PIX 506 vs. 1812?

I have the following situation:
1 secure employee network (no Internet connection, only terminal sessions to the OPEN network)
1 open employee network (with Internet Connection)
1 guest WLAN (Internet Connection ONLY - no local access)
I've been recommended to use either a PIX 506E or a 1812 router.
Which is the better for this task?
Approx. 30 users and 10Mbps WAN connection, secure/open network placed in separate VLANs on Catalyst 2950.

PIX 506E should be best suitable for the task. check out the following link for information on configuring PIX 506E :
http://www.cisco.com/application/pdf/en/us/guest/products/ps2030/c1616/ccmigration_09186a0080177097.pdf

Similar Messages

  • PIX 506 (6.3) configuration query

    So just some background: I inherited a PIX 506 with 6.3. I will admit my background is more towards switching/routing. But while I know it is a dinosaur, I need to maintain it for partner interoperability. I just want to confirm that what I am thinking is correct and, if not, how I can correct it.
    My thought is that since the access-list command doesn't list "eq" at the end, all ports and protocols are allowed?
    The other thing I am not used to is that the access-list has no id/number included in the command, so I assume that access-group specifies this functionality.
    All responses are appreciated.
    Here is a snippet of the current config:
    object-group network Ext_Net
      network-object 192.168.0.0 255.255.255.255
    object-group network Int_Net
      network-object 10.0.0.0 255.255.240.0
    object-group network DNS
      network-object 192.168.0.254 255.255.255.255
      network-object 192.168.0.253 255.255.255.255
    object-group network Servers
      network-object 192.168.0.25 255.255.255.255
      network-object 192.168.0.62 255.255.255.255
      network-object 192.168.0.87 255.255.255.255
    object-group network Int_Net_ref
      network-object 192.168.0.0 255.255.255.255
    object-group service Ports tcp
      port-object range 3995 3995
      port-object range telnet telnet
      port-object range 8010 8010
      port-object range 8080 8080
      port-object eq pop3
      port-object eq imap4
      port-object eq smtp
      port-object eq 433
      port-object eq www
      port-object eq https
      port-object eq ssh
      port-object range https https
      port-object eq 9100
      port-object eq lpd
      port-object eq 584
      port-object eq 585
      port-object range 500 700 
    access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
    access-list inside_access_in permit udp object-group Int_Net object-group DNS
    access-list inside_access_in permit tcp object-group Int_Net object-group Servers
    access-list outside_access_in permit tcp object-group Ext_Net object-group Int_Net_ref
    access-list outside_access_in permit tcp object-group Servers object-group Int_Net_ref
    access-list outside_access_in permit tcp object-group DNS object-group Int_Net_ref
    pdm location 192.168.0.254 255.255.255.255 outside
    pdm location 192.168.0.253 255.255.255.255 outside
    pdm location
    pdm group Ext_Net 255.255.255.255 outside
    pdm group Int_Net 255.255.255.255 inside
    nat (inside) 2 Int_Net 255.255.240.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

    Yes, if the ACL does not have an 'eq' command, all ports for that protocol will be allowed.  Not the best thing to do. 
    The access-group command applies the ACL to the interface in either the in or out direction.  These two commands in your config apply the ACL's to the ingress direction on the PIX:
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    So traffic coming ingress to the outside interface will have the outside_access_in applied to it.
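    The following is an added example, not part of the original thread, showing how the posted `inside_access_in` rules can be bound to ports using the object-groups the poster already defined. The service group `Ports` exists in the posted config but is never referenced, which is why the TCP rule currently matches every port. One caveat to verify in the posted config: in PIX syntax `network-object 192.168.0.0 255.255.255.255` is a single host entry, so `Ext_Net` and `Int_Net_ref` as written match only the one address 192.168.0.0 (check with `show object-group`).

```text
! Added example (PIX 6.3 syntax), not from the original post.
!
! As posted: no port qualifier, so every TCP port from Int_Net to Ext_Net is permitted
!   access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
!
! Replace it with the same rule bound to the already-defined "Ports" service group
no access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net object-group Ports
!
! Same treatment for the DNS rule: UDP 53 only, not every UDP port
no access-list inside_access_in permit udp object-group Int_Net object-group DNS
access-list inside_access_in permit udp object-group Int_Net object-group DNS eq domain
!
! Check the result: the PIX expands each object-group line into one entry per
! element, each with its own hit counter
show access-list inside_access_in
```

    Removing and re-adding a line appends it at the end of the ACL; that is harmless here because every existing entry is a permit and the only deny is the implicit one at the end, but in an ACL that mixes permit and deny you would use the `line N` form to keep the order. Note also that `Ports` as defined includes telnet, pop3 and imap4 (cleartext protocols) and a `range 500 700` that covers far more than the named services, so it is worth trimming that group before relying on it.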

  • PIX 506 & 3000 Concentrator

    I have a site-to-site VPN from my PIX to a client's VPN 3000 Concentrator. The tunnel drops when there is no traffic and only comes back up when they ping or generate traffic from the VPN 3000 Concentrator. Until then traffic through the PIX 506 does not go through. Please help??

    DPD or dead peer detection which is enabled by default should prevent this. Guess, you are running an older version of the OS that does not support DPD. Support for DPD on Cisco VPN 3000 Concentrator starts with software version 3.0 and on the PIX Firewall with software version 6.0(1). You will need to upgrade to these versions.

  • PIX 506 - Limited Throughput ?

    Hi
    I recently found a use for an old PIX 506 that I found in our store cupboard.
    After doing a 'show ver' I noticed that although the number of internal hosts was unrestricted, the throughput is 'limited'. The outside Ethernet is registering as 10/half.
    Can anyone please tell me what the limitation is ? Is it just the difference between 10 and 100 Mbps ?
    Rgrds

    Hi,
    Concerning the last post by Vibhor, which appears to be incorrect, as I have a PIX 506E here which is limited to 10Mb Full as the show ver below indicates.
    Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    0: ethernet0: address is 0009.7c48.c0db, irq 10
    1: ethernet1: address is 0009.7c48.c0dc, irq 11
    Licensed Features:
    Failover:           Disabled
    VPN-DES:            Enabled
    VPN-3DES:           Enabled
    Maximum Interfaces: 2
    Cut-through Proxy:  Enabled
    Guards:             Enabled
    URL-filtering:      Enabled
    Inside Hosts:       Unlimited
    Throughput:         Limited
    IKE peers:          Unlimited
    Is this a licensing limitation?
    Thanks
    DGW

  • Pix 506 E with cable modem

    I'm trying to get a DHCP address from my cable modem to my PIX 506E but it fails
    "ip address outside dchp setroute"
    somebody know how to get this working?

    Try decreasing the MTU size to 1370. You can do that via the GUI.

  • URL Filtering w/ PIX 506

    A customer called me to ask about URL filtering. He bought a 506 a little over a year ago. I haven't been on site to see exactly what IOS he has, but he wants to know if he can filter certain web sites from certain PCs. Of course the answer is yes, but I need to know more about the capabilities of the 506 URL filtering capabilities. Can I create a "White list" for certain PCs in an address range and allow full access to other PCs?
    The real problem is on 3 PCs that midnight shift users like to use for porn surfing!
    If the 506 can't do the filtering, then I may just add a local piece of software on the 3 problem PCs.
    Any advice on the 506 capabilities would be appreciated.

    hi
    You can use Websense in addition to the PIX firewall to filter the traffic based on the URL, which is most widely deployed, but again you need to decide the cost factor involved in doing so.
    regds

  • Cisco Pix 506 Blocks certain websites in Win 7/Vista but not XP

    We have been using a Pix 506E with Websense for many years and it has worked fine.  We recently got rid of Websense, deleted all references to it in our configuration, and now on Win 7/Vista machines, certain websites are not accessible, yet are accessible on XP machines.  When the Win 7 machine is taken off site, the websites are accessible.  How do we correct this?  If I have to post my configuration, what should not be shown?

  • PIX 506 Config

    Hello;
    I would like to edit the config to open up a FTP port, but need to know the exact steps/procedures.
    1.) I can remote in via the LAN with Hyperterm.
    2.) Can probably use a system to console in if necessary.
    Here's part of the config for the ACL I would like to update:
    access-list outside_in permit tcp any host <public IP> eq www
    access-list outside_in permit tcp any host <public IP> eq https
    Would this be the correct access list entry for ftp to this system?
    access-list outside_in permit tcp any host <public IP> eq ftp
    I just need to know:
    1.) Once I remote in, can I somehow place this acl line right below the https one?
    2.) Can I use a TFTP program and move a text file config onto the PIX?
    3.) If I need to revert back or erase the line, would I just type:
    no access-list outside_in permit tcp any host <public IP> eq ftp
    Thanks, Steve

    That's correct:
    access-list outside_in permit tcp any host eq ftp
    To insert it you can do:
    access-list outside_in line 3 permit tcp any host eq ftp
    The "line 3" will insert ABOVE the existing line 3. It will make the current line 3, line 4.
    You can use tftp by using write net.
    And to remove your line, you do exactly like you have it.
    Don't forget your statics though.
    static (inside, outside) netmask 255.255.255.255
    clear xlate
    --John
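    As an added example, not from the original post, here is the full sequence John describes, with a check before and after. The public address 203.0.113.10 and the inside server 10.1.1.10 are placeholders from the documentation ranges, standing in for the addresses the post elides.

```text
! Added example (PIX 6.3 syntax); addresses are placeholders, not from the post.
!
! 1. See the current line numbers before inserting, so the new rule lands where intended
show access-list outside_in
!
! 2. Insert the FTP rule as the new line 3; the old line 3 (the https rule's neighbour) becomes line 4
access-list outside_in line 3 permit tcp any host 203.0.113.10 eq ftp
!
! 3. The ACL only permits; the static is what maps the public address to the server.
!    If a static for this public address already exists (it must, for www/https to work), skip this.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
!
! 4. Drop existing translations so the static takes effect, confirm, then save
clear xlate
show access-list outside_in
write memory
!
! To back the change out: remove the rule with the same line prefixed by "no"
no access-list outside_in permit tcp any host 203.0.113.10 eq ftp
```

    Two caveats a practitioner would want here: the FTP data channel only works because `fixup protocol ftp 21` is on by default in PIX 6.x, so confirm it has not been disabled; and FTP sends credentials in the clear to an `any` source, so restrict the source to the partner's address range where you can, or prefer SFTP/FTPS on the server side.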

  • PIX 501 and UPnP

    Does the PIX 501 support UPnP? According to an older post, "PIX is currently not UPnP aware." The eight-year-old answer led to a "Request for UPnP support in PIX": https://tools.cisco.com/bugsearch/bug/CSCdy26037. If it has been made "aware", where would I find a resource on enabling it? Thanks.

    Agree with Steven; most if not all of our recommendations to clients are to use the newer ASA firewall products in a migration path. Besides, not only will the ASA 5505 provide you with up to 20 virtual interfaces with the Security Plus license, but also numerous other features that PIX code 6.3(5) does not come close to providing.
    Ultimately the PIX 506 cannot go beyond code 6.3(5) and probably gives you up to 2 VLANs maximum, and from clients' experience out there they end up in a deadlock when needing new features; you want to have a product in your network, however small, that would be able to move forward with 7.x/8.x code.
    If the above is not of a concern at all, then what Andrew suggested would work.
    Rgds
    -Jorge

  • Netflow on Pix?

    I was under the impression that the PIX 506 or 515E did not support NetFlow but the ASA did. I noticed a few posts stating that it's not supported on the PIX, but not a Cisco doc. Does anyone happen to know where I can locate a document stating the above?

    PIX does not support NetFlow to the best of my knowledge.
    Cisco is amazingly lackadaisical about posting comprehensive information regarding NetFlow support. I've found the best summary at a 3rd party site here.

  • ASA 5505 VPN Issue

    We have a Cisco 515 as a headend firewall with ~30 VPN connections to remote sites. The existing remote sites are using Cisco 506 firewalls and work fine. I am trying to set up an ASA 5505 as a remote firewall as a future replacement for the PIX 506s. I am able to get the site-to-site tunnels up just fine. The issue is that once the tunnels are up I am not able to ping the inside interface of the remote ASA from the headend LAN. I am able to telnet to the ASA and run the ASDM but no ping. I am also not able to ping from the ASA to the headend LAN, but I can ping from a device on the remote ASA LAN to the headend LAN. I have rebuilt the configs manually and with the ASDM with the same results. The remote IPsec rules protect the outside interface to headend LAN just like I do on the 506s. It is almost like the ASA will not build a tunnel from the outside interface to the remote LAN. Can anyone tell me what I am missing or what is different about the ASA over the PIX? Any help appreciated.

    Thanks for your reply. This is already set along with the following.
    icmp permit any inside
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    When looking at the logs it looks like it builds an inbound connection and tears it down. On the PIX's it builds the inbound and outbound connection and then tears them down.
    When I do an inspect on the ping packets from the remote LAN I get an interesting result.
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (ipsec-spoof) IPSEC Spoof detected

  • WLC 2006 INTERNAL DHCP FOR GUESTS CLIENTS

    I would like to use the internal DHCP to issue ipaddress to the guest wireless clients.
    However, when I set up the WLC internal DHCP scope and try to connect to the wireless guest VLAN, the WLC debug DHCP reads ...forwarding to 192.168.255.2, which I have listed as the gateway to the PIX.
    any examples on how to do this would be great.
    here is what i have for the dhcp scope:
    Dhcp Scope Info
    Scope: Guest.Data.DHCP
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 192.168.255.17
    Pool End......................................... 192.168.255.30
    Network.......................................... 192.168.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
    Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
    Here is what i have for the wlan
    WLAN Identifier.................................. 2
    Network Name (SSID).............................. Guest.Data
    Status........................................... Disabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. Infinity
    Interface........................................ guest.data
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Enabled
    Quality of Service............................... Silver (best effort)
    WMM.............................................. Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    --More-- or (q)uit
    Radio Policy..................................... All
    Security
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    IP Security Passthru.......................... Disabled
    Web Based Authentication...................... Disabled
    Web-Passthrough............................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    Management Frame Protection................... E

    When I try to associate the DHCP scope to the wireless.guest.data interface using 192.168.255.1, which is the IP of that interface, it will not let me. I would have thought since I was using the internal DHCP that the .1 address would be the DHCP scope address also. I can assign 192.168.255.0 or 192.168.255.2 (gateway); if I use .0 or .2 the DHCP request (discovery) process starts and then will forward to .2 (gateway) and never assign an address. The only thing that happens is that the client wireless interface will get 255.255.255.255 for a few seconds then go away.
    What I am trying to accomplish is to connect WLC port 2 directly to a PIX 506 which goes to the Internet so the guest traffic is not on our VLAN.
    Any other suggestions on guest VLANs would be appreciated....
    Tom
    Interface Name................................... wireless.guest.data
    IP Address....................................... 192.168.255.1
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 192.168.255.2
    VLAN............................................. 150
    Quarantine-vlan.................................. no
    Physical Port.................................... 2
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Scope: wireless.guest.data.dhcp.server
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 192.168.255.17
    Pool End......................................... 192.168.255.30
    Network.......................................... 192.168.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
    Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0

  • Guest Wireless

    Hello All,
    I have a WLC4402 and have been using it internally for approx 4 years with ACS authentication. Everything is working great.
    I am now trying to use the second port for a Guest Wireless setup running under a separate VLAN. I set up a PIX 506 for a second Internet connection and that works great; when I connect the PIX to the second port on the WLC, immediately the interface stays up but protocol goes down. I have tried both a crossover and a straight-through cable.
    If I change the port speed from Auto to 1000 I lose layer 2 connectivity.
    Any ideas ?
    Colin

    It's probably an issue with trunking. I don't remember if the PIXes will trunk 802.1q. The 4402 ports are hard coded to be 802.1q trunks by default. So if both sides of the physical link (PIX/4402) don't match then the line protocol will go down.
    You could try to set the guest VLAN on the 4402 to be untagged (set it to '0' to untag it). This will allow the guest traffic going across the wired link between the PIX and 4402 to be untagged so that the PIX won't get confused.

  • DMZ setup for SBS 2011

    Any suggestions on a low end router capable of providing a decent firewall that would begin to meet the security requirements needed for a DMZ setup?  (example Cisco PIX 506 Firewall) 
    And whether it can be done with just a couple of wireless routers, one with an enabled DMZ?   My initial thought on this is that the standard consumer wireless routers have an eight character password which is far from secure enough to do
    much of anything. (brainstorm details below)
    Thought is to place a web form login page in the DMZ... add a read only file to test the web form access.  Nothing fancy and for now, it does nothing except verify that user can login or is denied login.   Verified login goes nowhere except
    "Success".  Build something later when the first part works (if it works).
    Plan is to exist over two lans (or IP sets within the domain - one set is 192.168.01.xxx and the other set is 192.168.02.xxx) and set up bypass rules between the two.  The Lan 192.168.01.xxx would house the DMZ (with HTTP port 80 access) and the
    Lan 192.168.02.xxx would house the internal domain (SBS 2011 DC running VPN, Sharepoint etc, HyperV server with virtuals running SQL and TFS, and laptop access).  The 192.168.01.xxx is a guest lan for non-domain (non-hostile) members.
    So my questions: 
    1) Can the HTTP header be forwarded from SBS 2011 router rules on the router firewall to hit the second lan (http requests from 192.168.02.xxx would be routed over to 192.168.01.xxx)?
    2) Can an inexpensive router like the PIX ($30 used) above solve the "crack the eight character router password issue?"  (Maybe I just need a newer router in general where the passwords are more secure?)
    Currently RWW open, SSL open, VPN (1723) open, 25 open... all other ports closed. [Does this create any snafus?]
    Hard to make head or tails of
    http://forums.untangle.com/networking/25935-setting-up-sbs-2011-secondary-internal-dmz-3.html
    R, J

    While all this is good information, I would clarify one point
    Port 80 should not be open and port forwarded as it's the single most commonly attacked port
    Users should be taught to come in via port 443, using https
    Cris Hanna [SBS - MVP] (since 1997)
    Co-Contributor, Windows Small Business Server 2008 Unleashed
    Owner, CPU Services, Belleville, IL
    Linda Graham wrote:
    Hi,
    I have deployed similar setups for clients. The main thing is the quality of the router/firewall facing the internet. I assume when you talk about open ports, you mean open via NAT (network address translation) otherwise, you are leaving the firewall to
    do the hard work. I am a fan of Draytek 2830 adsl routers. They also have cable routers if you connect via cable. These are much more expensive than $30 - about £230 in the UK. Cheaper models by other manufacturers are available, but what you should look for
    is a fully customisable NAT server (also called virtual server on some cheaper models) Have a look at Zyxel and TP-Link professional routers. Passwords with these routers can be as complex as you need.
    I assume you have a static IP address or block of static IP addresses for your public wan address. Using dynamic DNS will create problems with spam filters if you are using an Exchange/smtp server on your SBS server to send email and is not recommended.
    SBS needs to be able to access your server via ports 25, 80, 443 and 987. You may also want to use 1726 if you need a VPN connection. Use NAT to map these ports from WAN to LAN. for example if your WAN address is XXX.XXX.XXX.XXX and your LAN subnet
    is 192.168.1.0 with your SBS server IP address set to 192.168.1.1 and your router IP is 192.168.1.254, then you would add the following to the NAT address table:
    WAN XXX.XXX.XXX.XXX port 25 to LAN 192.168.1.1 port 25
    WAN XXX.XXX.XXX.XXX port 80 to LAN 192.168.1.1 port 80
    WAN XXX.XXX.XXX.XXX port 443 to LAN 192.168.1.1 port 43
    WAN XXX.XXX.XXX.XXX port 987 to LAN 192.168.1.1 port 987
    This will provide secure access to these ports from WAN to LAN and will enable SBS remote web access, SBS Exchange Email and Outlook Web Access. Computers connecting will require either a third party domain certificate (eg from Verisign or
    GoDaddy etc) or the self issued certificate (found in the public document folder on the SBS server) to be distributed to machines to enable them to use this remote access.
    For the non secure subnet, you will need another router connected to a LAN port on your main router. Configure the WAN address of the secondary router to be 192.168.1.253 and the LAN  subnet to be anything suitable but different from your primary
    LAN, eg 192.168.2.0. On your main router, set the WAN IP address of your secondary router (192.168.1.253) on the DMZ. This opens the WAN port of the secondary router to the internet but isolates it from your primary LAN subnet.
    This setup is suitable for a secure network with public wifi access via the secondary router. Use the secondary router to restrict bandwidth, download types, adult content etc. to prevent public abuse of your Wifi network, while still making it suitable for smartphones to connect.
    I hope this is clear, but if you have any questions, post again.
    regards,
    Linda

  • Why does show isakmp sa shows multiple ISAKMP key exchanges for same peer

    I have a site-2-site vpn tunnel between a Pix 506e 6.3(3) and an ASA 5510 running 9.0(3)6. I can control both sides of the config.
    This tunnel worked fine until we did a firmware update on the ASA which was originally running 8.4(2).  I have 3 tunnels which terminate at our ASA with peer Ips that are on device  pix 506e models having issues and I cant figure out why. I will focus on one tunnel in particular in hopes that someone can help me fix it and I can try to apply the fix to the other two acting up.
    The symptoms are as follows:
    Tunnel will come up with Phase 1 and Phase 2. Everything will work fine for a variable amount of time then the tunnel will drop. I see this over and over again in the logs of the ASA
    Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel
    If I go into the ASA and I remove the crypto map and then re-add it. The tunnel comes back up and remains active for a variable amount of time once again. And when I say variable I mean it can stay up and working for as long as a half a day or as little as 15 min .
    During the outage if I do a show isakmp sa on the pix I get the following
    pix# show isakmp sa
    Total     : 6
    Embryonic : 0
            dst               src        state     pending     created
       66.1x3.93.212   207.207.x.146    QM_IDLE         0         115
       66.1x3.93.212   207.207.x.146    QM_IDLE         0         254
       66.1x3.93.212   207.207.x.146    QM_IDLE         0         123
       66.1x3.93.212   207.207.x.146    QM_IDLE         0         108
       66.1x3.93.212   207.207.x.146    QM_IDLE         0         224
       66.1x3.93.212   207.207.x.146    QM_IDLE         0         129
    On the ASA doing the same cmd will get me
    IKE Peer: 66.193.93.212
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2
    If I want to bring the tunnel back up right away, I can remove the crypto map from the ASA and then re-add it and everything will work again for a bit. What should I be checking?
    Is there some kind of difference I should now be aware of between the isakmp config on the PIX and IKEv1 on the ASA? It was all working before when the ASA was on 8.4(2) and this is ONLY happening to my tunnels that are terminating on the PIX 506E devices running 6.3(3). That's a clue I know, I just don't understand what I should be looking at to figure out how to fix it.

    There are several things that could cause these symptoms, and we do not have enough information provided to identify which one it is.
    - Certainly it could cause these symptoms if the peer ASA5520 is not yet configured.
    - It could also cause these symptoms if the peer ASA5520 is configured but some of the configuration parameters do not match what you have configured.
    - I am puzzled why there are two addresses configured on the interface. If the peer ASA5520 configured its peer address to use the secondary address it might cause these symptoms.
    - I see that address translation is configured. Some mistakes in configuring address translation might cause symptoms like these.
    As a first step I would suggest that you contact the administrator of the ASA5520 and ask if their configuration is complete. If they believe that their configuration is complete then you might ask them to specify what parameters they have configured and compare them to your parameters.
    As a follow up step, running debug crypto isakmp might provide some insight into what is happening and what is the problem.
    HTH
    Rick
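    The six QM_IDLE entries for one peer in the poster's `show isakmp sa` output are the most concrete evidence in the thread, and they are easy to check for across many PIXes. The script below is an added example, not from the thread or from Cisco; it parses the table format exactly as the poster pasted it (column order dst, src, state, pending, created) and flags any peer holding more than one Phase 1 SA. The sample input is the poster's own table, with the addresses masked as they appear in the post.

```python
"""Flag peers holding more than one ISAKMP (Phase 1) SA in PIX 6.3 'show isakmp sa' output.

Added example, not from the original thread. SAMPLE is the table the poster
pasted (addresses partially masked as in the post); the parser assumes only
the column order shown there: dst, src, state, pending, created.
"""
from collections import defaultdict

SAMPLE = """\
Total     : 6
Embryonic : 0
        dst               src        state     pending     created
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         115
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         254
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         123
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         108
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         224
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         129
"""


def parse_isakmp_sa(text):
    """Return one dict per SA row found in 'show isakmp sa' output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five columns and a numeric 'pending' field;
        # the header row and the Total/Embryonic lines do not.
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        dst, src, state, pending, created = parts
        rows.append({"dst": dst, "src": src, "state": state,
                     "pending": int(pending), "created": int(created)})
    return rows


def sa_per_peer(rows):
    """Count SAs per (dst, src) pair."""
    counts = defaultdict(int)
    for r in rows:
        counts[(r["dst"], r["src"])] += 1
    return dict(counts)


def stale_peers(rows, max_sas=1):
    """Return peers with more than max_sas SAs, mapped to their sorted 'created' values.

    A site-to-site peer normally holds a single live Phase 1 SA. Several
    QM_IDLE entries for one peer are a sign that the two ends no longer
    agree on which SA is current, which matches the thread's symptom (the
    ASA side sitting in MM_WAIT_MSG2 while the PIX still lists six SAs).
    """
    by_peer = defaultdict(list)
    for r in rows:
        by_peer[(r["dst"], r["src"])].append(r["created"])
    return {peer: sorted(vals) for peer, vals in by_peer.items() if len(vals) > max_sas}


if __name__ == "__main__":
    rows = parse_isakmp_sa(SAMPLE)
    for (dst, src), vals in stale_peers(rows).items():
        print(f"{dst} <-> {src}: {len(vals)} ISAKMP SAs (created {vals}); expected 1, "
              "clear the stale SAs on this peer before re-testing the tunnel")
```

    Run it against the output of each PIX that terminates a tunnel to the upgraded ASA; a peer that keeps accumulating QM_IDLE entries between outages is the one to run `debug crypto isakmp` on, as Rick suggests, so that the mismatch is caught on the next negotiation rather than after the tunnel has already failed.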
