PIX 506E routes died

Hello experts...
I've had a set of PIX 506E boxes holding an IPSEC tunnel for a good year or so without a hitch. Today, the tunnel dropped and I lost access to the remote site. The local PIX can only ping devices on the local [inside] subnet and all nodes on all my other subnets can't find a route to the PIX. On the local gateway, I can ping the PIX, but can't traceroute to it. I also ran an ICMP debug and could see when remote nodes ping, but the reply doesn't leave the box.
Nothing has changed, routes all look good, I've reset everything -- no luck at all. Any idea what may be happening? I have a feeling it's a basic issue that looks more complex than it is, but I'm stumped at this point.
Any help would be greatly appreciated!
Thanks,
Jad

Use this: Cisco PIX 500 Series Security Appliances Troubleshoot and Alerts
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/tsd_products_support_troubleshoot_and_alerts.html
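The symptom above, a request seen arriving while the reply never leaves, comes down to the route lookup the PIX performs for the reply's destination. The longest-prefix-match model below is an added example, not part of this thread and not PIX code: it mirrors the `route <interface> <network> <mask> <gateway> [metric]` command form and shows that, when a non-connected internal subnet has no route, a reply to a host on that subnet resolves to the default route out the outside interface rather than back through the inside interface where the request came in. All interface addresses, subnets and route lines are constructed for the illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed example: a longest-prefix-match route table in the shape of the
# PIX "route <iface> <net> <mask> <gateway> [metric]" command. Not PIX code.
class RouteTable:
    def __init__(self) -> None:
        # (network, gateway or None for a connected subnet, interface name, metric)
        self.routes: List[Tuple[ipaddress.IPv4Network, Optional[str], str, int]] = []

    def add_connected(self, iface: str, addr_and_mask: str) -> None:
        """An interface address such as '192.168.10.1/255.255.255.0' adds its connected subnet."""
        net = ipaddress.ip_interface(addr_and_mask).network
        self.routes.append((net, None, iface, 0))

    def add_static(self, line: str) -> None:
        """Parse one 'route <iface> <net> <mask> <gateway> [metric]' line."""
        t = line.split()
        if len(t) < 5 or t[0] != "route":
            raise ValueError(f"not a route line: {line!r}")
        iface, net, mask, gw = t[1:5]
        metric = int(t[5]) if len(t) > 5 else 1
        self.routes.append((ipaddress.ip_network(f"{net}/{mask}"), gw, iface, metric))

    def lookup(self, dst: str) -> Optional[Tuple[str, Optional[str]]]:
        """Return (egress interface, next hop) for dst: longest prefix wins, then lowest metric."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, gw, iface, metric in self.routes:
            if ip not in net:
                continue
            if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3]):
                best = (net, gw, iface, metric)
        return None if best is None else (best[2], best[1])


def reply_stays_on_ingress(table: RouteTable, ingress_iface: str, peer: str) -> bool:
    """True when the reply to 'peer' would leave through the interface its request arrived on."""
    hit = table.lookup(peer)
    return hit is not None and hit[0] == ingress_iface


def build_table(with_internal_route: bool) -> RouteTable:
    """Constructed PIX: inside 192.168.10.1/24, outside 198.51.100.2/30, default route via the ISP."""
    t = RouteTable()
    t.add_connected("inside", "192.168.10.1/255.255.255.0")
    t.add_connected("outside", "198.51.100.2/255.255.255.252")
    t.add_static("route outside 0.0.0.0 0.0.0.0 198.51.100.1 1")
    if with_internal_route:
        # Route for a second internal subnet via the inside gateway (constructed addresses).
        t.add_static("route inside 10.20.0.0 255.255.0.0 192.168.10.254 1")
    return t


if __name__ == "__main__":
    peer = "10.20.0.7"  # constructed host on another internal subnet that pings the PIX
    for flag in (False, True):
        table = build_table(flag)
        print(f"internal route present={flag}: reply to {peer} -> {table.lookup(peer)}, "
              f"leaves via ingress interface: {reply_stays_on_ingress(table, 'inside', peer)}")
```

Run against a real box, the check is the same: take the source address from the ICMP debug, run it through `show route`, and confirm the winning entry points back out the interface the request arrived on.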

Similar Messages

  • Linksys WRT600N vs CISCO PIX 506E.... Firewall / Routing Performance

    Hi:
    I am new to the forum and was hoping to tap into some of your expertise. I have a Linksys WRT600N version 1.1 and I recently acquired a CISCO PIX 506E firewall. My question is what should I use as a firewall? Both have SPI etc. Should I:
    a) Use the 506E as a firewall and use the 600 as a wireless access point, or
    b) Use the 600 as a firewall and wireless access point.
    Do both routers have the same firewall routing performance? I want to use the storage feature on the 600N, but if I do that and use it as a wireless access point the 600 can't get the proper time from the Internet, so my time for newly created folders and files shows they are 10 years old.
    Anyway, just thought I would post and find out what some of the experts thought and maybe someone from Linksys or CISCO. I know the 506E is discontinued and was manufactured around 2001 and the 600N is a new model.
    (Edited subject to keep threads from stretching. Thanks!)
    Message Edited by JOHNDOE_06 on 05-06-2008 10:41 AM

    The PIX is a real firewall. The WRT has a firewall which mostly protects the router itself. People prefer to buy a "SPI firewall router" instead of a simple "router" even though the router firewall does nothing or little to protect the LAN. The only firewall configurations on the WRTs you can usually do are on the Access Restrictions tab. But that's usually all. The LAN itself is not protected by the firewall. You would notice this if you had a public IP subnet and ran it through the WRT: the LAN would be fully exposed to the internet. Some routers have a few functions like protection against denial of service attacks or similar. But even then this often filters only the traffic targeted at the router and not the LAN.
    The common protection of your LAN you have on the WRT is because you use private IP addresses inside your LAN and the router does NAT. However, NAT is not a security mechanism but a mechanism to solve the problem that you can only have a single public IP address but want to use multiple computers, which is why you have to use private IP addresses. Current NAT implementations usually drop unsolicited incoming traffic because they don't know to which IP address in the LAN to send it. But the notion of NAT is to deliver and to allow connectivity. This has nothing to do with security or a firewall.
    Thus, if you want to use a real firewall use the PIX. On the PIX you can configure the traffic which is allowed to enter the LAN and which not. It is far superior in this respect to the WRT. However, as it is an older model, I cannot tell how fast the PIX is. You should be able to find the old data sheets of the PIX somewhere on the Cisco website. They should mention the possible throughput. I guess it won't be an issue.
    To me another point for the PIX are the VPN capabilities which allow you to securely access your LAN while you are on the road.
    Of course, you must know how to configure the PIX correctly. It is a complex device and can be configured pretty much for anything you like. This means of course if you do it wrong you may end up with little or no security.
    BTW, there are no people from Linksys in these forums except the moderators (who may be from Lithium). To hear from Linksys you have to contact Linksys support.

  • Pix 506e firewall configuring for mail (Exchange), Web, FTP server

    Hi
    I am Hemant. We have a PIX 506e firewall, a D-Link ADSL DSL-502T and my IBM xSeries 236 server.
    I have a fixed static live IP 59.181.103.220 which I got from the ISP (MTNL), and the same IP is given in the FQDN at www.net4india.com (the company from which we registered the domain name and took space).
    My problem is I am not able to send mail through my mail server (loyalindia.co.in), but I am receiving mail from any server.
    My network design is as follows:
    ADSL (WAN) 59.181.103.220, ADSL (LAN) 59.181.103.221. Pix 506e (out) 59.181.103.222, Pix 506e (in) 192.168.1.1. My domain mail server loyalindia.co.in (Exchange server) IP 192.168.1.2
    I have tried with (ADSL) NATting and without NATting, but the problem is the same.
    If I remove the PIX 506e and directly connect the server to the ADSL, I am able to receive and send mail properly.
    Can anybody support me?

    Hello
    I think there won't be one QUICK START to get all of this up and running; there are multiple examples on the following page, a few that might help would be:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
    PIX/ASA : Connecting Three Internal Networks with Internet Configuration Example
    PIX/ASA : Connecting Two Internal Networks with Internet Configuration Example
    ASA 7.x/PIX 6.x and Above: Open/Block the Ports Configuration Example
    PIX/ASA 7.x: Enable VoIP (SIP, MGCP, H323, SCCP) Services Configuration Example
    PIX/ASA 7.x and FWSM: NAT and PAT Statements
    PIX/ASA 7.x and later : Port Redirection(Forwarding) with nat, global, static and access-list Commands
    Configuring PIX Firewall with Mail Server Access on the DMZ
    Configuring the PIX Firewall with Mail Server Access on Inside Network
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • Manual for PIX 506E?

    Hi everyone! I just became in charge of a PIX 506E, which I have no experience with. I was not told how it was set up, what the password is, etc. Oh, and the dongle for the console connection is non-existent as well.
    On Cisco's website, I can't find any manuals for it. The only documentation I could find was a quick setup guide, which is not helpful at all if it is already set up.
    Basically, I am looking for any help anyone can provide so that I can get into the interface for the PIX 506E so I can see how things are set up and to change things in the future. Thank you in advance!

    This could be a long journey or a short one, but for the sake of helping you, here we go..
    When I say long journey, it is because it all depends on what type of resources you have at hand. At least you have us in NetPro, but more specifically, if you do not know the admin password for the PIX, that is the number one headache: you need the password recovery procedure. Please try to make an effort to obtain the password so as not to go through all these procedures; if you cannot, then you need password recovery.
    See password recovery.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml
    Please have handy these tools
    1- Console cable to connect to COM port in PC and PIX console port
    2- Terminal emulator - hyperterminal
    3- Mini hub to connect your PC and PIX physical interface to it
    4- tftp server software running on your PC
    Follow instructions on link.
    As for instructions about the PIX there are hundreds of documentation in Cisco website, we can direct you to them but first you need to gain access to PIX.
    HTH
    -Jorge

  • Can PIX 506e return port unreachable

    Hello
    Can the PIX 506e return ICMP port unreachable on a Linux traceroute with UDP datagrams, and if somebody knows how, can you give an example of how the access-list should be written to allow this response?

    The PIX won't return an ICMP port unreachable message, and access lists cannot be configured to make the PIX respond with a port unreachable.

  • Pix 506e as Content Filter

    Is there any way to effectively use a Pix 506e as a content filter? I see some example configurations involving an ASA 5500, but I was wondering if the pix alone will allow content filtering. We are a small business that is looking to restrict just a few websites to our DHCP users. (i.e. eBay, yahoo mail, Amazon). We already have the pix. Thanks!

    Suppose you want to filter streaming media content with the PIX 506E; you have two options. The first one is to block ports on the PIX and the second is to use a proxy server to filter URLs. Since our main concern is doing it on the PIX, you may enter these commands on the PIX for well-known ports that you could block on the firewall:
    access-list nostream deny udp any any eq 2979
    access-list nostream deny udp any any eq 1790
    access-list nostream deny udp any any eq 1755
    access-list nostream deny udp any any eq 1736
    access-list nostream deny udp any any eq 554
    access-list nostream deny udp any any eq 537
    access-list nostream deny tcp any any eq 2979
    access-list nostream deny tcp any any eq 1790
    access-list nostream deny tcp any any eq 1755
    access-list nostream deny tcp any any eq 1736
    access-list nostream deny tcp any any eq 554
    access-list nostream deny tcp any any eq 537
    access-list nostream permit tcp any any eq 80
    access-list nostream permit ip any any
    access-group nostream in interface inside
    However, some streaming applications use random ports via auto-configure options that are difficult to block with the PIX. To resolve this issue you have the second option, using a proxy server to filter the URLs. You may use Websense or any other software to filter web traffic.

  • Replace fan in Pix 506e

    A customer has a Cisco Pix 506e in which the fan is making some serious noise. What is the part number to replace this fan?

    It is not a FRU, you'll have to open a TAC case to have the device replaced.
    Hope that helps.

  • Pix 506E SNMP V3??

    Hi Everyone,
      I know this is an old unit, but I was trying to find an article on whether the PIX 506E supports SNMP version 3.
    thanks,
    Jason

    Hi Jason,
    Unfortunately SNMP version 3 is supported only on ASA 8.2 or higher:
    http://www.cisco.com/en/US/docs/security/asa/asa82/snmp/snmpv3_1.html
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • PIX 506e - cannot browse startup.html

    I just got a PIX 506e from a friend that was no longer using it. I'm trying to get started with the configuration page. I've reset it to factory defaults, rebooted and connected up Ethernet. I can ping the device at 192.168.1.1 and access it via console. I browse the site https://192.168.1.1/startup.html, get the invalid SSL certificate warning, get a login prompt (user/pass) and, as the document says, I leave it blank. As soon as I hit OK it goes to the 404 error, Page Not Found.
    Thanks in advance!
    Second part: does anyone have a good article/document on standard configurations via CLI? I worked my way through
    http://www.dslreports.com/faq/15785 but didn't have any luck. That's why I want to start with the web config, then work into CLI.

    I meant to reply sorry.
    I found out that it's 6.3 but that the previous owner removed PDM. I found the download on Cisco, HOWEVER I don't have an account so I have no way of actually downloading the PDM or the 6.3-with-PDM bin file.
    Do you know where I can get that?
    thanks

  • Pix 506e

    Hi,
    We are planning to purchase a Cisco PIX 506E Firewall. We have 50 computers & users. If we purchase the PIX 506E Firewall, does it require purchasing any additional license?
    with regds
    prem

    For the PIX 506E there is only one license that can be purchased, which is the 3DES/AES and DES encryption license. Right now I think you can download that license for free. The following link will provide you with details on that license and the data sheet on that PIX (scroll down about half way for the license information).
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b13.html
    The following link will give you the data sheet and describe the three different licenses available with upper models of the PIX as it relates to the 515E (restricted, unrestricted, and failover).
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b15.html

  • ISAKMP spi size buffer overflow for PIX 506e

    Hello,
    We have performed a vulnerability scan of our network and found a high-risk vulnerability result, as stated below:
    "H IsakmpSpiSizeBo: ISAKMP spi size buffer overflow
    Additional Information More Information
    Internet Security Association and Key Management Protocol (ISAKMP) is a key exchange protocol signature. ISAKMP is vulnerable to a
    buffer overflow. A remote attacker can send a specially-crafted ISAKMP payload to a vulnerable VPN client or server to overflow a buffer
    and execute arbitrary code on the system, possibly with administrative privileges.
    The supported operating systems in the Platforms Affected list are only vulnerable if they use the LibKmp ISAKMP library. Only VPN
    or firewall products which implement the Entrust LibKmp ISAKMP library are vulnerable.
    Remedy:
    Apply the appropriate hotfix for this vulnerability, as listed in the Symantec Security Response SYM04-012 and available from the
    Symantec FTP Update Web site. See References."
    I have searched on Cisco but found no clue on resolving the issue. Our firewall is the PIX 506E model.
    Your inputs are highly appreciated.
    Thank you
    Neil

    The cause of the issue was the remote peer: the parameters of phase 2 were wrong.

  • Can't access internal network from VPN using PIX 506E

    Hello,
    I seem to be having an issue with my PIX configuration. I can ping the VPN client from the internal network, but cannot access any resources from the VPN client. My running configuration is as follows:
    Building configuration...
    : Saved
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password N/JZnmeC2l5j3YTN encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname SwantonFw2
    domain-name *****.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any any
    access-list allow_ping permit icmp any any echo-reply
    access-list allow_ping permit icmp any any unreachable
    access-list allow_ping permit icmp any any time-exceeded
    access-list INSIDE-IN permit tcp interface inside interface outside
    access-list INSIDE-IN permit udp any any eq domain
    access-list INSIDE-IN permit tcp any any eq www
    access-list INSIDE-IN permit tcp any any eq ftp
    access-list INSIDE-IN permit icmp any any echo
    access-list INSIDE-IN permit tcp any any eq https
    access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
    access-list swanton_splitTunnelAcl permit ip any any
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
    no pager
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.150 255.255.255.0
    ip address inside 192.168.0.35 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN_Pool 192.168.240.1-192.168.240.254
    pdm location 0.0.0.0 255.255.255.0 outside
    pdm location 192.168.1.26 255.255.255.255 outside
    pdm location 192.168.240.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    access-group INSIDE-IN in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup swanton address-pool VPN_Pool
    vpngroup swanton dns-server 192.168.1.1
    vpngroup swanton split-tunnel swanton_splitTunnelAcl
    vpngroup swanton idle-time 1800
    vpngroup swanton password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.0.36-192.168.0.254 inside
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username scott password hwDnqhIenLiwIr9B encrypted privilege 15
    username norm password ET3skotcnISwb3MV encrypted privilege 2
    username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
    username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
    username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
    username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
    username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
    username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
    username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
    username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
    username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
    username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
    username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
    username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
    terminal width 80
    Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
    : end
    [OK]
    Any help will be greatly appreciated

    Bj,
    Are you trying to access network resources behind the inside interface?
    ip address inside 192.168.0.35 255.255.255.0
    If so, please make the following changes:
    1- access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
    2- no vpngroup swanton split-tunnel swanton_splitTunnelAcl
            vpngroup swanton split-tunnel SWANTON_VPN_SPLIT
    3- no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
    4- isakmp nat-traversal 30
    Let me know how it goes.
    Portu.
    Please rate any helpful posts
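Two replies on this page turn on how a PIX access-list is evaluated: the `nostream` port-blocking list in the content-filter thread, and the split-tunnel change just above, where `permit ip any any` is replaced by a list that names only the inside subnet and the VPN pool. The following model is an added example, not part of either thread and not PIX code: it parses the `access-list <name> permit|deny <proto> <src> <dst> [eq <port>]` form used on this page, applies first-match semantics with the implicit deny at the end, and then answers, for constructed sample packets, whether a flow is blocked by `nostream` and whether a destination is tunneled under each split-tunnel list. The copies of the ACLs embedded below are constructed from the lines on this page (a subset of `nostream`), and the sample hosts are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of PIX access-list evaluation (first match wins, implicit
# deny at the end). It parses the "access-list <name> permit|deny <proto>
# <src> <dst> [eq <port>]" form used on this page; it is not PIX code.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "domain": 53}


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq <port>", else None


def _net(t: List[str], i: int):
    """Read 'any', 'host <addr>' or '<addr> <mask>' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_acls(text: str) -> Dict[str, List[Rule]]:
    """Group access-list lines by name, keeping the order in which they were entered."""
    acls: Dict[str, List[Rule]] = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _net(t, 4)
        dst, i = _net(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(name, []).append(Rule(action, proto, src, dst, dport))
    return acls


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Walk the ACL top to bottom; the first matching entry decides, otherwise implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Constructed copies of the ACLs discussed on this page (a subset of the nostream list).
NOSTREAM = """
access-list nostream deny udp any any eq 1755
access-list nostream deny udp any any eq 554
access-list nostream deny tcp any any eq 1755
access-list nostream deny tcp any any eq 554
access-list nostream permit tcp any any eq 80
access-list nostream permit ip any any
"""
SPLIT = """
access-list swanton_splitTunnelAcl permit ip any any
access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
"""


def is_tunneled(split_rules: List[Rule], inside_host: str, vpn_client: str) -> bool:
    """Split-tunnel ACL: traffic between inside_host and the client is tunneled only if permitted."""
    return evaluate(split_rules, "ip", inside_host, vpn_client) == "permit"


if __name__ == "__main__":
    acls = parse_acls(NOSTREAM + SPLIT)
    ns = acls["nostream"]
    print("rtsp 554/tcp:", evaluate(ns, "tcp", "192.168.0.10", "203.0.113.5", 554))   # deny
    print("http 80/tcp:", evaluate(ns, "tcp", "192.168.0.10", "203.0.113.5", 80))     # permit
    for name in ("swanton_splitTunnelAcl", "SWANTON_VPN_SPLIT"):
        print(name, "inside->client:", is_tunneled(acls[name], "192.168.0.10", "192.168.240.5"),
              "internet->client:", is_tunneled(acls[name], "8.8.8.8", "192.168.240.5"))
```

The split-tunnel comparison is the point of the change above: with `permit ip any any` every destination the client reaches is sent into the tunnel, whereas the narrower list tunnels only traffic between the inside subnet and the pool and lets the client's other traffic go out locally.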

  • Amazon S3 Backup with Cisco PIX 501 Router - slowww

    We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office.  We are using a Synology NAS to backup to Amazon S3, and we use a Cisco PIX 501 to secure our network.  The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue.  After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down.  I was told the upload should happen over HTTP and HTTPS, and I made sure these ports were open through the Access Rules.  There are no rules defined in the Filter Settings.
    I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening?   I'm not too familiar with the PIX or all the network settings involved.
    Thanks!

    Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here:
    - Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
      This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
    THANKS

  • PIX 501 route outside command

    All,
    I have a friend trying to configure an existing PIX.  They needed to change IP addresses due to an ISP switch.  The config was very basic, but whenever he puts in the route outside command the PIX seems to take it, but then he is saying it is disappearing when he checks the config.  Does anyone have any ideas what this could be?  He only changed the outside IP address, a static translation
    All replies rated.   Thanks in advance!

    Hi Angel,
    My assumption is that you have a speed issue between the outside interface of the PIX and the new ISP equipment.
    You have statically set the outside interface "interface ethernet0 10baset"
    Please post :
    show int e0
    PS : nice software version 6.2
    Regards
    Dan

  • PIX - IOS Router Redundancy

    PIX at remote, Dual Interface/Dual ISP IOS Router at core.
    Is there a way to have an IPSEC tunnel from the PIX to the Dual ISP Router at the core?
    Can't get the PIX to pass traffic over the second IPSEC Tunnel when one ISP/Interface goes down at the IOS Router.
    Help!
    Thanks,
    Bob

    PIX-501 at the remote
    Cisco1721 with Dual ISP feeds at Central site.
    I want two tunnels from the PIX to the Cisco1721.
    One ISP goes down, traffic goes over the second tunnel.
    Thanks,
    Bob
