Re: HELP!! PIX-PIX VPN config problem [7:69684]
Hi, Can you post your two configs (remove private info if required)? Regards Paul ""Mary Kvitashvili"" wrote in message news:[EMAIL PROTECTED] > Trying to config PIX 506 to PIX 515 for basic VPN/IPSEC/LAN/LAN > connectivity. Took the configs straight off the Cisco site but I cannot > establish my tunnel at the ISAKMP level. Trying to ping from LAN to LAN. > Getting the following error message from "debug crypto isakmp": > > HQ-PIX# > ISAKMP (0): beginning Main Mode exchange > ISAKMP (0): retransmitting phase 1... > ISAKMP (0): retransmitting phase 1... > ISAKMP (0): deleting SA: src 151.99.241.102, dst 192.168.1.2 > ISADB: reaper checking SA 0xfb053c, conn_id = 0 DELETE IT! > > VPN Peer:ISAKMP: Peer Info for 192.168.1.2/500 not found - peers:0 > > Doing all of the various show commands indicates all peer info is there. > > Any ideas? > > thanks, > Pixnewbie Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69722&t=69684 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: HELP!! PIX-PIX VPN config problem [7:69684]
Mary, Ok I see your configs. Can I ask how you have this set up? PIX's, routers etc and how they are connected. My initial concern is that some of your external ip's are private (192.168.1.2) on PIX506. Try this test first of all to ensure basic connectivity from the command line of each PIX >From the PIX515: ping outside 192.168.1.2 And from the PIX506: ping outside 151.99.241.102 Does it work both ways? If not then you are going to have difficulty getting a working tunnel. Regards Paul ""Mary Kvitashvili"" wrote in message news:[EMAIL PROTECTED] > > PIX 515 > > PIX Version 6.3(1) > interface ethernet0 10full > interface ethernet1 10full > nameif ethernet0 outside security0 > nameif ethernet1 inside security100 > enable password 8Ry2YjIyt7RRXU24 encrypted > passwd 2KFQnbNIdI.2KYOU encrypted > hostname HQ-PIX > domain-name xxx.org > fixup protocol ftp 21 > fixup protocol h323 h225 1720 > fixup protocol h323 ras 1718-1719 > fixup protocol http 80 > fixup protocol ils 389 > fixup protocol rsh 514 > fixup protocol rtsp 554 > fixup protocol sip 5060 > fixup protocol sip udp 5060 > fixup protocol skinny 2000 > fixup protocol smtp 25 > fixup protocol sqlnet 1521 > names > access-list 101 permit ip 10.11.41.0 255.255.255.0 10.11.34.0 255.255.255.0 > access-list 101 permit ip host 151.99.241.102 host 192.168.1.2 > access-list acl_outbound permit ip any any > access-list 100 permit icmp any any echo-reply > access-list 100 permit icmp any any time-exceeded > access-list 100 permit icmp any any unreachable > pager lines 24 > mtu outside 1500 > mtu inside 1500 > ip address outside 151.99.241.102 255.255.255.0 > ip address inside 10.11.41.1 255.255.255.0 > ip audit info action alarm > ip audit attack action alarm > no failover > failover timeout 0:00:00 > failover poll 15 > no failover ip address outside > no failover ip address inside > pdm history enable > arp timeout 14400 > nat (inside) 0 access-list 101 > nat (inside) 1 10.11.41.0 255.255.255.0 0 0 > nat (inside) 1 0.0.0.0 0.0.0.0 0 0 > access-group 100 in interface outside > access-group acl_outbound in interface inside > conduit permit icmp any any > route outside 0.0.0.0 0.0.0.0 151.99.241.1 1 > timeout xlate 3:00:00 > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 > timeout uauth 0:05:00 absolute > aaa-server TACACS+ protocol tacacs+ > aaa-server RADIUS protocol radius > aaa-server LOCAL protocol local > no snmp-server location > no snmp-server contact > snmp-server community public > no snmp-server enable traps > floodguard enable > sysopt connection permit-ipsec > crypto ipsec transform-set hq-tset esp-des esp-md5-hmac > crypto map hq-map 1 ipsec-isakmp > crypto map hq-map 1 match address 101 > crypto map hq-map 1 set peer 192.168.1.2 > crypto map hq-map 1 set transform-set hq-tset > crypto map hq-map interface outside > isakmp enable outside > isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.255 > isakmp identity address > isakmp policy 1 authentication pre-share > isakmp policy 1 encryption des > isakmp policy 1 hash sha > isakmp policy 1 group 2 > isakmp policy 1 lifetime 1000 > telnet timeout 5 > ssh timeout 5 > console timeout 0 > terminal width 80 > Cryptochecksum:9f629d1ea9f9b89090de1e7d3ec467db > > > PIX 506 > > PIX Version 6.3(1) > interface ethernet0 10full > interface ethernet1 10full > nameif ethernet0 outside security0 > nameif ethernet1 inside security100 > enable password 8Ry2YjIyt7RRXU24 encrypted > passwd 2KFQnbNIdI.2KYOU encrypted > hostname Other-PIX > fixup protocol ftp 21 > fixup protocol h323 h225 1720 > fixup protocol h323 ras 1718-1719 > fixup protocol http 80 > fixup protocol ils 389 > fixup protocol rsh 514 > fixup protocol rtsp 554 > fixup protocol sip 5060 > fixup protocol sip udp 5060 > fixup protocol skinny 2000 > fixup protocol smtp 25 > fixup protocol sqlnet 1521 > names > access-list 101 permit ip 10.11.34.0 255.255.255.0 10.11.41.0 255.255.255.0 > access-list 101 permit ip host 192.168.1.2 host 151.99.241.102 > access-list acl_outbound permit ip any any > access-list 100 permit icmp any any echo-reply > access-list 100 permit icmp any any time-exceeded > access-list 100 permit icmp any any unreachable > pager lines 24 > mtu outside 1500 > mtu inside 1500 > ip address outside 192.168.1.2 255.255.255.0 > ip address inside 10.11.34.1 255.255.255.0 > ip audit info action alarm > ip audit attack action alarm > pdm logging informational 100 > pdm history enable > arp timeout 14400 > nat (inside) 0 access-list 101 > nat (inside) 1 10.11.34.0 255.255.255.0 0 0 > nat (inside) 1 0.0.0.0 0.0.0.0 0 0 > access-group 100 in interface outside > access-group acl_outbound in interface inside > conduit permit icmp any any > route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 > timeout xlate 0:05:00 > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 si
Re: PDM for PIX [7:69852]
Hi, Do you have "http server enable" in your config? Regards Paul ""Kenan Ahmed Siddiqi"" wrote in message news:[EMAIL PROTECTED] > Hi there, > I have a PIX 515E. I am trying to use PDM on it. The configuration is IOS > version 6.0 and PDM version 1.0. The client is Windows 2000 with IE 6.0 and > all the service packs intalled. When I try connecting to the PIX via the > browser, somehow it just doesn't work. Everything else seems to be okay. PIX > is configured to accept PDM connections from the client. Any suggestions how > to fix it? Is there some encryption or something that needs to be > enabled/disabled? > > TIA, > > Kenan Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69947&t=69852 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Network Analyzers [7:72346]
Dave, Ethereal also comes in a Windows flavour as well which is a little more versatile for installation options. I have used it quite a lot and its always done the job for me (and that has been some pretty obscure problems solved). I generally work on the basis of a potential theory to where the problem is and prove it, in the required scenarios a combination of Ethereal and Languard (from gfi.com - also free) do the trick 99% of the time. Justify it against potential revenue saved. How much are you losing through suspected network problems? Alternatively to get a feel of what you will be seeing Ethereal is good for a start. Also bear in mind the amount of time needed to learn how to properly use a network analyser, so the real cost is actually alot more than $2500 or $1. If its your LAN or WAN then get someone else to do it, it will work out cheaper than $10k (I hope!) Regards Paul ""Dave C."" wrote in message news:[EMAIL PROTECTED] > I work for a small growing business and am currently evaluating two types of > network analyzer software. EtherPeek NX and Sniffer Portable (Sniffer Pro). > > Since the versions that I have are not the full production versions (only > for evalutation purposes), I am limited to the functionality I can do with > each. > > I know there is an extensive difference in price (Etherpeek NX is somewhere > around $2000-2500 range, and Sniffer Portable (Pro) is somewhere greater > than $10,000. For a small growing company, it is hard to justify over > $10,000 for a piece of software, when I can get something comparable for > much less, especially when we are in a time where we have to justify our jobs. > > What I would like to know, if anyone has experience with both of these > applications, and what capabilities that Sniffer Pro offers, that Etherpeek > NX does not. > > I would also like to know if anyone has experience with Ethereal (for > Linux). I know it is free and it has much less functionality than Etherpeek > NX or Sniffer, but I would like an opinion on that to. > > Thanks. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72351&t=72346 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
