PIX 525 Cluster

We recently had to RMA both PIX 525s due to increasing CRC errors. After swapping the old ones with the new, we are still seeing CRC errors on all gig interfaces. We have swapped the gig NICs, the SFPs and the fiber patch cables, yet the CRC errors continue to climb. Another interesting thing is that when we disconnect the secondary we see an increase in throughput. Any insight as to what else could be causing the errors would be appreciated.

Hello,
First, double check the speed/duplex configuration and make sure they match on both ends of each cable. Also, CRC errors are usually caused by the transmitter, but they show up as errors on the receiver side. Therefore, if you're only seeing CRC errors on the PIX and the switch ports look clean, I would focus on why the switch is corrupting the packets. You might try moving the cables to a different unused switch port and see if that helps.
-Mike

Similar Messages

  • PIX 525 UR With 1 4-Port FE, 1 VPN Accel Card

    Good day;
    I have a PIX 525 Unrestricted with failover.
    802.bin IOS
    There is 1 4-port FE and a VPN Accelerator card installed in each unit.
    I tried to install a second 4-port FE in both prime and secondary units and the following is the result.
    Once I power up both units the second 4-port FE mimics the first one. Although there are no physical connections to the second 4-port FE, the port lights on the second FE light up like the ones on the first 4-port FE.
    Example:
    1st 4-port FE
    Fa0/2 - physical connection - Light on
    Fa0/3 - no physical connection - Light off
    Fa0/4 - physical connection - Light on
    Fa0/5 - no physical connection - Light off
    2nd 4-port FE
    Fa0/6 - no physical connection - Light on
    Fa0/7 - no physical connection - Light off
    Fa0/8 - no physical connection - Light on
    Fa0/9 - no physical connection - Light off
    Also, when the second card is installed the first card will not function, and this sets both PIXes as active.
    I'm somewhat baffled.

    Hi;
    Here's the show version.
    As you will see, it allows for 10 physical interfaces.
    I'm scratching my head over this one.
    Cisco PIX Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(2)
    Compiled on Fri 15-Jun-07 18:25 by builders
    System image file is "flash:/pix802.bin"
    Config file at boot was "startup-config"
    MHCPPIX1 up 27 days 22 hours
    failover cluster up 93 days 1 hour
    Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
    Flash E28F128J3 @ 0xfff00000, 16MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
    0: Ext: Ethernet0 : address is 0011.924b.dd31, irq 10
    1: Ext: Ethernet1 : address is 0011.924b.dd32, irq 11
    2: Ext: Ethernet2 : address is 000d.88ee.5d70, irq 11
    3: Ext: Ethernet3 : address is 000d.88ee.5d71, irq 10
    4: Ext: Ethernet4 : address is 000d.88ee.5d72, irq 9
    5: Ext: Ethernet5 : address is 000d.88ee.5d73, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces : 10
    Maximum VLANs : 100
    Inside Hosts : Unlimited
    Failover : Active/Active
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    Cut-through Proxy : Enabled
    Guards : Enabled
    URL Filtering : Enabled
    Security Contexts : 2
    GTP/GPRS : Disabled
    VPN Peers : Unlimited
    This platform has an Unrestricted (UR) license.

  • Cisco PIX 525 and 515 cannot archive configuration in LMS 3.0.1

    Hi,
    We have several Cisco PIX 525 and 515 that cannot archive configuration in LMS 3.0.1.
    Any help would be greatly appreciated.
    Thanks in advance
    Samir

    Hi,
    Here is the output.
    *** Device Details for  ***
    Protocol ==> Unknown / Not Applicable
    Selected Protocols with order ==> TFTP,SSH,HTTPS
    Execution Result:
    RUNNING
    CM0151 PRIMARY RUNNING Config fetch failed for ********* Cause: SSH: Failed to establish SSH connection to 10.192.18.10 - Cause: Authentication failed on device 3 times.
    Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
    But when I do management station to device, it gives me the following results:
    Interface Found:  10.192.18.10
    Status:  UP
    Test Results
    UDP     Failed
          sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 64 protocol: udp port: 7
    TCP     Failed
          sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 0 size: 0 protocol: tcp port: 7
    HTTP     Failed
          sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 33 protocol: http port: 80
    TFTP     Failed
          sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 25 protocol: tftp port: 69
    SNMPRv2c(Read)     Okay
         sent: 5 recvd: 5 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_get port: 0
    SNMPWv2c(Write)     Failed
          sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_set port: 0
    SSHv2     Failed
    TELNET     Okay
    Waiting for your reply.
    Samir

  • Pix 525 Boot rom?

    I was wondering if someone can tell me how to upgrade a Cisco PIX 525 boot ROM from 4.0 to 4.3. Is it a physical chip or a software upgrade? Is it needed in order to upgrade the Cisco PIX 525 to the latest IOS, 8.0? Where can I find more information on it? Thanks in advance

    This link should help you
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
    Regards,
    Sachin

  • Pix 525 6.2 Mac control

    Hello, I'm trying to configure a PIX 525 with 6.2 firmware version; usually I would try this:
    mac access-list extended (name)
    permit host (mac) any
    int f0/0
    mac access-group (name) in
    but this PIX doesn't have mac commands. Can someone help me?
    Thanks
    Mario Silva

    Hello;
    That does not work unless you are running in transparent mode.
    Hope it helps.
    Mike

  • Pix 525 I need erasedisk.bin

    Hey,
    I have a PIX 525; can anyone provide me with erasedisk.bin to erase my flash memory?
    Thanks in advance,

    From the cisco.com terms and conditions:
    "You may not post, modify, distribute, or reproduce in any way copyrighted or other proprietary materials without obtaining the prior written consent of the copyright owner of such materials. We may terminate an account, deny access to a site or service, or terminate any user who is alleged to have infringed the copyright or proprietary rights of another."
    This is further reinforced in the CSC-specific Acceptable Use Agreement.
    You need to ask the TAC (or your reseller) for binaries.

  • Two aaa-server TACACS+ in PIX 525

    I have a PIX 525 with two aaa-servers for TACACS+; my aaa commands are configured by default.
    I understand that my aaa-server TACACS+ max-failed-attempts "number" has 3 times to declare my aaa-server unresponsive and move on to try the next server in the list.
    Once that happens, for how long are the aaa requests sent to the secondary aaa-server?
    Can somebody help me? I want to keep my first aaa-server as primary and just in case of failure use the second aaa-server.
    Thanks a lot.

    The timeout interval also has to be configured for the request. This is the time after which the PIX Firewall gives up on the request to the primary AAA server. If there is a standby AAA server, the PIX Firewall will send the request to the backup server. The retransmit timeout is currently set to 10 seconds and is not user configurable.

  • Cisco pix 525 land attack

    Good morning,
    I have a message on my PIX 525 that someone is spoofing a server from my DMZ. How can I prevent spoofing attacks? It goes something like this: Deny IP due to Land Attack from 10.10.8.1 to 10.10.8.1

    The thing is that I have exhaustion of resources. How can I stop that?

  • Cisco Pix 525 VPN - iPhone/iPad won't connect

    Hi,
    I have one of the most basic configurations on a PIX 525 with remote access enabled. I am able to connect from a desktop machine running the Cisco VPN client, but for some reason I can't get my iPhone or iPad to connect to my VPN. I get the error message stating 'the server did not respond'.
    I am running IOS 8.0.4 and I have a 3DES license, which is required from what I understand.
    I'm starting to think that this really is in the configuration. Could it be the transform set specification?
    Can someone shed some light on this subject?
    Below is close to the current configuration, but it's not exact; some things in it were corrected, so ignore them. It is the best I have, since I am away for the holiday. It should give insight into any areas that might be part of the problem.
    thcvpn01(config)# show config
    : Saved
    : Written by enable_15 at 07:33:33.113 UTC Fri Nov 8 2013
    PIX Version 8.0(4)
    hostname thcvpn01
    domain-name somewhere.net
    enable password* encrypted
    passwd * encrypted
    names
    interface Ethernet0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet5
    shutdown
    no nameif
    no security-level
    no ip address
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 208.67.222.222
    name-server 208.67.222.220
    domain-name somewhere.net
    same-security-traffic permit intra-interface
    object-group icmp-type ICMPObject
    icmp-object echo-reply
    icmp-object source-quench
    icmp-object time-exceeded
    icmp-object unreachable
    access-list outside_access_in extended permit icmp any any object-group ICMPObject
    access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 101 interface
    nat (outside) 101 10.1.2.0 255.255.255.0 outside
    nat (inside) 0 access-list inside-nat0
    nat (inside) 101 10.0.0.0 255.0.0.0
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.1.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
    crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
    crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
    crypto dynamic-map THCDynamicMap 1 set reverse-route
    crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
    crypto map THCCryptoMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 30
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd address 10.1.1.50-10.1.1.254 inside
    dhcpd dns 208.67.222.222 208.67.222.220 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy THCVpnGroup internal
    group-policy THCVpnGroup attributes
    dns-server value 208.67.222.222 208.67.222.220
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelall
    username [username] password [password] encrypted
    tunnel-group THCVpnGroup type remote-access
    tunnel-group THCVpnGroup general-attributes
    address-pool ThcIPPool
    default-group-policy THCVpnGroup
    tunnel-group THCVpnGroup ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    inspect icmp error
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:d57ad5e7f32936cf000c4be69d4385cb
    thcvpn01(config)#
    jeff

    Hi,
    As a primary note, the people at Apple's Genius Bar are not geniuses. They do not know the following, so if you found your way here, awesome.
    The correct answer is that the iPhone and iPad only support AES. You have to modify the crypto map to use AES as well as modify the ISAKMP service to use AES. I believe it supports all AES options: AES, AES 192 and AES 256.
    In all of the frustration, do not, as I did, forget that your username is case sensitive.
    jeff

  • PIX 525 administration

    I'm new to this forum so send me along if this sounds like nonsense. I have a SecurePIX 525 (s/w v6.3(4)) in my production environment. Is there a GUI management tool for the PIX and if so, how do I go about setting it up? Thanks.

    Hi Sean
    You can ask any question in these forums whether or not it's nonsense :)
    Yes, there is a GUI management tool; it's called PIX Device Manager, and for your version of software you need v3 of PDM. You may well find the actual software is on your PIX already.
    Attached is a link to a doc on installing and configuring PDM
    http://www.cisco.com/en/US/docs/security/pix/pix63/pdm30/installation/guide/pdm_ig.html
    HTH
    Jon

  • Phase 2 tunnel is not going up between PIX 525 and Watchguard

    Hi Folks,
    Can you please help me find where the problem lies? Currently I am trying to establish a VPN tunnel between a PIX firewall and a Watchguard; all the parameters of both devices are the same, though the Phase 2 tunnel is not coming up.
    Here is the debug:
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match MINE hash
    hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
    my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
    his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated
    ISAKMP: Created a peer struct for 212.37.17.43, peer port 37905
    ISAKMP: Locking UDP_ENC struct 0x3cbb634 from crypto_ikmp_udp_enc_ike_init, count 1
    ISAKMP (0): ID payload
    next-payload : 8
    type : 2
    protocol : 17
    port : 0
    length : 23
    ISAKMP (0): Total payload length: 27
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:212.37.17.43/4500 Total VPN Peers:16
    VPN Peer: ISAKMP: Peer ip:212.37.17.43/4500 Ref cnt incremented to:1 Total VPN Peers:16
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 3168983470
    ISAKMP (0): processing notify INITIAL_CONTACT
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 484086886
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 28800
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (basic) of 32000
    ISAKMP: encaps is 61433
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:213.210.211.82, dest:212.118.128.233 spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 287560609
    ISAMKP (0): received DPD_R_U_THERE from peer 213.210.211.82
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANSdebug
    ISAKMP (0): retransmitting phase 1 (0)...
    Thanks,
    Ismail

    Hi Kanishka,
    The Phase 2 parameters are the same; also PFS is disabled!
    There are some curious things in the debug messages; could you please throw some light on them?
    ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP: default group 1
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload
    What does the "vendor ID is NAT-T" above mean? Is it saying that both sides are using NAT traversal?
    Also in encryption it says encryption 3DES-CBC.
    I am not sure if this CBC is the culprit, because that's what Watchguard uses; it does not have an option for only 3DES.
    Strangely enough Phase 1 is coming up. I am also questioning myself about the following message appearing in Phase 1:
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match MINE hash
    hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
    my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
    his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    How come Phase 1 is coming up though the PIX is claiming that his hash is not the same as HIS hash :(
    The log messages on Watchguard state that there is no proposal chosen!
    Why are both firewalls not friends?
    I appreciate any input.
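
As an added example (not from the thread), a small Python parser for PIX `debug crypto isakmp` output like the capture above: it records the NAT-D hash mismatch as what it is, the way NAT-T is negotiated rather than a Phase 1 failure, and checks the rejected Phase 2 proposal against a local transform set that is assumed (ESP_3DES with HMAC-SHA), since the PIX's own transform set is not shown. The capture it runs on is a constructed excerpt with documentation addresses.

```python
"""Summarise a PIX 'debug crypto isakmp' capture (added example, not from the
thread); the sample below is a constructed excerpt with documentation addresses."""
import re
from dataclasses import dataclass, field

SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:192.0.2.10, dest:198.51.100.5 spt:500 dpt:500
ISAKMP (0:0): NAT does not match MINE hash
ISAKMP (0:0): NAT does not match HIS hash
ISAKMP (0): SA has been authenticated
crypto_isakmp_process_block:src:192.0.2.10, dest:198.51.100.5 spt:4500 dpt:4500
OAK_QM exchange
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 32000
ISAKMP: encaps is 61433
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
"""

# Encapsulation modes: RFC 2407 (1, 2), RFC 3947 UDP-encapsulated (3, 4) and the
# private-use numbers the pre-RFC NAT-T drafts used (61443, 61444).
ENCAPS_MODES = {1: "tunnel", 2: "transport", 3: "udp-tunnel", 4: "udp-transport",
                61443: "udp-tunnel(draft)", 61444: "udp-transport(draft)"}


@dataclass
class IkeSummary:
    phase1_authenticated: bool = False
    nat_detected: bool = False      # a NAT-D hash did not match
    nat_t_port_seen: bool = False   # negotiation moved to UDP 4500
    phase2_rejected: bool = False   # "atts not acceptable"
    proposals: list = field(default_factory=list)


def parse_isakmp_debug(text: str) -> IkeSummary:
    s = IkeSummary()
    cur = None       # proposal dict currently being filled in
    pending = None   # lifetime key the next "SA life duration" line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if "SA has been authenticated" in line:
            s.phase1_authenticated = True
        elif "NAT does not match" in line:
            s.nat_detected = True
        elif "spt:4500 dpt:4500" in line:
            s.nat_t_port_seen = True
        elif "atts not acceptable" in line:
            s.phase2_rejected = True
        elif m := re.match(r"ISAKMP : Checking IPSec proposal (\d+)", line):
            cur = {"proposal": int(m.group(1))}
            s.proposals.append(cur)
        elif cur is not None:
            if m := re.match(r"ISAKMP: transform \d+, (\S+)", line):
                cur["esp"] = m.group(1)
            elif m := re.match(r"ISAKMP: authenticator is (\S+)", line):
                cur["auth"] = m.group(1)
            elif m := re.match(r"ISAKMP: encaps is (\d+)", line):
                v = int(m.group(1))
                cur["encaps"] = ENCAPS_MODES.get(v, f"unknown({v})")
            elif "SA life type in seconds" in line:
                pending = "life_seconds"
            elif "SA life type in kilobytes" in line:
                pending = "life_kilobytes"
            elif pending and (m := re.search(r"SA life duration .* of (\d+)", line)):
                cur[pending] = int(m.group(1))
                pending = None
    return s


def explain(s: IkeSummary, local_esp: str, local_auth: str) -> list:
    """Plain-words findings; local_esp/local_auth name the PIX's own transform
    set in the debug's spelling, e.g. 'ESP_3DES' and 'HMAC-SHA' (assumed here)."""
    notes = []
    if s.nat_detected:   # RFC 3947: a NAT-D mismatch means a NAT sits on the path
        msg = "NAT-D hash mismatch: NAT detected on the path; this is how NAT-T is negotiated, not a phase 1 failure"
        notes.append(msg + (" (confirmed by the move to UDP 4500)" if s.nat_t_port_seen else ""))
    if s.phase1_authenticated:
        notes.append("phase 1 completed: pre-shared key and ISAKMP policy match")
    for p in s.proposals:
        diffs = []
        if p.get("esp") != local_esp:
            diffs.append(f"encryption {p.get('esp')} vs local {local_esp}")
        if p.get("auth") != local_auth:
            diffs.append(f"integrity {p.get('auth')} vs local {local_auth}")
        if str(p.get("encaps", "")).startswith("unknown"):
            diffs.append(f"unrecognised encapsulation mode {p['encaps']}")
        if s.phase2_rejected:
            notes.append(f"phase 2 proposal {p['proposal']} rejected: " + ("; ".join(diffs) or "attributes match; check crypto ACL, PFS and encapsulation mode"))
    return notes
```

Run `explain(parse_isakmp_debug(SAMPLE_DEBUG), "ESP_3DES", "HMAC-SHA")` and compare the reported differences with the Watchguard's Phase 2 proposal; any attribute it lists must be made identical on both ends.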

  • Bandwidth Allocation for a specific VPN Tunnel - PIX 525 7.2(1)

    Hello,
    I have a PIX with a 10 MB internet connection. This PIX has several L2L VPN tunnels configured: Tunnel1, Tunnel2...TunnelN. I want to be able to guarantee 5Mb of the total 10Mb to a specific VPN tunnel. Is this possible? I have read the following links; however, I believe that the configuration guidelines I'm looking for are a combination of several examples shown here:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml#tab4
    https://supportforums.cisco.com/docs/DOC-1230
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#cqos
    The tunnel is being defined by the following commands:
    crypto map prdmay 20 match address vpn_1
    crypto map prdmay 20 set peer 61.172.142.222
    crypto map prdmay 20 set transform-set TS
    access-list vpn_1 extended permit ip 10.14.102.0 255.255.255.0 any
    access-list vpn_1 extended permit ip 10.14.101.0 255.255.255.0 any
    tunnel-group 61.172.142.222 type ipsec-l2l
    tunnel-group 61.172.142.222 ipsec-attributes
    pre-shared-key *
    Is the following what I need to do in order to accomplish what I want:
    priority-queue outside
    class-map vpn_5Mb
    match access-list vpn_1
    match tunnel-group 61.172.142.222
    policy-map police-priority-policy
    class vpn_5Mb
    police output 5120000
    service-policy police-priority-policy interface outside
    Thank you for your help.

    I don't think the ASA will let you match on ACL and tunnel group at the same time.
    Just the ACL will do though. The ACL should match local IP addresses (they are usually no-natted for the VPN anyway).
    Here is a page with QoS examples on the ASA for reference: https://supportforums.cisco.com/docs/DOC-1230
    I hope it helps.
    PK

  • Multiple Internal IP in PIX 525 v7.2 unable to access from HQ

    Hi Guys,
    I have a problem where my HQ (private IP) is unable to ping and access a server with IP 10.45.x.42 residing at my branch. Both HQ and my branch use private IPs. My LAN uses 2 IP ranges.
        LAN                       FW                 Exinda             Router
    10.45.x.0/19(old range)----->10.36.x.12---->  10.39.x.3 ----> 10.39.x.1----->Internet
    10.36.x.0/16(New range)
    Previously I was using both IP ranges in my network-object and I asked our provider to ping my LAN, but there was no reply.
    Now the problem is that from the HQ/provider we can't ping 10.45.x.0/19; it gets stuck at the PIX.
    When I use packet-tracer I get this result. It seems to be stuck at NAT.
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside) 1 access-list net36
    nat-control
      match ip inside 10.45.x.0 255.255.224.0 Net any
        dynamic translation to pool 1 (10.39.x.2 [Interface PAT])
        translate_hits = 3185, untranslate_hits = 0
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0x4dc4d38, priority=2, domain=nat-reverse, deny=false
        hits=1782778, user_data=0x4d2e470, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.45.x.0, mask=255.255.224.0, port=0
    Here is my network-object config:
    object-group network NET_CLIENT
    network-object 10.36.x.0 255.255.0.0
    network-object 10.45.x.0 255.255.224.0
    access-list permit-all extended permit icmp any any
    access-list permit-all extended permit ip any any
    access-list permit-all extended permit udp any any
    access-list permit-all extended permit tcp any any
    access-list net36 extended permit ip object-group NET_CLIENT any
    access-list net36 extended permit tcp object-group NET_CLIENT any
    access-list net36 extended permit udp object-group NET_CLIENT any
    access-list net36 extended permit icmp object-group NET_CLIENT any
    I really appreciate your help and advice

    Hi Jouni,
    I can't do the packet-tracer as the PIX has already been bypassed by my superior.
    Based on my config, how should I allow IP 10.45.x.0 to be pingable from the outside interface, e.g. my HQ? As this config was written, the log shows it has no translation group towards the dst 10.45.x.0/19:
    Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.24/50204 dst inside:10.45.x.51/443
    Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.43/65025 dst inside:10.45.x.51/443
    Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:113.210.x.139/34736 dst inside:10.45.x.51/443
    *Based on my config, even allowing all in and out I am still stuck with the "No translation group". Can you guide me on how to use the network-object with the ACL so that outside can access the server inside and it will not get stuck on the NAT portion?
    ===============
    PIX Version 7.2(1)
    hostname SD
    names
    dns-guard
    interface Ethernet0
    nameif Net
    security-level 0
    ip address 10.39.x.x 255.255.255.128
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.36.x.x 255.255.255.248
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet5
    shutdown
    no nameif
    no security-level
    no ip address
    ftp mode passive
    clock timezone MYT 8
    dns server-group DefaultDNS
    domain-name
    same-security-traffic permit inter-interface
    access-list permit-all extended permit icmp any any
    access-list permit-all extended permit ip any any
    access-list permit-all extended permit udp any any
    access-list permit-all extended permit tcp any any
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 16384
    logging buffered notifications
    logging trap debugging
    logging history informational
    logging asdm informational
    logging host inside 10.36.x.17
    logging ftp-bufferwrap
    mtu Net 1500
    mtu inside 1500
    ip verify reverse-path interface Net
    ip verify reverse-path interface inside
    no failover
    asdm image flash:/asdm-521.bin
    asdm history enable
    arp timeout 14400
    nat-control
    global (Net) 1 interface
    nat (inside) 1 10.0.0.0 255.0.0.0
    access-group permit-all in interface Net
    access-group permit-all in interface inside
    route Net 0.0.0.0 0.0.0.0 10.39.x.x 1
    route inside 10.36.0.0 255.255.0.0 10.36.x.x 1
    route inside 10.45.x.0 255.255.224.0 10.36.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 10.36.x.142 255.255.255.255 inside
    snmp-server location level 2
    snmp-server contact Network
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    telnet 10.36.x.x 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:
    : end

  • PIX 525 aaa authentication with both tacacs and local

    Hi,
    I have configured aaa authentication for the PIX with the TACACS protocol (ACS server).
    It works fine; now I would like to add backup authentication, as follows:
    - If the ACS goes down I can be authenticated with the local database.
    Is it possible with the PIX, and if yes, how?

    Hi,
    I am trying to configure aaa using TACACS+, and I am not able to close it. The problems are:
    1. It doesn't ask for username/password at the first level.
    2. At the second level it asks for a user name but doesn't authenticate the user.
    Could you please let me know if the following config is correct? If not, could you help me?
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authen enable console TACACS+

  • Pix 525 6.3 Password Recovery shuts down TFTP server

    I noticed that every time I try to run the password recovery procedure to retrieve the np63.bin file from my TFTP server, the PIX hangs and the TFTP app shuts down completely. I am investigating, but if anyone knows off the top of their head, I would appreciate the sharing.

    I got it... I'm not sure what it was, but as soon as I plugged both inside and outside interfaces in, that allowed the file to be received. I guess that's the way it works. The document must presume you know this.
    The "Duhs" have it! Motion passed!!
