. Here's an example:
snmp-server host inside 172.16.210.252 poll
This will allow the host 172.16.210.252 to access SNMP on the PIX.
Hope that helps.
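As an added example for the SNMP thread above (not a Cisco tool and not the poster's config), the script below parses the management-access lines of a PIX 6.3 config and answers the question the thread raises: may a given poller query SNMP? On PIX 6.x a community string alone is not enough; polls are only accepted from stations listed with `snmp-server host <ifc> <ip> [poll]`, and telnet/ssh/http access is likewise restricted to the listed interface and network. The sample config is constructed from the posted one (the `telnet`, `ssh`, `http` and `snmp-server` lines, with no `snmp-server host` entry), and the poller address 172.16.210.252 is the one from the answer:

```python
"""Which hosts may reach PIX 6.x management services (SNMP, SSH, telnet, HTTP)?

Added example for the SNMP thread above; not a Cisco tool.  Assumes PIX 6.x
semantics: 'snmp-server host <ifc> <ip> [poll|trap]' lists the only stations
allowed to poll, and telnet/ssh/http lines list the only permitted sources.
"""
import ipaddress
import re

# Constructed from the management lines of the config in the thread.
SAMPLE_CONFIG = """\
snmp-server community hiway
no snmp-server enable traps
telnet 64.148.165.242 255.255.255.255 outside
telnet 10.30.6.0 255.255.255.0 inside
ssh 207.243.40.7 255.255.255.255 outside
ssh 10.30.6.0 255.255.255.0 inside
http server enable
http 10.30.6.0 255.255.255.0 inside
"""

ACCESS_RE = re.compile(r"^(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\w+)$")
SNMP_HOST_RE = re.compile(r"^snmp-server host (\w+) (\d+\.\d+\.\d+\.\d+)(?: (poll|trap))?$")


def parse_management_access(text):
    """Return ([(service, interface, network)], community_string_or_None)."""
    rules = []
    community = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACCESS_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            rules.append((m.group(1), m.group(4), net))
        elif m := SNMP_HOST_RE.match(line):
            # No keyword means the host may both poll and receive traps.
            if m.group(3) in (None, "poll"):
                rules.append(("snmp", m.group(1), ipaddress.ip_network(m.group(2))))
        elif line.startswith("snmp-server community "):
            community = line.split(" ", 2)[2]
    return rules, community


def is_allowed(rules, service, interface, host):
    """True if 'host' arriving on 'interface' may use the management service."""
    addr = ipaddress.ip_address(host)
    return any(s == service and i == interface and addr in net
               for s, i, net in rules)


def audit_snmp(text, interface, poller):
    """Explain why the poller cannot query SNMP and note related exposure."""
    rules, community = parse_management_access(text)
    findings = []
    if community and not any(s == "snmp" for s, _, _ in rules):
        findings.append("SNMP community set but no 'snmp-server host ... poll' entry: all polls are dropped")
    if not is_allowed(rules, "snmp", interface, poller):
        findings.append(f"add: snmp-server host {interface} {poller} poll")
    if community in ("public", "private"):
        findings.append("default SNMP community string in use")
    if any(s == "telnet" and i == "outside" for s, i, _ in rules):
        findings.append("telnet (cleartext) permitted from the outside interface")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG, "inside", "172.16.210.252"):
        print(finding)
```

Re-running the audit with the answer's `snmp-server host inside 172.16.210.252 poll` appended clears the SNMP findings; the remaining note about telnet from the outside interface is independent of SNMP and is worth reviewing while the config is open, since that management path carries credentials in cleartext.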