RE: PIX question

IP addresses altered/censored for my own CYA ;)

207.207.77.x/24 is outside the PIX.  I want something to get into 207.207.93.x (inside) for syslog.  As you can see I tried statics, conduits, and even tried another ACL #81 (which I removed).  Nothing seemed to work.

: Saved
:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <censored> encrypted
passwd <censored> encrypted
hostname <censored>
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names

access-list 80 <censored access-list for vpn.  It was just the routes to other offices included in the vpn access list 80.  Nothing was in here for the outside 207.207.77.254/24 range.  Although I did TRY that...sigh>

pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
logging host inside <censored>
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 207.207.77.254 255.255.255.0
ip address inside 207.207.93.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 207.207.93.133-207.207.93.190
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
<censored static addresses>
static (inside,outside) 207.207.77.57 207.207.93.148 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 207.207.77.253 eq 32802 any
conduit permit tcp host 207.207.93.190 host 161.58.218.96 eq 9100
conduit permit udp host 207.207.77.57 host 207.207.77.50 eq syslog
rip outside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 <censored> 1
<routes censored but not dealing with anything other than the WAN>
route outside <censored> 255.255.0.0 <censored> 1
route outside <censored> 255.255.255.0 <censored> 1
timeout xlate 3:00:00 conn 2:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside <censored> /var/tftp/px-confg
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map insync 10 ipsec-isakmp
crypto map insync 10 match address 80
crypto map insync 10 set peer <censored>
crypto map insync 10 set transform-set strong
crypto map insync interface outside
isakmp enable outside
isakmp key <censored> address <censored> netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet <censored> inside
telnet timeout 15
terminal width 80
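An added example (mine, not from the thread) modelling how PIX 5.x matches a static plus a conduit for an outside-to-inside packet: in the conduit syntax, a port operator that follows the global host constrains the destination port, while one that follows the foreign host constrains the sender's source port. The constants reuse the static and the syslog conduit posted above; the second conduit variant and the ephemeral source port in the sample packets are assumptions, since the thread does not say which source port the sending box uses.

```python
import ipaddress
# Port names the posted config uses; PIX accepts names or numbers here.
PORT_NAMES = {"syslog": 514}

def _net(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def _port(tokens, i):
    """Parse an optional 'eq PORT' operator; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return PORT_NAMES.get(p) or int(p), i + 2
    return None, i

def parse_conduit(line):
    # conduit permit|deny PROTO GLOBAL [eq PORT] FOREIGN [eq PORT]
    t = line.split()
    gnet, i = _net(t, 3)          # global side = destination as seen from outside
    gport, i = _port(t, i)        # an operator here binds to the destination port
    fnet, i = _net(t, i)          # foreign side = the outside sender
    fport, i = _port(t, i)        # an operator here binds to the SOURCE port
    return {"action": t[1], "proto": t[2], "global": gnet, "gport": gport,
            "foreign": fnet, "fport": fport}

def parse_static(line):
    # static (inside,outside) GLOBAL LOCAL netmask MASK ... -> {global: local}
    return {line.split()[2]: line.split()[3]}

def evaluate(statics, conduits, proto, src_ip, src_port, dst_ip, dst_port):
    """Verdict for one outside->inside packet: (action, translated inside IP)."""
    inside_ip = statics.get(dst_ip)
    if inside_ip is None:
        return "no-static", None     # no translation, nothing for a conduit to reach
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for c in conduits:               # first matching conduit wins
        if (c["proto"] in (proto, "ip") and dst in c["global"] and src in c["foreign"]
                and c["gport"] in (None, dst_port) and c["fport"] in (None, src_port)):
            return c["action"], inside_ip
    return "deny", inside_ip

# Lines from the posted config, plus an assumed variant with the port on the global side.
STATICS = parse_static("static (inside,outside) 207.207.77.57 207.207.93.148 netmask 255.255.255.255 0 0")
AS_POSTED = [parse_conduit("conduit permit udp host 207.207.77.57 host 207.207.77.50 eq syslog")]
PORT_ON_GLOBAL = [parse_conduit("conduit permit udp host 207.207.77.57 eq syslog host 207.207.77.50")]
```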

  ----- Original Message -----
  From: Richie, Nathan
  To: 'Allen May' ; [EMAIL PROTECTED]
  Sent: Thursday, March 08, 2001 12:31 PM
  Subject: RE: PIX question


  If you can show the configs (minus security information) it might be easier to help you figure out the problem.  I am thinking it could be an access-list misconfiguration, or a conduit permit misconfiguration, but without the configs to look at, it is hard to advise.

  -----Original Message-----
  From: Allen May [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, March 07, 2001 10:40 AM
  To: [EMAIL PROTECTED]
  Subject: Fw: PIX question



  Crap..typo below.  Box sitting outside the pix needs to log to the syslog server inside the pix.
  ----- Original Message -----
  From: "Allen May" <[EMAIL PROTECTED]>
  To: <[EMAIL PROTECTED]>
  Sent: Wednesday, March 07, 2001 9:17 AM
  Subject: Fw: PIX question



  > OK a little more info.  We have a PIX-PIX VPN set up so encryption only
  > pertains to connections between the two office locations over a dedicated
  > connection.  In our location, there is a network outside the PIX before it
  > goes to the Router to the other location.  The box sitting on the outside of
  > the pix but inside the router is the one that needs to have a port opened to
  > a syslog server on the inside interface of the PIX.
  >
  > Tried setting a static IP so the syslog server has an IP on the outside
  > interface subnet.
  > Opened a conduit for that VIP for syslog.
  > Added to the ACL of the PIX-PIX VPN when the above 2 didn't work (& it
  > should because the VPN is only for destined traffic between the 2 sites).
  >
  > Anything else?  Ports I missed?  I believe it was 514 but the PIX translates
  > it to syslog when you open that port.
  >
  >
  > ----- Original Message -----
  > From: "Allen May" <[EMAIL PROTECTED]>
  > To: <[EMAIL PROTECTED]>
  > Sent: Tuesday, March 06, 2001 4:23 PM
  > Subject: PIX question
  >
  >
  > > I have a PIX using IPSec for a VPN tunnel between 2 networks.  On the
  > > outside interface is a box using SYSLOG trying to write to a box on the
  > > inside interface.  I made an external static IP for the internal box, added
  > > a conduit to permit udp-syslog...nothing.  Tried adding access-list # permit
  > > udp host <host-ip> host <statically assigned external ip> eq syslog.
  > >
  > > The access list is the one used in the IPSec VPN.  Any ideas why I get
  > > denied in logging?
  > >
  >
  > _________________________________
  > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
  > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
  >


