RE: PIX 6.3 [7:69876]
Yes.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Manny
Sent: Friday, May 30, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: PIX 6.3 [7:69876]

Has anyone upgraded to 6.3? Will I still be able to use conduits and statics? I currently have a 515 running 6.1(2).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69887&t=69876
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Easy VPN [7:69804]
I am getting the following error:

6d20h: %SYS-5-CONFIG_I: Configured from console
6d21h: EZVPN(hw2): Current State: READY
6d21h: EZVPN(hw2): Event: RESET
6d21h: EZVPN(hw2): ezvpn_close
6d21h: EZVPN(hw2): New State: CONNECT_REQUIRED
6d21h: EZVPN(hw2): Current State: CONNECT_REQUIRED
6d21h: EZVPN(hw2): Event: CONNECT
6d21h: EZVPN(hw2): ezvpn_connect_request
6d21h: EZVPN(hw2): New State: READY
6d21h: EZVPN(hw2): Current State: READY
6d21h: EZVPN(hw2): Event: CONN_DOWN
6d21h: EZVPN(hw2): ezvpn_close
6d21h: EZVPN(hw2): New State: CONNECT_REQUIRED
6d21h: EZVPN(hw2): Current State: CONNECT_REQUIRED
6d21h: EZVPN(hw2): Event: CONNECT
6d21h: EZVPN(hw2): ezvpn_connect_request
6d21h: EZVPN(hw2): New State: READY
6d21h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 100.100.100.1

-Original Message-
From: Greg Owens Jr [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 27, 2003 5:18 PM
To: '[EMAIL PROTECTED]'
Subject: Easy VPN

Has anyone used a PIX and 1700 for Easy VPN configuration, i.e. PIX as the server and 1700 as remote device?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69804&t=69804
RE: Easy VPN [7:69608]
I know it is the PIX. I really need a server config. The remote is simple.

Greg Owens
202-398-2552
fax 202-399-7690

-Original Message-
From: Elijah Savage [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 27, 2003 8:00 PM
To: Greg Owens Jr; [EMAIL PROTECTED]
Subject: RE: Easy VPN [7:69608]

I do not know which you're having the problem with, but I have used it with a Cisco 3030 concentrator. If you think the router config is an issue I can provide you with one I used with the concentrator. But I suspect it is the PIX giving you issues :)

-Original Message-
From: Greg Owens Jr [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 27, 2003 5:18 PM
To: [EMAIL PROTECTED]
Subject: Easy VPN [7:69608]

Has anyone used a PIX and 1700 for Easy VPN configuration, i.e. PIX as the server and 1700 as remote device?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69618&t=69608
Easy VPN [7:69608]
Has anyone used a PIX and 1700 for Easy VPN configuration, i.e. PIX as the server and 1700 as remote device?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69608&t=69608
RE: PIX VPN and IPSEC [7:64017]
The command "isakmp key ** address 0.0.0.0" is for VPN Client 1.1, not 3.x. If you protect all traffic, the user will not be able to browse the internet. If you configure split tunnel, users can VPN into your network and browse the internet using their ISP, not your VPN.

Greg Owens
202-398-2552
fax 202-399-7690

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, February 27, 2003 3:39 PM
To: [EMAIL PROTECTED]
Subject: PIX VPN and IPSEC [7:64017]

I have a question regarding the configuration of manual IPSEC. I have to create an access list to define the traffic to protect. I want to connect to my office network from home. I have a DHCP assigned address from my ISP so I can't specify a peer address. So I will use "isakmp key ** address 0.0.0.0" for now.

Now as far as the traffic goes: should I specify protect all traffic or what? What happens when I have multiple remote users? I would like the PIX to be the end point so I can travel over my entire network (email, shares, printers, etc). I'm a little confused on this.. Thanks in advance...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64026&t=64017
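As an added example (not from any of the posts above): a PIX 6.x remote-access VPN server of the kind the reply describes, with a split-tunnel list instead of "protect all traffic". The same vpngroup definition is what the PIX uses when it acts as Easy VPN server for the 1700 asked about in the "Easy VPN" thread, so the router side is shown at the end under the profile name "hw2" seen in that thread's debug output. The addresses, the pool, the group name "remoteusers", the ACL and map names, and the user account are all assumptions.

```cisco
! ---- PIX 6.x (server) ----

! Remote users draw an address from this pool when they connect.
ip local pool vpnpool 192.168.100.1-192.168.100.50

! Only inside LAN <-> pool traffic is tunneled. The same list is pushed to the
! client as its split-tunnel network list and exempts that traffic from NAT.
! Leave split-tunnel off the vpngroup to tunnel everything instead, at the cost
! of the client having no internet access except through the PIX.
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list split_tunnel

! Decapsulated IPsec traffic bypasses the outside interface ACL.
sysopt connection permit-ipsec

! IKE phase 1. VPN Client 3.x and Easy VPN remotes require DH group 2. The group
! password under vpngroup is the pre-shared key; the VPN Client 1.x style
! "isakmp key ... address 0.0.0.0" line is not used.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IKE phase 2 through a dynamic crypto map (peer addresses are unknown), with
! extended authentication (xauth) of each user against the local database.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
username alice password <user-password>

! Group policy pushed to every client that authenticates with this group name.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.1.1.5
vpngroup remoteusers default-domain example.com
vpngroup remoteusers split-tunnel split_tunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-password>

! ---- 1700 (IOS Easy VPN Remote, client mode) ----

! Group name and password must match the vpngroup on the PIX; the remote
! identifies the group during the aggressive-mode exchange, which is the step
! that fails in the debug posted in the Easy VPN thread. In client mode the
! LAN behind the router is PATed to the pool address the PIX hands out. With
! xauth enabled on the PIX, the router prompts for (or is given with the EXEC
! command "crypto ipsec client ezvpn xauth") a username and password.
crypto ipsec client ezvpn hw2
 group remoteusers key <group-password>
 mode client
 peer 100.100.100.1
!
! The interface facing the PIX (name assumed).
interface Ethernet0
 crypto ipsec client ezvpn hw2
```

Split tunneling is the convenience the reply describes, and also the trade-off: while the tunnel is up the client machine is reachable from the internet through its ISP connection and from the office LAN through the tunnel at the same time, so it should be treated as a host on the perimeter, not as an inside host.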
RE: PIX 520 Xlate Problem [7:63087]
You may want to change your xlate timeout.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danial Morison
Sent: Saturday, February 15, 2003 2:58 AM
To: [EMAIL PROTECTED]
Subject: PIX 520 Xlate Problem [7:63087]

Hi group,

Any idea where the problem is.. thanks..

We have implemented PIX with the following configuration. We have 3 inside networks mapped with 2 different public IP pools, 203.125.152.0/26 and 203.125.150.0/24. The problem is the inside network 10.0.0.0/17 (10.0.0.0 subnet mask 255.255.128.0) is not able to go to the internet after a certain period of time (2 or 3 days).

172.0.0.0/8
10.0.0.0/8
10.0.0.0/17

Here are the details.

pixfirewall# sh global
global (outside) 1 203.125.152.194-203.125.152.236 netmask 255.255.255.192
global (outside) 4 203.125.150.1-203.125.150.126 netmask 255.255.255.128
global (outside) 2 203.125.152.244 netmask 255.255.255.192
global (outside) 3 203.125.152.248 netmask 255.255.255.192
global (outside) 1 203.125.152.193 netmask 255.255.255.192
global (outside) 4 203.125.150.249 netmask 255.255.255.128
global (dmz) 1 172.16.13.11-172.16.13.20 netmask 255.255.255.0
global (dmz) 2 172.16.13.51-172.16.13.60 netmask 255.255.255.0
global (dmz) 3 172.16.13.61-172.16.13.70 netmask 255.255.255.0
global (dmz) 4 172.16.13.71-172.16.13.80 netmask 255.255.255.0
global (dmz) 1 172.16.13.10 netmask 255.255.255.0
global (dmz) 2 172.16.13.9 netmask 255.255.255.0
global (dmz) 3 172.16.13.8 netmask 255.255.255.0
global (dmz) 4 172.16.13.6 netmask 255.255.255.0

pixfirewall# sh nat
nat (inside) 2 172.16.1.115 255.255.255.255 0 0
nat (inside) 3 172.16.11.76 255.255.255.255 0 0
nat (inside) 3 172.16.11.80 255.255.255.255 0 0
nat (inside) 3 172.16.11.84 255.255.255.255 0 0
nat (inside) 2 172.16.11.224 255.255.255.240 0 0
nat (inside) 4 10.0.0.0 255.255.128.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (inside) 1 172.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.16.13.0 255.255.255.0 0 0

pixfirewall# sh xlate
Global 203.125.152.220 Local 172.16.11.71
Global 203.125.152.221 Local 172.16.11.149
Global 172.16.13.11 Local 172.16.11.139
PAT Global 203.125.152.193(52641) Local 172.16.11.57(1155)
Global 203.125.152.222 Local 172.16.11.120
Global 203.125.152.223 Local 172.16.152.37
Global 203.125.152.216 Local 172.17.1.94
Global 203.125.152.217 Local 172.16.1.20
Global 203.125.152.218 Local 172.16.5.20
Global 172.16.13.12 Local 172.16.1.205
Global 203.125.152.219 Local 172.16.11.139
Global 172.16.13.13 Local 172.16.154.75
Global 203.125.152.212 Local 172.16.11.194
Global 203.125.152.213 Local 172.17.11.91
Global 203.125.152.214 Local 172.17.1.91
Global 203.125.152.215 Local 172.16.5.78
Global 203.125.152.208 Local 172.16.1.22
Global 203.125.152.209 Local 172.16.5.15
Global 203.125.152.210 Local 172.16.151.75
Global 203.125.152.211 Local 172.17.1.23
Global 203.125.152.204 Local 172.16.5.79
Global 203.125.152.205 Local 172.16.5.13
PAT Global 203.125.152.193(52640) Local 172.16.11.57(1154)
Global 203.125.152.206 Local 172.18.1.22
Global 203.125.152.207 Local 172.18.1.104
Global 203.125.152.200 Local 172.16.11.192
Global 203.125.152.201 Local 172.18.1.24
Global 203.125.152.203 Local 172.16.5.17
PAT Global 172.16.13.6(43713) Local 10.0.12.137(12875)
Global 203.125.152.203 Local 172.16.151.72
Global 203.125.152.196 Local 172.16.5.21
Global 203.125.152.197 Local 10.120.10.51
Global 172.16.13.19 Local 172.18.1.254
Global 203.125.152.198 Local 172.17.1.93
Global 203.125.152.199 Local 172.16.11.186
Global 203.125.150.193 Local 172.16.206.30 static
PAT Global 203.125.152.244(21827) Local 172.16.11.233(4493)
PAT Global 203.125.152.244(21811) Local 172.16.11.233(4480)
Global 203.125.152.194 Local 172.16.5.18
Global 172.16.13.20 Local 172.17.1.110
Global 203.125.152.195 Local 172.16.5.14
Global 203.125.150.252 Local 172.16.1.40 static
Global 203.125.152.252 Local 172.16.13.21 static
Global 172.16.13.42 Local 172.18.1.22 static
Global 172.16.13.43 Local 172.17.1.21 static
PAT Global 203.125.152.193(52643) Local 172.16.11.57(1158)
Global 172.16.13.40 Local 172.16.11.21 static
Global 172.16.13.41 Local 172.16.206.21 static
Global 203.125.150.249 Local 172.16.13.27 static
Global 203.125.152.249 Local 172.16.13.23 static
Global 172.16.13.47 Local 10.160.10.53 static
Global 203.125.152.250 Local 172.16.1.41 static
Global 203.125.150.250 Local 172.16.1.24 static
PAT Global 172.16.13.6(43714) Local 10.0.12.140(14384)
Global 172.16.13.44 Local 172.16.152.21 static
Global 203.125.152.251 Local 172.16.13.22 static
Global 172.16.13.45 Local 10.160.10.51 static
Global 203.125.152.245 Local 10.160.10.51 static
Global 203.125.152.246 Local 172.16.13.26 static
Global 203.125.152.247 Local 172.16.13.25 static
Global 203.125.152.240 Local 10.160.10.52 static
Global 203.125.152.241 Local 172.16.18.51 static
PAT Global 203.125.152.244(22080) Local 172.16.11.229(1026)
PA
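An added example, not from the thread: the poster's configuration maps the whole of 10.0.0.0/17 (nat (inside) 4) onto a 126-address dynamic pool with a single PAT address behind it, so before touching the timeout a practitioner would look at how full that pool is. The commands below do that and then apply the reply's suggestion. The one-hour value is an assumption; the defaults and limits quoted in the comments are the PIX 6.x ones, and the global/local filters on show xlate are accepted on 6.2 and later (use plain show xlate on older code).

```cisco
! Translations currently held out of the dynamic pool that serves nat 4 ...
show xlate global 203.125.150.1-203.125.150.126
! ... and out of its PAT fallback address, which only starts being used
! once every address in the pool is taken.
show xlate global 203.125.150.249
! Translations belonging to the 10.0.0.0/17 hosts themselves.
show xlate local 10.0.0.0 netmask 255.255.128.0

! A dynamic NAT translation is released only after it has been idle for the
! xlate timeout (default 3:00:00, minimum 0:01:00). Lowering it hands pool
! addresses back sooner. The other timers on the timeout command (conn, udp,
! ...) are independent and are not changed by this line.
timeout xlate 1:00:00

! Service-affecting last resort: discards every translation, and every
! connection that depends on one, so the table is rebuilt on demand.
clear xlate
```

Run the two show commands a few times over the days the problem takes to appear: if the pool addresses are all held and the PAT address is carrying the new hosts, the timeout change is the right lever; if the counts stay low, the timeout is not what is exhausting.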
RE: IAS Authentication with Pix 515 [7:61023]
By default, it should authenticate to AD first if it is part of the domain, and you have to enable the user object to have remote connectivity. I did it three months ago.

Greg Owens
202-398-2552
fax 202-399-7690

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Matthews
Sent: Tuesday, January 14, 2003 9:34 AM
To: [EMAIL PROTECTED]
Subject: Re: IAS Authentication with Pix 515 [7:61023]

I used the following document and it worked great - very easy. Logs all VPN access in both the IAS log files and on the Domain Controller running AD. The 3rd part of the document explains the Win2k/IAS portion of the config.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

"Kevin O'Gilvie" wrote in message news:[EMAIL PROTECTED]...
> Hi All,
>
> Does anyone know how to make IAS use Active directory to authenticate VPN
> users..
> I have the sample from cisco but that only displays local authentication..
>
> Thanks a bunch,
>
> Kevin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61050&t=61023
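An added example, not from the thread: the PIX side of what the replies describe, pointing extended authentication for VPN users at the IAS server so that the PIX never sees Active Directory directly; IAS checks the credentials against the domain. The server address, the shared-secret placeholder and the crypto map name "vpnmap" are assumptions, and the crypto map is assumed to exist already.

```cisco
! RADIUS server group and the IAS host on the inside. The secret must match
! the one entered for this PIX as a RADIUS client on the IAS server.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 <shared-secret> timeout 5

! Switch xauth on the existing crypto map from the local database to RADIUS.
crypto map vpnmap client authentication RADIUS
```

On the IAS side the parts that usually bite are the ones the reply hints at: IAS has to be registered in the domain so it may read user objects, and each user's dial-in permission must allow access (or the remote access policy must be set to control access instead), otherwise the PIX logs a plain authentication failure with nothing to distinguish a bad password from a denied account.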
RE: VPN dialup Outlook Exchange Do I need Help [7:60669]
Are you using MD5 or SHA? Because the higher the encryption, the more overhead you will have.

Greg Owens

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elijah Savage III
Sent: Thursday, January 09, 2003 7:42 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN dialup Outlook Exchange Do I need Help [7:60669]

Yes I have looked at that and the client says it is just too much work.

-Original Message-
From: cebuano [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 1:09 AM
To: Elijah Savage III
Cc: [EMAIL PROTECTED]
Subject: RE: VPN dialup Outlook Exchange Do I need Help [7:60669]

Elijah,
Just in case you haven't read this, here's what I found...

Dec 19, 2002, 6:03am PST
Not sure if you still have a problem, but... Have you tried changing the Outlook client so that it does NOT use the Logon Network Security? (To check this, right click the Outlook icon and go to Properties, select the MS Exchange server and click the Properties button. Then select the Advanced tab, and set the Logon Network Security to NONE.) This will prompt the Outlook client to provide the NT domain authentication info (username, domain, password) rather than trying to take it from the OS. I had this same problem and this is what I did to resolve it. There may be a more elegant solution, but I am unaware of it. Hope this helps...
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elijah Savage III
Sent: Wednesday, January 08, 2003 9:00 PM
To: [EMAIL PROTECTED]
Subject: VPN dialup Outlook Exchange Do I need Help [7:60669]

All,

I need some serious help for a serious problem. We have implemented a VPN solution with 2 3030 concentrators. All work fine except for the dial-in users; everything is terribly slow. I used dial-in tonight and had a 50.6 connection and it was creeping along like it was 9600 baud. I was getting DNS resolution problems on web pages I knew were up, like CCO. I have enabled LZS compression on both concentrators. I also have users complaining that they get Exchange errors like "can't contact server".

Here is the confusing and tricky part. Now on the other hand broadband users just couldn't be happier. I have broadband at home also, and all this crap I experienced tonight on dialup, none of it has shown its ugly head on broadband, no Exchange error or anything. I have looked over CCO and it looks like there were a few bugs for the VPN client, but supposedly fixed, and I am using the latest client. Also on the Network Professional news group on CCO there are just a TON of people complaining about VPN and Outlook access in some form or another with no resolution.

I called TAC and opened a case, and the TAC engineer said yeah, he knows about the errors and that is the nature of the VPN beast, and said Cisco likes to recommend to customers implementing VPN technology that they put an OWA (Outlook Web Access) server in a DMZ some place because web browsing is a much better experience over VPN. I just can't accept this as an answer. I am out of ideas of what to try, and there has to be someone out there in this big IT world that has happy dialup users using Outlook/Exchange through VPN concentrators. I did follow the recommendations on CCO about lowering the MTU settings on the client side but that does not fix it.

If anyone has seen this and has a fix please let me know; it would be greatly appreciated. Out of all honesty I am looking for any experience at all just to hear what the general consensus is on this, so if you have a fix or not I would like to hear about your overall experience.

Thank You

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60697&t=60669
RE: why lose connection after apply IDS on PIX [7:58960]
The information alarm is just for your information, because those signatures contain some normal data traffic, so you want to configure the information alarm as follows:

ip audit name outside-info info action alarm

Greg Owens Jr

-Original Message-
From: Kenny Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 9:18 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: why lose connection after apply IDS on PIX [7:58960]

Hi.. Greg. Thanks for your guide. By the way, are you saying that we can drop on the attack alarm but not on the informational alarm?

>From: "Greg Owens"
>Reply-To: "Greg Owens"
>To: [EMAIL PROTECTED]
>Subject: Re: why lose connection after apply IDS on PIX [7:58960]
>Date: Wed, 11 Dec 2002 13:56:41 GMT
>
>I have implemented the same IDS on the PIX; however, I did not "and would
>not" drop informational alarms. That's why you are losing connectivity. Just
>use the alarm option.
>
> > From: "Kenny Smith"
> > Date: 2002/12/10 Tue PM 10:18:16 EST
> > To: [EMAIL PROTECTED]
> > Subject: why lose connection after apply IDS on PIX [7:58960]
> >
> > HI... Dear Friends,
> >
> > I want to implement IDS on my PIX outside interface which is facing the internet,
> > so that I can get alarms for external attacks. Below is my interface config
> > and global ip audit name config:
> >
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> >
> > ip audit name outside-info info action alarm drop
> > ip audit name outside-attack attack action alarm drop
> >
> > But when I apply it on my outside interface as shown below, I immediately lose
> > connection with the outside. Can't ping and connect to external network. Why?
> >
> > PIX(config)#ip audit interface outside outside-info
> > PIX(config)#ip audit interface outside outside-attack
> >
> > Thanks a lot
>
>Greg Owens
>202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59031&t=58960
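As an added example, not from the thread: the policy that took the poster's outside interface down, next to the corrected one, plus the checks a practitioner would run before deciding to drop anything at all. Interface and policy names are the poster's; the syslog host address is an assumption.

```cisco
! Weak: "drop" on the informational class discards every packet that matches
! an informational signature. That class covers ordinary traffic such as ICMP
! echo request (signature 2004) and echo reply (2000), so pings and other
! sessions across the outside interface fail as soon as the policy is bound.
ip audit name outside-info info action alarm drop
ip audit name outside-attack attack action alarm drop
ip audit interface outside outside-info
ip audit interface outside outside-attack

! Corrected: alarm only for the informational class, keep drop for attacks.
! Unbind the policy from the interface before redefining it, then rebind.
no ip audit interface outside outside-info
no ip audit name outside-info info
ip audit name outside-info info action alarm
ip audit interface outside outside-info

! An alarm nobody receives is not a control. PIX IDS messages are syslog IDs
! 400000 through 400050 at severity 4 (warnings).
logging on
logging trap warnings
logging host inside 10.1.1.50

! See which signatures are actually firing on the interface before tightening
! actions, and silence a single noisy signature rather than a whole class.
show ip audit count interface outside
ip audit signature 2000 disable
```

The general rule the reply gives holds beyond this one case: on a firewall, "drop" belongs only on signature classes whose matches you have looked at and are prepared to lose, and the informational class on an internet-facing interface is never that.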
RE: PIX question [7:58623]
All you need to do is create a static private-to-public address mapping on the PIX. However, users on the inside will access the server via the private address. Therefore, the packet will not leave the inside interface and come back in.

Greg Owens

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 10:22 AM
To: [EMAIL PROTECTED]
Subject: PIX question [7:58623]

If I have a PIX separating my network from the internet with an inside and an outside interface, and I have some servers on the inside network that I use static to give an IP address on the outside network for hosts on the internet to access, that's the easy part. Now the question: is it possible for the inside hosts to access the servers using the public IP address, i.e. as if my inside hosts were accessing them from the internet, so they would go out the PIX and then back in using the public IP address of the server they are connecting to? Does this make any sense?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58632&t=58623
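An added example, not from the thread: the static the reply describes, and the way a PIX running 6.2 or later makes inside hosts end up on the private address automatically when they look the server up by its public name, so nobody has to maintain two sets of bookmarks. The addresses, interface names and ACL name are assumptions; the poster's PIX version is not stated, and the dns keyword is not available before 6.2.

```cisco
! Public 203.0.113.10 maps to the inside server 10.1.1.10. Internet hosts
! connect to the public address; the PIX cannot take a packet in on the
! inside interface and send it back out the same interface, so inside hosts
! must reach 10.1.1.10 directly.
!
! The dns keyword makes that transparent: when a DNS reply carrying an A
! record for 203.0.113.10 crosses the PIX from outside to inside, the PIX
! rewrites it to 10.1.1.10, so an inside client resolving www.example.com
! against an external resolver gets the private address and connects
! directly. Replies that never cross the PIX (an inside DNS server that is
! authoritative for the zone) are not rewritten; give that server the
! private record instead.
static (inside,outside) 203.0.113.10 10.1.1.10 dns netmask 255.255.255.255 0 0

! The static alone opens nothing; internet hosts still need an ACL entry.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
```

After applying it, resolve the name from an inside host and confirm the answer is 10.1.1.10; if it still comes back as the public address, the reply did not traverse the outside interface and the rewrite never had a chance to happen.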
have anyone had this IGMP problem [7:57126]
Some LAN Switches with IGMP Snooping Enabled Stop Forwarding Multicast Packets on RRAS Startup

The information in this article applies to:
* Microsoft Windows 2000 Advanced Server

SUMMARY

Routers connected to LAN switches configured with IGMP snooping may have problems when a Windows 2000 RRAS-capable server comes online or when OSPF or RIP version 2 is enabled.

MORE INFORMATION

Switches with IGMP snooping enabled have a feature that attempts to determine which ports connect to devices that belong to a particular multicast group. If the port does not connect to a device in the multicast group, the switch does not forward packets destined to the multicast group out that port. Some switches attempt to do this smart multicast forwarding for all multicast destinations, while others do this only for non-permanent groups (groups outside the range 224.0.0.1-224.0.0.255). Switches doing this for permanent groups, such as the all-routers group 224.0.0.2, the OSPF multicast groups 224.0.0.5 and 224.0.0.6, and the RIP 2 multicast group 224.0.0.9, could cause problems on the switched network.

This behavior occurs if the switch has Cisco routers connected to it, running Hot Standby Routing Protocol, OSPF, or RIP 2, and a Windows 2000 server is connected to the switch and initialized. Other routers may be affected as well.

Before the server is brought online, the routers are communicating through the switch using one or more of the above multicast addresses. The routers never send IGMP join packets for these groups, so the switch never tries to parse which ports will receive the multicast packets. When the server with RRAS comes online, it sends an IGMP join packet for the all-routers multicast group (224.0.0.2), and for the OSPF and RIP 2 groups if the protocols are running. The switch sees the join message and sends a membership query out all its ports to determine which ports have devices that also belong to this group. The routers do not respond to membership queries for these multicast groups. The switch then stops sending packets destined to these multicast groups to the routers' ports, and effectively disables the routing protocol communication between routers.

Hewlett-Packard (HP) and Nortel Networks (formerly Bay) switches operate in this manner when IGMP snooping is enabled. Both switches have an option for defining filters that enable them to always forward multicast packets to all ports for specific groups. These filters must be enabled to assure that the routers will continue functioning. Other switches always forward all multicast packets for these groups to all ports without requiring that filters be enabled.

The IGMP join packets sent from the Windows 2000 server with RRAS can be observed by monitoring the data sent by the server when it first initializes. Without any RRAS configuration, the server sends the IGMP join for the all-routers group (224.0.0.2). When RRAS is started and OSPF is configured, the server sends the join for the OSPF groups 224.0.0.5 and 224.0.0.6. When RIP 2 is configured, the server sends the join for the RIP 2 group 224.0.0.9.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57126&t=57126