PIX 515E Config Help!!!

Similar Messages

• Help needed to connect to remote PPTP VPN via PIX 515e

  Hello,
  A user in our office needs to connect to a client's remote PPTP VPN but can't connect.  The user is running Windows 7.  We have a Cisco PIX 515e firewall that is running PIX Version 6.3(3) - this is what our user is having to go through to try and make the connection to the client's remote VPN.
  The client's network guys have come back and said the issue is at our side.  They say that they can see some of our traffic but not all of it. The standard error is shown below, and they say it's symptomatic of the client-side firewall not allowing PPTP traffic:
  "A connection between the VPN server and the VPN client XXX.XXX.XXX.XXX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets."
  I have very little firewall experience and absolutely no Cisco experience I'm afraid.  From looking at the PIX config I can see the following line:
  fixup protocol pptp 1723.
  Does this mean that the PPTP protcol is enabled on our firewall?  Is this for both incoming and outgoing traffic?
  I can see no reference to GRE 47 in the PIX config.  Can anyone advise me what I should look for to see if this has been enabled or not?
  I apologise again for my lack of knowledge.  Any help or advice would be very gratefully received.
  Ros

  Hi Eugene,
  Thank you for taking the time to reply to me.  Please see our full PIX config below.  I've XX'd out names and IP addresses as I'm never comfortable posting those type of details in a public forum.  I hope that the information below is still sufficient for you.
  Thanks again for your help,
  Ros
  PIX(config)# en
  Not enough arguments.
  Usage:  enable password [] [level ] [encrypted]
          no enable password level
          show enable
  PIX(config)# show config
  : Saved
  : Written by enable_15 at 10:30:31.976 GMT/BDT Mon Apr 4 2011
  PIX Version 6.3(3)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security10
  enable password XXX encrypted
  passwd XXX encrypted
  hostname PIX
  domain-name XXX.com
  clock timezone GMT/BST 0
  clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol pptp 1723
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  name XX.XX.XX.XX Secondary
  access-list outside_access_in permit tcp XX.XX.XX.XX 255.255.255.240 host XX.XX.XX.XX eq smtp
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq https
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 993
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 587
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 82
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 8082
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.0.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl deny udp any any eq 135
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_40 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_60 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list USER1 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_10 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_20 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_30 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_50 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_70 permit ip any XX.XX.XX.XX 255.255.0.0
  access-list USER2 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list USER3 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list USER4 permit ip any XX.XX.XX.XX 255.255.0.0
  pager lines 24
  logging on
  logging host inside XX.XX.XX.XX
  icmp permit any outside
  icmp permit any inside
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  ip address outside XX.XX.XX.XX 255.255.255.248
  ip address inside XX.XX.XX.XX 255.255.255.0
  no ip address DMZ
  ip audit info action alarm
  ip audit attack action alarm
  pdm location XX.XX.XX.XX 255.255.255.255 inside
  pdm location XX.XX.XX.XX 255.255.0.0 outside
  pdm location XX.XX.XX.XX 255.255.255.0 outside
  pdm logging debugging 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
  static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
  static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
  static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
  route inside XX.XX.XX.XX 255.255.0.0 XX.XX.XX.XX 1
  timeout xlate 3:00:00
  timeout conn 2:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  ntp authenticate
  ntp server XX.XX.XX.XX source outside prefer
  http server enable
  http XX.XX.XX.XX 255.255.0.0 outside
  http XX.XX.XX.XX 255.255.255.0 outside
  http XX.XX.XX.XX 255.255.255.255 inside
  snmp-server host inside XX.XX.XX.XX
  no snmp-server location
  no snmp-server contact
  snmp-server community XXX
  snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map cola 20 set transform-set ESP-3DES-MD5
  crypto dynamic-map dod 10 set transform-set ESP-3DES-MD5
  crypto map outside_map 10 ipsec-isakmp dynamic cola
  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address outside_cryptomap_20
  crypto map outside_map 20 set peer XX.XX.XX.XX
  crypto map outside_map 20 set transform-set ESP-3DES-MD5
  crypto map outside_map 25 ipsec-isakmp
  crypto map outside_map 25 match address USER1
  crypto map outside_map 25 set peer XX.XX.XX.XX
  crypto map outside_map 25 set transform-set ESP-3DES-MD5
  crypto map outside_map 30 ipsec-isakmp
  crypto map outside_map 30 match address outside_cryptomap_30
  crypto map outside_map 30 set peer XX.XX.XX.XX
  crypto map outside_map 30 set transform-set ESP-3DES-MD5
  crypto map outside_map 40 ipsec-isakmp
  crypto map outside_map 40 match address outside_cryptomap_40
  crypto map outside_map 40 set peer XX.XX.XX.XX
  crypto map outside_map 40 set transform-set ESP-3DES-MD5
  crypto map outside_map 50 ipsec-isakmp
  crypto map outside_map 50 match address outside_cryptomap_50
  crypto map outside_map 50 set peer XX.XX.XX.XX
  crypto map outside_map 50 set transform-set ESP-3DES-MD5
  crypto map outside_map 60 ipsec-isakmp
  crypto map outside_map 60 match address outside_cryptomap_60
  crypto map outside_map 60 set peer XX.XX.XX.XX
  crypto map outside_map 60 set transform-set ESP-3DES-MD5
  crypto map outside_map 70 ipsec-isakmp
  crypto map outside_map 70 match address outside_cryptomap_70
  crypto map outside_map 70 set peer XX.XX.XX.XX
  crypto map outside_map 70 set transform-set ESP-3DES-MD5
  crypto map outside_map 75 ipsec-isakmp
  crypto map outside_map 75 match address USER4
  crypto map outside_map 75 set peer XX.XX.XX.XX
  crypto map outside_map 75 set transform-set ESP-3DES-MD5
  crypto map outside_map 80 ipsec-isakmp
  crypto map outside_map 80 match address USER2
  crypto map outside_map 80 set peer XX.XX.XX.XX
  crypto map outside_map 80 set transform-set ESP-3DES-MD5
  crypto map outside_map 90 ipsec-isakmp
  crypto map outside_map 90 match address USER3
  crypto map outside_map 90 set peer XX.XX.XX.XX
  crypto map outside_map 90 set transform-set ESP-3DES-MD5
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  telnet XX.XX.XX.XX 255.255.0.0 outside
  telnet XX.XX.XX.XX 255.255.255.255 inside
  telnet XX.XX.XX.XX 255.255.255.255 inside
  telnet XX.XX.XX.XX 255.255.255.255 inside
  telnet timeout 30
  ssh XX.XX.XX.XX 255.255.255.248 outside
  ssh XX.XX.XX.XX 255.255.255.248 outside
  ssh timeout 30
  management-access inside
  console timeout 0
  terminal width 80
  Cryptochecksum:XXX
  PIX(config)#

• Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)

  Hello,
  I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP website are up. On two of our main website, we have two contact forms that use a simple html for to call a php script that uses smtp as its mailing protocol. Since, I am not the network administrator, I don't quite understand how to  read the current configurations on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails.  What I've done to narrow the problem done is the following: I used a wamp server to test our scripts with our smtp servers settings, was able to successfully send an email out to both my gmail and work place accounts. Currently, we have backupexec loaded on both of these servers, and when I try to send out an alert I never receive it. I think because port 25 is closed on both of those servers.  I will be posting our configuration. if anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would gladly appreciate it. our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please someone help.
  Thanks,
  Jeff Mateo
  PIX Version 6.3(4)
  interface ethernet0 100full
  interface ethernet1 100full
  interface ethernet2 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security50
  enable password GFO9OSBnaXE.n8af encrypted
  passwd GFO9OSBnaXE.n8af encrypted
  hostname morrow-pix-ct
  domain-name morrowco.com
  clock timezone EST -5
  clock summer-time EDT recurring
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  no fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  name 12.42.47.27 LI-PIX
  name 172.20.0.0 CT-NET
  name 172.23.0.0 LI-NET
  name 172.22.0.0 TX-NET
  name 172.25.0.0 NY-NET
  name 192.168.10.0 CT-DMZ-NET
  name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
  name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
  name 199.191.128.105 web-dns-1
  name 12.127.16.69 web-dns-2
  name 12.3.125.178 NY-PIX
  name 64.208.123.130 TX-PIX
  name 24.38.31.80 CT-PIX
  object-group network morrow-net
  network-object 12.42.47.24 255.255.255.248
  network-object NY-PIX 255.255.255.255
  network-object 64.208.123.128 255.255.255.224
  network-object 24.38.31.64 255.255.255.224
  network-object 24.38.35.192 255.255.255.248
  object-group service morrow-mgmt tcp
  port-object eq 3389
  port-object eq telnet
  port-object eq ssh
  object-group network web-dns
  network-object web-dns-1 255.255.255.255
  network-object web-dns-2 255.255.255.255
  access-list out1 permit icmp any any echo-reply
  access-list out1 permit icmp object-group morrow-net any
  access-list out1 permit tcp any host 12.193.192.132 eq ssh
  access-list out1 permit tcp any host CT-PIX eq ssh
  access-list out1 permit tcp any host 24.38.31.72 eq smtp
  access-list out1 permit tcp any host 24.38.31.72 eq https
  access-list out1 permit tcp any host 24.38.31.72 eq www
  access-list out1 permit tcp any host 24.38.31.70 eq www
  access-list out1 permit tcp any host 24.38.31.93 eq www
  access-list out1 permit tcp any host 24.38.31.93 eq https
  access-list out1 permit tcp any host 24.38.31.93 eq smtp
  access-list out1 permit tcp any host 24.38.31.93 eq ftp
  access-list out1 permit tcp any host 24.38.31.93 eq domain
  access-list out1 permit tcp any host 24.38.31.94 eq www
  access-list out1 permit tcp any host 24.38.31.94 eq https
  access-list out1 permit tcp any host 24.38.31.71 eq www
  access-list out1 permit tcp any host 24.38.31.71 eq 8080
  access-list out1 permit tcp any host 24.38.31.71 eq 8081
  access-list out1 permit tcp any host 24.38.31.71 eq 8090
  access-list out1 permit tcp any host 24.38.31.69 eq ssh
  access-list out1 permit tcp any host 24.38.31.94 eq ftp
  access-list out1 permit tcp any host 24.38.31.92 eq 8080
  access-list out1 permit tcp any host 24.38.31.92 eq www
  access-list out1 permit tcp any host 24.38.31.92 eq 8081
  access-list out1 permit tcp any host 24.38.31.92 eq 8090
  access-list out1 permit tcp any host 24.38.31.93 eq 3389
  access-list out1 permit tcp any host 24.38.31.92 eq https
  access-list out1 permit tcp any host 24.38.31.70 eq https
  access-list out1 permit tcp any host 24.38.31.74 eq www
  access-list out1 permit tcp any host 24.38.31.74 eq https
  access-list out1 permit tcp any host 24.38.31.74 eq smtp
  access-list out1 permit tcp any host 24.38.31.75 eq https
  access-list out1 permit tcp any host 24.38.31.75 eq www
  access-list out1 permit tcp any host 24.38.31.75 eq smtp
  access-list out1 permit tcp any host 24.38.31.70 eq smtp
  access-list out1 permit tcp any host 24.38.31.94 eq smtp
  access-list dmz1 permit icmp any any echo-reply
  access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
  access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
  access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
  access-list dmz1 permit ip any any
  access-list dmz1 deny ip any any
  access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
  access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
  access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
  access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
  access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
  access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255
  .0
  access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.2
  55.255.0
  access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
  access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
  access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
  access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
  access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
  access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
  access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.
  0
  access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.25
  5.0
  access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
  access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
  access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
  access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.
  0
  access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255
  .248.0
  access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
  access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
  access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
  access-list in1 permit tcp host 172.20.1.21 any eq smtp
  access-list in1 permit tcp host 172.20.1.20 any eq smtp
  access-list in1 deny tcp any any eq smtp
  access-list in1 permit ip any any
  access-list in1 permit tcp any any eq smtp
  access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
  access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
  access-list in2 deny ip host 172.20.1.82 any
  access-list in2 deny ip host 172.20.1.83 any
  access-list in2 permit ip any any
  pager lines 43
  logging on
  logging timestamp
  logging buffered notifications
  logging trap notifications
  logging device-id hostname
  logging host inside 172.20.1.22
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  ip address outside CT-PIX 255.255.255.224
  ip address inside 172.20.8.1 255.255.255.0
  ip address DMZ 192.168.10.1 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool ctpool 192.168.220.100-192.168.220.200
  ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
  pdm history enable
  arp timeout 14400
  global (outside) 1 24.38.31.81
  nat (inside) 0 access-list nat0
  nat (inside) 1 CT-NET 255.255.0.0 2000 10
  nat (DMZ) 0 access-list nat0-dmz
  static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
  static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
  static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
  static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
  static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
  access-group out1 in interface outside
  access-group dmz1 in interface DMZ
  route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
  route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
  route inside CT-NET 255.255.248.0 172.20.8.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  aaa-server ct-rad protocol radius
  aaa-server ct-rad max-failed-attempts 2
  aaa-server ct-rad deadtime 10
  aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 173.220.252.56 255.255.255.248 outside
  http 65.51.181.80 255.255.255.248 outside
  http 208.65.108.176 255.255.255.240 outside
  http CT-NET 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community m0rroW(0
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  sysopt connection permit-pptp
  crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
  crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
  crypto dynamic-map dyn_map 20 match address vpn-dyn-match
  crypto dynamic-map dyn_map 20 set transform-set 3des-sha
  crypto map ct-crypto 10 ipsec-isakmp
  crypto map ct-crypto 10 match address vpn-ct-li-gre
  crypto map ct-crypto 10 set peer LI-PIX
  crypto map ct-crypto 10 set transform-set 3des-sha
  crypto map ct-crypto 15 ipsec-isakmp
  crypto map ct-crypto 15 match address vpn-ct-li
  crypto map ct-crypto 15 set peer LI-PIX
  crypto map ct-crypto 15 set transform-set 3des-sha
  crypto map ct-crypto 20 ipsec-isakmp
  crypto map ct-crypto 20 match address vpn-ct-ny
  crypto map ct-crypto 20 set peer NY-PIX
  crypto map ct-crypto 20 set transform-set 3des-sha
  crypto map ct-crypto 30 ipsec-isakmp
  crypto map ct-crypto 30 match address vpn-ct-tx
  crypto map ct-crypto 30 set peer TX-PIX
  crypto map ct-crypto 30 set transform-set 3des-sha
  crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
  crypto map ct-crypto client authentication ct-rad
  crypto map ct-crypto interface outside
  isakmp enable outside
  isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mo
  de
  isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-c
  onfig-mode
  isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mo
  de
  isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mo
  de
  isakmp identity address
  isakmp nat-traversal 20
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption 3des
  isakmp policy 30 hash md5
  isakmp policy 30 group 1
  isakmp policy 30 lifetime 86400
  vpngroup remotectusers address-pool ctpool
  vpngroup remotectusers dns-server 172.20.1.5
  vpngroup remotectusers wins-server 172.20.1.5
  vpngroup remotectusers default-domain morrowny.com

  Amit,
  I applaud your creativity in seeking to solve your problem, however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database, it's just too many layers, in my opinion, where things can go wrong. Two it seems to me that you are exposing data one your website (with the PHP) that you may not want expose and this is an important consideration when you are dealing with emails and privacy and so on.
  I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
  Again I applaud your creativity but truly this seems like a hack because of the complexity and security concerns you are introducing and I think is a path to the land of trouble. Hopefully you will be able to get a remote account set up.

• Download Speed on PIX 515E is Pretty Slow

  Hello, I have a PIX 515E set up between our office switch and our Comcast Business Router and the download speeds are not as fast as they should be. We are paying for 30 down 30 up but it's more like 10 down 30 up. I plugged in a computer directly into the router and got 30/30 so I know its not a comcast issue. I think it might be the low amount of memory on the PIX because its running at 109 out of a total 128mb. The PIX has a site-to-site VPN tunnel with a remote ASA 5520 firewall. The inside/outside ports are both auto/auto. The running config is only 161 lines.
  Here's some information about the PIX 515E...
  Version 8.0(4)
  ASDM 6.1(3)
  Memory 128MB
  Here is the running config..
  Result of the command: "show running-config"
  : Saved
  PIX Version 8.0(4)
  hostname --------------------
  domain-name -----------------
  enable password -------------------------
  passwd --------------- encrypted
  names
  name 1.1.1.1 Data-Center-Firewall    #### Outside Address Changed
  name 10.0.0.0 Data-Center-Subnet
  dns-guard
  interface Ethernet0
  nameif inside
  security-level 100
  ip address 10.10.1.1 255.255.255.0 standby 10.10.1.254
  interface Ethernet1
  nameif outside
  security-level 0
  ip address 2.2.2.1 255.255.255.252   #### Outside Address Changed
  interface Ethernet2
  description LAN/STATE Failover Interface
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name -------------
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service http8080 tcp
  description http8080
  port-object eq 8080
  object-group service DM_INLINE_TCP_1 tcp
  port-object range 50000 50100
  port-object eq 990
  access-list outside_access_in remark ip, tcp/990
  access-list outside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.5 object-group DM_INLINE_TCP_1
  access-list outside_access_in extended permit icmp any any
  access-list ACL-VPN extended permit ip 10.10.1.0 255.255.255.0 Data-Center-Subnet 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  failover
  failover lan unit primary
  failover lan interface failover Ethernet2
  failover lan enable
  failover key *****
  failover replication http
  failover mac address Ethernet0 001e.f732.008f 000d.28f9.628f
  failover mac address Ethernet1 001e.f732.0090 000d.28f9.6290
  failover link failover Ethernet2
  failover interface ip failover 10.10.10.10 255.255.255.252 standby 10.10.10.20
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  asdm image flash:/asdm-613.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 0 access-list ACL-VPN
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) 2.2.2.5 10.10.1.102 netmask 255.255.255.255
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
  route inside 10.10.0.0 255.255.255.0 10.10.1.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 10.10.0.0 255.255.255.0 inside
  http 10.10.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  service resetoutside
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map MAP-VPN 1 match address ACL-VPN
  crypto map MAP-VPN 1 set pfs
  crypto map MAP-VPN 1 set peer Data-Center-Firewall
  crypto map MAP-VPN 1 set transform-set ESP-3DES-SHA
  crypto map MAP-VPN 1 set security-association lifetime seconds 28800
  crypto map MAP-VPN 1 set security-association lifetime kilobytes 4608000
  crypto map MAP-VPN interface outside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 10.10.1.0 255.255.255.0 inside
  telnet 10.10.0.0 255.255.255.0 inside
  telnet timeout 5
  ssh 10.10.0.0 255.255.255.0 inside
  ssh 10.10.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *
  class-map class_ftp
  match port tcp eq ftp-data
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
  class class_ftp
    inspect ftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:b795d4f5f5da3d8283d452ba857d5534
  : end

  Please check on the speed and duplex settings whether the downstream and upstream links are fine and healthy.
  Inside/outside are both set to auto/auto at
  Check for the processes usage of the cpu of the pix.
  CPU is running at 2%
  Process:      tmatch compile thread, PROC_PC_TOTAL: 2, MAXHOG: 8, LASTHOG: 8
  LASTHOG At:   19:01:15 EST Dec 31 1992
  PC:           26b616 (suspend)
  Process:      tmatch compile thread, NUMHOG: 2, MAXHOG: 8, LASTHOG: 8
  LASTHOG At:   19:01:15 EST Dec 31 1992
  PC:           26b616 (suspend)
  Traceback:    26b616  26bdb9  26ec89  1182b3
  Process:      Dispatch Unit, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
  LASTHOG At:   09:25:12 EDT Jul 18 2012
  PC:           130114b (interrupt)
  Traceback:    100178  12edd0c  9771e5  8c0e66  927164  928996  8ec3f5
                8ec7ed  79d35e  2780c3  1182b3
  Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
  LASTHOG At:   12:27:25 EDT Jul 18 2012
  PC:           130114b (interrupt)
  Traceback:    100178  d870cb  13016b3  15cf68  e91a6f  e9118b  abfcea
                a7cb2e  a7daeb  18d800  5ae9a9  5a6aa0  5a7272  5a75e5
  Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 7, LASTHOG: 7
  LASTHOG At:   12:34:10 EDT Jul 18 2012
  PC:           5ae903 (suspend)
  Process:      Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 7, LASTHOG: 7
  LASTHOG At:   12:34:10 EDT Jul 18 2012
  PC:           5ae903 (suspend)
  Traceback:    5ae903  5a6aa0  5a7272  5a75e5  5ad3d5  1182b3
  Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 5, LASTHOG: 5
  LASTHOG At:   12:37:47 EDT Jul 18 2012
  PC:           f4078b (suspend)
  Process:      Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 5, LASTHOG: 5
  LASTHOG At:   12:37:47 EDT Jul 18 2012
  PC:           f4078b (suspend)
  Traceback:    f40be2  130f41e  aab54d  aac3b0  5a6c2e  5a7272  5a75e5
                5ad3d5  1182b3
  Process:      IKE Daemon, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
  LASTHOG At:   23:07:40 EDT Jul 19 2012
  PC:           1b6dd0 (interrupt)
  Traceback:    100178  1b8a31  1baaeb  6438d7  12efc6f  64250b  653fe9
                654b78  1182b3
  Process:      IKE Daemon, PROC_PC_TOTAL: 347, MAXHOG: 31, LASTHOG: 30
  LASTHOG At:   16:01:55 EDT Jul 23 2012
  PC:           654bab (suspend)
  Process:      CTM message handler, PROC_PC_TOTAL: 346, MAXHOG: 27, LASTHOG: 27
  LASTHOG At:   16:01:55 EDT Jul 23 2012
  PC:           2087ec (suspend)
  Process:      IKE Daemon, NUMHOG: 693, MAXHOG: 31, LASTHOG: 27
  LASTHOG At:   16:01:55 EDT Jul 23 2012
  PC:           654bab (suspend)
  Traceback:    1182b3
  Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
  LASTHOG At:   17:23:30 EDT Jul 23 2012
  PC:           130003b (interrupt)
  Traceback:    100178  13008b8  f5a0cd  f5ac32  f5ae40  f60828  f617c1
                d38a0d  aab50b  aac14a  5a6c2e  5a7272  5a75e5  5ad3d5
  Process:      Dispatch Unit, PROC_PC_TOTAL: 227, MAXHOG: 432, LASTHOG: 35
  LASTHOG At:   17:37:03 EDT Jul 23 2012
  PC:           278207 (suspend)
  Process:      Dispatch Unit, NUMHOG: 227, MAXHOG: 432, LASTHOG: 35
  LASTHOG At:   17:37:03 EDT Jul 23 2012
  PC:           278207 (suspend)
  Traceback:    278207  1182b3
  Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 1901, MAXHOG: 8, LASTHOG: 7
  LASTHOG At:   17:44:20 EDT Jul 23 2012
  PC:           118ed5 (suspend)
  Process:      Unicorn Admin Handler, NUMHOG: 1901, MAXHOG: 8, LASTHOG: 7
  LASTHOG At:   17:44:20 EDT Jul 23 2012
  PC:           118ed5 (suspend)
  Traceback:    118ed5  b2d032  f5a80d  f5ac0a  f5ae40  f607e5  f617c1
                d38a0d  aab50b  aac14a  5a6c2e  5a7272  5a75e5  5ad3d5
  CPU hog threshold (msec):  5.120
  Last cleared: None
  Check on the inetrface whetehr u get any crc/input/overrun errors. Please check with the physical connectivity.
  Interface Ethernet0 "inside", is up, line protocol is up
    Hardware is i82559, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      MAC address __________, MTU 1500
      IP address 10.10.1.1, subnet mask 255.255.255.0
      60862937 packets input, 29025667892 bytes, 0 no buffer
      Received 1371 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      68515603 packets output, 44084404472 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      input queue (curr/max packets): hardware (0/1) software (0/47)
      output queue (curr/max packets): hardware (0/67) software (0/1)
    Traffic Statistics for "inside":
      60997029 packets input, 28080179952 bytes
      68553614 packets output, 43104566708 bytes
      29544 packets dropped
        1 minute input rate 63 pkts/sec,  30371 bytes/sec
        1 minute output rate 64 pkts/sec,  16557 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 91 pkts/sec,  45254 bytes/sec
        5 minute output rate 93 pkts/sec,  56181 bytes/sec
        5 minute drop rate, 0 pkts/sec
  Interface Ethernet1 "outside", is up, line protocol is up
    Hardware is i82559, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      MAC address ___________, MTU 1500
      IP address ___________, subnet mask 255.255.255.252
      67730933 packets input, 44248541375 bytes, 0 no buffer
      Received 4493 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      60418640 packets output, 29310509840 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      input queue (curr/max packets): hardware (0/1) software (0/39)
      output queue (curr/max packets): hardware (0/42) software (0/1)
    Traffic Statistics for "outside":
      67782987 packets input, 43276611710 bytes
      60562287 packets output, 28342787997 bytes
      206651 packets dropped
        1 minute input rate 57 pkts/sec,  14273 bytes/sec
        1 minute output rate 61 pkts/sec,  30258 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 89 pkts/sec,  54426 bytes/sec
        5 minute output rate 87 pkts/sec,  45115 bytes/sec
        5 minute drop rate, 0 pkts/sec
  enable flowcontrol recieve on on the firewall interfaces and switch/router interfaces connected to the firewall.
  Not sure how to do that.

• PIX-515E - Reason 412: the remote peer is no longer responding...

  Hi,
  I am unable to VPN to my network from outside using cisco VPN client to PIX-515E.
  When I try it say:
  Reason 412: the remote peer is no longer responding...
  From inside everything work ok, I can connect... (same computer, same settings...)
  Maybe the problem is not in PIX??
  Few days ago I upgrade FWSM from 3.1.x to
  FWSM Firewall Version 4.1(9)
  Device Manager Version 6.2(2)F
  Can this upgrade cause problem???
  I compare running conf: and I notice this new commands:
  service reset no-connection
  no service reset connection marked-for-deletion
  I try with opposite:
  no service reset no-connection
  service reset connection marked-for-deletion
  but still I cannot VPN....
  Any advice?
  THX,
  Ivan

  Problem solved...
  as usual I cause the problem instead of 8 i wrote 3... i was checking that IP address several time but didn't see
  now when I was preparing to put running config online and replacing ip address ... something jump into my eye....
  So thnx Jennifer :-)

• Stuck at Initial stage CISCO pix 515e

  Hi
  I have a new pix 515e for Home pratice.
  1. I couldnt telnet the switch after configuring. should i have to use cross cable or not to connect PC-PIX? (as new switches and routers run through straight cable). more importantly i couldnt even ping the inside ip which is telnet and ssh enabled.
  2.  Recieveing the following after executing each and every command on global mode.
  ******warning****
  configuration Replication is NOT performed From standby Unit to Active Unit
  configurations are no longer synchronized.
  Hope you guys pull me out from these issues
  Thanks & Regards
  srikanth

  Hi thanks alain for the info.
  can you please look in to my config. ans guide me where am i doing wrong.
  pixfirewall(config)# sh run
  PIX Version 6.3(5)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto shutdown
  interface ethernet3 auto shutdown
  interface ethernet4 auto shutdown
  interface ethernet5 auto shutdown
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 intf2 security4
  nameif ethernet3 intf3 security6
  nameif ethernet4 intf4 security8
  nameif ethernet5 intf5 security10
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  hostname pixfirewall
  domain-name wr
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  mtu intf2 1500
  mtu intf3 1500
  mtu intf4 1500
  mtu intf5 1500
  no ip address outside
  ip address inside 10.10.22.1 255.255.255.0
  no ip address intf2
  no ip address intf3
  no ip address intf4
  no ip address intf5
  ip audit info action alarm
  ip audit attack action alarm
  no failover
  failover timeout 0:00:00
  failover poll 15
  no failover ip address outside
  no failover ip address inside
  no failover ip address intf2
  no failover ip address intf3
  no failover ip address intf4
  no failover ip address intf5
  pdm history enable
  arp timeout 14400
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  telnet 10.10.22.0 255.255.255.0 inside
  telnet timeout 5
  ssh 10.10.22.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd address 10.10.22.20-10.10.22.220 inside
  dhcpd lease 3600
  dhcpd ping_timeout 750
  username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 2
  terminal width 80
  Cryptochecksum:481acea90984580c5ac7ef32e5e83afd
  : end
  Thanks & Regards
  Srikanth

• Cisco PIX-515e reset to factory defaults

  Hi,
  I have a cisco PIX-515e which i have connected to a emulator through the console port, and im having trouble erasing data from it.
  I can get into 'pixfirewall' mode and 'monitor' mode but thats as far as i get. i have tried 'write erase' and 'configure factory-default' in both modes to no success.
  Any help would be much appreciated.
  thanks,

  this is a little late over a year, you probably alreay figured it out. in monitor mode.
  set your interface
  monitor> int 0          (this doesnt matter much as long as the interface is valid)
  next set the ip address of our pix
  monitor> add 192.168.1.50     (this just sets the pix int 0 to this ip address)
  now set the tftp server
  monitor> server 192.168.1.79     (this is the ip address of my pc with a tftp server)
  set the gateway
  monitor> gateway 0.0.0.0      (i had much trouble with this but until i set the gateway to this it didnt work)
  now back to your pc assuming you have a tftp server installed.
  download the necessary recover tool at (subject to change probably) make sure you put it in your default directory of your tftp server.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml
  this is key probably
  if you have the wrong tool the image will download successfully to your pix but it will not do anything just stop
  after the file has been received.
  so if your unsure try all the images.
  now back to the pix
  to initiate a file download you have to declare it so
  monitor> file np62.bin
  and then to start the download
  monitor> tftp
  see below.... (entire session via console cable)
  monitor> int 0
  0: i8255X @ PCI(bus:0 dev:14 irq:10)
  1: i8255X @ PCI(bus:0 dev:13 irq:11)
  Using 0: i82557 @ PCI(bus:0 dev:14 irq:10), MAC:
  monitor> add 192.168.1.50
  address 192.168.1.50
  monitor> server 192.168.1.79
  server 192.168.1.79
  monitor> gateway 0.0.0.0
  gateway 0.0.0.0
  monitor> file np62.bin
  file np62.bin
  monitor> tftp
  tftp [email protected].....................................................
  Received 73728 bytes
  Cisco Secure PIX Firewall password tool (3.0) #0: Wed Mar 27 11:02:16 PST 2002
  System Flash=E28F128J3 @ 0xfff00000
  BIOS Flash=am29f400b @ 0xd8000
  Do you wish to erase the passwords? [yn]
  if that doesnt work im not sure just try the other images.

• Cisco PIX-515e reset to factory defaults *Expert Advice Only Please*

  Hi,
  I have a cisco PIX-515e which i have connected to a emulator through the console port, and im having trouble erasing data from it.
  I can get into 'pixfirewall' mode and 'monitor' mode but thats as far as i get. i have tried 'write erase' and 'configure factory-default' in both modes to no success.
  When i last posted this i had alot of replies mentioning ROMMON mode but i want to stress the PIX 515e does not have ROMMON mode it has MONITOR mode however the commands are not the same as ROMMON commands.
  Any help would be much appreciated.
  thanks,

  8 MB RAM
  PCI Device Table.
  Bus Dev Func VendID DevID Class              Irq
  00  00  00   8086   7192  Host Bridge
  00  07  00   8086   7110  ISA Bridge
  00  07  01   8086   7111  IDE Controller
  00  07  02   8086   7112  Serial Bus         9
  00  07  03   8086   7113  PCI Bridge
  00  0D  00   8086   1209  Ethernet           11
  00  0E  00   8086   1209  Ethernet           10
  00  11  00   14E4   5823  Co-Processor       11
  00  13  00   8086   B154  PCI-to-PCI Bridge
  01  04  00   8086   1229  Ethernet           11
  01  05  00   8086   1229  Ethernet           10
  01  06  00   8086   1229  Ethernet           9
  01  07  00   8086   1229  Ethernet           5
  Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
  Platform PIX-515E
  System Flash=E28F128J3 @ 0xfff00000
  Use BREAK or ESC to interrupt flash boot.
  Use SPACE to begin flash boot immediately.
  Reading 123392 bytes of image from flash.
  PIX Flash Load Helper
  Initializing flashfs...
  flashfs[0]: 8 files, 3 directories
  flashfs[0]: 0 orphaned files, 0 orphaned directories
  flashfs[0]: Total bytes: 16128000
  flashfs[0]: Bytes used: 13963264
  flashfs[0]: Bytes available: 2164736
  flashfs[0]: Initialization complete.
  Booting first image in flash
  Launching image flash:/pix722.bin
  128MB RAM
  Total NICs found: 6
  mcwa i82559 Ethernet at irq 10  MAC: 0016.9da2.5907
  mcwa i82559 Ethernet at irq 11  MAC: 0016.9da2.5908
  mcwa i82559 Ethernet at irq 11  MAC: 000d.8810.d91c
  mcwa i82559 Ethernet at irq 10  MAC: 000d.8810.d91d
  mcwa i82559 Ethernet at irq  9  MAC: 000d.8810.d91e
  BIOS Flash=am29f400b @ 0xd8000  MAC: 000d.8810.d91f
  Initializing flashfs...
  flashfs[7]: 8 files, 3 directories
  flashfs[7]: 0 orphaned files, 0 orphaned directories
  flashfs[7]: Total bytes: 16128000
  flashfs[7]: Bytes used: 13963264
  flashfs[7]: Bytes available: 2164736
  flashfs[7]: flashfs fsck took 15 seconds.
  flashfs[7]: Initialization complete.
  Licensed features for this platform:
  Maximum Physical Interfaces : 6
  Maximum VLANs               : 25
  Inside Hosts                : Unlimited
  Failover                    : Active/Active
  VPN-DES                     : Enabled
  VPN-3DES-AES                : Enabled
  Cut-through Proxy           : Enabled
  Guards                      : Enabled
  URL Filtering               : Enabled
  Security Contexts           : 2
  GTP/GPRS                    : Disabled
  VPN Peers                   : Unlimited
  This platform has an Unrestricted (UR) license.
  Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
                                   |            |
                                  |||          |||
                                .|| ||.      .|| ||.
                             .:||| | |||:..:||| | |||:.
                              C i s c o  S y s t e m s
  Cisco PIX Security Appliance Software Version 7.2(2)
    ****************************** Warning *******************************
    This product contains cryptographic features and is
    subject to United States and local country laws
    governing, import, export, transfer, and use.
    Delivery of Cisco cryptographic products does not
    imply third-party authority to import, export,
    distribute, or use encryption. Importers, exporters,
    distributors and users are responsible for compliance
    with U.S. and local country laws. By using this
    product you agree to comply with applicable laws and
    regulations. If you are unable to comply with U.S.
    and local laws, return the enclosed items immediately.
    A summary of U.S. laws governing Cisco cryptographic
    products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by
    sending email to [email protected].
    ******************************* Warning *******************************
  Copyright (c) 1996-2006 by Cisco Systems, Inc.
                  Restricted Rights Legend
  Use, duplication, or disclosure by the Government is
  subject to restrictions as set forth in subparagraph
  (c) of the Commercial Computer Software - Restricted
  Rights clause at FAR sec. 52.227-19 and subparagraph
  (c) (1) (ii) of the Rights in Technical Data and Computer
  Software clause at DFARS sec. 252.227-7013.
                  Cisco Systems, Inc.
                  170 West Tasman Drive
                  San Jose, California 95134-1706
  Cryptochecksum (unchanged): 43dccc97 2fb4bfec 15a33bef dad78b7e
  Type help or '?' for a list of available commands.
  pixfirewall>
  I am unable to get onto enable mode because i do not no the password? any idea of a way round, i need to get into that enable mode.

• Cisco PIX 515E multiple ISP support in a VPN scenario

  Iam currently running a cisco 7.2 ios in a Cisco PIX 515E appliance. I have terminated two ISP links in the two ports, and I also have a inside network (LAN). I want to establish 2 Site-Site VPN tunnels using each one of these ISP links respectively (Site 1 in ISP link 1 && Site 2 in ISP link 2).
  Is this possible to achieve??

  Hello,
  This should work. Route the remote endpoint for site 1 out link 1 (using a static route) and for site 2 out link 2 (using a static route) and that should do it.
  Return traffic should work, assuming both ISPs aren't advertising the networks your interfaces are on via BGP (ie, you don't want return traffic from site one coming down the link to site 2 because that ISP is advertising that AS as well.)
  --Jason

• I made a huge mistake, my wife loaded pix under guest and as I closed it to get to my account pix were deleted. Is there any way to recover these pix? Please help!!!

  I made a huge mistake, my wife loaded pix under guest and as I closed it to get to my account pix were deleted. Is there any way to recover these pix? Please help!!!

  You can try data recovery software, like Stellar Phoenix.  That may (or may not) recover some or (probably not) all of them.  Any that cannot be recovered have probably been overwritten and are gone for good.
  Note that you should not do anything further with the machine until you have the data recovery software, and should not install said software on the machine, since that may overwrite the data you're trying to recover.  You'll want to have some other drive you can boot from and use the recovery software from.

• RV0xx connecting to PIX (515e) via ipsec

  We have fielded aproximatly 40 previous revisoin rv042/rv082 routers running 1.3.12.19-tm firmware.
  We have recently begun reciveing v3 hardware running firmware 4.0.0.7.
  The previous routers connected with out complication to our existing PIX 515e 8.0(3) Router using ipsec vpn connections.
  The new version routers congiured with seemingly identical settings fail to connect ant throw the following errors in syslog on the rv042:
  protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
  The PIX syslog throws:
  Received an un-encrypted INVALID_ID_INFO notify message, dropping
  The two configurations never connect.
  Any suggestions would be appreciated.

  Hi !
  The reason this does not work is that you loose connection with the terminal server the second the VPN client is operativ. The VPN client is denied local access and therefore the connection between the internet user and the terminal server is disconnected.. When this happens you should not be able to do any work on the terminal server until the client is dosconnected.
  I use the same solution in my work (great for testing when installing VPN for customers). What I have done is this:
  1. On the Terminal server install VMWare or Microsoft Virtual PC.
  2. Install windows xp on as a virtual pc
  3. Start the virtual windows xp and install the VPN client
  4. Use the virtual windows xp and client when doing connections...
  This works great !!
  The reason this works, is that you no longer connect to the pc doing the actual VPN connection, but to a terminal showing the monitor of the client.
  Best of luck !!
  Jorgen Lanesskog
  Ementor, Norway

• IPS 4240 Blocking Questions with Pix 515E

  I have enabled Blocking on the 4240 and have set the Blocking Device as our Pix 515E. When I look at the Signature Configurations quite a few Signature Actions are set to Produce Alert only. If blocking is enabled do you have to also go and set the Signature Actions to Deny or TCP Reset? So far my IPS dosen't show any Denied Attackers and it has detected High level Traffic which I would assume should now be blocked. Thanks John

  Yes, you have to go under the signatures you want and enable blocking for them as an action. Configuring blocking globally (defining the blocking device, the interface,, the login details for the device, etc), doesn't actually enable any blocking on the sensor per se, you still have to go and enable blocking for that particular signature. when that particular sig fires in future, the sensor will block it on the device you have configured.
  Be very careful with blocking, the reason we don't simply block all signatures is that it would be very dangerous to blindly add access-lists to a device that will stop traffic. You first need to make sure you're not getting any false-positives on the signatures and end up blocking valid traffic. Also, on a busy sensor you could easily overrun both the sensor and the blocking device with writing and removing 1000's of access-lists onto it. And finally, although not likely, blocking can even be used as a denial of service attack, where an attacker, if they know what signatures you are blocking on, can spoof packets past your sensor so that it will deny traffic to legitimate hosts.
  You need to look at what signatures you really want to block on, then enable blocking on them individually.

• Pix 515e vpn setup

  I currently have a pix 515e setup as a firewall and vpn terminator. We will be moving our network to a new isp that will provide the firewall service, but i need to keep the pix for the vpn functionality. The pix currently has a public IP for the vpn but the new ISP want to do nat for the pix, so I have to give it a private ip. here is what the ISP sent me.
  >Essentially - Customer needs
  >1. Internal Server IP address that >will arrive from customer to the f/w.
  >
  >2. The public address NAT that will >represent the customer internal server.
  >
  >3. The proper ports open to support >this request. UDP ? 10000 or 4500 ? >and 500.
  I'm new to VPN I would like some direction on where to find some documents on how to setup the cisco behind another router and without a public ip. Also can the pix have both interfaces on the same subnet?
  Thank you
  rene

  Rene -
  You can't have both the interfaces on the same subnet.
  3. Ports needed for VPN to work.
  UDP - 500 ==> which is ISAKMP
  UDP - 4500 ==> NAT-T
  UDP - 10000 ===> IPSec over UDP
  ESP protocol ==> which is protocol number 50.
  1 & 2. Your external (outside) IP address of the PIX.
  Does this answer your question.

• Error in reload pix 515E

  Hi Guys ,
  When I try reload an pix 515E , appear the follow error :
  pix#reload
  pix#Currently writing image. Cannot reload.
  Anybody know this error ?
  Thanks
  Jorge

  I would check your flash file system for any errors. Perhaps if possible format it?
  Regards
  Farrukh

• Latest IOS for PIX 515E

  What is the latest version of IOS for Cisco PIX 515E ? I want to update. What are the best practices to safly upgrade IOS in PIX? How to take backup copy of existing configuration? I have conf saved in .txt file. Any other way ?

  please see below URL which explain IOS upgrade on PIX and how to backup configuration
  http://www.cisco.com/warp/public/110/upgrade.shtml