RE: PIXL: no client connectivity [7:28685]

2001-12-10 Thread Gibb, Jake

Isn't there an implicit deny at the end of your access list?

access-list acl_ping permit icmp any any

You should add the following to permit HTTP traffic at least. You will
probably need DNS resolution as well.

access-list acl_ping permit tcp any any eq www

-Original Message-
From: Pierre-Alex J. Guanel [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 10, 2001 2:23 PM
To: [EMAIL PROTECTED]
Subject: PIXL: no client connectivity [7:28685]


From a client (inside) I can ping the inside interface of the PIX.

From a client (outside) I can ping the outside interface of the PIX.

However no (inside) client manages to ping or do any sort of traffic
with hosts outside the PIX.

I have the feeling that I have a Global or PAT issue.

Do you spot where my problem is?

Thank you!!!

BTECHPIX# sh config
: Saved
:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname BTECHPIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_ping permit icmp any any
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.152.115.123 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 209.152.115.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.152.115.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28739&t=28685
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
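An added check (my own Python, not code from the list or from Cisco) that walks the access-list, nat and global lines of a PIX 5.x/6.x config like the one posted above: it rejects an access-list entry whose port sits in the wrong position, notes that an access-list with no access-group binding filters nothing, and confirms that each nat id has a matching global id. The sample lines are a constructed copy of the thread's values with one deliberately malformed HTTP rule beside the accepted form.

```python
import re

# Constructed sample (editor's example, not code from the list): the access-list,
# nat and global lines of the posted config, plus an HTTP rule written with the
# port before the addresses (rejected) and in the form the PIX accepts.
SAMPLE_CONFIG = """\
access-list acl_ping permit icmp any any
access-list acl_ping permit tcp 80 any any
access-list acl_web permit tcp any any eq www
global (outside) 1 209.152.115.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
def take_endpoint(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens and tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) > 1 and tokens[0] == "host" and IPV4.match(tokens[1]):
        return "host " + tokens[1], tokens[2:]
    if len(tokens) > 1 and IPV4.match(tokens[0]) and IPV4.match(tokens[1]):
        return tokens[0] + " " + tokens[1], tokens[2:]
    return None, tokens

def acl_error(line):
    """Message if an access-list line is not in PIX 5.x/6.x form, else None."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return "malformed access-list line"
    src, rest = take_endpoint(t[4:])
    if src is None:
        return "expected source (any | host A.B.C.D | A.B.C.D MASK) after the protocol"
    dst, rest = take_endpoint(rest)
    if dst is None:
        return "expected destination after the source"
    if rest and (len(rest) != 2 or rest[0] not in ("eq", "lt", "gt", "neq")):
        return "a port goes after the destination as 'eq <port>' (e.g. 'eq www')"
    return None
def lint(config):
    """Findings: bad ACL syntax, ACLs never bound with access-group, nat ids without a global."""
    findings, acls, groups, ids = [], set(), set(), {"nat": set(), "global": set()}
    for line in config.splitlines():
        t = line.split()
        if t and t[0] == "access-list":
            acls.add(t[1])
            err = acl_error(line)
            if err:
                findings.append("%s: %s" % (line, err))
        elif t and t[0] == "access-group":
            groups.add(t[1])          # access-group <acl> in interface <if>
        elif t and t[0] in ids and len(t) > 2:
            ids[t[0]].add(t[2])       # nat (inside) <id> ... / global (outside) <id> ...
    for name in sorted(acls - groups):
        findings.append("access-list %s is never applied with access-group, so it filters nothing" % name)
    for nid in sorted(ids["nat"] - ids["global"]):
        findings.append("nat id %s has no matching global, so inside hosts get no translation" % nid)
    return findings
```

On the posted config the unbound access-list is the only thing the check flags, which is consistent with the inside-to-outside path being governed by nat/global rather than by acl_ping.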



Searched the archives but didn't find this scenario.. [7:28114]

2001-12-04 Thread Gibb, Jake

We have two remote offices that use AppleTalk over a Frame-Relay line
currently. I will be installing Pt-2-Pt lines in each office giving them
each local ISP access to the Internet. I would like to use a Cisco PIX
in each office to establish an IPSEC tunnel between the two. The
clincher is how to get AppleTalk across that tunnel? Would tunneling
AppleTalk at a separate router behind the PIX and then shoving IP over
the IPSEC be the answer? So for each office I would need two routers and
one PIX? Thoughts?

-Jake




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28114&t=28114



RE: VPN client, PIX, internet access [7:27870]

2001-11-30 Thread Gibb, Jake

Without split tunneling they will send all traffic back to your local
network. It is up to you to set up DNS settings to be pushed to the
client that they will use for resolution. These can be internal DNS
servers set to forward unknown requests or external DNS servers. We use
split tunneling to take advantage of the client's local ISP connection
for unknown IP requests that are not in our split tunneling list.

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 30, 2001 1:56 PM
To: Gibb, Jake; [EMAIL PROTECTED]
Subject: RE: VPN client, PIX, internet access [7:27870]


I know, but how do you make it so that the client using the VPN client
can access the internet with Netscape or whatever without doing a split
tunnel.

At 01:48 PM 11/30/2001 -0600, Gibb, Jake wrote:
>Don't enable split tunneling on the concentrator for that group when
>using the Cisco VPN client or simply route all traffic through the VPN
>tunnel.
>
>-Jake
>
>-Original Message-
>From: John Chang [mailto:[EMAIL PROTECTED]]
>Sent: Friday, November 30, 2001 1:29 PM
>To: [EMAIL PROTECTED]
>Subject: VPN client, PIX, internet access [7:27870]
>
>
>Is there a way to configure a Cisco PIX so that a user with a VPN
>client connects to the internal network and can also connect to the
>internet without doing a split tunnel on a Windows 2000 Professional?
>This would in essence make the remote workstation part of the internal
>network.  Thank you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27875&t=27870



RE: VPN client, PIX, internet access [7:27870]

2001-11-30 Thread Gibb, Jake

Don't enable split tunneling on the concentrator for that group when
using the Cisco VPN client or simply route all traffic through the VPN
tunnel.

-Jake

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 30, 2001 1:29 PM
To: [EMAIL PROTECTED]
Subject: VPN client, PIX, internet access [7:27870]


Is there a way to configure a Cisco PIX so that a user with a VPN client
connects to the internal network and can also connect to the internet
without doing a split tunnel on a Windows 2000 Professional?  This would
in essence make the remote workstation part of the internal network.  Thank
you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27872&t=27870



RE: VPN back door [7:27736]

2001-11-29 Thread Gibb, Jake

The new version 3.5 of Cisco VPN Client allows local LAN browsing access
with split tunneling. I know there is a big debate over sending all of
your traffic over the VPN just to get to a website that's up the street.
We have multiple PIX firewalls in failover configuration at our head
office and that is certainly more secure, esp. if the client does not
have any firewall protection whatsoever. The new client 3.5 and
concentrator IOS 3.4 are supposed to add the firewall option/mandatory to
the client. I'll be testing it this month.

-Jake

-Original Message-
From: Nat Heidler [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 29, 2001 3:46 PM
To: '[EMAIL PROTECTED]'
Cc: Gibb, Jake
Subject: RE: VPN back door


I recently installed a VPN at work (city government). You would be much
better off disabling split-tunneling at the concentrator level rather
than trying to push it out to each client. That will stop your back
doors. And yes, it even cuts out all connections on a local network. I
have 4 machines in a workgroup at home, with a shared music drive. When
I VPN into work, that share is no longer available to other clients.

Nat
Somewhere in Kansas, USA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27736&t=27736



RE: VPN is a Backdoor !!! [7:27725]

2001-11-29 Thread Gibb, Jake

VPN could be considered a backdoor. If Joe User has a broadband
connection at home with no firewall or local client firewall installed,
then when he/she connects to your VPN that is essentially a conduit for
attackers to potentially compromise. This is an issue that I am dealing
with now. Cisco's VPN client and Concentrator have a new feature that will
push a policy on the client requiring they have a firewall installed
like BlackIce etc.. If they don't it will enforce its own basic
firewall on the client while connected. I am working on the scripted
install for my company now.

-Jake

-Original Message-
From: SentinuS [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 29, 2001 2:37 PM
To: [EMAIL PROTECTED]
Subject: VPN is a Backdoor !!! [7:27725]


Hi Guys;

I wonder whether VPN is a backdoor? I really need answers. Please do it.

thanks

SentinuS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27729&t=27725



RE: PIX 6.1(1) SSH to outside [7:26502]

2001-11-16 Thread Gibb, Jake

You can also do "ca zeroize rsa" to clear the key then do "ca gen rsa
key 512" to generate a new one. Just make sure the source IP you're
connecting from is correct. Try turning on debug like "debug crypto
ipsec|isakmp|ca" to determine what is being rejected.

-Jake

-Original Message-
From: Hansraj Patil [mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 16, 2001 1:24 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX 6.1(1) SSH to outside [7:26502]


Maybe the PIX might have lost the RSA key. Regenerate the RSA key, do
write mem & see if it works.

I have seen the problem where the PIX used to lose the RSA key every time I
rebooted the PIX.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Russell Lusignan
Sent: Friday, November 16, 2001 10:28 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX 6.1(1) SSH to outside [7:26502]


0.0.0.0 0.0.0.0 specifies all ... but I have done x.x.x.x
255.255.255.255 outside and it still doesn't work.


"Hansraj Patil" wrote in message news:[EMAIL PROTECTED]...
> Don't you have to specify the client IP address in the ssh command...?
>
> ssh (IP address & netmask) outside
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Russell Lusignan
> Sent: Friday, November 16, 2001 9:46 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX 6.1(1) SSH to outside [7:26502]
>
>
> Yup, hostname and domain are configured, and show ca mypubkey shows
> the key, sorry, should have included that in the original post.  Let
> me know if you have any other ideas :)
>
> -Russ
>
>
> "Patrick Bass" wrote in message news:[EMAIL PROTECTED]...
> > did you configure a hostname and a domain-name?
> > do a "show ca mypubkey rsa" from config mode to verify you have a 
> > key also reissue "ssh 0 0 outside"
> >
> > if it doesn't work, pls post config
> >
> > "Russell Lusignan" wrote in message news:[EMAIL PROTECTED]...
> > > Hey group,
> > >
> > > I have a PIX 525 in failover that I am trying to get SSH enabled
> > > on. I have done:
> > >
> > > password
> > > ca generate rsa key 1024
> > > ssh  outside
> > > ca save all
> > >
> > > SSH doesn't respond in any way to my client (tried several). Debug
> > > SSH shows nothing, and Debug IP packet shows my client IP trying to
> > > establish a session on port 22 with the PIX, yet the PIX doesn't
> > > respond. The 525s are working correctly (passing traffic etc.. )
> > >
> > > Another set of 525's SSH config works fine, can't think of what I am
> > > missing here.
> > >
> > > Anyone have any ideas?
> > >
> > > -Russ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26527&t=26502



RE: PIX 6.1(1) SSH to outside [7:26502]

2001-11-16 Thread Gibb, Jake

For example

ssh 1.1.1.1 255.255.255.255 outside

That should do it. 

-Jake

-Original Message-
From: Hansraj Patil [mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 16, 2001 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX 6.1(1) SSH to outside [7:26502]


Don't you have to specify the client IP address in the ssh command...?

ssh (IP address & netmask) outside

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Russell Lusignan
Sent: Friday, November 16, 2001 9:46 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX 6.1(1) SSH to outside [7:26502]


Yup, hostname and domain are configured, and show ca mypubkey shows the
key, sorry, should have included that in the original post.  Let me know
if you have any other ideas :)

-Russ


"Patrick Bass" wrote in message news:[EMAIL PROTECTED]...
> did you configure a hostname and a domain-name?
> do a "show ca mypubkey rsa" from config mode to verify you have a key 
> also reissue "ssh 0 0 outside"
>
> if it doesn't work, pls post config
>
> "Russell Lusignan" wrote in message news:[EMAIL PROTECTED]...
> > Hey group,
> >
> > I have a PIX 525 in failover that I am trying to get SSH enabled on.
> > I have done:
> >
> > password
> > ca generate rsa key 1024
> > ssh  outside
> > ca save all
> >
> > SSH doesn't respond in any way to my client (tried several). Debug
> > SSH shows nothing, and Debug IP packet shows my client IP trying to
> > establish a session on port 22 with the PIX, yet the PIX doesn't
> > respond. The 525s are working correctly (passing traffic etc.. )
> >
> > Another set of 525's SSH config works fine, can't think of what I am
> > missing here.
> >
> > Anyone have any ideas?
> >
> > -Russ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26515&t=26502
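An added check (my own Python, not code from the list or from Cisco) for the SSH prerequisites this thread walks through: a hostname and domain-name, which the PIX needs before "ca generate rsa key" will produce a key pair, and at least one complete "ssh <host> <mask> <interface>" line naming who may connect (PIX accepts "0 0" as shorthand for 0.0.0.0 0.0.0.0, as in "ssh 0 0 outside"). The two sample configs are constructed from the commands posted in the thread; the domain name is a placeholder.

```python
import re

# PIX accepts a bare "0" as shorthand for 0.0.0.0 in address and mask positions.
IPV4 = re.compile(r"^(0|\d{1,3}(\.\d{1,3}){3})$")

# Constructed samples (editor's example, not from the list): the original poster's
# commands with the ssh line missing its host and mask, and a corrected set.
BROKEN = """\
hostname BTECHPIX
ca generate rsa key 1024
ssh outside
ca save all
"""
FIXED = """\
hostname BTECHPIX
domain-name example.com
ssh 1.1.1.1 255.255.255.255 outside
ssh timeout 5
"""

def ssh_prereqs(config, interfaces=("inside", "outside")):
    """Return what is still missing before the PIX will answer an SSH client.

    Checks the items raised in the thread: hostname and domain-name (the RSA
    key pair is generated under hostname.domain-name, so without both there is
    no key to offer), and a well-formed 'ssh <host> <mask> <interface>' line."""
    have = {"hostname": False, "domain-name": False}
    ssh_ok, problems = False, []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in have and len(t) > 1:
            have[t[0]] = True
        elif t[0] == "ssh" and t[1:2] != ["timeout"]:
            args = t[1:]
            if (len(args) == 3 and IPV4.match(args[0]) and IPV4.match(args[1])
                    and args[2] in interfaces):
                ssh_ok = True
            else:
                problems.append("'%s': expected 'ssh <host> <mask> <interface>'" % line)
    for name, present in have.items():
        if not present:
            problems.append("no %s set; the RSA key is generated under hostname.domain-name" % name)
    if not ssh_ok:
        problems.append("no valid ssh line, so no client address is allowed to connect")
    return problems
```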



VPN monitoring software [7:26235]

2001-11-14 Thread Gibb, Jake

Has anyone used Cisco's VPN monitoring software? We have a handful of
tunnels that we need remote management for..

-Jake




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26235&t=26235



RE: Configuring hyperterminal to configure a Cisco router [7:24139]

2001-10-25 Thread Gibb, Jake

Sorry...

-Jake

-Original Message-
From: Stephane Wantou Siantou [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 25, 2001 12:50 PM
To: [EMAIL PROTECTED]
Subject: Configuring hyperterminal to configure a Cisco router [7:24133]


Hi everybody,

I have a Cisco router and a hyperterminal.  Can anybody tell me how to
configure a hyperterminal on my laptop or PC to be able to configure the
router (step by step).

Thanks a lot,

Stephane Wantou




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24139&t=24139



RE: IP database application [7:24128]

2001-10-25 Thread Gibb, Jake

Tried that. He heh

;)

-Original Message-
From: Ouellette, Tim [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 25, 2001 1:13 PM
To: Gibb, Jake
Cc: '[EMAIL PROTECTED]'
Subject: RE: IP database application [7:24128]


wordpad?

Sorry, couldn't resist.

> -Original Message-----
> From: Gibb, Jake [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, October 25, 2001 1:17 PM
> To:   [EMAIL PROTECTED]
> Subject:  IP database application [7:24128]
> 
> Does anyone have a good app for maintaining IP address information 
> besides excel or notepad?
> 
> Jake Gibb
> Kroll Senior Network Engineer
> 615.345.9880 (Office)
> 615.394.7887 (Cell)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24137&t=24128



RE: Configuring hyperterminal to configure a Cisco router [7:24135]

2001-10-25 Thread Gibb, Jake

This should get you started. 

-Jake

-Original Message-
From: Stephane Wantou Siantou [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 25, 2001 12:50 PM
To: [EMAIL PROTECTED]
Subject: Configuring hyperterminal to configure a Cisco router [7:24133]


Hi everybody,

I have a Cisco router and a hyperterminal.  Can anybody tell me how to
configure a hyperterminal on my laptop or PC to be able to configure the
router (step by step).

Thanks a lot,

Stephane Wantou




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24135&t=24135



IP database application [7:24128]

2001-10-25 Thread Gibb, Jake

Does anyone have a good app for maintaining IP address information
besides excel or notepad?

Jake Gibb
Kroll Senior Network Engineer
615.345.9880 (Office)
615.394.7887 (Cell)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24128&t=24128



RE: WIC-T1 crossover? [7:24095]

2001-10-25 Thread Gibb, Jake

That's great! Thanks!

-Jake

-Original Message-
From: Chris Theiss [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 25, 2001 9:17 AM
To: Gibb, Jake
Cc: [EMAIL PROTECTED]
Subject: Re: WIC-T1 crossover? [7:24095]


If you have the tools, you can make a T1 crossover cable pretty easily:
http://www2.adtran.com/support/technotes/t1ddsadptxvr/

"Gibb, Jake" wrote:

> Is it possible to take a WIC-T1 card used in a Cisco 1600 and somehow 
> make a crossover cable to connect to another 1600 with a WIC-T1 
> simulating a serial link (PPP, Frame-Relay, etc.)
>
> -Jake




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24101&t=24095



WIC-T1 crossover? [7:24095]

2001-10-25 Thread Gibb, Jake

Is it possible to take a WIC-T1 card used in a Cisco 1600 and somehow
make a crossover cable to connect to another 1600 with a WIC-T1
simulating a serial link (PPP, Frame-Relay, etc.)

-Jake




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24095&t=24095