PIX question

2001-03-06 Thread Allen May

I have a PIX using IPSec for a VPN tunnel between 2 networks.  On the
outside interface is a box using SYSLOG trying to write to a box on the
inside interface.  I made an external static IP for the internal box, added
a conduit to permit udp-syslog...nothing.  Tried adding access-list # permit
udp host  host  eq syslog.

The access list is the one used in the IPSec VPN.  Any ideas why I get
denied in logging?



_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



PIX Question

2000-10-09 Thread oluwakemi ojo

Hi everyone,

There is a web server on the inside of a firewall that is not implementing 
NAT, and the IP address is transparent to the outside world, and people 
accessing the server are using the IP address when browsing, which is a 
security risk (hole). Authentication is through TACACS+ or an application 
server.

What is the way forward on this issue, considering that the network is 
isolated from the internal network that has the DNS server, which can resolve 
the IP address to a domain name?


Is there a way to specify an alias on the PIX to resolve the IP address to a 
domain name?








PIX Question

2000-10-11 Thread oluwakemi ojo


PIX Question

2000-10-12 Thread oluwakemi ojo


PIX question***************

2000-10-20 Thread Peter Gray

In the PIX firewall I have to allow one internal address to access one 
external address on a specific port. I am using PIX Ver 4.4. And the 
outbound statement only allows either source or destination. Is there any 
way I can do it?
Thanks



PIX question

2000-10-28 Thread Jim Bond

Hello,

Is there any way to have outside users access an
internal subnet? I see from CCO that you can only have
outside users access a particular internal host.

Thanks in advance.


Jim




PIX question

2000-10-31 Thread Syamsul

Hi everybody,

I have one PIX firewall running v 4.2(4). Based on the config, I've specified that only a
few users can go out to the internet.

But my problem is that when a user is running on an NT workstation or server, they can go
out to the internet, while users running on Win95 cannot.

Has anybody experienced this problem before? Can you share with me?

Here is the config of firewall :

PIX Version 4.2(4)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
enable password mRF4kA2yGoAg24KE encrypted
passwd mRF4kA2yGoAg24KE encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no fixup protocol smtp 25
names
name 172.21.1.65 Adachi
name 172.21.1.111 ECT
name 172.21.1.78 Inagaki
name 172.21.1.75 Kato
name 172.21.1.201 Konishi
name 172.21.1.92 Lim_Tiong_
name 172.21.1.113 TKL
name 172.21.1.67 Taishi
name 172.21.1.50 Kobayashi
name 172.21.1.3 MY_NT5
name 172.21.1.6 MY_99
name 172.21.1.17 S1019
name 172.21.1.5 MY01
name 172.21.1.1 MY00
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
pager lines 24
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
ip address outside 202.x.x.x 255.255.255.248
ip address inside 172.21.1.12 255.255.255.0
ip address dmz1 172.21.253.101 255.255.255.0
arp timeout 14400
global (outside) 1 202.x.x.x
nat (inside) 1 MY_NT5 255.255.255.0 0 0
nat (inside) 1 172.21.1.4 255.255.255.0 0 0
nat (inside) 1 MY_99 255.255.255.0 0 0
nat (inside) 1 Kobayashi 255.255.255.0 0 0
nat (inside) 1 Adachi 255.255.255.0 0 0
nat (inside) 1 Taishi 255.255.255.0 0 0
nat (inside) 1 Inagaki 255.255.255.0 0 0
nat (inside) 1 Lim_Tiong_ 255.255.255.0 0 0
nat (inside) 1 ECT 255.255.255.0 0 0
nat (inside) 1 TKL 255.255.255.0 0 0
nat (inside) 1 Konishi 255.255.255.0 0 0
static (inside,outside) 202.x.x.x MY_99 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.21.253.17 S1019 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.21.253.5 MY01 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.21.253.1 MY00 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 202.x.x.x eq smtp any
conduit permit ip host 172.21.253.17 any
conduit permit ip host 172.21.253.5 any
conduit permit ip host 172.21.253.1 any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz1 passive
no rip dmz1 default
route outside 0.0.0.0 0.0.0.0 202.x.x.x 1
route dmz1 172.21.252.0 255.255.255.0 172.21.253.102 1
route dmz1 192.168.42.0 255.255.255.0 172.21.253.102 1
route dmz1 172.21.254.0 255.255.255.0 172.21.253.102 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 172.21.1.116 255.255.255.255
telnet 172.21.1.12 255.255.255.255
telnet ECTan 255.255.255.255
telnet timeout 5
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
floodguard 1

Thanks.




PIX QUESTION********

2000-11-10 Thread Peter Gray

I am using PIX 515 IOS ver 4.4.  I have to allow only one inside user to 
access an Internet address on a particular port. I am using an outbound 
statement with except to do this. But it is not working. Can anyone shed some 
light on that? Here is what I am doing:
A user from 10.6.x.x subnet needs to access internet address 200.121.x.x on 
port 1222.

outbound 102 permit 200.121.x.x 255.255.255.255 1222 tcp
outbound 102 except 10.6.x.x 255.255.255.255 0 0
apply (inside) 102 outgoing_dest







PIX question

2000-11-12 Thread SH Wesson

In regards to a pix, I have the following question.

When I'm trying to restrict access from the inside to the DMZ, how would I 
do that, and can you give some examples?  For example, do I use an access 
list or an outbound command, and what are the differences between the two?

In addition, is there a book out there that teaches us PIX configuration?  
Is there a Cisco PIX certification at the present time?

Thanks.

Scott



PIX question

2000-06-30 Thread Jim Bond

Hello,

I'm trying to study PIX. Is 506 good enough?
Thanks in advance.

Jim




Fw: PIX question

2001-03-07 Thread Allen May

OK a little more info.  We have a PIX-PIX VPN set up so encryption only
pertains to connections between the two office locations over a dedicated
connection.  In our location, there is a network outside the PIX before it
goes to the Router to the other location.  The box sitting on the outside
the pix but inside the router is the one that needs to have a port opened to
a syslog server on the inside interface of the PIX.

Tried setting a static IP so the syslog server has an IP on the outside
interface subnet.
Opened a conduit for that VIP for syslog.
Added to the ACL of the PIX-PIX VPN when the above 2 didn't work (& it
should because the VPN is only for destined traffic between the 2 sites).

Anything else?  Ports I missed?  I believe it was 514 but the PIX translates
it to syslog when you open that port.


- Original Message -
From: "Allen May" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 06, 2001 4:23 PM
Subject: PIX question






Fw: PIX question

2001-03-07 Thread Allen May

Crap..typo below.  Box sitting outside the pix needs to log to the syslog
server inside the pix.
- Original Message -
From: "Allen May" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 07, 2001 9:17 AM
Subject: Fw: PIX question






RE: PIX question

2001-03-08 Thread Richie, Nathan

If you can show the configs (minus security information) it might be easier
to help you figure out the problem.  I am thinking it could be an
access-list misconfiguration, or a conduit permit misconfiguration, but
without the configs to look at, it is hard to advise.

-Original Message-
From: Allen May [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 07, 2001 10:40 AM
To: [EMAIL PROTECTED]
Subject: Fw: PIX question






Re: PIX question

2001-03-08 Thread Allen May

IP addresses altered/censored for my own CYA ;)

207.207.77.x/24 is outside the PIX.  I want something to get into
207.207.93.x (inside) for syslog.  As you can see I tried statics,
conduits, and even tried another ACL #81 (which I removed).  Nothing
seemed to work.

: Saved
:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname 
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names

access-list 80

pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
logging host inside 
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 207.207.77.254 255.255.255.0
ip address inside 207.207.93.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 207.207.93.133-207.207.93.190
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 207.207.77.57 207.207.93.148 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 207.207.77.253 eq 32802 any
conduit permit tcp host 207.207.93.190 host 161.58.218.96 eq 9100
conduit permit udp host 207.207.77.57 host 207.207.77.50 eq syslog
rip outside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0  1

route outside  255.255.0.0  1
route outside  255.255.255.0  1
timeout xlate 3:00:00 conn 2:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside  /var/tftp/px-confg
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map insync 10 ipsec-isakmp
crypto map insync 10 match address 80
crypto map insync 10 set peer 
crypto map insync 10 set transform-set strong
crypto map insync interface outside
isakmp enable outside
isakmp key  address  netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet  inside
telnet timeout 15
terminal width 80

  - Original Message -
  From: Richie, Nathan
  To: 'Allen May' ; [EMAIL PROTECTED]
  Sent: Thursday, March 08, 2001 12:31 PM
  Subject: RE: PIX question



Re: PIX Question

2000-10-09 Thread Rodgers Moore

I'm not sure I understand what you're trying to do.  It sounds like reverse
DNS, but I'm not sure why you'd want to do a reverse fix-up.  Why not just
implement the reverse entry in your DNS server and not worry about the
PIX?

I suspect what you want is: 'www.mydomain.com' to resolve to 12.x.x.x for
the internet (the outside) and 192.168.x.x for your local LAN (the inside).
Check out the ALIAS command.  It is for this exact purpose.

Rodgers Moore, CCDP, CCNP-Security
Design and Security Consultant
Data Processing Sciences, Corp.

"oluwakemi ojo" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...





RE: PIX question***************

2000-10-20 Thread Evan Francen

Use an outbound access-list.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pix44cfg/pix44cfg.htm

Hope this helps,
Evan Francen

-Original Message-
From: Peter Gray [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 20, 2000 5:13 PM
To: [EMAIL PROTECTED]
Subject: PIX question***






Re: PIX question***************

2000-10-24 Thread Bob

Hello:


The PIX allows by default everything going from a higher security level
(Inside=100, DMZ=50, Outside=0) to a lower security level. Unless you have
changed this, your outbound packets are probably fine, but when that one external
address tries to respond to the internal address on a high port# it can't.
If this is the case, make sure you have a conduit allowing access from the
external address to the internal address on whatever port the application
requires.

Regards
Bob G




Evan Francen <[EMAIL PROTECTED]> wrote in message
news:E580CB8FBC72D211A94A00A0C9B57292020A503C@EXCHANGE_SERVER...





Re: PIX question

2000-10-29 Thread Travis Gamble

If you have enough external IP addresses, then yes, you can have an entire
subnet be accessible from the outside world.  If you check the static
(inside,outside) command, there is a way to specify a network address and
subnet mask for the translation.

However, if you only have a few addresses then no, it isn't possible.  If
you think about it... if you have 200 web servers, and only 10 external
addresses... if a request comes in on one of those 10 external addresses,
how would the PIX know which server to send it to?

Travis
- Original Message -
From: "Jim Bond" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, October 28, 2000 2:44 PM
Subject: PIX question



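An added example, not code from the thread or from Cisco: a small Python model of the `static` and `conduit` lines quoted in Allen's config above, evaluating an inbound packet the way the conduit syntax reads, with a port operator after the global address matching the packet's destination port and one after the foreign address matching its source port; it also works through Travis's point that a net static exposes a whole block host for host. The net static in 192.0.2.0/24 and the conduit variant with the operator moved are constructed; only the `eq` operator is modelled.

```python
import ipaddress

# PIX accepts service keywords for ports; this subset covers the thread's lines.
PORT_NAMES = {"syslog": 514, "smtp": 25, "www": 80, "ftp": 21}


def parse_addr(t, i):
    """Parse 'host A', 'any' or 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_port_op(t, i):
    """Parse an optional 'eq PORT' at t[i] (only the eq operator is modelled)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_conduit(line):
    """conduit permit|deny PROTO GLOBAL [eq PORT] FOREIGN [eq PORT]

    A port operator after the global address is the destination port of an
    inbound packet; one after the foreign address is its SOURCE port.
    """
    t = line.split()
    glob, i = parse_addr(t, 3)
    dport, i = parse_port_op(t, i)
    foreign, i = parse_addr(t, i)
    sport, i = parse_port_op(t, i)
    return {"action": t[1], "proto": t[2], "global": glob, "dport": dport,
            "foreign": foreign, "sport": sport}


def parse_static(line):
    """static (inside,outside) GLOBAL LOCAL netmask MASK ... (host or net)."""
    t = line.split()
    mask = t[t.index("netmask") + 1]
    return {"global": ipaddress.ip_network(f"{t[2]}/{mask}", strict=False),
            "local": ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)}


def untranslate(statics, dst):
    """Inside address behind a global address, or None if no static covers it.

    A net static maps host N of the global block to host N of the local
    block, which is how one static line can expose a whole subnet.
    """
    ip = ipaddress.ip_address(dst)
    for s in statics:
        if ip in s["global"]:
            offset = int(ip) - int(s["global"].network_address)
            return str(ipaddress.ip_address(int(s["local"].network_address) + offset))
    return None


def inbound_decision(statics, conduits, proto, src, sport, dst, dport):
    """Verdict and inside address for one outside-to-inside packet.

    No static means the destination has no translation at all; otherwise
    the first matching conduit decides, and no match is a deny.
    """
    local = untranslate(statics, dst)
    if local is None:
        return "no-xlate", None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for c in conduits:
        if c["proto"] not in (proto, "ip"):
            continue
        if d not in c["global"] or s not in c["foreign"]:
            continue
        if c["dport"] is not None and c["dport"] != dport:
            continue
        if c["sport"] is not None and c["sport"] != sport:
            continue
        return c["action"], local
    return "deny", local


# Static and conduit lines as posted in the thread above.
STATICS = [parse_static(
    "static (inside,outside) 207.207.77.57 207.207.93.148 netmask 255.255.255.255 0 0")]
CONDUIT_AS_POSTED = [parse_conduit(
    "conduit permit udp host 207.207.77.57 host 207.207.77.50 eq syslog")]
# Constructed variant: the same conduit with the operator on the global side.
CONDUIT_DST_PORT = [parse_conduit(
    "conduit permit udp host 207.207.77.57 eq syslog host 207.207.77.50")]
# Constructed net static in documentation address space, for the subnet case.
NET_STATICS = [parse_static(
    "static (inside,outside) 192.0.2.0 10.1.1.0 netmask 255.255.255.0 0 0")]


def syslog_from_ephemeral_port(conduits):
    """The outside box logging to the static's address from an ephemeral source port."""
    return inbound_decision(STATICS, conduits, "udp",
                            "207.207.77.50", 40000, "207.207.77.57", 514)
```

Against the conduit as posted, `syslog_from_ephemeral_port` comes back `("deny", "207.207.93.148")` because the operator constrains the source port, while the variant with `eq syslog` after the global address returns `("permit", "207.207.93.148")`.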



RE: PIX question

2000-10-31 Thread Aamir Lakhani

If you want to control who gets out, try using an outbound access list and
apply it to your outside interface.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 31, 2000 8:40 PM
To: [EMAIL PROTECTED]
Subject: PIX question


Hi everybody,

I have one PIX firewall running v 4.2(4). Based on the config, i've
specified only a few user can go
out to internet.

But, my problem is when a user running on NT w/s or server, they can go out
to internet while not
for users running on win95.

Anybody experienced the problem before??. Can you share with me?.

Here is the config of firewall :

PIX Version 4.2(4)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
enable password mRF4kA2yGoAg24KE encrypted
passwd mRF4kA2yGoAg24KE encrypted
hostname PIX
<--- More --->
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no fixup protocol smtp 25
names
name 172.21.1.65 Adachi
name 172.21.1.111 ECT
name 172.21.1.78 Inagaki
name 172.21.1.75 Kato
name 172.21.1.201 Konishi
name 172.21.1.92 Lim_Tiong_
name 172.21.1.113 TKL
name 172.21.1.67 Taishi
name 172.21.1.50 Kobayashi
name 172.21.1.3 MY_NT5
name 172.21.1.6 MY_99
name 172.21.1.17 S1019
name 172.21.1.5 MY01
name 172.21.1.1 MY00
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
<--- More --->
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
pager lines 24
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
ip address outside 202.x.x.x 255.255.255.248
ip address inside 172.21.1.12 255.255.255.0
ip address dmz1 172.21.253.101 255.255.255.0
arp timeout 14400
global (outside) 1 202.x.x.x
nat (inside) 1 MY_NT5 255.255.255.0 0 0
nat (inside) 1 172.21.1.4 255.255.255.0 0 0
nat (inside) 1 MY_99 255.255.255.0 0 0
nat (inside) 1 Kobayashi 255.255.255.0 0 0
nat (inside) 1 Adachi 255.255.255.0 0 0
nat (inside) 1 Taishi 255.255.255.0 0 0
nat (inside) 1 Inagaki 255.255.255.0 0 0
nat (inside) 1 Lim_Tiong_ 255.255.255.0 0 0
<--- More --->
nat (inside) 1 ECT 255.255.255.0 0 0
nat (inside) 1 TKL 255.255.255.0 0 0
nat (inside) 1 Konishi 255.255.255.0 0 0
static (inside,outside) 202.x.x.x MY_99 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.21.253.17 S1019 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.21.253.5 MY01 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.21.253.1 MY00 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 202.x.x.x eq smtp any
conduit permit ip host 172.21.253.17 any
conduit permit ip host 172.21.253.5 any
conduit permit ip host 172.21.253.1 any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz1 passive
no rip dmz1 default
route outside 0.0.0.0 0.0.0.0 202.x.x.x 1
route dmz1 172.21.252.0 255.255.255.0 172.21.253.102 1
route dmz1 192.168.42.0 255.255.255.0 172.21.253.102 1
route dmz1 172.21.254.0 255.255.255.0 172.21.253.102 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 172.21.1.116 255.255.255.255
telnet 172.21.1.12 255.255.255.255
telnet ECTan 255.255.255.255
telnet timeout 5
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
floodguard 1

Thanks.

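As an added example (not code from the post or from Cisco), a small audit of the kinds of lines in the config above: it resolves the `name` aliases, then flags `nat` entries whose host address is paired with a /24 mask (the PIX matches the address under the mask, so each such line selects the whole subnet rather than one host), the wide-open `conduit` lines, the default SNMP community and the disabled syslog trap. The sample is a constructed excerpt of the posted config, with the masked 202.x.x.x address replaced by the placeholder 202.0.0.10.

```python
"""Audit PIX-style configuration lines for weak or self-defeating settings.

Added example for the config posted above; it is not code from the post or
from Cisco. It resolves 'name' aliases, then checks the 'nat', 'conduit',
'snmp-server' and 'logging' lines the way a reviewer would read them.
"""
import ipaddress
import re

# Constructed excerpt of the posted configuration. The masked 202.x.x.x
# address in the post is replaced by the placeholder 202.0.0.10.
SAMPLE_CONFIG = """\
name 172.21.1.3 MY_NT5
name 172.21.1.6 MY_99
nat (inside) 1 MY_NT5 255.255.255.0 0 0
nat (inside) 1 172.21.1.4 255.255.255.0 0 0
nat (inside) 1 MY_99 255.255.255.0 0 0
static (inside,outside) 202.0.0.10 MY_99 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 202.0.0.10 eq smtp any
conduit permit ip host 172.21.253.17 any
no logging trap
snmp-server community public
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
# nat (if_name) nat_id local_ip [netmask [max_conns [em_limit]]]
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+)(?: (\S+))?(?: (\d+))?(?: (\d+))?$")
CONDUIT_RE = re.compile(r"^conduit permit (\w+) (.+)$")


def parse_names(text):
    """Map each 'name' alias to its address."""
    names = {}
    for line in text.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def audit(text):
    """Return a list of (code, line_no, detail) findings for the config."""
    names = parse_names(text)
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            _iface, nat_id, local, mask, max_conns, _em_limit = m.groups()
            try:
                addr = ipaddress.ip_address(names.get(local, local))
            except ValueError:
                continue  # e.g. 'nat (inside) 0 access-list ...' forms
            net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}",
                                       strict=False)
            # The PIX matches local_ip under netmask, so a host address
            # with a /24 mask selects the whole /24, not one host.
            if net.num_addresses > 1 and addr != net.network_address:
                findings.append(("NAT_MASK_COVERS_SUBNET", no,
                                 f"{local} {mask} matches all of {net}, not just {addr}"))
            # max_conns 0 (or omitted) means no connection limit on the entry.
            if max_conns in (None, "0"):
                findings.append(("NAT_NO_CONN_LIMIT", no,
                                 f"nat id {nat_id} for {local} has no max_conns"))
            continue
        m = CONDUIT_RE.match(line)
        if m:
            proto, rest = m.groups()
            if proto == "icmp" and rest == "any any":
                findings.append(("CONDUIT_ICMP_ANY", no,
                                 "ICMP allowed from anywhere to anywhere"))
            elif proto == "ip" and rest.endswith(" any"):
                findings.append(("CONDUIT_ALL_IP", no,
                                 f"every IP protocol from any source: {rest}"))
            continue
        if line.startswith("snmp-server community "):
            if line.split()[-1].lower() in ("public", "private"):
                findings.append(("SNMP_DEFAULT_COMMUNITY", no, line))
        elif line == "no logging trap":
            findings.append(("NO_LOGGING_TRAP", no,
                             "no syslog export; events never leave the box"))
    return findings


if __name__ == "__main__":
    for code, no, detail in audit(SAMPLE_CONFIG):
        print(f"line {no}: {code}: {detail}")
```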



Re: PIX question

2000-10-31 Thread whatshakin

Can your 95 users ping the gateway by IP address and hostname?


- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 31, 2000 6:40 PM
Subject: PIX question


> Hi everybody,
>
> I have one PIX firewall running v 4.2(4). Based on the config, i've
specified only a few user can go
> out to internet.
>
> But, my problem is when a user running on NT w/s or server, they can go
out to internet while not
> for users running on win95.
>
> Anybody experienced the problem before? Can you share with me?
>



Fwd: PIX QUESTION********

2000-11-10 Thread Peter Gray

I am using PIX 515 IOS ver 4.4.  I have to allow only one inside user to
access an Internet address on a particular port. I am using outbound
statement with except to do this. But it is not working. Can anyone shed some
light on that? Here is what I am doing:
A user from 10.6.x.x subnet needs to access internet address 200.121.x.x on
port 1222.

outbound 102 permit 200.121.x.x 255.255.255.255 1222 tcp
outbound 102 except 10.6.x.x 255.255.255.255 0 0
apply (inside) 102 outgoing_dest








RE: PIX QUESTION********

2000-11-10 Thread SINEATH, JOSEPH E (AIT)

Peter,

I believe that the correct configuration would be to deny 10.6.x.x access to
any outside addresses:

outbound 102 deny 10.6.x.x 255.255.255.255 0 0

and then to allow access to the 200.121.x.x server on port 1222 with an
except statement:

outbound 102 except 200.121.x.x 255.255.255.255 1222 tcp

Please let me know if that worked for you.

Regards,
Eric Sineath
CCIE (R/S) #4504
CCIE (Design) Passed, but no number yet 
Senior Consultant
SBC DataComm





Simple PIX question

2000-06-24 Thread Duncan Maccubbin

  I hate to ask this but how do I put a secondary ip address on the inside 
interface of a PIX 515? I could not find it on CCO and there doesn't appear 
to be a secondary command.

Thanks,

Duncan
===
Duncan Maccubbin | [EMAIL PROTECTED]
Senior Network Engineer
MCP+I,MCSE,CCNA,CCDA,CCNP
CapuNet, LLC - Corporate Internet Solutions
(301) 881-4900 x8039
=== 




Re: PIX question

2000-06-30 Thread Russell Lusignan

It's fine for software config. The PIX 506 is not hardware upgradable, so
if you just plan on using it to learn the IOS, then it should do nicely.

Hope that helps
Russ..

"Jim Bond" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hello,
>
> I'm trying to study PIX. Is 506 good enough?
> Thanks in advance.
>
> Jim
>



PIX Question on VPNs

2001-03-15 Thread Vijay Ramcharan

Hi everyone,
I have a question on the operation of VPNs when using a PIX and connecting
via PPTP from a Win2K client.

Suppose I have a PIX that is setup to accept PPTP connections and
dynamically assign the client an IP address from a LAN subnet after they've
been authenticated on the PIX.
After the VPN tunnel is established, is it possible to go to a website while
the tunnel is active?
The nat (inside) 0 command is used on the PIX.





PIX Question [7:2061]

2001-04-26 Thread Sammi

Hello all,
I am trying to decide which PIX model to purchase; the 520 or the 515.
I am bringing in a 256k pipe. The telco is supplying the router, I do
not know which model at this point.
The PIX will need to be licensed for 150 users max, can go much less
if licensing is based on concurrent sessions.
I have my quotes but, having no first hand knowledge of the product, I
am a little mystified by some of the specs and figures. I will
certainly research, and talk to the sales rep, but would like to get
some feedback from the experts. 
While there may be cheaper, and easier (though probably less
effective), firewall options, I am looking at this as both a practical
and educational purchase. 

While the 520 chassis is significantly larger than the 515, I cannot
discern added hardware or functionality that accounts for the
differences. More RAM in the 520, but that doesn't account for the
bulk. Can anyone shed light on this? 
I am also concerned that the 515 must be booted via tftp. I am not
comfortable with single options, and in fact have never configured
tftp on either end. Though I imagine it isn't too difficult.

Some particulars:

PIX-515:

PIX-515 Chassis only: $1630.00 (the "only" does not refer to price)
PIX-515, 8x8NBD Svc, Pix-515 Chassis. Add service for S/W Lic: $900.00

Ok, the above is confusing. Is it simply saying the licensing is $900?
The mention of the chassis again is what throws me off. And I
understand that would be for unlimited users, as that is the only
licensing mode for the 515?
But then we have:
Software license for redundant PIX 515: $326.00
So, does that mean if I'm purchasing the box for a backup role to an
existing, I'm getting a deal on the license? 

PIX-520:

PIX 520 Chassis only: $2347.20
PIX 520 8x5xNBD Svc, PIX Firewall 520 Chassis: $1500.00

Now, notice the two lines above could, on first glance, be mistaken as
identical to the first two specs for the 515, but they are actually
telling me different things. I'm not understanding the distinction.
And then I again have the line item  "software license for redundant
PIX 520".

So, I'm a little confused. Could someone take a moment to shed some
light on what is being offered, what considerations I should be making
related to our needs, any general advice?

Oh, and a good book on configuring and working with the PIX box ;-)

Thank you!


*
If you wish to reply via email, please remove spam block from my
address.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2061&t=2061



PIX question... [7:5248]

2001-05-21 Thread Rizzo Damian

Hey all, is it possible to translate public IP addresses (outside) to
private IP addresses (inside) on a PIX firewall? Basically the exact
opposite of what's usually performed on a firewall. We are going to have
users dial in to our internet router and receive a public IP address. They
have to get through our firewall to gain access to our LAN. Is there a way
to translate the public IP address they will obtain into a private IP
address used by our LAN so they can access it? I thank you for your help...
 
 
  -Rizzo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5248&t=5248



PIX question [7:33933]

2002-01-31 Thread Ali, Abbas

The recommended design for PIX is to have your webserver in a private network
segment hanging off the dmz port, and then statically map the private IP
address to a public IP address.

In this design, before the customer decided to have a PIX for security, they were
running their webserver with at least 25 virtual IP addresses (all public)
spanning two different network segments. Obviously the PIX could only respond
to an IP address assigned to the PIX's dmz port from one of the two network
segments. The customer decided to add one more NIC card into the webserver and
then attach it to another dmz port for the second network segment. I
believe I will have to disable NAT on the PIX because the webserver will still
be using public IP addresses, and there will be no natting. The other
approach I could take is to use static mapping and a conduit with the same IP
address.

For example, If one of the web addresses is mapped to public IP address
63.83.198.21, I could statically map to the same address.

static (dmz, outside) 63.83.198.21 63.83.198.21 255.255.255.255
conduit permit tcp host 63.83.198.21 eq www any.

Will both approaches work? Which one will be better, given that I am talking
about at least 25 addresses?

Another question: the customer purchased one more public block with 6 IP
addresses for their media server, 208.21.233.48/29. They want to use 2 out
of the 6 IP addresses for the media server, which will be on another dmz port,
and again they will actually assign public IP addresses to the boxes themselves,
so again there will be no natting, or I could use the same technique which I
mentioned above, which is to statically map with the same IP addresses. The
question is that the customer wants to use the last 4 addresses for the
internal users to browse the network. So, I will have to create a global
pool and PAT (if necessary). Will the PIX be able to differentiate among the 6
addresses, 2 coming out from the dmz and the rest of them used for the
users coming out from the internal network?

Logically, it will work, but I need input from the forum experts.

Regards,

AA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33933&t=33933



PIX question [7:34630]

2002-02-06 Thread BASSOLE Rock

Hi group,


I want to know what is Long Distance State Sharing (LDSS) and for what
reason it's supported by the stateful failover? 
Also why the PIX does not transfer HTTP (port 80) session in stateful
failover?

Thank you.

Rock .




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34630&t=34630



pix question [7:36500]

2002-02-26 Thread george gittins

I have a pool of IP addresses I'm assigning as they leave my internal network.
Is there a way I can assign specific global IP addresses to inside networks?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36500&t=36500



PIX Question [7:37893]

2002-03-11 Thread Ali, Abbas

I have just installed a PIX firewall with three interfaces.  The Inside
network is 192.168.1.0 and the DMZ network is 192.168.2.0.

There are a few webservers on the dmz network that need to have access to
all the servers on the inside network. Technically I am going to have to
statically map each server on the inside network to an unused address on
the dmz network and then open the conduit permission.

For example, I have an NT server running on 192.168.1.12. In order for the
webserver to connect to this box I will have to do

Static(inside, dmz) 192.168.2.12 192.168.1.12 netmask 255.255.255.255
conduit permit tcp host 192.168.2.12 host any or 192.168.1.12.

It will be very tedious and I will waste so many addresses on the dmz network
in order to create a mapping entry for all the servers on the inside network.


Is there any simpler way of doing it? Can I map the whole dmz network to the
inside network instead of mapping each unused address to an inside address?

Abbas Ali, AVVID, CCDP, CCNP, MCSE
Network Engineer II
NextiraOne, LLC
Tel: 714.428.3367
Pager: 714.748.4817
Email: [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37893&t=37893



pix question [7:39560]

2002-03-27 Thread george gittins

What's the equivalent of show access-list on the PIX?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39560&t=39560



PIX Question !!! [7:40465]

2002-04-04 Thread Avi

Hi,

I am facing a problem on PIX 515 as described  below.
Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:
-


  H - 216.6.24.130  255.255.255.192
   |
   |Public Accessed Servers(216.6.24.0 - Public
addresses)
   |
   | - 216.6.24.129  255.255.255.192
PIX
   | - 192.168.2.14 /30
   |
   |
   | - 192.168.2.13 /30
  R
   | - 192.168.2.6 /30
   |
   |
   | - 192.168.2.5 /30
  R   (ISP Router)
   |
   |
   |Proxy Server
   |  192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable traps
telnet 216.6.24.16 255.255.255.255
telnet timeout 15
terminal width 80

PROBLEM


My problem is from host 216.6.24.130 I can ping the inside interface of the PIX, but
I can't ping the outside interface of the PIX nor the internal router.
Also I am not able to ping the proxy server.
Sitting on the PIX I am able to ping inside as well as outside, even the
proxy server. Also outside hosts are able to reach the host 216.6.24.130.

Can someone please throw some light on this as to where I am going wrong or if I
am missing some command?

Your kind help will be appreciated a lot.

Thanxs & Rgds,
Avi.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40465&t=40465



PIX Question [7:15518]

2001-08-09 Thread Bruce Williams

I have many devices on the inside (most secure) interface of my PIX that I
need to allow telnet and ftp access to users from the outside (least secure)
interface of the PIX. I know that I can create a static map to the inside IP
addresses, but I don't have enough outside IP addresses to support all of the
devices on the inside. I am using PAT to allow users from the inside (most
secure) interface to get access to the outside (less secure) interface.  Can
I use PAT the same way to allow outside users to access the inside servers
on one address or is there a way to open the PIX up for all users from the
outside to get in on a temporary basis?

Bruce Williams
215-275-2723
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15518&t=15518



Pix question [7:26832]

2001-11-20 Thread Ramesh c

1) I got a PIX in a test (all internal) environment (configured as
outside, inside and DMZ). Do I need to use NAT to connect to the outside
segment from inside, or vice versa? Since the PIX can act as a router, will
enabling routing solve this purpose without the use of NAT, applying access lists
later for security?

2) I want to open all the TCP ports for a particular host. How
do I go about it?


cheers
Ramesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26832&t=26832



PIX question [7:63892]

2003-02-26 Thread Edward Sohn
Does someone know what the equivalent of "clear counters" is on the PIX?
I don't know why, but I can't find a thing...

thanks,

ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63892&t=63892


PIX question [7:64289]

2003-03-03 Thread Sam
e0(outside)64.5.5.1 (internet IP)
e2(dmz)172.16.1.50

I issued this command
static (dmz,outside) 64.5.5.10 172.16.1.50

1) This means that outside hosts would be able to telnet to 64.5.5.10 and
they would in turn actually be accessing 172.16.1.50. Of course I would have
the access list configured.

2) Does it also mean that when 172.16.1.50 accesses websites, the
websites would log the IP 64.5.5.10 or 172.16.1.50?

When I tried out the above, Condition 1 above is working fine.

Condition 2 doesn't seem to work. The hosts are actually logging the actual
IP 172.16.1.50, while I was under the impression that the IP logged would be
64.5.5.10.

Any ideas?

Thank  You




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64289&t=64289


PIX question [7:64518]

2003-03-05 Thread Joupin
Hi

How could I back up a PIX IOS with TFTP? It seems that it's not as easy as a
router or switch IOS backup.

Regards
joupin
www.joupin.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64518&t=64518


PIX Question [7:65095]

2003-03-11 Thread Manny
I ran into a situation today where we had a machine that was trying to FTP
through the firewall. We allow FTP outbound. The problem that came up was
that the user had no idea that an FTP client was setup on his machine. The
FTP client (spyware) kept trying to connect to a server (ispynow.com) using
the incorrect user name and password. For every attempt an xlate entry was
created. It created about 7000 entries in a matter of minutes. The firewall
was paralyzed. I had to console in and look at the xlate table. Even through
the console I had a hard time viewing the table. Is there any way to prevent
this from happening again? This is the second time this year an incident of
this nature with the xlate table has occurred. How can I monitor the xlate
table for strange behavior?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65095&t=65095
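One way to watch the xlate table for the pattern described above, as an added example that is not code from the post or from Cisco: parse `show xlate` output, count translation slots per inside (Local) address and flag any host holding more than a threshold. The sample output is constructed in the style of PIX `show xlate` lines, and the exact layout differs between software versions, so `XLATE_RE` is an assumption to adjust against your own box.

```python
"""Spot a runaway inside host in 'show xlate' output before the table fills.

Added example for the xlate-flood incident described above; not code from
the post or from Cisco. The sample output is constructed in the style of
PIX 'show xlate' lines; XLATE_RE is an assumption about that layout.
"""
import re
from collections import Counter

HEADER_RE = re.compile(r"^(\d+) in use, (\d+) most used")
XLATE_RE = re.compile(
    r"^(PAT )?Global (\d+\.\d+\.\d+\.\d+)(?:\((\d+)\))?"
    r" Local (\d+\.\d+\.\d+\.\d+)(?:\((\d+)\))?$"
)


def _constructed_sample():
    """Build sample output: one host burning a PAT slot per failed attempt."""
    lines = ["53 in use, 7003 most used"]
    for i in range(50):  # constructed: 50 PAT slots held by one inside host
        lines.append(f"PAT Global 203.0.113.5({1024 + i}) Local 10.1.1.42({1300 + i})")
    lines.append("PAT Global 203.0.113.5(1100) Local 10.1.1.7(2001)")
    lines.append("PAT Global 203.0.113.5(1101) Local 10.1.1.9(2002)")
    lines.append("Global 203.0.113.20 Local 10.1.1.100")  # static, one-to-one slot
    return "\n".join(lines)


SAMPLE_SHOW_XLATE = _constructed_sample()


def table_usage(text):
    """Return (in_use, most_used) from the header line, or None if absent."""
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def parse_xlate(text):
    """Return one dict per translation slot found in the output."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        pat, gaddr, gport, laddr, lport = m.groups()
        entries.append({
            "pat": pat is not None,
            "global": gaddr, "gport": int(gport) if gport else None,
            "local": laddr, "lport": int(lport) if lport else None,
        })
    return entries


def slots_per_local(entries):
    """Count translation slots held by each inside address."""
    return Counter(e["local"] for e in entries)


def flag_hosts(counts, threshold):
    """Inside hosts holding more than `threshold` slots, busiest first."""
    return sorted(((h, n) for h, n in counts.items() if n > threshold),
                  key=lambda hn: (-hn[1], hn[0]))


def report(text, threshold=25):
    """Summarise one capture of 'show xlate' output."""
    entries = parse_xlate(text)
    return {
        "usage": table_usage(text),
        "parsed": len(entries),
        "flagged": flag_hosts(slots_per_local(entries), threshold),
    }


if __name__ == "__main__":
    r = report(SAMPLE_SHOW_XLATE)
    print(f"table: {r['usage']}, parsed {r['parsed']} slots")
    for host, n in r["flagged"]:
        print(f"ALERT {host} holds {n} translation slots")
```

Run it against periodic captures; a host whose slot count climbs between captures is the one to look at, and the `max_conns` field on `nat` lines (the trailing `0 0` in the configs on this page means unlimited) together with `timeout xlate` are the knobs that bound how many slots an entry can hold and how long an idle one survives.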


PIX question [7:65769]

2003-03-19 Thread Sam
Hey there

Mostly, firewall design includes a DMZ. In most companies, within this DMZ,
is it more likely to see the servers directly being given registered public
IPs,

OR

is it more likely to see the servers being given private IPs and then a NAT
translation created for internet users to access the servers?


Also, what are the pros and cons for the above two situations?

thx




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65769&t=65769


PIX question [7:44532]

2002-05-20 Thread Lupi, Guy

Does Cisco sell a PIX global management system, so that if you have 100
remote sites with a PIX each you can manage them from a central location?
If so, a link to a description would be great.  Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44532&t=44532



pix question [7:45639]

2002-06-02 Thread Anthony Ramsey

Hi all, 
I appreciate any feedback to my question: 
I am setting up a lab environment and initially trying
to configure a router and a PIX behind it.
my router's outside interface is connected to a cable
modem and have a live ip address assigned to it. 
cable modempix> inside
hosts. 

the router's inside interface has a private ip add. of
172.16.1.1 /24 and the pix' outside interface is
172.161.1.2 /24.  the inside interface of the pix has
an ip address of 10.1.1.1 /24 and all inside hosts
have that as the default gateway. securities are set
up correctly on the inside and outside interfaces. 
I am using a global PAT address, different from the
one on the router's interface connected to the cable
modem (no statics going on in the PIX). I am unable to
reach the internet even when I use the statement
"conduit permit ip any any", and no packets are able
to reach the 172.16.1.0 network from the inside hosts,
not even the 172.16.1.2 address which belongs to the
PIX's outside interface.
I have a "route outside 0 0 172.16.1.2" statement as
well.
from the router I can ping inside hosts, with the
correct route statement. 

hope this is enough information. please help!
thanks
Tony 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45639&t=45639



PIX question [7:45658]

2002-06-03 Thread Anil Kumar

Hi All,

Does the PIX firewall support the secondary IP address option for an
interface, as is done on a router ethernet
interface?


Thanks in Advance.

Regards.. Anil






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45658&t=45658



pix question [7:47556]

2002-06-27 Thread GEORGE

I have 3DES encryption disabled. Do I have to purchase a license to
enable it?
 
VPN-3DES:   Disabled




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47556&t=47556



Pix question [7:57869]

2002-11-22 Thread ramesh c
Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet0 100basetx
ip address outside 209.165.201.2 255.255.255.248
ip address inside 192.168.7.0 255.255.255.0
ip address dmz 172.16.1.0 255.255.255.0 
hostname pixfirewall
arp timeout 14400
no failover
names
pager lines 24
logging buffered debugging
access-list acl_out permit tcp any host 209.165.201.19
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
access-list ping_acl permit icmp any any
access-group ping_acl in interface inside
access-group ping_acl in interface dmz
access-list acl_out permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 

My question is, can my systems from inside initiate connections to the dmz with
the above configuration? Meaning, can the PIX act as a router? I read that
inside can initiate connections to the dmz or outside by default.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57869&t=57869



PIX question [7:58623]

2002-12-05 Thread Arni V. Skarphedinsson
If I have a pix separating my network from the internet with an inside and
an outside interface, then I have some servers on the inside network that I
use static to give an ip address on the outside network for hosts on the
internet to access. That's the easy part, now the question:

Is it possible for the inside hosts to access the servers that I have using
the public ip address, i.e. as if my inside hosts were accessing them from the
internet, so they would go out the pix and then back in using the public IP
address of the server they are connecting to?

does this make any sense ?


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58623&t=58623



PIX Question [7:60941]

2003-01-13 Thread Arni V. Skarphedinsson
Hi

Can anyone please tell me what the point of the following command is

static (inside,outside) 157.157.146.13 157.157.146.13 netmask 255.255.255.255 0 0

Same IP address on the inside and the outside, I have seen this used on
production networks, but can not figure out why, can anyone please explain.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60941&t=60941



PIX Question [7:51095]

2002-08-09 Thread Zahid Hassan

Hi All,

I have got a PIX firewall with two interfaces; the outside interface has a
public IP address and the inside a private IP address. I will need to connect
a server with a public IP address. I know that the PIX firewall can be
configured not to NAT a specific IP address.

Can I connect a server with a public IP address on the inside interface of
the PIX? If yes, what will be the default gateway, the inside or the outside
interface of the PIX?

Thanks in advance.

Zahid




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51095&t=51095



PIX Question [7:53832]

2002-09-21 Thread Tom Nielsen

Basic configuration issue.

I have a very simple configuration.  I have a PIX Firewall with 2 interfaces
(inside, outside).  I have an internal network, 192.168.0.0/16.  The outside
interface is x.x.17.35 - I have one additional IP address x.x.17.34 that
everyone has to nat out.  The address (.34) also will handle all incoming
mail, web and FTP requests and redirect them to a server in the 192.168.0.0/16
network.  I am confused on the static, global and nat commands for this
configuration... any help would be appreciated.

tom


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53832&t=53832



Re: PIX Question on VPNs

2001-03-15 Thread Allen May

Yep. You can also have a pool of IPs on a different subnet and a separate
NAT pool for them if you ever want to set up any kind of security to allow
VPN users access to only certain areas on the internal network...

- Original Message -
From: "Vijay Ramcharan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 15, 2001 10:33 AM
Subject: PIX Question on VPNs


> Hi everyone,
> I have a question on the operation of VPNs when using a PIX and connecting
> via PPTP from a Win2K client.
>
> Suppose I have a PIX that is setup to accept PPTP connections and
> dynamically assign the client an IP address from a LAN subnet after they've
> been authenticated on the PIX.
> After the VPN tunnel is established, is it possible to go to a website while
> the tunnel is active?
> The NAT (inside) 0 command is used on the PIX.
>
>



Re: PIX Question [7:2061]

2001-04-26 Thread Javier Contreras

Hi

The 520 is at end of life.
See in:
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/1302_pp.htm


Sammi wrote:
> 
> Hello all,
> I am trying to decide which PIX model to purchase; the 520 or the 515.
> I am bringing in a 256k pipe. The telco is supplying the router, I do
> not know which model at this point.
> The PIX will need to be licensed for 150 users max, can go much less
> if licensing is based on concurrent sessions.
> I have my quotes but, having no first hand knowledge of the product, I
> am a little mystified by some of the specs and figures. I will
> certainly research, and talk to the sales rep, but would like to get
> some feedback from the experts.
> While there may be cheaper, and easier (though probably less
> effective), firewall options, I am looking at this as both a practical
> and educational purchase.
> 
> While the 520 chassis is significantly larger than the 515, I cannot
> discern added hardware or functionality that accounts for the
> differences. More RAM in the 520, but that doesn't account for the
> bulk. Can anyone shed light on this?
> I am also concerned that the 515 must be booted via tftp. I am not
> comfortable with single options, and in fact have never configured
> tftp on either end. Though I imagine it isn't too difficult.
> 
> Some particulars:
> 
> PIX-515:
> 
> PIX-515 Chassis only: $1630.00(the "only" does not refer to price)
> PIX-515, 8x8NBD Svc, Pix-515 Chassis. Add service for S/W Lic: $900.00
> 
> Ok, the above is confusing. Is it simply saying the licensing is $900?
> The mention of the chassis again is what throws me off. And I
> understand that would be for unlimited users, as that is the only
> licensing mode for the 515?
> But then we have:
> Software license for redundant PIX 515: $326.00
> So, does that mean if I'm purchasing the box for a backup role to an
> existing, I'm getting a deal on the license?
> 
> PIX-520:
> 
> PIX 520 Chassis only: $2347.20
> PIX 520 8x5xNBD Svc, PIX Firewall 520 Chassis: $1500.00
> 
> Now, notice the two lines above could, on first glance, be mistaken as
> identical to the first two specs for the 515, but they are actually
> telling me different things. I'm not understanding the distinction.
> And then I again have the line item  "software license for redundant
> PIX 520".
> 
> So, I'm a little confused. Could someone take a moment to shed some
> light on what is being offered, what considerations I should be making
> related to our needs, any general advice?
> 
> Oh, and a good book on configuring and working with the PIX box ;-)
> 
> Thank you!
> 

-- 
---
Javier Contreras Albesa
Professional Trainer

PRO IN Training S.L.
PROfessional Information Networks
World Trade Center, Moll de Barcelona S/N
Edif Sur, Planta 4

Phone: (+34) 93-5088850 E-mail:
[EMAIL PROTECTED]
Fax:  (+34) 93-5088860 Internet:  http://www.proin.com

SHAPING THE FUTURE - BE PART OF IT!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2068&t=2061



Re: PIX Question [7:2061]

2001-04-26 Thread simonis

Sammi wrote:
> 
> 
> While the 520 chassis is significantly larger than the 515, I cannot
> discern added hardware or functionality that accounts for the
> differences. 

Probably the same reason that the NetRanger is shipped in a
4U case.  Legacy from the Wheel Group.  Small company, 4U cases
are a lot cheaper than 2U or 1U cases, and easier to construct.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2087&t=2061



Re: PIX Question [7:2061]

2001-04-26 Thread Allen May

525 has a 600MHz processor and yes...520 is going away soon.
http://www.cisco.com/warp/customer/cc/pd/fw/sqfw500/prodlit/1302_pp.htm
The 525 is very fast but very pricey too.

515 has 200MHz processor.  Although it is slower, personally I think it'll
work for networks as long as you don't get too many people on it.  I would
keep the encryption level down lower than 1024 for sure tho ;)
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pix_pa.htm
One neat thing they just added to the 515R (restricted) is that you can
purchase a software license that allows for a 3rd interface with or without
failover.  The 515R with the additional license and extra NIC is
significantly cheaper than buying a 515U (unrestricted).

Hope that helps in your decision.  It comes down to price vs kick-butt speed
;)

Allen May


- Original Message -
From: "Ian Stong" 
To: 
Sent: Thursday, April 26, 2001 9:16 AM
Subject: Re: PIX Question [7:2061]


> The 520 has a faster cpu for one thing.  (515 is a 200mhz while 520 is a 300
> or 333 mhz cpu).  Also I believe you get more slots to put interfaces in
> with the 520.
>
> But I wouldn't buy either one - buy a 525.  The 515 is too slow if you are
> going to do any IPSEC/VPN stuff - even for a small 20 user office.   As for
> the 520 since it's end of life soon and since it only has a 300+ mhz cpu -
> I'd go with something that would last for a few years - a 525 with 600+ mhz
> cpu, etc..
>
> Ian
>
> - Original Message -
> From: "simonis"
> To:
> Sent: Thursday, April 26, 2001 9:11 AM
> Subject: Re: PIX Question [7:2061]
>
>
> > Sammi wrote:
> > >
> > >
> > > While the 520 chassis is significantly larger than the 515, I cannot
> > > discern added hardware or functionality that accounts for the
> > > differences.
> >
> > Probably the same reason that the NetRanger is shipped in a
> > 4U case.  Legacy from the Wheel Group.  Small company, 4U cases
> > are alot cheaper than 2U or 1U cases, and easier to construct.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2111&t=2061



Re: PIX Question [7:2061]

2001-04-26 Thread Allen May

OK so I'm going thru emails backwards today ;)  Comments inline.

- Original Message -
From: "Sammi" 
To: 
Sent: Thursday, April 26, 2001 3:00 AM
Subject: PIX Question [7:2061]


> Hello all,
> I am trying to decide which PIX model to purchase; the 520 or the 515.
> I am bringing in a 256k pipe. The telco is supplying the router, I do

515 can handle 256K of IPSec traffic easily in my opinion.  I didn't see the
pipe bandwidth in the last message.

> not know which model at this point.
> The PIX will need to be licensed for 150 users max, can go much less
> if licensing is based on concurrent sessions.
> I have my quotes but, having no first hand knowledge of the product, I
> am a little mystified by some of the specs and figures. I will
> certainly research, and talk to the sales rep, but would like to get
> some feedback from the experts.
> While there may be cheaper, and easier (though probably less
> effective), firewall options, I am looking at this as both a practical
> and educational purchase.
>
> While the 520 chassis is significantly larger than the 515, I cannot
> discern added hardware or functionality that accounts for the
> differences. More RAM in the 520, but that doesn't account for the
> bulk. Can anyone shed light on this?
> I am also concerned that the 515 must be booted via tftp. I am not
> comfortable with single options, and in fact have never configured
> tftp on either end. Though I imagine it isn't too difficult.

tftp is easy.  ;)

>
> Some particulars:
>
> PIX-515:
>
> PIX-515 Chassis only: $1630.00(the "only" does not refer to price)
> PIX-515, 8x8NBD Svc, Pix-515 Chassis. Add service for S/W Lic: $900.00
>
> Ok, the above is confusing. Is it simply saying the licensing is $900?

Yep

> The mention of the chassis again is what throws me off. And I
> understand that would be for unlimited users, as that is the only
> licensing mode for the 515?
> But then we have:
> Software license for redundant PIX 515: $326.00
> So, does that mean if I'm purchasing the box for a backup role to an
> existing, I'm getting a deal on the license?

You're getting a deal because the failover is just sitting there idle until
the primary PIX fails.  It's not active licenses.

>
> PIX-520:
>
> PIX 520 Chassis only: $2347.20


> PIX 520 8x5xNBD Svc, PIX Firewall 520 Chassis: $1500.00
>
> Now, notice the two lines above could, on first glance, be mistaken as
> identical to the first two specs for the 515, but they are actually
> telling me different things. I'm not understanding the distinction.

Service contract

> And then I again have the line item  "software license for redundant
> PIX 520".
>
> So, I'm a little confused. Could someone take a moment to shed some
> light on what is being offered, what considerations I should be making
> related to our needs, any general advice?

1)  You need the chassis (515R is cheaper because you can purchase the extra
software to add a 3rd interface.  You have to choose failover or using it as
a DMZ type interface tho).

2)  You need the software license for # users, # interfaces

3)  Service contract optional but recommended.

One final note, check prices on pricewatch.com and cdw.com before you sign
anything with a vendor ;)  You might find a better deal on the same part
#'s.

>
> Oh, and a good book on configuring and working with the PIX box ;-)

Tons of online free docs on cisco.com.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

>
> Thank you!
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2117&t=2061



Fw: PIX Question [7:2061]

2001-04-26 Thread Allen May

haha...got filtered for s exu al content ;)  Not sure where...

- Original Message -
From: "Allen May" 
To: 
Sent: Thursday, April 26, 2001 10:16 AM
Subject: Re: PIX Question [7:2061]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2121&t=2061



Re: PIX Question [7:2061]

2001-04-26 Thread Ian Stong

The 520 has a faster cpu for one thing.  (515 is a 200mhz while 520 is a 300
or 333 mhz cpu).  Also I believe you get more slots to put interfaces in
with the 520.

But I wouldn't buy either one - buy a 525.  The 515 is too slow if you are
going to do any IPSEC/VPN stuff - even for a small 20 user office.   As for
the 520 since it's end of life soon and since it only has a 300+ mhz cpu -
I'd go with something that would last for a few years - a 525 with 600+ mhz
cpu, etc..

Ian

- Original Message -
From: "simonis" 
To: 
Sent: Thursday, April 26, 2001 9:11 AM
Subject: Re: PIX Question [7:2061]


> Sammi wrote:
> >
> >
> > While the 520 chassis is significantly larger than the 515, I cannot
> > discern added hardware or functionality that accounts for the
> > differences.
>
> Probably the same reason that the NetRanger is shipped in a
> 4U case.  Legacy from the Wheel Group.  Small company, 4U cases
> are alot cheaper than 2U or 1U cases, and easier to construct.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2099&t=2061



Cisco Pix Question [7:4729]

2001-05-16 Thread Roger Sohn

Here are the following concerns my client has in regards to their
configuration.  Please give me your thoughts on this situation.

--

Here are a few of the Questions we have in relation to the PIX 515 Firewall.

We are using IOS 5.2 on the PIX just so you know.

We need to Re-IP the Crypto Map used in the PIX to Connect to a Router in
Sweden. I know certain statements like the one below will disappear when the
Access-List for the VPN is changed. We need to make sure there are no other
statements that do something along the same lines.

crypto map mymap 5 match address 100

We also want to check that the statements that affect the VPN Tunnel's
Lifetime and Bit Size are correct and Reasonable; we have noticed a lagging
effect on the VPN Tunnel and this could be due to misconfigurations, or just
general Internet traffic. This is an experience Question, because these are
based on Traffic Flow; the size of the company, the pipe to the Internet and
the General Traffic are all concerns to make when setting these numbers. We
use a Full T1 and don't host any Public Services Like DNS, WWW, or FTP for
anyone outside of our company. My feeling is these numbers are based off the
books and not necessarily based on our Company, therefore they could be
incorrect. So I wish to have someone tell me their feelings on these
settings we are currently using.

crypto ipsec security-association lifetime seconds 86400
crypto map mymap 5 set security-association lifetime seconds 9600 kilobytes 4608000

There are also Statements that dictate the lifetime of Translations; again
we wish to make sure they are reasonable.

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4729&t=4729



Re: PIX question... [7:5248]

2001-05-21 Thread Richard Tufaro

Scary, use VPN

>>> "Rizzo Damian"  05/21 10:15 AM >>>
Hey all, is it possible to translate public IP addresses (outside) to
private IP addresses (inside) on a PIX firewall. Basically the exact
opposite of what's usually performed on a firewall. We are going to have
users dial in to our internet router and receive a Public IP address. They
have to get through our firewall to gain access to our LAN. Is there a way
to translate the Public IP address they will obtain into a private IP
address used by our LAN so they can access it?  I thank you for your help...
 
 
  -Rizzo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5254&t=5248



Re: PIX question... [7:5248]

2001-05-21 Thread Craig Columbus

Sounds like a VPN is your best bet.
Should you decide to implement the VPN, you may want to consider whether 
you still need to maintain the modem pool on the Internet router.  Reducing 
this cost could help justify the cost of implementing a VPN solution.  A 
properly authenticated VPN user should be able to use any dial-up Internet 
connection to reach your LAN.

Craig

At 10:15 AM 5/21/2001 -0400, you wrote:
>Hey all, is it possible to translate public IP addresses (outside) to
>private IP addresses (inside) on a PIX firewall. Basically the exact
>opposite of what's usually performed on a firewall. We are going to have
>users dial in to our internet router and receive a Public IP address. They
>have to get through our firewall to gain access to our LAN. Is there a way
>to translate the Public IP address they will obtain into a private IP
>address used by our LAN so they can access it?  I thank you for your help...
>
>
>   -Rizzo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5260&t=5248



RE: PIX question... [7:5248]

2001-05-21 Thread Rizzo Damian

We are aware of the VPN solution and that is our long term goal. However,
for the moment, all I need to know is if it is possible to NAT from an
outside (not trusted) interface to an inside (trusted) interface.

 Thank you!

  -Rizzo




-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 21, 2001 11:44 AM
To: Rizzo Damian
Cc: [EMAIL PROTECTED]
Subject: Re: PIX question... [7:5248]

Sounds like a VPN is your best bet.
Should you decide to implement the VPN, you may want to consider whether 
you still need to maintain the modem pool on the Internet router.  Reducing 
this cost could help justify the cost of implementing a VPN solution.  A 
properly authenticated VPN user should be able to use any dial-up Internet 
connection to reach your LAN.

Craig

At 10:15 AM 5/21/2001 -0400, you wrote:
>Hey all, is it possible to translate public IP addresses (outside) to
>private IP addresses (inside) on a PIX firewall. Basically the exact
>opposite of what's usually performed on a firewall. We are going to have
>users dial in to our internet router and receive a Public IP address. They
>have to get through our firewall to gain access to our LAN. Is there a way
>to translate the Public IP address they will obtain into a private IP
>address used by our LAN so they can access it?  I thank you for your help...
>
>
>   -Rizzo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5265&t=5248



Re: PIX question... [7:5248]

2001-05-21 Thread Patrick Bass

Yeah.  It's called static NAT.  And then you create an access-list to open
services to that host.

"Rizzo Damian" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> We are aware of the VPN solution and that is our long term goal. However,
> for the moment, all I need to know is if it is possible to NAT from an
> outside (not trusted) interface to an inside (trusted) interface.
>
>  Thank you!
>
>   -Rizzo
>
>
>
>
> -Original Message-
> From: Craig Columbus [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 21, 2001 11:44 AM
> To: Rizzo Damian
> Cc: [EMAIL PROTECTED]
> Subject: Re: PIX question... [7:5248]
>
> Sounds like a VPN is your best bet.
> Should you decide to implement the VPN, you may want to consider whether
> you still need to maintain the modem pool on the Internet router.  Reducing
> this cost could help justify the cost of implementing a VPN solution.  A
> properly authenticated VPN user should be able to use any dial-up Internet
> connection to reach your LAN.
>
> Craig
>
> At 10:15 AM 5/21/2001 -0400, you wrote:
> >Hey all, is it possible to translate public IP addresses (outside) to
> >private IP addresses (inside) on a PIX firewall. Basically the exact
> >opposite of what's usually performed on a firewall. We are going to have
> >users dial in to our internet router and receive a Public IP address. They
> >have to get through our firewall to gain access to our LAN. Is there a way
> >to translate the Public IP address they will obtain into a private IP
> >address used by our LAN so they can access it?  I thank you for your help...
> >
> >
> >   -Rizzo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5268&t=5248



RE: PIX question... [7:5248]

2001-05-21 Thread Craig Columbus

I'm not clear on what you're asking.  Are you asking if the PIX can take a 
public IP and make it appear as a private IP on the internal network?  The 
answer is yes, although you certainly want to be careful with this and I 
can't say that this is a recommended config.  You'll need a config similar 
to the one below:

nat (outside) 1 0 0
static (inside,outside) [global_ip] [local_ip] netmask 255.255.255.255
access-list [acl_name] permit ip any host [global_ip]

For more info, reference 
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#xtocid274896

Thanks,
Craig

At 12:14 PM 5/21/2001 -0400, you wrote:
>We are aware of the VPN solution and that is our long term goal. However,
>for the moment, all I need to know is if it is possible to NAT from an
>outside (not trusted) interface to an inside (trusted) interface.
>
>  Thank you!
>
>   -Rizzo
>
>
>
>
>-Original Message-
>From: Craig Columbus [mailto:[EMAIL PROTECTED]]
>Sent: Monday, May 21, 2001 11:44 AM
>To: Rizzo Damian
>Cc: [EMAIL PROTECTED]
>Subject: Re: PIX question... [7:5248]
>
>Sounds like a VPN is your best bet.
>Should you decide to implement the VPN, you may want to consider whether
>you still need to maintain the modem pool on the Internet router.  Reducing
>this cost could help justify the cost of implementing a VPN solution.  A
>properly authenticated VPN user should be able to use any dial-up Internet
>connection to reach your LAN.
>
>Craig
>
>At 10:15 AM 5/21/2001 -0400, you wrote:
> >Hey all, is it possible to translate public IP addresses (outside) to
> >private IP addresses (inside) on a PIX firewall. Basically the exact
> >opposite of what's usually performed on a firewall. We are going to have
> >users dial in to our internet router and receive a Public IP address. They
> >have to get through our firewall to gain access to our LAN. Is there a way
> >to translate the Public IP address they will obtain into a private IP
> >address used by our LAN so they can access it?  I thank you for your help...
> >
> >
> >   -Rizzo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5274&t=5248



RE: PIX question... [7:5248]

2001-05-21 Thread Rizzo Damian

Actually it seems as if you understand exactly what I'm asking. Your idea is
very similar to mine. However it didn't work, unfortunately. Let me ask this
another way, if you don't mind... You have an internet router which is
directly connected to the external (un-trusted) interface of your PIX
firewall. Basically I want to be able to access my internal LAN with private
IP addresses from the Internet router with public IP addresses. So I should
be able to telnet onto my internet router and ping my privately held LAN.
Forget about security, I just want to know if it can be done. The static
mapping doesn't seem to work. Probably because it requires a one-to-one
mapping, no?   Thanks for any help in advance!



  -Rizzo





-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 21, 2001 1:12 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX question... [7:5248]

I'm not clear on what you're asking.  Are you asking if the PIX can take a 
public IP and make it appear as a private IP on the internal network?  The 
answer is yes, although you certainly want to be careful with this and I 
can't say that this is a recommended config.  You'll need a config similar 
to the one below:

nat (outside)  1 0 0
static (inside,outside)  
 netmask 255.255.255.255
access-list  permit ip any host 

For more info, reference
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#xtocid274896

Thanks,
Craig

At 12:14 PM 5/21/2001 -0400, you wrote:
>We are aware of the VPN solution and that is our long term goal. However,
>for the moment, all I need to know is if it is possible to NAT from an
>outside (not trusted) interface to an inside (trusted) interface.
>
>  Thank you!
>
>   -Rizzo
>
>
>
>
>-Original Message-
>From: Craig Columbus [mailto:[EMAIL PROTECTED]]
>Sent: Monday, May 21, 2001 11:44 AM
>To: Rizzo Damian
>Cc: [EMAIL PROTECTED]
>Subject: Re: PIX question... [7:5248]
>
>Sounds like a VPN is your best bet.
>Should you decide to implement the VPN, you may want to consider whether
>you still need to maintain the modem pool on the Internet router.  Reducing
>this cost could help justify the cost of implementing a VPN solution.  A
>properly authenticated VPN user should be able to use any dial-up Internet
>connection to reach your LAN.
>
>Craig
>
>At 10:15 AM 5/21/2001 -0400, you wrote:
> >Hey all, is it possible to translate public IP addresses (outside) to
> >private IP addresses (inside) on a PIX firewall. Basically the exact
> >opposite of what's usually performed on a firewall. We are going to have
> >users dial in to our internet router and receive a Public IP address. They
> >have to get through our firewall to gain access to our LAN. Is there a way
> >to translate the Public IP address they will obtain into a private IP
> >address used by our LAN so they can access it?  I thank you for your
> >help...
> >
> >
> >   -Rizzo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5279&t=5248



RE: PIX question... [7:5248]

2001-05-21 Thread Craig Columbus

I just realized that the config I sent through to the list didn't come 
through as I typed it.  Probably because the filter is set to take out 
certain characters.  Rizzo, hopefully you got the correct config in the 
message I sent you directly.

Using the static command should work, provided that it's coupled with the 
appropriate NAT command (to tell the router where to NAT and in what 
direction) and the correct access-list command (needed to tell the router 
to pass traffic from the particular public IP identified in the static
config).

In your particular case, you'll need to set up a static command and 
access-list for each IP address in your modem pool.

Refer again to the URL I sent in the previous message.  It has specific 
configuration commands to do exactly what you're trying to do.

Thanks,
Craig





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5290&t=5248



RE: PIX question... [7:5248]

2001-05-21 Thread Andras Bellak

Correct-

It can be done, but it does require a static mapping. One question to verify
what you are asking:

You want to ping from the internet to your LAN like so:

Ping from x.x.x.x to y.y.y.y, where x.x.x.x is an internet routable address,
and y.y.y.y is a static translation of your private addresses, and not the
private addresses themselves?

andras




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5296&t=5248



RE: PIX question... [7:5248]

2001-05-21 Thread Daniel Cotts

How about conduit statements allowing the outside addresses access to the
inside addresses. (Or access lists for the newer OS versions.) You could run
it wide open or be specific to addresses and ports.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5304&t=5248



RE: PIX question... [7:5248]

2001-05-21 Thread Darren Crawford

OK kids.  Allowing packets from a lower security level interface to a higher
security level interface requires a conduit or access list.  So yes, it can be
done.  I wouldn't forget about security though.  ;^)

D.



***
Darren S. Crawford
Lucent Technologies Worldwide Services
2377 Gold Meadow Way, Suite 230      Phone: (916) 859-5200 x310
Sacramento, CA 95670                 Fax: (916) 859-5201
                                     Pager: (800) 467-1467
Email: [EMAIL PROTECTED]             Epager: [EMAIL PROTECTED]
http://www.lucent.com                Network Systems Consultant - CCNA, CCIE Written

"Providing the Power Operable Networks."
***
"Ham and Eggs - A day's work for a chicken; A lifetime commitment for a pig."




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5322&t=5248



RE: PIX question... [7:5248]

2001-05-21 Thread Richie, Nathan

I beg to differ.  I do not believe this can be done.  When the PIX
translates (either dynamically or statically), it takes a private IP address
(inside interface) and translates it to a Public IP address (outside).  Then
the outside interface will process ALL packets for that Public IP address
and direct them to the internal source (private IP address).  So if you have
a static NAT, say, like this

static (inside, outside) 99.99.99.99 10.1.1.1 netmask 255.255.255.255

and on the router you have assigned the 99.99.99.99 to the dialup user, then
you have 2 devices on the LAN that are assigned the 99.99.99.99 address (the
router and the PIX).

You translate an IP address from a more secure network to the less secure
network, in this case from the inside network to the outside network.  So
you would have to reverse the security settings, effectively opening up your
LAN to the world.

You could do a couple of other solutions:

1)  VPN between router & PIX
2)  Terminate clients inside the PIX
3)  Create an IP pool on the router and allow full access with an
access-list (for this range of IP addresses) on the outside interface of the
PIX.

This is my understanding of how the PIX and NAT translations work, but I
have not tested this to disprove it, so if I am in error and someone has tested
this and I am wrong, please let me know.

Hope this helps.

Nathan

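What Darren, Daniel and Nathan's option 3 describe, written out as a configuration in PIX 6.x and IOS syntax. This is an added example, not configuration posted by anyone in the thread. Every address in it is assumed: the LAN is 10.1.1.0/24 behind the PIX inside interface 10.1.1.1, the PIX outside interface is 203.0.113.2 with the Internet router at 203.0.113.1 on Serial0, and the router hands dial-up users addresses from a 198.51.100.0/24 pool. Lines beginning with ! are annotations, not commands. The point it makes beyond the thread is that no public-to-private translation is needed at all: an identity static satisfies the PIX's requirement for a translation on the lower-to-higher path without creating the address collision Nathan describes, and the access-list, not the translation, is what decides who gets in.

```cisco
! ---- PIX (6.x syntax); addresses assumed ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.252
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Ordinary outbound PAT for the LAN; unrelated to the dial-in path.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

! The PIX will not build a connection from a lower- to a higher-security
! interface unless a translation exists for the inside host. An identity
! static maps the LAN to itself: dial-in users reach 10.1.1.x by its real
! address, no public address is consumed, and no public address ends up
! claimed by both the router and the PIX (Nathan's objection).
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Who may cross: only the dial-up pool, only to the LAN, only the protocols
! needed for the test Rizzo describes (telnet and ping). Everything else
! arriving on the outside interface hits the implicit deny. A single
! "permit ip any any" would be the wide-open variant Daniel mentions.
access-list dialin permit tcp 198.51.100.0 255.255.255.0 10.1.1.0 255.255.255.0 eq telnet
access-list dialin permit icmp 198.51.100.0 255.255.255.0 10.1.1.0 255.255.255.0 echo
! A ping issued from the router's own CLI is sourced from the router's
! interface address, not from the pool, so it needs its own line.
access-list dialin permit icmp host 203.0.113.1 10.1.1.0 255.255.255.0 echo
access-group dialin in interface outside

! Send every permitted and denied connection to a syslog host on the inside.
logging on
logging trap informational
logging host inside 10.1.1.50

! ---- Internet router (IOS); interface name assumed ----
! The private LAN must be routed at the PIX outside address. Otherwise the
! router forwards 10.1.1.0/24 toward its default route and the PIX never
! sees the packets, which looks exactly like "the static doesn't work".
ip route 10.1.1.0 255.255.255.0 203.0.113.2

! The PIX access-list trusts the source address. Without an anti-spoofing
! filter on the Internet-facing interface, any host on the Internet can send
! packets claiming a pool address and reach the permitted ports one-way.
access-list 110 deny   ip 198.51.100.0 0.0.0.255 any
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip any any
interface Serial0
 ip access-group 110 in
```

To check it from the PIX: show xlate lists the identity static, show conn shows the telnet session from the pool address once it is up, and show access-list dialin shows per-line hit counts, so a blocked attempt appears as a line with no hits plus a deny message on the syslog host. If the ping gets no reply but the hit count climbs, the problem is on the return path, which is where the missing router route usually shows up.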

Re: PIX question... [7:5248]

2001-05-21 Thread syson

hi Rizzo!

You cannot even telnet into your PIX from the outside interface, nor can you
telnet into it without VPN or SSH.  Making the PIX work the way you want
(contrary to the usual way of NATing high security to low security) won't
work; it's how PIXes are made and they cannot be modified to suit every need.
You might be looking at other routers to get your idea to work, but not the
PIX.  Any ideas, suggestions, corrections and comments; I would like to hear from
you guys!

Syson Suy

If Life is a Game, These are the Rules:
Experience is a hard teacher.
She gives the test first and the lessons afterwards.

RE: PIX question... [7:5248]

2001-05-21 Thread Chuck Larrieu

I believe you may create a static nat to an inside address, and so long as
your access-lists permit, you can telnet to the outside address of that
static nat to an inside device. From there you can telnet back into the pix
box.

Public_side -------- PIX -------- inside_network
  Public_IP                         private_ip
              Static_nat

Can't find my reference configs, but if memory serves, I used to do that,
before I got religion about security.

Chuck

-Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
syson
Sent:   Monday, May 21, 2001 5:14 PM
To: [EMAIL PROTECTED]
Subject:    Re: PIX question... [7:5248]

hi Rizzo!

You can not even telnet into your PIx from the outside interface, nor you
can telnet into it without VPN or SSH.  Making the PIX work the way you want
(in contrary to the usual way of NATing high security to Low security) won't
work;   It's how PIXs are made & can not be modified to suite every needs.
You might be looking at other routers to get your idea to work . but not
PIX.  Any ideas, suggestions, corrects & comments; I would like to hear from
you guys!

Syson Suy

If Life is a Game, These are the Rules:
Experience is a hard teacher.
She give the test first and the lessons afterwards.
- Original Message -
From: "Richie, Nathan"
To:
Sent: Monday, May 21, 2001 5:05 PM
Subject: RE: PIX question... [7:5248]


> I beg to differ.  I do not believe this can be done.  When the PIX
> translates (either dynamically or statically), it takes a private IP
> address (inside interface) and translates it to a Public IP address
> (outside).  Then the outside interface will process ALL packets for that
> Public IP address and direct them to the internal source (private IP
> address).  So if you have a static NAT, say like this
>
> static (inside, outside) 99.99.99.99 10.1.1.1 netmask 255.255.255.255
>
> and on the router you have assigned the 99.99.99.99 to the dialup user,
> then you have 2 devices on the LAN that are assigned the 99.99.99.99
> address (the router and the PIX)
>
> You translate an IP address from a more secure network to the less secure
> network, in this case from the inside network to the outside network.  So
> you would have to reverse the security settings, effectively opening up
> your LAN to the world.
>
> You could do a couple of other solutions:
>
> 1)  VPN between router & PIX
> 2)  Terminate clients inside the PIX
> 3)  Create an IP pool on the router and allow full access with an
> access-list (for this range of IP addresses) on the outside interface of
> the PIX.
>
> This is my understanding of how the PIX and NAT translations work, but I
> have not tested this to disprove it, so if I am in error and someone has
> tested this and I am wrong, please let me know.
>
> Hope this helps.
>
> Nathan
>
> -Original Message-----
> From: Darren Crawford [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 21, 2001 4:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX question... [7:5248]
>
>
> OK kids.  Allowing packets from a lower security level interface to a
> higher security level interface requires a conduit or access list.  So
> yes, it can be done.  I wouldn't forget about security though.  ;^)
>
> D.
>
> At 01:50 PM 05/21/2001 -0400, Rizzo Damian wrote:
> >Actually it seems as if you understand exactly what I'm asking. Your idea
> >is very similar to mine. However it didn't work unfortunately. Let me ask
> >this another way, if you don't mind...You have an internet router which is
> >directly connected to the external (un-trusted) interface of your PIX
> >firewall. Basically I want to be able to access my internal LAN with
> >private IP addresses from the Internet router with Public IP addresses. So
> >I should be able to telnet onto my internet router and ping my privately
> >held LAN. Forget about Security, I just want to know if it can be done.
> >The static mapping doesn't seem to work. Probably because it requires a
> >one-to-one mapping no?   Thanks for any help in advance!
> >
> >
> >
> >  -Rizzo

RE: PIX question... [7:5248]

2001-05-21 Thread Andras Bellak

I believe that you can telnet into a pix from the outside, in the newer
versions of the os, but it isn't on by default. Who knows why you'd want to,
but you can do it.

NAT can be done high security to low, but once again, it's something that
you have to consider carefully.

andras

> >-Original Message-
> >From: Craig Columbus [mailto:[EMAIL PROTECTED]]
> >Sent: Monday, May 21, 2001 1:12 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: PIX question... [7:5248]
> >
> >I'm not clear on what you're asking.  Are you asking if the PIX can take
> >a public IP and make it appear as a private IP on the internal network?
> >The answer is yes, although you certainly want to be careful with this
> >and I can't say that this is a recommended config.  You'll need a config
> >similar to the one below:
> >
> >nat (outside)  1 0 0
> >static (inside,outside)
> > netmask 255.255.255.255
> >access-list  permit ip any host
> >
> >F

Re: PIX question... [7:5248]

2001-05-21 Thread Darren Crawford

He said telnet into the Internet router and ping through the PIX.  Not telnet
into it.

Rizzo - If you have total control of your Internet router, you may need to NAT
there also towards the PIX in order to get your desired effect.

I was recently at a client that used the private 10.0.0.0 network internally
and the private 172.19.0.0 for their DMZ connections to partner companies.
Some of their partners would not accept the 172.19.0.0 scheme and supplied the
company with some registered address space.  To make the connection we NAT'd
on the partner end (router owned by my client) and on the "home" end of the
connection in the PIX.  This provided FTP and TN3270 connectivity to my
client's site from the partner company's network.

I know it's not exactly your scenario but it worked.

HTH

D.


Re: PIX question... [7:5248]

2001-05-21 Thread Arun

Hi
Can we do the above by opening conduits from the IPs that the dial-up
users will be using, to give them access?
Just curious

Regards
Arun Sharma
""Darren Crawford""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> He said telnet into the Internet router and ping through the PIX.  Not
telnet
> into it.
>
> Rizzo - If you have total control of you Internet router, you may need to
NAT
> there also towards the PIX in order to get your desired affect.
>
> I was recently at a client that used the private 10.0.0.0 network
internally
> and the private 172.19.0.0 for their DMZ connections to partner companies.
> Some of their partners would not accept the 172.19.0.0 scheme and supplied
> the
> company with some registered address space.  To make the connection we
NAT'd
> on
> the partner end (router owned by my client) and on the "home" end of the
> connection in the PIX.  This provide FTP and TN3270 connectivity to my
> client's
> site from the partner company's network.
>
> I know it's not exactly your scenario but it worked.
>
> HTH
>
> D.
>
> At 08:14 PM 05/21/2001 -0400, syson wrote:
> >hi Rizzo!
> >
> >You can not even telnet into your PIx from the outside interface, nor you
> >can telnet into it without VPN or SSH.  Making the PIX work the way you
want
> >(in contrary to the usual way of NATing high security to Low security)
won't
> >work;   It's how PIXs are made & can not be modified to suite every
needs.
> >You might be looking at other routers to get your idea to work . but
not
> >PIX.  Any ideas, suggestions, corrects & comments; I would like to hear
from
> >you guys!
> >
> >Syson Suy
> >
> >If Life is a Game, These are the Rules:
> >Experience is a hard teacher.
> >She give the test first and the lessons afterwards.
> >- Original Message -
> >From: "Richie, Nathan"
> >To:
> >Sent: Monday, May 21, 2001 5:05 PM
> >Subject: RE: PIX question... [7:5248]
> >
> >
> >> I beg to differ.  I do not believe this can be done.  When the PIX
> >> translates (either dynamically or statically), it takes a private IP
> >address
> >> (inside interface) and translates it to a Public IP address (outside).
> >Then
> >> the outside interface will process ALL packets for that Public IP
address
> >> and direct them to the internal source (private IP address).  So if you
> >have
> >> a static NAT, say for like this
> >>
> >> static (inside, outside) 99.99.99.99 10.1.1.1 netmask 255.255.255.255
> >>
> >> and on the router you have assigned the 99.99.99.99 to the dialup user,
> >then
> >> you have 2 devices on the LAN that are assigned the 99.99.99.99 address
> >(the
> >> router and the PIX)
> >>
> >> You translate an IP address from a more secure network to the less
secure
> >> network, in this case from the inside network to the outside network.
So
> >> you would have to reverse the security settings, effectively opening up
> >your
> >> LAN to the world.
> >>
> >> You could do a couple of other solutions:
> >>
> >> 1)  VPN between router & PIX
> >> 2)  Terminate clients inside the PIX
> >> 3)  Create an IP pool on the router and allow full access with an
> >> access-list (for this range of IP addresses) on the outside interface
of
> >the
> >> PIX.
> >>
> >> This is my understanding of how the PIX and NAT translations work, but
I
> >> have not tested this to disprove it, so if I am in error and some has
> >tested
> >> this and I am wrong, please let me know.
> >>
> >> Hope this helps.
> >>
> >> Nathan
> >>
> >> -Original Message-
> >> From: Darren Crawford [mailto:[EMAIL PROTECTED]]
> >> Sent: Monday, May 21, 2001 4:01 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: RE: PIX question... [7:5248]
> >>
> >>
> >> OK kids.  Allowing packets from a lower security level interface to a
> >higher
> >> security level interface requires a conduit or access list.  So yes, it
> >can
> >> be
> >> done.  I wouldn't forget about security though.  ;^)
> >>
> >> D.
> >>
> >> At 01:50 PM 05/21/2001 -0400, Rizzo Damian wrote:
> >> >Actually it seems as if you understand exactly what I'm asking. Your
idea
> >> is
> >> >very similar to mine. However it 

RE: PIX question... [7:5248]

2001-05-22 Thread Moe Tavakoli

OK basic PIX stuff

High to Low:  use NAT and Global command
Low to High: use Static and Conduits (or ACLs)

Now... You want people to access your internal boxes using external IPs.
OK

First way..  Statically assign external addresses to the internal hosts
that need to be accessed and have the users access them with external
addresses instead of the real ones...  These "external addresses" could be
actual routable addresses provided by your ISP and you can make this secure
by constraining your conduit (or ACL) to only allow your pool of dial-up IPs
to access these particular services.  Or you can introduce a private address
pool (let's say 172.16.1.0/24) on the perimeter.  Statically assign these
with a blanket (net to net) static statement and use the appropriate
conduits.  Add a route statement in the router to send 172.16.1.0/24 -->
your PIX's external interface IP.  This would solve some security issues
since no one on the NET can access these IPs.
These two methods can cause DNS issues.  You can get around this one of two
ways...  Create a new DNS server and have the DHCP from the dial-up pool map
to this (this could be easy since your first 3 octets change when you do a
net to net static) or you could use NAT 0, but this would limit Internet
access to inside hosts, but with some tricky configs this may also work...
You could run a sub-interface on your router.  There are many other
things you could do to get around your issue.

As for the guy who said to not use the PIX.  That only shows his ability to
read and implement.  He needs a GUI... Well stick to Check-point, run it on
a UNIX box...   The PIX is very capable in capable hands... Not morons...

Moe.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5405&t=5248
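The two approaches Moe describes above, together with the static-plus-access-list pattern Chuck and Darren refer to earlier in the thread, written out as one PIX 6.x configuration. This is an added example, not configuration posted by anyone on this thread, and every address in it is an assumption: 203.0.113.0/24 is the public side with the Internet router at .1 and the PIX outside interface at .2, 203.0.113.64/26 is the pool the router hands to dial-up callers, 10.1.1.0/24 is the LAN, and 172.16.1.0/24 is the perimeter-only pool.

```cisco
! Added example, not from the thread. All addressing is assumed (see lead-in).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! High to low (LAN users reaching the Internet): nat + global.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.20
global (outside) 1 203.0.113.21

! Option 1: one-to-one static for a single host. 203.0.113.30 must NOT be an
! address the router can hand to a caller, or two devices answer for it.
static (inside,outside) 203.0.113.30 10.1.1.30 netmask 255.255.255.255 0 0
access-list dialup-in permit tcp 203.0.113.64 255.255.255.192 host 203.0.113.30 eq telnet

! Option 2: net-to-net static onto a private perimeter pool. 10.1.1.x is seen
! as 172.16.1.x from the outside; nothing on the Internet routes 172.16.1.0/24,
! so only hosts behind the router that carries the route can reach it.
static (inside,outside) 172.16.1.0 10.1.1.0 netmask 255.255.255.0 0 0
access-list dialup-in permit tcp 203.0.113.64 255.255.255.192 172.16.1.0 255.255.255.0 eq telnet
access-list dialup-in permit icmp 203.0.113.64 255.255.255.192 172.16.1.0 255.255.255.0 echo

! Low to high needs the static AND the permit; everything not listed is
! dropped by the implicit deny at the end of the list.
access-group dialup-in in interface outside

! On the Internet router (IOS), so the pool addresses are forwarded to the PIX:
! ip route 172.16.1.0 255.255.255.0 203.0.113.2
```

Only one of the two options is needed; both are shown so the single-host and net-to-net forms can be compared. On images that predate access-list/access-group the equivalent of the single-host permit is `conduit permit tcp host 203.0.113.30 eq telnet 203.0.113.64 255.255.255.192`; do not mix conduits and an access-group on the same interface. Check the translations and the list hit counts with `show xlate`, `show conn` and `show access-list`. Two cautions that follow from the thread: the mapped address must lie outside the range the router assigns to callers (Nathan's objection), and what reaches the LAN this way is a cleartext telnet session authorised by nothing more than the source address of a dial-up pool, which is why terminating a VPN on the PIX, as Andras suggests, is the better design.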



RE: PIX question... [7:5248]

2001-05-22 Thread PSIHOYIOS PANAYIOTIS

Hi all, 

Just configure the outside interface as you would configure the inside
interface (nat on the outside with a global pool on the inside). 

Regards,


=
Panayiotis Psihoyios                 SyNET S.A.
CCNP (Security, ATM), CCDP, MCP      118 B, Agias Eleoussis Street
Network Engineer                     GR 151 25 Maroussi
email: [EMAIL PROTECTED]             Athens - Greece
Tel: ++ 301 61 29 500                Fax: ++ 301 61 25 313
=

> -Original Message-
> From: Rizzo Damian [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 21, 2001 5:16 PM
> To: [EMAIL PROTECTED]
> Subject: PIX question... [7:5248]
> 
> 
> Hey all, is it possible to translate public IP addresses (outside) to
> private IP addresses (inside) on a PIX firewall. Basically the exact
> opposite of what's usually performed on a firewall. We are going to have
> users dial in to our internet router and receive a Public IP address. They
> have to get through our firewall to gain access to our LAN. Is there a way
> to translate the Public IP address they will obtain into a private IP
> address used by our LAN so they can access it?  I thank you for your help...
>
>
>   -Rizzo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5408&t=5248



RE: PIX question... [7:5248]

2001-05-22 Thread Hinds, Christopher

Hi,

Firstly, I haven't tested this but - I think that a solution consisting of
external addresses being NAT'd into internal private addresses simply won't
work. Even if it did, Cisco would not support it. I checked the TAC and they
state quite clearly that NAT is (on the PIX) designed in the direction of
internal to external.
The only reliable, secure and supported solution is a static/conduit setup.
Hope this helps






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5410&t=5248



RE: PIX question... [7:5248]

2001-05-22 Thread Andras Bellak

Global pools on the inside don't solve the issues associated with actually
trying to do useful work. The only way to do anything on the inside is to
map the addresses that you want to access on the inside to an outside
address. You'll also have the possibility of ending up with name resolution
issues from outside to inside.

As an addition, if you are going to expose (however minimal the exposure)
your inside addresses to your outside addresses, I'd like to suggest using a
separate TACACS server to authenticate people coming through the firewall.
All in all, a better solution is to use the PIX to terminate connections
from a VPN client of some sort, and not deal with allowing any type of
un-encrypted or un-tunnelled access across the firewall, at least to
non-DMZ machines.

Hope this is a theoretical exercise - letting folks come into your network
deeper than a DMZ is never a good idea, no matter how you do it. Anyone
who's worked with IDS at all will be able to vouch for that one.

Andras








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5411&t=5248



Re: PIX question... [7:5248]

2001-05-22 Thread Craig Columbus

Actually, this can and does work.  I've set up at least one box this way 
during a network transition (not that it's a good idea, mind you).  In 
addition, the instructions, direct from Cisco, may be found in the URL that 
I previously posted.  Remember, the PIX passes what it's told to pass;  if 
the conf tells it to pass traffic, it passes traffic.

Thanks,
Craig


Re: PIX question [7:34630]

2002-02-06 Thread Gaz

I'm guessing that Long Distance State Sharing is the use of firewalls with
stateful failover which are separated by a long distance.
As you may or may not know, the PIX failover cable limits the distance
between PIXes at the moment (unless something's changed recently). Can't
remember how long it is exactly (guessing 10 feet).

Don't know the reason for lack of support for stateful HTTP. Possibly a large
amount of work for little benefit.

Gaz

""BASSOLE Rock""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hi group,
>
>
> I want to know what is Long Distance State Sharing (LDSS) and for what
> reason it's supported by the stateful failover?
> Also why the PIX does not transfer HTTP (port 80) session in stateful
> failover?
>
> Thank you.
>
> Rock .




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34641&t=34630



Re: PIX question [7:34630]

2002-02-06 Thread Patrick Ramsey

I didn't realize it didn't support HTTP

I really don't think there is need for HTTP stateful failover though...

I mean logically... with every link you can start a new session...if the
page is sitting in front of you, why keep state?

-Patrick







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34642&t=34630
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: PIX question [7:34630]

2002-02-06 Thread David C Prall

State sharing for HTTP can be enabled on the PIX, but by default it does
not. Most connections are less than the time it takes to transfer the
information. But if you are doing large file transfers via HTTP this can
change.

In the 6.2 code LDSS (or whatever Cisco is calling it) will be supported
over an Ethernet connection instead of requiring the Failover Cable.

David C Prall   [EMAIL PROTECTED]   http://dcp.dcptech.com
- Original Message -
From: "Patrick Ramsey" 
To: 
Sent: Wednesday, February 06, 2002 11:38 AM
Subject: Re: PIX question [7:34630]


> I didn't realize it didn't support http
>
> I really don't think there is a need for HTTP stateful failover though...
>
> I mean logically... with every link you can start a new session...if the
> page is sitting in front of you, why keep state?
>
> -Patrick
>
> >>> Gaz  02/06/02 11:27AM >>>
> I'm guessing that Long Distance State Sharing is the use of firewalls with
> stateful failover which are separated by a long distance.
> As you may or may not know, the Pix Failover cable limits the distance
> between Pix's at the moment (unless something's changed recently). Can't
> remember how long it is exactly (guessing 10 feet).
>
> Don't know the reason for lack of support for stateful http. Possibly
large
> amount of work for little benefit.
>
> Gaz
>
> ""BASSOLE Rock""  wrote in message
> news:[EMAIL PROTECTED]...
> > Hi group,
> >
> >
> > I want to know what is Long Distance State Sharing (LDSS) and for what
> > reason it's supported by the stateful failover?
> > Also why the PIX does not transfer HTTP (port 80) session in stateful
> > failover?
> >
> > Thank you.
> >
> > Rock .
>
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34648&t=34630
--



Re: PIX question [7:34630]

2002-02-06 Thread Gaz

Hi David,

Thanks for info. Been waiting for it for a while. Do you have any more
information about this?
Can't find anything on CCO.
Would be nice if just one fast ethernet connection is used.

Gaz

""David C Prall""  wrote in message
news:[EMAIL PROTECTED]...
> State sharing for HTTP can be enabled on the PIX, but by default it does
> not. Most connections are less than the time it takes to transfer the
> information. But if you are doing large file transfers via HTTP this can
> change.
>
> In the 6.2 code LDSS (or whatever Cisco is calling it) will be supported
> over an Ethernet connection instead of requiring the Failover Cable.
>
> David C Prall   [EMAIL PROTECTED]   http://dcp.dcptech.com
> - Original Message -
> From: "Patrick Ramsey"
> To:
> Sent: Wednesday, February 06, 2002 11:38 AM
> Subject: Re: PIX question [7:34630]
>
>
> > I didn't realize it didn't support http
> >
> > I really don't think there is a need for HTTP stateful failover though...
> >
> > I mean logically... with every link you can start a new session...if the
> > page is sitting in front of you, why keep state?
> >
> > -Patrick
> >
> > >>> Gaz  02/06/02 11:27AM >>>
> > I'm guessing that Long Distance State Sharing is the use of firewalls
with
> > stateful failover which are separated by a long distance.
> > As you may or may not know, the Pix Failover cable limits the distance
> > between Pix's at the moment (unless something's changed recently). Can't
> > remember how long it is exactly (guessing 10 feet).
> >
> > Don't know the reason for lack of support for stateful http. Possibly
> large
> > amount of work for little benefit.
> >
> > Gaz
> >
> > ""BASSOLE Rock""  wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hi group,
> > >
> > >
> > > I want to know what is Long Distance State Sharing (LDSS) and for what
> > > reason it's supported by the stateful failover?
> > > Also why the PIX does not transfer HTTP (port 80) session in stateful
> > > failover?
> > >
> > > Thank you.
> > >
> > > Rock .
> >
> > 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34650&t=34630
--



Re: PIX question [7:34630]

2002-02-06 Thread Kevin Douglas

I've also heard that long failover is planned to be in the next release. 
  And it will be called "LAN Failover" and yes, it will be through 
Ethernet connection...no more failover cable required.

Kevin

Gaz wrote:

> Hi David,
> 
> Thanks for info. Been waiting for it for a while. Do you have any more
> information about this?
> Can't find anything on CCO.
> Would be nice if just one fast ethernet connection is used.
> 
> Gaz
> 
> ""David C Prall""  wrote in message
> news:[EMAIL PROTECTED]...
> 
>>State sharing for HTTP can be enabled on the PIX, but by default it does
>>not. Most connections are less than the time it takes to transfer the
>>information. But if you are doing large file transfers via HTTP this can
>>change.
>>
>>In the 6.2 code LDSS (or whatever Cisco is calling it) will be supported
>>over an Ethernet connection instead of requiring the Failover Cable.
>>
>>David C Prall   [EMAIL PROTECTED]   http://dcp.dcptech.com
>>- Original Message -
>>From: "Patrick Ramsey"
>>To:
>>Sent: Wednesday, February 06, 2002 11:38 AM
>>Subject: Re: PIX question [7:34630]
>>
>>
>>
>>>I didn't realize it didn't support http
>>>
>>>I really don't think there is a need for HTTP stateful failover though...
>>>
>>>I mean logically... with every link you can start a new session...if the
>>>page is sitting in front of you, why keep state?
>>>
>>>-Patrick
>>>
>>>
>>>>>>Gaz  02/06/02 11:27AM >>>
>>>>>>
>>>I'm guessing that Long Distance State Sharing is the use of firewalls
>>>
> with
> 
>>>stateful failover which are separated by a long distance.
>>>As you may or may not know, the Pix Failover cable limits the distance
>>>between Pix's at the moment (unless something's changed recently). Can't
>>>remember how long it is exactly (guessing 10 feet).
>>>
>>>Don't know the reason for lack of support for stateful http. Possibly
>>>
>>large
>>
>>>amount of work for little benefit.
>>>
>>>Gaz
>>>
>>>""BASSOLE Rock""  wrote in message
>>>news:[EMAIL PROTECTED]...
>>>
>>>>Hi group,
>>>>
>>>>
>>>>I want to know what is Long Distance State Sharing (LDSS) and for what
>>>>reason it's supported by the stateful failover?
>>>>Also why the PIX does not transfer HTTP (port 80) session in stateful
>>>>failover?
>>>>
>>>>Thank you.
>>>>
>>>>Rock .
>>>>
>>>
>>>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34723&t=34630
--



Re: PIX question [7:34630]

2002-02-06 Thread Kevin Douglas

Hi,

1) 6.2 is not out yet...we are still at 6.1(x)
2) Since pix 5.X release, Stateful failover is supported and it will 
replicate TCP connections except the HTTP (port 80) connections.
3) In 6.0, Stateful failover will replicate all TCP connections 
including the HTTP connections.
4) The Ethernet connection you are referring to is not the "LAN 
failover" that will be included in the 6.2 code.  Cisco says that 
Stateful Failover requires a 100 Mbps or Gigabit Ethernet interface to 
be used exclusively for passing state information between the two PIX 
Firewall units.  BUT in that scenario, you STILL NEED the special 
failover cable.  So distance between boxes must be very close.
5) With LAN failover, you will not need this special failover cable so 
you can install your standby unit at the other end of your building if 
you want.

Hope this helps,

Kevin




ipguru1 wrote:

> Don't know about the LDSS, or 6.2, but according to CSPFA Coursebook
> (Chapman Jr.), the
> failover cable can now be 100 full-duplex crossover or 100 half-duplex with
> hub, this is
> to support the stateful failover, but not the http state (page 182).  If
> something came
> out in 6.2 that supports the http, sorry
> 
> 
> hth,
> ipguru
> 
> BASSOLE Rock wrote:
> 
> 
>>Hi group,
>>
>>I want to know what is Long Distance State Sharing (LDSS) and for what
>>reason it's supported by the stateful failover?
>>Also why the PIX does not transfer HTTP (port 80) session in stateful
>>failover?
>>
>>Thank you.
>>
>>Rock .




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34726&t=34630
--



Re: PIX question [7:34630]

2002-02-07 Thread brian

kevin,

my bad.  I got that all messed up!  I didn't know if 6.2 came out yet, but I
am interested in it only using the 100TX. Is that what the LDSS is?

thanks for clearing up my mess,

ipguru

BASSOLE Rock wrote:

> Hi group,
>
> I want to know what is Long Distance State Sharing (LDSS) and for what
> reason it's supported by the stateful failover?
> Also why the PIX does not transfer HTTP (port 80) session in stateful
> failover?
>
> Thank you.
>
> Rock .




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34758&t=34630
--



RE: pix question [7:36500]

2002-02-26 Thread Daniel Cotts

Yes, you can use globally routable IP addresses on the inside interface.
Either use
nat (inside) 0 <ip address> <netmask>
or do a
static (inside,outside) <ip address> <same ip address> netmask <netmask>

> -Original Message-
> From: george gittins [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 26, 2002 9:41 AM
> To: [EMAIL PROTECTED]
> Subject: pix question [7:36500]
> 
> 
> I have a pool of IP addresses I'm assigning as they leave my 
> internal network.
> Is there a way I can assign specific global IP addresses to 
> inside networks.
> 
> George Gittins
> Internet Systems Manager
> Weslaco, Tx 78599
> Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36503&t=36500
--



RE: pix question [7:36500]

2002-02-26 Thread Roberts, Larry

Well, if I understand your question correctly, you want to have a specific
subnet always get the same external address ?

Nat (inside) # 10.20.30.0 255.255.255.0
Global (outside) # a.b.c.d 255.255.255.0

# = unique number that is not used already on your PIX. Most people use 1 as
the first group. Just pick a number that is unique and apply it to both the
NAT statement for the inside addresses and the Global outside address that
they get. That is how the NAT is associated with the specific global
statement.

A.b.c.d is our outside address that they always get.

10.20.30.0 255.255.255.0 is the inside network(s) that get translated. If
you want to add multiple internal networks to that specific global address,
then you only need to add additional NAT statements using the same unique
identifier (#).

 

Thanks

Larry 

-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 26, 2002 10:41 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:36500]


I have a pool of IP addresses I'm assigning as they leave my internal network.
Is there a way I can assign specific global IP addresses to inside networks.

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36507&t=36500
--



RE: pix question [7:36500]

2002-02-26 Thread Roberts, Larry

Oops, typo alert.

The Global statement should read:

Global (outside) # a.b.c.d netmask 255.255.255.0

Thanks

Larry 

-Original Message-
From: Roberts, Larry 
Sent: Tuesday, February 26, 2002 11:34 AM
To: 'george gittins'; [EMAIL PROTECTED]
Subject: RE: pix question [7:36500]


Well, if I understand your question correctly, you want to have a specific
subnet always get the same external address ?

Nat (inside) # 10.20.30.0 255.255.255.0
Global (outside) # a.b.c.d 255.255.255.0

# = unique number that is not used already on your PIX. Most people use 1 as
the first group. Just pick a number that is unique and apply it to both the
NAT statement for the inside addresses and the Global outside address that
they get. That is how the NAT is associated with the specific global
statement.

A.b.c.d is our outside address that they always get.

10.20.30.0 255.255.255.0 is the inside network(s) that get translated. If
you want to add multiple internal networks to that specific global address,
then you only need to add additional NAT statements using the same unique
identifier (#).

 

Thanks

Larry 

-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 26, 2002 10:41 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:36500]


I have a pool of IP addresses I'm assigning as they leave my internal network.
Is there a way I can assign specific global IP addresses to inside networks.

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36508&t=36500
--



FW: pix question [7:36500]

2002-02-26 Thread george gittins

thanks for the info

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Roberts, Larry
Sent: Tuesday, February 26, 2002 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: pix question [7:36500]


Oops, typo alert.

The Global statement should read:

Global (outside) # a.b.c.d netmask 255.255.255.0

Thanks

Larry

-Original Message-
From: Roberts, Larry
Sent: Tuesday, February 26, 2002 11:34 AM
To: 'george gittins'; [EMAIL PROTECTED]
Subject: RE: pix question [7:36500]


Well, if I understand your question correctly, you want to have a specific
subnet always get the same external address ?

Nat (inside) # 10.20.30.0 255.255.255.0
Global (outside) # a.b.c.d 255.255.255.0

# = unique number that is not used already on your PIX. Most people use 1 as
the first group. Just pick a number that is unique and apply it to both the
NAT statement for the inside addresses and the Global outside address that
they get. That is how the NAT is associated with the specific global
statement.

A.b.c.d is our outside address that they always get.

10.20.30.0 255.255.255.0 is the inside network(s) that get translated. If
you want to add multiple internal networks to that specific global address,
then you only need to add additional NAT statements using the same unique
identifier (#).



Thanks

Larry

-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 10:41 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:36500]


I have a pool of IP addresses I'm assigning as they leave my internal network.
Is there a way I can assign specific global IP addresses to inside networks.

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36539&t=36500
--



Re: PIX Question [7:37893]

2002-03-11 Thread Gaz

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0


Gaz

""Ali, Abbas""  wrote in message
news:[EMAIL PROTECTED]...
> I have just installed a PIX firewall with three interfaces.  The Inside
> network is 192.168.1.0 and the DMZ network is 192.168.2.0.
>
> There are a few webservers on a dmz network that need to have an access to
> all the servers on the inside network.  Technically I am going to have to
> statically map each server on the inside network to an unused address on
> the dmz network and then open the conduit permission.
>
> For example,  I have a NT server running on 192.168.1.12.  In order for
> webserver to connect to this box I will have to do
>
> static (inside,dmz) 192.168.2.12 192.168.1.12 netmask 255.255.255.255
> conduit permit tcp host 192.168.2.12 host any or 192.168.1.12.
>
> It will be very tedious and I will waste so many addresses on a dmz network
> in an order to create mapping entry for all the servers on inside network.
>
>
> Is there any smaller way of doing it?  Can I map the whole dmz network to
> inside network instead of mapping each unused address to inside address?
>
> Abbas Ali, AVVID, CCDP, CCNP, MCSE
> Network Engineer II
> NextiraOne, LLC
> Tel: 714.428.3367
> Pager: 714.748.4817
> Email: [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37895&t=37893
--



Re: PIX Question [7:37893]

2002-03-11 Thread Ranma

or
static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0

to treat the 2 network DMZ and inside zone in routing mode...


""Gaz""  wrote in message
news:[EMAIL PROTECTED]...
> static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
>
>
> Gaz
>
> ""Ali, Abbas""  wrote in message
> news:[EMAIL PROTECTED]...
> > I have just installed a PIX firewall with three interfaces.  The Inside
> > network is 192.168.1.0 and the DMZ network is 192.168.2.0.
> >
> > There are a few webservers on a dmz network that need to have an access
to
> > all the servers on the inside network.  Technically I am going to have
to
> > statically map each server on the inside network to an unused address
on
> > the dmz network and then open the conduit permission.
> >
> > For example,  I have a NT server running on 192.168.1.12.  In order for
> > webserver to connect to this box I will have to do
> >
> > static (inside,dmz) 192.168.2.12 192.168.1.12 netmask 255.255.255.255
> > conduit permit tcp host 192.168.2.12 host any or 192.168.1.12.
> >
> > It will be very tedious and I will waste so many addresses on a dmz
network
> > in an order to create mapping entry for all the servers on inside
network.
> >
> >
> > Is there any smaller way of doing it?  Can I map the whole dmz network
to
> > inside network instead of mapping each unused address to inside address?
> >
> > Abbas Ali, AVVID, CCDP, CCNP, MCSE
> > Network Engineer II
> > NextiraOne, LLC
> > Tel: 714.428.3367
> > Pager: 714.748.4817
> > Email: [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37916&t=37893
--
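As an added example (my own code, not from any post in this thread or from Cisco), the following Python models how a PIX 6.x picks a translation from the three constructs discussed in the last two threads: Larry Roberts's nat/global pair joined by a shared id, the nat 0 (no translation) form, and the static form, whether per host as Abbas Ali wrote it or for a whole subnet as Gaz suggested. The lookup order (static, then nat 0, then nat/global), the constructed sample config and the 203.0.113.x global addresses are assumptions; policy NAT, PAT pools and access-list based exemption are not modelled.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample config (assembled for this example, not a verbatim post):
# a nat/global pair with a documentation-range global, a nat 0 line, Gaz's
# subnet-wide identity static, and one per-host static of the kind Abbas
# Ali described.
SAMPLE_CONFIG = """\
nat (inside) 1 10.20.30.0 255.255.255.0
global (outside) 1 203.0.113.10 netmask 255.255.255.0
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,outside) 203.0.113.12 192.168.1.12 netmask 255.255.255.255
"""


class PixXlateModel:
    """Simplified model of PIX 6.x translation selection (an assumption, not Cisco code).

    Lookup order modelled: static entries, then nat 0 (identity, no
    translation), then nat/global pairs joined by their shared id.
    """

    def __init__(self) -> None:
        self.statics: List[Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]] = []
        self.identity: List[Tuple[str, ipaddress.IPv4Network]] = []
        self.nat_rules: List[Tuple[str, int, ipaddress.IPv4Network]] = []
        self.globals: Dict[Tuple[str, int], str] = {}

    @staticmethod
    def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

    def load(self, config: str) -> None:
        """Read nat, global and static lines; every other line is ignored."""
        for raw in config.splitlines():
            p = raw.split()
            if len(p) >= 4 and p[0] == "global":
                # global (mapped_if) id address|pool [netmask mask]
                self.globals[(p[1].strip("()"), int(p[2]))] = p[3]
            elif len(p) >= 5 and p[0] == "nat":
                # nat (real_if) id real_net mask [...]
                real_if, nat_id, net = p[1].strip("()"), int(p[2]), self._net(p[3], p[4])
                if nat_id == 0:
                    self.identity.append((real_if, net))
                else:
                    self.nat_rules.append((real_if, nat_id, net))
            elif len(p) >= 4 and p[0] == "static":
                # static (real_if,mapped_if) mapped real [netmask mask] [...]
                real_if, mapped_if = p[1].strip("()").split(",")
                mask = p[5] if len(p) >= 6 and p[4] == "netmask" else "255.255.255.255"
                self.statics.append((real_if, mapped_if, self._net(p[2], mask), self._net(p[3], mask)))

    def translate(self, real_if: str, mapped_if: str, src: str) -> Optional[str]:
        """Address seen on mapped_if for a packet from src on real_if, or None if no xlate."""
        ip = ipaddress.ip_address(src)
        for r_if, m_if, mapped_net, real_net in self.statics:
            if (r_if, m_if) == (real_if, mapped_if) and ip in real_net:
                # Preserve the host part: a /32 static maps one host, a /24 maps the subnet
                return str(mapped_net.network_address + (int(ip) - int(real_net.network_address)))
        for r_if, net in self.identity:
            if r_if == real_if and ip in net:
                return src
        for r_if, nat_id, net in self.nat_rules:
            if r_if == real_if and ip in net:
                # A nat id with no global on the egress interface yields no translation
                return self.globals.get((mapped_if, nat_id))
        return None


def build_sample_model() -> PixXlateModel:
    model = PixXlateModel()
    model.load(SAMPLE_CONFIG)
    return model


if __name__ == "__main__":
    m = build_sample_model()
    for real_if, mapped_if, src in [("inside", "outside", "10.20.30.5"),
                                    ("inside", "dmz", "192.168.1.77"),
                                    ("inside", "outside", "192.168.1.12"),
                                    ("inside", "outside", "216.6.24.5"),
                                    ("inside", "dmz", "10.20.30.5")]:
        print(f"{src} {real_if}->{mapped_if}: {m.translate(real_if, mapped_if, src)}")
```

The last case in the usage loop is the one that bites in practice: a nat id with no matching global on the interface the packet leaves by gives no translation at all, so the connection never builds an xlate. On a real box the check is `show xlate` after the attempt, not the model.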



RE: pix question [7:39560]

2002-03-27 Thread Ciaron Gogarty

show access-list(s)

-Original Message-
From: george gittins
To: [EMAIL PROTECTED]
Sent: 27/03/02 13:05
Subject: pix question [7:39560]

what's the equivalent of show access-list on the PIX

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557
**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept for the
presence of computer viruses.

For more information contact [EMAIL PROTECTED]

phone + 353 1 4093000

fax + 353 1 4093001

**




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39604&t=39560
--



RE: pix question [7:39560]

2002-03-27 Thread Ole Drews Jensen

That would be : show access-list

You might also want to do :

show conduit

show sysopt

Hth,

Ole

~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~
 http://www.RouterChief.com
~
 Need a Job?
 http://www.OleDrews.com/job
~




-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 7:05 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:39560]


what's the equivalent of show access-list on the PIX

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39612&t=39560
--



RE: pix question [7:39560]

2002-03-27 Thread Kent Hundley

George,

In current versions, it's "show access-list". :-)

pix# sh ver

Cisco Secure PIX Firewall Version 6.0(1)
PIX Device Manager Version 1.0(1)

pix# sh access-list
access-list 1 permit icmp any any (hitcnt=27)
access-list 1 permit ip any host 172.16.1.55 (hitcnt=0)
access-list 1 permit ip any host 172.16.1.60 (hitcnt=16)
access-list 1 permit tcp host 172.16.1.2 host 10.1.1.3 eq bgp (hitcnt=1)
pix#


Regards,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 5:05 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:39560]


what's the equivalent of show access-list on the PIX

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39620&t=39560
--
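As an added example (my own code, not part of Kent's post), here is a small Python parser for the `show access-list` output format shown above, with the per-entry hit counter turned into something a reviewer can act on: entries that have never matched and permit entries open from any source to any destination. The sample input is the four lines from the post; the function names are my own.

```python
import re
from typing import Dict, List, NamedTuple

# The "show access-list" lines from the post above, embedded as sample input.
SAMPLE_OUTPUT = """\
access-list 1 permit icmp any any (hitcnt=27)
access-list 1 permit ip any host 172.16.1.55 (hitcnt=0)
access-list 1 permit ip any host 172.16.1.60 (hitcnt=16)
access-list 1 permit tcp host 172.16.1.2 host 10.1.1.3 eq bgp (hitcnt=1)
"""

# access-list <name> permit|deny <proto src dst [ports]> (hitcnt=<n>)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+?)\s+\(hitcnt=(\d+)\)$")


class Ace(NamedTuple):
    acl: str
    action: str
    match: str   # protocol, source and destination exactly as the PIX prints them
    hits: int


def parse_show_access_list(output: str) -> List[Ace]:
    """Turn PIX 6.x 'show access-list' text into structured entries; unrelated lines are skipped."""
    entries: List[Ace] = []
    for line in output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append(Ace(m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return entries


def unused_entries(entries: List[Ace]) -> List[Ace]:
    """Entries that have never matched since the counters were last cleared."""
    return [e for e in entries if e.hits == 0]


def any_to_any_permits(entries: List[Ace]) -> List[Ace]:
    """Permit entries whose source and destination are both 'any'."""
    return [e for e in entries
            if e.action == "permit" and re.search(r"\bany\s+any\b", e.match)]


def hits_per_acl(entries: List[Ace]) -> Dict[str, int]:
    """Total hits per access-list name."""
    totals: Dict[str, int] = {}
    for e in entries:
        totals[e.acl] = totals.get(e.acl, 0) + e.hits
    return totals


if __name__ == "__main__":
    aces = parse_show_access_list(SAMPLE_OUTPUT)
    for e in unused_entries(aces):
        print("never matched:", e.acl, e.action, e.match)
    for e in any_to_any_permits(aces):
        print("any-to-any permit:", e.acl, e.match)
    print("totals:", hits_per_acl(aces))
```

A zero hit count is only evidence of disuse since the counters were last reset (a reload or `clear access-list ... counters` both zero them), so treat the unused list as a review queue rather than a deletion list.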



RE: pix question [7:39560]

2002-03-27 Thread Bill Carter

show access-l

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 7:05 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:39560]


what's the equivalent of show access-list on the PIX

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39635&t=39560
--



RE: PIX Question !!! [7:40465]

2002-04-05 Thread Lidiya White

In problems like this you have to enable "debug icmp trace" to help you
resolve the issue, rather than guessing what you missed.

What is this statement supposed to do:
static (inside,outside) 192.168.2.13 216.6.24.129
 ip address inside 216.6.24.129 255.255.255.192
 route outside 0.0.0.0 0.0.0.0 192.168.2.13

You want that ip address of the inside interface will look like outside
router???
I would use "clear static" and "clear xlate"...

You'll never be able to ping 192.168.2.14 ip from the 216.6.24.130 host,
but you should be able to ping .13.

-- Lidiya White 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Avi
Sent: Thursday, April 04, 2002 11:01 AM
To: [EMAIL PROTECTED]
Subject: PIX Question !!! [7:40465]

Hi,

I am facing a problem on PIX 515 as described below.
Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:
-


  H - 216.6.24.130  255.255.255.192
   |
   |Public Accessed Servers(216.6.24.0 - Public
addresses)
   |
   | - 216.6.24.129  255.255.255.192
PIX
   | - 192.168.2.14 /30
   |
   |
   | - 192.168.2.13 /30
  R
   | - 192.168.2.6 /30
   |
   |
   | - 192.168.2.5 /30
  R   (ISP Router)
   |
   |
   |Proxy Server
   |  192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable traps
telnet 216.6.24.16 255.255.255.255
telnet timeout 15
terminal width 80

PROBLEM


My problem is from host 216.6.24.130 I can ping the inside interface of the PIX,
but I can't ping the outside interface of the PIX nor the internal router.
Also I am not able to ping the proxy server.
Sitting on the PIX I am able to ping inside as well as outside, even the
proxy server. Also outside hosts are able to reach the host 216.6.24.130.

Can someone please throw some light on this as to where I am going wrong or
am missing some command.

Your kind help will be appreciated a lot.

Thanks & Regards,
Avi.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40522&t=40465
--
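As an added example (my own code, not from the reply above or from Cisco), here is a small Python lint over the config posted in this thread. It flags the static the reply questions, whose mapped address is the outside router's address and whose real address is the PIX's own inside interface, and a few other things a reviewer would check on the same config: a route whose gateway is one of the PIX's own interface addresses, `logging on` with every logging destination disabled, and protocol-wide any-to-any conduits. The sample config is the relevant lines from the post with the line-wrapped static joined back together; the finding codes are my own.

```python
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines of the PIX 4.4(7) config posted in
# this thread, with the wrapped static joined back onto one line.
SAMPLE_CONFIG = """\
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
logging on
no logging console
no logging buffered
no logging trap
logging facility 20
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 216.6.24.177 eq smtp any
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
"""

Finding = Tuple[str, str]  # (code, detail); codes are this example's own naming


def lint_pix_config(config: str) -> List[Finding]:
    """Flag address mistakes of the kind discussed in this thread plus two hygiene points."""
    if_addr: Dict[str, str] = {}                    # interface name -> its own address
    statics: List[Tuple[str, str, str, str]] = []   # (real_if, mapped_if, mapped, real)
    routes: List[Tuple[str, str]] = []              # (interface, gateway)
    conduits_any: List[str] = []
    logging_on = False
    has_log_dest = False

    for raw in config.splitlines():
        p = raw.split()
        if len(p) >= 4 and p[:2] == ["ip", "address"]:
            if_addr[p[2]] = p[3]
        elif len(p) >= 4 and p[0] == "static":
            real_if, mapped_if = p[1].strip("()").split(",")
            statics.append((real_if, mapped_if, p[2], p[3]))
        elif len(p) >= 5 and p[0] == "route":
            routes.append((p[1], p[4]))
        elif p == ["logging", "on"]:
            logging_on = True
        elif len(p) >= 2 and p[0] == "logging" and p[1] in ("buffered", "trap", "console", "monitor", "host"):
            has_log_dest = True   # "no logging ..." lines start with "no", so they do not count
        elif len(p) >= 5 and p[:2] == ["conduit", "permit"] and p[3:5] == ["any", "any"]:
            conduits_any.append(raw.strip())

    own_addrs = {addr: name for name, addr in if_addr.items()}
    gateways = {gw: ifname for ifname, gw in routes}
    findings: List[Finding] = []

    for real_if, mapped_if, mapped, real in statics:
        if mapped in gateways:
            findings.append(("STATIC_MAPPED_IS_GATEWAY",
                             f"static maps to {mapped}, the next hop of a route on {gateways[mapped]}"))
        if mapped in own_addrs:
            findings.append(("STATIC_MAPPED_IS_PIX_INTERFACE",
                             f"static maps to {mapped}, the PIX's own {own_addrs[mapped]} address"))
        if real in own_addrs:
            findings.append(("STATIC_REAL_IS_PIX_INTERFACE",
                             f"static translates {real}, the PIX's own {own_addrs[real]} address"))
    for ifname, gw in routes:
        if if_addr.get(ifname) == gw:
            findings.append(("ROUTE_GW_IS_OWN_INTERFACE",
                             f"route {ifname} points at the PIX's own {ifname} address {gw}"))
    if logging_on and not has_log_dest:
        findings.append(("LOGGING_NO_DESTINATION", "logging is on but every destination is disabled"))
    for c in conduits_any:
        findings.append(("CONDUIT_ANY_ANY", c))
    return findings


if __name__ == "__main__":
    for code, detail in lint_pix_config(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

The logging check is there because of the first sentence of the reply: with `no logging buffered` and `no logging trap` the box records nothing, so the only way to see why a ping is dropped is a live `debug icmp trace` on the console.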



RE: PIX Question !!! [7:40465]

2002-04-05 Thread Kent Hundley

Avi,

You have a few things in your config that look strange:

1) static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255

This creates a static with the outside address of 192.168.2.13, which you
indicate is your router's IP address, and an inside address of 216.6.24.129,
which you indicate is your inside PIX interface.  This makes no sense.  A
static translation is used to create a new address on the outside that is
not currently in use by any device to map to an inside end device, such as a
server.  I don't understand what you are trying to do with this command and
this may be the cause of your problem.

2) route inside 0.0.0.0 0.0.0.0 216.6.24.129 1

You are pointing the PIX's inside default route to its own interface?  I
don't see what you are trying to accomplish by doing this, if there is no
inside router you should just leave off the route inside command.

3) You say outside hosts are able to reach 216.6.24.130, do you mean they
are able to ping the host?  If the outside hosts can ping the inside host,
the inside host should be able to ping the outside hosts since you have a
conduit permit icmp any in your config.  If the .130 host is a unix box,
sometimes they try to resolve names during ping, so it may be that your ping
is failing because name lookups are failing.  Just a guess.

It looks like something is not correct with your static command, so I would
fix that first.  Also, you are running a very old version of code at 4.4,
you are two major releases behind, so there may also be some weird bug present
in this code rev, I would strongly consider upgrading the code to current
levels.

HTH,
Kent


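As an added example, not code from the thread: a small Python lint that reads the relevant lines of a PIX-style config and flags the two things Kent calls out (a static whose addresses belong to the PIX itself or to the next-hop router, and a route whose gateway is the PIX's own interface). The sample config below is constructed from Avi's posted lines; only the one-to-one `static` form is parsed.

```python
import re

# Constructed sample: the lines from Avi's posted config that Kent's reply
# calls out (interface addresses, the odd static, and both default routes).
SAMPLE_CONFIG = """\
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
"""


def parse(config):
    """Pull interface addresses, one-to-one statics and routes out of PIX 4.x/6.x syntax."""
    ifaces, statics, routes = {}, [], []
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["ip", "address"] and len(p) >= 4:
            ifaces[p[2]] = p[3]                      # interface name -> address
        elif p[:1] == ["static"] and len(p) >= 4 and p[2] not in ("tcp", "udp"):
            m = re.match(r"\((\w+),(\w+)\)", p[1])   # (real_if,mapped_if)
            if m:
                statics.append((m.group(1), m.group(2), p[2], p[3]))  # global, local
        elif p[:1] == ["route"] and len(p) >= 5:
            routes.append((p[1], p[4]))              # interface, gateway
    return ifaces, statics, routes


def lint(config):
    """Return human-readable findings; an empty list means nothing suspicious."""
    ifaces, statics, routes = parse(config)
    owner = {addr: name for name, addr in ifaces.items()}
    gateway_if = {gw: ifc for ifc, gw in routes}
    findings = []
    for real_if, mapped_if, glob, local in statics:
        if local in owner:   # local side must be an end device, not the PIX itself
            findings.append(f"static: local {local} is the PIX's own {owner[local]} interface")
        if glob in gateway_if:  # a next hop is another device, so it cannot be a free global
            findings.append(f"static: global {glob} is the {gateway_if[glob]} route gateway")
    for ifc, gw in routes:
        if ifaces.get(ifc) == gw:
            findings.append(f"route {ifc}: gateway {gw} is the PIX's own {ifc} interface")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```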
FW: PIX Question !!! [7:40465]

2002-04-05 Thread george gittins

Don't you have to place the inside IP address on the outside interface?
I think you have it reversed,
ip address inside 192.168.2.14 255.255.255.248
ip address outside 216.6.24.129 255.255.255.192
then
nat (inside) 0 192.168.2.14 255.255.255.0 0 0


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Avi
Sent: Thursday, April 04, 2002 9:01 AM
To: [EMAIL PROTECTED]
Subject: PIX Question !!! [7:40465]


Hi,

I am facing a problem on PIX 515 as described  below.
Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:
-


  H - 216.6.24.130  255.255.255.192
   |
   |Public Accessed Servers (216.6.24.0 - Public addresses)
   |
   | - 216.6.24.129  255.255.255.192
PIX
   | - 192.168.2.14 /30
   |
   |
   | - 192.168.2.13 /30
  R
   | - 192.168.2.6 /30
   |
   |
   | - 192.168.2.5 /30
  R   (ISP Router)
   |
   |
   |Proxy Server
   |  192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable traps
telnet 216.6.24.16 255.255.255.255
telnet timeout 15
terminal width 80

PROBLEM


My problem is from host 216.6.24.130 I can ping the inside interface of the PIX, but
I can't ping the outside interface of the PIX nor the internal router.
Also I am not able to ping the proxy server.
Sitting on the PIX I am able to ping inside as well as outside, even the
proxy server. Also outside hosts are able to reach the host 216.6.24.130.

Can someone please throw some light on this as to where I am going wrong or
am missing some command.

Your kind help will be appreciated a lot.

Thanks & Regards,
Avi.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40503&t=40465



Re: PIX Question [7:15518]

2001-08-09 Thread Gareth Hinton

I've not tried it yet, but if you're using version 6.0, how about using port
re-direction - Using one IP address on the outside, but telnet to a
different port for each internal device.

static (inside,outside) tcp 192.168.124.99 3001 10.1.1.1 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.124.99 3002 10.1.1.2 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.124.99 3003 10.1.1.3 telnet netmask 255.255.255.255 0 0

With the relevant access lists to control who can telnet to the devices.

Then just:

"telnet 192.168.124.99 3001 etc"

Looks good but needs testing. Anybody rip it to pieces???

Gaz


"Bruce Williams"  wrote in message
news:[EMAIL PROTECTED]...
> I have many devices on the inside (most secure) interface of my PIX that I
> need to allow telnet and ftp access to users from the outside (least secure)
> interface of the PIX. I know that I can create a static map to the inside IP
> addresses, but I don't have enough outside IP addresses to support all of the
> devices on the inside. I am using PAT to allow users from the inside (most
> secure) interface to get access to the outside (less secure) interface. Can
> I use PAT the same way to allow outside users to access the inside servers
> on one address or is there a way to open the PIX up for all users from the
> outside to get in on a temporary basis?
>
> Bruce Williams
> 215-275-2723
> [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15558&t=15518

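An added example, not part of Gareth's post or of any Cisco document, of the "relevant access lists" that go with the port-redirection statics above, written in PIX 6.x syntax. The management host 203.0.113.10 and the ACL name outside_in are assumptions, and the lines starting with "!" are annotations rather than PIX commands.

```text
! Port redirection as in Gareth's post: one outside address, one TCP port per inside device
static (inside,outside) tcp 192.168.124.99 3001 10.1.1.1 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.124.99 3002 10.1.1.2 telnet netmask 255.255.255.255 0 0
! Only the assumed management host may reach the redirected ports; all other
! inbound traffic on outside stays denied by the implicit deny at the end of the list.
! On pre-8.3 PIX code the ACL is written against the mapped (outside) address and
! port, 192.168.124.99:3001, not against the inside address 10.1.1.1:23.
access-list outside_in permit tcp host 203.0.113.10 host 192.168.124.99 eq 3001
access-list outside_in permit tcp host 203.0.113.10 host 192.168.124.99 eq 3002
access-group outside_in in interface outside
```

A "show xlate" after a test connection should show the 192.168.124.99/3001 to 10.1.1.1/23 translation, which is the quickest way to confirm the redirection is being hit.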

