thanks for the info
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Roberts, Larry
Sent: Tuesday, February 26, 2002 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: pix question [7:36500]
Oops, typo alert.
The Global statement should read:
Global (outside
kevin,
my bad. I got that all messed up! I didn't know if 6.2 came out yet, but I am
interested in it only using the 100tx is that what the ldss is?
thanks for clearing up my mess,
ipguru
BASSOLE Rock wrote:
Hi group,
I want to know what is Long Distance State Sharing (LDSS) and for
Hi group,
I want to know what is Long Distance State Sharing (LDSS) and for what
reason it's supported by the stateful failover?
Also why the PIX does not transfer HTTP (port 80) session in stateful
failover?
Thank you.
Rock .
I'm guessing that Long Distance State Sharing is the use of firewalls with
stateful failover which are separated by a long distance.
As you may or may not know, the Pix Failover cable limits the distance
between Pix's at the moment (unless something's changed recently). Can't
remember how long it
I didn't realize it didn't support http
I really don't think there is need for http stateful failover though...
I mean logically... with every link you can start a new session...if the
page is sitting in front of you, why keep state?
-Patrick
Gaz 02/06/02 11:27AM
I'm guessing that Long
over an Ethernet connection instead of requiring the Failover Cable.
David C Prall [EMAIL PROTECTED] http://dcp.dcptech.com
- Original Message -
From: Patrick Ramsey
To:
Sent: Wednesday, February 06, 2002 11:38 AM
Subject: Re: PIX question [7:34630]
I didn't realize it didn't
Ethernet connection instead of requiring the Failover Cable.
David C Prall [EMAIL PROTECTED] http://dcp.dcptech.com
- Original Message -
From: Patrick Ramsey
To:
Sent: Wednesday, February 06, 2002 11:38 AM
Subject: Re: PIX question [7:34630]
I didn't realize it didn't supp
[EMAIL PROTECTED] http://dcp.dcptech.com
- Original Message -
From: Patrick Ramsey
To:
Sent: Wednesday, February 06, 2002 11:38 AM
Subject: Re: PIX question [7:34630]
I didn't realize it didn't support http
I really don't think there is need for http stateful failover though...
Hi,
1) 6.2 is not out yet...we are still at 6.1(x)
2) Since pix 5.X release, Stateful failover is supported and it will
replicate TCP connection except the HTTP (port 80) connections.
3) In 6.0, Stateful failover will replicate all TCP connections
including the HTTP connections.
4) The
The recommended design for PIX is to have your Webserver in a private network
segment hanging off at the dmz port, and then statically map private IP
address to public IP address.
In this design before customer decided to have PIX for security they were
running their webserver with at least 25
to
only 56bit encryption on the 501 for IPSec (last I checked it was...). Once
again...just another change in command syntax for different encryption types
so it's good to study with.
Allen
- Original Message -
From: Brian Zeitz
To:
Sent: Wednesday, January 23, 2002 10:47 AM
Subject: Pix
1) I got a pix in test (all internal) environment (configured as
outside, inside and DMZ). Do I need to use NAT to connect to the outside
segment from inside or vice versa. Since Pix can act as a router, will
enabling routing solve this purpose without use of NAT. Applying access list
later for
Ramesh
No you don't need to config NAT, secondly to open up all ports for a host,
as a source to any where, try this acl
access-list acl_inside permit tcp host 192.10.1.1 any
For some more info have a look at the CCO
http://www.cisco.com/warp/customer/707/
cheers Pat
Ramesh c wrote in
At 08:24 AM 11/20/01 -0500, Ramesh c wrote:
1) I got a pix in test (all internal) environment (configured as
outside, inside and DMZ). Do I need to use NAT to connect to the outside
segment from inside or vice versa. Since Pix can act as a router, will
enabling routing solve this purpose without use
I have many devices on the inside (most secure) interface of my PIX that I
need to allow telnet and ftp access to users from the outside (least secure)
interface of the PIX. I know that I can create a static map to the inside IP
addresses, but I don't have enough outside IP addresses to support
I've not tried it yet, but if you're using version 6.0, how about using port
re-direction - Using one IP address on the outside, but telnet to a
different port for each internal device.
static (inside,outside) tcp 192.168.124.99 3001 10.1.1.1 telnet netmask 255.255.255.255 0 0
static
I am not sure that you can specify the port numbers on that outside address,
but I will try it tomorrow. Someone also suggested that I create a telnet
server and telnet to it first and then telnet to other devices. but I did
not think it would work because I did not think the PIX would allow the
versions of PIX support port redirection, but again, I haven't confirmed
this.
Anyway, check them out.
---
Rik Guyler
-Original Message-
From: Bruce Williams [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 09, 2001 3:35 PM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:15518]
I have
OK basic PIX stuff
High to Low: use NAT and Global command
Low to High: use Static and Conduits (or ACLs)
Now... You want people to access your internal boxes using external IPs
OK
First way.. Statically assign external addresses to the internal hosts
that need to be accessed
=
-Original Message-
From: Rizzo Damian [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 5:16 PM
To: [EMAIL PROTECTED]
Subject: PIX question... [7:5248]
Hey all, is it possible to translate public IP addresses (outside) to
private IP addresses (inside) on a PIX firewall
in the direction of
internal to external.
The only reliable, secure and supported solution is a static/conduit setup.
Hope this helps
-Original Message-
From: PSIHOYIOS PANAYIOTIS [mailto:[EMAIL PROTECTED]]
Sent: 22 May 2001 11:11
To: [EMAIL PROTECTED]
Subject: RE: PIX question... [7:5248]
Hi all
idea, no matter how you do it. Anyone
who's worked with IDS at all will be able to vouch for that one.
Andras
-Original Message-
From: PSIHOYIOS PANAYIOTIS [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 22, 2001 3:11 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX question... [7:5248]
Hi all
If Life is a Game, These are the Rules:
Experience is a hard teacher.
She gives the test first and the lessons afterwards.
- Original Message -
From: Richie, Nathan
To:
Sent: Monday, May 21, 2001 5:05 PM
Subject: RE: PIX question... [7:5248]
I beg to differ. I do not believe this can
Hey all, is it possible to translate public IP addresses (outside) to
private IP addresses (inside) on a PIX firewall. Basically the exact
opposite of what's usually performed on a firewall. We are going to have
users dial in to our internet router and receive a Public IP address. They
have to
Scary, use VPN
Rizzo Damian 05/21 10:15 AM
Hey all, is it possible to translate public IP addresses (outside) to
private IP addresses (inside) on a PIX firewall. Basically the exact
opposite of what's usually performed on a firewall. We are going to have
users dial in to our internet router
Sounds like a VPN is your best bet.
Should you decide to implement the VPN, you may want to consider whether
you still need to maintain the modem pool on the Internet router. Reducing
this cost could help justify the cost of implementing a VPN solution. A
properly authenticated VPN user
:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 11:44 AM
To: Rizzo Damian
Cc: [EMAIL PROTECTED]
Subject: Re: PIX question... [7:5248]
Sounds like a VPN is your best bet.
Should you decide to implement the VPN, you may want to consider whether
you still need to maintain the modem pool on the Internet
[mailto:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 11:44 AM
To: Rizzo Damian
Cc: [EMAIL PROTECTED]
Subject: Re: PIX question... [7:5248]
Sounds like a VPN is your best bet.
Should you decide to implement the VPN, you may want to consider whether
you still need to maintain the modem pool
mapping doesn't seem to work. Probably because it requires a one-to-one
mapping no? Thanks for any help in advance!
-Rizzo
-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 1:12 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX question... [7:5248
because it requires a one-to-one
mapping no? Thanks for any help in advance!
-Rizzo
-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 1:12 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX question... [7:5248]
I'm not clear on what you're asking
addresses, and not the
private address themselves?
andras
-Original Message-
From: Rizzo Damian [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX question... [7:5248]
Actually it seems as if you understand exactly what I'm asking. Your
21, 2001 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX question... [7:5248]
Actually it seems as if you understand exactly what I'm asking. Your idea is
very similar to mine. However it didn't work unfortunately. Let me ask this
another way, if you don't mind...You have an internet
because it requires a one-to-one
mapping no? Thanks for any help in advance!
-Rizzo
-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 1:12 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX question... [7:5248]
I'm not clear on what you're
PROTECTED]
Subject: RE: PIX question... [7:5248]
OK kids. Allowing packets from a lower security level interface to a higher
security level interface requires a conduit or access list. So yes, it can
be done. I wouldn't forget about security though. ;^)
D.
At 01:50 PM 05/21/2001 -0400, Rizzo
afterwards.
- Original Message -
From: Richie, Nathan
To:
Sent: Monday, May 21, 2001 5:05 PM
Subject: RE: PIX question... [7:5248]
I beg to differ. I do not believe this can be done. When the PIX
translates (either dynamically or statically), it takes a private IP
address (inside
To: [EMAIL PROTECTED]
Subject:Re: PIX question... [7:5248]
hi Rizzo!
You cannot even telnet into your PIX from the outside interface, nor can you
telnet into it without VPN or SSH. Making the PIX work the way you want
(contrary to the usual way of NATing high security to Low security
Message-
From: syson [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 5:14 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX question... [7:5248]
hi Rizzo!
You cannot even telnet into your PIX from the outside interface, nor can you
telnet into it without VPN or SSH. Making the PIX work
, Nathan
To:
Sent: Monday, May 21, 2001 5:05 PM
Subject: RE: PIX question... [7:5248]
I beg to differ. I do not believe this can be done. When the PIX
translates (either dynamically or statically), it takes a private IP
address (inside interface) and translates it to a Public IP address
Here are the following concerns my client has in regards to their
configuration. Please give me your thoughts on this situation.
--
Here are a few of the Questions we have in relation to the PIX 515 Firewall.
We are using IOS 5.2 on the PIX just so you know.
We need to Re-IP the Crypto
Does anyone have any ideas?
Strange problem...
Here is the setup
I have a PIX firewall directly connected to a token-ring ethernet segment. All
users on this segment can reach the internet.(I am using NAT..(nat 1 0 0)
I also have a fast ethernet segment connected to the token ring segment
Post your config, if you don't mind. Nuke the passwords and any IPSEC keys,
etc.
--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Brandon wrote in message
news:[EMAIL PROTECTED]...
Does anyone
Hi
The 520 is on end of life.
See in:
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/1302_pp.htm
Sammi wrote:
Hello all,
I am trying to decide which PIX model to purchase; the 520 or the 515.
I am bringing in a 256k pipe. The telco is supplying the router, I do
not know which
Sammi wrote:
While the 520 chassis is significantly larger than the 515, I cannot
discern added hardware or functionality that accounts for the
differences.
Probably the same reason that the NetRanger is shipped in a
4U case. Legacy from the Wheel Group. Small company, 4U cases
are
, 2001 9:16 AM
Subject: Re: PIX Question [7:2061]
The 520 has a faster cpu for one thing. (515 is a 200mhz while 520 is a
300 or 333 mhz cpu). Also I believe you get more slots to put interfaces in
with the 520.
But I wouldn't buy either one - buy a 525. The 515 is too slow if you
OK so I'm going thru emails backwards today ;) Comments inline.
- Original Message -
From: Sammi
To:
Sent: Thursday, April 26, 2001 3:00 AM
Subject: PIX Question [7:2061]
Hello all,
I am trying to decide which PIX model to purchase; the 520 or the 515.
I am bringing in a 256k
haha...got filtered for s exu al content ;) Not sure where...
- Original Message -
From: Allen May
To:
Sent: Thursday, April 26, 2001 10:16 AM
Subject: Re: PIX Question [7:2061]
525 has a 600MHz processor and yes...520 is going away soon.
http://www.cisco.com/warp/customer/cc/pd
-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jim McCoy
Sent: Thursday, April 26, 2001 12:55 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX Question on VPNs [7:2134]
Turn off use remote gateway on the client vpn connection.
Vijay Ramcharan wrote in message
000601c0ad6d$9d22d4c0$9865fea9
]]
Sent: Thursday, April 26, 2001 1:53 PM
To: 'Jim McCoy'; [EMAIL PROTECTED]
Subject: RE: PIX Question on VPNs [7:2134]
Man, you just blew my mind. Works fine except that I can't browse using
domain names. However if I use the IP address of the web server, I can get
to the site. Weird, since I
user office. As for
the 520 since it's end of life soon and since it only has a 300+ mhz cpu -
I'd go with something that would last for a few years - a 525 with 600+ mhz
cpu, etc..
Ian
- Original Message -
From: simonis
To:
Sent: Thursday, April 26, 2001 9:11 AM
Subject: Re: PIX
Turn off use remote gateway on the client vpn connection.
Vijay Ramcharan wrote in message
news:000601c0ad6d$9d22d4c0$9865fea9@VRAMCHARRAN...
Hi everyone,
I have a question on the operation of VPNs when using a PIX and connecting
via PPTP from a
Hi everyone,
I have a question on the operation of VPNs when using a PIX and connecting
via PPTP from a Win2K client.
Suppose I have a PIX that is setup to accept PPTP connections and
dynamically assign the client an IP address from a LAN subnet after they've
been authenticated on the PIX.
After
To: [EMAIL PROTECTED]
Sent: Thursday, March 15, 2001 10:33 AM
Subject: PIX Question on VPNs
Hi everyone,
I have a question on the operation of VPNs when using a PIX and connecting
via PPTP from a Win2K client.
Suppose I have a PIX that is setup to accept PPTP connections and
dynamica
-
From: Allen May [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 07, 2001 10:40 AM
To: [EMAIL PROTECTED]
Subject: Fw: PIX question
Crap..typo below. Box sitting outside the pix needs to log to the syslog
server inside the pix.
- Original Message -
From: "Allen May" [EMAIL
inside
telnet timeout 15
terminal width 80
- Original Message -
From: Richie, Nathan
To: 'Allen May' ; [EMAIL PROTECTED]
Sent: Thursday, March 08, 2001 12:31 PM
Subject: RE: PIX question
If you can show the configs (minus security information) it might be easier
I have a PIX using IPSec for a VPN tunnel between 2 networks. On the
outside interface is a box using SYSLOG trying to write to a box on the
inside interface. I made an external static IP for the internal box, added
a conduit to permit udp-syslog...nothing. Tried adding access-list # permit
In regards to a pix, I have the following question.
When I'm trying to restrict access from the inside to the dmz, how would I
do that and can you give some examples. For example, do I use an access
list or an outbound command and what are the differences between the two.
In addition, is
I am using PIX 515 IOS ver 4.4. I have to allow only one inside user to
access an Internet address on a particular port. I am using outbound
statement with except to do this. But it is not working. Can anyone put some
light on that. Here is what I am doing:
A user from 10.6.x.x subnet needs
I am using PIX 515 IOS ver 4.4. I have to allow only one inside user to
access an Internet address on a particular port. I am using outbound
statement with except to do this. But it is not working. Can anyone put some
light on that. Here is what I am doing:
A user from 10.6.x.x subnet needs to
]
Subject: Fwd: PIX QUESTION
I am using PIX 515 IOS ver 4.4. I have to allow only one inside user to
access an Internet address on a particular port. I am using outbound
statement with except to do this. But it is not working. Can anyone put some
light on that. Here is what I am doing
Hi everybody,
I have one PIX firewall running v 4.2(4). Based on the config, I've specified
only a few users can go out to internet.
But, my problem is when a user running on NT w/s or server, they can go out to
internet while not for users running on win95.
Anybody experienced the problem
If you want to control who gets out try using an outbound access list and
apply it to your outside interface
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 31, 2000 8:40 PM
To: [EMAIL PROTECTED]
Subject: PIX
Can your 95 users ping the gateway by IP address and hostname?
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 31, 2000 6:40 PM
Subject: PIX question
Hi everybody,
I have one PIX firewall running v 4.2(4). Based on the config, I've
PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, October 28, 2000 2:44 PM
Subject: PIX question
Hello,
Is there any way to have outside users access an
internal subnet? I see from CCO that you can only have
outside users access a particular internal host.
Thanks in advan
Hello,
Is there any way to have outside users access an
internal subnet? I see from CCO that you can only have
outside users access a particular internal host.
Thanks in advance.
Jim
]]
Sent: Friday, October 20, 2000 5:13 PM
To: [EMAIL PROTECTED]
Subject: PIX question***
In the PIX firewall I have to allow one internal address to access one
external address on a specific port. I am using PIX Ver 4.4. And the
outbound statement only allows either source or des
In the PIX firewall I have to allow one internal address to access one
external address on a specific port. I am using PIX Ver 4.4. And the
outbound statement only allows either source or destination. Is there any
way I can do it..?
Thanks
Use an outbound access-list.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pix44cfg/pix44cfg.htm
Hope this helps,
Evan Francen
-Original Message-
From: Peter Gray [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 20, 2000 5:13 PM
To: [EMAIL PROTECTED]
Subject: PIX
Hi Everyone,
There is a web server on the inside of a firewall that is not implementing
NAT and the IP address is transparent to the outside world and people
accessing the server are using the IP address from browsing which is a
security risk (hole). Authentication is through TACACS+ or
Hi everyone,
There is a web server on the inside of a firewall that is not implementing
NAT and the IP address is transparent to the outside world and people
accessing the server are using the IP address from browsing which is a
security risk (hole). Authentication is through TACACS+ or
I'm not sure I understand what you're trying to do. It sounds like reverse
dns, but I'm not sure why you'd want to do a reverse fix-up. Why not just
implement the reverse entry in your DNS server? and don't worry about the
PIX.
I suspect what you want is: 'www.mydomain.com' to resolve to
Hi Everyone,
There is a web server on the inside of a firewall that is not implementing
NAT and the IP address is transparent to the outside world and people
accessing the server are using the IP address from browsing which is a
security risk (hole). Authentication is through TACACS+ or
It's fine for software config. The PIX 506 is not hardware upgradable, so
if you just plan on using it to learn the IOS then it should do nicely.
Hope that helps
Russ..
"Jim Bond" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
Hello,
I'm trying to study PIX.
I hate to ask this but how do I put a secondary ip address on the inside
interface of a PIX 515? I could not find it on CCO and there doesn't appear
to be a secondary command.
Thanks,
Duncan
===
Duncan Maccubbin | [EMAIL PROTECTED]
Senior Network