Problems discovering PIX 525
Hi all,
In Common Services I have problems discovering some PIX firewalls running 6.3(5) software. I have an SNMP tool that can discover the firewalls if I'm using SNMP version 1. I don't have the option to choose version 1 in CiscoWorks (except if I do an SNMP walk from the Device Center; then it works. In Device Center I can choose version 1). In the discovery settings, I can only choose version 2c or 3.
Any good ideas besides upgrading the firewall software?
Thanks,
Jesper
According to the bug notes, Common Services 3.3 should have support for SNMPv1 device discovery:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsu82153
So if you can upgrade to LMS 3.2, that'd be one way to work around upgrading the PIX.
Similar Messages
-
Cisco Pix 525 VPN - iPhone/iPad won't connect
hi,
I have one of the most basic configurations on a PIX 525 with remote access enabled. I am able to connect from a desktop machine running the Cisco VPN client, but for some reason I can't get my iPhone or iPad to connect to my VPN. I get the error message stating 'the server did not respond'.
I am running ios 8.0.4 and I have a 3DES license, which is required from what I understand.
I'm starting to think that this really is in the configuration. Could it be the transform set specification?
Can someone shed some light on this subject?
Below is close to the current configuration, but it's not exact; some things in it were corrected, so ignore them. It is the best I have, since I am away for the holiday. It should give insight into any areas that might be part of the problem.
thcvpn01(config)# show config
: Saved
: Written by enable_15 at 07:33:33.113 UTC Fri Nov 8 2013
PIX Version 8.0(4)
hostname thcvpn01
domain-name somewhere.net
enable password* encrypted
passwd * encrypted
names
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0 outside
nat (inside) 0 access-list inside-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 208.67.222.222 208.67.222.220 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy THCVpnGroup internal
group-policy THCVpnGroup attributes
dns-server value 208.67.222.222 208.67.222.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
default-group-policy THCVpnGroup
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
Cryptochecksum:d57ad5e7f32936cf000c4be69d4385cb
thcvpn01(config)#
jeff
hi,
As a primary note, the people at Apple's Genius Bar are not geniuses. They do not know the following, so if you found your way here, awesome.
The correct answer is that the iPhone and iPad only support AES. You have to modify the crypto map to use AES as well as modify the ISAKMP service to use AES. I believe it supports all AES options: AES, AES 192 and AES 256.
In all of the frustration, do not, as I did, forget that your username is case sensitive.
jeff
-
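As an added example (not code from the thread or from Cisco), the Python script below parses the crypto section of a PIX/ASA-style configuration and checks whether an AES transform set and an AES ISAKMP policy are present, which is what jeff's reply says the iPhone/iPad client needs. BEFORE_CONFIG is a constructed excerpt modelled on the posted 3DES/MD5 configuration; AFTER_CONFIG appends an AES-256/SHA transform set and ISAKMP policy next to the original entries, so the desktop client keeps its 3DES proposal while the iOS client gets AES. The name THCTransformSetAES and the policy priority 5 are assumptions.

```python
"""Audit ISAKMP policies and IPsec transform sets in a PIX/ASA-style config
for the AES support the reply above says the iOS client needs.

Added example, not from the forum thread. BEFORE_CONFIG is a constructed
excerpt in the shape of the posted configuration (3DES/MD5 only); AFTER_CONFIG
adds an AES transform set and ISAKMP policy alongside the old ones. The name
THCTransformSetAES and policy priority 5 are assumptions.
"""
import re

AES_ESP = {"esp-aes", "esp-aes-192", "esp-aes-256"}   # Phase 2 AES transforms
AES_IKE = {"aes", "aes-192", "aes-256"}               # Phase 1 AES keywords
POLICY_ATTRS = {"authentication", "encryption", "hash", "group", "lifetime"}

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$")
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")

BEFORE_CONFIG = """\
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp nat-traversal 30
"""

# Constructed fix: keep the 3DES entries, add AES ones, and list both transform
# sets on the dynamic map so either client type can negotiate.
AFTER_CONFIG = BEFORE_CONFIG + """\
crypto ipsec transform-set THCTransformSetAES esp-aes-256 esp-sha-hmac
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSetAES THCTransformSet
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 43200
"""


def parse_crypto(config):
    """Return {'transform_sets': {name: [transforms]},
               'isakmp_policies': {priority: {attr: value}}}."""
    transform_sets, policies, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = TRANSFORM_RE.match(line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            current = None
            continue
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        # Attribute lines belong to the most recent 'crypto isakmp policy' stanza;
        # anything else ends that stanza.
        key, _, value = line.partition(" ")
        if current is not None and key in POLICY_ATTRS:
            policies[current][key] = value
        else:
            current = None
    return {"transform_sets": transform_sets, "isakmp_policies": policies}


def audit(config):
    """Findings for every transform set / policy that is not AES + SHA."""
    parsed, findings = parse_crypto(config), []
    for name, transforms in parsed["transform_sets"].items():
        enc = [t for t in transforms if not t.endswith("-hmac")]
        auth = [t for t in transforms if t.endswith("-hmac")]
        if not any(t in AES_ESP for t in enc):
            findings.append(f"transform-set {name}: encryption {' '.join(enc)} is not AES")
        if "esp-sha-hmac" not in auth:
            findings.append(f"transform-set {name}: integrity {' '.join(auth)} is not SHA")
    for prio, attrs in sorted(parsed["isakmp_policies"].items()):
        if attrs.get("encryption") not in AES_IKE:
            findings.append(f"isakmp policy {prio}: encryption {attrs.get('encryption')} is not AES")
        if attrs.get("hash") != "sha":
            findings.append(f"isakmp policy {prio}: hash {attrs.get('hash')} is not SHA")
    return findings


def has_aes_proposal(config):
    """True when at least one transform set AND one ISAKMP policy offer AES;
    remaining 3DES entries are allowed so the desktop client still works."""
    parsed = parse_crypto(config)
    ts_ok = any(any(t in AES_ESP for t in ts) for ts in parsed["transform_sets"].values())
    pol_ok = any(p.get("encryption") in AES_IKE for p in parsed["isakmp_policies"].values())
    return ts_ok and pol_ok


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"{label}: AES offered = {has_aes_proposal(cfg)}")
        for finding in audit(cfg):
            print("   ", finding)
```

The audit still reports the 3DES/MD5 entries in the AFTER configuration on purpose: they remain for the desktop client, and the check that matters for the iOS client is `has_aes_proposal`, which flips from False to True once the AES transform set and policy exist.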
Cisco PIX 525 and 515 cannot archive configuration in LMS 3.0.1
Hi,
We have several Cisco PIX 525 and 515 that cannot archive configuration in LMS 3.0.1.
Any help would be greatly appreciated.
Thanks in advance
Samir
Hi,
Here is the output.
*** Device Details for ***
Protocol ==> Unknown / Not Applicable
Selected Protocols with order ==> TFTP,SSH,HTTPS
Execution Result:
RUNNING
CM0151 PRIMARY RUNNING Config fetch failed for ********* Cause: SSH: Failed to establish SSH connection to 10.192.18.10 - Cause: Authentication failed on device 3 times.
Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
But when I do a Management Station to Device test it gives me the following results:
Interface Found: 10.192.18.10
Status: UP
Test Results
UDP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 64 protocol: udp port: 7
TCP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 0 size: 0 protocol: tcp port: 7
HTTP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 33 protocol: http port: 80
TFTP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 25 protocol: tftp port: 69
SNMPRv2c(Read) Okay
sent: 5 recvd: 5 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_get port: 0
SNMPWv2c(Write) Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_set port: 0
SSHv2 Failed
TELNET Okay
Waiting for your reply.
Samir
-
PIX 525 UR With 1 4-Port FE, 1 VPN Accel Card
Good day;
I have a PIX 525 Unrestricted with failover.
802.bin IOS
There is 1 4-port FE and a VPN Accelerator card installed in each unit.
I tried to install a second 4-port FE in both prime and secondary units and the following is the result.
Once I power up both units the second 4-port FE mimics the first one. Although there are no physical connections to the second 4-port FE's, the port lights on the second FE's light up as the ones on the first 4-port FE.
Example:
1st 4-port FE
Fa0/2 - physical connection - Light on
Fa0/3 - no physical connection - Light off
Fa0/4 - physical connection - Light on
Fa0/5 - no physical connection - Light off
2nd 4-port FE
Fa0/6 - no physical connection - Light on
Fa0/7 - no physical connection - Light off
Fa0/8 - no physical connection - Light on
Fa0/9 - no physical connection - Light off
Also, when the second card is installed the first card will not function and this sets both PIX's as active.
I'm somewhat baffled.
Hi;
Here's the show version.
As you will see, it allows for 10 physical interfaces.
I'm scratching my head over this one.
Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)
Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/pix802.bin"
Config file at boot was "startup-config"
MHCPPIX1 up 27 days 22 hours
failover cluster up 93 days 1 hour
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 0011.924b.dd31, irq 10
1: Ext: Ethernet1 : address is 0011.924b.dd32, irq 11
2: Ext: Ethernet2 : address is 000d.88ee.5d70, irq 11
3: Ext: Ethernet3 : address is 000d.88ee.5d71, irq 10
4: Ext: Ethernet4 : address is 000d.88ee.5d72, irq 9
5: Ext: Ethernet5 : address is 000d.88ee.5d73, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
-
[svn:osmf:] 14971: Fix a problem discovered by the unit test.
Revision: 14971
Author: [email protected]
Date: 2010-03-23 16:34:10 -0700 (Tue, 23 Mar 2010)
Log Message:
Fix a problem discovered by the unit test.
Modified Paths:
osmf/trunk/framework/OSMF/org/osmf/net/httpstreaming/f4f/BoxParser.as(Removed)
-
We currently had to RMA both PIX 525s due to increasing crc errors. After swapping the old ones with the new we are still seeing crc errors on all gig interfaces. We have swapped the gig nic's and the sfp's and the fiber patch cables, yet still the crc errors continue to climb. Another thing that's interesting is that when we disconnect the secondary we see an increase in throughput. Any insight as to what else could be causing the errors would be appreciated.
Sent from Cisco Technical Support iPhone App
Hello,
First, double check the speed/duplex configuration and make sure they match on both ends of each cable. Also, CRC errors are usually caused by the transmitter, but they show up as errors on the receiver side. Therefore, if you're only seeing CRC errors on the PIX and the switch ports look clean, I would focus on why the switch is corrupting the packets. You might try moving the cables to a different unused switch port and see if that helps.
-Mike
-
I was wondering if someone can tell me how to upgrade a Cisco Pix 525 boot rom from 4.0 to 4.3. Is it a physical chip or software upgrade? Is it needed to upgrade to latest IOS on Cisco Pix 525 to 8.0. Where can I find more information on it? Thanks in advance
This link should help you
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
Regards,
Sachin
-
Pix 525 6.2 Mac control
Hello, I'm trying to configure a pix 525 with 6.2 firmware version, usually I would try this:
mac access-list extended (name)
permit host (mac) any
int f0/0
mac access-group (name) in
but this pix doesn't have mac commands. Can someone help me?
Thanks
Mario Silva
Hello;
That does not work unless you are running in transparent mode.
Hope it helps.
Mike
Sent from Cisco Technical Support Android App
-
Pix 525 I need erasedisk.bin
Hey,
I have a PIX 525. Can anyone provide me with erasedisk.bin to erase my flash memory?
Thanks in advance,
From the cisco.com terms and conditions:
"You may not post, modify, distribute, or reproduce in any way copyrighted or other proprietary materials without obtaining the prior written consent of the copyright owner of such materials. We may terminate an account, deny access to a site or service, or terminate any user who is alleged to have infringed the copyright or proprietary rights of another."
This is further reinforced in the CSC-specific Acceptable Use Agreement.
You need to ask the TAC (or your reseller) for binaries.
-
Two aaa-server TACACS+ in PIX 525
I have a PIX 525 with two aaa-servers for TACACS+; my aaa commands are configured by default.
I understand that my aaa-server TACACS+ max-failed-attempts "number" allows "3" attempts before declaring my aaa-server unresponsive and moving on to try the next server in the list.
Once that happens, for how long are the aaa requests sent to the secondary aaa-server?
Can somebody help me? I want to keep my first aaa-server as primary and, just in case of failure, use the second aaa-server.
Thanks a lot.
The timeout interval also has to be configured for the request. This is the time after which the PIX Firewall gives up on the request to the primary AAA server. If there is a standby AAA server, the PIX Firewall will send the request to the backup server. The retransmit timeout is currently set to 10 seconds and is not user configurable.
-
Good morning,
I have a message on my PIX 525 that someone is spoofing on a server from my DMZ. How can I prevent spoofing attacks? It goes something like this: Deny IP due to Land Attack from 10.10.8.1 to 10.10.8.1
The thing is that I have exhaustion of resources. How can I stop that?
-
Phase 2 tunnel is not going up between PIX 525 and Watchguard
Hi Folks,
Can you please help me find where the problem lies? Currently I am trying to establish a VPN tunnel between a PIX firewall and a Watchguard; all the parameters of both devices are the same, though the Phase 2 tunnel is not coming up.
Here is the debug:
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 212.37.17.43, peer port 37905
ISAKMP: Locking UDP_ENC struct 0x3cbb634 from crypto_ikmp_udp_enc_ike_init, count 1
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 0
length : 23
ISAKMP (0): Total payload length: 27
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:212.37.17.43/4500 Total VPN Peers:16
VPN Peer: ISAKMP: Peer ip:212.37.17.43/4500 Ref cnt incremented to:1 Total VPN Peers:16
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 3168983470
ISAKMP (0): processing notify INITIAL_CONTACT
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 484086886
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 32000
ISAKMP: encaps is 61433
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:213.210.211.82, dest:212.118.128.233 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 287560609
ISAMKP (0): received DPD_R_U_THERE from peer 213.210.211.82
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANSdebug
ISAKMP (0): retransmitting phase 1 (0)...
Thanks,
Ismail
Hi Kanishka,
The Phase 2 parameters are the same; also PFS is disabled!
There are some curious things in the debug messages; could you please throw some light on them?
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 1
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
What does 'vendor ID is NAT-T' above mean? Does it say that both sides are using NAT traversal?
Also, for encryption it says encryption 3DES-CBC.
I am not sure if this CBC is the culprit, because that's what Watchguard uses; it does not have an option for only 3DES.
Strangely enough, Phase 1 is coming up. I am also questioning myself about the following message appearing in Phase 1:
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
How come Phase 1 is coming up though the PIX is claiming that his HASH is not the same as HIS HASH :(
The log messages on Watchguard state that there is no proposal chosen!
Why are both firewalls not friends?
I appreciate any input
-
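As an added example (not part of the thread), the Python script below parses the Quick Mode section of a PIX "debug crypto isakmp" output like the one posted above, pulls out the peer's proposed transform, lifetimes, encapsulation mode and authenticator, and compares them with the transform set the PIX is assumed to offer; it also names the NOTIFY the PIX sent (type 14 is NO-PROPOSAL-CHOSEN, the same "no proposal chosen" the Watchguard logs). The NAT-D hash mismatch in the Phase 1 output is expected whenever NAT sits between the peers: it is how the PIX detects NAT and switches to UDP 4500, not an error, which is why Phase 1 still completes. SAMPLE_DEBUG is a constructed excerpt using documentation addresses, and LOCAL_TRANSFORM is an assumed local setting chosen so the comparison shows a mismatch.

```python
"""Extract the peer's Phase 2 (Quick Mode) proposal from PIX 'debug crypto
isakmp' output and compare it with the transform set we expect to offer.

Added example, not part of the forum thread. SAMPLE_DEBUG is a constructed
excerpt in the shape of the posted Quick Mode debug (documentation addresses
replace the real peers); LOCAL_TRANSFORM is an assumed local transform set.
"""
import re

# Encapsulation mode numbers from RFC 2407 and RFC 3947.
ENCAPS_MODES = {1: "Tunnel", 2: "Transport",
                3: "UDP-Encapsulated-Tunnel", 4: "UDP-Encapsulated-Transport"}
# ISAKMP notify types seen in the posted debug (RFC 2408, RFC 2407, RFC 3706).
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 24578: "INITIAL_CONTACT",
                36136: "DPD R-U-THERE", 36137: "DPD R-U-THERE-ACK"}

SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:198.51.100.10, dest:203.0.113.5 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 484086886
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 32000
ISAKMP: encaps is 61433
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
"""

# Assumed local Phase 2 settings (esp-3des esp-sha-hmac in PIX terms).
LOCAL_TRANSFORM = {"encryption": "ESP_3DES", "authenticator": "HMAC-SHA"}


def parse_quick_mode(debug):
    """Return one dict per transform the peer proposed, with the PIX verdict."""
    proposals, cur, proposal_no, life_unit = [], None, None, None
    for line in debug.splitlines():
        m = re.search(r"Checking IPSec proposal (\d+)", line)
        if m:
            proposal_no = int(m.group(1))
            continue
        m = re.search(r"transform (\d+), (\S+)", line)
        if m:
            cur = {"proposal": proposal_no, "transform": int(m.group(1)),
                   "encryption": m.group(2), "life_seconds": None,
                   "life_kilobytes": None, "encaps": None,
                   "authenticator": None, "accepted": None}
            proposals.append(cur)
            continue
        if cur is None:          # lines before the first transform (Phase 1 etc.)
            continue
        m = re.search(r"SA life type in (seconds|kilobytes)", line)
        if m:
            life_unit = m.group(1)       # the next duration line is in this unit
            continue
        m = re.search(r"SA life duration \(\w+\) of (\d+)", line)
        if m and life_unit:
            cur["life_" + life_unit] = int(m.group(1))
            life_unit = None
            continue
        m = re.search(r"encaps is (\d+)", line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = re.search(r"authenticator is (\S+)", line)
        if m:
            cur["authenticator"] = m.group(1)
            continue
        if "atts not acceptable" in line:
            cur["accepted"] = False
        elif "atts are acceptable" in line:
            cur["accepted"] = True
    return proposals


def encaps_name(code):
    """Standard mode name, or a marker for values outside the RFC tables."""
    return ENCAPS_MODES.get(code, f"unrecognised ({code})")


def notify_types(debug):
    """Names of the NOTIFY messages the PIX sent, in order."""
    codes = [int(c) for c in re.findall(r"sending NOTIFY message (\d+)", debug)]
    return [NOTIFY_TYPES.get(c, str(c)) for c in codes]


def compare(proposal, local):
    """Attributes where the peer's proposal differs from the local transform set."""
    return [k for k in ("encryption", "authenticator") if proposal.get(k) != local.get(k)]


if __name__ == "__main__":
    for p in parse_quick_mode(SAMPLE_DEBUG):
        print(f"proposal {p['proposal']} transform {p['transform']}: {p['encryption']}/"
              f"{p['authenticator']}, encaps {encaps_name(p['encaps'])}, "
              f"life {p['life_seconds']}s / {p['life_kilobytes']}KB, accepted={p['accepted']}")
        print("  mismatches vs local:", compare(p, LOCAL_TRANSFORM) or "none")
    print("notifies sent:", notify_types(SAMPLE_DEBUG))
```

Only the encryption and authenticator are compared, because those are the attributes both sides must agree on; the lifetimes are parsed for information and the encapsulation value is printed as-is, since the 61433 in the posted debug is not one of the RFC mode numbers and is worth checking against the NAT-T settings on both peers.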
Hello
I have a problem with installing the agent on a CentOS system. Everything works fine and looks good until the step "Validating..."; then the wizard stops suddenly with no errors, and all I can do is click "Done", but the system doesn't appear in the console...
I researched and found this DebugView tool; many admins used it to solve problems with installations.
Unfortunately I can't find any error in DebugView either...
Can someone help me?
Hello,
I have the same problem. No errors detected, but wizard stops in "Validating..." step and the machine is not discovered. Any clue?
Andrés Guerrero
Andres,
Try turning logging on and see if it helps pinpoint the issue. Start with
EnableOpsmgrModuleLogging
http://technet.microsoft.com/en-us/library/hh212862.aspx
Also make sure port 1270 is open on the CentOS system.
Regards,
-Steve
-
Oracle application having problem on PIX to ASA L2L tunnel.
Hi ALL,
My customer performed a PIX migration to an ASA5520 last weekend, and the configuration on the new ASA5520 is almost the same as on the original PIX515. There are several L2L VPN tunnel configurations on the ASA5520. After the migration, all VPN tunnels can establish without problem. But my customer found that their Oracle application running over one of the VPN tunnels has a connectivity issue. This application did not have problems in the original environment.
This VPN tunnel is a L2L tunnel between the remote and main office. In the remote office, the VPN endpoint is a PIX515E w/ OS 7.0(5). In the main office it is an ASA5520 with 7.2(2). The original firewall in the main office was a PIX 515 w/ 7.0(5). The IPSec match address list is an IP network to IP network access list without port definition.
We found that the Oracle client in the remote office can connect to the port opened on the Oracle server in the main office. But after connecting to the port on the server, the application re-establishes a new connection using a random port between this client and server, and this new connection seems unable to establish.
Can anyone tell me whether it is possible for this IPSec tunnel to impact the Oracle application? The ACL is an IP to IP ACL. What can I do to troubleshoot this issue? Why did the issue arise on the new ASA implementation?
I'm looking forward to your reply! Please help!
Jason
Hi,
Here are the end to end troubleshooting steps for L2L tunnels.
Please check the debug commands carefully; you will get to the key point where the trouble is.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Regards,
Dharmesh Purohit
-
Multiple Internal IP in PIX 525 v7.2 unable to access from HQ
Hi Guys,
I got a problem where my HQ (private IP) is unable to ping and access a server with IP 10.45.x.42 residing at my branch. Both HQ and my branch use private IPs. My LAN uses 2 IP ranges.
LAN FW Exinda Router
10.45.x.0/19(old range)----->10.36.x.12----> 10.39.x.3 ----> 10.39.x.1----->Internet
10.36.x.0/16(New range)
Previously I was using both IP ranges in my network-object, and I asked our provider to ping my LAN, but no reply.
Now the problem is that from the HQ/provider I can't ping 10.45.x.0/19; it gets stuck at the PIX.
When I use packet-tracer I get this result. It seems to be stuck at NAT.
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list net36
nat-control
match ip inside 10.45.x.0 255.255.224.0 Net any
dynamic translation to pool 1 (10.39.x.2 [Interface PAT])
translate_hits = 3185, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4dc4d38, priority=2, domain=nat-reverse, deny=false
hits=1782778, user_data=0x4d2e470, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.45.x.0, mask=255.255.224.0, port=0
Here is my config of network-object
object-group network NET_CLIENT
network-object 10.36.x.0 255.255.0.0
network-object 10.45.x.0 255.255.224.0
access-list permit-all extended permit icmp any any
access-list permit-all extended permit ip any any
access-list permit-all extended permit udp any any
access-list permit-all extended permit tcp any any
access-list net36 extended permit ip object-group NET_CLIENT any
access-list net36 extended permit tcp object-group NET_CLIENT any
access-list net36 extended permit udp object-group NET_CLIENT any
access-list net36 extended permit icmp object-group NET_CLIENT any
I really appreciate your help and advice
Hi Jouni,
I can't do the packet-tracer as the PIX has already been bypassed by my superior.
Based on my config, how should I allow IP 10.45.x.0 to be pingable from the outside interface, e.g. my HQ? As this config was written, the log shows it has no translation group towards the dst 10.45.x.0/19:
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.24/50204 dst inside:10.45.x.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.43/65025 dst inside:10.45.x.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:113.210.x.139/34736 dst inside:10.45.x.51/443
*Based on my config, even allowing all for in and out I am still stuck with the "No translation group". Can you guide me how to use the network-object with the ACL so that outside can access the server inside, so that it will not get stuck on the NAT portion.
===============
PIX Version 7.2(1)
hostname SD
names
dns-guard
interface Ethernet0
nameif Net
security-level 0
ip address 10.39.x.x 255.255.255.128
interface Ethernet1
nameif inside
security-level 100
ip address 10.36.x.x 255.255.255.248
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone MYT 8
dns server-group DefaultDNS
domain-name
same-security-traffic permit inter-interface
access-list permit-all extended permit icmp any any
access-list permit-all extended permit ip any any
access-list permit-all extended permit udp any any
access-list permit-all extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered notifications
logging trap debugging
logging history informational
logging asdm informational
logging host inside 10.36.x.17
logging ftp-bufferwrap
mtu Net 1500
mtu inside 1500
ip verify reverse-path interface Net
ip verify reverse-path interface inside
no failover
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (Net) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
access-group permit-all in interface Net
access-group permit-all in interface inside
route Net 0.0.0.0 0.0.0.0 10.39.x.x 1
route inside 10.36.0.0 255.255.0.0 10.36.x.x 1
route inside 10.45.x.0 255.255.224.0 10.36.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.36.x.142 255.255.255.255 inside
snmp-server location level 2
snmp-server contact Network
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet 10.36.x.x 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
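As an added example (not part of the thread), the Python script below parses %PIX-3-305005 "No translation group found" syslog lines like those posted above, classifies each flow as inbound (entering the higher-security inside interface from Net, using the security levels in the posted config) and counts the untranslated destinations. With nat-control in force, a connection initiated from outside to an inside host needs a static (or nat 0) entry covering that destination, which the dynamic "nat (inside) 1" rule in the posted config does not provide; the script prints a candidate identity static for each destination it sees. SAMPLE_LOG is constructed with documentation addresses in place of the poster's masked ones, and the interface names Net/inside are taken from the posted configuration.

```python
"""Parse PIX %PIX-3-305005 'No translation group found' messages and summarise
which inside destinations are being reached without a matching NAT rule.

Added example, not part of the forum thread. SAMPLE_LOG is constructed in the
shape of the posted messages (documentation addresses replace the poster's
masked ones); the interface names Net/inside and their security levels come
from the posted configuration.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:203.0.113.24/50204 dst inside:10.45.0.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:203.0.113.43/65025 dst inside:10.45.0.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:198.51.100.139/34736 dst inside:10.45.0.51/443
Jul 02 2013 20:13:31: %PIX-3-305005: No translation group found for udp src Net:203.0.113.24/514 dst inside:10.36.0.17/514
Jul 02 2013 20:14:02: %PIX-5-111008: User 'enable_15' executed the 'write memory' command.
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
FLOW_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+)")

# Security levels from the posted config. Traffic entering a higher-security
# interface (Net -> inside) is inbound; under nat-control it needs a static or
# nat 0 entry for the destination, which a dynamic 'nat (inside) 1' rule does
# not provide.
SECURITY_LEVEL = {"Net": 0, "inside": 100}


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not a PIX message."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m["ts"], "severity": int(m["sev"]),
           "msgid": m["msgid"], "text": m["text"]}
    if rec["msgid"] == "305005":
        f = FLOW_RE.search(rec["text"])
        if f:
            rec.update(proto=f["proto"], src_if=f["sif"], src_ip=f["sip"],
                       src_port=int(f["sport"]), dst_if=f["dif"],
                       dst_ip=f["dip"], dst_port=int(f["dport"]))
            rec["inbound"] = (SECURITY_LEVEL.get(f["dif"], 0)
                              > SECURITY_LEVEL.get(f["sif"], 0))
    return rec


def parse_log(text):
    """Parse every line, dropping anything that is not a PIX syslog message."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def missing_static_summary(records):
    """Count untranslated inbound flows per (proto, dst_ip, dst_port)."""
    counts = Counter()
    for r in records:
        if r["msgid"] == "305005" and r.get("inbound"):
            counts[(r["proto"], r["dst_ip"], r["dst_port"])] += 1
    return counts


def identity_static(ip, inside_if, outside_if):
    """Identity static that lets inbound connections reach ip under nat-control."""
    return f"static ({inside_if},{outside_if}) {ip} {ip} netmask 255.255.255.255"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (proto, ip, port), n in missing_static_summary(recs).most_common():
        print(f"{n:4d} x {proto} to {ip}/{port}  -> candidate: "
              f"{identity_static(ip, 'inside', 'Net')}")
```

The identity static is printed as a candidate only: the access-group on Net still decides whether the connection is permitted, and a static for a whole subnet (with the matching netmask) is the usual choice when many hosts in 10.45.x.0/19 must be reachable rather than one server.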