RE: pix and e-mail problem [7:39643]

2002-03-27 Thread Lidiya White

Mailguard on the PIX is "fixup". If you do have fixup protocol for mail,
remove this.
It is a well-known issue with Microsoft for the TAC :-)))
I do have an article from Microsoft about this. If you would like, I can
e-mail it to you later (I have it in bookmarks on another computer)...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 27, 2002 11:16 AM
To: [EMAIL PROTECTED]
Subject: pix and e-mail problem [7:39643]

For the past months I have been receiving multiple e-mails from the outside
world. I'm currently running Mail Gear from Symantec as the primary e-mail
server, which is located behind the firewall (PIX 520); this is mapped with a
conduit statement to a real IP address. The weird thing is this setup has
been working before; of course, I have upgraded the IOS of the PIX to version
6.1. Tech support told me that there were known issues with the PIX and Mail
Gear, especially Mail Guard. What is Mail Guard, and how can I disable it? Any
pointers are appreciated. I am also running a PacketShaper box and a caching
server from Dell behind the firewall. At the same time the issue began to
happen? Does anyone have a setup similar to mine?
thanks



57529# show version

Cisco PIX Firewall Version 6.1(1)
Cisco PIX Device Manager Version 1.1(2)

Compiled on Tue 11-Sep-01 07:45 by morlee

57529 up 75 days 2 hours

Hardware:   AL440LX, 128 MB RAM, CPU Pentium II 233 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0090.2710.27df, irq 11
1: ethernet1: address is 0090.270d.c12c, irq 10
2: ethernet2: address is 0090.2710.46a2, irq 15

Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Disabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards:             Enabled
Websense:           Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
ISAKMP peers:       Unlimited




George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39702&t=39643
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Crypto Map in Loopback interface [7:39744]

2002-03-28 Thread Lidiya White

Yes, you can apply a crypto map on the loopback, tunnel or Ethernet
interfaces. Just make sure that routing is set up correctly and use
"crypto map mymap local-address lo0".
You can create a tunnel between loopback interfaces, or use a loopback
interface on one router and a physical interface on the other for the peers.

--- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, March 28, 2002 7:43 AM
To: [EMAIL PROTECTED]
Subject: Crypto Map in Loopback interface [7:39744]

Hi All,
 
Can I apply a crypto map to a loopback interface or an Ethernet interface...?
(Currently the VPN tunnel is working fine with the crypto map applied to the
Serial interface of the Internet edge router.)

If yes, can I create a tunnel between loopback interfaces on the peers...?
Can I create a tunnel between a physical interface and a loopback
interface?
 
Thiyagu




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39829&t=39744



RE: pix and e-mail problem [7:39643]

2002-03-28 Thread Lidiya White

Receiving Duplicate Inbound SMTP Messages (Q295725)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q295725


SMTP

The fixup smtp command inspects SMTP sessions and performs three primary
tasks:

  (i)   enforce the seven generic commands;
  (ii)  track the SMTP command-response sequence;
  (iii) generate an audit trail.

  The port number defines the well-known service port to which the SMTP
  client connects on the SMTP server. This port is usually 25. However,
  a different, non-standard port can be specified.

  Enforce the seven generic commands:
    The fixup smtp command enforces that only the generic seven RFC 821
    commands can be used during the SMTP envelope exchange. These
    commands are HELO, RSET, NOOP, QUIT, MAIL, RCPT, and DATA.

  Track the SMTP command-response sequence:
    Each command and response sequence is tracked for the following
    anomalous signatures:

      (1) truncated command;
      (2) incorrect command termination -- not terminated with
          carriage return and line feed;
      (3) invalid character, "|;`<>", embedded in mail address;
      (4) unexpected transition by the SMTP server;
      (5) TCP stream editing;
      (6) command pipelining.

  Generate audit trail:
    Audit record 108002 is generated when an invalid character embedded
    in the mail address is replaced.

  For more info, see RFC 821.

-- Lidiya White

-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 10:39 AM
To: Lidiya White
Subject: RE: pix and e-mail problem [7:39643]



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39835&t=39643
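Added example for this thread (it is not Cisco's code and not part of the quoted documentation): a small Python model of the client-side checks the "fixup protocol smtp" description above lists, applied to constructed SMTP command lines. It shows why a mail server that opens with EHLO, or that pipelines MAIL/RCPT in one segment, trips Mail Guard. The function names, the replacement character, and the decision to mark non-generic commands as rejected are assumptions made for the illustration; the page only says the seven commands are enforced and that invalid characters are replaced with audit record 108002.

```python
# Added example (not from the Cisco documentation quoted above): a model of
# the checks the PIX "fixup protocol smtp" (Mail Guard) applies to client
# commands. Names, the replacement character and the treatment of commands
# outside the generic seven are assumptions made for this illustration.
import re
from dataclasses import dataclass, field
from typing import List

# The seven generic RFC 821 commands the fixup lets through.
GENERIC_SEVEN = {"HELO", "RSET", "NOOP", "QUIT", "MAIL", "RCPT", "DATA"}
# Characters the fixup treats as invalid inside a mail address.
INVALID_ADDR_CHARS = set("|;`<>")
# Assumed replacement; the documentation only says the character is replaced.
REPLACEMENT = "_"


@dataclass
class Verdict:
    command: bytes                 # command line as forwarded (possibly rewritten)
    allowed: bool                  # False: not one of the generic seven, or unusable
    anomalies: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


def _rewrite_address(text: str):
    """Replace invalid characters inside the outermost <...> of MAIL FROM: /
    RCPT TO:. The outer angle brackets delimit the address and are kept."""
    start, end = text.find("<"), text.rfind(">")
    if start == -1 or end <= start:
        return text, 0
    addr = text[start + 1:end]
    replaced = sum(1 for c in addr if c in INVALID_ADDR_CHARS)
    cleaned = "".join(REPLACEMENT if c in INVALID_ADDR_CHARS else c for c in addr)
    return text[:start + 1] + cleaned + text[end:], replaced


def inspect_segment(segment: bytes) -> List[Verdict]:
    """Inspect one client-to-server TCP segment: split it into command lines,
    flag pipelining (more than one command per segment), and apply the
    truncation, termination, command-set and address checks to each line."""
    lines = [p for p in re.split(rb"(?<=\n)", segment) if p]
    pipelined = len(lines) > 1
    verdicts = []
    for raw in lines:
        v = Verdict(command=raw, allowed=True)
        if pipelined:
            v.anomalies.append("command pipelining")
        if not raw.endswith(b"\r\n"):
            v.anomalies.append("incorrect command termination")
        body = raw.rstrip(b"\r\n")
        terminator = raw[len(body):]
        text = body.decode("ascii", errors="replace")
        verb = text.split(" ", 1)[0].split(":", 1)[0].upper()
        if len(verb) < 4:
            v.anomalies.append("truncated command")
            v.allowed = False
        elif verb not in GENERIC_SEVEN:
            # EHLO, VRFY, EXPN, ... are outside the generic seven.
            v.anomalies.append(f"non-generic command {verb}")
            v.allowed = False
        elif verb in ("MAIL", "RCPT"):
            text, n = _rewrite_address(text)
            if n:
                v.audit.append(f"108002: replaced {n} invalid character(s) in mail address")
                v.command = text.encode("ascii", errors="replace") + terminator
        verdicts.append(v)
    return verdicts


def inspect_session(segments: List[bytes]) -> List[Verdict]:
    """Run every client segment of a session through the inspector."""
    return [v for seg in segments for v in inspect_segment(seg)]


if __name__ == "__main__":
    # Constructed client side of a session: an EHLO (which a modern MTA sends
    # first), a pipelined envelope, and an address with a stray ';'.
    session = [
        b"EHLO mail.example.test\r\n",
        b"HELO mail.example.test\r\n",
        b"MAIL FROM:<alice@example.test>\r\nRCPT TO:<bob;x@example.test>\r\n",
        b"DATA\n",
    ]
    for v in inspect_session(session):
        flag = "pass" if v.allowed else "REJECT"
        print(f"{flag:6} {v.command!r} anomalies={v.anomalies} audit={v.audit}")
```

Running the block shows the EHLO rejected, the two pipelined envelope commands flagged, the `;` in the RCPT address rewritten with an audit entry, and the bare-LF DATA flagged for termination. Server-side tracking (anomaly 4, "unexpected transition by the SMTP server") and TCP stream editing are not modelled.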



RE: Logging - terminal monitor not working [7:39957]

2002-03-30 Thread Lidiya White

I would add "no ip route-cache" on that interface and make sure that you
don't have "logging synchronous" under line con 0...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Pierre-Alex Guanel
Sent: Saturday, March 30, 2002 3:04 PM
To: [EMAIL PROTECTED]
Subject: Logging - terminal monitor not working [7:39957]

Kind of a silly problem, but I can't figure it out...

I am connected to R1 via telnet. I have turned on debugging of IP packets.

I also have issued the command "terminal monitor".

Yet I do not get anything logged when I ping the Ethernet interface of R1.

Any ideas?

Thanks



R1#sh terminal
Line 2, Location: "", Type: "ANSI"
Length: 45 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: Ready, Active, No Exit Banner
Capabilities: Receives Logging Output
Modem state: Ready
Group codes:0
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none  -     -     none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               never        never                        none      not set
Idle Session Disconnect Warning
               never
Login-sequence User Response
               00:00:30
Autoselect Initial Wait
               not set
Modem type is unknown.
Session limit is not set.
Time since activation: 00:41:15
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed transports are lat pad v120 mop telnet rlogin nasi.  Preferred is
lat.
No output characters are padded
No special data dispatching characters


R1#sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 102 messages logged
Monitor logging: level debugging, 2 messages logged
Logging to: vty2(0)
Buffer logging: level debugging, 102 messages logged
Trap logging: level informational, 47 message lines logged

Log Buffer (4096 bytes):




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39964&t=39957



RE: pix questions [7:39986]

2002-03-31 Thread Lidiya White

Activation key is something you can request from [EMAIL PROTECTED].
They generate act keys based on your request.
By default the PIX doesn't come with all features enabled (unless you
specifically asked for it when you were buying the PIX).
So let's say you decided to run IPSec and want DES enabled; you need a new
act key. Or if you want failover enabled, again a new act key.
Those are feature-based act keys.
If you bought a PIX Firewall with a 100-user license, and in a few months
your company grew, you'll need a new activation key for more users
(let's say a 500-user license). This one is a connection-based act key.
Activation keys are cut based on the serial number of the PIX Firewall,
so if you'll be upgrading the OS code, you don't need a new act key. But if
you'll be replacing your PIX Firewall, you'll need to request a new
activation key...

--- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
John Green
Sent: Sunday, March 31, 2002 11:26 AM
To: [EMAIL PROTECTED]
Subject: pix questions [7:39986]

What is the difference between
feature-based and connection-based activation keys?

Is the activation key generated by the PIX itself, or
does it get loaded by factory settings when the PIX is sent to
the customer? How does this thing work?

What is inside the BIOS flash?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39990&t=39986



RE: static translation how to ? [7:40044]

2002-04-01 Thread Lidiya White

1) nat (inside) 1 10.10.10.2 255.255.255.255
nat (inside) 2 0 0
global (outside) 1 205.11.22.9
global (outside) 2 interface

If you are using 205.11.22.9 as the outside IP address of the PIX, then
just:
nat (inside) 1 0 0
global (outside) 1 interface

2) You have to have a static if the connection is being initiated from the
outside:
static (inside,outside) tcp 205.11.22.9 80 10.10.10.2 80 netmask 255.255.255.255

3) Allow port 80 traffic from the outside:
conduit permit tcp host 205.11.22.9 eq 80 any
or if you are using an ACL:
access-list name permit tcp any host 205.11.22.9 eq 80

Port Redirection with Statics
http://www.cisco.com/warp/public/707/28.html#port

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
John Green
Sent: Monday, April 01, 2002 10:58 AM
To: [EMAIL PROTECTED]
Subject: pix: static translation how to ? [7:40044]

        INTERNET
           |
           | 205.11.22.9
          PIX
           | 10.10.10.1
     -----------------
       |      |      |
       |      |      |
  10.10.10.2  10.10.10.3  10.10.10.4
  WEB SERVER  host        host

Requirement: the web server running at 10.10.10.2 on port
80 should be accessible by users on the Internet; they
connect to 205.11.22.9:80 instead.

What should be the nat/global statements for such a
scenario?






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40114&t=40044
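Added example for the reply above (not Cisco's code and not part of the thread): a Python model of what the PIX does with a connection initiated from the outside, using the reply's own static and conduit lines for the poster's 205.11.22.9 / 10.10.10.2 case. It shows that a port-redirect static alone translates but does not permit, that a conduit alone permits nothing without a static, and how the conduit is rewritten as the equivalent access-list line (the reply's alternative), where the source and destination order is reversed. Outbound nat/global is not modelled; the function names and the 198.51.100.7 client address are assumptions.

```python
# Added example, not from the reply or from Cisco: a model of how an inbound
# connection from the outside is matched against PIX "static" and "conduit"
# statements, plus a conduit-to-access-list converter for the alternative the
# reply mentions. Function names and the sample client address are assumptions.
from typing import List, NamedTuple, Optional, Tuple


class Static(NamedTuple):
    proto: Optional[str]       # None for a plain (all-protocol) static
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]


class Conduit(NamedTuple):
    proto: str
    dst: str                   # "any" or a host address (the global address)
    dst_port: Optional[int]
    src: str                   # "any" or a host address


def parse_static(line: str) -> Static:
    """static (inside,outside) [tcp|udp] <global> [<port>] <local> [<port>] ..."""
    t = line.split()
    if t[2] in ("tcp", "udp"):
        return Static(t[2], t[3], int(t[4]), t[5], int(t[6]))
    return Static(None, t[2], None, t[3], None)


def _addr(tokens: List[str], i: int) -> Tuple[str, Optional[int], int]:
    """Consume 'any' or 'host X', then an optional 'eq <port>'; return
    (address, port, next index). Network/mask forms are not modelled."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form at {tokens[i]!r}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return addr, port, i


def parse_conduit(line: str) -> Conduit:
    """conduit permit <proto> <DESTINATION spec> <SOURCE spec>.
    A conduit names the destination (global) address first."""
    t = line.split()
    if t[:2] != ["conduit", "permit"]:
        raise ValueError("only 'conduit permit' lines are modelled")
    dst, dst_port, i = _addr(t, 3)
    src, _, _ = _addr(t, i)
    return Conduit(t[2], dst, dst_port, src)


def conduit_to_acl(c: Conduit, name: str = "outside_in") -> str:
    """Equivalent access-list line: source first, destination second."""
    src = "any" if c.src == "any" else f"host {c.src}"
    dst = "any" if c.dst == "any" else f"host {c.dst}"
    port = f" eq {c.dst_port}" if c.dst_port is not None else ""
    return f"access-list {name} permit {c.proto} {src} {dst}{port}"


def inbound(statics: List[Static], conduits: List[Conduit],
            proto: str, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Decide what happens to a connection initiated from the outside.
    Both a matching static (translation) and a permitting conduit are
    required; either one alone is not enough."""
    target = None
    for s in statics:
        if s.global_ip != dst_ip:
            continue
        if s.proto is None:                       # plain static: every port
            target = (s.local_ip, dst_port)
            break
        if s.proto == proto and s.global_port == dst_port:
            target = (s.local_ip, s.local_port)   # port-redirect static
            break
    if target is None:
        return f"dropped: no static translates {dst_ip}:{dst_port}"
    for c in conduits:
        if c.proto != proto:
            continue
        if c.dst not in ("any", dst_ip) or c.src not in ("any", src_ip):
            continue
        if c.dst_port not in (None, dst_port):
            continue
        return f"forwarded to {target[0]}:{target[1]}"
    return f"dropped: static exists but no conduit permits {proto} to {dst_ip}:{dst_port}"


if __name__ == "__main__":
    # The reply's own statements, with the poster's addresses.
    statics = [parse_static(
        "static (inside,outside) tcp 205.11.22.9 80 10.10.10.2 80 netmask 255.255.255.255")]
    conduits = [parse_conduit("conduit permit tcp host 205.11.22.9 eq 80 any")]
    print(inbound(statics, conduits, "tcp", "198.51.100.7", "205.11.22.9", 80))
    print(inbound(statics, conduits, "tcp", "198.51.100.7", "205.11.22.9", 443))
    print(inbound(statics, [], "tcp", "198.51.100.7", "205.11.22.9", 80))
    print(conduit_to_acl(conduits[0]))
```

The port-redirect static is the least-privilege form: only TCP/80 on 205.11.22.9 is reachable, so a conduit typo such as `eq 8080` or a plain (all-port) static would be needed to expose anything else on the web server.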



RE: VPN issues [7:40064]

2002-04-01 Thread Lidiya White

Make sure that the timeouts/SA lifetimes for phase 1 and phase 2 are
identical.
Possibly the Sonic firewall SA reaches its lifetime, but it's not notifying
the VPN 3000 that it's bringing the tunnel down. So when the Sonic tries to
re-negotiate a new SA, the VPN 3000 ignores that request as it still has the
old valid SA.

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Joseph Carr
Sent: Monday, April 01, 2002 12:00 PM
To: [EMAIL PROTECTED]
Subject: VPN issues [7:40064]

Well, I am having some trouble with VPN sessions getting
disconnected. I have a Cisco VPN 3005 at the main office that
sits in the DMZ zone of a Cisco PIX-515-R, and at the remote
end I have a SonicWALL ProVX that VPNs into the VPN
concentrator. We are using IPSec LAN-to-LAN IKE-3DES-MD5 for
the tunnel and have no trouble establishing a connection. But
after a few days the SonicWALL disconnects from the VPN, and
the only way to get it to reconnect is to log out the session
on the VPN concentrator. Also, the syslog output from the
concentrator says key exchange is failing, and the log for
the SonicWALL indicates that it is not getting a response
from the remote end. What can I do to prevent this from
happening?

Thanks,
Joe Carr
MCDBA, CCDA, CCNP, CCIE (written)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40116&t=40064



RE: Question on PIX [7:40146]

2002-04-02 Thread Lidiya White

You'll never be able to ping the outside IP address of the PIX from the
inside, but you should be able to ping the outside router.
I think the rest of the questions were already answered...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Avi
Sent: Tuesday, April 02, 2002 1:01 AM
To: [EMAIL PROTECTED]
Subject: Question on PIX [7:40146]

Hi,

I am facing a problem on a PIX 515 as described below.
Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:
----------

Host:
216.6.24.189

---R-----------PIX-----------R---
216.6.24.175   172.16.10.1/30   172.16.10.2/30   192.168.2.6/30   192.166.2.5/30


Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 100basetx
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.6 255.255.255.252
ip address inside 172.16.10.2 255.255.255.252
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
rip inside passive
rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.5 1


PROBLEM


Host 216.6.24.189 on the inside network can ping the internal interface of
the PIX but can't ping the outside interface of the PIX nor any host on the
outside network. Any host from the outside network can ping the outside
interface of the PIX, but can't ping the inside interface of the PIX or any
host on the inside network. Sitting on the PIX I am able to ping hosts on the
inside as well as outside networks. Static routes have been defined on both
the routers.

Can someone please help/guide me in solving this problem?

Thanks in advance.

Rgds,
Avtar.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40168&t=40146



RE: DNS and Pix ... very wierd problem [7:40387]

2002-04-03 Thread Lidiya White

First I would enable "logging buffer error" and check "sh log" from time
to time. The real help would be a sniffer here. If you could install a
sniffer on the outside and inside of the PIX and capture DNS packets,
that would be something that will probably give you an answer where the
problem is.

I had one issue the other day where the PIX was dropping SYN ACK packets, and
the only way we found the problem was using the sniffer (the SYN packet was
apparently bypassing the PIX, when everybody swore that it could not).

-- Lidiya White 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Justin C
Sent: Wednesday, April 03, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: DNS and Pix ... very wierd problem [7:40387]

Group,

The PIX 501 is running the default NAT/PAT configuration. Through it, I can
check email using Outlook to talk to an Exchange Server, telnet and SSH to
devices, and browse the web provided I type in the IP address of the web
server. All requests for URL translation by a DNS server fail. The IP
configuration (addresses, gateways, DNS servers) is correct. The PIX is
direct to the cloud with only one PC behind it.

Using debug packet, I have confirmed that requests for DNS translations go
out and come back to the PIX (on the outside interface), but they do not
seem to make it back to the host that originated the request. The code is
6.1(1), and I have contacted TAC. With SSH, TAC has inspected the box and
cannot see a problem with the configuration. Nor can they explain why this
is occurring. Before sending it back to Cisco for a replacement, I thought I
would ask here to see if anyone has run across this.

There are no access-lists or conduit statements, but Cisco (the PIX
literature) and Cisco Press (Cisco Secure PIX Firewalls) say that they are
unnecessary for this very simple setup.

My thanks in advance for your time and input.

Regards,

Justin





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40404&t=40387
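Added example for the reply above (not part of the thread): a Python routine that correlates DNS packets captured on the outside and the inside of the PIX, as the reply suggests, and reports for each query the last point at which it was seen. The capture records, the addresses (192.0.2.10 for the single PC, 203.0.113.1 for the PIX outside address, 198.51.100.53 for the resolver) and the function names are constructed for the illustration.

```python
# Added example, not part of the reply: correlating DNS packets captured on
# the outside and inside of the PIX, as the reply suggests, to see where the
# answer stops. The capture records, addresses and names are constructed.
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple


class Pkt(NamedTuple):
    iface: str       # "inside" or "outside" capture point
    src: str
    sport: int
    dst: str
    dport: int
    txid: int        # DNS transaction id, same in query and answer
    response: bool   # QR bit


# Constructed two-point capture. 192.0.2.10 is the single PC behind the PIX,
# 203.0.113.1 the PIX outside address, 198.51.100.53 the ISP resolver.
CAPTURE = [
    Pkt("inside",  "192.0.2.10",    51000, "198.51.100.53", 53,    0x1A2B, False),
    Pkt("outside", "203.0.113.1",   1025,  "198.51.100.53", 53,    0x1A2B, False),
    Pkt("outside", "198.51.100.53", 53,    "203.0.113.1",   1025,  0x1A2B, True),
    # no inside packet for 0x1A2B: the answer reached the outside interface only
    Pkt("inside",  "192.0.2.10",    51001, "198.51.100.53", 53,    0x3C4D, False),
    Pkt("outside", "203.0.113.1",   1026,  "198.51.100.53", 53,    0x3C4D, False),
    Pkt("outside", "198.51.100.53", 53,    "203.0.113.1",   1026,  0x3C4D, True),
    Pkt("inside",  "198.51.100.53", 53,    "192.0.2.10",    51001, 0x3C4D, True),
    Pkt("inside",  "192.0.2.10",    51002, "198.51.100.53", 53,    0x5E6F, False),
    # nothing on the outside for 0x5E6F: the query never left
]


def correlate(pkts: Iterable[Pkt]) -> Dict[int, str]:
    """Group packets by transaction id and report, per query, the last point
    at which it was seen. A PAT'd query keeps its txid, so the id is the
    join key across the two capture points even though ports change."""
    seen = defaultdict(set)
    for p in pkts:
        seen[p.txid].add((p.iface, p.response))
    verdict = {}
    for txid, points in seen.items():
        if ("inside", False) not in points:
            verdict[txid] = "answer without a query from inside (unsolicited or stale xlate)"
        elif ("outside", False) not in points:
            verdict[txid] = "query was not seen leaving the outside interface"
        elif ("outside", True) not in points:
            verdict[txid] = "no answer from the resolver"
        elif ("inside", True) not in points:
            verdict[txid] = "answer arrived on outside but was not delivered inside"
        else:
            verdict[txid] = "completed"
    return verdict


def report(pkts: Iterable[Pkt]) -> str:
    """One line per transaction, sorted by id, for reading next to 'sh log'."""
    return "\n".join(f"0x{t:04x}: {v}" for t, v in sorted(correlate(pkts).items()))


if __name__ == "__main__":
    print(report(CAPTURE))
```

The case the poster describes (replies seen on the outside interface, never on the inside) is the 0x1A2B pattern; comparing that verdict with the PIX log for the same time window is what narrows the fault to the firewall rather than the resolver or the client.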



RE: tftp [7:40403]

2002-04-04 Thread Lidiya White

Cisco TFTP server is still a freeware:
http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Dave W.
Sent: Thursday, April 04, 2002 12:38 AM
To: [EMAIL PROTECTED]
Subject: Re: tftp [7:40403]

Cisco's TFTP server is no longer freeware (I believe).

Try 3Com's! It's much more fault-proof and it's free! :p
http://support.3com.com/software/utilities_for_windows_32_bit.htm

hktco



>From: "Stanzin Takpa" 
>Reply-To: "Stanzin Takpa" 
>To: [EMAIL PROTECTED]
>Subject: tftp [7:40403]
>Date: Wed, 3 Apr 2002 17:51:47 -0500
>
>Can someone forward me the cisco tftp server software ?
>Thanks,
>
>
>Takpa




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40457&t=40403



RE: PIX Question !!! [7:40465]

2002-04-05 Thread Lidiya White

In problems like this you have to enable "debug icmp trace" to help you
resolve the issue, rather than guessing what you missed.

What is this statement supposed to do:
static (inside,outside) 192.168.2.13 216.6.24.129
 ip address inside 216.6.24.129 255.255.255.192
 route outside 0.0.0.0 0.0.0.0 192.168.2.13

You want the IP address of the inside interface to look like the outside
router???
I would use "clear static" and "clear xlate"...

You'll never be able to ping the 192.168.2.14 IP from the 216.6.24.130 host,
but you should be able to ping .13.

-- Lidiya White 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Avi
Sent: Thursday, April 04, 2002 11:01 AM
To: [EMAIL PROTECTED]
Subject: PIX Question !!! [7:40465]

Hi,

I am facing a problem on a PIX 515 as described below.
Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:
----------


  H - 216.6.24.130  255.255.255.192
  |
  | Public Accessed Servers (216.6.24.0 - Public addresses)
  |
  | - 216.6.24.129  255.255.255.192
 PIX
  | - 192.168.2.14 /30
  |
  |
  | - 192.168.2.13 /30
  R
  | - 192.168.2.6 /30
  |
  |
  | - 192.168.2.5 /30
  R   (ISP Router)
  |
  |
  | Proxy Server
  |   192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable traps
telnet 216.6.24.16 255.255.255.255
telnet timeout 15
terminal width 80

PROBLEM


My problem is from host 216.6.24.130 I can ping the inside interface of the
PIX, but I can't ping the outside interface of the PIX nor the internal
router. Also I am not able to ping the proxy server.
Sitting on the PIX I am able to ping inside as well as outside, even the
proxy server. Also outside hosts are able to reach the host 216.6.24.130.

Can someone please throw some light on this as to where I am going wrong or
am missing some command.

Your kind help will be appreciated a lot.

Thanks & Rgds,
Avi.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40522&t=40465
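Added example for this thread (not Cisco's code and not part of the reply): a Python checker that reads the interface, static and route lines from the poster's PIX 4.4 configuration and flags the statements the reply questions, namely a static whose local address is the PIX's own inside interface, a static whose global address is the next hop of the default route, a default route whose next hop is the PIX itself, and two default routes at once. The `POSTED` lines are taken from the configuration above; `CLEANED` is a constructed variant with the questioned lines removed and is not the poster's fixed configuration. Function names are assumptions.

```python
# Added example, not from the reply: a small checker over the PIX 4.4 config
# the poster pasted, flagging the static/route statements the reply questions.
# Function names are assumptions; CLEANED is a constructed variant.
from typing import Dict, List


def parse_pix(config: str) -> Dict[str, list]:
    """Pick out interface addresses, statics and routes from 'sh conf' text."""
    model = {"ip": {}, "static": [], "route": []}
    for raw in config.splitlines():
        t = raw.split()
        if t[:2] == ["ip", "address"] and len(t) >= 4:
            model["ip"][t[2]] = t[3]                         # ifname -> address
        elif t[:1] == ["static"] and len(t) >= 4:
            pair = t[1].strip("()").split(",")               # (inside,outside)
            if t[2] in ("tcp", "udp"):
                model["static"].append((pair, t[3], t[5]))   # port-redirect form
            else:
                model["static"].append((pair, t[2], t[3]))   # (ifs, global, local)
        elif t[:1] == ["route"] and len(t) >= 5:
            model["route"].append((t[1], t[2], t[3], t[4]))  # (if, net, mask, gw)
    return model


def lint_pix(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    m = parse_pix(config)
    own = {addr: name for name, addr in m["ip"].items()}   # address -> ifname
    findings = []
    for (pair, glob, local) in m["static"]:
        if local in own:
            findings.append(f"static: local address {local} is the PIX's own "
                            f"{own[local]} interface address, not a host behind it")
        if glob in own:
            findings.append(f"static: global address {glob} is the PIX's own "
                            f"{own[glob]} interface address")
        for (iface, net, mask, gw) in m["route"]:
            if glob == gw:
                findings.append(f"static: global address {glob} is also the next hop "
                                f"of the {iface} route {net} {mask}")
    defaults = [r for r in m["route"] if r[1] == "0.0.0.0" and r[2] == "0.0.0.0"]
    if len(defaults) > 1:
        findings.append("route: more than one default route "
                        f"({', '.join(r[0] for r in defaults)})")
    for (iface, net, mask, gw) in m["route"]:
        if gw in own:
            findings.append(f"route {iface}: next hop {gw} is the PIX's own "
                            f"{own[gw]} interface address")
    return findings


# Lines from the poster's configuration that the reply asks about.
POSTED = """\
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
"""

# Constructed variant with the questioned static and the second default
# route taken out; it should produce no findings.
CLEANED = """\
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
"""

if __name__ == "__main__":
    for finding in lint_pix(POSTED) or ["no findings"]:
        print(finding)
    print("cleaned:", lint_pix(CLEANED) or "no findings")
```

A checker like this belongs in the change process rather than in the troubleshooting session: run it over a proposed configuration before it is applied, so a static that remaps the firewall's own interface never reaches the box.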



RE: FIXUP PROTOCOL ON PIX 515 [7:40577]

2002-04-05 Thread Lidiya White

Each fixup is different. Let's say fixup protocol smtp 25 is the mail
guard that allows only the generic seven RFC 821 commands. Fixup protocol ftp
21 helps with active FTP, allowing the response back on port 20.
Fixup exists only for the few protocols/ports it was intended to work with,
so you can't just put a fixup protocol on any port you want.

I'll attach a document that describes all fixup protocols.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Joseph Rago
Sent: Friday, April 05, 2002 7:10 AM
To: [EMAIL PROTECTED]
Subject: RE: FIXUP PROTOCOL ON PIX 515 [7:40577]

Hi, can anyone tell me in non-technical terms what the fixup protocol is
used for on a PIX 515? Do I need to specify a fixup protocol number for all
applications used?
Right now I am able to Citrix into a server on my DMZ and I do not have a
fixup protocol statement defined for Citrix ports.

  Thanks, Joe Rago

[GroupStudy.com removed an attachment of type application/msword which had a
name of PIX Fixup Protocols.doc]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40653&t=40577



RE: FIXUP PROTOCOL ON PIX 515 [7:40577]

2002-04-05 Thread Lidiya White

My attachment (.doc file) didn't go through. It's an 8-page document. If
anybody is interested, please reply to me directly...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Lidiya White
Sent: Friday, April 05, 2002 7:25 PM
To: [EMAIL PROTECTED]
Subject: RE: FIXUP PROTOCOL ON PIX 515 [7:40577]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40671&t=40577



RE: Routing Question [7:40766]

2002-04-07 Thread Lidiya White

>> In Scenario 2, how many segments are there?
>> Is there anything wrong with routing router 1 to router 2 and not using a
>> common segment?

It just won't work, unless you use secondary IP addresses.

-- Lidiya White




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40772&t=40766




RE: Routing Question [7:40766]

2002-04-08 Thread Lidiya White

There may be another problem with Scenario 3:
How will R1 int0 talk to R2 int1 if they are on the same subnet? Are you
going to bridge IP traffic?

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, April 07, 2002 9:20 PM
To: [EMAIL PROTECTED]
Subject: RE: Routing Question [7:40766]

Thanks a lot Priscilla. This is what I was looking for.

I suppose my part 2 of the previous question would make more sense if I used
live IPs like Scenario 3.

Scenario 3
==========

---int0-(R1)-int1 ----- int0-(R2)-int1 ---

Router 1
Int 0: 192.168.1.1
Int 1: 200.100.2.1

Router 2
Int 0: 200.100.2.2
Int 1: 192.168.1.1

So basically every router in the world would need to create a subnet? I
suppose a company is on the same subnet as the ISP, then the ISP is on the
same subnet as their tier 1 ISP, then all the tier 1 ISPs are connected
between each AS using BGP. Is this right?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40830&t=40766
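Added example for the Scenario 3 exchange above (not part of the thread): a Python check over the posted router addressing that finds the two things the reply objects to, a subnet that appears on interfaces which do not share a link, and, in this scenario, the same address configured on both routers. The /24 masks, the link set (only R1 int1 to R2 int0 is drawn) and the function name are assumptions; the post gives no masks.

```python
# Added example, not from the thread: checks over Scenario 3 for interfaces
# that share a subnet without sharing a link (the reply's objection) and for
# duplicate addresses. Masks, the link set and names are assumptions.
import ipaddress
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Link = FrozenSet[Tuple[str, str]]

# Scenario 3 as posted, with /24 masks assumed since the post gives none.
ROUTERS: Dict[str, Dict[str, str]] = {
    "R1": {"int0": "192.168.1.1/24", "int1": "200.100.2.1/24"},
    "R2": {"int0": "200.100.2.2/24", "int1": "192.168.1.1/24"},
}
# The only wire in the drawing: R1 int1 <-> R2 int0.
LINKS: Set[Link] = {frozenset({("R1", "int1"), ("R2", "int0")})}


def check_addressing(routers: Dict[str, Dict[str, str]], links: Set[Link]) -> List[str]:
    """Compare every pair of interfaces: same address anywhere is an error;
    the same subnet on two routers is fine only if a link joins them; a link
    whose two ends sit on different subnets cannot carry routed traffic."""
    ifaces = [(r, i, ipaddress.ip_interface(a))
              for r, ints in routers.items() for i, a in ints.items()]
    problems = []
    for (r1, i1, a1), (r2, i2, a2) in combinations(ifaces, 2):
        same_link = frozenset({(r1, i1), (r2, i2)}) in links
        if a1.ip == a2.ip:
            problems.append(f"duplicate address {a1.ip} on {r1} {i1} and {r2} {i2}")
        if a1.network == a2.network and r1 != r2 and not same_link:
            problems.append(f"{r1} {i1} and {r2} {i2} share {a1.network} "
                            "but are not on a common link")
        if a1.network != a2.network and same_link:
            problems.append(f"{r1} {i1} and {r2} {i2} are linked "
                            "but on different subnets")
    return problems


if __name__ == "__main__":
    for p in check_addressing(ROUTERS, LINKS) or ["no problems"]:
        print(p)
```

Giving R2 int1 its own subnet (anything other than 192.168.1.0/24) makes both findings disappear, which is the reply's point: without bridging, two interfaces that are not on the same wire must not share a subnet.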



RE: PIX problem [7:40928]

2002-04-09 Thread Lidiya White

You'll never be able to ping an interface of the PIX that is not directly
connected to you (as in your case). Neither access-lists nor icmp commands
can enable that 'feature'.


-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
dk
Sent: Tuesday, April 09, 2002 10:14 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX problem [7:40928]

Thanks for the input, I have allowed the required icmp access...

To try and clarify...

I'm trying to ping the PIX interface E1 (IP address 10.222.62.1) through PIX
interface E0 (IP address 10.222.33.1) from my workstation (IP address
10.222.32.100). I can successfully ping the PIX E0 interface and any devices
on the 10.222.62.0 network going through the PIX E1 interface, but when I
try to ping the PIX E1 interface itself I get no response; no error is logged
and the conduit hit count is not incremented.

Is it a feature?






- Original Message -
From: "HORVATH TAMAS" 
To: 
Sent: Tuesday, April 09, 2002 4:04 PM
Subject: Re: PIX problem [7:40928]


> Hi!
>
> See http://www.cisco.com/warp/customer/110/31.html
>
>
> According to this document "Inbound ICMP through the PIX is denied by
> default; outbound ICMP is permitted, but the incoming reply is denied by
> default." So you can ping every PIX interface from the PIX and from the
> directly connected LAN, but can't ping through the pix.
>
> I think you should not ping through the PIX default, just from the PIX (from
> Telnet console).
>
> According to this document: "In PIX Software versions 4.1(6) until 5.2.1,
> ICMP traffic to the PIX's own interface is permitted; the PIX cannot be
> configured to not respond. Beginning in PIX Software version 5.2.1, ICMP is
> still permitted by default, but PIX ping responses from its own interfaces
> can be disabled with the icmp command (that is, a "stealth PIX")"
>
>
> By, HT




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40976&t=40928



RE: PIX upgrading? [7:41070]

2002-04-10 Thread Lidiya White

Starting with version 5.0, access-lists were introduced for the PIX
Firewall. All codes do support conduits.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
x
Sent: Wednesday, April 10, 2002 1:46 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX upgrading? [7:41070]

Thanks, Patrick.  I already have a des key.

I didn't know 5.3 supported acls and 6.x handles
conduits.  I did a PIX upgrade a long time ago and I
remember it being a snap, I think the same box from
4.4 to 5.3.

--- Patrick Ramsey 
wrote:
> we're not using frag guard but upgrading software is
> a snap...
> 
> with failover config it is a couple'a more steps but
> with a single firewall, there's nothing to it!
> 
> The registration for des and 3des is tied to the
> serial number so a software upgrade should use the
> same key.
> 
> watch wrap!
> 
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/upgrade.htm
> 
> 
> and if you are running 5.3, acl's are already
> used... (I think even 6.x still supports
> conduits..either way, you could use acl's on
> your current software.
> 
> -Patrick
> 
> >>>  04/10/02 02:44PM >>>
> I have some questions a few questions about
> upgrading
> my PIX.
> 
> 1.) My boss did some research on IDS systems and got
> very interested in fragmented packet protection.  I
> was looking at our PIX and found the command...
> 
> sysopt security fragguard
> 
> Has anyone used this? Are there any pitfalls like
> using the fixup commands?  What version does this
> come
> in?
> 
> 2.) I am running version 5.3(1).  I know I should
> upgrade to 6.1.  I have a PIX 520 with 128 MB RAM
> and
> 16 MB Flash.  What are the selling points I can tell
> management?
> 
> 3.) How smooth would it be to upgrade from 5.3 to
> 6.1?
> 
> 4.)  I have a vpn connection between our New York
> and
> London offices in a PIX to PIX vpn setup.  If I
> upgrade one PIX will I lose the vpn?
> 
> 5.) What version of the PIX switches to
> access-lists?
> 
> 
> 
> 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41096&t=41070



RE: PIX problem [7:40928]

2002-04-10 Thread Lidiya White

I didn't see a clear explanation regarding this icmp behavior on the PIX
on CCO. But I do know for sure that there is no workaround for this. I
guess you can just call it a "security feature" :-).

-- Lidiya White

-Original Message-
From: dk [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, April 10, 2002 2:17 AM
To: Lidiya White
Cc: [EMAIL PROTECTED]
Subject: Re: PIX problem [7:40928]

Could you explain why this is the case?

You can do it with a router !! :-)







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41099&t=40928



RE: PIX VPN Connection to Linksys Router [7:41821]

2002-04-18 Thread Lidiya White

It fails because PIX is trying to do config mode when Linksys connects
over VPN (trying to assign ip address and so on as it would for a VPN
client).

isakmp key  address 0.0.0.0 netmask 0.0.0.0

I believe the above statement is used for the Linksys only. If so, then
add "no-xauth" at the end:

isakmp key  address 0.0.0.0 netmask 0.0.0.0 no-xauth

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/ipsec/commands.htm#xtocid185911

Clear the tunnel and it should work like a charm :-).

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Craig Columbus
Sent: Thursday, April 18, 2002 8:39 AM
To: [EMAIL PROTECTED]
Subject: PIX VPN Connection to Linksys Router [7:41821]

Here's the deal:
I've got a PIX that serves as a security gateway for a Cisco VPN Client
3.1. Settings are basically DES/MD5/ESP with pre-shared key. Part of the
VPN3.1 client requires vpngroup name, as defined in the configuration on
the PIX.
I just bought one of the Linksys BEFVP41 VPN routers to test connectivity
to the PIX. The Linksys doesn't understand vpngroup associations, so I
need to configure the PIX to also allow the connection based solely on
pre-shared key.
I think I've got it configured properly, and VPN Client-to-PIX connections
work fine, but negotiations break down at phase 2 when connecting with the
Linksys. It's probably something simple that I'm missing because I've been
staring at it too long. Anyone have any ideas?

PIX relevant config (sanitized):

access-list bypassingnat permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
ip local pool mypool 192.168.100.1-192.168.100.254
nat (inside) 0 access-list bypassingnat
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map users 11 set transform-set strong
crypto map remote 11 ipsec-isakmp dynamic users
crypto map remote client configuration address initiate
crypto map remote client configuration address respond
crypto map remote interface outside
isakmp enable outside
isakmp key  address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local mypool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool mypool
vpngroup vpn3000 dns-server 10.x.x.x
vpngroup vpn3000 default-domain 
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password 

Debug from PIX (sanitized; y.y.69.129 is the Linksys, x.x.67.2 is the
public interface of the PIX):

crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:  encryption DES-CBC
ISAKMP:  hash SHA
ISAKMP:  auth pre-share
ISAKMP:  default group 1
ISAKMP:  life type in seconds
ISAKMP:  life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:  encryption DES-CBC
ISAKMP:  hash MD5
ISAKMP:  auth pre-share
ISAKMP:  default group 1
ISAKMP:  life type in seconds
ISAKMP:  life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type 
ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
 next-payload : 8
 type : 1
 protocol : 17
 port : 500
 length   : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to y.y.69.129. ID = 3267015605 (0xc2bab3b5)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2

Finally it just times out trying to retransmit phase 2.

Thanks in advance!

Craig





RE: Alternatives to Cisco VPN client [7:42604]

2002-04-26 Thread Lidiya White

If you want your VPN client to have Internet connectivity while the VPN
tunnel is up, the solution is the split tunnel configuration.
PIX will push an access-list to a client, so only traffic between your
private networks will flow through the tunnel, but the rest will go out
to the Internet unencrypted.
I work with Microsoft, Cisco VPN and IRE clients, and I don't really
know what security holes people were talking about. No matter what, when
a computer has a connection to the Internet, it's already a "security
hole" right there. I don't see how adding IPSec on the client will make
it less secure. As far as decreased security for the LAN behind the PIX,
again, I don't see a major hole there.
As far as the Microsoft client goes, it doesn't have as strong encryption
as the Cisco client does.

Example: 
http://www.cisco.com/warp/public/110/pix3000.html
(search for "split").


-- Lidiya White



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Mark Odette II
Sent: Friday, April 26, 2002 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]

what's the security risk?

(putting on learning cap now... :)  )

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Louie Belt
Sent: Thursday, April 25, 2002 8:12 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]


You are creating a security risk for the other end of the tunnel when you
are using split-tunneling from your client.

louieb



-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 6:49 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]


Thanks for the responses.

I'm aware of split tunneling with a concentrator. That's not what I want.
I'm looking for something that lets me connect to any IPSEC compliant
endpoint, whether it's a PIX, a router, or a Linux box. In other words,
the client shouldn't care what it's connecting to. It should only care
whether the traffic has a destination within the remote network or not. If
so, send through tunnel, if not, send to Internet.

Hope this helps clarify.

Thanks!
Craig

At 07:39 PM 4/25/2002 -0400, you wrote:
>You can definitely do this using the Cisco VPN client. This is a policy push
>from the concentrator. If you would like split-tunneling you need to enable
>that on the concentrator to allow the clients to do that.
>
>http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel3_5_1/admin_gd/vca.pdf
>
>Tim
>CCIE 9015
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Craig Columbus
>Sent: Thursday, April 25, 2002 6:25 PM
>To: [EMAIL PROTECTED]
>Subject: Alternatives to Cisco VPN client [7:42604]
>
>
>Let me preface this by saying that all of my VPN experience has been either
>peer-peer or client to peer with the Cisco VPN client 1.x or 3.x. Please
>ignore my ignorance if I've missed something obvious.
>
>I've got a major complaint with the Cisco VPN client. It's not smart
>enough to differentiate local traffic/Internet traffic from VPN
>traffic. Therefore, you can't browse the Internet and your VPN network at
>the same time.
>I'm looking for alternative software clients that are smart enough to say
>"Ok. Any traffic destined for 10.x.x.x (or whatever you define VPN traffic
>to be) goes to the tunnel. If the traffic has any destination other than
>10.x.x.x, it's treated as if the tunnel weren't even present." This would
>allow my client machine to easily browse the Internet and the VPN remote
>network at the same time.
>I've done some preliminary searches for third-party clients, but don't want
>to waste time trying 50 clients that may not be any good. I've found some
>for Mac OS X that'll do what I want, but I haven't found one for Win
>9x/ME/NT/2K/XP.
>There's got to be a decent client that does this.
>Sorry for rambling :-) It's been a long day.
>
>As usual, thanks in advance to everyone.
>
>Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42694&t=42604



RE: PIX 501 and interface secondary IP [7:43986]

2002-05-13 Thread Lidiya White

ip address outside 4.1.1.1 255.255.255.252
nat (inside) 1 0 0
global (outside) interface
static (inside,outside) tcp 4.1.1.1 25 10.1.1.1 25 netmask 255.255.255.255
static (inside,outside) tcp 4.1.1.1 80 10.1.1.2 80 netmask 255.255.255.255


You can't have a secondary ip address on the PIX.
Using the example above, you have only one public ip address assigned to the
outside interface and do PAT and static NAT for your servers...


-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Andy Barkl
Sent: Sunday, May 12, 2002 7:47 PM
To: [EMAIL PROTECTED]
Subject: PIX 501 and interface secondary IP [7:43986]

I am trying to configure my new PIX 501 with a static IP address for
translation to inside email and web servers. When I use the one static
address assigned by the ISP, I can no longer use the PAT for outbound
access. 

How can I configure the PIX to support inbound translation as well as
outbound translation using one external static IP? Is there a method to
assign a secondary address (static) on the external interface and then
set the interface for DHCP as well?

Your help is greatly appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44028&t=43986



RE: PIX 515E routing issue [7:44746]

2002-05-22 Thread Lidiya White

Check the default gateway of your PC.
Enable "debug icmp trace" on the PIX to troubleshoot...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Jablonski, Michael
Sent: Wednesday, May 22, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: PIX 515E routing issue [7:44746]

Just recently installed a PIX 515E. I can ping from the PIX to an outside
address (and inside box to ethernet on PIX); but trying to ping through the
PIX comes back as unreachable. Basic layout as follows:

Netopia DSL Router  --  PIX 515E--  LAN


I'm using the default allow rule, along with the following access list...
everything else is pretty much default for now. (just want to try and get
connectivity)

access-list 100 permit icmp any any echo-reply 
access-list 100 permit icmp any any time-exceeded 
access-list 100 permit icmp any any unreachable 
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.6 255.255.255.252
ip address inside 192.168.200.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.5 1
timeout xlate 0:05:00
no sysopt route dnat

I've tried running RIP on it; didn't solve the problem. Seems like the PIX
doesn't understand the default route. I've cleared the arp table, still no
luck.
Any help is GREATLY appreciated
thanx

~~~
Michael Jablonski
ABN AMRO Asset Management Holdings, Inc.
161 North Clark St.
9th Flr
Chicago, IL  60601-2468
PH: 312.884.2996 
FAX: 312.278.5550
~~~







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44756&t=44746



RE: Cisco VPN client software [7:45021]

2002-05-29 Thread Lidiya White

VPN 1.1 client - yes (it's ire client).
VPN Unity client (3.x) - no. It's using xauth.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
fahim
Sent: Monday, May 27, 2002 8:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client software [7:45021]

I dont think so,
Cisco VPN Client can be used only with Cisco devices.

fahim
"Santhanam, Thiyagarajan (Cognizant)" wrote in message news:[EMAIL PROTECTED]...
> Hi All,
>
> Can I use Cisco VPN client software to connect to NetScreen VPN server...?
>
> Thanks
> Thiyagu




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45389&t=45021



RE: PIX passing IPSEC traffic? [7:45197]

2002-05-29 Thread Lidiya White

In most cases, no - that is not possible.
But if you are terminating the IPSec tunnel at a device that supports NAT
transparency, then yes, you'll be able to pass IPSec through PAT.

The issue here is that IPSec uses the ESP protocol, which doesn't have ports.
So how can you use PAT (port address translation) for a protocol that
doesn't have ports?
Let's say Cisco VPN Concentrators have a feature like IPSec over UDP or
TCP. What it does is encapsulate ESP in UDP or TCP.

So the answer to your question depends on whether your VPN client and VPN
device support IPSec over TCP or UDP.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Edward Sohn
Sent: Monday, May 27, 2002 9:56 PM
To: [EMAIL PROTECTED]
Subject: PIX passing IPSEC traffic? [7:45197]

Hello, all...

I have a PIX501 set up for PAT on one ip address through my cable modem.

I have a client on my internal network that needs to connect to a
corporate extranet via IPSEC, using its own client software (Nortel).
In other words, there are no network-to-network or cisco-to-cisco IPSEC
connections. The PIX simply passes the traffic.

The problem is that I cannot get the client to connect through the PIX.
I believe it's because the client needs its own statically translated
address on the PIX (because when I use my only ip address, I can make it
connect).  However, the challenge here is to make it so that I can make
this VPN client work through the PIX while still using PAT.  This way,
it doesn't hose all my other computers on the inside.

Is this possible?  I was thinking of a port address mapping statement,
but I wouldn't know which ports to use.  Anyone have any experience with
this?

Thanks,

Eddie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45391&t=45197



RE: PIX 506 port translation with DHCP [7:45945]

2002-06-06 Thread Lidiya White

>>> Having read the section in the book a pix by default should allow
>>> internal users to ping out but not the other way around, is there a
>>> fix for this also?

That is not true.

Handling ICMP Pings with the PIX Firewall
http://www.cisco.com/warp/public/110/31.html

Use "conduit permit icmp any any echo-reply".

Before you try to FTP, try to telnet on port 21. What is the default
gateway of the FTP server? Enable "logging buffer info" and check "sh
log" for the build or teardown messages for the FTP server's ip
address..

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Parmjit
Sent: Thursday, June 06, 2002 12:34 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX 506 port translation with DHCP [7:45945]

hi,
Thanks I tried "static (inside,outside) tcp interface ftp armada ftp
netmask 255.255.255.255 10 0" where armada is the name of the internal ftp
server, I also used a conduit permit ip any any and I still can't ftp to it.
I should also mention there is another problem unless I use a conduit permit
icmp any any I cannot ping out, if I prefix this with a "no" so I can't
ping, people on the net can still ping my pix, there is nothing in the
config in the way of access lists etc. Having read the section in the book a
pix by default should allow internal users to ping out but not the other way
around, is there a fix for this also?

thanks

"brian charles" wrote in message news:[EMAIL PROTECTED]...
> If you have version 6.0 or greater you can do port redirection with the
> static command. Create an acl to allow the traffic
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/s.htm#xtocid20
>
> static
> Maps a local IP address to a global IP address (NAT) and supports TCP and
> UDP port redirection (static PAT). (Configuration mode.)
>
> [no] static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip |
> interface} global_port local_ip local_port [netmask mask] [max_conns
> [em_limit]] [norandomseq]
>
> show static



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45999&t=45945
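To make the "check sh log for the build or teardown messages" advice in the reply above concrete, here is an added example of mine (not code from the thread or from Cisco) that parses PIX-style Built/Teardown TCP connection messages out of a captured `show logging` buffer and reports what happened to every connection involving the FTP server. The log lines, addresses and message layout are constructed in the %PIX-6-302001 / %PIX-6-302002 style (faddr = foreign, gaddr = global/translated, laddr = local inside address); check the regexes against your own firewall's output before relying on them.

```python
"""Parse PIX 'Built'/'Teardown' TCP connection messages from a 'show logging'
buffer and explain what happened to each connection involving one host.
Added example; SAMPLE_LOG is constructed, not output from a real firewall."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed 'show logging' excerpt: an outside host (203.0.113.7) tries the FTP
# static PAT on the public address 198.51.100.5, which maps to the inside server
# 192.168.1.20; one unrelated outbound web connection (id 11) is mixed in.
SAMPLE_LOG = """\
%PIX-6-302001: Built inbound TCP connection 10 for faddr 203.0.113.7/33012 gaddr 198.51.100.5/21 laddr 192.168.1.20/21
%PIX-6-302002: Teardown TCP connection 10 faddr 203.0.113.7/33012 gaddr 198.51.100.5/21 laddr 192.168.1.20/21 duration 0:00:00 bytes 0 (TCP Reset-I)
%PIX-6-302001: Built outbound TCP connection 11 for faddr 198.51.100.9/80 gaddr 198.51.100.5/1026 laddr 192.168.1.50/1026
%PIX-6-302001: Built inbound TCP connection 12 for faddr 203.0.113.7/33020 gaddr 198.51.100.5/21 laddr 192.168.1.20/21
%PIX-6-302002: Teardown TCP connection 12 faddr 203.0.113.7/33020 gaddr 198.51.100.5/21 laddr 192.168.1.20/21 duration 0:00:30 bytes 0 (SYN Timeout)
%PIX-6-302001: Built inbound TCP connection 13 for faddr 203.0.113.7/33031 gaddr 198.51.100.5/21 laddr 192.168.1.20/21
%PIX-6-302002: Teardown TCP connection 13 faddr 203.0.113.7/33031 gaddr 198.51.100.5/21 laddr 192.168.1.20/21 duration 0:01:12 bytes 4812 (TCP FINs)
"""

BUILT_RE = re.compile(
    r"%PIX-6-302001: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)")
TEARDOWN_RE = re.compile(
    r"%PIX-6-302002: Teardown TCP connection (?P<id>\d+) .* "
    r"bytes (?P<bytes>\d+) \((?P<reason>[^)]+)\)")


@dataclass
class Conn:
    conn_id: int
    direction: str            # "inbound" or "outbound" as logged in the Built message
    faddr: str                # foreign (outside) address
    fport: int
    gaddr: str                # global (translated) address
    gport: int
    laddr: str                # local (inside) address
    lport: int
    reason: Optional[str] = None   # teardown reason; None while the connection is still open
    nbytes: int = 0


def parse_log(text: str) -> Dict[int, Conn]:
    """Pair every Built message with its Teardown by connection id."""
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            cid = int(m.group("id"))
            conns[cid] = Conn(cid, m.group("dir"), m.group("faddr"), int(m.group("fport")),
                              m.group("gaddr"), int(m.group("gport")),
                              m.group("laddr"), int(m.group("lport")))
            continue
        m = TEARDOWN_RE.search(line)
        if m and int(m.group("id")) in conns:
            c = conns[int(m.group("id"))]
            c.reason = m.group("reason")
            c.nbytes = int(m.group("bytes"))
    return conns


def connections_for_host(text: str, host: str) -> List[Conn]:
    """Connections whose inside (laddr) or translated (gaddr) address is host."""
    return [c for c in parse_log(text).values() if host in (c.laddr, c.gaddr)]


def explain(c: Conn) -> str:
    """Turn the teardown reason into the troubleshooting conclusion it supports."""
    if c.reason is None:
        return "open"
    if c.reason == "SYN Timeout":
        # The SYN was translated and forwarded, but the SYN-ACK never came back
        # through the PIX: the classic symptom of a wrong default gateway on the server.
        return "no answer from inside host: handshake never completed (check the server's default gateway)"
    if c.reason == "TCP Reset-I":
        # Reset came from the inside: the path works, but nothing accepted the port.
        return "reset by inside host (nothing listening on that port)"
    if c.reason == "TCP FINs":
        return "completed normally"
    return "closed: " + c.reason


def report(text: str, host: str) -> List[str]:
    return [f"conn {c.conn_id} {c.direction} {c.faddr}:{c.fport} -> {c.laddr}:{c.lport}: {explain(c)}"
            for c in connections_for_host(text, host)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, "192.168.1.20"):
        print(line)
```

The interesting case is the one with no Built message at all for port 21: then the PIX never translated the SYN, so the static/conduit lines (or a deny message in the same log) are the place to look, not the server.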



RE: PIX 515 FO license [7:46075]

2002-06-08 Thread Lidiya White

It'll reboot I believe every 24 hours.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Sam Wong
Sent: Friday, June 07, 2002 11:57 PM
To: [EMAIL PROTECTED]
Subject: PIX 515 FO license [7:46075]

I've seen some PIX 515s on eBay lately that are PIX-515-FO (failover
option).  Can anyone tell me what would happen if you tried running it
as a primary firewall and not a secondary?  I don't recommend this, but
one of my clients is asking about this and I've never tried to do it
myself.

Thanks,

Sam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46126&t=46075



RE: PIX Firewall [7:46423]

2002-06-13 Thread Lidiya White

You can even use "clear xlate local x.x.x.x", where x.x.x.x is the
private ip address of the host on the inside.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
fahim
Sent: Thursday, June 13, 2002 3:35 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX Firewall [7:46423]

Hi Tim
use "clear xlate" command.

fahim
"Tim Champion" wrote in message news:[EMAIL PROTECTED]...
> Does anyone know of a way to clear or tear-down individual connections on a
> PIX Firewall? By using the "show conn" command I can see the connections I
> want to clear but don't know how to.
>
> Thanks in advance.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46541&t=46423



RE: PIX 6.2 [7:46454]

2002-06-13 Thread Lidiya White

By the way, PDM 2.0.1 is deferred now. Wait for 2.0.2...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Roberts, Larry
Sent: Thursday, June 13, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX 6.2 [7:46454]

No, but 6.2(1) is :)

PDM 2.0 is also available. Have both in my lab and they seem pretty
stable
so far.

Thanks

Larry 

-Original Message-
From: Clayton Dukes [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 13, 2002 9:12 AM
To: [EMAIL PROTECTED]
Subject: PIX 6.2 [7:46454]


Howdy,
Does anyone know if the PIX 6.2 software is available yet?


Clayton Dukes
Cisco Info Center SE
CCNA, CCDA, CCDP, CCNP, NCC




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46543&t=46454



RE: 1720 with Wic-1enet problems. [7:46479]

2002-06-13 Thread Lidiya White

Try 12.2.8T. Main code line doesn't support WIC-1ENET:
http://www.cisco.com/cgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
JohnZ
Sent: Thursday, June 13, 2002 12:57 PM
To: [EMAIL PROTECTED]
Subject: 1720 with Wic-1enet problems. [7:46479]

Is Wic-1enet only supported in the 122-2.XJ releases? I tried using later
releases like 122-6f and 122-10a but none of them recognize this WIC. I am
worried if it will be supported in any future releases. Does anyone else
have the same experience?
Thanks,
JZ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46545&t=46479



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

IP Security Through Network Address Translation Support
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/827/827rlnts/820feat.htm

I think Linksys just has an option for a checkmark on "IPSec through
NAT".  

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Alex Lee
Sent: Wednesday, June 26, 2002 8:20 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

So how does the Linksys or cisco 800 handle the IPSec thru PAT then?
Thanks.

 Alex Lee

""Lidiya White""  wrote in message
news:[EMAIL PROTECTED]...
> PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
> It all depends on the device that is between your client and PIX, that
> is doing PAT.
> IPSec uses ESP protocol, that doesn't have ports, so how can you perform
> PAT (port address translation) for a protocol that doesn't understand
> port concept?
> Some routers can pass IPSec through the PAT (like Linksys, Cisco 800).
> So if the router/device that is doing PAT is IPSec aware, then you
> should be able to pass IPSec through. If not, then you have to make sure
> that one-to-one address translation happens for your VPN clients, not
> one-to-many (PAT)...
> Hope this helps...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47529&t=47430



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

VPN traffic can pass through PAT if the device that does PAT is IPSec
aware. Remember, that device will only see the encrypted/encapsulated
traffic, so the IP header will have src: your client's public IP; dst: the
PIX's outside interface. It doesn't matter what your pool is configured
for...
It's not just theory. From my own experience, I had 3 VPN clients behind a
Cisco 806 that was configured for PAT, simultaneously connecting to the
same PIX via VPN and passing traffic.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, June 26, 2002 10:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Lidiya,

On the PIX, when you configure IPsec you configure a pool of addresses that
your IPsec clients will use on your own network. For instance, your inside
network will have the IP addressing scheme of 192.168.0.0 with a class C
subnet mask. You set the pool to give out the 10.0.0.0 subnet with a class C
subnet mask. Therefore, when your clients behind your firewall try to talk
to the 10.0.0.0 network they will hit the firewall and be passed to the
translation from the pool. You cannot have any devices in the middle which
PAT (i.e. a router which PATs the IP address of your PIX if your PIX is
establishing the tunnel). It must be a one-to-one translation from one end
of the tunnel to the other. Everyone feel free to correct me if I'm wrong,
which I'm sure will be the case.

Jason

-Original Message-
From: Alex Lee [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 26, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

So how do the Linksys or Cisco 800 handle IPSec through PAT, then?
Thanks.

 Alex Lee

""Lidiya White""  wrote in message
news:[EMAIL PROTECTED]...
> PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
> It all depends on the device that is between your client and PIX, that
> is doing PAT.
> IPSec uses the ESP protocol, which doesn't have ports, so how can you
> perform PAT (port address translation) for a protocol that doesn't
> understand the port concept?
> Some routers can pass IPSec through PAT (like Linksys, Cisco 800).
> So if the router/device that is doing PAT is IPSec aware, then you
> should be able to pass IPSec through. If not, then you have to make sure
> that one-to-one address translation happens for your VPN clients, not
> one-to-many (PAT)...
> Hope this helps...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47530&t=47430



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

See inlines

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Paul
Sent: Wednesday, June 26, 2002 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

>> Cool, so the PIX will not support VPN's over PAT !!!

If you are talking about passing IPSec through the PIX (not the PIX
terminating the VPN tunnel) then you are correct. The PIX has to have a
pool of IP addresses for one-to-one NAT for your VPN clients.

If you are talking about the PIX terminating the VPN, then the PIX won't
even know the difference if the packet went through a PAT/NAT device.

>> So if I had my Main Office PIX, and a VPN Concentrator . could I
>> succesfully connect from a remote office via a cable/adsl modem that does
>> PAT using the Cisco VPN software client ???

Is your cable modem IPSec aware (supports IPSec through PAT)?

If yes, then you can terminate VPN tunnels on the VPN Concentrator or
the PIX.

If not, then you can use the VPN Concentrator with the "IPSec over TCP"
option. The PIX doesn't support IPSec over TCP for now. The PIX only
listens on UDP port 500.

-- Lidiya White

>> If so ... and if I had say ... 30 - 40 remote offices, potentially
>> connecting simultaneously  would a VPN 3000 be overkill ??? or would
>> I be better getting a VAC for the PIX (would the PIX VAC support VPN's
>> over PAT), or are there other VPN concentrators that would do the job

Regards ...

Paul ...

- Original Message -
From: "Robertson, Douglas"
To:
Sent: Wednesday, June 26, 2002 6:15 PM
Subject: RE: Cisco VPN client and NAT [7:47430]

> In most cases the PIX does not support VPN's over PAT; you need a static
> NAT to establish a VPN tunnel.
> Protocol 50 (Encapsulating Security Payload [ESP]) handles the
> encrypted/encapsulated packets of IPSec. PAT devices don't work with ESP
> since they have been programmed to work only with Transmission Control
> Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message
> Protocol (ICMP). In addition, PAT devices are unable to map multiple
> security parameter indexes (SPIs). An alternative is implemented in some
> devices like the VPN 3000 Concentrator by encapsulating ESP within UDP and
> sending it to a negotiated port.
>
> Doug
>
> -Original Message-
> From: ""[EMAIL PROTECTED] [mailto:""[EMAIL PROTECTED]]
> Sent: Wednesday, June 26, 2002 11:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco VPN client and NAT [7:47430]
>
> Lidiya,
>
> On the PIX, when you configure IPsec you configure a pool of addresses that
> your IPsec clients will use on your own network. For instance, your inside
> network will have the IP addressing scheme of 192.168.0.0 with a class C
> subnet mask. You set the pool to give out the 10.0.0.0 subnet with a class C
> subnet mask. Therefore, when your clients behind your firewall try to talk
> to the 10.0.0.0 network they will hit the firewall and be passed to the
> translation from the pool. You cannot have any devices in the middle which
> PAT (i.e. a router which PATs the IP address of your PIX if your PIX is
> establishing the tunnel). It must be a one-to-one translation from one end
> of the tunnel to the other. Everyone feel free to correct me if I'm wrong,
> which I'm sure will be the case.
>
> Jason
>
> -Original Message-
> From: Alex Lee [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 26, 2002 3:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco VPN client and NAT [7:47430]
>
> So how do the Linksys or Cisco 800 handle IPSec through PAT, then?
> Thanks.
>
>  Alex Lee
>
> ""Lidiya White""  wrote in message
> news:[EMAIL PROTECTED]...
> > PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
> > It all depends on the device that is between your client and PIX, that
> > is doing PAT.
> > IPSec uses the ESP protocol, which doesn't have ports, so how can you
> > perform PAT (port address translation) for a protocol that doesn't
> > understand the port concept?
> > Some routers can pass IPSec through PAT (like Linksys, Cisco 800).
> > So if the router/device that is doing PAT is IPSec aware, then you
> > should be able to pass IPSec through. If not, then you have to make sure
> > that one-to-one address translation happens for your VPN clients, not
> > one-to-many (PAT)...
> > Hope this helps...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47531&t=47430
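The point Doug and Lidiya make in this thread (ESP carries no ports, so a PAT device keyed on ports cannot tell two inside clients apart; an "IPSec-aware" box has to track SPIs instead; wrapping ESP in UDP gives plain PAT a port to work with) as a runnable model. This is an added example, not Cisco code and not anything posted in the thread: the `Packet` shape, both PAT classes, the SPI-pairing heuristic in `SpiAwarePAT` and every address are constructed for the demonstration, and the UDP-encapsulated case uses port 4500 as standard NAT-T does.

```python
"""Why PAT handles IKE but not bare ESP, and what SPI tracking or UDP
encapsulation changes.  Added model for the thread above, not Cisco code;
packet shape, both PAT classes, the pairing heuristic and all addresses
are constructed for the demonstration."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple

PUBLIC = "203.0.113.10"   # PAT device's outside address (constructed)
PEER = "198.51.100.1"     # VPN headend, e.g. a PIX outside interface (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "esp"
    src: str
    dst: str
    sport: int = 0        # udp only
    dport: int = 0        # udp only
    spi: int = 0          # esp only: security parameter index


class PlainPAT:
    """Keys every translation on (protocol, address, port): the classic box."""

    def __init__(self) -> None:
        self.next_port = 40000
        self.by_public: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.by_inside: Dict[Tuple[str, str, int], int] = {}
        self.esp_owner: Dict[str, str] = {}   # peer -> last inside host seen

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "esp":
            # No port to key on: all it can remember is "someone behind me
            # talks ESP to this peer", and a second client overwrites that.
            self.esp_owner[pkt.dst] = pkt.src
            return replace(pkt, src=PUBLIC)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_public[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=PUBLIC, sport=self.by_inside[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == "esp":
            owner = self.esp_owner.get(pkt.src)
            return replace(pkt, dst=owner) if owner else None
        entry = self.by_public.get((pkt.proto, pkt.dport))
        return replace(pkt, dst=entry[0], dport=entry[1]) if entry else None


class SpiAwarePAT(PlainPAT):
    """Learns ESP SPIs instead of ports: a simplified "IPSec passthrough"."""

    def __init__(self) -> None:
        super().__init__()
        self.seen_out: Set[Tuple[str, str, int]] = set()   # (inside, peer, spi)
        self.waiting: Dict[str, List[str]] = {}           # peer -> inside hosts
        self.reply_spi: Dict[Tuple[str, int], str] = {}   # (peer, spi) -> inside

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto != "esp":
            return super().outbound(pkt)
        key = (pkt.src, pkt.dst, pkt.spi)
        if key not in self.seen_out:          # first packet of a new outbound SA
            self.seen_out.add(key)
            self.waiting.setdefault(pkt.dst, []).append(pkt.src)
        return replace(pkt, src=PUBLIC)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto != "esp":
            return super().inbound(pkt)
        key = (pkt.src, pkt.spi)
        if key not in self.reply_spi:
            queue = self.waiting.get(pkt.src, [])
            if not queue:
                return None
            # Heuristic (constructed): the first unseen reply SPI from a peer
            # belongs to the oldest client still waiting on that peer.
            self.reply_spi[key] = queue.pop(0)
        return replace(pkt, dst=self.reply_spi[key])


def run_scenarios() -> Dict[str, object]:
    a, b = "192.168.1.10", "192.168.1.11"        # two VPN clients behind PAT
    out: Dict[str, object] = {}

    pat = PlainPAT()                              # 1. IKE on UDP 500: ports exist
    ike_a = pat.outbound(Packet("udp", a, PEER, 500, 500))
    ike_b = pat.outbound(Packet("udp", b, PEER, 500, 500))
    back = pat.inbound(Packet("udp", PEER, PUBLIC, 500, ike_a.sport))
    out["ike_plain"] = (back.dst, ike_a.sport != ike_b.sport)

    pat = PlainPAT()                              # 2. bare ESP, two clients
    pat.outbound(Packet("esp", a, PEER, spi=0x1111))
    pat.outbound(Packet("esp", b, PEER, spi=0x2222))
    back = pat.inbound(Packet("esp", PEER, PUBLIC, spi=0xAAAA))   # meant for a
    out["esp_plain"] = back.dst if back else None

    pat = SpiAwarePAT()                           # 3. bare ESP, SPI tracking
    pat.outbound(Packet("esp", a, PEER, spi=0x1111))
    r1 = pat.inbound(Packet("esp", PEER, PUBLIC, spi=0xAAAA))
    pat.outbound(Packet("esp", b, PEER, spi=0x2222))
    r2 = pat.inbound(Packet("esp", PEER, PUBLIC, spi=0xBBBB))
    r3 = pat.inbound(Packet("esp", PEER, PUBLIC, spi=0xAAAA))
    out["esp_spi_aware"] = (r1.dst, r2.dst, r3.dst)

    pat = PlainPAT()                              # 4. ESP inside UDP 4500 (NAT-T)
    ua = pat.outbound(Packet("udp", a, PEER, 4500, 4500))
    ub = pat.outbound(Packet("udp", b, PEER, 4500, 4500))
    out["esp_in_udp"] = (pat.inbound(Packet("udp", PEER, PUBLIC, 4500, ua.sport)).dst,
                         pat.inbound(Packet("udp", PEER, PUBLIC, 4500, ub.sport)).dst)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15s} {result}")
```

Scenario 2 is the classic failure: with two clients behind one public address, the peer's return ESP for client A lands on client B, because the last outbound ESP overwrote the only state a port-keyed box could keep. Scenario 3 works, but the pairing step is the weak spot of any passthrough: two clients negotiating at the same instant can be crossed, which is why encapsulating ESP in UDP (scenario 4) is the robust answer and why later PIX releases added it.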



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

I bet you were using IPSec over TCP. Then it really doesn't matter what
is in the 'middle'. Your Cisco 1605 will see only TCP traffic, not ESP.
The Cisco 1600 is not IPSec aware (and doesn't have to be in your setup).

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
supernet
Sent: Wednesday, June 26, 2002 11:31 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Lidiya,

I didn't try the PIX, but I tried a 1605: Main office
3030---Internet---1605---VPN clients. It worked fine. The 1605 was
configured for PAT inside. Does this mean the 1605 is IPSec aware? If the
1605 is IPSec aware, why isn't the PIX?

Thanks.
Yoshi

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Lidiya White
Sent: Wednesday, June 26, 2002 7:56 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

See inlines

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Paul
Sent: Wednesday, June 26, 2002 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

>> Cool, so the PIX will not support VPN's over PAT !!!

If you are talking about passing IPSec through the PIX (not the PIX
terminating the VPN tunnel) then you are correct. The PIX has to have a
pool of IP addresses for one-to-one NAT for your VPN clients.

If you are talking about the PIX terminating the VPN, then the PIX won't
even know the difference if the packet went through a PAT/NAT device.

>> So if I had my Main Office PIX, and a VPN Concentrator . could I
>> succesfully connect from a remote office via a cable/adsl modem that does
>> PAT using the Cisco VPN software client ???

Is your cable modem IPSec aware (supports IPSec through PAT)?

If yes, then you can terminate VPN tunnels on the VPN Concentrator or
the PIX.

If not, then you can use the VPN Concentrator with the "IPSec over TCP"
option. The PIX doesn't support IPSec over TCP for now. The PIX only
listens on UDP port 500.

-- Lidiya White

>> If so ... and if I had say ... 30 - 40 remote offices, potentially
>> connecting simultaneously  would a VPN 3000 be overkill ??? or would
>> I be better getting a VAC for the PIX (would the PIX VAC support VPN's
>> over PAT), or are there other VPN concentrators that would do the job

Regards ...

Paul ...

- Original Message -
From: "Robertson, Douglas"
To:
Sent: Wednesday, June 26, 2002 6:15 PM
Subject: RE: Cisco VPN client and NAT [7:47430]

> In most cases the PIX does not support VPN's over PAT; you need a static
> NAT to establish a VPN tunnel.
> Protocol 50 (Encapsulating Security Payload [ESP]) handles the
> encrypted/encapsulated packets of IPSec. PAT devices don't work with ESP
> since they have been programmed to work only with Transmission Control
> Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message
> Protocol (ICMP). In addition, PAT devices are unable to map multiple
> security parameter indexes (SPIs). An alternative is implemented in some
> devices like the VPN 3000 Concentrator by encapsulating ESP within UDP and
> sending it to a negotiated port.
>
> Doug
>
> -Original Message-
> From: ""[EMAIL PROTECTED] [mailto:""[EMAIL PROTECTED]]
> Sent: Wednesday, June 26, 2002 11:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco VPN client and NAT [7:47430]
>
> Lidiya,
>
> On the PIX, when you configure IPsec you configure a pool of addresses that
> your IPsec clients will use on your own network. For instance, your inside
> network will have the IP addressing scheme of 192.168.0.0 with a class C
> subnet mask. You set the pool to give out the 10.0.0.0 subnet with a class C
> subnet mask. Therefore, when your clients behind your firewall try to talk
> to the 10.0.0.0 network they will hit the firewall and be passed to the
> translation from the pool. You cannot have any devices in the middle which
> PAT (i.e. a router which PATs the IP address of your PIX if your PIX is
> establishing the tunnel). It must be a one-to-one translation from one end
> of the tunnel to the other. Everyone feel free to correct me if I'm wrong,
> which I'm sure will be the case.
>
> Jason
>
> -Original Message-
> From: Alex Lee [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 26, 2002 3:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco VPN client and NAT [7:47430]
>
> So how do the Linksys or Cisco 800 handle IPSec through PAT, then?
> Thanks.
>
>  Alex Lee
>
> ""Lidiya White""  wrote in message
> news:[EMAIL PROTECTED]...
> > PIX doesn't support IPSec tran

RE: Need help on PIX [7:56965]

2002-11-06 Thread Lidiya White
If you create another "outside" interface with security 0, those two
outside interfaces will never be able to talk to each other. Usually people
create another interface, like outside1, with security 5.
The PIX can't load balance and can't do policy routing. The PIX routes only
based on the destination, not the source.
You use the PIX for security and a router for routing. Just connect a
router to the outside interface of the PIX and make it load balance, route
based on destination and so on..


--Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com]On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 06, 2002 12:58 AM
To: [EMAIL PROTECTED]
Subject: Need help on PIX [7:56965]


Hi,
I must admit that I am not an expert on PIX, but I have a question. Can you
have 2 outside interfaces on the PIX?
I have a PIX with an outside interface connected to a router with a link to
an ISP. Can I have another outside interface, e.g. Outside1, which connects
to another router with a link to another ISP? I want to do load balancing
to these 2 ISPs.
Can I do load balancing using static routes?
Can I do policy routing on the PIX? For example, I want traffic from some
inside hosts to go out to one ISP and the traffic from the remaining hosts
to go via another ISP. Is this possible?
It would be of great help if someone could point out some documents where I
can get the above info.

Many thanx
Simon




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56992&t=56965



RE: NAT overload vs. static [7:57420]

2002-11-13 Thread Lidiya White
Static translations with ports. Example:
ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25

Search for "ip nat inside source static tcp" and you'll find quite a few
examples...

-- Lidiya White



-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com]
Sent: Wednesday, November 13, 2002 10:49 PM
To: [EMAIL PROTECTED]
Subject: NAT overload vs. static [7:57420]


This is something that is easily done with most host based
implementations of NAT.  The objective is to use a single outside
address.  I want to NAT a network.  However, there is a webserver on
the inside which people on the outside need to be able to reach.  I
want to be able to redirect traffic sent to TCP port 80 on the outside
address to the web server.  I realise I can do this with a static
mapping, but this would require an outside address dedicated to the web
server and I want to do this without using more than one outside
address.  I've gone through the IOS docs on sections dealing with NAT
and didn't find any way to do this.  Does anybody have any
suggestions?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57424&t=57420



RE: Block MSN Messenger [7:57595]

2002-11-18 Thread Lidiya White
Try to block the login servers:
http://acronymsonline.com/im_ips.htm

-- Lidiya White



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Josh Green
Sent: Monday, November 18, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: Block MSN Messenger [7:57595]


It is possible, however Messenger uses so many different ports on so many
different servers that it's not worth your time.

-Original Message-
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 8:36 AM
To: [EMAIL PROTECTED]
Subject: Re: Block MSN Messenger [7:57595]

no.  don't waste your time.


""Ahed Naimi""  wrote in message news:[EMAIL PROTECTED]...
> Dear All;
>
> Is there any way to block MSN Messenger by using the access-list statements
> on an IOS Cisco router.
>
> Thanks All.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57621&t=57595



RE: pix vpn [7:57740]

2002-11-20 Thread Lidiya White
PIX will support IPSec over UDP in ver 6.3

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Richard Deal
Sent: Wednesday, November 20, 2002 12:09 PM
To: [EMAIL PROTECTED]
Subject: Re: pix vpn [7:57740]


Ciaron,

You know, I've been impatiently waiting for the same feature. When I teach
classes that are remote for Boson, we use a 3002 and a router. I need to set
up a GRE tunnel and then encrypt this tunnel. And because this stuff
typically goes through a firewall, I need a TCP VPN connection. It would be
great if Cisco's routers supported this feature; then I could get rid of
the 3002 and 3005 and just use two routers as the endpoints of the
connection. If anyone knows if/when Cisco has plans for adding this feature
to their routers and PIXs, I'm sure quite a few people would be interested
in this information.

Cheers
--

Richard A. Deal

Visit my home page at http://home.cfl.rr.com/dealgroup/

Author of Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access
Exam Prep, CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration
Exam Cram

Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco
exams on the market.

""Ciaron Gogarty""  wrote in message news:[EMAIL PROTECTED]...
> Does anybody know if the PIX will support the client side TCP encapsulation
> of VPN traffic in the near future, or must you buy a VPN concentrator to get
> this feature??
>
> Thanks
>
> CG
>
>
> **
>  This email and any files transmitted with it are confidential and
>  intended solely for the use of the individual or entity to whom they
>  are addressed. If you have received this email in error please notify
>  the system manager.
>
>  This footnote also confirms that this email message has been swept for
>  the
>  presence of computer viruses.
>
>  For more information contact [EMAIL PROTECTED]
>
>  phone + 353 1 4093000
>
>  fax + 353 1 4093001
> **




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57803&t=57740



RE: Hub-Spoke VPN tunnel problem [7:58114]

2002-11-26 Thread Lidiya White
Obviously the issue is on the Spoke router. Without the config I won't be
able to tell what exactly is misconfigured. But I would check the
access-list first, and if you have NAT configured, check the route-map.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Karaoghlanian, Hagop
Sent: Tuesday, November 26, 2002 10:51 AM
To: [EMAIL PROTECTED]
Subject: Hub-Spoke VPN tunnel problem [7:58114]


Hello gentlemen,

Here's my problem.

I have

Hub (LAN address 192.100.0.1) ---- spoke (LAN address 192.100.70.1)

Thus far, if I do an extended ping test from the Hub router's LAN to the
spoke router's LAN, I get a 0% success rate on the pings; however, when I do
"show crypto engine connections active" I get 4 encrypts but no decrypts on
the hub, and 4 decrypts on the spoke router with 0 encrypts.

Any suggestions would be very appreciated.

thanks
HK




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58121&t=58114



RE: pix quick help [7:49450]

2002-07-23 Thread Lidiya White

PDM location commands have no functionality. Think of them as PDM building
a map of the networks/hosts around it based on the static, nat, global and
route statements you have configured on your PIX. You can remove those
commands if you wish, but the next time you use PDM, they'll be back in
your config.
Just pay no attention to them. Again, they have no functionality; they
do not allow or disallow anything...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 23, 2002 3:45 PM
To: [EMAIL PROTECTED]
Subject: Re: pix quick help [7:49450]

I was under the impression that the PDM command is just a pain in the arse
cosmetic addition for use only within PDM.
I'm fairly certain it's nothing to do with access to PDM itself. I'll try
deleting them next time I get the chance and see what effect it has on PDM,
and if PDM automatically puts them back (in the same way that it
automatically put them there in the first place).

As always... let me know if I'm talking rubbish.

Gaz


""Mark W. Odette II""  wrote in message news:[EMAIL PROTECTED]...
> I believe the answer is yes.
>
> The HTTP command specifies what node is allowed to hit the HTTP Server,
> while the PDM command defines the host allowed to log into the PDM App.
>
> I'm sure someone will rightly correct me if I'm wrong. :)
>
> -Mark
>
> -Mark
>
> -Original Message-
> From: John Green [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 23, 2002 11:35 AM
> To: [EMAIL PROTECTED]
> Subject: pix quick help [7:49450]
>
> to allow a workstation access so as to be able to use
> and configure via the PDM, we give the command
> http server enable
> http 165.12.55.12 255.255.255.255 inside
>
> what is the purpose for the command
> pdm location 165.12.55.12 255.255.255.255 inside
>
> do we need both the commands to allow the workstation
> be able to access PDM GUI ??
>
>
> __
> Do You Yahoo!?
> Yahoo! Health - Feel better, live better
> http://health.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49483&t=49450



RE: VPN not connecting [7:50144]

2002-07-31 Thread Lidiya White

Capture debugs on both ends at the same time. That should be more helpful.
Make sure both ends have "isakmp identity address"...

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, July 30, 2002 4:05 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN not connecting [7:50144]

The ACLs are mirrors of each other and the transform sets match.
Very frustrating.

-Original Message-
From: Silju Pillai [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 30, 2002 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN not connecting [7:50144]


Hi,

Please check the interesting traffic (access list) configured at both ends.
Your transform set parameters too. They should be the same.

As you are receiving IKMP_no_error, your isakmp policies are working fine.

regards




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50284&t=50144



RE: Pix static mappings to the inside [7:50500]

2002-08-01 Thread Lidiya White

If you have only one public ip address and it is used on the outside
interface:
static (inside,outside) tcp interface 25 inside_ip 25 netmask
255.255.255.255
conduit permit tcp host outside_ip eq 25 any

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Elijah Savage III
Sent: Thursday, August 01, 2002 10:23 PM
To: [EMAIL PROTECTED]
Subject: Pix static mappings to the inside [7:50500]

I have my PIX 501 firewall working but I have yet to be able to get
static mapping working. I try this:

static "outside ip address" "inside ip address"

conduit permit tcp outside ip inside ip eq 25 any

When I issue these commands I can get mail into my mail server behind
the PIX, but it breaks my NAT. I have read that it is not good to use
your outside global IP address for static mapping, but if you only have 1
static IP address how else can you do it?

With me only having one static IP, will this work?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50514&t=50500
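Both port-forwarding questions on this page (the IOS `ip nat inside source static tcp ...` answer earlier and Lidiya's PIX `static (inside,outside) tcp interface 25 ...` answer just above) come down to the same lookup order: one public address serves outbound overload PAT and a port-level static that redirects inbound TCP/25 to the inside mail server, the allocator must never hand a dynamic session the port the static owns, and a new inbound session still needs an inbound permit (the conduit) while replies to outbound sessions get in on the connection entry alone. Here is that order as a runnable model. It is an added example, not IOS or PIX code: the `EdgeNAT` class, the `Flow` shape, the allocation scheme and all addresses are constructed for the demonstration.

```python
"""One public address doing double duty: overload PAT for outbound sessions
plus a static port redirect for inbound TCP/25.  Added model for the two
port-forwarding questions above, not IOS or PIX code; class, flow shape,
allocator and addresses are constructed for the demonstration."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

OUTSIDE_IP = "203.0.113.10"   # the single public address (constructed)
MAIL = "192.168.1.25"         # inside mail server (constructed)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class EdgeNAT:
    def __init__(self, static_ports, permit_in) -> None:
        # static_ports: (proto, public_port) -> (inside_ip, inside_port),
        #   the model of "static (inside,outside) tcp interface 25 MAIL 25"
        # permit_in: (proto, public_port) an outside host may open,
        #   the model of "conduit permit tcp host OUTSIDE_IP eq 25 any"
        self.static_ports: Dict[Tuple[str, int], Tuple[str, int]] = dict(static_ports)
        self.permit_in: Set[Tuple[str, int]] = set(permit_in)
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}   # dynamic PAT entries
        self.rev: Dict[Tuple[str, str, int], int] = {}
        self.conns: Set[Tuple[str, str, int, str, int]] = set()   # established sessions
        self.next_port = 1024

    def _alloc(self, proto: str) -> int:
        # Never hand out a port that a static entry or live session owns.
        while (proto, self.next_port) in self.static_ports or (proto, self.next_port) in self.xlate:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, f: Flow) -> Flow:
        """Inside -> outside.  A matching static port entry wins; otherwise overload."""
        for (proto, pub), (ip, port) in self.static_ports.items():
            if (proto, ip, port) == (f.proto, f.src, f.sport):
                pub_port = pub
                break
        else:
            key = (f.proto, f.src, f.sport)
            if key not in self.rev:
                self.rev[key] = self._alloc(f.proto)
                self.xlate[(f.proto, self.rev[key])] = (f.src, f.sport)
            pub_port = self.rev[key]
        # Remember the session so its replies get back in without a permit.
        self.conns.add((f.proto, OUTSIDE_IP, pub_port, f.dst, f.dport))
        return replace(f, src=OUTSIDE_IP, sport=pub_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside.  None means the packet is dropped."""
        if f.dst != OUTSIDE_IP:
            return None
        if (f.proto, f.dst, f.dport, f.src, f.sport) in self.conns:      # reply traffic
            ip, port = self.xlate.get((f.proto, f.dport)) or self.static_ports[(f.proto, f.dport)]
            return replace(f, dst=ip, dport=port)
        # A new session from outside needs both a translation and a permit.
        target = self.static_ports.get((f.proto, f.dport))
        if target is None or (f.proto, f.dport) not in self.permit_in:
            return None
        self.conns.add((f.proto, f.dst, f.dport, f.src, f.sport))
        return replace(f, dst=target[0], dport=target[1])


def run_samples() -> Dict[str, object]:
    fw = EdgeNAT({("tcp", 25): (MAIL, 25)}, {("tcp", 25)})
    remote, ws = "198.51.100.7", "192.168.1.50"           # constructed hosts
    out: Dict[str, object] = {}
    smtp = fw.inbound(Flow("tcp", remote, 51000, OUTSIDE_IP, 25))   # mail delivery
    out["smtp_in"] = (smtp.dst, smtp.dport)
    out["http_in"] = fw.inbound(Flow("tcp", remote, 51001, OUTSIDE_IP, 80))  # no static
    web = fw.outbound(Flow("tcp", ws, 40000, remote, 80))           # workstation browsing
    out["web_out"] = (web.src, web.sport)
    back = fw.inbound(Flow("tcp", remote, 80, OUTSIDE_IP, web.sport))        # its reply
    out["web_back"] = (back.dst, back.dport)
    out["probe"] = fw.inbound(Flow("tcp", remote, 80, OUTSIDE_IP, web.sport + 1))
    # Allocation skips the port the static owns; start at 24 to make it visible.
    fw2 = EdgeNAT({("tcp", 25): (MAIL, 25)}, {("tcp", 25)})
    fw2.next_port = 24
    out["alloc"] = (fw2.outbound(Flow("tcp", ws, 1, remote, 80)).sport,
                    fw2.outbound(Flow("tcp", ws, 2, remote, 80)).sport)
    return out


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:9s} {result}")
```

The model keeps the two things a port-level static needs separate from a whole-address static: only port 25 of the public address is claimed, so every other port stays available for overload, and an outside host that hits any other port (the `http_in` and `probe` cases) is dropped because there is neither a translation nor a connection entry for it.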



RE: VPN not connecting [7:50144]

2002-08-03 Thread Lidiya White

His issue would not be caused by the ISP.
Phase 1 and phase 2 both use UDP 500, so if he passes phase 1 then
UDP 500 is open.
"sysopt connection permit-ipsec" will also not cause phase 2 to fail. If
you are missing "sysopt connection permit-ipsec" then you'll see that the
tunnel is up, but you are unable to pass traffic across it.
There is something else going on in his case and the debugs didn't show
it. That's why I asked for debugs from both ends at the same time...

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Ciaron Gogarty
Sent: Friday, August 02, 2002 7:03 PM
To: [EMAIL PROTECTED]
Subject: Re: VPN not connecting [7:50144]

Hi Silju,

I would have to disagree with you on one point, or perhaps modify your
statement -- "Normally" ISPs don't filter IPSEC, but some do -- I know
this from personal experience. Granted, the ISP in question didn't know
they were doing it (misconfigured access-list).

I remember reading somewhere that some ISPs were going to actively filter
IPSEC transiting their AS. This may or may not be true.. does anybody on
the group know for sure???

Either way, it may be prudent to check with his upstream ISP!!

Although you're correct in saying that most VPNs terminate at secure or
wholly trusted sites, this is not always the case. Suppose you wanted to
also extend your VPN to a support company for a particular server app; your
corporate policy may not like the fact that you cannot actively control
what is sent through the tunnel. Sure, you can make sure a reply will only
go back to a destination address defined as "interesting" in your return
access list.. but those packets are still coming from his side of the VPN
and entering your network... so in that case, you could turn off the sysopt
connection permit-ipsec and use access-lists on the outside to filter the
traffic before it enters the network. I could be wrong, but that is my
understanding of the PIX implementation of IPSEC... does anybody know for
sure??

cheers dude,

Ciaron


- Original Message -
From: "Silju Pillai" 
To: 
Sent: Friday, August 02, 2002 10:18 PM
Subject: RE: VPN not connecting [7:50144]


> Hi Ciaron,
>
>   I totally agree with you that Phase-1 is completed in Mike's setup.
> But I would like to discuss some points. The problem I think is in phase-2
> only.
>
> 1. Normally if your end-to-end traffic has to pass the ISP (public network)
> then you create a VPN tunnel. ISPs don't block any traffic or ports (500, 50
> or 51). If at all you are blocking these ports it will be at the customer
> site.
>
> 2. You are right that "sysopt connection permit-ipsec" should be given on
> the PIX to allow the IPSec traffic. But I assume Mike might have already
> tried that. Thanks a lot for this information as I never thought of turning
> it off and testing it. I just had a look at the Cisco site regarding this
> info. Which is better? Turn it off and permit the specific ports, or give
> this command and let the PIX do the rest.
>
> 3. You define interesting traffic only for those networks or machines where
> you want to communicate using the private network securely. So there is no
> point in filtering the traffic. Configure the access-list so that only
> specific traffic is permitted. If the traffic doesn't match the crypto
> access list, how will the packets enter the network? In my opinion they
> will get dropped. Hope you get me.
>
> thanks once again,
> regards
> Silju




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50599&t=50144



RE: PIX Question [7:51095]

2002-08-09 Thread Lidiya White

So you have:
Server --- inside- PIX -outside --- Internet

How would a server with the public ip address talk to the PIX inside
interface, that has a private ip address? It's like having two PC's with
different ip addresses and trying to make them talk through a hub.
For two devices to talk on the same wire they have to be on the same
subnet. So you either have to reconfigure the server to have a private
ip address or use a router on the inside of the PIX. PIX doesn't support
secondary ip addresses.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Zahid Hassan
Sent: Friday, August 09, 2002 3:36 PM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:51095]

Hi All,

I have got a PIX firewall with two interfaces; the outside interface has a
public IP address and the inside a private IP address. I will need to
connect a server with a public IP address.
I know that the PIX firewall can be configured not to NAT a specific IP
address.

Can I connect a server with a public IP address on the inside interface of
the PIX?
If yes, what will be the default gateway, the inside or the outside
interface of the PIX?

Thanks in advance.

Zahid




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51102&t=51095



RE: Internal Users ping through a PIX [7:52962]

2002-09-09 Thread Lidiya White

The access-list is correct. There is something else that is going on.
Use "debug icmp trace" to troubleshoot...
How do you test this access-list? What are you trying to ping?

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Elijah Savage III
Sent: Monday, September 09, 2002 7:33 PM
To: [EMAIL PROTECTED]
Subject: Internal Users ping through a PIX [7:52962]


Ok guys, I am on my last leg with this one. I've seen a ton of examples but
can't seem to get it working; what am I doing wrong here?

All I want is my internal users to be able to ping through the firewall
to the net, but external users not be able to ping.

Here is the last example I used that does not work.
http://www.cisco.com/warp/public/110/single-net.shtml

!--- Create an access-list to allow pings out and the return packets
back in.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable


!--- Apply access-list 100 to the outside interface.
access-group 100 in interface outside

pixfirewall# sh version

Cisco PIX Firewall Version 6.1(3)


I appreciate your help.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52968&t=52962
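Lidiya says the three-line list is correct, and it is: it lets the replies to an inside user's ping back in while the implicit deny stops an outside host's echo request. The check a practitioner should add is that the list as written is evaluated without any state, so it also admits an echo-reply nobody asked for. The model below runs the posted access-list over a few constructed packets and, beside it, a request/reply state table that only admits replies to echoes that actually went out. This is an added example, not PIX code or anything from the thread; the `Icmp` packet shape, the `StatefulIcmp` class and all addresses are constructed for the demonstration, and addresses are shown before translation for simplicity.

```python
"""The ICMP access-list from the thread, evaluated statelessly, next to a
request/reply state table.  Added model, not PIX code; packet shape, state
class and addresses are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The list posted in the thread as (action, icmp-type) pairs: what the
# outside interface lets in.  Anything not listed hits the implicit deny.
ACL_100: List[Tuple[str, str]] = [
    ("permit", "echo-reply"),
    ("permit", "time-exceeded"),
    ("permit", "unreachable"),
]


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str             # echo, echo-reply, time-exceeded, unreachable
    ident: int = 0        # echo / echo-reply identifier
    seq: int = 0          # echo / echo-reply sequence number
    inner_dst: str = ""   # error messages: destination of the probe quoted inside


def acl_decision(pkt: Icmp, acl=ACL_100) -> str:
    """Stateless evaluation: first matching line wins, implicit deny at the end."""
    for action, kind in acl:
        if kind == pkt.kind:
            return action
    return "deny"


class StatefulIcmp:
    """Admits a reply only when the matching echo went out first (constructed)."""

    def __init__(self) -> None:
        self.outstanding: Set[Tuple[str, str, int, int]] = set()  # (src, dst, ident, seq)

    def outbound(self, pkt: Icmp) -> str:
        # Inside -> outside is allowed; remember echoes so replies can be matched.
        if pkt.kind == "echo":
            self.outstanding.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return "permit"

    def inbound(self, pkt: Icmp) -> str:
        if pkt.kind == "echo-reply":
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # mirror image of the request
            if key in self.outstanding:
                self.outstanding.discard(key)
                return "permit"
            return "deny"                                  # unsolicited reply
        if pkt.kind in ("time-exceeded", "unreachable"):
            # An error only makes sense if a probe toward the destination quoted
            # inside it is in flight; the sender may be any router on the path.
            probed = {dst for (_, dst, _, _) in self.outstanding}
            return "permit" if pkt.inner_dst in probed else "deny"
        return "deny"                                      # inbound echo and the rest


def run_samples() -> Dict[str, Tuple[str, str]]:
    inside, target = "192.168.1.10", "198.51.100.1"        # constructed addresses
    hop, stranger = "198.51.100.254", "203.0.113.66"
    state = StatefulIcmp()
    out: Dict[str, Tuple[str, str]] = {}

    state.outbound(Icmp(inside, target, "echo", ident=7, seq=1))   # the user's ping
    reply = Icmp(target, inside, "echo-reply", ident=7, seq=1)
    out["reply"] = (acl_decision(reply), state.inbound(reply))

    scan = Icmp(stranger, inside, "echo")                          # someone pinging in
    out["inbound_echo"] = (acl_decision(scan), state.inbound(scan))

    bogus = Icmp(stranger, inside, "echo-reply", ident=99, seq=5)  # never requested
    out["unsolicited_reply"] = (acl_decision(bogus), state.inbound(bogus))

    state.outbound(Icmp(inside, target, "echo", ident=7, seq=2))   # traceroute-style probe
    ttl = Icmp(hop, inside, "time-exceeded", inner_dst=target)
    out["time_exceeded"] = (acl_decision(ttl), state.inbound(ttl))
    return out


if __name__ == "__main__":
    for name, (stateless, stateful) in run_samples().items():
        print(f"{name:18s} stateless={stateless:6s} stateful={stateful}")
```

The two columns agree on the cases the thread cares about (reply in, echo out, inbound echo blocked) and differ on the unsolicited echo-reply, which the posted list permits and the state table drops. That difference is the reason to prefer an inspection feature over a static permit for echo-reply where the platform offers one, and the reason `debug icmp trace`, as Lidiya suggests, is the right tool: it shows which of these paths a given packet actually took.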



RE: Internal Users ping through a PIX [7:52962]

2002-09-10 Thread Lidiya White

The "icmp" command on the PIX allows/denies pinging the interfaces of the
PIX itself. It has nothing to do with pinging through the PIX...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, September 10, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: Internal Users ping through a PIX [7:52962]


You need to use the following global command to enable icmp:

icmp permit/deny  ...


Here's the link for command reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid33


Thanks...Nabil

"I have never let my schooling interfere with my education."





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52993&t=52962



RE: PIX Upgrade [7:53747]

2002-09-20 Thread Lidiya White

You don't need a new activation key for the upgrade. The act key is bound to a
serial number, so unless you change your PIX, or require some new features
enabled on the PIX, you don't need a new act key. The license key is software
independent.
6.2.2 is very stable code. I don't see you having problems with it. It has
quite a few new features that are very useful.
6.3 code will not be available until 1st quarter 2003.
And of course no need to go into monitor mode :-).

The OS upgrade on the PIX sounds pretty simple because it's just that
simple...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Roberts, Larry
Sent: Friday, September 20, 2002 5:43 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX Upgrade [7:53747]


Uhmm, no, not true depending on version.
I just upgraded from 6.1(4) to 6.2 and in fact used copy tftp flash: I went
from 5.2(1) TO 5.2(5) via this method as well.


Things to watch for though are version transitions. Going from 5.x to 6.x
will require a new activation code.
You can get a DES version key by sending your information to
[EMAIL PROTECTED] and tell them what version you are going to.
They need the serial number and I believe the current activation key.

On older versions of code, you need to step up one revision at a time. This
is not the case with newer versions; however, it is recommended if you are
going more than a couple of revisions ahead.



Thanks

Larry


-Original Message-
From: Symon Thurlow [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 4:07 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX Upgrade [7:53747]


No, you have to go to ROM monitor to do it.

Break into rom monitor then

addr ipaddressofpix
serv ipaddressoftftpserver
file pix622.bin
tftp

it will load then reboot. You should then upgrade PDM, which you do the
traditional way.

I just did this a couple of days ago and it worked fine.

Symon

-Original Message-
From: Robert Edmonds [mailto:[EMAIL PROTECTED]]
Sent: 20 September 2002 21:34
To: [EMAIL PROTECTED]
Subject: PIX Upgrade [7:53747]


To upgrade the PIX to a newer software version, do you just do copy tftp
172.16.6.100/pix622.bin flash and then reload? Sounds like I'm missing
something.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53779&t=53747



RE: PIX questions [7:53953]

2002-09-24 Thread Lidiya White

The problem here is that the source and destination are both outside. Why? The
PIX can't redirect traffic, so even if a conduit is allowing this traffic, the
PIX won't let it through unless the src is outside and the dst is inside. You
either have a routing issue here or something is just misconfigured on the PIX.

Use "wr term" on the PIX to view the current config.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sim, CT (Chee Tong)
Sent: Tuesday, September 24, 2002 10:50 AM
To: [EMAIL PROTECTED]
Subject: PIX questions [7:53953]


I keep having the following log in my PIX.  It is very frequent. What does
that mean? It seems my PIX denies this connection, but actually I want to
allow it now and make it no longer log to the PIX log.



106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001



I tried to clear it by adding the following command in the PIX config to
allow the connection to come in.  However, I still found the same log in my
PIX?  What should be the correct command?



conduit permit udp any range 58000 58001 any





Question2- How to show the "running-config" in PIX?  I found whenever I made
a change on PIX. I can't see the change when I issue "sh conf" command until
I do "wr mem" What is the router equivalent show running-config command in
PIX?



Thanks a lot




The information contained in this message may be confidential
and is intended to be exclusively for the addressee. Should you
receive this message unintentionally, please do not use the contents
herein and notify the sender immediately by return e-mail.


==




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53968&t=53953

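Triage helper for the 106011 messages quoted above, added here as an illustration (not Cisco code or the poster's): it parses the "Deny inbound (No xlate)" lines, flags the condition Lidiya points at (source and destination both on the outside interface, so no translation exists for the destination), and counts attempts per source and destination port. The sample log is constructed from the lines in the post plus one filler line.

```python
import re
from collections import Counter

# Constructed sample: the four 106011 lines from the post, re-joined onto
# single lines, plus one non-106011 line that the parser must skip.
SAMPLE_LOG = """\
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
constructed filler line: not a 106011 message, ignored by the parser
"""

# Shape of the message as it appears in the post: protocol, then
# src/dst as <interface>:<address>/<port>. A leading "%PIX-n-" severity
# tag is accepted but optional, since relays often strip it.
_106011 = re.compile(
    r"(?:%PIX-\d-)?106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_106011(text):
    """Return one dict per 106011 line; every other line is ignored."""
    records = []
    for line in text.splitlines():
        m = _106011.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        # Same interface on both sides: the destination is an address the PIX
        # itself answers for on that interface (here the PAT address), and no
        # xlate exists for it, so a conduit alone cannot admit the traffic.
        rec["hairpin"] = rec["src_if"] == rec["dst_if"]
        records.append(rec)
    return records


def summarize(records):
    """Count unsolicited inbound attempts per (source, destination port)."""
    return Counter((r["src"], r["dport"]) for r in records)


if __name__ == "__main__":
    recs = parse_106011(SAMPLE_LOG)
    for (src, dport), n in summarize(recs).most_common():
        print(f"{src} -> udp/{dport}: {n} denied, no xlate")
```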


RE: PIX questions [7:53953]

2002-09-25 Thread Lidiya White

If you are using dynamic NAT/PAT, connections from the outside can't be
initiated.
If you need the outside world to contact your server/host behind this PIX,
make sure that you have static NAT configured and an access-list or conduit
that will allow the port for that application.
Static NAT is used for a permanent two-way translation.
static (inside,outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255
10.1.1.35 is the real IP address of the FTP server.
192.168.1.35 is how the outside world sees this FTP server (the example would
probably be clearer if they used a public IP address instead).
Using nat, global, static, conduit, and access-list Commands and Port
Redirection on PIX
http://www.cisco.com/warp/public/707/28.html
Make sure that you understand how, when and why the static command is used on
the PIX.

-- Lidiya White



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sim, CT (Chee Tong)
Sent: Tuesday, September 24, 2002 9:48 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX questions [7:53953]


OK.. I think I roughly understand what the problem is now. Let me tell you
about our PIX setup.  We do a PAT for every outgoing packet so the source
address is translated to 192.168.5.200 before leaving the external interface
of the PIX.  So when the outside party tried to make a connection to
192.168.5.200, it was considered outside, as the routing table of the PIX
shows that the IP 192.168.5.200 should be routed out via the external
interface. Sound logical? But how to solve it, if I don't want this log:

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst
outside:192.168.5.200/58000

Another Question2 :)
I saw a sentence on a book that I don't understand-
The combination of the static declaration and the conduit command can allow
FTP traffic through your network.  You have allowed FTP traffic to the FTP
server with the following two lines:

static (inside,outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0 --(1)
conduit permit tcp host 192.168.1.35 eq ftp any --(2)

I understand the second statement, which means it allows ftp traffic from any
outside workstation to connect to 192.168.1.35 in the inside network.
But what is the meaning of the first statement? What is the 10.1.1.35 IP for?
Why do we need this?

Thanks a lot
Sim






RE: PIX Scenerio [7:54824]

2002-10-03 Thread Lidiya White

Just use "static (inside, outside) 172.16.20.0 172.16.20.0 netmask
255.255.255.0"
and then create conduits for the type of traffic you want to allow from the
outside to the inside.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Azhar Teza
Sent: Thursday, October 03, 2002 1:27 PM
To: [EMAIL PROTECTED]
Subject: PIX Scenerio [7:54824]


In this PIX Scenario, what will be the best option?   Note: PIX is being
used between the two private networks.  I am just treating the outside
interface as one of the users' subnets. I have 10 users on the outside
interface (Network 192.168.40.0) who want to have access to some resources in
the inside (Network 172.16.20.0).  Instead of statically mapping each IP
address from the users to the inside resources, can I just do this: static
(inside, outside) 192.168.40.0 172.16.20.0 netmask 255.255.255.0, and then
apply a conduit, for example, conduit permit tcp host 192.168.40.5 (User's IP
address) 172.16.20.5 (File Server) and so on, or will it be better to
statically map each user IP address to the resource IP address, and then
open the conduit: static (inside, outside) 192.168.40.5 (user's computer)
172.16.20.5 (File Server) netmask 255.255.255.255. I think I can't
statically map the actual user IP address.  I am gonna have to use an unused
IP address from the user's subnet (192.168.10.0).  Please let me know.
Thanks,






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54854&t=54824

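A toy model, added here and not Cisco's code, of the two-step inbound decision the PIX threads above describe: first the xlate lookup that fails for a PAT-only address (Sim's 106011 log), then the conduit/access-list check against the global address (the book's FTP static plus conduit, the identity net static from the PIX Scenario thread, and the echo-reply access-list from the "Internal Users ping" thread). The Static and Rule classes, the 1.2.3.4 outside host and the simplified matching are my constructions; ICMP types 0 (echo-reply) and 8 (echo) are the standard values.

```python
"""Toy PIX 6.x inbound (outside -> inside) decision. Added illustration,
not Cisco code. Step 1: is there an xlate for the destination global address?
Dynamic PAT creates xlates only for outbound flows, so an unsolicited packet to
the PAT address fails here and is logged as 106011 "Deny inbound (No xlate)"
regardless of any conduit. Step 2: does a conduit/access-list line permit it?"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ECHO_REPLY, ECHO = 0, 8      # ICMP types used by the access-list example


@dataclass(frozen=True)
class Static:
    global_net: str   # address(es) the outside sees, e.g. "192.168.1.35/32"
    local_net: str    # real inside address(es), e.g. "10.1.1.35/32"


@dataclass(frozen=True)
class Rule:           # one conduit or access-list line
    proto: str        # "tcp", "udp" or "icmp"
    dst: str          # global destination net, or "any"
    ports: tuple      # (low, high) port range; for icmp (type, type); None = any
    src: str = "any"


def _matches(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)


def translate(statics, dst):
    """Step 1: xlate lookup. Returns the real inside address or None."""
    for s in statics:
        gnet, lnet = ip_network(s.global_net), ip_network(s.local_net)
        if ip_address(dst) in gnet:
            # net statics (e.g. 172.16.20.0 -> 172.16.20.0) keep the host part
            offset = int(ip_address(dst)) - int(gnet.network_address)
            return str(ip_address(int(lnet.network_address) + offset))
    return None       # PAT-only global address: nothing to translate to


def permitted(rules, proto, src, dst, port):
    """Step 2: the first conduit/access-list line that matches wins."""
    for r in rules:
        if r.proto == proto and _matches(r.dst, dst) and _matches(r.src, src):
            if r.ports is None or r.ports[0] <= port <= r.ports[1]:
                return True
    return False


def inbound(statics, rules, proto, src, dst, port):
    """('permit', real_inside_addr) or ('deny', reason)."""
    real = translate(statics, dst)
    if real is None:
        return ("deny", "106011 Deny inbound (No xlate)")   # Sim's log line
    if not permitted(rules, proto, src, dst, port):
        return ("deny", "no conduit/access-list match")
    return ("permit", real)


# Sim's setup: PAT address 192.168.5.200, no static, conduit for 58000-58001
SIM_RULES = [Rule("udp", "any", (58000, 58001))]
# The book example: static for the FTP server plus a conduit for port 21
FTP_STATICS = [Static("192.168.1.35/32", "10.1.1.35/32")]
FTP_RULES = [Rule("tcp", "192.168.1.35/32", (21, 21))]
# PIX Scenario identity net static, with the echo-reply access-list line
NET_STATICS = [Static("172.16.20.0/24", "172.16.20.0/24")]
ICMP_RULES = [Rule("icmp", "any", (ECHO_REPLY, ECHO_REPLY))]
```

With SIM_RULES the conduit matches, yet the packet is still denied at step 1, which is why adding the conduit did not change Sim's log.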


RE: NAT [7:54838]

2002-10-03 Thread Lidiya White

It's on the router... Check 'NAT on a stick' config examples. Traffic HAS
to go through an 'ip nat inside' and an 'ip nat outside' interface to be
NATted. If it goes only through an "ip nat inside" interface, NAT will not
happen...

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Brett spunt
Sent: Thursday, October 03, 2002 8:44 PM
To: [EMAIL PROTECTED]
Subject: RE: NAT [7:54838]


Hosts files, or a local DNS server pointing to the private IP address,
or use a PIX firewall with the following command "alias (inside)
255.255.255.255", which will doctor the DNS reply for you.

check out the following link...
http://www.cisco.com/warp/public/110/alias.html

Brett spunt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Joe Middleton
Sent: Thursday, October 03, 2002 5:23 PM
To: [EMAIL PROTECTED]
Subject: NAT [7:54838]


Hi All,

I am trying to set up NAT on a Cisco 2600 router.  Everything seems to be
working except that I cannot access resources on the inside using their
public IP address from the inside.  From the internet the router translates
the public addresses to private addresses, but from the inside I have to use
the private address to access any resource.  How can I get the router to
translate requests that originate from the inside?  Any help would be
greatly appreciated.

Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54855&t=54838



RE: Firewall [7:55547]

2002-10-14 Thread Lidiya White

That is the normal behavior of the PIX. You'll not be able to change it...
If you want to test the connectivity through the PIX, do not ping the
outside interface of the PIX from the inside, but ping the default gateway
of the PIX.

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Naomi James
Sent: Monday, October 14, 2002 8:19 AM
To: [EMAIL PROTECTED]
Subject: Firewall [7:55547]


I have a PIX 525. I am trying to bring it up on my network.  It is installed
virtually between my router and my ISP's router.  While testing, I noticed
that from an inside host, I could ping my inside interface on the PIX, but
not the outside interface.  From the ISP, they could ping my outside
interface but not my inside interface.  From the PIX I can ping my outside
interface and beyond.
Any suggestions?

Naomi James
Computer Services and Information Technology
Savannah State University
912-356-2509





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55580&t=55547