Stuck at Initial stage CISCO pix 515e

Similar Messages

• Cisco PIX-515e reset to factory defaults *Expert Advice Only Please*

  Hi,
  I have a cisco PIX-515e which i have connected to a emulator through the console port, and im having trouble erasing data from it.
  I can get into 'pixfirewall' mode and 'monitor' mode but thats as far as i get. i have tried 'write erase' and 'configure factory-default' in both modes to no success.
  When i last posted this i had alot of replies mentioning ROMMON mode but i want to stress the PIX 515e does not have ROMMON mode it has MONITOR mode however the commands are not the same as ROMMON commands.
  Any help would be much appreciated.
  thanks,

  8 MB RAM
  PCI Device Table.
  Bus Dev Func VendID DevID Class              Irq
  00  00  00   8086   7192  Host Bridge
  00  07  00   8086   7110  ISA Bridge
  00  07  01   8086   7111  IDE Controller
  00  07  02   8086   7112  Serial Bus         9
  00  07  03   8086   7113  PCI Bridge
  00  0D  00   8086   1209  Ethernet           11
  00  0E  00   8086   1209  Ethernet           10
  00  11  00   14E4   5823  Co-Processor       11
  00  13  00   8086   B154  PCI-to-PCI Bridge
  01  04  00   8086   1229  Ethernet           11
  01  05  00   8086   1229  Ethernet           10
  01  06  00   8086   1229  Ethernet           9
  01  07  00   8086   1229  Ethernet           5
  Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
  Platform PIX-515E
  System Flash=E28F128J3 @ 0xfff00000
  Use BREAK or ESC to interrupt flash boot.
  Use SPACE to begin flash boot immediately.
  Reading 123392 bytes of image from flash.
  PIX Flash Load Helper
  Initializing flashfs...
  flashfs[0]: 8 files, 3 directories
  flashfs[0]: 0 orphaned files, 0 orphaned directories
  flashfs[0]: Total bytes: 16128000
  flashfs[0]: Bytes used: 13963264
  flashfs[0]: Bytes available: 2164736
  flashfs[0]: Initialization complete.
  Booting first image in flash
  Launching image flash:/pix722.bin
  128MB RAM
  Total NICs found: 6
  mcwa i82559 Ethernet at irq 10  MAC: 0016.9da2.5907
  mcwa i82559 Ethernet at irq 11  MAC: 0016.9da2.5908
  mcwa i82559 Ethernet at irq 11  MAC: 000d.8810.d91c
  mcwa i82559 Ethernet at irq 10  MAC: 000d.8810.d91d
  mcwa i82559 Ethernet at irq  9  MAC: 000d.8810.d91e
  BIOS Flash=am29f400b @ 0xd8000  MAC: 000d.8810.d91f
  Initializing flashfs...
  flashfs[7]: 8 files, 3 directories
  flashfs[7]: 0 orphaned files, 0 orphaned directories
  flashfs[7]: Total bytes: 16128000
  flashfs[7]: Bytes used: 13963264
  flashfs[7]: Bytes available: 2164736
  flashfs[7]: flashfs fsck took 15 seconds.
  flashfs[7]: Initialization complete.
  Licensed features for this platform:
  Maximum Physical Interfaces : 6
  Maximum VLANs               : 25
  Inside Hosts                : Unlimited
  Failover                    : Active/Active
  VPN-DES                     : Enabled
  VPN-3DES-AES                : Enabled
  Cut-through Proxy           : Enabled
  Guards                      : Enabled
  URL Filtering               : Enabled
  Security Contexts           : 2
  GTP/GPRS                    : Disabled
  VPN Peers                   : Unlimited
  This platform has an Unrestricted (UR) license.
  Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
                                   |            |
                                  |||          |||
                                .|| ||.      .|| ||.
                             .:||| | |||:..:||| | |||:.
                              C i s c o  S y s t e m s
  Cisco PIX Security Appliance Software Version 7.2(2)
    ****************************** Warning *******************************
    This product contains cryptographic features and is
    subject to United States and local country laws
    governing, import, export, transfer, and use.
    Delivery of Cisco cryptographic products does not
    imply third-party authority to import, export,
    distribute, or use encryption. Importers, exporters,
    distributors and users are responsible for compliance
    with U.S. and local country laws. By using this
    product you agree to comply with applicable laws and
    regulations. If you are unable to comply with U.S.
    and local laws, return the enclosed items immediately.
    A summary of U.S. laws governing Cisco cryptographic
    products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by
    sending email to [email protected].
    ******************************* Warning *******************************
  Copyright (c) 1996-2006 by Cisco Systems, Inc.
                  Restricted Rights Legend
  Use, duplication, or disclosure by the Government is
  subject to restrictions as set forth in subparagraph
  (c) of the Commercial Computer Software - Restricted
  Rights clause at FAR sec. 52.227-19 and subparagraph
  (c) (1) (ii) of the Rights in Technical Data and Computer
  Software clause at DFARS sec. 252.227-7013.
                  Cisco Systems, Inc.
                  170 West Tasman Drive
                  San Jose, California 95134-1706
  Cryptochecksum (unchanged): 43dccc97 2fb4bfec 15a33bef dad78b7e
  Type help or '?' for a list of available commands.
  pixfirewall>
  I am unable to get onto enable mode because i do not no the password? any idea of a way round, i need to get into that enable mode.

• Cisco PIX 515E multiple ISP support in a VPN scenario

  Iam currently running a cisco 7.2 ios in a Cisco PIX 515E appliance. I have terminated two ISP links in the two ports, and I also have a inside network (LAN). I want to establish 2 Site-Site VPN tunnels using each one of these ISP links respectively (Site 1 in ISP link 1 && Site 2 in ISP link 2).
  Is this possible to achieve??

  Hello,
  This should work. Route the remote endpoint for site 1 out link 1 (using a static route) and for site 2 out link 2 (using a static route) and that should do it.
  Return traffic should work, assuming both ISPs aren't advertising the networks your interfaces are on via BGP (ie, you don't want return traffic from site one coming down the link to site 2 because that ISP is advertising that AS as well.)
  --Jason

• Cisco PIX-515e reset to factory defaults

  Hi,
  I have a cisco PIX-515e which i have connected to a emulator through the console port, and im having trouble erasing data from it.
  I can get into 'pixfirewall' mode and 'monitor' mode but thats as far as i get. i have tried 'write erase' and 'configure factory-default' in both modes to no success.
  Any help would be much appreciated.
  thanks,

  this is a little late over a year, you probably alreay figured it out. in monitor mode.
  set your interface
  monitor> int 0          (this doesnt matter much as long as the interface is valid)
  next set the ip address of our pix
  monitor> add 192.168.1.50     (this just sets the pix int 0 to this ip address)
  now set the tftp server
  monitor> server 192.168.1.79     (this is the ip address of my pc with a tftp server)
  set the gateway
  monitor> gateway 0.0.0.0      (i had much trouble with this but until i set the gateway to this it didnt work)
  now back to your pc assuming you have a tftp server installed.
  download the necessary recover tool at (subject to change probably) make sure you put it in your default directory of your tftp server.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml
  this is key probably
  if you have the wrong tool the image will download successfully to your pix but it will not do anything just stop
  after the file has been received.
  so if your unsure try all the images.
  now back to the pix
  to initiate a file download you have to declare it so
  monitor> file np62.bin
  and then to start the download
  monitor> tftp
  see below.... (entire session via console cable)
  monitor> int 0
  0: i8255X @ PCI(bus:0 dev:14 irq:10)
  1: i8255X @ PCI(bus:0 dev:13 irq:11)
  Using 0: i82557 @ PCI(bus:0 dev:14 irq:10), MAC:
  monitor> add 192.168.1.50
  address 192.168.1.50
  monitor> server 192.168.1.79
  server 192.168.1.79
  monitor> gateway 0.0.0.0
  gateway 0.0.0.0
  monitor> file np62.bin
  file np62.bin
  monitor> tftp
  tftp [email protected].....................................................
  Received 73728 bytes
  Cisco Secure PIX Firewall password tool (3.0) #0: Wed Mar 27 11:02:16 PST 2002
  System Flash=E28F128J3 @ 0xfff00000
  BIOS Flash=am29f400b @ 0xd8000
  Do you wish to erase the passwords? [yn]
  if that doesnt work im not sure just try the other images.

• Agent installation stuck on initial stage

  The agent never get installed successfully. It is on initial status forever during installation. After reboot, the agent service does not start. Anyone see this
  problem.

  On 04/05/2010 16:26, Donald Wu wrote:
  > On 12/04/2010 15:56, jblackett wrote:
  >>
  >> Can you provide any more info? What platform are you installing the
  >> agent on? We have seen a problem where the SETUP.EXE for the ZESM
  >> components of the agent hang on an XP install. We are investigating the
  >> cause. We have also seen the same on devices that have unsupported
  >> Windows 7 device drivers. If you can provide some more info I'll see
  >> what we can figure out.
  >>
  >> Jason
  >>
  >>
  > It is XP SP3, installer 3.01.4001.5512. I de-select endpoint security,
  > imaging, remote control installation on zcc agent setting, but it has
  > not effect.
  >
  > I then upgrade the installer to 4.5.6001.22159, but it does not fix it.
  >
  > The installer package is full standalone with .net.
  >
  > Donald
  More information:
  It also has Zenworks 7 agent installed. I did a further test as below
  1. upgrade installer to 4.5.6001.22159
  2. install zcm11 agent, it is on initial stage forever.
  3. re-boot the machine. zenworks agent service did not start, but
  Novell application launch service(a zenworks 7 service I think) did.
  However the Novell Application Launch service entry has been removed
  (I think it is done by zcm agent after reboot, but the service has
  already started)
  4. manual start the zcm zenworks agent service, it works fine.
  5. re-boot again, agent service start automatically.
  Does anyone know how to log the installation process?
  Donald

• How do you log incoming traffic (SMTP) on a Cisco PIX 515E?

                     Hi Everyone,
       I have a good one for you guys. I'm new to ASA's and PIX units. I've setup a few VPN's now but know next to nothing about logging on these units. I read the config guide for the PIX, but cannot figure out how to get a log of incoming SMTP traffic going on the console. Any ideas? Do I need to use a SYSLOG server? I can probably set one up on my laptop... Any replies would be appreciated. Thanks!

  Hi,
  Naturally a long term solution for gathering this information would be to send logs to a separate Syslog server.
  On the syslog server you will have better tools to go through the logs than just looking at the log buffer on the CLI of the ASA/PIX or on the ASDM real time monitor.
  The very basic "logging" configuration would be
  logging on
  logging timestamp
  logging device-id hostname
  logging trap informational (or notifications)
  logging host
  This would include only the logs for syslog server.
  There are options to tweak the log output but the above is a pretty basic setting without any extra.
  With the above configuration (logging trap informational) you would get logs of every connection formed and every connection teardown. You could then parse the logs for the log messages of SMTP (TCP/25) connections. Naturally this would also log same for translations and other information and depending on the size of the network or amount of the connections this might generate quite a lot of logs.
  You can also configure a "log" keyword on "access-list" lines that permit traffic (SMTP in this case). You can also configure a non default "level" for the messages after the "log" keyword.
  Most of our Syslog setups log with pretty basic configurations and we use the Syslog server to check for the logs we need.
  Your logging setup/configuration naturally depends on your needs. Is it something needed for long term monitoring of connections or just for some quick troubleshooting purposes. Generally I think it would be good to keep logs of most things that happen on the firewall to help with troubleshooting etc.
  - Jouni

• Webcenter Installation Stuck at Initial Stage

  Hi All,
  Good Morning..
  Here im posting an error which I got while installing Webcenter on Oracle 11gR1(11.1.1.3.0).
  Error:
  "INST-07286: Specified Oracle Middleware home location does not have version 10.3.4.0 of Weblogic Server. If the version is incorrect then congfiguring with the weblogic server wil faill."
  This error i got while installing webcenter(11.1.1.5.0) on Windows 64bit, this error coming at "Installation Location" screen level.
  Pls anybody advice me on the same what steps should I take to move forward my installation successfully as it is urgent base at my level.
  Here im putting my installtion location details for Middleware "C:\Oracle\Middleware", and for weblogic "C:\Oracle\Middleware\wlserver_10.3"
  Pls share ur suggestions at your earliest.
  Thanks in Advance all of you.
  Thanks
  Munnelli

  Hi All,
  Good Morning..
  Here im posting an error which I got while installing Webcenter on Oracle 11gR1(11.1.1.3.0).
  Error:
  "INST-07286: Specified Oracle Middleware home location does not have version 10.3.4.0 of Weblogic Server. If the version is incorrect then congfiguring with the weblogic server wil faill."
  This error i got while installing webcenter(11.1.1.5.0) on Windows 64bit, this error coming at "Installation Location" screen level.
  Pls anybody advice me on the same what steps should I take to move forward my installation successfully as it is urgent base at my level.
  Here im putting my installtion location details for Middleware "C:\Oracle\Middleware", and for weblogic "C:\Oracle\Middleware\wlserver_10.3"
  Pls share ur suggestions at your earliest.
  Thanks in Advance all of you.
  Thanks
  Munnelli

• Help needed to connect to remote PPTP VPN via PIX 515e

  Hello,
  A user in our office needs to connect to a client's remote PPTP VPN but can't connect.  The user is running Windows 7.  We have a Cisco PIX 515e firewall that is running PIX Version 6.3(3) - this is what our user is having to go through to try and make the connection to the client's remote VPN.
  The client's network guys have come back and said the issue is at our side.  They say that they can see some of our traffic but not all of it. The standard error is shown below, and they say it's symptomatic of the client-side firewall not allowing PPTP traffic:
  "A connection between the VPN server and the VPN client XXX.XXX.XXX.XXX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets."
  I have very little firewall experience and absolutely no Cisco experience I'm afraid.  From looking at the PIX config I can see the following line:
  fixup protocol pptp 1723.
  Does this mean that the PPTP protcol is enabled on our firewall?  Is this for both incoming and outgoing traffic?
  I can see no reference to GRE 47 in the PIX config.  Can anyone advise me what I should look for to see if this has been enabled or not?
  I apologise again for my lack of knowledge.  Any help or advice would be very gratefully received.
  Ros

  Hi Eugene,
  Thank you for taking the time to reply to me.  Please see our full PIX config below.  I've XX'd out names and IP addresses as I'm never comfortable posting those type of details in a public forum.  I hope that the information below is still sufficient for you.
  Thanks again for your help,
  Ros
  PIX(config)# en
  Not enough arguments.
  Usage:  enable password [] [level ] [encrypted]
          no enable password level
          show enable
  PIX(config)# show config
  : Saved
  : Written by enable_15 at 10:30:31.976 GMT/BDT Mon Apr 4 2011
  PIX Version 6.3(3)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security10
  enable password XXX encrypted
  passwd XXX encrypted
  hostname PIX
  domain-name XXX.com
  clock timezone GMT/BST 0
  clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol pptp 1723
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  name XX.XX.XX.XX Secondary
  access-list outside_access_in permit tcp XX.XX.XX.XX 255.255.255.240 host XX.XX.XX.XX eq smtp
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq https
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 993
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 587
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 82
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 8082
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.0.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl deny udp any any eq 135
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_40 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_60 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list USER1 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_10 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_20 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_30 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_50 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_70 permit ip any XX.XX.XX.XX 255.255.0.0
  access-list USER2 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list USER3 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list USER4 permit ip any XX.XX.XX.XX 255.255.0.0
  pager lines 24
  logging on
  logging host inside XX.XX.XX.XX
  icmp permit any outside
  icmp permit any inside
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  ip address outside XX.XX.XX.XX 255.255.255.248
  ip address inside XX.XX.XX.XX 255.255.255.0
  no ip address DMZ
  ip audit info action alarm
  ip audit attack action alarm
  pdm location XX.XX.XX.XX 255.255.255.255 inside
  pdm location XX.XX.XX.XX 255.255.0.0 outside
  pdm location XX.XX.XX.XX 255.255.255.0 outside
  pdm logging debugging 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
  static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
  static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
  static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
  route inside XX.XX.XX.XX 255.255.0.0 XX.XX.XX.XX 1
  timeout xlate 3:00:00
  timeout conn 2:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  ntp authenticate
  ntp server XX.XX.XX.XX source outside prefer
  http server enable
  http XX.XX.XX.XX 255.255.0.0 outside
  http XX.XX.XX.XX 255.255.255.0 outside
  http XX.XX.XX.XX 255.255.255.255 inside
  snmp-server host inside XX.XX.XX.XX
  no snmp-server location
  no snmp-server contact
  snmp-server community XXX
  snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map cola 20 set transform-set ESP-3DES-MD5
  crypto dynamic-map dod 10 set transform-set ESP-3DES-MD5
  crypto map outside_map 10 ipsec-isakmp dynamic cola
  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address outside_cryptomap_20
  crypto map outside_map 20 set peer XX.XX.XX.XX
  crypto map outside_map 20 set transform-set ESP-3DES-MD5
  crypto map outside_map 25 ipsec-isakmp
  crypto map outside_map 25 match address USER1
  crypto map outside_map 25 set peer XX.XX.XX.XX
  crypto map outside_map 25 set transform-set ESP-3DES-MD5
  crypto map outside_map 30 ipsec-isakmp
  crypto map outside_map 30 match address outside_cryptomap_30
  crypto map outside_map 30 set peer XX.XX.XX.XX
  crypto map outside_map 30 set transform-set ESP-3DES-MD5
  crypto map outside_map 40 ipsec-isakmp
  crypto map outside_map 40 match address outside_cryptomap_40
  crypto map outside_map 40 set peer XX.XX.XX.XX
  crypto map outside_map 40 set transform-set ESP-3DES-MD5
  crypto map outside_map 50 ipsec-isakmp
  crypto map outside_map 50 match address outside_cryptomap_50
  crypto map outside_map 50 set peer XX.XX.XX.XX
  crypto map outside_map 50 set transform-set ESP-3DES-MD5
  crypto map outside_map 60 ipsec-isakmp
  crypto map outside_map 60 match address outside_cryptomap_60
  crypto map outside_map 60 set peer XX.XX.XX.XX
  crypto map outside_map 60 set transform-set ESP-3DES-MD5
  crypto map outside_map 70 ipsec-isakmp
  crypto map outside_map 70 match address outside_cryptomap_70
  crypto map outside_map 70 set peer XX.XX.XX.XX
  crypto map outside_map 70 set transform-set ESP-3DES-MD5
  crypto map outside_map 75 ipsec-isakmp
  crypto map outside_map 75 match address USER4
  crypto map outside_map 75 set peer XX.XX.XX.XX
  crypto map outside_map 75 set transform-set ESP-3DES-MD5
  crypto map outside_map 80 ipsec-isakmp
  crypto map outside_map 80 match address USER2
  crypto map outside_map 80 set peer XX.XX.XX.XX
  crypto map outside_map 80 set transform-set ESP-3DES-MD5
  crypto map outside_map 90 ipsec-isakmp
  crypto map outside_map 90 match address USER3
  crypto map outside_map 90 set peer XX.XX.XX.XX
  crypto map outside_map 90 set transform-set ESP-3DES-MD5
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  telnet XX.XX.XX.XX 255.255.0.0 outside
  telnet XX.XX.XX.XX 255.255.255.255 inside
  telnet XX.XX.XX.XX 255.255.255.255 inside
  telnet XX.XX.XX.XX 255.255.255.255 inside
  telnet timeout 30
  ssh XX.XX.XX.XX 255.255.255.248 outside
  ssh XX.XX.XX.XX 255.255.255.248 outside
  ssh timeout 30
  management-access inside
  console timeout 0
  terminal width 80
  Cryptochecksum:XXX
  PIX(config)#

• Cisco 871W eZVPN is unable to connect Cisco PIX vpn server

  crypto ipsec client ezvpn TEST
  connect auto
  group Cisco key cisco123
  mode client
  peer 172.1.1.1
  xauth userid mode interfactive
  interface FastEthernet4
  ip address 10.1.1.1 255.255.255.0
  ip access-group 101 in
  ip nat outside
  crypto ipsec client ezvpn TEST
  Internet Vlan1
  ip address 192.168.1.1 255.255.255.0
  ip access-group 100 out
  ip nat inside
  crypto ipsec client ezvpn TEST inside
  ip route 0.0.0.0. 0.0.0.0 192.168.1.254
  ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
  access-list 100 permit ip any any
  access-list 101 permit ip any any
  access-list 103 permit ip 192.168.1.0 0.0.0.255 any
  route-map EzVPN1 permit 1
  match ip address 103
  These are the following commands I applied in my Router, It is able to connect but unable to access any other servers. The same user name & password I tried with the VPN dialer it works on my Laptop. Anything I am missing on the router configuration. The VPN server is Cisco PIX 515E.
  Cisco IOS on 871W is 12.3(8)Y12

  1) Isn't your default route supposed to be pointing towards the external interface?
  ip route 0.0.0.0. 0.0.0.0 192.168.1.254 ?
  2) Can you change the 'mode client' to 'mode network-extension'. Also the PIX will need 'nem enable'.
  Have a look at the following (I'm assuming you already have as your config seems to be similar):
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
  For old 6.x code on PIX, have a look at:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml
  Regards
  Farrukh

• Latest IOS for PIX 515E

  What is the latest version of IOS for Cisco PIX 515E ? I want to update. What are the best practices to safly upgrade IOS in PIX? How to take backup copy of existing configuration? I have conf saved in .txt file. Any other way ?

  please see below URL which explain IOS upgrade on PIX and how to backup configuration
  http://www.cisco.com/warp/public/110/upgrade.shtml

• Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)

  Hello,
  I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP website are up. On two of our main website, we have two contact forms that use a simple html for to call a php script that uses smtp as its mailing protocol. Since, I am not the network administrator, I don't quite understand how to  read the current configurations on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails.  What I've done to narrow the problem done is the following: I used a wamp server to test our scripts with our smtp servers settings, was able to successfully send an email out to both my gmail and work place accounts. Currently, we have backupexec loaded on both of these servers, and when I try to send out an alert I never receive it. I think because port 25 is closed on both of those servers.  I will be posting our configuration. if anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would gladly appreciate it. our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please someone help.
  Thanks,
  Jeff Mateo
  PIX Version 6.3(4)
  interface ethernet0 100full
  interface ethernet1 100full
  interface ethernet2 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security50
  enable password GFO9OSBnaXE.n8af encrypted
  passwd GFO9OSBnaXE.n8af encrypted
  hostname morrow-pix-ct
  domain-name morrowco.com
  clock timezone EST -5
  clock summer-time EDT recurring
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  no fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  name 12.42.47.27 LI-PIX
  name 172.20.0.0 CT-NET
  name 172.23.0.0 LI-NET
  name 172.22.0.0 TX-NET
  name 172.25.0.0 NY-NET
  name 192.168.10.0 CT-DMZ-NET
  name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
  name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
  name 199.191.128.105 web-dns-1
  name 12.127.16.69 web-dns-2
  name 12.3.125.178 NY-PIX
  name 64.208.123.130 TX-PIX
  name 24.38.31.80 CT-PIX
  object-group network morrow-net
  network-object 12.42.47.24 255.255.255.248
  network-object NY-PIX 255.255.255.255
  network-object 64.208.123.128 255.255.255.224
  network-object 24.38.31.64 255.255.255.224
  network-object 24.38.35.192 255.255.255.248
  object-group service morrow-mgmt tcp
  port-object eq 3389
  port-object eq telnet
  port-object eq ssh
  object-group network web-dns
  network-object web-dns-1 255.255.255.255
  network-object web-dns-2 255.255.255.255
  access-list out1 permit icmp any any echo-reply
  access-list out1 permit icmp object-group morrow-net any
  access-list out1 permit tcp any host 12.193.192.132 eq ssh
  access-list out1 permit tcp any host CT-PIX eq ssh
  access-list out1 permit tcp any host 24.38.31.72 eq smtp
  access-list out1 permit tcp any host 24.38.31.72 eq https
  access-list out1 permit tcp any host 24.38.31.72 eq www
  access-list out1 permit tcp any host 24.38.31.70 eq www
  access-list out1 permit tcp any host 24.38.31.93 eq www
  access-list out1 permit tcp any host 24.38.31.93 eq https
  access-list out1 permit tcp any host 24.38.31.93 eq smtp
  access-list out1 permit tcp any host 24.38.31.93 eq ftp
  access-list out1 permit tcp any host 24.38.31.93 eq domain
  access-list out1 permit tcp any host 24.38.31.94 eq www
  access-list out1 permit tcp any host 24.38.31.94 eq https
  access-list out1 permit tcp any host 24.38.31.71 eq www
  access-list out1 permit tcp any host 24.38.31.71 eq 8080
  access-list out1 permit tcp any host 24.38.31.71 eq 8081
  access-list out1 permit tcp any host 24.38.31.71 eq 8090
  access-list out1 permit tcp any host 24.38.31.69 eq ssh
  access-list out1 permit tcp any host 24.38.31.94 eq ftp
  access-list out1 permit tcp any host 24.38.31.92 eq 8080
  access-list out1 permit tcp any host 24.38.31.92 eq www
  access-list out1 permit tcp any host 24.38.31.92 eq 8081
  access-list out1 permit tcp any host 24.38.31.92 eq 8090
  access-list out1 permit tcp any host 24.38.31.93 eq 3389
  access-list out1 permit tcp any host 24.38.31.92 eq https
  access-list out1 permit tcp any host 24.38.31.70 eq https
  access-list out1 permit tcp any host 24.38.31.74 eq www
  access-list out1 permit tcp any host 24.38.31.74 eq https
  access-list out1 permit tcp any host 24.38.31.74 eq smtp
  access-list out1 permit tcp any host 24.38.31.75 eq https
  access-list out1 permit tcp any host 24.38.31.75 eq www
  access-list out1 permit tcp any host 24.38.31.75 eq smtp
  access-list out1 permit tcp any host 24.38.31.70 eq smtp
  access-list out1 permit tcp any host 24.38.31.94 eq smtp
  access-list dmz1 permit icmp any any echo-reply
  access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
  access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
  access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
  access-list dmz1 permit ip any any
  access-list dmz1 deny ip any any
  access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
  access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
  access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
  access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
  access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
  access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255
  .0
  access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.2
  55.255.0
  access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
  access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
  access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
  access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
  access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
  access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
  access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.
  0
  access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.25
  5.0
  access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
  access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
  access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
  access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.
  0
  access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255
  .248.0
  access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
  access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
  access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
  access-list in1 permit tcp host 172.20.1.21 any eq smtp
  access-list in1 permit tcp host 172.20.1.20 any eq smtp
  access-list in1 deny tcp any any eq smtp
  access-list in1 permit ip any any
  access-list in1 permit tcp any any eq smtp
  access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
  access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
  access-list in2 deny ip host 172.20.1.82 any
  access-list in2 deny ip host 172.20.1.83 any
  access-list in2 permit ip any any
  pager lines 43
  logging on
  logging timestamp
  logging buffered notifications
  logging trap notifications
  logging device-id hostname
  logging host inside 172.20.1.22
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  ip address outside CT-PIX 255.255.255.224
  ip address inside 172.20.8.1 255.255.255.0
  ip address DMZ 192.168.10.1 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool ctpool 192.168.220.100-192.168.220.200
  ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
  pdm history enable
  arp timeout 14400
  global (outside) 1 24.38.31.81
  nat (inside) 0 access-list nat0
  nat (inside) 1 CT-NET 255.255.0.0 2000 10
  nat (DMZ) 0 access-list nat0-dmz
  static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
  static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
  static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
  static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
  static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
  static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
  static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
  access-group out1 in interface outside
  access-group dmz1 in interface DMZ
  route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
  route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
  route inside CT-NET 255.255.248.0 172.20.8.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  aaa-server ct-rad protocol radius
  aaa-server ct-rad max-failed-attempts 2
  aaa-server ct-rad deadtime 10
  aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 173.220.252.56 255.255.255.248 outside
  http 65.51.181.80 255.255.255.248 outside
  http 208.65.108.176 255.255.255.240 outside
  http CT-NET 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community m0rroW(0
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  sysopt connection permit-pptp
  crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
  crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
  crypto dynamic-map dyn_map 20 match address vpn-dyn-match
  crypto dynamic-map dyn_map 20 set transform-set 3des-sha
  crypto map ct-crypto 10 ipsec-isakmp
  crypto map ct-crypto 10 match address vpn-ct-li-gre
  crypto map ct-crypto 10 set peer LI-PIX
  crypto map ct-crypto 10 set transform-set 3des-sha
  crypto map ct-crypto 15 ipsec-isakmp
  crypto map ct-crypto 15 match address vpn-ct-li
  crypto map ct-crypto 15 set peer LI-PIX
  crypto map ct-crypto 15 set transform-set 3des-sha
  crypto map ct-crypto 20 ipsec-isakmp
  crypto map ct-crypto 20 match address vpn-ct-ny
  crypto map ct-crypto 20 set peer NY-PIX
  crypto map ct-crypto 20 set transform-set 3des-sha
  crypto map ct-crypto 30 ipsec-isakmp
  crypto map ct-crypto 30 match address vpn-ct-tx
  crypto map ct-crypto 30 set peer TX-PIX
  crypto map ct-crypto 30 set transform-set 3des-sha
  crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
  crypto map ct-crypto client authentication ct-rad
  crypto map ct-crypto interface outside
  isakmp enable outside
  isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mo
  de
  isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-c
  onfig-mode
  isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mo
  de
  isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mo
  de
  isakmp identity address
  isakmp nat-traversal 20
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption 3des
  isakmp policy 30 hash md5
  isakmp policy 30 group 1
  isakmp policy 30 lifetime 86400
  vpngroup remotectusers address-pool ctpool
  vpngroup remotectusers dns-server 172.20.1.5
  vpngroup remotectusers wins-server 172.20.1.5
  vpngroup remotectusers default-domain morrowny.com

  Amit,
  I applaud your creativity in seeking to solve your problem, however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database, it's just too many layers, in my opinion, where things can go wrong. Two it seems to me that you are exposing data one your website (with the PHP) that you may not want expose and this is an important consideration when you are dealing with emails and privacy and so on.
  I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
  Again I applaud your creativity but truly this seems like a hack because of the complexity and security concerns you are introducing and I think is a path to the land of trouble. Hopefully you will be able to get a remote account set up.

• PIX-515E - Reason 412: the remote peer is no longer responding...

  Hi,
  I am unable to VPN to my network from outside using cisco VPN client to PIX-515E.
  When I try it say:
  Reason 412: the remote peer is no longer responding...
  From inside everything work ok, I can connect... (same computer, same settings...)
  Maybe the problem is not in PIX??
  Few days ago I upgrade FWSM from 3.1.x to
  FWSM Firewall Version 4.1(9)
  Device Manager Version 6.2(2)F
  Can this upgrade cause problem???
  I compare running conf: and I notice this new commands:
  service reset no-connection
  no service reset connection marked-for-deletion
  I try with opposite:
  no service reset no-connection
  service reset connection marked-for-deletion
  but still I cannot VPN....
  Any advice?
  THX,
  Ivan

  Problem solved...
  as usual I cause the problem instead of 8 i wrote 3... i was checking that IP address several time but didn't see
  now when I was preparing to put running config online and replacing ip address ... something jump into my eye....
  So thnx Jennifer :-)

• Oracle 8i through CISCO PIX Firewall

  HI all,
  I Need some help here with CISCO PIX Firewall 506e series. The ORACLE Server 8i on Windows NT.4, placed at the inside interface of PIX Firewall.
  The Firewall has been configured to allow all the port to come from outside interface (this is where the Oracle client reside). When the client from outside try the oracle client application (where the login promt for username and password) when pressed enter the error msg
  =============================
  oracle error con 440
  unable to make connection oracle - 12514 tns.couldn't resolve service name
  the menu was not connectable with oracle. a menu is ended
  ==============================
  Many thanks for PIX and Oracle config.
  HATO

  Varun,
  Thank you for your help.
  I have one quick question, this pix is not in failover, it is standalone but it has Unrestricted license. It only has 64Mb of Ram. Will I have any problems based on your link recommendation?
  Memory Requirements:
  If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(2). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses
  What is the difference between the restricted Licenses and the Unrestricted Licenses?
  Thanks!

• Cisco PIX Device Manager Version 3.0(2)

  Hi
  I have a PIX 515E:
  Cisco PIX Firewall Version 6.3(4)
  Cisco PIX Device Manager Version 3.0(2)
  Compiled on Fri 02-Jul-04 00:07 by morlee
  CCP-Firewall001 up 2 years 65 days
  Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
  Flash E28F128J3 @ 0x300, 16MB
  BIOS Flash AM29F400B @ 0xfffd8000, 32KB
  0: ethernet0: address is 0012.80be.450d, irq 10
  1: ethernet1: address is 0012.80be.450e, irq 11
  Licensed Features:
  Failover: Disabled
  VPN-DES: Enabled
  VPN-3DES-AES: Disabled
  Maximum Physical Interfaces: 3
  Maximum Interfaces: 5
  Cut-through Proxy: Enabled
  Guards: Enabled
  URL-filtering: Enabled
  Inside Hosts: Unlimited
  <--- More ---> Throughput: Unlimited
  IKE peers: Unlimited
  This PIX has a Restricted (R) license.
  Serial Number: 808480455 (0x30306ec7)
  Running Activation Key: 0xac646fed 0xf8b86795 0xc3951ec2 0xb32aed09
  It's operate with Java plug in 1.4.1 y I have a PC with IE 7 and Plug in 1.6.0 y doesn't download the PDM.
  Are there a solution for it?

  Try Disable Java on Internet Options. This issue oculd be releated to Java version also.

• Pix 515e vpn setup

  I currently have a pix 515e setup as a firewall and vpn terminator. We will be moving our network to a new isp that will provide the firewall service, but i need to keep the pix for the vpn functionality. The pix currently has a public IP for the vpn but the new ISP want to do nat for the pix, so I have to give it a private ip. here is what the ISP sent me.
  >Essentially - Customer needs
  >1. Internal Server IP address that >will arrive from customer to the f/w.
  >
  >2. The public address NAT that will >represent the customer internal server.
  >
  >3. The proper ports open to support >this request. UDP ? 10000 or 4500 ? >and 500.
  I'm new to VPN I would like some direction on where to find some documents on how to setup the cisco behind another router and without a public ip. Also can the pix have both interfaces on the same subnet?
  Thank you
  rene

  Rene -
  You can't have both the interfaces on the same subnet.
  3. Ports needed for VPN to work.
  UDP - 500 ==> which is ISAKMP
  UDP - 4500 ==> NAT-T
  UDP - 10000 ===> IPSec over UDP
  ESP protocol ==> which is protocol number 50.
  1 & 2. Your external (outside) IP address of the PIX.
  Does this answer your question.