Q about DNS with PIX 501 as PPPoE client

Hi!
I've got PIX 501 (PixOS 6.3.5) acting as PPPoE client. Outside interface gets IP and DNS addresses from access concentrator.
There is an example in config guide how to set DNS address (got from concentrator) for DHCH daemon in PIX, so clients in LAN can get that DNS address so.
But I don't use DHCP in LAN. Is there a way to set PIX inside address as DNS on LAN clients and make PIX somehow redirect DNS request to PPPoE DNS server by itself? (same as on simplest linux-build SOHO box by Linksys etc)
Thanks!

In this example, the intent is for the machines in the 10.10.10.0 /24 network to access this web server in the DMZ by its external You do not want the PIX to do DNS Doctoring of the DNS replies. Instead, you want the PIX to dnat the external (global) IP address of the web server to its "real" DMZ address (192.168.100.10).
Use the alias command to perform dnat:
alias(inside) 10.99.99.99 192.168.100.10 255.255.255.224

Similar Messages

  • DMZ zone with PIX 501

    - How do I setup a DMZ zone with PIX 501 firewall? Do I need to use an additional router? I have CISCO 1605 at my disposal.
    - If I can't do that, what would be an alterantive way to set an FTP server similarly to the DMZ way.
    (We're using IPsec/GRE VPN between our 3 sites. we're on W2K network).
    thanks,
    oleg

    When talking about setting up a DMZ, a PIX model with atleast three interfces is required. On a PIX 501, only two interfaces are available, an outside interface (ethernet) and an inside interface (availabe as a 4 port switch). For stting up a DMZ, you will need an additional interface and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy and you are unlikely to find a satisfactory level of support for it for the simple reason that not many neworks are deployed that way.

  • Manual key negotiation with pix 501

    how to use manual key negotiation with pix 501 6.3 to solve VPN tunnel negotiation problem

    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html#wp1045493
    "Manual configuration of SAs is not supported on the PIX 501 because of the restriction in the number of ISAKMP peers allowed on that platform."
    However I'm sure a proper solution can be found to your original problem (establishing VPN with huawei)
    Please rate helpful posts.
    Regards
    Farrukh

  • Trouble with PIX 501 user limit?

    I have installed a Cisco PIX 501 at a client's site, and now a couple of weeks later we are having an issue where some computers cannot access the Internet. The PCs can ping the internal interface of the firewall, and can resolve hostnames. But about three of them cannot ping public IP addresses. I thought the arp cache might be corrupted on the switch, so we restarted that to no good effect.
    I suspect that the client has somehow run up against the 10-user limit for their PIX 501 license.
    The site has eight PCs and a server, so it doesn't seem like they should be going over the 10-user limit.
    I'm not much of an expert when it comes to the PIX, so I wonder if someone can tell me how to determine whether this is the case, and maybe give me some tips on how to resolve the issue?
    Thanks very much for any advice you can offer.
    Best regards,
    Zac

    Any chance you can help me make sense of this? Does it really look like we have exceeded the number of allowed connections by over 3400?
    pixfirewall# show local-host
    Interface inside: 10 active, 10 maximum active, 3493 denied
    local host: <192.168.1.2>,
    TCP connection count/limit = 12/unlimited
    TCP embryonic count = 2
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
    AAA:
    Xlate(s):
    PAT Global 67.115.121.230(38600) Local 192.168.1.2(3553)
    PAT Global 67.115.121.230(51033) Local 192.168.1.2(3215)
    PAT Global 67.115.121.230(51037) Local 192.168.1.2(3230)
    PAT Global 67.115.121.230(51050) Local 192.168.1.2(3271)
    PAT Global 67.115.121.230(55215) Local 192.168.1.2(4084)
    PAT Global 67.115.121.230(55228) Local 192.168.1.2(4136)
    PAT Global 67.115.121.230(55231) Local 192.168.1.2(4139)
    etc, etc.

  • Span port with Pix 501?

    I want to use an open source IDS for my small network. I have a Pix 501 and I would like to span one of the ports from the integrated four port switch so my IDS can see all the traffic. Is this possible or is the integrated switch too basic? I have a Cisco 3550 in storage that I could use if needed, but I really don?t have a good place to put it. Thanks in advance!

    Hi .. yes infact the swith on the 501 is basically for extending your port density limits.
    I suggest you connecting the desired port to a hub and then plug the IDS to the hub. The IDS will then get all the packets ..
    I hope it helps ... please rate it if it does !!!

  • PIX 501 keeps rebooting

    Hi,
    We have four remote sites with PIX 501's.
    They are approximately two years old, but we are unaware of how long this issue has persisted.
    We have found all of them incredibly sensitive to movement. If you stamp on the floor near one of them, it will reboot.
    If you keep a console cable connected, you can see it just looks like a power cycle, as though there was a short or a small power outage.
    What gets me is, it seems to affect all of them.
    We are finding this difficult to deal with because it brings the VPNs we run offline, and they often take some time to reconnect.

    Hi,
    We have taken the devices out of their homes and tested in our office, so it's not a power outlet issue.
    We have swapped power supplies, but as all four have the issue, it's hard to rule out the supplies.
    Insultating material would only be a temporary fix, as they are SO sensitive, I doubt we could really protect them. Is this common?

  • Problem with VPN by ASA 5505 and PIX 501

    Hi
    I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
    I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
    When i configure the ASA i have this problem, when i configure nat for easy vpn.
    This is my nat configuration:
    nat (inside) 0 access-list 100
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 0.0.0.0 0.0.0.0 outside
    when i put this command:
    nat (inside) 0 access-list no-nat
    this command is necessary for configuration of easy vpn, but the previous nat:
    nat (inside) 0 access-list 100
    is replace with the latest command.

    To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
    For regular dynamic NAT:
    nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    For policy dynamic NAT and NAT exemption:
    nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
    no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]

  • Cisco Pix 501 / DNS - DNS resolution stops working over time

    Hello,
    I currently have a Cisco Pix 501 with the configuration listed below. It  connects to the public internet via a cable modem and acts as a DCHP  server for the local LAN.
    When it first turns on, all computers obtain the correct IP settings and  can access the internet. Within 10-15 minutes, computers begin to loose  access to the Internet. What’s strange is that each computer that lost  Internet access can ping the remote address but cannot perform an  nslookup. (it shows as Server UnKnown)
    The DNS server is 167.206.254.2 which is the external dns server  provided by my ISP. I can ping this address but the local computer is  unable to use it for domain to ip resolution.
    Then network used to have an existing Windows Small Business Server that  was a DNS and WINS Server. I ran dcpromo to remove the role of the  server and uninstalled dns via add/remove components.
    Can someone please help me determine why the computers over time loose  the ability to resolve domain names and therefore loose internet access?  Can there be some bad DNS entries created? Is there anything I can run  on the local computers to further troubleshoot dns errors? Is it  possible that the existing Windows SBS server is still running DNS and  therefore causing conficts in some way?
    One thing to note is that when I reset the Pix 501, everything begins to  work again but only for a short time until one by one each computer can  no longer resolve domain names. Also, I noticed that once someone  connects via VPN and disconnects, one of the local computers looses the  ability to resolve DNS.
    Cisco Pix Config
    PIX# show config
    : Saved
    : Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password chiuzjKkSD33lwEw encrypted
    passwd chiuzjKkSD33lwEw encrypted
    hostname PIX
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names        
    access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
    access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
    access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
    access-list ping_acl permit icmp any any
    pager lines 24
    logging timestamp
    logging monitor debugging
    logging buffered debugging
    logging history debugging
    logging queue 0
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    icmp permit any echo outside
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 192.168.3.0 255.255.255.0 inside
    pdm logging informational 512
    no pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 192.168.2.0 255.255.255.0 0 0
    access-group ping_acl in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server ACS protocol tacacs+
    aaa-server ACS max-failed-attempts 3
    aaa-server ACS deadtime 10
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.3.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
    crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
    crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
    crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
    crypto map MYMAP client authentication LOCAL
    crypto map MYMAP interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash md5
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    vpngroup VPNGRP idle-time 1800
    vpngroup VPNGROUP address-pool VPN
    vpngroup VPNGROUP dns-server 167.206.254.2
    vpngroup VPNGROUP wins-server 192.168.2.50
    vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
    vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
    vpngroup VPNGROUP idle-time 1800
    vpngroup VPNGROUP password ********
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.3.0 255.255.255.0 inside
    telnet timeout 30
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 192.168.3.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd address 192.168.2.2-192.168.2.33 inside
    dhcpd dns 167.206.254.2 167.206.254.2
    dhcpd lease 7200
    dhcpd ping_timeout 750
    dhcpd enable inside
    username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
    username andrew password A340D92MQ0zV0hGs encrypted privilege 15
    terminal width 80
    Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbec

    Wow...i didn't realize this was possible. I will certainly check the logs tomorrow via the existing thread but just to confirm, is this only true if DHCP is enabled on PIX?
    In other words, I managed to work around this issue by applying static IP's to all computers and the internet works just fine.

  • PIX 501 PPPoE problems.

    I have a Zoom adsl modem setup to accept PPPoE connections. We have verified this with two other, non-cisco devices, and it works.
    I have configured the outside interface to connect via PPPoE to the router from within the PDM.
    I have set this up with the known correct username and password, and with PAP authentication.
    I have captured a debug with the following commands "debug pppoe packet", "debug pppoe error" and "debug pppoe event" and have attached it as file pppoedebug.txt.
    "show ip address outside pppoe" gives:
    PPPoE session has not been established yet.
    I have also attached a running config of the PIX.
    If anyone could take a quick look and see if my PIX config appears fine i'd much appreciate it.
    I am very new to working with PIX, i'm used to working with IOS.
    Thanks for your help.
    David

    I've upgraded to version 6.3(5) as opposed to 6.3(3) but i still get the same error. You say there might be a bug in 6.3 so me going to 6.3(5) wouldnt have made a difference anyways?
    Due to the PIX 501 having Total Memory (16mb) and flash (8mb) I cant upgrade to 7.x. And i really wouldnt want to downgrade to 6.2, but i guess that's worth a try, to see if it really is an firmware fault.
    Is there anything else you fine people could suggest?
    Thanks for your help.
    David.

  • Pix 501 Port Redirection with outside Dyn IP for DVR

    Hi,
    I have a pix 501 6.3 version soft. I need to access my cameras from the net. the camera address is 192.168.1.60:1042
    my ISP outside  is dynamic.
    The following is my config, please let me know what is wrong with it.
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password bJT00RrZ7Q9S5J1B
    encrypted
    passwd bJT00RrZ7Q9S5J1B encrypted
    hostname Haiyai
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside permit tcp any
    interface outside eq 1042
    access-list outside deny ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1
    255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface
    1042 192.168.1.60 1042 netmask 255.255.255.255 0 0
    access-group outside in interface
    outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed
    0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip
    0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00
    sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts
    3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33
    inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:57847b305111572396f1ae0410e54f7e
    : end         
    Thanks
    Morgan

    Morgan,
    Your config is perfectly fin. You have your PAT static and opened the ACL for that port
    access-list outside permit tcp any interface outside eq 1042access-lis outside deny ip any anystatic (inside,outside) tcp interface 1042 192.168.1.60 1042 netmask 255.255.255.255 0 0access-group outside in interface outside
    The issue is somewhere else. When you try to connect check the conn through the PIX "sh conn | i 192.168.1.60", and you should see the conn.Check if the camera needs more ports to open and what the PIX logs show.
    I hope it helps.
    PK

  • Amazon S3 Backup with Cisco PIX 501 Router - slowww

    We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office.  We are using a Synology NAS to backup to Amazon s3, and we use a Cisco PIX 501 to secure our network.  The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue.  After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down.  I was told the upload should happen over HTTP and HTTPS, and I made sure these ports where open through the Access Rules.  There are no rules defined in the Filter Settings.
    I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening?   I'm not too familiar with the PIX or all the network settings involved.
    Thanks!

    Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here:
    - Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
      This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
    THANKS

  • Cisco Pix 501 - Need help with VPN passthrough

    Greetings!
    Currently I have a Cisco Pix 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco Pix; I have been able to accomplish some port forwarding for CCTV camera software, etc. but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
    Previously we had another facility which was able to connect through VPN but it has since been removed (and always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
    I have been through several articles both here and other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall then necessary and may have duplicate information attempted to complete this passthrough. My Server 2008 resides at 192.168.1.15, below is what I have thus far. The "crypto map" sections were all completed long before I took over, I believe this is how the old VPN was set up. What I have added since beginning this endevour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
    I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated as I am rapidly losing hair attempting to get this situated.
    : Saved
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password RysZD25GpRAOMhF. encrypted
    passwd 0I6TSwviLDtVwaTr encrypted
    hostname Lorway-PIX
    domain-name lorwayco.com
    fixup protocol ftp 21
    fixup protocol ftp 22
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any any eq 50000
    access-list outside_access_in permit udp any any eq 50000
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
    access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
    access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
    access-list outside_access_in permit tcp any any eq pop3
    access-list outside_access_in permit tcp any any eq https
    access-list outside_access_in permit tcp any any eq ftp
    access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
    access-list outside_access_in permit tcp any any eq ftp-data
    access-list outside_access_in permit tcp any any eq 1009
    access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
    access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
    access-list outside_access_in permit tcp any any eq 7000
    access-list outside_access_in permit tcp any any eq pptp
    access-list outside_access_in permit gre any any
    access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 74.221.188.249 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 80
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    snmp-server host inside 192.168.1.118
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
    crypto map lorwayvpn 30 ipsec-isakmp
    crypto map lorwayvpn 30 match address 30
    crypto map lorwayvpn 30 set peer 66.18.55.250
    crypto map lorwayvpn 30 set transform-set lorway1
    crypto map lorwayvpn interface outside
    isakmp enable outside
    isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
    isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
    : end

    Config looks good to me.
    I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center as this PIX is on its EOL and you are running an extremely old version of code.
    If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN?

  • PIX 501 passthrough with to a Win VPN Server

                       Can this piece of %^$ pix 501 allow port 1723 to be open so users can connect to a Windows VPN server configured by PDM?
    pix  6.3(5)
    Outside staic IP - whatever 111.111.111.111
    Inside 192.168.1.1
    Win VPN server 192.168.1.10
    Thanks to anybody that can help.
    Note - I wnat to know if thi can be accomplished using PDM 3.0.4
    This pix has to have a use other than a glorified 4 port switch

    Yes you can enable PIX501 with version 6.3.5 for PPTP pass through.
    Command line:
    static (inside,outside) tcp interface 1723 192.168.1.10 1723 netmask 255.255.255.255
    fixup protocol pptp 1723
    access-list permit tcp any host 111.111.111.111 eq 1723
    If you don't already have an access-list applied to outside interface, then you also need the following:
    access-group in interface outside
    Then "clear xlate" after the above configuration. I also assume that you would like to use the outside interface ip address of the PIX for the translation. Otherwise, if 111.111.111.111 is actually a spare public ip address, then the above static command should say:
    static (inside,outside) 111.111.111.111 192.168.1.10 netmask 255.255.255.255
    Yes, it can be accomplished using PDM. But i have to apologize that i don't have a handy access to a PDM hence, i can only advise you on the configuration using CLI.
    Hope that helps a little.

  • PIX 501 PDM with IE7

    Since updating to Internet Explorer version 7 I am no longer able to access the PIX 501 using the PDM software.
    Can anyone help with this situation.
    Mike

    Disable the IE popup blocker to see if it works.Disable the popup blocker of yahoo toolbar.Even if this doesnt work download JRE from the following link http://java.sun.com/products/archive/j2se/1.4.2_03/index.html.

  • Help with opening port 10000 on a pix 501

    I am attempting to open port 10000 so that I can remotely VPN using tcp port 10000. This is a pix 501 running version 6.3.5.
    What commands do I need to enter for this to happen?

    Remote vpn access can be configured on a pix 501 by using the configuration guide present in the links given below:
    Site-to-Site VPN Configuration Examples is present in the url below:
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
    Managing VPN Remote Access giude is present in the following url:
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html

Maybe you are looking for