PIX 506 vs. 1812?
I have the following situation:
1 secure employee network (no Internet Connection, only terminal sessions to OPEN network)
1 open employee network (with Internet Connection)
1 guest WLAN (Internet Connection ONLY - no local access)
I've been recommended to use either a PIX 506E or a 1812 router.
Which is the better for this task?
Approx. 30 users and 10Mbps WAN connection, secure/open network placed in separate VLANs on Catalyst 2950.
PIX 506E should be best suitable for the task. Check out the following link for information on configuring the PIX 506E:
http://www.cisco.com/application/pdf/en/us/guest/products/ps2030/c1616/ccmigration_09186a0080177097.pdf
Similar Messages
-
PIX 506 (6.3) configuration query
So just some background: I inherited a PIX 506 with 6.3. I will admit my background is more towards switching/routing. But while I know it is a dinosaur, I need to maintain it for partner interoperability. I just want to confirm that what I am thinking is correct and, if not, how I can correct it.
My thought is that since the access-list command doesn't list "eq" at the end, all ports and protocols are allowed??
The other thing I am not used to is that the access-list has no id/number included in the command, so I assume that access-group specifies this functionality.
All responses are appreciated.
Here is a snippet of the current config:
object-group network Ext_Net
network-object 192.168.0.0 255.255.255.255
object-group network Int_Net
network-object 10.0.0.0 255.255.240.0
object-group network DNS
network-object 192.168.0.254 255.255.255.255
network-object 192.168.0.253 255.255.255.255
object-group network Servers
network-object 192.168.0.25 255.255.255.255
network-object 192.168.0.62 255.255.255.255
network-object 192.168.0.87 255.255.255.255
object-group network Int_Net_ref
network-object 192.168.0.0 255.255.255.255
object-group service Ports tcp
port-object range 3995 3995
port-object range telnet telnet
port-object range 8010 8010
port-object range 8080 8080
port-object eq pop3
port-object eq imap4
port-object eq smtp
port-object eq 433
port-object eq www
port-object eq https
port-object eq ssh
port-object range https https
port-object eq 9100
port-object eq lpd
port-object eq 584
port-object eq 585
port-object range 500 700
access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
access-list inside_access_in permit udp object-group Int_Net object-group DNS
access-list inside_access_in permit tcp object-group Int_Net object-group Servers
access-list outside_access_in permit tcp object-group Ext_Net object-group Int_Net_ref
access-list outside_access_in permit tcp object-group Servers object-group Int_Net_ref
access-list outside_access_in permit tcp object-group DNS object-group Int_Net_ref
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 192.168.0.253 255.255.255.255 outside
pdm location
pdm group Ext_Net 255.255.255.255 outside
pdm group Int_Net 255.255.255.255 inside
nat (inside) 2 Int_Net 255.255.240.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
Yes, if the ACL does not have an 'eq' command, all ports for that protocol will be allowed. Not the best thing to do.
The access-group command applies the ACL to the interface in either the in or out direction. These two commands in your config apply the ACLs to the ingress direction on the PIX:
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
So traffic coming ingress to the outside interface will have the outside_access_in applied to it.
-
I have a site to site VPN from my PIX to a client's VPN 3000 concentrator. The tunnel drops when there is no traffic and only comes back up when they ping or generate traffic from the VPN 3000 concentrator. Until then traffic through the PIX 506 does not go through. Please help??
DPD, or dead peer detection, which is enabled by default, should prevent this. I guess you are running an older version of the OS that does not support DPD. Support for DPD on the Cisco VPN 3000 Concentrator starts with software version 3.0 and on the PIX Firewall with software version 6.0(1). You will need to upgrade to these versions.
-
PIX 506 - Limited Throughput ?
Hi
I recently found a use for an old PIX 506 that I found in our store cupboard.
After doing a 'show ver' I noticed that although the number of internal hosts was unrestricted, the throughput is 'limited'. The outside ethernet is registering as 10/half.
Can anyone please tell me what the limitation is ? Is it just the difference between 10 and 100 Mbps ?
Rgrds
Hi,
Concerning the last post by Vibhor, which appears to be incorrect, as I have a PIX 506e here which is limited to 10Mb Full as the below show ver indicates.
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 0009.7c48.c0db, irq 10
1: ethernet1: address is 0009.7c48.c0dc, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Limited
IKE peers: Unlimited
Is this a licensing limitation?
Thanks
DGW -
I'm trying to get a DHCP address from my cable modem to my PIX 506E but it fails
"ip address outside dchp setroute"
Does somebody know how to get this working?
Try decreasing the MTU size to 1370. You can do that via the GUI.
-
A customer called me to ask about URL filtering. He bought a 506 a little over a year ago. I haven't been on site to see exactly what IOS he has, but he wants to know if he can filter certain web sites from certain PCs. Of course the answer is yes, but I need to know more about the capabilities of the 506 URL filtering capabilities. Can I create a "White list" for certain PCs in an address range and allow full access to other PCs?
The real problem is on 3 PCs that midnight shift users like to use for porn surfing!
If the 506 can't do the filtering, then I may just add a local piece of software on the 3 problem PCs.
Any advice on the 506 capabilities would be appreciated.
hi
You can use Websense in addition to the PIX F/W to filter the traffic based on the URL, which is most widely deployed, but again you need to decide the cost factor involved in doing so.
regds -
Cisco Pix 506 Blocks certain websites in Win 7/Vista but not XP
We have been using a Pix 506E with Websense for many years and it has worked fine. We recently got rid of Websense, deleted all references to it in our configuration, and now on Win 7/Vista machines, certain websites are not accessible, yet are accessible on XP machines. When the Win 7 machine is taken off site, the websites are accessible. How do we correct this? If I have to post my configuration, what should not be shown?
-
Hello;
I would like to edit the config to open up a FTP port, but need to know the exact steps/procedures.
1.) I can remote in via the LAN with Hyperterm.
2.) Can probably use a system to console in if necessary.
Here's part of the config for the ACL I would like to update:
access-list outside_in permit tcp any host <public IP> eq www
access-list outside_in permit tcp any host <public IP> eq https
Would this be the correct access list entry for ftp to this system?
access-list outside_in permit tcp any host <public IP> eq ftp
I just need to know:
1.) Once I remote in, can I somehow place this acl line right below the https one?
2.) Can I use a TFTP program and move a text file config onto the PIX?
3.) If I need to revert back or erase the line, would I just type:
no access-list outside_in permit tcp any host <public IP> eq ftp
Thanks, Steve
That's correct:
access-list outside_in permit tcp any host eq ftp
To insert it you can do:
access-list outside_in line 3 permit tcp any host eq ftp
The "line 3" will insert ABOVE the existing line 3. It will make the current line 3, line 4.
You can use tftp by using write net.
And to remove your line, you do exactly like you have it.
Don't forget your statics though.
static (inside, outside) netmask 255.255.255.255
clear xlate
--John -
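The ACL behaviour discussed in this thread and in the earlier 6.3 configuration thread (an entry with no 'eq' matching every port, and 'line N' inserting above the existing line N while 'no access-list ...' removes the entry), modelled in Python as an added example that is not code from either poster. The class, the config and all addresses are constructed; 203.0.113.10 stands in for the public IP.

```python
"""Toy model of PIX 6.3 access-list handling (added example, not code from either thread):
an entry without 'eq <port>' matches every port of its protocol, 'line N' inserts above the
existing line N, and 'no access-list ...' removes the matching entry. Addresses are constructed."""
import ipaddress

PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25}  # constructed subset


class PixAcl:
    def __init__(self):
        self.groups = {}  # object-group name -> list of ip_network
        self.acls = {}    # acl name -> ordered list of entries (dict keeps insertion order)

    def load(self, config):
        current = None
        for raw in config.splitlines():
            tok = raw.split()
            if not tok:
                continue
            if tok[:2] == ["object-group", "network"]:
                current = self.groups.setdefault(tok[2], [])
            elif tok[0] == "network-object":  # PIX form: address netmask
                current.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
            elif tok[0] == "access-list":
                self.add_entry(tok)
            elif tok[:2] == ["no", "access-list"]:
                self.remove_entry(tok[1:])

    def _addr(self, tok, i):  # one address spec at tok[i] -> (networks, next index)
        if tok[i] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], i + 1
        if tok[i] == "host":
            return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
        if tok[i] == "object-group":
            return self.groups[tok[i + 1]], i + 2
        return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2

    def _parse(self, tok):  # access-list NAME [line N] ACTION PROTO SRC DST [eq PORT]
        name, i, line_no = tok[1], 2, None
        if tok[i] == "line":
            line_no, i = int(tok[i + 1]), i + 2
        action, proto = tok[i], tok[i + 1]
        src, i = self._addr(tok, i + 2)
        dst, i = self._addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]
        return name, line_no, {"action": action, "proto": proto,
                               "src": src, "dst": dst, "port": port}

    def add_entry(self, tok):
        name, line_no, entry = self._parse(tok)
        acl = self.acls.setdefault(name, [])
        # 'line N' lands above the old line N; without it the entry goes last
        acl.insert(len(acl) if line_no is None else line_no - 1, entry)

    def remove_entry(self, tok):
        name, _, entry = self._parse(tok)
        acl = self.acls.get(name, [])
        if entry in acl:
            acl.remove(entry)

    def evaluate(self, name, proto, src_ip, dst_ip, dst_port):
        """First match wins; every PIX ACL ends with an implicit deny. Returns (action, line)."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for n, e in enumerate(self.acls.get(name, []), start=1):
            if (e["proto"] in (proto, "ip") and any(s in net for net in e["src"])
                    and any(d in net for net in e["dst"]) and e["port"] in (None, dst_port)):
                return e["action"], n
        return "deny", None


# Constructed config in the style of the two threads; 203.0.113.10 stands in for the public IP.
CONFIG = """\
object-group network Servers
 network-object 192.168.0.25 255.255.255.255
access-list inside_access_in permit tcp 10.0.0.0 255.255.240.0 object-group Servers
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
"""


def demo():
    pix, out = PixAcl(), {}
    pix.load(CONFIG)
    # First thread: no 'eq' on the inside entry, so TCP/3389 to the server is permitted too.
    out["wide_rdp"] = pix.evaluate("inside_access_in", "tcp", "10.0.1.5", "192.168.0.25", 3389)
    # Tightened: swap the wide entry for one that names the port.
    pix.load("no access-list inside_access_in permit tcp 10.0.0.0 255.255.240.0 object-group Servers\n"
             "access-list inside_access_in permit tcp 10.0.0.0 255.255.240.0 object-group Servers eq www")
    out["tight_rdp"] = pix.evaluate("inside_access_in", "tcp", "10.0.1.5", "192.168.0.25", 3389)
    out["tight_www"] = pix.evaluate("inside_access_in", "tcp", "10.0.1.5", "192.168.0.25", 80)
    # Second thread: 'line 2' puts ftp above the old line 2 (https), which becomes line 3.
    pix.load("access-list outside_in line 2 permit tcp any host 203.0.113.10 eq ftp")
    out["after_insert"] = [e["port"] for e in pix.acls["outside_in"]]
    out["ftp"] = pix.evaluate("outside_in", "tcp", "198.51.100.7", "203.0.113.10", 21)
    # Reverting is the same entry prefixed with 'no'.
    pix.load("no access-list outside_in permit tcp any host 203.0.113.10 eq ftp")
    out["after_remove"] = [e["port"] for e in pix.acls["outside_in"]]
    out["ftp_after"] = pix.evaluate("outside_in", "tcp", "198.51.100.7", "203.0.113.10", 21)
    return out
```

demo() returns the evaluation results keyed by step: the wide entry permits TCP/3389 at line 1, the tightened entry denies it and permits only www, and the outside_in port list reads [80, 21, 443] after the 'line 2' insert and [80, 443] again after the 'no' form removes it.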
Does the PIX 501 support UPnP? According to an older post, "PIX is currently not UPnP aware." The eight-year-old answer led to a "Request for UPnP support in PIX": https://tools.cisco.com/bugsearch/bug/CSCdy26037. If it has been made "aware", where would I find a resource on enabling it? Thanks.
Agree with Steven, most if not all of our recommendations to clients is to use the newer ASA firewall products in a migration path; besides, not only will the ASA 5505 provide you with up to 20 virtual interfaces with the Sec Plus license, but other numerous features PIX code 6.3(5) does not come close to providing.
Ultimately the PIX 506 cannot go beyond code 6.3(5) and probably gives you up to 2 VLANs maximum, and from clients' experience out there they end up in a deadlock when needing new features; you want to have a product in your network, whether it is small, that would be able to move forward with 7.x/8.x codes.
If the above is not of a concern at all, then what Andrew suggested would work.
Rgds
-Jorge -
I was under the impression that the PIX 506 or 515e did not support NetFlow but the ASA did. I noticed a few posts stating that it's not supported on the PIX but not a Cisco doc. Does anyone happen to know where I can locate a document stating the above?
PIX does not support NetFlow to the best of my knowledge.
Cisco is amazingly lackadaisical about posting comprehensive information regarding NetFlow support. I've found the best summary at a 3rd party site here. -
We have a Cisco 515 as a headend firewall with ~30 VPN connections to remote sites. The existing remote sites are using Cisco 506 firewalls and work fine. I am trying to set up an ASA 5505 as a remote firewall as a future replacement for the PIX 506s. I am able to get the site to site tunnels up just fine. The issue is that once the tunnels are up I am not able to ping the inside interface of the remote ASA from the headend LAN. I am able to telnet to the ASA and run the ASDM but no ping. I am also not able to ping from the ASA to the headend LAN but I can ping from a device on the remote ASA LAN to the headend LAN. I have rebuilt the configs manually and with the ASDM with the same results. The remote IPsec rules protect the outside interface to headend LAN just like I do on the 506s. It is almost like the ASA will not build a tunnel from the outside interface to the remote LAN. Can anyone tell me what I am missing or what is different about the ASA over the PIX? Any help appreciated.
Thanks for your reply. This is already set along with the following.
icmp permit any inside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
When looking at the logs it looks like it builds an inbound connection and tears it down. On the PIX's it builds the inbound and outbound connection and then tears them down.
When I do an inspect on the ping packets from the remote LAN I get an interesting result.
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected -
WLC 2006 INTERNAL DHCP FOR GUESTS CLIENTS
I would like to use the internal DHCP to issue IP addresses to the guest wireless clients.
However, when I set up the WLC internal DHCP scope and try to connect to the wireless guest VLAN, the WLC debug DHCP reads ...forwarding to 192.168.255.2, which I have listed as the gateway to the PIX.
Any examples on how to do this would be great.
here is what i have for the dhcp scope:
Dhcp Scope Info
Scope: Guest.Data.DHCP
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 192.168.255.17
Pool End......................................... 192.168.255.30
Network.......................................... 192.168.255.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
Here is what i have for the wlan
WLAN Identifier.................................. 2
Network Name (SSID).............................. Guest.Data
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Interface........................................ guest.data
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Radio Policy..................................... All
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
Management Frame Protection................... E
When I try to associate the DHCP scope to the wireless.guest.data interface using 192.168.255.1, which is the IP of that interface, it will not let me. I would have thought that since I was using the internal DHCP, the .1 address would be the DHCP scope address also. I can assign 192.168.255.0 or 192.168.255.2 (gateway); if I use .0 or .2 the DHCP request (discovery) process starts and then will forward to .2 (gateway) and never assign an address. The only thing that happens is that the client wireless interface will get 255.255.255.255 for a few seconds, then go away.
What I am trying to accomplish is to connect the WLC port 2 directly to a PIX 506 which goes to the internet so the guest traffic is not on our VLAN.
Any other suggestions on guest VLANs would be appreciated....
Tom
Interface Name................................... wireless.guest.data
IP Address....................................... 192.168.255.1
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.255.2
VLAN............................................. 150
Quarantine-vlan.................................. no
Physical Port.................................... 2
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Scope: wireless.guest.data.dhcp.server
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 192.168.255.17
Pool End......................................... 192.168.255.30
Network.......................................... 192.168.255.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0 -
Hello All,
I have a WLC4402 and have been using it internally for approx 4 years with ACS authentication. Everything is working great.
I am now trying to use the second port for a Guest Wireless setup running under a separate VLAN. I setup a PIX 506 for a second internet connection and that works great; when I connect the PIX to the second port on the WLC, immediately the interface stays up but protocol goes down. I have tried both a cross over and straight through cable.
If I change the Port speed from Auto to 1000 I lose layer 2 connectivity.
Any ideas ?
Colin
It's probably an issue with trunking. I don't remember if the PIXs will trunk 802.1Q. The 4402 ports are hard coded to be 802.1Q trunks by default. So if both sides of the physical link (PIX/4402) don't match then the line protocol will go down.
You could try to set the guest VLAN on the 4402 to be untagged (set it to '0' to untag it.) This will allow the guest traffic going across the wired link between the PIX and 4402 to be untagged so that the PIX won't get confused. -
Any suggestions on a low end router capable of providing a decent firewall that would begin to meet the security requirements needed for a DMZ setup? (example Cisco PIX 506 Firewall)
And whether it can be done with just a couple of wireless routers, one with an enabled DMZ? My initial thought on this is that the standard consumer wireless routers have an eight character password which is far from secure enough to do much of anything. (brainstorm details below)
Thought is to place a web form login page in the DMZ... add a read only file to test the web form access. Nothing fancy and for now, it does nothing except verify that user can login or is denied login. Verified login goes nowhere except "Success". Build something later when the first part works (if it works).
Plan is to exist over two LANs (or IP sets within the domain - one set is 192.168.01.xxx and the other set is 192.168.02.xxx) and set up bypass rules between the two. The LAN 192.168.01.xxx would house the DMZ (with HTTP port 80 access) and the LAN 192.168.02.xxx would house the internal domain (SBS 2011 DC running VPN, Sharepoint etc, HyperV server with virtuals running SQL and TFS, and laptop access). The 192.168.01.xxx is a guest LAN for non-domain (non-hostile) members.
So my questions:
1) Can the HTTP header be forwarded from SBS 2011 router rules on the router firewall to hit the second lan (http requests from 192.168.02.xxx would be routed over to 192.168.01.xxx)?
2) Can an inexpensive router like the PIX ($30 used) above solve the "crack the eight character router password" issue? (Maybe I just need a newer router in general where the passwords are more secure?)
Currently RWW open, SSL open, VPN (1723) open, 25 open... all other ports closed. [Does this create any snafu's?]
Hard to make head or tails of
http://forums.untangle.com/networking/25935-setting-up-sbs-2011-secondary-internal-dmz-3.html
R, J
While all this is good information, I would clarify one point
Port 80 should not be open and port forwarded as it's the single most commonly attacked port
Users should be taught to come in via port 443, using https
Cris Hanna [SBS - MVP] (since 1997)
Co-Contributor, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
Owner, CPU Services, Belleville, IL
A Microsoft Registered Partner
MVPs do not work for Microsoft
Please do not submit questions directly to me.
<Linda Graham> wrote in message:
Hi,
I have deployed similar setups for clients. The main thing is the quality of the router/firewall facing the internet. I assume when you talk about open ports, you mean open via NAT (network address translation); otherwise, you are leaving the firewall to do the hard work. I am a fan of Draytek 2830 ADSL routers. They also have cable routers if you connect via cable. These are much more expensive than $30 - about £230 in the UK. Cheaper models by other manufacturers are available, but what you should look for is a fully customisable NAT server (also called virtual server on some cheaper models). Have a look at Zyxel and TP-Link professional routers. Passwords with these routers can be as complex as you need.
I assume you have a static IP address or block of static IP addresses for your public WAN address. Using dynamic DNS will create problems with spam filters if you are using an Exchange/SMTP server on your SBS server to send email and is not recommended.
SBS needs to be able to access your server via ports 25, 80, 443 and 987. You may also want to use 1726 if you need a VPN connection. Use NAT to map these ports from WAN to LAN. For example, if your WAN address is XXX.XXX.XXX.XXX and your LAN subnet is 192.168.1.0 with your SBS server IP address set to 192.168.1.1 and your router IP is 192.168.1.254, then you would add the following to the NAT address table:
WAN XXX.XXX.XXX.XXX port 25 to LAN 192.168.1.1 port 25
WAN XXX.XXX.XXX.XXX port 80 to LAN 192.168.1.1 port 80
WAN XXX.XXX.XXX.XXX port 443 to LAN 192.168.1.1 port 43
WAN XXX.XXX.XXX.XXX port 987 to LAN 192.168.1.1 port 987
This will provide secure access to these ports from WAN to LAN and will enable SBS remote web access, SBS Exchange Email and Outlook Web Access. Computers connecting will require either a third party domain certificate (eg from Verisign or GoDaddy etc) or the self issued certificate (found in the public document folder on the SBS server) to be distributed to machines to enable them to use this remote access.
For the non secure subnet, you will need another router connected to a LAN port on your main router. Configure the WAN address of the secondary router to be 192.168.1.253 and the LAN subnet to be anything suitable but different from your primary LAN, eg 192.168.2.0. On your main router, set the WAN IP address of your secondary router (192.168.1.253) on the DMZ. This opens the WAN port of the secondary router to the internet but isolates it from your primary LAN subnet.
This setup is suitable for a secure network with public wifi access via the secondary router. Use the secondary router to restrict bandwidth, download types, adult content etc. to prevent public abuse of your Wifi network, but still making it suitable for smartphones to connect.
I hope this is clear, but if you have any questions, post again.
regards,
Linda
Cris Hanna, Microsoft SBS MVP, Owner-CPU Services, Belleville, IL -
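A small review helper for the NAT table in Linda's post, as an added example that is not code from either poster: it reads the four mapping lines exactly as written and reports the entries a reviewer would query, a WAN port forwarded to a different LAN port and, following Cris's point, plaintext port 80 forwarded from the Internet. The rule format, the expected-port list and the check names are constructed.

```python
"""Review helper for a NAT port-forward table (added example, not code from the thread).
The table is the one quoted in Linda's post; the checks and their labels are constructed."""
import re

NAT_TABLE = """\
WAN XXX.XXX.XXX.XXX port 25 to LAN 192.168.1.1 port 25
WAN XXX.XXX.XXX.XXX port 80 to LAN 192.168.1.1 port 80
WAN XXX.XXX.XXX.XXX port 443 to LAN 192.168.1.1 port 43
WAN XXX.XXX.XXX.XXX port 987 to LAN 192.168.1.1 port 987
"""

RULE_RE = re.compile(r"^WAN\s+(\S+)\s+port\s+(\d+)\s+to\s+LAN\s+(\S+)\s+port\s+(\d+)\s*$")

EXPECTED_PORTS = {25, 80, 443, 987}  # the ports the post says SBS needs reachable
PLAINTEXT_WEB = {80}                 # Cris: send remote users in over 443/https instead


def parse_rules(text):
    """One dict per mapping line; anything that is not a WAN->LAN mapping is ignored."""
    rules = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"line": n, "wan_ip": m.group(1), "wan_port": int(m.group(2)),
                          "lan_ip": m.group(3), "lan_port": int(m.group(4))})
    return rules


def review(rules):
    """(line, check, detail) for every mapping that deserves a second look."""
    findings = []
    for r in rules:
        if r["wan_port"] != r["lan_port"]:
            findings.append((r["line"], "port-mismatch",
                             f"WAN {r['wan_port']} forwarded to LAN {r['lan_port']}"))
        if r["wan_port"] in PLAINTEXT_WEB:
            findings.append((r["line"], "plaintext-http",
                             "port 80 forwarded from the Internet; prefer 443/https"))
        if r["wan_port"] not in EXPECTED_PORTS:
            findings.append((r["line"], "unexpected-port",
                             f"port {r['wan_port']} is not in the SBS list"))
    return findings


if __name__ == "__main__":
    for line, check, detail in review(parse_rules(NAT_TABLE)):
        print(f"line {line}: {check}: {detail}")
```

On the table as quoted, review() reports the port 80 forward on line 2 and the 443-to-43 mapping on line 3; a forward for a port outside the SBS list would show up as unexpected-port.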
Why does show isakmp sa shows multiple ISAKMP key exchanges for same peer
I have a site-2-site vpn tunnel between a Pix 506e 6.3(3) and an ASA 5510 running 9.0(3)6. I can control both sides of the config.
This tunnel worked fine until we did a firmware update on the ASA which was originally running 8.4(2). I have 3 tunnels which terminate at our ASA with peer IPs that are on PIX 506e models having issues and I can't figure out why. I will focus on one tunnel in particular in hopes that someone can help me fix it and I can try to apply the fix to the other two acting up.
The symptoms are as follows:
Tunnel will come up with Phase 1 and Phase 2. Everything will work fine for a variable amount of time then the tunnel will drop. I see this over and over again in the logs of the ASA
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel
If I go into the ASA and I remove the crypto map and then re-add it. The tunnel comes back up and remains active for a variable amount of time once again. And when I say variable I mean it can stay up and working for as long as a half a day or as little as 15 min .
During the outage if I do a show isakmp sa on the pix I get the following
pix# show isakmp sa
Total : 6
Embryonic : 0
dst src state pending created
66.1x3.93.212 207.207.x.146 QM_IDLE 0 115
66.1x3.93.212 207.207.x.146 QM_IDLE 0 254
66.1x3.93.212 207.207.x.146 QM_IDLE 0 123
66.1x3.93.212 207.207.x.146 QM_IDLE 0 108
66.1x3.93.212 207.207.x.146 QM_IDLE 0 224
66.1x3.93.212 207.207.x.146 QM_IDLE 0 129
On the ASA doing the same cmd will get me
IKE Peer: 66.193.93.212
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG2
If I want to bring the tunnel back up right away, I can remove the crypto map from the ASA and then re-add it and everything will work again for a bit. What should I be checking?
Is there some kind of difference I should now be aware of between the isakmp config on the PIX and ikev1 on the ASA? It was all working before when the ASA was on 8.4(2) and this is ONLY happening to my tunnels that are terminating on the PIX 506e devices running 6.3(3). That's a clue I know, I just don't understand what I should be looking at to figure out how to fix it.
There are several things that could cause these symptoms, and we do not have enough information provided to identify which one it is.
- Certainly it could cause these symptoms if the peer ASA5520 is not yet configured.
- It could also cause these symptoms if the peer ASA5520 is configured but some of the configuration parameters do not match what you have configured.
- I am puzzled why there are two addresses configured on the interface. If the peer ASA5520 configured its peer address to use the secondary address it might cause these symptoms.
- I see that address translation is configured. Some mistakes in configuring address translation might cause symptoms like these.
As a first step I would suggest that you contact the administrator of the ASA5520 and ask if their configuration is complete. If they believe that their configuration is complete then you might ask them to specify what parameters they have configured and compare them to your parameters.
As a follow up step, running debug crypto isakmp might provide some insight into what is happening and what is the problem.
HTH
Rick
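The two outputs quoted in this thread, parsed by an added helper that is not code from the thread. It picks out what a reader should look at first: the PIX holding six established (QM_IDLE) phase-1 SAs for the same peer, and the ASA side sitting in MM_WAIT_MSG2 as initiator. The poster's masked addresses are kept exactly as posted; the regexes and checks are constructed.

```python
"""Parse the 'show isakmp sa' output from the thread (added example, not code from the
thread). The sample text is the quoted output with the poster's masking kept; the
checks are constructed."""
import re
from collections import defaultdict

PIX_OUTPUT = """\
Total : 6
Embryonic : 0
dst src state pending created
66.1x3.93.212 207.207.x.146 QM_IDLE 0 115
66.1x3.93.212 207.207.x.146 QM_IDLE 0 254
66.1x3.93.212 207.207.x.146 QM_IDLE 0 123
66.1x3.93.212 207.207.x.146 QM_IDLE 0 108
66.1x3.93.212 207.207.x.146 QM_IDLE 0 224
66.1x3.93.212 207.207.x.146 QM_IDLE 0 129
"""

ASA_OUTPUT = """\
IKE Peer: 66.193.93.212
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG2
"""

# dst src STATE pending created; the header line does not match because 'state' is lower case
PIX_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s*$")
ASA_FIELD = re.compile(r"(Role|State)\s*:\s*([A-Za-z_0-9]+)")


def parse_pix_sa(text):
    """One dict per SA row; the counters and the header are skipped."""
    rows = []
    for line in text.splitlines():
        m = PIX_ROW.match(line)
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                         "pending": int(m.group(4)), "created": int(m.group(5))})
    return rows


def duplicate_sas(rows):
    """Peers (src, dst) holding more than one established (QM_IDLE) phase-1 SA,
    with their 'created' values sorted so the spread is visible."""
    by_peer = defaultdict(list)
    for r in rows:
        if r["state"] == "QM_IDLE":
            by_peer[(r["src"], r["dst"])].append(r["created"])
    return {peer: sorted(c) for peer, c in by_peer.items() if len(c) > 1}


def asa_status(text):
    """(role, state) from the ASA output. MM_WAIT_MSG2 means this side sent main-mode
    message 1 as initiator and is still waiting for the responder's reply."""
    fields = dict(ASA_FIELD.findall(text))
    return fields.get("Role"), fields.get("State")


def report():
    rows = parse_pix_sa(PIX_OUTPUT)
    return {"sa_rows": len(rows), "duplicates": duplicate_sas(rows),
            "asa": asa_status(ASA_OUTPUT)}


if __name__ == "__main__":
    print(report())
```

A healthy IKEv1 tunnel keeps one phase-1 SA per peer, briefly two across a rekey; a pile of QM_IDLE entries for one peer with different creation times, while the other side is still waiting in MM_WAIT_MSG2, is the thing to take into debug crypto isakmp as Rick suggests.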