Re: Quick Pix Question. [7:70145]
The counters are not incrementing because the entries are not being matched. Suspect that the ACL is applied to the wrong interface. Remember the direction - in - which means that the access list is applied to traffic entering a particular interface from their residence on that interface. For example:

INSIDE - PIX - OUTSIDE

If I want my ACL to filter ICMP traffic originating from the INSIDE network, I would apply it to the INSIDE interface. However, if I have to filter ICMP traffic to my INSIDE network from the OUTSIDE network, I would apply it to the OUTSIDE interface.

HTH,
Charles

"Paul" wrote in message news:[EMAIL PROTECTED]
> Hi all ...
>
> One of my 515's has all its access-list counters set to 0, when I ping for
> instance, the counter for the relevant ICMP access-list does not increment
> ???
>
> How do I turn it on ??? I have searched the Cisco website and my Pix book
> without any luck ??
>
> Kind regards
>
> Paul ...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70198&t=70145
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Quick Pix Question. [7:70145]
Hi all ...

One of my 515's has all its access-list counters set to 0, when I ping for instance, the counter for the relevant ICMP access-list does not increment ???

How do I turn it on ??? I have searched the Cisco website and my Pix book without any luck ??

Kind regards

Paul ...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70145&t=70145
Re: PIX Question - IPX Support? [7:66338]
nettable_walker wrote:
>
> 3/27/2003 9:00pm Thursday
>
> This has come up before -
> Is there any such thing as an IPX firewall ?

Sure. A Cisco router with IPX access lists!? :-)

> Richard
>
> //

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66360&t=66338
Re: PIX Question - IPX Support? [7:66338]
3/27/2003 9:00pm Thursday

This has come up before -
Is there any such thing as an IPX firewall ?

Richard

//

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66358&t=66338
Re: PIX Question - IPX Support? [7:66338]
No, the PIX doesn't do IPX, so the tunnel is your friend.

Dave

Lupi, Guy wrote:
> I have never worked with the PIX before, but I was wondering if PIX
> firewalls support IPX. I want to configure a PIX with an IPX address on one
> of the interfaces, and configure an encrypted GRE tunnel with another PIX at
> another location. Can I do that, or do I need a router behind the PIX doing
> the tunnel setup so that the PIX sees IP only?
>
>
> Guy H. Lupi

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"I would rather have a German division in front of me than a French one behind me." --- General George S. Patton

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66342&t=66338
RE: PIX Question - IPX Support? [7:66338]
No, the PIX does not support IPX, only IP; you will need a router for that.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66341&t=66338
PIX Question - IPX Support? [7:66338]
I have never worked with the PIX before, but I was wondering if PIX firewalls support IPX. I want to configure a PIX with an IPX address on one of the interfaces, and configure an encrypted GRE tunnel with another PIX at another location. Can I do that, or do I need a router behind the PIX doing the tunnel setup so that the PIX sees IP only?

Guy H. Lupi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66338&t=66338
Re: PIX question [7:65769]
In my opinion it is smarter and safer to use a DMZ interface on a PIX firewall vice having a switch/hub before the firewall. This is because if one of your DMZ nodes is attacked from the internet you can easily close the hole and block the attack source. With a hub before the firewall you will have to rely on the OS to block the attack or disconnect the node from the switch/hub. It may be work to create static NAT translations and ACLs, but you definitely have control over what is being accessed exactly.

"Sam" wrote in message news:[EMAIL PROTECTED]
> Hey there
>
> Mostly, firewall design includes a dmz. In most companies, within this DMZ,
> is it more likely to see the servers directly being given registered public
> IP's,
>
> OR
>
> Is it more likely to see the servers being given private IP's and then a nat
> translation created for internet users to access the servers.
>
>
> Also, what are the pros and cons for the above two situations?
>
> thx

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65958&t=65769
Re: PIX question [7:65769]
I most often set it up with the first.

With regards to situation #1:

Pro:
- Easier maintenance of the firewall for the "private" network (not as many NATs to configure)

Cons:
- Requires two firewalls, one in front of the DMZ and one behind it
- Limited address space from the ISP
- Must maintain strong filter rules on the "front" firewall

Situation #2 only requires one firewall, and you can NAT several services onto one address, but you run the risk of the firewall becoming overloaded and slowing down internet access, since it has to NAT *everything* now :-)

Just my $.02 :-)

"Sam" wrote in message news:[EMAIL PROTECTED]
> Hey there
>
> Mostly, firewall design includes a dmz. In most companies, within this DMZ,
> is it more likely to see the servers directly being given registered public
> IP's,
>
> OR
>
> Is it more likely to see the servers being given private IP's and then a nat
> translation created for internet users to access the servers.
>
>
> Also, what are the pros and cons for the above two situations?
>
> thx

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65774&t=65769
PIX question [7:65769]
Hey there

Mostly, firewall design includes a dmz. In most companies, within this DMZ, is it more likely to see the servers directly being given registered public IP's,

OR

Is it more likely to see the servers being given private IP's and then a nat translation created for internet users to access the servers.

Also, what are the pros and cons for the above two situations?

thx

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65769&t=65769
Re: PIX Question [7:65095]
Was this NAT or PAT? If PAT, and the client kept on trying to open up new connections, the source port would probably be different for each, thus a new xlate in the translation table.

Cheers!

--
Richard A. Deal
Visit my home page at http://home.cfl.rr.com/dealgroup/
Author of Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep, CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram
Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco exams on the market.

"John Neiberger" wrote in message news:[EMAIL PROTECTED]
> I don't understand why the xlate table would grow. I can understand the
> connections table growing, sure, but did the PIX really re-translate the
> same internal address over 7000 times in just a few minutes?
>
> John
>
> >>> Scott Roberts 3/13/03 11:08:29 AM >>>
> strange that it would create another translation instead of using the old
> one?? I suppose it's more an error in the client software thinking it still
> has a valid server connection and tries to open a brand new one then.
>
> the only thing that comes to my mind would be to expire your translations
> faster, but I've never done this, so I don't even know if it's possible.
>
> scott
>
> "Manny" wrote in message news:[EMAIL PROTECTED]
> > I ran into a situation today where we had a machine that was trying to FTP
> > through the firewall. We allow FTP outbound. The problem that came up was
> > that the user had no idea that an FTP client was set up on his machine. The
> > FTP client (spyware) kept trying to connect to a server (ispynow.com) using
> > the incorrect user name and password. For every attempt an xlate entry was
> > created. It created about 7000 entries in a matter of minutes. The firewall
> > was paralyzed. I had to console in and look at the xlate table. Even through
> > the console I had a hard time viewing the table. Is there any way to prevent
> > this from happening again? This is the second time this year an incident of
> > this nature with the xlate table has occurred. How can I monitor the xlate
> > table for strange behavior?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65638&t=65095
RE: PIX Question [7:65095]
New source port for each outbound FTP connection probably.

Symon

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: 13 March 2003 18:12
To: [EMAIL PROTECTED]
Subject: Re: PIX Question [7:65095]

I don't understand why the xlate table would grow. I can understand the connections table growing, sure, but did the PIX really re-translate the same internal address over 7000 times in just a few minutes?

John

>>> Scott Roberts 3/13/03 11:08:29 AM >>>
strange that it would create another translation instead of using the old one?? I suppose it's more an error in the client software thinking it still has a valid server connection and tries to open a brand new one then.

the only thing that comes to my mind would be to expire your translations faster, but I've never done this, so I don't even know if it's possible.

scott

"Manny" wrote in message news:[EMAIL PROTECTED]
> I ran into a situation today where we had a machine that was trying to
> FTP through the firewall. We allow FTP outbound. The problem that came
> up was that the user had no idea that an FTP client was set up on his
> machine. The FTP client (spyware) kept trying to connect to a server
> (ispynow.com) using the incorrect user name and password. For every
> attempt an xlate entry was created. It created about 7000 entries in a
> matter of minutes. The firewall was paralyzed. I had to console in and
> look at the xlate table. Even through the console I had a hard time
> viewing the table. Is there any way to prevent this from happening
> again? This is the second time this year an incident of this nature
> with the xlate table has occurred. How can I monitor the xlate table
> for strange behavior?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65406&t=65095
Re: PIX Question [7:65095]
I don't understand why the xlate table would grow. I can understand the connections table growing, sure, but did the PIX really re-translate the same internal address over 7000 times in just a few minutes?

John

>>> Scott Roberts 3/13/03 11:08:29 AM >>>
strange that it would create another translation instead of using the old one?? I suppose it's more an error in the client software thinking it still has a valid server connection and tries to open a brand new one then.

the only thing that comes to my mind would be to expire your translations faster, but I've never done this, so I don't even know if it's possible.

scott

"Manny" wrote in message news:[EMAIL PROTECTED]
> I ran into a situation today where we had a machine that was trying to FTP
> through the firewall. We allow FTP outbound. The problem that came up was
> that the user had no idea that an FTP client was set up on his machine. The
> FTP client (spyware) kept trying to connect to a server (ispynow.com) using
> the incorrect user name and password. For every attempt an xlate entry was
> created. It created about 7000 entries in a matter of minutes. The firewall
> was paralyzed. I had to console in and look at the xlate table. Even through
> the console I had a hard time viewing the table. Is there any way to prevent
> this from happening again? This is the second time this year an incident of
> this nature with the xlate table has occurred. How can I monitor the xlate
> table for strange behavior?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65342&t=65095
Re: PIX Question [7:65095]
strange that it would create another translation instead of using the old one?? I suppose it's more an error in the client software thinking it still has a valid server connection and tries to open a brand new one then.

the only thing that comes to my mind would be to expire your translations faster, but I've never done this, so I don't even know if it's possible.

scott

"Manny" wrote in message news:[EMAIL PROTECTED]
> I ran into a situation today where we had a machine that was trying to FTP
> through the firewall. We allow FTP outbound. The problem that came up was
> that the user had no idea that an FTP client was set up on his machine. The
> FTP client (spyware) kept trying to connect to a server (ispynow.com) using
> the incorrect user name and password. For every attempt an xlate entry was
> created. It created about 7000 entries in a matter of minutes. The firewall
> was paralyzed. I had to console in and look at the xlate table. Even through
> the console I had a hard time viewing the table. Is there any way to prevent
> this from happening again? This is the second time this year an incident of
> this nature with the xlate table has occurred. How can I monitor the xlate
> table for strange behavior?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65331&t=65095
Re: PIX Question [7:65095]
Manny,

A couple of thoughts, not necessarily in order of applicability:

1) Change the timeout values for idle connections for conn (connection slot) from 1 hr to 5-10 min and change the xlate timeout from 3 hrs to 5-10 minutes. These are idle timeouts and will probably work for most environments unless you have a lot of low traffic, long timeout connections. (uses the 'timeout' command)

2) Enable aaa authorization for at least ftp and http. Force users to authenticate before using those services.

3) Log PIX messages to a syslog server, monitor it for xlate problems with something like logsurfer.

4) Install an IDS system and monitor for failed FTP logins.

Obviously, these are not mutually exclusive.

HTH,
Kent

On Tue, 2003-03-11 at 16:04, Manny wrote:
> I ran into a situation today where we had a machine that was trying to FTP
> through the firewall. We allow FTP outbound. The problem that came up was
> that the user had no idea that an FTP client was set up on his machine. The
> FTP client (spyware) kept trying to connect to a server (ispynow.com) using
> the incorrect user name and password. For every attempt an xlate entry was
> created. It created about 7000 entries in a matter of minutes. The firewall
> was paralyzed. I had to console in and look at the xlate table. Even through
> the console I had a hard time viewing the table. Is there any way to prevent
> this from happening again? This is the second time this year an incident of
> this nature with the xlate table has occurred. How can I monitor the xlate
> table for strange behavior?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65180&t=65095
Re: PIX Question [7:65095]
Manny,

Yes, you can limit the maximum number of connections to a device and the maximum number of half-open (embryonic) connections. This is done with the NAT command, at least in your case, since the connections are going from high-to-low security levels. The NAT command allows you to specify these two parameters. You'll need to be careful as to what you set them to, otherwise you might be preventing legitimate connections.

By the way, the defaults for these values are the limit of your connection license, so as you have seen, an internal user could easily (purposefully or not) create a DoS attack and paralyze your network.

Cheers!

--
Richard A. Deal
Visit my home page at http://home.cfl.rr.com/dealgroup/
Author of Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep, CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram
Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco exams on the market.

"Manny" wrote in message news:[EMAIL PROTECTED]
> I ran into a situation today where we had a machine that was trying to FTP
> through the firewall. We allow FTP outbound. The problem that came up was
> that the user had no idea that an FTP client was set up on his machine. The
> FTP client (spyware) kept trying to connect to a server (ispynow.com) using
> the incorrect user name and password. For every attempt an xlate entry was
> created. It created about 7000 entries in a matter of minutes. The firewall
> was paralyzed. I had to console in and look at the xlate table. Even through
> the console I had a hard time viewing the table. Is there any way to prevent
> this from happening again? This is the second time this year an incident of
> this nature with the xlate table has occurred. How can I monitor the xlate
> table for strange behavior?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65173&t=65095
Re: PIX Question [7:65095]
I'm not sure of the exact metric, but you should enable syslog and have this sent to a syslog server. With a syslog server you can have the system parse the syslog and react to particular entries. Of course that depends on what you use to manage the syslog db.

"Manny" wrote in message news:[EMAIL PROTECTED]
> I ran into a situation today where we had a machine that was trying to FTP
> through the firewall. We allow FTP outbound. The problem that came up was
> that the user had no idea that an FTP client was set up on his machine. The
> FTP client (spyware) kept trying to connect to a server (ispynow.com) using
> the incorrect user name and password. For every attempt an xlate entry was
> created. It created about 7000 entries in a matter of minutes. The firewall
> was paralyzed. I had to console in and look at the xlate table. Even through
> the console I had a hard time viewing the table. Is there any way to prevent
> this from happening again? This is the second time this year an incident of
> this nature with the xlate table has occurred. How can I monitor the xlate
> table for strange behavior?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65122&t=65095
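A worked version of the syslog-monitoring suggestions in this thread (Kent's logsurfer idea and the reply above), added here as an example and not code from the thread or from logsurfer: it parses PIX-style "%PIX-6-305011: Built dynamic ... translation" lines and alerts when one inside host builds more than a threshold of new translations inside a sliding window. The sample lines are constructed, the exact message layout in the regex and the threshold are assumptions to check against your own firewall's output.

```python
"""Flag a translation-table burst from PIX syslog.

Added example for the syslog-monitoring suggestions in this thread; not
code from the thread or from logsurfer. The sample lines are constructed
in the style of PIX %PIX-6-305011 "Built dynamic ... translation"
messages; the field layout is assumed, so check LINE_RE against a real
log before relying on it. Rule: alert on any inside host that builds
more than THRESHOLD new translations within a WINDOW-second window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50   # new xlates from one inside host per window before alerting
WINDOW = 60      # seconds

# e.g. "Mar 11 15:58:00 pix %PIX-6-305011: Built dynamic TCP translation
#       from inside:10.0.1.5/1030 to outside:64.4.4.10/1030"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %PIX-\d-305011: Built dynamic "
    r"(?P<proto>TCP|UDP) translation from (?P<ifin>\w+):(?P<src>[\d.]+)/\d+ "
    r"to (?P<ifout>\w+):(?P<gip>[\d.]+)/\d+"
)


def parse_ts(ts: str, year: int = 2003) -> datetime:
    """Syslog timestamps carry no year; supply the year of the log being read."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bursts(lines):
    """Return one (inside_ip, window_start, count) tuple per burst.

    Per inside host, keep the timestamps of its recent 'Built ... translation'
    messages, drop those older than WINDOW seconds, and alert once the count
    passes THRESHOLD. That host's window is then cleared, so a sustained burst
    yields one alert per THRESHOLD+1 translations rather than one per line.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                    # teardowns, connection messages, etc.
        ts = parse_ts(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW:
            q.popleft()
        if len(q) > THRESHOLD:
            alerts.append((m["src"], q[0], len(q)))
            q.clear()
    return alerts


def constructed_log():
    """Constructed sample: a quiet host plus one host retrying an FTP login
    from a fresh source port every 0.2 s, as in the thread's incident."""
    base = datetime(2003, 3, 11, 15, 58, 0)
    fmt = ("{:%b %d %H:%M:%S} pix %PIX-6-305011: Built dynamic TCP translation "
           "from inside:{}/{} to outside:64.4.4.10/{}")
    lines = []
    for i in range(5):                  # normal browsing, one xlate every 10 s
        lines.append(fmt.format(base + timedelta(seconds=10 * i), "10.0.1.20", 1100 + i, 1100 + i))
    for i in range(200):                # the misbehaving FTP client
        lines.append(fmt.format(base + timedelta(seconds=0.2 * i), "10.0.1.5", 1030 + i, 1030 + i))
    lines.append("{:%b %d %H:%M:%S} pix %PIX-6-305012: Teardown dynamic TCP translation "
                 "from inside:10.0.1.20/1100 to outside:64.4.4.10/1100 duration 0:00:30".format(base))
    return lines


if __name__ == "__main__":
    for host, start, n in find_bursts(constructed_log()):
        print(f"ALERT {host}: {n} new translations since {start:%H:%M:%S}")
```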
PIX Question [7:65095]
I ran into a situation today where we had a machine that was trying to FTP through the firewall. We allow FTP outbound. The problem that came up was that the user had no idea that an FTP client was set up on his machine. The FTP client (spyware) kept trying to connect to a server (ispynow.com) using the incorrect user name and password. For every attempt an xlate entry was created. It created about 7000 entries in a matter of minutes. The firewall was paralyzed. I had to console in and look at the xlate table. Even through the console I had a hard time viewing the table.

Is there any way to prevent this from happening again? This is the second time this year an incident of this nature with the xlate table has occurred. How can I monitor the xlate table for strange behavior?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65095&t=65095
RE: PIX question [7:64518]
You need a TFTP server program to install on an internal computer:
http://81.96.141.40:82/software/cisco/TFTP%20Server/TFTP%20Server.rar
Download from me if you want.

Run it and set a local path on the local PC in the TFTP server, e.g. c:\cisco\script\, and just leave it running.

In the PIX at the command prompt type:

    tftp-server inside 192.168.0.150 filename

When that is set, to write a config to a file type:

    write net :

(192.168.0.150 was the IP of my machine on the internal network.)

In the c:\cisco\script\ folder is a file called "filename". It actually works.

To load one back in, wipe your old flash out with write erase, then to load the saved config:

    config net :

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64649&t=64518
Re: PIX question [7:64518]
Unfortunately, you cannot copy the IOS off the flash. The good news is Cisco retains a majority of the PIX IOS on the CCO software center website. I encountered this as I built a project plan for upgrading PIX firewalls. I found the old version of my IOS software on their website and used that successfully to back out a change.

"Joupin" wrote in message news:[EMAIL PROTECTED]
> Hi
>
> How could I back up a PIX IOS with TFTP ? Seems that its not as easy as
> router or Switch IOS BACKUP
>
> Regards
> joupin
> www.joupin.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64528&t=64518
PIX question [7:64518]
Hi

How could I back up a PIX IOS with TFTP ? Seems that its not as easy as router or Switch IOS BACKUP

Regards
joupin
www.joupin.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64518&t=64518
Re: NAT ON PIX QUESTION [7:64398]
basically yes, I think your statement is correct.

1) I haven't configured a PIX recently, but I don't recall it requiring an access-list for static address translation, since the port is actually part of the static (or conduit) command. Now I'm sure you'd want an ACL, but simply for the same reason you'd put it on any interface, nothing specific to NAT though.

2) as far as dynamic being one way, that's correct, but the way you worded the sentence seems to imply that it's also one way from outside to inside. dynamic is always inside to out and is blocked outside to inside.

scott

"Sam" wrote in message news:[EMAIL PROTECTED]
> Hey Guys.
> First of all, there aren't any words to express my appreciation for this
> list and all the guys who are always so helpful in here.
>
> These questions are regarding NAT in reference to PIX only.
>
> 1) Static NAT works both ways. From outside to inside and vice versa.
> However, you need an access-list configured if you are accessing from a
> lower-security interface to a higher-security one.
>
> 2) Dynamic NAT on the contrary doesn't work both ways. Connections can be
> initiated only from one interface to another and the other can only reply
> statefully. Am I right?
> Eg: If I configure an internal network (10.0.1.0) to translate to
> 64.4.4.10-64.4.4.30, 30 connections can be initiated towards the internet
> and they would work fine. Replies can be sent back to those initiated
> connections but no connections can be initiated from the Internet to the
> internal network. Hence, I call it stateful.
> Am I right about this full statement?
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64404&t=64398
NAT ON PIX QUESTION [7:64398]
Hey Guys.
First of all, there aren't any words to express my appreciation for this list and all the guys who are always so helpful in here.

These questions are regarding NAT in reference to PIX only.

1) Static NAT works both ways. From outside to inside and vice versa. However, you need an access-list configured if you are accessing from a lower-security interface to a higher-security one.

2) Dynamic NAT on the contrary doesn't work both ways. Connections can be initiated only from one interface to another and the other can only reply statefully. Am I right?
Eg: If I configure an internal network (10.0.1.0) to translate to 64.4.4.10-64.4.4.30, 30 connections can be initiated towards the internet and they would work fine. Replies can be sent back to those initiated connections but no connections can be initiated from the Internet to the internal network. Hence, I call it stateful.
Am I right about this full statement?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64398&t=64398
PIX question [7:64289]
e0 (outside) 64.5.5.1 (internet IP)
e2 (dmz) 172.16.1.50

I issued this command:

    static (dmz,outside) 64.5.5.10 172.16.1.50

1) This means that outside hosts would be able to telnet to 64.5.5.10 and they would in turn be actually accessing 172.16.1.50. Of course I would have the access list configured.

2) Does it also mean that when 172.16.1.50 accesses websites, the websites would log the IP 64.5.5.10 or 172.16.1.50?

When I tried out the above, condition 1 above is working fine. Condition 2 doesn't seem to work. The hosts are actually logging the actual IP 172.16.1.50 while I was under the impression that the IP logged would be 64.5.5.10.

Any ideas?

Thank You

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64289&t=64289
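A small model of the three translation types these threads discuss, added here as an example (it is not PIX code and not code from any of the posts; class and method names are this example's own). It covers the xlate thread [7:65095], the NAT question [7:64398] and the static above: a PAT rule builds one xlate per retry (7000 attempts, 7000 xlates) while a NAT pool builds one per inside host; only a static can be reached from the outside, and maps outbound traffic to its global address; and the max-connection / embryonic limit Richard mentions caps a runaway client. Addresses and limits are constructed values; idle timeouts and ACL checks are not modelled.

```python
"""Toy model of a PIX-style translation (xlate) table.

Added example; not PIX code and not code posted in these threads. It
models the behaviour the posts describe: a static is a fixed 1:1 mapping
reachable from either side, a dynamic NAT pool builds one address-only
xlate per inside host (outbound-initiated only), PAT builds one xlate per
inside host/source-port pair, and the optional max-connection / embryonic
limits of the nat and static commands refuse connections above a cap.
Idle timeouts are not modelled.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Xlate:
    inside_ip: str
    inside_port: Optional[int]   # None for an address-only (static/NAT) xlate
    global_ip: str
    global_port: Optional[int]


class XlateTable:
    def __init__(self, max_conns: int = 0, max_embryonic: int = 0):
        # 0 means no limit, the PIX default (bounded only by the license)
        self.max_conns = max_conns
        self.max_embryonic = max_embryonic
        self.xlates = set()            # every translation currently built
        self.by_host = {}              # inside_ip -> its address-only xlate
        self.statics = {}              # inside_ip -> global_ip
        self.pool = []                 # free dynamic NAT global addresses
        self.pat_ip: Optional[str] = None
        self._pat_ports = count(1024)  # next mapped port handed out under PAT
        self.conns = 0                 # connection slots in use
        self.embryonic = 0             # half-open (not yet completed) connections

    def add_static(self, inside_ip: str, global_ip: str) -> None:
        self.statics[inside_ip] = global_ip

    def set_nat_pool(self, global_ips) -> None:
        self.pool = list(global_ips)

    def set_pat(self, global_ip: str) -> None:
        self.pat_ip = global_ip

    def outbound(self, inside_ip: str, src_port: int,
                 completed: bool = True) -> Optional[Xlate]:
        """Inside host opens a connection outward; returns the xlate it rides
        on, or None when the connection or embryonic limit refuses it."""
        if self.max_conns and self.conns >= self.max_conns:
            return None
        if not completed and self.max_embryonic and self.embryonic >= self.max_embryonic:
            return None
        xl = self.by_host.get(inside_ip)   # reuse an address-only xlate
        if xl is None:
            if inside_ip in self.statics:
                xl = Xlate(inside_ip, None, self.statics[inside_ip], None)
                self.by_host[inside_ip] = xl
            elif self.pool:
                xl = Xlate(inside_ip, None, self.pool.pop(0), None)
                self.by_host[inside_ip] = xl
            elif self.pat_ip:
                # PAT: every new source port is a new translation, which is
                # how one misbehaving client can build thousands of xlates.
                xl = Xlate(inside_ip, src_port, self.pat_ip, next(self._pat_ports))
            else:
                return None                # no translation rule covers this host
            self.xlates.add(xl)
        self.conns += 1
        if not completed:
            self.embryonic += 1
        return xl

    def inbound(self, global_ip: str) -> Optional[str]:
        """Outside host initiates a connection to a global address. Only a
        static is reachable this way (an access-list or conduit must still
        permit it); dynamic NAT and PAT xlates carry replies only."""
        for inside_ip, mapped in self.statics.items():
            if mapped == global_ip:
                return inside_ip
        return None


def spyware_burst(table: XlateTable, attempts: int = 7000,
                  completed: bool = True) -> int:
    """Replay the thread's scenario: one inside host (constructed 10.0.1.5)
    retrying from a fresh source port each time. Returns the xlate count."""
    for i in range(attempts):
        table.outbound("10.0.1.5", 1024 + i, completed)
    return len(table.xlates)
```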
RE: PIX question [7:63892]
Ed,

Try clear logging. It depends on what you are trying to clear.

Steve Wilson
Network Engineer

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: 26 February 2003 18:30
To: [EMAIL PROTECTED]
Subject: PIX question [7:63892]

does someone know what the equivalent of "clear counters" is on the PIX?

i don't know why, but i can't find a thing...

thanks,

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63962&t=63892
PIX question [7:63892]
does someone know what the equivalent of "clear counters" is on the PIX?

i don't know why, but i can't find a thing...

thanks,

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63892&t=63892
Re: PIX Question [7:60941]
Could it be because a host on the outside may need to initiate a connection to the host on the inside? The PIX requires a NAT, even if it is to the same address.

"Evans, TJ (BearingPoint)" wrote in message news:[EMAIL PROTECTED]...
> If there is no route for that block, including summarizations thereof (and
> no interface in that subnet), then it shouldn't go anywhere / be reachable.
>
> So the next question - does it work?
> * Can that machine get out, and if so ... try
> www.whatismyip.com
> ... and what is its IP?
>
> Also - is there another router somewhere that will route it, or another
> router/FW that will re/de-NAT it to a routed IP?
>
>
> Thanks!
> TJ
> [EMAIL PROTECTED]
>
>
>
> -----Original Message-----
> From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 13, 2003 8:44 AM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX Question [7:60941]
>
> The thing is the router external to the pix does not have a route for
> the 157.157.0.0 network, considering that, will this ever work ???
>
> Although the address is a public IP address, this company uses it as an
> internal address, and it should not be visible on the internet, also the
> server with the IP address is on the inside network, not the DMZ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61000&t=60941
RE: PIX Question [7:60941]
If there is no route for that block, including summarizations thereof (and no interface in that subnet), then it shouldn't go anywhere / be reachable.

So the next question - does it work?
* Can that machine get out, and if so ... try www.whatismyip.com ... and what is its IP?

Also - is there another router somewhere that will route it, or another router/FW that will re/de-NAT it to a routed IP?

Thanks!
TJ
[EMAIL PROTECTED]

-----Original Message-----
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 8:44 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX Question [7:60941]

The thing is the router external to the PIX does not have a route for the 157.157.0.0 network; considering that, will this ever work?

Although the address is a public IP address, this company uses it as an internal address, and it should not be visible on the internet. Also the server with the IP address is on the inside network, not the DMZ.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60961&t=60941
RE: PIX Question [7:60941]
The thing is the router external to the PIX does not have a route for the 157.157.0.0 network; considering that, will this ever work?

Although the address is a public IP address, this company uses it as an internal address, and it should not be visible on the internet. Also the server with the IP address is on the inside network, not the DMZ.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60954&t=60941
RE: PIX Question [7:60941]
It is just a static NAT of the internal address to an external address; in this case they happen to be the same address ... sometimes used in conjunction with conduits/ACLs to permit certain monitoring/syslog/tftp/etc. traffic to external devices (edge routers, for example) without exposing the internal hosts globally.

However, this seems not to be your case as you are using external IPs. In this case, it may be an example of a network that was not behind a firewall originally, but has now been moved behind one ... and they didn't want to bother re-addressing :).

Just my $.01

Thanks!
TJ
[EMAIL PROTECTED]

-----Original Message-----
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 6:13 AM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:60941]

Hi

Can anyone please tell me what the point of the following command is:

static (inside,outside) 157.157.146.13 157.157.146.13 netmask 255.255.255.255 0 0

Same IP address on the inside and the outside. I have seen this used on production networks, but can not figure out why; can anyone please explain?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60951&t=60941
RE: PIX Question [7:60941]
Do any of your external devices have a route for the 157.157.x.x network, pointing to the PIX to get there?

I have used this in the past to ensure that another local device outside the PIX could send syslog messages to a server behind it, using its real address.

Symon

-----Original Message-----
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: 13 January 2003 11:57
To: [EMAIL PROTECTED]
Subject: RE: PIX Question [7:60941]

Ok, but I am not quite sure I understand this, because in this example the address is used as a private address on the company's internal network, and is not routed to the PIX on the outside interface from hosts on the network. So if this is to bypass NAT, by what IP address do the hosts on the outside know the inside host, as I have not used a static command to assign any public IP address that is routable on the outside interface to the internal host?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60950&t=60941
RE: PIX Question [7:60941]
For static (inside,outside), I remember doing this in our lab where two PIXs connect one after the other. Disabling NAT with static (inside,outside) for the transition network would simplify things. I guess you might just see this setup in a production network.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60947&t=60941
RE: PIX Question [7:60941]
An application for this would be if you have a server with a global IP address assigned to it in your DMZ; then you don't want your PIX to translate your global from the outside.

static (dmz,outside) 157.157.146.13 157.157.146.13 netmask 255.255.255.255 0 0

Another case would be an intranet server, also on the DMZ interface, being accessed from your inside network. Inside hosts appear on the DMZ with their own addresses.

static (inside,dmz) 10.200.200.101 10.200.200.101 netmask 255.255.255.255 0 0

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60946&t=60941
RE: PIX Question [7:60941]
It's used when no NAT is performed.

Regards,
Marko.

> -----Original Message-----
> From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 13 January 2003 11:13
> To: [EMAIL PROTECTED]
> Subject: PIX Question [7:60941]
>
> Hi
>
> Can anyone please tell me what the point of the following command is
>
> static (inside,outside) 157.157.146.13 157.157.146.13 netmask 255.255.255.255 0 0
>
> Same IP address on the inside and the outside, I have seen this used on
> production networks, but can not figure out why, can anyone please explain.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60945&t=60941
RE: PIX Question [7:60941]
Ok, but I am not quite sure I understand this, because in this example the address is used as a private address on the company's internal network, and is not routed to the PIX on the outside interface from hosts on the network. So if this is to bypass NAT, by what IP address do the hosts on the outside know the inside host, as I have not used a static command to assign any public IP address that is routable on the outside interface to the internal host?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60944&t=60941
RE: PIX Question [7:60941]
I think that is to ensure that any traffic coming from the outside to the inside for that particular host will NOT get address translated (as long as you have a conduit or access-list command that allows access).

Symon

-----Original Message-----
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: 13 January 2003 11:13
To: [EMAIL PROTECTED]
Subject: PIX Question [7:60941]

Hi

Can anyone please tell me what the point of the following command is:

static (inside,outside) 157.157.146.13 157.157.146.13 netmask 255.255.255.255 0 0

Same IP address on the inside and the outside. I have seen this used on production networks, but can not figure out why; can anyone please explain?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60943&t=60941
PIX Question [7:60941]
Hi

Can anyone please tell me what the point of the following command is:

static (inside,outside) 157.157.146.13 157.157.146.13 netmask 255.255.255.255 0 0

Same IP address on the inside and the outside. I have seen this used on production networks, but can not figure out why; can anyone please explain?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60941&t=60941
RE: PIX question [7:58623]
All you need to do is create a static private-to-public address on the PIX. However, users on the inside will access the server via the private address. Therefore, the packet will not leave the inside interface and come back in.

Greg Owens

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 10:22 AM
To: [EMAIL PROTECTED]
Subject: PIX question [7:58623]

If I have a PIX separating my network from the internet with an inside and an outside interface, then I have some servers on the inside network that I use static to give an IP address on the outside network for hosts on the internet to access. That's the easy part; now the question:

Is it possible for the inside hosts to access the servers that I have using the public IP address, i.e. as if my inside hosts were accessing them from the internet, so they would go out the PIX and then back in using the public IP address of the server they are connecting to?

Does this make any sense?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58632&t=58623
RE: PIX question [7:58623]
Hi Arni,

As far as I know you can not, because of the split horizon rule built into the PIX. This implies data/packets can not be sent out the same interface they have been received on. I might be wrong though.

Regards
Gerhard

-----Original Message-----
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: 05 December 2002 17:22
To: [EMAIL PROTECTED]
Subject: PIX question [7:58623]

If I have a PIX separating my network from the internet with an inside and an outside interface, then I have some servers on the inside network that I use static to give an IP address on the outside network for hosts on the internet to access. That's the easy part; now the question:

Is it possible for the inside hosts to access the servers that I have using the public IP address, i.e. as if my inside hosts were accessing them from the internet, so they would go out the PIX and then back in using the public IP address of the server they are connecting to?

Does this make any sense?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58629&t=58623
RE: PIX question [7:58623]
I don't think the alias command or the DNAT tricks work around the "same interface routing" rule, which the PIX won't do. Sorry.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58628&t=58623
RE: PIX question [7:58623]
Use the alias command:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

-----Original Message-----
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 7:22 AM
To: [EMAIL PROTECTED]
Subject: PIX question [7:58623]

If I have a PIX separating my network from the internet with an inside and an outside interface, then I have some servers on the inside network that I use static to give an IP address on the outside network for hosts on the internet to access. That's the easy part; now the question:

Is it possible for the inside hosts to access the servers that I have using the public IP address, i.e. as if my inside hosts were accessing them from the internet, so they would go out the PIX and then back in using the public IP address of the server they are connecting to?

Does this make any sense?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58627&t=58623
PIX question [7:58623]
If I have a PIX separating my network from the internet with an inside and an outside interface, then I have some servers on the inside network that I use static to give an IP address on the outside network for hosts on the internet to access. That's the easy part; now the question:

Is it possible for the inside hosts to access the servers that I have using the public IP address, i.e. as if my inside hosts were accessing them from the internet, so they would go out the PIX and then back in using the public IP address of the server they are connecting to?

Does this make any sense?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58623&t=58623
RE: Pix question [7:57869]
Gotta put static or nat translation statements for ANY traffic.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ramesh c
Sent: Friday, November 22, 2002 1:48 AM
To: [EMAIL PROTECTED]
Subject: Pix question [7:57869]

Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 100basetx
ip address outside 209.165.201.2 255.255.255.248
ip address inside 192.168.7.0 255.255.255.0
ip address dmz 172.16.1.0 255.255.255.0
hostname pixfirewall
arp timeout 14400
no failover
names
pager lines 24
logging buffered debugging
access-list acl_out permit tcp any host 209.165.201.19
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
access-list ping_acl permit icmp any any
access-group ping_acl in interface inside
access-group ping_acl in interface dmz
access-list acl_out permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00

My question is, can my systems from inside initiate a connection to the DMZ with the above configuration? Meaning, can the PIX act as a router? Since I read inside can initiate connections to DMZ or outside by default.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57871&t=57869
Pix question [7:57869]
Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 100basetx
ip address outside 209.165.201.2 255.255.255.248
ip address inside 192.168.7.0 255.255.255.0
ip address dmz 172.16.1.0 255.255.255.0
hostname pixfirewall
arp timeout 14400
no failover
names
pager lines 24
logging buffered debugging
access-list acl_out permit tcp any host 209.165.201.19
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
access-list ping_acl permit icmp any any
access-group ping_acl in interface inside
access-group ping_acl in interface dmz
access-list acl_out permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00

My question is, can my systems from inside initiate a connection to the DMZ with the above configuration? Meaning, can the PIX act as a router? Since I read inside can initiate connections to DMZ or outside by default.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57869&t=57869
Re: General PIX question DES/3DES [7:55200]
In article , [EMAIL PROTECTED] says...
> 3DES is subject to country implementation. So need to request to Cisco for
> implementation of the 3DES.
> CMIAW
>
> Best Regards,
> HATO
>
> >From: "[EMAIL PROTECTED]"
> >Reply-To: "[EMAIL PROTECTED]"
> >To: [EMAIL PROTECTED]
> >Subject: General PIX question DES/3DES [7:55200]
> >Date: Wed, 9 Oct 2002 17:35:10 GMT
> >
> >Do any of the PIX firewalls come with 3DES or is it an upgrade option on
> >all the models? Particularly the PIX-525-UR-BUN.
> >
> >Thanx,
> >mkj

I may be mistaken, but I seem to remember the 3DES licence for the bigger PIXs (525) is about £450 (GBP). The smaller ones are much cheaper, starting at about 40 GBP for the 501 and rising.

Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55414&t=55200
Re: General PIX question DES/3DES [7:55200]
3DES is subject to country implementation. So you need to request the implementation of 3DES from Cisco. CMIAW

Best Regards,
HATO

>From: "[EMAIL PROTECTED]"
>Reply-To: "[EMAIL PROTECTED]"
>To: [EMAIL PROTECTED]
>Subject: General PIX question DES/3DES [7:55200]
>Date: Wed, 9 Oct 2002 17:35:10 GMT
>
>Do any of the PIX firewalls come with 3DES or is it an upgrade option on
>all the models? Particularly the PIX-525-UR-BUN.
>
>Thanx,
>mkj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55246&t=55200
Re: General PIX question DES/3DES [7:55200]
I know I've seen a PIX 501 that comes with 3DES on eBay priced around $100 more than the straight DES ones, if that helps a bit.

Tom Larus

[EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> Do any of the PIX firewalls come with 3DES or is it an upgrade option on all
> the models? Particularly the PIX-525-UR-BUN.
>
> Thanx,
> mkj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55233&t=55200
Re: General PIX question DES/3DES [7:55200]
Upgrade. You can get DES free, but 3DES is an upgrade.

--- "[EMAIL PROTECTED]" wrote:
> Do any of the PIX firewalls come with 3DES or is it
> an upgrade option on all
> the models? Particularly the PIX-525-UR-BUN.
>
> Thanx,
> mkj

[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55240&t=55200
General PIX question DES/3DES [7:55200]
Do any of the PIX firewalls come with 3DES or is it an upgrade option on all the models? Particularly the PIX-525-UR-BUN.

Thanx,
mkj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55200&t=55200
RE: PIX Question [7:53832]
Tom,

Sweet. Let me know if that does not solve your issue. You piqued my curiosity on this one.

Thank You,
Leslie McIntosh
Sr. Network Engineer
Deloitte & Touche Outsourcing

-----Original Message-----
From: Tom Nielsen [mailto:[EMAIL PROTECTED]]
Sent: Sun 9/22/2002 8:52 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: PIX Question [7:53832]

Well... Close. I was using conduit statements more so than access lists. After seeing what you had put down, I think my error was in the global statement. I had...

global (outside) 1 interface

Tom

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53893&t=53832
RE: PIX Question [7:53832]
Well... Close. I was using conduit statements more so than access lists. After seeing what you had put down, I think my error was in the global statement. I had...

global (outside) 1 interface

Tom

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53875&t=53832
RE: PIX Question [7:53832]
Tom,

I am seeing the following:

configure terminal
access-list 101 permit tcp any host x.x.17.34 eq ftp
access-list 101 permit tcp any host x.x.17.34 eq www
access-list 101 permit tcp any host x.x.17.34 eq smtp
! PAT for external web access
global (outside) 1 x.x.17.34
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
! Port redirection for email, ftp, web server
static (inside,outside) tcp x.x.17.34 ftp 192.168.x.x ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.17.34 www 192.168.x.x www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.17.34 smtp 192.168.x.x smtp netmask 255.255.255.255 0 0
! allow external access to email, ftp, web server
access-group 101 in interface outside
exit

Is this similar to what you have? Are you seeing anything in the xlate table indicating that the internal users are at least getting an xlate on the PIX? I am more familiar with conduit statements, but the ACLs are the same. I think I would take this back to PAT if there are still issues. Prove PAT, then add statements to see what is killing the connections.

Les

-----Original Message-----
From: Tom Nielsen [mailto:[EMAIL PROTECTED]]
Sent: Sun 9/22/2002 12:11 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: PIX Question [7:53832]

I saw that in my search for the answer. When I try to implement it, the only device that is able to get on the internet is the device hosting the website/email. All other workstations could resolve the internet websites but could not browse.

Tom

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53843&t=53832
RE: PIX Question [7:53832]
I saw that in my search for the answer. When I try to implement it, the only device that is able to get on the internet is the device hosting the website/email. All other workstations could resolve the internet websites but could not browse.

Tom

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53841&t=53832
RE: PIX Question [7:53832]
Tom,

Having just passed my CSPFA and MCNS exams in the last month, I thought I was pretty on top of the PIX thing. Then you ask about port redirection, so my curiosity is piqued and I had to do some Cisco.com surfing. I found a link that deals specifically with NAT and port redirection:

http://www.cisco.com/warp/public/707/28.html

I do not think I covered a single chapter/question about port redirection on my exams/study guide (Cisco Press). Check out the link, it looks pretty cool! Now I am going to have to get a 501 and try that at the house!

Thank You,
Leslie McIntosh
Sr. Network Engineer
Deloitte & Touche Outsourcing
CCNA, CNE5, Network+, A+ - Working on CSS1 (3 of 4)

-----Original Message-----
From: Tom Nielsen [mailto:[EMAIL PROTECTED]]
Sent: Sat 9/21/2002 8:01 PM
To: [EMAIL PROTECTED]
Cc:
Subject: PIX Question [7:53832]

Basic configuration issue. I have a very simple configuration. I have a PIX Firewall with 2 interfaces (inside, outside). I have an internal network, 192.168.0.0/16. The outside interface is x.x.17.35 - I have one additional IP address, x.x.17.34, that everyone has to NAT out. The address (.34) also will handle all incoming mail, web and FTP requests and redirect them to a server in the 192.168.0.0/16 network. I am confused on the static, global and nat commands for this configuration... any help would be appreciated.

tom

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53837&t=53832
PIX Question [7:53832]
Basic configuration issue. I have a very simple configuration. I have a PIX Firewall with 2 interfaces (inside, outside). I have an internal network, 192.168.0.0/16. The outside interface is x.x.17.35 - I have one additional IP address, x.x.17.34, that everyone has to NAT out. The address (.34) also will handle all incoming mail, web and FTP requests and redirect them to a server in the 192.168.0.0/16 network. I am confused on the static, global and nat commands for this configuration... any help would be appreciated.

tom

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53832&t=53832
RE: PIX Question [7:51095]
You're talking about "nat 0". The default gateway address will be the same address as the default outside route on the PIX: either it will be your "Bastion Router" or your ISP's router.

HTH
Richard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Zahid Hassan
Sent: Friday, August 09, 2002 1:36 PM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:51095]

Hi All,

I have got a PIX firewall with two interfaces; the outside interface has a public IP address and the inside a private IP address. I will need to connect a server with a public IP address. I know that the PIX firewall can be configured not to NAT a specific IP address.

Can I connect a server with a public IP address on the inside interface of the PIX? If yes, what will be the default gateway, the inside or the outside interface of the PIX?

Thanks in advance.

Zahid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51104&t=51095
RE: PIX Question [7:51095]
So you have:

Server --- inside - PIX - outside --- Internet

How would a server with the public IP address talk to the PIX inside interface, that has a private IP address? It's like having two PCs with different IP addresses and trying to make them talk through a hub. For two devices to talk on the same wire they have to be on the same subnet.

So you either have to reconfigure the server to have a private IP address or use a router on the inside of the PIX. The PIX doesn't support secondary IP addresses.

--
Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Zahid Hassan
Sent: Friday, August 09, 2002 3:36 PM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:51095]

Hi All,

I have got a PIX firewall with two interfaces; the outside interface has a public IP address and the inside a private IP address. I will need to connect a server with a public IP address. I know that the PIX firewall can be configured not to NAT a specific IP address.

Can I connect a server with a public IP address on the inside interface of the PIX? If yes, what will be the default gateway, the inside or the outside interface of the PIX?

Thanks in advance.

Zahid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51102&t=51095
RE: PIX Question [7:51095]
What you normally do in this situation is to use statics. Let's assume the following:

Inside server address 10.10.10.10
Outside server address 20.20.20.20
Ports needed 80, 443, 25

You place the server on the inside network, then use the following commands:

static (inside,outside) 20.20.20.20 10.10.10.10 netmask 255.255.255.255

This tells the FW to take any request for address 20.20.20.20 and send them to 10.10.10.10.

Next, assuming ACLs on the PIX, you would do this (and assuming the ACL that is applied to the external interface is outside_acl):

access-list outside_acl permit tcp any host 20.20.20.20 eq 80
access-list outside_acl permit tcp any host 20.20.20.20 eq 443
access-list outside_acl permit tcp any host 20.20.20.20 eq 25

Notice that you permit traffic to the external address. That's the "normal" way to do it and protect the server when 2 interfaces are all that are available.

Thanks
Larry

-----Original Message-----
From: Zahid Hassan [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 09, 2002 3:36 PM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:51095]

Hi All,

I have got a PIX firewall with two interfaces, the outside interface has a public IP address and inside a private IP address. I will need to connect a server with a public IP address. I know that the PIX firewall can be configured not to NAT a specific IP address.

Can I connect a server with a public IP address on the inside interface of the PIX? If yes, what will be the default gateway, the inside or the outside interface of the PIX?

Thanks in advance.

Zahid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51100&t=51095
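An added example, not from Larry or the thread, that models in Python how a PIX 6.x handles an inbound connection with exactly the static and access-list lines above: the outside ACL is checked against the public address 20.20.20.20 first, and only then does the static map it to 10.10.10.10, which is why the ACL must name the external address. The access-group line, the outside source address 198.51.100.7 and the parser itself are my constructions.

```python
"""Added example (not PIX code): a small model of PIX 6.x inbound processing
on the outside interface.  Order of operations: inbound ACL against the
global (public) address, then untranslation through the static."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed config: Larry's lines plus an access-group binding the ACL inbound.
PIX_CONFIG = """
static (inside,outside) 20.20.20.20 10.10.10.10 netmask 255.255.255.255
access-list outside_acl permit tcp any host 20.20.20.20 eq 80
access-list outside_acl permit tcp any host 20.20.20.20 eq 443
access-list outside_acl permit tcp any host 20.20.20.20 eq 25
access-group outside_acl in interface outside
"""


@dataclass
class Static:
    global_net: ipaddress.IPv4Network   # address as seen on the outside
    local_net: ipaddress.IPv4Network    # real address on the inside


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' starting at tokens[i]; return (net, next_i)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (statics, {acl name: [Ace]}, {interface: acl name}) from config lines."""
    statics, acls, groups = [], {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "static":
            # static (high,low) GLOBAL LOCAL netmask MASK
            mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
            statics.append(Static(ipaddress.IPv4Network(f"{t[2]}/{mask}", strict=False),
                                  ipaddress.IPv4Network(f"{t[3]}/{mask}", strict=False)))
        elif t[0] == "access-list":
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, port))
        elif t[0] == "access-group":
            groups[t[4]] = t[1]          # access-group NAME in interface IFACE
    return statics, acls, groups


def inbound(statics, acls, groups, proto, src, dst, dport, iface="outside"):
    """Return (verdict, inside destination) for a packet arriving on iface."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    matched = None
    # Step 1: the inbound ACL sees the destination as the global address.
    for ace in acls.get(groups.get(iface), []):
        if (ace.proto in (proto, "ip") and src_ip in ace.src and dst_ip in ace.dst
                and (ace.port is None or ace.port == dport)):
            matched = ace
            break
    if matched is None or matched.action == "deny":
        return "deny", None              # implicit deny at the end of every list
    # Step 2: untranslate global -> local through the matching static.
    for s in statics:
        if dst_ip in s.global_net:
            offset = int(dst_ip) - int(s.global_net.network_address)
            local = ipaddress.IPv4Address(int(s.local_net.network_address) + offset)
            return "permit", str(local)
    return "deny", None                  # no translation: the PIX drops the packet


def demo():
    """Verdicts for a few constructed packets from an outside host."""
    args = parse_config(PIX_CONFIG)
    # A common mistake: permitting the *inside* address in the outside ACL.
    wrong = parse_config(PIX_CONFIG.replace("host 20.20.20.20", "host 10.10.10.10"))
    return {
        "web": inbound(*args, "tcp", "198.51.100.7", "20.20.20.20", 80),
        "mail": inbound(*args, "tcp", "198.51.100.7", "20.20.20.20", 25),
        "ssh": inbound(*args, "tcp", "198.51.100.7", "20.20.20.20", 22),
        "wrong_addr": inbound(*wrong, "tcp", "198.51.100.7", "20.20.20.20", 80),
    }
```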
RE: PIX Question [7:51095]
You will have to do a NAT 0 (zero) to use the public address on the inside, and the default gateway will not be on the PIX, but on the router on the other side (outside) of the PIX.

Hth,
Ole

~ Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~ http://www.RouterChief.com
~ Need a Job? http://www.OleDrews.com/job
~

-----Original Message-----
From: Zahid Hassan [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 09, 2002 2:36 PM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:51095]

Hi All,

I have got a PIX firewall with two interfaces, the outside interface has a public IP address and inside a private IP address. I will need to connect a server with a public IP address. I know that the PIX firewall can be configured not to NAT a specific IP address.

Can I connect a server with a public IP address on the inside interface of the PIX? If yes, what will be the default gateway, the inside or the outside interface of the PIX?

Thanks in advance.

Zahid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51099&t=51095
PIX Question [7:51095]
Hi All,

I have got a PIX firewall with two interfaces, the outside interface has a public IP address and inside a private IP address. I will need to connect a server with a public IP address. I know that the PIX firewall can be configured not to NAT a specific IP address.

Can I connect a server with a public IP address on the inside interface of the PIX? If yes, what will be the default gateway, the inside or the outside interface of the PIX?

Thanks in advance.

Zahid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51095&t=51095
RE: pix question [7:47556]
And to top it off, unless you're running the newest code, the only way to enable the new code is to reinstall the OS... In 6.2 they have added the ability to change from the command prompt, but in older versions it's only possible by reloading the OS, even if it's the same OS.

Thanks
Larry

-----Original Message-----
From: Dan Penn [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: pix question [7:47556]

Wrong, the 3DES isn't like most Cisco features that you can just download. They give you a code that you actually have to enter into the PIX.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Carpenter
Sent: Thursday, June 27, 2002 8:46 AM
To: [EMAIL PROTECTED]
Subject: Re: pix question [7:47556]

I don't think so

----- Original Message -----
From: "GEORGE"
To:
Sent: Thursday, June 27, 2002 9:03 AM
Subject: pix question [7:47556]

I have the 3DES encryption disabled, do I have to purchase a license to enable it?

VPN-3DES: Disabled

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47580&t=47556
RE: pix question [7:47556]
Wrong, the 3DES isn't like most Cisco features that you can just download. They give you a code that you actually have to enter into the PIX.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Carpenter
Sent: Thursday, June 27, 2002 8:46 AM
To: [EMAIL PROTECTED]
Subject: Re: pix question [7:47556]

I don't think so

----- Original Message -----
From: "GEORGE"
To:
Sent: Thursday, June 27, 2002 9:03 AM
Subject: pix question [7:47556]

I have the 3DES encryption disabled, do I have to purchase a license to enable it?

VPN-3DES: Disabled

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47577&t=47556
Re: pix question [7:47556]
I don't think so

----- Original Message -----
From: "GEORGE"
To:
Sent: Thursday, June 27, 2002 9:03 AM
Subject: pix question [7:47556]

I have the 3DES encryption disabled, do I have to purchase a license to enable it?

VPN-3DES: Disabled

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47566&t=47556
Re: pix question [7:47556]
Yes... you can get the DES key for free though.

----- Original Message -----
From: "GEORGE"
To:
Sent: Thursday, June 27, 2002 9:03 AM
Subject: pix question [7:47556]

> I have the 3DES encryption disabled, do I have to purchase a license to
> enable it?
>
> VPN-3DES: Disabled

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47560&t=47556
Re: pix question [7:47556]
George,

From the Cisco website:

168-bit 3DES keys may be purchased, and are available through the Cisco MarketPlace. If you have already purchased the 3DES Upgrade and you have your Cisco PIX Firewall 3DES upgrade document with entitlement number (printed on document), please register this as a Purchased License.

http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

Good luck,

Pieter Jan Bakhuijzen
iXio Networks
http://www.ixionetworks.com

""GEORGE"" wrote in message news:[EMAIL PROTECTED]...
> I have the 3DES encryption disabled, do I have to purchase a license to
> enable it?
>
> VPN-3DES: Disabled

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47558&t=47556
RE: pix question [7:47556]
Yes, you need to buy that license.

Best Regards
SeaTigerIII
CCSA, CLP4, CCDA, CCNP, MCSE4, MCSE2000
Email: [EMAIL PROTECTED]
web: http://seatigeriii.d2g.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 10:04 PM
To: [EMAIL PROTECTED]
Subject: pix question [7:47556]

I have the 3DES encryption disabled, do I have to purchase a license to enable it?

VPN-3DES: Disabled

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47557&t=47556
pix question [7:47556]
I have the 3DES encryption disabled, do I have to purchase a license to enable it?

VPN-3DES: Disabled

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47556&t=47556
Re: PIX question [7:45658]
PIX: no. Router: yes. FW-1: yes, but you have to play with it.

"Anil Kumar"
Sent by: [EMAIL PROTECTED]
06/03/2002 09:51 PM
Please respond to "Anil Kumar"

To: [EMAIL PROTECTED]
cc:
Subject: PIX question [7:45658]

Hi All,

Does the PIX FW support the secondary IP address option for the interface, as is carried out on a router Ethernet interface?

Thanks in Advance.

Regards..
Anil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45726&t=45658
Re: pix question [7:45639]
Anthony,

From what I read in your post:

Cable Modem Inside - 172.16.1.1/16
Pix Outside - 172.16.1.1/16 (you have 172.161.1.1/16 below)
Pix Inside - 10.1.1.1/24

default route: in your post "route outside 0 0 172.16.1.2"
what it should be: "route outside 0 0 172.16.1.1" (this is based on the above information)

With the above configuration correct and the route outside statement changed, try to ping your cable modem from the PIX. If this works, then move on to getting from the inside of your PIX to the outside.

Justin

From: "Anthony Ramsey"
Reply-To: "Anthony Ramsey"
To: [EMAIL PROTECTED]
Subject: pix question [7:45639]
Date: Sun, 2 Jun 2002 18:49:24 -0400

Hi all,

I appreciate any feedback to my question: I am setting up a lab environment and initially trying to configure a router and a PIX behind it. My router's outside interface is connected to a cable modem and has a live IP address assigned to it.

cable modem -> router -> pix -> inside hosts

The router's inside interface has a private IP address of 172.16.1.1 /24 and the PIX's outside interface is 172.161.1.2 /24. The inside interface of the PIX has an IP address of 10.1.1.1 /24 and all inside hosts have that as the default gateway. Securities are set up correctly on the inside and outside interfaces. I am using a global PAT address, different from the one on the router's interface connected to the cable modem (no statics going on in the PIX). I am unable to reach the Internet even when I use the statement "conduit permit ip any any", and no packets are able to reach the 172.16.1.0 network from the inside hosts, not even the 172.16.1.2 address which belongs to the PIX's outside interface. I have a "route outside 0 0 172.16.1.2" statement as well. From the router I can ping inside hosts, with the correct route statement.

Hope this is enough information. Please help!

Thanks
Tony

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45669&t=45639
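An added example, not from Justin or Tony, that checks a PIX `route` statement the way Justin did by hand: the next hop must be another host on the connected subnet of the named interface, never the PIX's own address. The three config fragments are constructed from Tony's description (with the /24 he wrote); the checker is my own.

```python
"""Added example (not PIX code): sanity-check 'route IFACE NET MASK GW'
lines against the 'ip address' of the interface they name."""
import ipaddress

# Constructed from Tony's post: outside address typed as 172.161.1.2 and a
# default route pointing at what he meant to be the PIX's own outside address.
AS_POSTED = """
ip address outside 172.161.1.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0 0 172.16.1.2
"""
# Typo fixed, but the route still points at the PIX itself.
TYPO_FIXED = AS_POSTED.replace("172.161.1.2", "172.16.1.2")
# Justin's fix: the next hop is the router's inside address.
CORRECTED = TYPO_FIXED.replace("0 0 172.16.1.2", "0 0 172.16.1.1")


def parse_pix(text):
    """Collect 'ip address IF ADDR MASK' and 'route IF NET MASK GW' lines."""
    ifaces, routes = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.IPv4Interface(f"{t[3]}/{t[4]}")
        elif t[0] == "route":
            # PIX accepts '0 0' as shorthand for 0.0.0.0 0.0.0.0
            net = "0.0.0.0" if t[2] == "0" else t[2]
            mask = "0.0.0.0" if t[3] == "0" else t[3]
            routes.append((t[1], ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
                           ipaddress.IPv4Address(t[4])))
    return ifaces, routes


def check_routes(text):
    """Return a list of problems found; an empty list means the routes are sane."""
    ifaces, routes = parse_pix(text)
    problems = []
    for iface, net, gw in routes:
        if iface not in ifaces:
            problems.append(f"route {net} via {gw}: interface {iface} has no ip address")
        elif gw == ifaces[iface].ip:
            problems.append(f"route {net} via {gw}: next hop is the PIX's own {iface} address")
        elif gw not in ifaces[iface].network:
            problems.append(f"route {net} via {gw}: next hop is not on the {iface} subnet "
                            f"{ifaces[iface].network}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("typo fixed", TYPO_FIXED),
                      ("corrected", CORRECTED)):
        print(name, check_routes(cfg) or "ok")
```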
Re: PIX question [7:45658]
PIX doesn't support that; routers or sups do.

Best regards,

""Anil Kumar"" wrote in message news:[EMAIL PROTECTED]...
> Hi All,
>
> Does the PIX FW support the secondary IP address option for the
> interface, as is carried out on a router Ethernet
> interface?
>
>
> Thanks in Advance.
>
> Regards.. Anil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45660&t=45658
PIX question [7:45658]
Hi All,

Does the PIX FW support the secondary IP address option for the interface, as is carried out on a router Ethernet interface?

Thanks in Advance.

Regards..
Anil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45658&t=45658
Re: pix question [7:45639]
With the assumption that all is set correctly (nat correlates to global, etc., etc.) and you cleared all caches after setup, which I would say somewhere they are not, I would run ICMP debugs, take all ACLs off except the ones needed for the NAT/PAT, and watch the packets; you'll find it.

-TV

""Anthony Ramsey"" wrote in message news:[EMAIL PROTECTED]...
> Hi all,
> I appreciate any feedback to my question:
> I am setting up a lab environment and initially trying
> to configure a router and a PIX behind it.
> My router's outside interface is connected to a cable
> modem and has a live IP address assigned to it.
> cable modem -> router -> pix -> inside
> hosts.
>
> The router's inside interface has a private IP address of
> 172.16.1.1 /24 and the PIX's outside interface is
> 172.161.1.2 /24. The inside interface of the PIX has
> an IP address of 10.1.1.1 /24 and all inside hosts
> have that as the default gateway. Securities are set
> up correctly on the inside and outside interfaces.
> I am using a global PAT address, different from the
> one on the router's interface connected to the cable
> modem (no statics going on in the PIX). I am unable to
> reach the Internet even when I use the statement
> "conduit permit ip any any", and no packets are able
> to reach the 172.16.1.0 network from the inside hosts,
> not even the 172.16.1.2 address which belongs to the
> PIX's outside interface.
> I have a "route outside 0 0 172.16.1.2" statement as
> well.
> From the router I can ping inside hosts, with the
> correct route statement.
>
> Hope this is enough information. Please help!
> Thanks
> Tony

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45643&t=45639
pix question [7:45639]
Hi all,

I appreciate any feedback to my question: I am setting up a lab environment and initially trying to configure a router and a PIX behind it. My router's outside interface is connected to a cable modem and has a live IP address assigned to it.

cable modem -> router -> pix -> inside hosts

The router's inside interface has a private IP address of 172.16.1.1 /24 and the PIX's outside interface is 172.161.1.2 /24. The inside interface of the PIX has an IP address of 10.1.1.1 /24 and all inside hosts have that as the default gateway. Securities are set up correctly on the inside and outside interfaces. I am using a global PAT address, different from the one on the router's interface connected to the cable modem (no statics going on in the PIX). I am unable to reach the Internet even when I use the statement "conduit permit ip any any", and no packets are able to reach the 172.16.1.0 network from the inside hosts, not even the 172.16.1.2 address which belongs to the PIX's outside interface. I have a "route outside 0 0 172.16.1.2" statement as well. From the router I can ping inside hosts, with the correct route statement.

Hope this is enough information. Please help!

Thanks
Tony

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45639&t=45639
RE: PIX question [7:44532]
It is part of the CiscoWorks 2000 VPN/Security bundle. Here is the link to the above:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_0/index.htm

For CSPM 3.0, the link is here:

http://www.cisco.com/warp/customer/cc/pd/sqsw/sqppmn/

Aurelian Georgescu

-----Original Message-----
From: Lupi, Guy [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 20, 2002 12:16 PM
To: [EMAIL PROTECTED]
Subject: PIX question [7:44532]

Does Cisco sell a PIX global management system, so that if you have 100 remote sites with a PIX each you can manage them from a central location? If so, a link to a description would be great. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44534&t=44532
PIX question [7:44532]
Does Cisco sell a PIX global management system, so that if you have 100 remote sites with a PIX each you can manage them from a central location? If so, a link to a description would be great. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44532&t=44532
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Mark,

Typically the alias command is used when:

1) You have overlapping addresses, i.e. you're using 10 net addressing and you have to connect to someone else who is also using 10 net addressing (this is done through DNS "doctoring"), or you have a split DNS (see below).

2) You want to translate the dst address of packets going from inside to outside on the PIX.

If you have a situation where your DNS is external and your servers are internal, you probably don't want the internal hosts accessing the internal servers using their external address. In order for the DNS replies to give the internal hosts the internal address of the servers, you would use the alias command to alter the reply to the internal hosts.

This comes into play when you have what is typically called a "split-brain" DNS. The external DNS can only resolve hosts which are accessible from the outside. The internal DNS forwards to the external for name resolution of externally accessible hosts. Since the DNS resolution yields an externally reachable address, you would use the alias to make sure that the internal hosts use the internal IP while the external hosts use the external IP.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Odette II
Sent: Tuesday, April 09, 2002 8:38 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]

Kent-

What if you have your DNS Server(s) (resolving Public addresses for the Web/Mail/Etc.), your Web Server, and Mail Server on the inside of the PIX with all of them running RFC1918 addresses, and you want both inside and outside sourced traffic (Any Any) to reach the Web or Mail Server? Is the Alias command used for the inside hosts to reach the servers when resolving to the Public Addresses only?? Forgive my ignorance... I'm just catching back up on my PIX studies, and see where the above scenario comes into play on a regular basis for small/medium networks where the Business/Organization hosts their own DNS and has their ISP provide Secondary DNS for them.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kent Hundley
Sent: Tuesday, April 09, 2002 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]

Robert,

Ok, I'm more confused than before. :-) You say "I do want any outside host to access the web server" and then you say "So, I do want everyone to access the web server at ip address xxx.yyy.115.190"; these seem like contradictory statements to me unless you're saying you want only _internal_ hosts to access the web server, but use its external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server? Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server? It appears that it is on the outside of the PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web server by its internal IP address? I don't see why that would be the case. Using the alias command, the DNS replies would be "doctored" so that the web server's IP would appear to internal clients as 172.20.21.241 and they should just go directly to that address without having to go to the PIX. (This assumes the DNS is on the external interface of the PIX and the web server's DNS resolves to xxx.yyy.115.190.)

If you want an external host to access the web server, you're going to have to modify your conduit statement(s).

Regards,
Kent

-----Original Message-----
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]

Please don't think I'm being argumentative, I'm trying to explain the configuration I have and what I'm trying to accomplish. This is coming from my understanding and concept, which I am starting to think is way off base. What really throws me is that this configuration is working at another site and at this site with my PIX 506 running Ver 5.1, just not with their PIX running Ver 4.1.4. Maybe that's my problem, I saw this type of a configuration first and just assumed it's the norm, when in fact it may be a kludge.

Now to answer your questions. I do want any outside host to access the web server. The public address for the web server is xxx.yyy.115.190. When someone does a DNS lookup for the www.domainname it resolves to xxx.yyy.115.190. Therefore the host goes to xxx.yyy.115.190. While the domainname has a public address of xxx.yyy.115.190 the actual IP address of the server is 172.20.21.241. That's where the static and conduit commands come in to play. The PIX accepts the address of xxx.yyy.115.190 (because of the static statement) and sends it to 172.20.2
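An added example, not from Kent or the thread, showing in Python what the DNS "doctoring" Kent describes does to a reply: an A record that carries the alias's foreign (outside) address is rewritten to the dnat (inside) address before the reply reaches an inside client, so inside hosts go to 172.20.21.241 directly. The thread masks the public prefix as xxx.yyy.115.190; the stand-in 203.0.113.190, the query name and the hand-built DNS message are my constructions.

```python
"""Added example (not PIX code): model of PIX 'alias' DNS reply rewriting.
Syntax from the thread:  alias (inside) DNAT_IP FOREIGN_IP [NETMASK]"""
import ipaddress
import struct

# Constructed stand-in for the thread's "alias (inside) 172.20.21.241 xxx.yyy.115.190 ..."
ALIAS_LINE = "alias (inside) 172.20.21.241 203.0.113.190 255.255.255.255"


def parse_alias(line):
    """'alias (IF) DNAT_IP FOREIGN_IP [MASK]' -> (dnat address, foreign network)."""
    t = line.split()
    mask = t[4] if len(t) > 4 else "255.255.255.255"
    return ipaddress.IPv4Address(t[2]), ipaddress.IPv4Network(f"{t[3]}/{mask}", strict=False)


def _encode_name(name):
    """DNS label encoding: 'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"


def _skip_name(msg, i):
    """Offset just past the name at msg[i]; a 2-byte compression pointer ends a name."""
    while msg[i] != 0:
        if msg[i] & 0xC0 == 0xC0:
            return i + 2
        i += 1 + msg[i]
    return i + 1


def build_reply(qname, addrs, txid=0x1234):
    """Constructed DNS response: one question plus one A record per address."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)   # QR, RD, RA set
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN
    for a in addrs:
        msg += b"\xc0\x0c"                                            # pointer to question name
        msg += struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
    return msg


def _answer_rdata(msg):
    """Yield (rdata offset, rtype, rdlen) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    i = 12
    for _ in range(qdcount):
        i = _skip_name(msg, i) + 4                  # skip QTYPE and QCLASS
    for _ in range(ancount):
        i = _skip_name(msg, i)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
        i += 10
        yield i, rtype, rdlen
        i += rdlen


def a_records(msg):
    """The A-record addresses in a DNS message, in answer order."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off, rtype, rdlen in _answer_rdata(msg) if rtype == 1 and rdlen == 4]


def doctor_reply(msg, aliases):
    """Rewrite A records inside an alias's foreign network to the dnat address."""
    out = bytearray(msg)
    for off, rtype, rdlen in _answer_rdata(msg):
        if rtype != 1 or rdlen != 4:
            continue
        addr = ipaddress.IPv4Address(msg[off:off + 4])
        for dnat_ip, foreign in aliases:
            if addr in foreign:
                # keep the host offset so a mask wider than /32 maps a whole block
                new = int(dnat_ip) + (int(addr) - int(foreign.network_address))
                out[off:off + 4] = ipaddress.IPv4Address(new).packed
    return bytes(out)


def demo():
    """Reply from the outside DNS as an inside client would see it after the alias."""
    aliases = [parse_alias(ALIAS_LINE)]
    reply = build_reply("www.example.com", ["203.0.113.190", "203.0.113.5"])
    return a_records(doctor_reply(reply, aliases))
```

Only the record matching the alias is changed; other answers in the same reply pass through untouched, which is what lets a split-brain setup keep external-only hosts resolving to their public addresses.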
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Kent-

What if you have your DNS Server(s) (resolving Public addresses for the Web/Mail/Etc.), your Web Server, and Mail Server on the inside of the PIX with all of them running RFC1918 addresses, and you want both inside and outside sourced traffic (Any Any) to reach the Web or Mail Server? Is the Alias command used for the inside hosts to reach the servers when resolving to the Public Addresses only?? Forgive my ignorance... I'm just catching back up on my PIX studies, and see where the above scenario comes into play on a regular basis for small/medium networks where the Business/Organization hosts their own DNS and has their ISP provide Secondary DNS for them.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kent Hundley
Sent: Tuesday, April 09, 2002 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]

Robert,

Ok, I'm more confused than before. :-) You say "I do want any outside host to access the web server" and then you say "So, I do want everyone to access the web server at ip address xxx.yyy.115.190"; these seem like contradictory statements to me unless you're saying you want only _internal_ hosts to access the web server, but use its external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server? Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server? It appears that it is on the outside of the PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web server by its internal IP address? I don't see why that would be the case. Using the alias command, the DNS replies would be "doctored" so that the web server's IP would appear to internal clients as 172.20.21.241 and they should just go directly to that address without having to go to the PIX. (This assumes the DNS is on the external interface of the PIX and the web server's DNS resolves to xxx.yyy.115.190.)

If you want an external host to access the web server, you're going to have to modify your conduit statement(s).

Regards,
Kent

-----Original Message-----
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]

Please don't think I'm being argumentative, I'm trying to explain the configuration I have and what I'm trying to accomplish. This is coming from my understanding and concept, which I am starting to think is way off base. What really throws me is that this configuration is working at another site and at this site with my PIX 506 running Ver 5.1, just not with their PIX running Ver 4.1.4. Maybe that's my problem, I saw this type of a configuration first and just assumed it's the norm, when in fact it may be a kludge.

Now to answer your questions. I do want any outside host to access the web server. The public address for the web server is xxx.yyy.115.190. When someone does a DNS lookup for the www.domainname it resolves to xxx.yyy.115.190. Therefore the host goes to xxx.yyy.115.190. While the domainname has a public address of xxx.yyy.115.190 the actual IP address of the server is 172.20.21.241. That's where the static and conduit commands come in to play. The PIX accepts the address of xxx.yyy.115.190 (because of the static statement) and sends it to 172.20.21.241 (I would use the term routes it to 172.20.21.241 but I am afraid it would cause further confusion ... to me). So, I do want everyone to access the web server at ip address xxx.yyy.115.190. But that one address goes to 172.20.21.241. If I don't use the alias command then the internal hosts can not see the servers for which I have a conduit built, i.e. web and mail servers. When the internal host performs DNS on their own name they are unable to get to that server. With the alias they are able to get to the server. I'm not sure I understand why, I just know that is what's happening.

I don't know if that clarifies anything.

At 4/7/2002 06:31 PM, Kent Hundley reminisced:
> Robert,
>
> Your conduit command doesn't look right. Typically you want to allow any
> outside host to access the inside host specified in the conduit. You can
> specify 'any' by using 0.0.0.0 or 0:
>
> conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0
>
> Also, I'm not sure what you're trying to accomplish with those alias commands:
>
> alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
>
> You're telling the PIX to translate dst address 172.20.21.241 to
> xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
> back to the same inside address? Typically the internal hosts would just go
> directly to the 172.20.21.241 address withou
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Robert,

Ok, I'm more confused than before. :-) You say "I do want any outside host to access the web server" and then you say "So, I do want everyone to access the web server at ip address xxx.yyy.115.190"; these seem like contradictory statements to me unless you're saying you want only _internal_ hosts to access the web server, but use its external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server? Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server? It appears that it is on the outside of the PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web server by its internal IP address? I don't see why that would be the case. Using the alias command, the DNS replies would be "doctored" so that the web server's IP would appear to internal clients as 172.20.21.241 and they should just go directly to that address without having to go to the PIX. (This assumes the DNS is on the external interface of the PIX and the web server's DNS resolves to xxx.yyy.115.190.)

If you want an external host to access the web server, you're going to have to modify your conduit statement(s).

Regards,
Kent

-----Original Message-----
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]

Please don't think I'm being argumentative, I'm trying to explain the configuration I have and what I'm trying to accomplish. This is coming from my understanding and concept, which I am starting to think is way off base. What really throws me is that this configuration is working at another site and at this site with my PIX 506 running Ver 5.1, just not with their PIX running Ver 4.1.4. Maybe that's my problem, I saw this type of a configuration first and just assumed it's the norm, when in fact it may be a kludge.

Now to answer your questions. I do want any outside host to access the web server. The public address for the web server is xxx.yyy.115.190. When someone does a DNS lookup for the www.domainname it resolves to xxx.yyy.115.190. Therefore the host goes to xxx.yyy.115.190. While the domainname has a public address of xxx.yyy.115.190 the actual IP address of the server is 172.20.21.241. That's where the static and conduit commands come in to play. The PIX accepts the address of xxx.yyy.115.190 (because of the static statement) and sends it to 172.20.21.241 (I would use the term routes it to 172.20.21.241 but I am afraid it would cause further confusion ... to me). So, I do want everyone to access the web server at ip address xxx.yyy.115.190. But that one address goes to 172.20.21.241. If I don't use the alias command then the internal hosts can not see the servers for which I have a conduit built, i.e. web and mail servers. When the internal host performs DNS on their own name they are unable to get to that server. With the alias they are able to get to the server. I'm not sure I understand why, I just know that is what's happening.

I don't know if that clarifies anything.

At 4/7/2002 06:31 PM, Kent Hundley reminisced:
> Robert,
>
> Your conduit command doesn't look right. Typically you want to allow any
> outside host to access the inside host specified in the conduit. You can
> specify 'any' by using 0.0.0.0 or 0:
>
> conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0
>
> Also, I'm not sure what you're trying to accomplish with those alias commands:
>
> alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
>
> You're telling the PIX to translate dst address 172.20.21.241 to
> xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
> back to the same inside address? Typically the internal hosts would just go
> directly to the 172.20.21.241 address without having to go through the PIX
> in the first place.
>
> HTH,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Robert T. Repko (R Squared Consultants)
> Sent: Saturday, April 06, 2002 8:23 PM
> To: [EMAIL PROTECTED]
> Subject: Cisco PIX question, static, conduit, and alias [7:40722]
>
> I am having a problem getting to the inside Mail/Web servers from the
> outside and I can't determine why.
>
> I'm replacing an old Cisco 7000 router with a new 7206 VXR. I'm also
> reconfiguring the way their PIX was setup. The servers were configured
> with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement)
> which made them vulnerable. I am moving them to an inside address and
> building a conduit from the outside to the inside.
>
> In order to leave their old netw
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Please don't think I'm being argumentative, I'm trying to explain the configuration I have and what I'm trying to accomplish. This is coming from my understanding and concept, which I am starting to think is way off base. What really throws me is that this configuration is working at another site and at this site with my PIX 506 running Ver 5.1, just not with their PIX running Ver 4.1.4. Maybe that's my problem, I saw this type of a configuration first and just assumed it's the norm, when in fact it may be a kludge.

Now to answer your questions. I do want any outside host to access the web server. The public address for the web server is xxx.yyy.115.190. When someone does a DNS lookup for the www.domainname it resolves to xxx.yyy.115.190. Therefore the host goes to xxx.yyy.115.190. While the domainname has a public address of xxx.yyy.115.190 the actual IP address of the server is 172.20.21.241. That's where the static and conduit commands come into play. The PIX accepts the address of xxx.yyy.115.190 (because of the static statement) and sends it to 172.20.21.241 (I would use the term "routes it to 172.20.21.241" but I am afraid it would cause further confusion ... to me). So, I do want everyone to access the web server at IP address xxx.yyy.115.190. But that one address goes to 172.20.21.241.

If I don't use the alias command then the internal hosts cannot see the servers for which I have a conduit built, i.e. the web and mail servers. When the internal hosts perform DNS on their own name they are unable to get to that server. With the alias they are able to get to the server. I'm not sure I understand why, I just know that is what's happening.

I don't know if that clarifies anything.

At 4/7/2002 06:31 PM, Kent Hundley reminisced:
>Robert,
>
>Your conduit command doesn't look right. Typically you want to allow any outside host to access the inside host specified in the conduit. You can specify 'any' by using 0.0.0.0 or 0:
>
>conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0
>
>Also, I'm not sure what you're trying to accomplish with those alias commands:
>
>alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
>
>You're telling the PIX to translate dst address 172.20.21.241 to xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190 back to the same inside address? Typically the internal hosts would just go directly to the 172.20.21.241 address without having to go through the PIX in the first place.
>
>HTH,
>Kent
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert T. Repko (R Squared Consultants)
>Sent: Saturday, April 06, 2002 8:23 PM
>To: [EMAIL PROTECTED]
>Subject: Cisco PIX question, static, conduit, and alias [7:40722]
>
>I am having a problem getting to the inside Mail/Web servers from the outside and I can't determine why.
>
>I'm replacing an old Cisco 7000 router with a new 7206 VXR. I'm also reconfiguring the way their PIX was set up. The servers were configured with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement) which made them vulnerable. I am moving them to an inside address and building a conduit from the outside to the inside.
>
>In order to leave their old network up and running while I configured the 7206 VXR, I used my PIX 506 (Ver 5.x) for configuration purposes. I had everything configured and working. Then over the Easter holiday I configured their PIX trying to use the same statements that I had in my PIX 506. This is where I ran into problems. Since they are running such an old version (Ver 4.1.4) of the IOS I could not use the same exact commands. I'm not as familiar with the PIX 4.1.4 commands and obviously have something stated incorrectly. Below I have what I believe to be the pertinent information from both the 7206 and PIX. Can someone tell me where I went wrong? The xxx.yyy represents the same 2 octets throughout both configs. Any help greatly appreciated.
>
>Cisco 7206 VXR
>
>interface FastEthernet0/1
> description ** Firewall Connection (inside area)**
> ip address xxx.yyy.115.18 255.255.255.240 secondary
> ip address 172.20.19.3 255.255.255.0
>
>ip route 0.0.0.0 0.0.0.0 xxx.yyy.253.129              !(points to the ISP)
>ip route xxx.yyy.115.0 255.255.255.0 xxx.yyy.115.17   !(points to the PIX)
>
>Cisco PIX 4.1.4 (this is just a PIX, not a PIX 515 or 525)
>
>interface 0: ip address outside xxx.yyy.115.17 mask 255.255.255.240
>interface 1: ip address inside 172.20.19.4 mask 255.255.255.0
>
>global (outside) 1 xxx.yyy.115.14-xxx.yyy.115.14
>global (outside) 1 xxx.yyy.115.7-xxx.yyy.115.13
>
>static (in
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Robert,

Your conduit command doesn't look right. Typically you want to allow any outside host to access the inside host specified in the conduit. You can specify 'any' by using 0.0.0.0 or 0:

conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0

Also, I'm not sure what you're trying to accomplish with those alias commands:

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255

You're telling the PIX to translate dst address 172.20.21.241 to xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190 back to the same inside address? Typically the internal hosts would just go directly to the 172.20.21.241 address without having to go through the PIX in the first place.

HTH,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert T. Repko (R Squared Consultants)
Sent: Saturday, April 06, 2002 8:23 PM
To: [EMAIL PROTECTED]
Subject: Cisco PIX question, static, conduit, and alias [7:40722]

I am having a problem getting to the inside Mail/Web servers from the outside and I can't determine why.

I'm replacing an old Cisco 7000 router with a new 7206 VXR. I'm also reconfiguring the way their PIX was set up. The servers were configured with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement) which made them vulnerable. I am moving them to an inside address and building a conduit from the outside to the inside.

In order to leave their old network up and running while I configured the 7206 VXR, I used my PIX 506 (Ver 5.x) for configuration purposes. I had everything configured and working. Then over the Easter holiday I configured their PIX trying to use the same statements that I had in my PIX 506. This is where I ran into problems. Since they are running such an old version (Ver 4.1.4) of the IOS I could not use the same exact commands. I'm not as familiar with the PIX 4.1.4 commands and obviously have something stated incorrectly. Below I have what I believe to be the pertinent information from both the 7206 and PIX. Can someone tell me where I went wrong? The xxx.yyy represents the same 2 octets throughout both configs. Any help greatly appreciated.

Cisco 7206 VXR

interface FastEthernet0/1
 description ** Firewall Connection (inside area)**
 ip address xxx.yyy.115.18 255.255.255.240 secondary
 ip address 172.20.19.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 xxx.yyy.253.129              !(points to the ISP)
ip route xxx.yyy.115.0 255.255.255.0 xxx.yyy.115.17   !(points to the PIX)

Cisco PIX 4.1.4 (this is just a PIX, not a PIX 515 or 525)

interface 0: ip address outside xxx.yyy.115.17 mask 255.255.255.240
interface 1: ip address inside 172.20.19.4 mask 255.255.255.0

global (outside) 1 xxx.yyy.115.14-xxx.yyy.115.14
global (outside) 1 xxx.yyy.115.7-xxx.yyy.115.13

static (inside,outside) xxx.yyy.115.172 172.20.18.172 0 255
static (inside,outside) xxx.yyy.115.190 172.20.21.241 0 255

conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.172 110 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.190 80 tcp 172.20.21.241 255.255.255.255

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
alias (inside) 172.20.18.210 xxx.yyy.115.174 255.255.255.255
alias (inside) 172.20.18.172 xxx.yyy.115.172 255.255.255.255

route outside 0.0.0.0 0.0.0.0 xxx.yyy.115.18 1
route inside 192.168.0.0 255.255.0.0 172.20.19.3 1
route inside 172.21.0.0 255.255.0.0 172.20.19.3 1
route inside 172.20.0.0 255.255.0.0 172.20.19.3 1
route inside 172.16.0.0 255.255.0.0 172.20.19.3 1

***************************************************************************
* Robert T. Repko - R Squared Consultants         | Voice: (610) 253-2849   *
* Serving the Computing World for 20 years        | Fax: (610) 253-0725     *
* NT/UNIX/MAC Networking, Cisco Routers/Switches  | Internet: [EMAIL PROTECTED] *
* Custom Programming                              | Address: 4 Juniper Ave.  *
* NJDOE Provider ID#: 763 | SPIN: 143010681       | Easton, PA 18045        *
***************************************************************************

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40764&t=40722
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Cisco PIX question, static, conduit, and alias [7:40722]
I thought that's what I had?

conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
                         (outside address) (port)  (ip addr of host to reach / inside address)

If I'm misunderstanding could you rewrite the statement above to demonstrate what you mean. Please keep in mind this is ver 4.1.4, 'any' is not a valid part of the conduit statement, the PIX complains when I use 'any' in the command.

At 4/7/2002 12:59 AM, Daniel Cotts reminisced:
> Conduit should be outside address of local machine (xxx.yyy.115.172) then port to be reached (25 tcp) then address and subnet mask of remote hosts wishing access. any = 0.0.0.0 0.0.0.0. It could be a single address; but I'd expect to see a routable address.
>
> > -----Original Message-----
> > From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, April 06, 2002 10:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: Cisco PIX question, static, conduit, and alias [7:40722]
> >
> > I am having a problem getting to the inside Mail/Web servers from the outside and I can't determine why.
> >
> > I'm replacing an old Cisco 7000 router with a new 7206 VXR. I'm also reconfiguring the way their PIX was set up. The servers were configured with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement) which made them vulnerable. I am moving them to an inside address and building a conduit from the outside to the inside.
> >
> > In order to leave their old network up and running while I configured the 7206 VXR, I used my PIX 506 (Ver 5.x) for configuration purposes. I had everything configured and working. Then over the Easter holiday I configured their PIX trying to use the same statements that I had in my PIX 506. This is where I ran into problems. Since they are running such an old version (Ver 4.1.4) of the IOS I could not use the same exact commands. I'm not as familiar with the PIX 4.1.4 commands and obviously have something stated incorrectly. Below I have what I believe to be the pertinent information from both the 7206 and PIX. Can someone tell me where I went wrong? The xxx.yyy represents the same 2 octets throughout both configs. Any help greatly appreciated.
> >
> > Cisco 7206 VXR
> >
> > interface FastEthernet0/1
> >  description ** Firewall Connection (inside area)**
> >  ip address xxx.yyy.115.18 255.255.255.240 secondary
> >  ip address 172.20.19.3 255.255.255.0
> >
> > ip route 0.0.0.0 0.0.0.0 xxx.yyy.253.129              !(points to the ISP)
> > ip route xxx.yyy.115.0 255.255.255.0 xxx.yyy.115.17   !(points to the PIX)
> >
> > Cisco PIX 4.1.4 (this is just a PIX, not a PIX 515 or 525)
> >
> > interface 0: ip address outside xxx.yyy.115.17 mask 255.255.255.240
> > interface 1: ip address inside 172.20.19.4 mask 255.255.255.0
> >
> > global (outside) 1 xxx.yyy.115.14-xxx.yyy.115.14
> > global (outside) 1 xxx.yyy.115.7-xxx.yyy.115.13
> >
> > static (inside,outside) xxx.yyy.115.172 172.20.18.172 0 255
> > static (inside,outside) xxx.yyy.115.190 172.20.21.241 0 255
> >
> > conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
> > conduit (inside,outside) xxx.yyy.115.172 110 tcp 172.20.18.172 255.255.255.255
> > conduit (inside,outside) xxx.yyy.115.190 80 tcp 172.20.21.241 255.255.255.255
> >
> > alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
> > alias (inside) 172.20.18.210 xxx.yyy.115.174 255.255.255.255
> > alias (inside) 172.20.18.172 xxx.yyy.115.172 255.255.255.255
> >
> > route outside 0.0.0.0 0.0.0.0 xxx.yyy.115.18 1
> > route inside 192.168.0.0 255.255.0.0 172.20.19.3 1
> > route inside 172.21.0.0 255.255.0.0 172.20.19.3 1
> > route inside 172.20.0.0 255.255.0.0 172.20.19.3 1
> > route inside 172.16.0.0 255.255.0.0 172.20.19.3 1
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Conduit should be outside address of local machine (xxx.yyy.115.172) then port to be reached (25 tcp) then address and subnet mask of remote hosts wishing access. any = 0.0.0.0 0.0.0.0. It could be a single address; but I'd expect to see a routable address.

> -----Original Message-----
> From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, April 06, 2002 10:23 PM
> To: [EMAIL PROTECTED]
> Subject: Cisco PIX question, static, conduit, and alias [7:40722]
>
> I am having a problem getting to the inside Mail/Web servers from the outside and I can't determine why.
>
> I'm replacing an old Cisco 7000 router with a new 7206 VXR. I'm also reconfiguring the way their PIX was set up. The servers were configured with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement) which made them vulnerable. I am moving them to an inside address and building a conduit from the outside to the inside.
>
> In order to leave their old network up and running while I configured the 7206 VXR, I used my PIX 506 (Ver 5.x) for configuration purposes. I had everything configured and working. Then over the Easter holiday I configured their PIX trying to use the same statements that I had in my PIX 506. This is where I ran into problems. Since they are running such an old version (Ver 4.1.4) of the IOS I could not use the same exact commands. I'm not as familiar with the PIX 4.1.4 commands and obviously have something stated incorrectly. Below I have what I believe to be the pertinent information from both the 7206 and PIX. Can someone tell me where I went wrong? The xxx.yyy represents the same 2 octets throughout both configs. Any help greatly appreciated.
>
> Cisco 7206 VXR
>
> interface FastEthernet0/1
>  description ** Firewall Connection (inside area)**
>  ip address xxx.yyy.115.18 255.255.255.240 secondary
>  ip address 172.20.19.3 255.255.255.0
>
> ip route 0.0.0.0 0.0.0.0 xxx.yyy.253.129              !(points to the ISP)
> ip route xxx.yyy.115.0 255.255.255.0 xxx.yyy.115.17   !(points to the PIX)
>
> Cisco PIX 4.1.4 (this is just a PIX, not a PIX 515 or 525)
>
> interface 0: ip address outside xxx.yyy.115.17 mask 255.255.255.240
> interface 1: ip address inside 172.20.19.4 mask 255.255.255.0
>
> global (outside) 1 xxx.yyy.115.14-xxx.yyy.115.14
> global (outside) 1 xxx.yyy.115.7-xxx.yyy.115.13
>
> static (inside,outside) xxx.yyy.115.172 172.20.18.172 0 255
> static (inside,outside) xxx.yyy.115.190 172.20.21.241 0 255
>
> conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
> conduit (inside,outside) xxx.yyy.115.172 110 tcp 172.20.18.172 255.255.255.255
> conduit (inside,outside) xxx.yyy.115.190 80 tcp 172.20.21.241 255.255.255.255
>
> alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
> alias (inside) 172.20.18.210 xxx.yyy.115.174 255.255.255.255
> alias (inside) 172.20.18.172 xxx.yyy.115.172 255.255.255.255
>
> route outside 0.0.0.0 0.0.0.0 xxx.yyy.115.18 1
> route inside 192.168.0.0 255.255.0.0 172.20.19.3 1
> route inside 172.21.0.0 255.255.0.0 172.20.19.3 1
> route inside 172.20.0.0 255.255.0.0 172.20.19.3 1
> route inside 172.16.0.0 255.255.0.0 172.20.19.3 1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40725&t=40722
Cisco PIX question, static, conduit, and alias [7:40722]
I am having a problem getting to the inside Mail/Web servers from the outside and I can't determine why.

I'm replacing an old Cisco 7000 router with a new 7206 VXR. I'm also reconfiguring the way their PIX was set up. The servers were configured with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement) which made them vulnerable. I am moving them to an inside address and building a conduit from the outside to the inside.

In order to leave their old network up and running while I configured the 7206 VXR, I used my PIX 506 (Ver 5.x) for configuration purposes. I had everything configured and working. Then over the Easter holiday I configured their PIX trying to use the same statements that I had in my PIX 506. This is where I ran into problems. Since they are running such an old version (Ver 4.1.4) of the IOS I could not use the same exact commands. I'm not as familiar with the PIX 4.1.4 commands and obviously have something stated incorrectly. Below I have what I believe to be the pertinent information from both the 7206 and PIX. Can someone tell me where I went wrong? The xxx.yyy represents the same 2 octets throughout both configs. Any help greatly appreciated.

Cisco 7206 VXR

interface FastEthernet0/1
 description ** Firewall Connection (inside area)**
 ip address xxx.yyy.115.18 255.255.255.240 secondary
 ip address 172.20.19.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 xxx.yyy.253.129              !(points to the ISP)
ip route xxx.yyy.115.0 255.255.255.0 xxx.yyy.115.17   !(points to the PIX)

Cisco PIX 4.1.4 (this is just a PIX, not a PIX 515 or 525)

interface 0: ip address outside xxx.yyy.115.17 mask 255.255.255.240
interface 1: ip address inside 172.20.19.4 mask 255.255.255.0

global (outside) 1 xxx.yyy.115.14-xxx.yyy.115.14
global (outside) 1 xxx.yyy.115.7-xxx.yyy.115.13

static (inside,outside) xxx.yyy.115.172 172.20.18.172 0 255
static (inside,outside) xxx.yyy.115.190 172.20.21.241 0 255

conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.172 110 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.190 80 tcp 172.20.21.241 255.255.255.255

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
alias (inside) 172.20.18.210 xxx.yyy.115.174 255.255.255.255
alias (inside) 172.20.18.172 xxx.yyy.115.172 255.255.255.255

route outside 0.0.0.0 0.0.0.0 xxx.yyy.115.18 1
route inside 192.168.0.0 255.255.0.0 172.20.19.3 1
route inside 172.21.0.0 255.255.0.0 172.20.19.3 1
route inside 172.20.0.0 255.255.0.0 172.20.19.3 1
route inside 172.16.0.0 255.255.0.0 172.20.19.3 1

***************************************************************************
* Robert T. Repko - R Squared Consultants         | Voice: (610) 253-2849   *
* Serving the Computing World for 20 years        | Fax: (610) 253-0725     *
* NT/UNIX/MAC Networking, Cisco Routers/Switches  | Internet: [EMAIL PROTECTED] *
* Custom Programming                              | Address: 4 Juniper Ave.  *
* NJDOE Provider ID#: 763 | SPIN: 143010681       | Easton, PA 18045        *
***************************************************************************

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40722&t=40722
FW: PIX Question !!! [7:40465]
Don't you have to place the inside IP address on the outside interface? I think you have it reversed:

ip address inside 192.168.2.14 255.255.255.248
ip address outside 216.6.24.129 255.255.255.192

then

nat (inside) 0 192.168.2.14 255.255.255.0 0 0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Avi
Sent: Thursday, April 04, 2002 9:01 AM
To: [EMAIL PROTECTED]
Subject: PIX Question !!! [7:40465]

Hi,

I am facing a problem on PIX 515 as described below.

Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:

   H - 216.6.24.130 255.255.255.192
   |   Public Accessed Servers (216.6.24.0 - Public addresses)
   |
   | - 216.6.24.129 255.255.255.192
  PIX
   | - 192.168.2.14 /30
   |
   | - 192.168.2.13 /30
   R
   | - 192.168.2.6 /30
   |
   | - 192.168.2.5 /30
   R (ISP Router)
   |
   |
 Proxy Server
 192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable traps
telnet 216.6.24.16 255.255.255.255
telnet timeout 15
terminal width 80

PROBLEM

My problem is from host 216.6.24.130 I can ping the inside interface of the PIX, but I can't ping the outside interface of the PIX nor the internal router. Also I am not able to ping the proxy server. Sitting on the PIX I am able to ping inside as well as outside, even the proxy server. Also outside hosts are able to reach the host 216.6.24.130.

Can someone please throw some light on this as to where I am going wrong or I am missing some command. Your kind help will be appreciated a lot.

Thanks & Regards,
Avi.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40503&t=40465
RE: PIX Question !!! [7:40465]
Avi,

You have a few things in your config that look strange:

1) static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255

This creates a static with the outside address of 192.168.2.13, which you indicate is your router's IP address, and an inside address of 216.6.24.129, which you indicate is your inside PIX interface. This makes no sense. A static translation is used to create a new address on the outside that is not currently in use by any device to map to an inside end device, such as a server. I don't understand what you are trying to do with this command and this may be the cause of your problem.

2) route inside 0.0.0.0 0.0.0.0 216.6.24.129 1

You are pointing the PIX's inside default route to its own interface? I don't see what you are trying to accomplish by doing this; if there is no inside router you should just leave off the route inside command.

3) You say outside hosts are able to reach 216.6.24.130, do you mean they are able to ping the host? If the outside hosts can ping the inside host, the inside host should be able to ping the outside hosts since you have a conduit permit icmp any in your config. If the .130 host is a Unix box, sometimes they try to resolve names during ping, so it may be that your ping is failing because name lookups are failing. Just a guess.

It looks like something is not correct with your static command, so I would fix that first. Also, you are running a very old version of code at 4.4, you are 2 major releases behind, so there may also be some weird bug present in this code rev. I would strongly consider upgrading the code to current levels.

HTH,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Avi
Sent: Thursday, April 04, 2002 9:01 AM
To: [EMAIL PROTECTED]
Subject: PIX Question !!! [7:40465]

Hi,

I am facing a problem on PIX 515 as described below.

Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:

   H - 216.6.24.130 255.255.255.192
   |   Public Accessed Servers (216.6.24.0 - Public addresses)
   |
   | - 216.6.24.129 255.255.255.192
  PIX
   | - 192.168.2.14 /30
   |
   | - 192.168.2.13 /30
   R
   | - 192.168.2.6 /30
   |
   | - 192.168.2.5 /30
   R (ISP Router)
   |
   |
 Proxy Server
 192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable trap
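The conduit mistake Daniel and Kent point out in the static/conduit/alias thread above (the foreign-host field holding the inside address instead of the remote hosts) and the three problems Kent lists in Avi's config here can all be caught mechanically. What follows is an added example, not code from the list or from Cisco: a small Python linter that parses the static, conduit (both the 4.1 positional form and the 4.4 "permit" form), nat 0, route and ip address lines and flags those patterns. The check names are mine, and the sample configs are constructed from the ones posted in the two threads, with the masked xxx.yyy prefix replaced by 192.0.2.

```python
import ipaddress

ANY = "0.0.0.0"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _spec(t, i):
    """Read one address spec of the 'conduit permit' form (any | host A | A MASK)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i], i + 2


def parse_pix(text):
    """Collect the statements the linter needs from PIX 4.x config text."""
    cfg = {"ifaces": {}, "nat0": [], "statics": [], "conduits": [], "routes": []}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 5:
            continue
        if t[0] == "ip" and t[1] == "address":           # ip address <if> <addr> [mask] <mask>
            mask = t[5] if t[4] == "mask" else t[4]
            cfg["ifaces"][t[2]] = (t[3], ipaddress.ip_network(f"{t[3]}/{mask}", strict=False))
        elif t[0] == "nat" and t[2] == "0":               # nat (inside) 0 <net> <mask> ...
            cfg["nat0"].append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[0] == "static":                            # static (in,out) <global> <local> ...
            cfg["statics"].append((t[2], t[3]))
        elif t[0] == "conduit" and t[1].startswith("("):  # 4.1 form: conduit (in,out) G port proto F mask
            cfg["conduits"].append((t[2], ANY if t[5] == "0" else t[5]))
        elif t[0] == "conduit" and t[1] == "permit":      # 4.4 form: conduit permit proto G [eq p] F [eq p]
            g, i = _spec(t, 3)
            if t[i] == "eq":                              # skip the global side's port operator
                i += 2
            cfg["conduits"].append((g, _spec(t, i)[0]))
        elif t[0] == "route":                             # route <if> <net> <mask> <gw> [metric]
            cfg["routes"].append((t[1], t[4]))
    return cfg


def lint_pix(text):
    """Return (code, message) findings for the mistakes discussed in the two threads."""
    cfg = parse_pix(text)
    iface_addrs = {addr for addr, _ in cfg["ifaces"].values()}
    inside_net = cfg["ifaces"].get("inside", (None, None))[1]
    static_globals = {g for g, _ in cfg["statics"]}
    static_locals = {l for _, l in cfg["statics"]}
    outside_gws = {gw for ifc, gw in cfg["routes"] if ifc == "outside"}
    findings = []
    # Avi's static: global side is the outside router, local side is the PIX's own inside address.
    for g, l in cfg["statics"]:
        if g in outside_gws:
            findings.append(("STATIC_GLOBAL_IS_GATEWAY", f"static {g} -> {l}: global side is the outside next hop"))
        if l in iface_addrs:
            findings.append(("STATIC_LOCAL_IS_INTERFACE", f"static {g} -> {l}: local side is a PIX interface"))
    # Avi's 'route inside 0.0.0.0 0.0.0.0 216.6.24.129': a default route pointed at the PIX itself.
    for ifc, gw in cfg["routes"]:
        if ifc in cfg["ifaces"] and gw == cfg["ifaces"][ifc][0]:
            findings.append(("ROUTE_VIA_OWN_INTERFACE", f"route {ifc} via {gw}: next hop is the PIX's own address"))
    # Robert's conduits: the foreign-host field held the inside address instead of the remote hosts.
    for g, f in cfg["conduits"]:
        fa = ipaddress.ip_address(f)
        if f in static_locals or any(fa in n for n in RFC1918) or (inside_net and fa in inside_net):
            findings.append(("CONDUIT_FOREIGN_IS_INSIDE", f"conduit for {g}: foreign field {f} is inside; any = 0.0.0.0 0.0.0.0"))
        ga = ipaddress.ip_address(g)
        if g != ANY and g not in static_globals and g not in iface_addrs and not any(ga in n for n in cfg["nat0"]):
            findings.append(("CONDUIT_GLOBAL_NOT_TRANSLATED", f"conduit for {g}: no static or nat 0 covers this address"))
    return findings


# Constructed sample modelled on the 4.1.4 config in the static/conduit/alias thread,
# with the masked xxx.yyy prefix replaced by the documentation prefix 192.0.2.
ROBERT_CFG = """\
ip address outside 192.0.2.17 mask 255.255.255.240
ip address inside 172.20.19.4 mask 255.255.255.0
static (inside,outside) 192.0.2.172 172.20.18.172 0 255
static (inside,outside) 192.0.2.190 172.20.21.241 0 255
conduit (inside,outside) 192.0.2.172 25 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) 192.0.2.172 110 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) 192.0.2.190 80 tcp 172.20.21.241 255.255.255.255
route outside 0.0.0.0 0.0.0.0 192.0.2.18 1
"""
# Kent's correction applied: the foreign field becomes "0 0" (any outside host).
ROBERT_FIXED = ROBERT_CFG.replace("172.20.18.172 255.255.255.255", "0 0").replace("172.20.21.241 255.255.255.255", "0 0")
# Constructed subset of the 4.4(7) config posted in the "PIX Question !!!" thread.
AVI_CFG = """\
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 192.118.52.54 eq www any
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
"""
```

Calling lint_pix(ROBERT_CFG) reports the three conduits, lint_pix(ROBERT_FIXED) reports nothing, and lint_pix(AVI_CFG) reports the static twice, the inside default route, and the conduits whose first field is the proxy server's address, which no static or nat 0 makes reachable.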
RE: PIX Question !!! [7:40465]
In problems like this you have to enable "debug icmp trace" to help you resolve the issue, rather than guessing what you missed.

What is this statement supposed to do:

static (inside,outside) 192.168.2.13 216.6.24.129
ip address inside 216.6.24.129 255.255.255.192
route outside 0.0.0.0 0.0.0.0 192.168.2.13

You want the IP address of the inside interface to look like the outside router??? I would use "clear static" and "clear xlate"...

You'll never be able to ping the 192.168.2.14 IP from the 216.6.24.130 host, but you should be able to ping .13.

--
Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Avi
Sent: Thursday, April 04, 2002 11:01 AM
To: [EMAIL PROTECTED]
Subject: PIX Question !!! [7:40465]

Hi,

I am facing a problem on PIX 515 as described below.

Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:

   H - 216.6.24.130 255.255.255.192
   |   Public Accessed Servers (216.6.24.0 - Public addresses)
   |
   | - 216.6.24.129 255.255.255.192
  PIX
   | - 192.168.2.14 /30
   |
   | - 192.168.2.13 /30
   R
   | - 192.168.2.6 /30
   |
   | - 192.168.2.5 /30
   R (ISP Router)
   |
   |
 Proxy Server
 192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable traps
telnet 216.6.24.16 255.255.255.255
telnet timeout 15
terminal width 80

PROBLEM

My problem is from host 216.6.24.130 I can ping the inside interface of the PIX, but I can't ping the outside interface of the PIX nor the internal router. Also I am not able to ping the proxy server. Sitting on the PIX I am able to ping inside as well as outside, even the proxy server. Also outside hosts are able to reach the host 216.6.24.130.

Can someone please throw some light on this as to where I am going wrong or I am missing some command. Your kind help will be appreciated a lot.

Thanks & Regards,
Avi.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40522&t=40465
PIX Question !!! [7:40465]
Hi,

I am facing a problem on a PIX 515 as described below.

Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:

   H   216.6.24.130 255.255.255.192
   |
   |   Public Accessed Servers (216.6.24.0 - public addresses)
   |
   |   216.6.24.129 255.255.255.192
  PIX
   |   192.168.2.14 /30
   |
   |   192.168.2.13 /30
   R
   |   192.168.2.6 /30
   |
   |   192.168.2.5 /30
   R   (ISP Router)
   |
   |   Proxy Server
   |   192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable traps
telnet 216.6.24.16 255.255.255.255
telnet timeout 15
terminal width 80

PROBLEM

My problem is: from host 216.6.24.130 I can ping the inside interface of the PIX, but I can't ping the outside interface of the PIX nor the internal router. Also I am not able to ping the proxy server. Sitting on the PIX I am able to ping inside as well as outside, even the proxy server. Also outside hosts are able to reach the host 216.6.24.130.

Can someone please throw some light on this as to where I am going wrong or am missing some command. Your kind help will be appreciated a lot.

Thanks & Regards,
Avi.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40465&t=40465
RE: pix question [7:39560]
show access-l

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 7:05 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:39560]

What's the equivalent of show access-list on the PIX?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39635&t=39560
RE: pix question [7:39560]
George,

In current versions, it's "show access-list". :-)

pix# sh ver
Cisco Secure PIX Firewall Version 6.0(1)
PIX Device Manager Version 1.0(1)

pix# sh access-list
access-list 1 permit icmp any any (hitcnt=27)
access-list 1 permit ip any host 172.16.1.55 (hitcnt=0)
access-list 1 permit ip any host 172.16.1.60 (hitcnt=16)
access-list 1 permit tcp host 172.16.1.2 host 10.1.1.3 eq bgp (hitcnt=1)
pix#

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 5:05 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:39560]

What's the equivalent of show access-list on the PIX?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39620&t=39560
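The hitcnt column in Kent's output is the thing to read when an access list seems not to be doing anything. As an added example (not part of Kent's post and not a Cisco tool), here is a small Python parser for that `show access-list` format that flags permit lines with zero hits and any-to-any permits; the sample output is copied from the reply above and is not a live capture.

```python
import re

# One ACE line of classic PIX `show access-list` output, e.g.
#   access-list 1 permit ip any host 172.16.1.55 (hitcnt=0)
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<match>.*?) \(hitcnt=(?P<hits>\d+)\)$"
)

# Sample output taken from Kent's reply above (constructed sample, not a capture).
SAMPLE_OUTPUT = """\
pix# sh access-list
access-list 1 permit icmp any any (hitcnt=27)
access-list 1 permit ip any host 172.16.1.55 (hitcnt=0)
access-list 1 permit ip any host 172.16.1.60 (hitcnt=16)
access-list 1 permit tcp host 172.16.1.2 host 10.1.1.3 eq bgp (hitcnt=1)
pix#
"""


def parse_access_list(text):
    """Return one dict per ACE; prompt lines and anything unparseable are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            ace = m.groupdict()
            ace["hits"] = int(ace["hits"])
            entries.append(ace)
    return entries


def unused_permits(entries):
    """Permit ACEs with hitcnt=0: either never reached (ACL applied on the wrong
    interface, or shadowed by an earlier line) or simply dead and worth reviewing."""
    return [e for e in entries if e["action"] == "permit" and e["hits"] == 0]


def any_to_any_permits(entries):
    """Permit ACEs whose source and destination are both `any`: the broadest
    lines in the list and the first to look at when tightening it."""
    hits = []
    for e in entries:
        parts = e["match"].split()
        if e["action"] == "permit" and parts[:2] == ["any", "any"]:
            hits.append(e)
    return hits


def summarize(text):
    """Totals a reviewer wants at a glance for one `show access-list` dump."""
    entries = parse_access_list(text)
    return {
        "entries": len(entries),
        "total_hits": sum(e["hits"] for e in entries),
        "unused": [e["match"] for e in unused_permits(entries)],
        "any_to_any": [f'{e["proto"]} {e["match"]}' for e in any_to_any_permits(entries)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```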
RE: pix question [7:39560]
That would be:

show access-list

You might also want to do:

show conduit
show sysopt

Hth,

Ole

~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~
http://www.RouterChief.com
~
Need a Job?
http://www.OleDrews.com/job
~

-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 7:05 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:39560]

What's the equivalent of show access-list on the PIX?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39612&t=39560
RE: pix question [7:39560]
show access-list(s)

-Original Message-
From: george gittins
To: [EMAIL PROTECTED]
Sent: 27/03/02 13:05
Subject: pix question [7:39560]

What's the equivalent of show access-list on the PIX?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39604&t=39560
pix question [7:39560]
What's the equivalent of show access-list on the PIX?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39560&t=39560
Re: PIX Question [7:37893]
Or:

static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0

to treat the two networks, DMZ and inside zone, in routing mode...

"Gaz" wrote in message news:[EMAIL PROTECTED]...
> static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
>
>
> Gaz
>
> "Ali, Abbas" wrote in message
> news:[EMAIL PROTECTED]...
> > I have just installed a PIX firewall with three interfaces. The Inside
> > network is 192.168.1.0 and the DMZ network is 192.168.2.0.
> >
> > There are a few webservers on a dmz network that need to have access to
> > all the servers on the inside network. Technically I am going to have to
> > statically map each server on the inside network to an unused address on
> > the dmz network and then open the conduit permission.
> >
> > For example, I have an NT server running on 192.168.1.12. In order for
> > the webserver to connect to this box I will have to
> >
> > static (inside,dmz) 192.168.2.12 192.168.1.12 netmask 255.255.255.255
> > conduit permit tcp host 192.168.2.12 host any or 192.168.1.12.
> >
> > It will be very tedious and I will waste so many addresses on a dmz network
> > in order to create a mapping entry for all the servers on the inside network.
> >
> >
> > Is there any smaller way of doing it? Can I map the whole dmz network to
> > the inside network instead of mapping each unused address to an inside address?
> >
> > Abbas Ali, AVVID, CCDP, CCNP, MCSE
> > Network Engineer II
> > NextiraOne, LLC
> > Tel: 714.428.3367
> > Pager: 714.748.4817
> > Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37916&t=37893
Re: PIX Question [7:37893]
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Gaz

"Ali, Abbas" wrote in message news:[EMAIL PROTECTED]...
> I have just installed a PIX firewall with three interfaces. The Inside
> network is 192.168.1.0 and the DMZ network is 192.168.2.0.
>
> There are a few webservers on a dmz network that need to have access to
> all the servers on the inside network. Technically I am going to have to
> statically map each server on the inside network to an unused address on
> the dmz network and then open the conduit permission.
>
> For example, I have an NT server running on 192.168.1.12. In order for
> the webserver to connect to this box I will have to
>
> static (inside,dmz) 192.168.2.12 192.168.1.12 netmask 255.255.255.255
> conduit permit tcp host 192.168.2.12 host any or 192.168.1.12.
>
> It will be very tedious and I will waste so many addresses on a dmz network
> in order to create a mapping entry for all the servers on the inside network.
>
>
> Is there any smaller way of doing it? Can I map the whole dmz network to
> the inside network instead of mapping each unused address to an inside address?
>
> Abbas Ali, AVVID, CCDP, CCNP, MCSE
> Network Engineer II
> NextiraOne, LLC
> Tel: 714.428.3367
> Pager: 714.748.4817
> Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37895&t=37893
PIX Question [7:37893]
I have just installed a PIX firewall with three interfaces. The Inside network is 192.168.1.0 and the DMZ network is 192.168.2.0.

There are a few webservers on a dmz network that need to have access to all the servers on the inside network. Technically I am going to have to statically map each server on the inside network to an unused address on the dmz network and then open the conduit permission.

For example, I have an NT server running on 192.168.1.12. In order for the webserver to connect to this box I will have to

static (inside,dmz) 192.168.2.12 192.168.1.12 netmask 255.255.255.255
conduit permit tcp host 192.168.2.12 host any or 192.168.1.12.

It will be very tedious and I will waste so many addresses on a dmz network in order to create a mapping entry for all the servers on the inside network.

Is there any smaller way of doing it? Can I map the whole dmz network to the inside network instead of mapping each unused address to an inside address?

Abbas Ali, AVVID, CCDP, CCNP, MCSE
Network Engineer II
NextiraOne, LLC
Tel: 714.428.3367
Pager: 714.748.4817
Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37893&t=37893
FW: pix question [7:36500]
thanks for the info

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roberts, Larry
Sent: Tuesday, February 26, 2002 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: pix question [7:36500]

Oops, typo alert.

The Global statement should read:

Global (outside) # a.b.c.d netmask 255.255.255.0

Thanks

Larry

-Original Message-
From: Roberts, Larry
Sent: Tuesday, February 26, 2002 11:34 AM
To: 'george gittins'; [EMAIL PROTECTED]
Subject: RE: pix question [7:36500]

Well, if I understand your question correctly, you want to have a specific subnet always get the same external address?

Nat (inside) # 10.20.30.0 255.255.255.0
Global (outside) # a.b.c.d 255.255.255.0

# = unique number that is not used already on your PIX. Most people use 1 as the first group. Just pick a number that is unique and apply it to both the NAT statement for the inside addresses and the Global outside address that they get. That is how the NAT is associated with the specific global statement.

a.b.c.d is your outside address that they always get.

10.20.30.0 255.255.255.0 is the inside network(s) that get translated.

If you want to add multiple internal networks to that specific global address, then you only need to add additional NAT statements using the same unique identifier (#).

Thanks

Larry

-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 10:41 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:36500]

I have a pool of IP addresses I'm assigning as they leave my internal network. Is there a way I can assign a specific global IP address to inside networks?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36539&t=36500
RE: pix question [7:36500]
Oops, typo alert.

The Global statement should read:

Global (outside) # a.b.c.d netmask 255.255.255.0

Thanks

Larry

-Original Message-
From: Roberts, Larry
Sent: Tuesday, February 26, 2002 11:34 AM
To: 'george gittins'; [EMAIL PROTECTED]
Subject: RE: pix question [7:36500]

Well, if I understand your question correctly, you want to have a specific subnet always get the same external address?

Nat (inside) # 10.20.30.0 255.255.255.0
Global (outside) # a.b.c.d 255.255.255.0

# = unique number that is not used already on your PIX. Most people use 1 as the first group. Just pick a number that is unique and apply it to both the NAT statement for the inside addresses and the Global outside address that they get. That is how the NAT is associated with the specific global statement.

a.b.c.d is your outside address that they always get.

10.20.30.0 255.255.255.0 is the inside network(s) that get translated.

If you want to add multiple internal networks to that specific global address, then you only need to add additional NAT statements using the same unique identifier (#).

Thanks

Larry

-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 10:41 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:36500]

I have a pool of IP addresses I'm assigning as they leave my internal network. Is there a way I can assign a specific global IP address to inside networks?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36508&t=36500
RE: pix question [7:36500]
Well, if I understand your question correctly, you want to have a specific subnet always get the same external address?

Nat (inside) # 10.20.30.0 255.255.255.0
Global (outside) # a.b.c.d 255.255.255.0

# = unique number that is not used already on your PIX. Most people use 1 as the first group. Just pick a number that is unique and apply it to both the NAT statement for the inside addresses and the Global outside address that they get. That is how the NAT is associated with the specific global statement.

a.b.c.d is your outside address that they always get.

10.20.30.0 255.255.255.0 is the inside network(s) that get translated.

If you want to add multiple internal networks to that specific global address, then you only need to add additional NAT statements using the same unique identifier (#).

Thanks

Larry

-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 10:41 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:36500]

I have a pool of IP addresses I'm assigning as they leave my internal network. Is there a way I can assign a specific global IP address to inside networks?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36507&t=36500
RE: pix question [7:36500]
Yes, you can use globally routable IP addresses on the inside interface. Either use

nat (inside) 0 ip address netmask

or do a

static (inside,outside) ip address same ip address netmask

> -Original Message-
> From: george gittins [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 26, 2002 9:41 AM
> To: [EMAIL PROTECTED]
> Subject: pix question [7:36500]
>
>
> I have a pool of IP addresses I'm assigning as they leave my
> internal network.
> Is there a way I can assign a specific global IP address to
> inside networks?
>
> George Gittins
> Internet Systems Manager
> Weslaco, Tx 78599
> Phone (956)9696557

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36503&t=36500
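As an added example (not code from any of the posters), a small Python model of the three translation constructs these two threads touch: Larry's nat/global pair matched by nat_id, the nat 0 and identity static in the reply above, and the net-to-net static suggested to Abbas in [7:37893]. It parses constructed sample lines (203.0.113.5 stands in for Larry's a.b.c.d) and answers which address an inside host shows on a given interface; the evaluation order is a simplification assumed for the example, not a PIX specification.

```python
import ipaddress
import re

# Recognisers for the three translation constructs discussed in the thread;
# case-insensitive so "Nat"/"Global" as typed in Larry's reply parse too.
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)", re.I)
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)(?: netmask (\S+))?$", re.I)
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)(?: netmask (\S+))?", re.I)

# Constructed sample: Larry's nat/global pair (203.0.113.5 stands in for his
# a.b.c.d), a nat 0 for the public block in Avi's config, and the net-to-net
# identity static suggested to Abbas.
SAMPLE_CONFIG = """\
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
Nat (inside) 1 10.20.30.0 255.255.255.0
Global (outside) 1 203.0.113.5 netmask 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
"""


def parse(config_text):
    """Collect nat/global/static rules; an unrecognised line raises ValueError."""
    net = lambda ip, mask: ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    rules = {"nat": [], "global": [], "static": []}
    for line in filter(None, map(str.strip, config_text.splitlines())):
        if m := NAT_RE.match(line):
            ifname, nat_id, ip, mask = m.groups()
            rules["nat"].append((ifname, int(nat_id), net(ip, mask)))
        elif m := GLOBAL_RE.match(line):
            ifname, nat_id, ip, _mask = m.groups()
            rules["global"].append((ifname, int(nat_id), ip))
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            mask = mask or "255.255.255.255"
            rules["static"].append((real_if, mapped_if, net(mapped, mask), net(real, mask)))
        else:
            # "Global (outside) 1 a.b.c.d 255.255.255.0" lands here: without the
            # netmask keyword the line is malformed, the typo Larry corrected above.
            raise ValueError(f"unrecognised or malformed line: {line!r}")
    return rules


def lint(config_text):
    """Malformed lines, collected instead of raised, for a quick config review."""
    errors = []
    for line in config_text.splitlines():
        try:
            parse(line)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def translate(rules, real_if, mapped_if, host):
    """Address `host` (on real_if) appears as on mapped_if. Simplified order: a
    matching static wins, nat 0 means untranslated, else nat_id selects the global."""
    addr = ipaddress.ip_address(host)
    for r_if, m_if, mapped_net, real_net in rules["static"]:
        if (r_if, m_if) == (real_if, mapped_if) and addr in real_net:
            return str(mapped_net.network_address + (int(addr) - int(real_net.network_address)))
    for n_if, nat_id, net in rules["nat"]:
        if n_if == real_if and addr in net:
            if nat_id == 0:
                return str(addr)
            for g_if, g_id, g_ip in rules["global"]:
                if (g_if, g_id) == (mapped_if, nat_id):
                    return g_ip
            raise LookupError(f"nat id {nat_id} has no global on {mapped_if}")
    raise LookupError(f"no translation for {host} from {real_if} to {mapped_if}")
```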