Re: PIX PDM [7:74758]

2003-09-10 Thread Philip Suen
In my experience, using PDM to configure VPN is unstable. Every time I try to modify the particular VPN connection, all of the connections will be disconnected. In addition, every time you have changed the configuration in PDM, you must remember to save it manually, otherwise reboot will erase

RE: PIX PDM [7:74758]

2003-09-08 Thread [EMAIL PROTECTED]
Basic config PDM OK Exotic > CLI HIGH security? No pdm no ssh no telnet no snmp large shop> maybe from a private management segment snmp small shop > inside intf PDM management/monitoring + extra access-list Always include radius/tacacs+ in the process for auth Always work from policies. Mart

RE: PIX- DMZ [7:74422]

2003-09-04 Thread zak spaniol
Yes, I would like syntax. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74778&t=74422 -- **Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com FAQ, list archives, and subscription info: ht

Re: PIX PDM [7:74758]

2003-09-04 Thread Jason Viera
"Our security group is recommending not to use PDM to configure our Pix firewalls. They did not give any reason for their recommendation. Does anyone know why PDM should not be used?" From what I understand there are a few commands that can't be used from the PDM (they require the use of the

Re: RE: PIX Firewal Software Version [7:73894]

2003-09-03 Thread Mark
: "Deepali S" >Reply-To: "Deepali S" >To: [EMAIL PROTECTED] >Subject: RE: PIX Firewal Software Version [7:73894] >Date: Tue, 2 Sep 2003 07:27:31 GMT > >Hi , > > I would suggest you to use PIX 6.2 software rather than 6.3.1 , since >this >has a lot of

Re: RE: PIX Firewal Software Version [7:73894]

2003-09-03 Thread Brad Ellis
; Mark > CCIE R&S, Security > Lab Technician > GigaVelocity.com > > - Original Message - > >From: "Deepali S" > >Reply-To: "Deepali S" > >To: [EMAIL PROTECTED] > >Subject: RE: PIX Firewal Software Version [7:73894] > >Date: Tue, 2

Re: RE: PIX Firewal Software Version [7:73894]

2003-09-02 Thread Mark
: "Deepali S" >Reply-To: "Deepali S" >To: [EMAIL PROTECTED] >Subject: RE: PIX Firewal Software Version [7:73894] >Date: Tue, 2 Sep 2003 07:27:31 GMT > >Hi , > > I would suggest you to use PIX 6.2 software rather than 6.3.1 , since >this >has a lot of

RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-09-02 Thread Reimer, Fred
recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer. -Original Message- From: Deepali S [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 02, 2003 3:14 AM To: [EMAIL PROTECTED] Subject: RE:

Re: PIX Firewal Software Version [7:73894]

2003-09-02 Thread nrf
""Deepali S"" wrote in message news:[EMAIL PROTECTED] > Hi , > > I would suggest you to use PIX 6.2 software rather than 6.3.1 , since this > has a lot of BUGs , you can download the latest PIX software version 6.3.2 Do not even think of trying to run 6.3.2. Go ahead, try to get 6.3.2 from cco

RE: PIX License upgrade procedure [7:73769]

2003-09-02 Thread Deepali S
Hi Hitesh, If you want to upgrade the license to 3DES please write to [EMAIL PROTECTED] with the following details: 1.No.Of Interfaces on PIX 2.Serial Number 3.PIX Model number 4.The feature request : Need a 3DES license The 3DES license is free , you will get a HEX code as the 3DES licne

RE: PIX Firewal Software Version [7:73894]

2003-09-02 Thread Deepali S
Hi, I would suggest you to use PIX 6.2 software rather than 6.3.1, since this has a lot of BUGs, you can download the latest PIX software version 6.3.2 Let me know if you have any queries. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74639&t=73894

RE: PIX- DMZ [7:74422]

2003-09-02 Thread Deepali S
Yeah! u need to put in the command sets on the PIX. First step you would like to put would be the nat and global commands. Second you would need to specify the routes for the dmz. Pls let me know if you would like to know the syntax of the command. Message Posted at: http://www.groupstu

RE: PIX VPN Setup [7:74369]

2003-09-02 Thread Deepali S
Hi! John, The isakmp and pre-share key is used only when you have the L2L tunnel setup. When you have a VPN tunnel between Client and PIX, the command below is same as the isakmp and pre-shared key. vpngroup VPNUSER password Split tunneling is used when you want the user to browse

RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-09-02 Thread Deepali S
Hi James, First and foremost please make sure that the inside ip address of the pix and the VPN address pool are of different range since there is a BUG associated, I would recommend you to use an entirely different range of address pool. What is the client version you are using? If you are us

RE: PIX- DMZ [7:74422]

2003-08-26 Thread Ben W
Most likely, you need to check the access-list applied to your inbound DMZ interface and permit tcp port 80. You also need to verify your nat commands and global commands are set for dmz network too, if you are nating them. zak spaniol wrote: > > I have a server on my DMZ that I want to browse i

RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread [EMAIL PROTECTED]
acket sent from the client is checked against this list. So must be more specific in my experience. Martijn -Original Message- From: Derek Gaff [mailto:[EMAIL PROTECTED] Sent: Tuesday, 26 August 2003 9:57 To: [EMAIL PROTECTED] Subject: Re: PIX VPN Client Configuration - A

Re: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread Derek Gaff
James You're missing the command "vpdn enable outside" from your config. regards derek - Original Message - From: "James Willard" To: Sent: Tuesday, August 26, 2003 12:17 AM Subject: PIX VPN Client Configuration - At my wit's end! [7:74363] > Hi all, > > Thanks in advance for reading t

Re: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread Francisco Gomez
Hi James, It would be nice to have the output of the "show crypto ipsec sa" on the PIX while pinging back and forth. It would be nice to get the output of the "debug icmp trace" and the "sh access-list" as well but in any case my suggestion is this: 1) If you are doing split-tunneling I will

Re: PIX VPN Setup [7:74369]

2003-08-26 Thread Francisco Gomez
John, One question at the time: 1) "I noticed that I never set an isakmp pre-share key" - Remember that for a VPN client connection, ISAKMP or Phase I is established using "aggressive mode" in this case and due the remote connection would come from any place on the Internet; a pre-share

RE: PIX and Router Setup Question [7:74141]

2003-08-20 Thread Michael Barnhart
"Because I am using a private range, I need to address a packet from a private IP address and to internet / from internet to a private ip address. Which would not work. Because 1700 would not do nat" You are correct. I will setup access lists and the IP Inspect on the router. Should I just disa

RE: PIX and Router Setup Question [7:74141]

2003-08-20 Thread Michael Barnhart
We do not have any more live IP address to use, I would need two more, one on the inside of the router and one on the outside of the pix. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74252&t=74141

RE: PIX and Router Setup Question [7:74141]

2003-08-19 Thread Joel Satterley
3 12:52 To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: PIX and Router Setup Question [7:74141] Tell me if I am wrong: (off my hat) Nat on pix only would cause me to use the 1700 as router/ routed subnet between pix>1700. Because I am using a private range, I need to address a packet from a priv

RE: PIX and Router Setup Question [7:74141]

2003-08-19 Thread [EMAIL PROTECTED]
To: [EMAIL PROTECTED] Subject: RE: PIX and Router Setup Question [7:74141] You'd be better off just using NAT on the PIX, it's what it was made for. Then just secure the 1721 as a perimeter router. NAT'ing twice could cause problems. -Original Message- From: Michael Barnh

Re: PIX and Router Setup Question [7:74141]

2003-08-19 Thread Greg Owens
I would let the Firewall handle the NATing. If you just want the router to perform NAT, you need to use NAT 0 on the PIX. The border router should only do basic filtering and routing. > > From: "Michael Barnhart" > Date: 2003/08/18 Mon PM 11:06:03 EDT > To: [EMAIL PROTECTED] > Subject: PIX and

RE: PIX and Router Setup Question [7:74141]

2003-08-19 Thread Joel Satterley
You'd be better off just using NAT on the PIX, it's what it was made for. Then just secure the 1721 as a perimeter router. NAT'ing twice could cause problems. -Original Message- From: Michael Barnhart [mailto:[EMAIL PROTECTED] Sent: 19 August 2003 04:06 To: [EMAIL PROTECTED] Subject: PIX

RE: PIX and Router Setup Question [7:74141]

2003-08-19 Thread Chirag Arora
Just disable the nat function on PIX for inside network using the nat 0 command...the traffic will reach the router with private source IP where u can nat... Chirag Arora -Original Message- From: Michael Barnhart [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 8:36 AM To: [EM

RE: PIX and Router Setup Question [7:74141]

2003-08-19 Thread HORVATH TAMAS
Hi! If there is not another reason, which you didn't mention, the easiest method to solve your problem is if you do not configure NAT on PIX. In this case internal addresses will be seen by the router, so you have to configure the router to NAT the web and e-mail servers in static way, and to know a

RE: PIX xlate question [7:74012]

2003-08-19 Thread [EMAIL PROTECTED]
ess-list 100. Martijn -Original Message- From: Skarphedinsson Arni V. [mailto:[EMAIL PROTECTED] Sent: Monday, 18 August 2003 15:52 To: [EMAIL PROTECTED] Subject: RE: PIX xlate question [7:74012] Here are the Global and NAT statements global (outside) 1 213.213

RE: PIX xlate question [7:74012]

2003-08-18 Thread Skarphedinsson Arni V.
Here are the Global and NAT statements global (outside) 1 213.213.128.100-213.213.128.200 global (outside) 2 213.213.128.50 global (dmz) 1 192.168.17.150 nat (inside) 0 access-list 100 nat (inside) 2 157.157.144.49 255.255.255.255 0 0 nat (inside) 2 10.100.0.0 255.255.0.0 0 0 nat (inside) 1 0.0.0.

Re: PIX xlate question [7:74012]

2003-08-15 Thread Charles Cthulhu Riley
Your pool may consist of addresses from the local addresses, and the xlates are occurring on a catch as catch basis, which accounts for the weird results of your show command. Assuming your local addresses are 213.x.x.x, your pool of addresses to which these locals are to be translated is also 213.

RE: PIX xlate question [7:74012]

2003-08-15 Thread Edward Sohn
Oops. Didn't look at the output closely enough. Can you send the NAT statements? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Sohn Sent: Friday, August 15, 2003 7:36 AM To: [EMAIL PROTECTED] Subject: RE: PIX xlate question [7:74012] y

RE: PIX xlate question [7:74012]

2003-08-15 Thread Edward Sohn
PROTECTED] Subject: Re: PIX xlate question [7:74012] Skarphedinsson Arni V. wrote: > why would I see the following when I do sh xlate on the pix, i.e. one > global address is being translated to the next in line global address ? > > and suggestions would be welcome > > &g

RE: PIX timeout uauth [7:73995]

2003-08-15 Thread [EMAIL PROTECTED]
Simer, I always leave all timers standard. That works. I keep PIXOS versions in sync. When you ping from site 2 in the morning, tunnel should also come up. Double check all the access-lists/peer statements. Martijn -Oorspronkelijk bericht- Van: Simer Mayo [mailto:[EMAIL PROTECTED] Verz

Re: PIX timeout uauth [7:74018]

2003-08-15 Thread d tran
The parameters you should be concerned with are: isakmp policy 10 lifetime 86400 crypto ipsec security-association lifetime seconds 3600 After 24 hours, phase I key will be re-nego. Phase II key will be re-nego. after 1 hours. Simer Mayo wrote: I have a site to site tunnel between 2 sit

Re: PIX xlate question [7:74012]

2003-08-15 Thread Pat Donlon
Skarphedinsson Arni V. wrote: > why would I see the following when I do sh xlate on the pix, i.e. > one global address is being translated to the next in line global address ? > > and suggestions would be welcome > > > Global 213.213.128.143 Local 213.213.128.142 > Global 213.213.128.142 Local

RE: PIX xlate question [7:74012]

2003-08-15 Thread [EMAIL PROTECTED]
PLS give, just to be sure, Global and NAT statements. Martijn -Original Message- From: Skarphedinsson Arni V. [mailto:[EMAIL PROTECTED] Sent: Friday, 15 August 2003 12:34 To: [EMAIL PROTECTED] Subject: PIX xlate question [7:74012] why would I see the following when I do

RE: PIX License upgrade procedure [7:73769]

2003-08-14 Thread Wilmes, Rusty
whew. I got ours about 3-4 mos ago. I thought I was going to have to have a little chat w/ my reseller... -Original Message- From: Joshua Vince [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 5:59 AM To: Wilmes, Rusty; [EMAIL PROTECTED] Subject: RE: PIX License upgrade procedure

RE: PIX License upgrade procedure [7:73769]

2003-08-14 Thread [EMAIL PROTECTED]
SHORT! Client paid for it like half a year ago or something. Martijn -Original Message- From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] Sent: Monday, 11 August 2003 14:57 To: [EMAIL PROTECTED] Subject: RE: PIX License upgrade procedure [7:73769] h - how long has it

Re: PIX License upgrade procedure [7:73769]

2003-08-14 Thread Stevo
: Wilmes, Rusty [mailto:[EMAIL PROTECTED] > Sent: Monday, 11 August 2003 14:57 > To: [EMAIL PROTECTED] > Subject: RE: PIX License upgrade procedure [7:73769] > > > h - how long has it been free ? > -Original Message- > From: Joshua Vince > To: [EMAIL

RE: PIX License upgrade procedure [7:73769]

2003-08-14 Thread Steve Wilson
57 To: [EMAIL PROTECTED] Subject: RE: PIX License upgrade procedure [7:73769] h - how long has it been free ? -Original Message- From: Joshua Vince To: [EMAIL PROTECTED] Sent: 8/11/2003 4:04 AM Subject: RE: PIX License upgrade procedure [7:73769] It is free now. http://www.cisco.co

RE: PIX License upgrade procedure [7:73769]

2003-08-14 Thread Joshua Vince
It is free now. http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl You will need a CCO login. Josh -Original Message- From: Hitesh Pathak R [mailto:[EMAIL PROTECTED] Sent: Saturday, August 09, 2003 6:58 AM To: [EMAIL PROTECTED] Subject: PIX License upgrade procedure [7:

Re: RE: PIX translation problem [7:72567]

2003-08-14 Thread Greg Owens
4000 even though their 65000 ports available > > From: "Lynne Padgett" > Date: 2003/08/08 Fri AM 11:11:01 EDT> To: [EMAIL PROTECTED] > Subject: RE: PIX translation problem [7:72567] > > Greg Owens 202-398-2552 [GroupStudy removed an attachment with a content

RE: PIX translation problem [7:72567]

2003-08-14 Thread Reimer, Fred
PROTECTED] Subject: RE: PIX translation problem [7:72567] What is the maximum number of translations in a global pool on a PIX? I didn't realize there was a cap. I was under the impression that the number of translations was directly related to the PIX user/connection license. -O

RE: PIX License upgrade procedure [7:73769]

2003-08-14 Thread Joshua Vince
About 1-2 months. Notice the link: 3DES/AES Encryption License (Free) Josh -Original Message- From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 8:57 AM To: Joshua Vince; '[EMAIL PROTECTED] ' Subject: RE: PIX License upgrade procedure [7:73769] h

RE: PIX translation problem [7:72567]

2003-08-14 Thread Reimer, Fred
No, but I know what it means. What kind of NAT are you doing? A global pool, or a single address doing PAT? If it's a pool, then you can define a single address (or interface) to do PAT when the global pool runs out. Or, if you already have PAT and that is being exhausted, then you can define a

RE: Pix 506e, 1721 router [7:73521]

2003-08-14 Thread Robert Perez
you said vpn pix-2-pix, so how does the router come into play? If he is just a transit device you need not do anything. -Original Message- From: zak spaniol [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 12:57 PM To: [EMAIL PROTECTED] Subject: Re: Pix 506e, 1721 router [7

Re: RE: PIX translation problem [7:72567]

2003-08-14 Thread Greg Owens
changing the timeout value worked, so the problem is fixed Thanks all > > From: "Reimer, Fred" > Date: 2003/08/08 Fri AM 11:26:37 EDT > To: [EMAIL PROTECTED] > Subject: RE: PIX translation problem [7:72567] > > Greg Owens 202-398-2552 [GroupStudy removed an

RE: PIX License upgrade procedure [7:73769]

2003-08-11 Thread Wilmes, Rusty
h - how long has it been free ? -Original Message- From: Joshua Vince To: [EMAIL PROTECTED] Sent: 8/11/2003 4:04 AM Subject: RE: PIX License upgrade procedure [7:73769] It is free now. http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl You will need a CCO login

RE: PIX License upgrade procedure [7:73769]

2003-08-10 Thread Wilmes, Rusty
It's definitely chargeable. A couple months ago I got a 3des license for a 515e restricted. Around $400. -Original Message- From: Dom [mailto:[EMAIL PROTECTED] Sent: Saturday, August 09, 2003 5:25 AM To: [EMAIL PROTECTED] Subject: RE: PIX License upgrade procedure [7:73769] IIRC, it is

RE: PIX License upgrade procedure [7:73769]

2003-08-09 Thread Dom
IIRC, it is chargeable - Contact your local Cisco reseller. Best regards, Dom Stocqueler SysDom Technologies Visit our website - www.sysdom.org -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hitesh Pathak R Sent: 09 August 2003 11:58 To: [EMAIL PROTECT

RE: PIX translation problem [7:72567]

2003-08-09 Thread Lynne Padgett
ECTED] Sent: Thursday, August 07, 2003 5:01 PM To: [EMAIL PROTECTED] Subject: RE: PIX translation problem [7:72567] No, but I know what it means. What kind of NAT are you doing? A global pool, or a single address doing PAT? If it's a pool, then you can define a single address (or interface)

RE: Pix 506e, 1721 router [7:73521]

2003-08-06 Thread [EMAIL PROTECTED]
See RE: Access Internet via the corporate PIX [7:73563] If this is not the answer, be more specific. Martijn >> Build the tunnel first. Use HQ or RO dns. Make sure users cannot HTTP direct through firewall, enable direct HTTPS through it if you want. Maybe also no ftp

Re: Pix 506e, 1721 router [7:73521]

2003-08-05 Thread zak spaniol
I am going to be performing a VPN pix to pix configuration, the only part I am not sure of is how to configure router. Any suggestion? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73539&t=73521

Re: PIX OS 4.2 to 6.3 [7:73354]

2003-08-04 Thread Bikespace
There's no hiding around here is there :-) The codes are just to allow you to see what flash memory you have presently though. I don't think they resemble the actual part codes. Just found the original: i28F020 512 KB AT29C040A 2 MB atmel 2 MB i28F640J5 8 MB - PIX 506 16 MB - all other PIXes str

RE: PIX OS 4.2 to 6.3 [7:73354]

2003-08-04 Thread Joel Satterley
. -Original Message- From: Bikespace [mailto:[EMAIL PROTECTED] Sent: 02 August 2003 01:31 To: [EMAIL PROTECTED] Subject: Re: PIX OS 4.2 to 6.3 [7:73354] I must admit, I've not been doing Pix as far back as 4.2 as far as I can remember (just a few years), so you must feel you have had

RE: PIX OS 4.2 to 6.3 [7:73354]

2003-08-03 Thread Daniel Cotts
US list price on 535 UR is $38,000 US list price on 525 UR is $13,000 List on a 16 MB Flash ISA card is $1,000 PIX-FLASH-16MB= And from an old post - the part numbers for the various Flash cards - thanks to Gaz - who I think is now "Bikespace". You should have one of the following : AT29C040A - 2

Re: PIX OS 4.2 to 6.3 [7:73354]

2003-08-02 Thread Bikespace
Hi Shawn, You may well be able to just upgrade your 520 (which may mean flash/ram upgrades). It depends on what you're putting through it, terminating on it etc. Presumably you've got a fair bit going on if you're looking towards the 535. I would think if you're on 4.2 at the moment you may well j

Re: PIX OS 4.2 to 6.3 [7:73354]

2003-08-01 Thread Bikespace
I must admit, I've not been doing Pix as far back as 4.2 as far as I can remember (just a few years), so you must feel you have had good value from your 520 if you've not had to mess with it at all. I could not guarantee that all config would go over. It certainly wouldn't be far out as most Pix co

Re: PIX DNS Issue [7:72685]

2003-07-28 Thread Stevo
Well that's exactly right... Thanks for the links Chavira! Stevo ""Chavira Luis"" wrote in message news:[EMAIL PROTECTED] > No, the PIX "translates" the response in a DNS proxy manner. This helps when > a host has a static translation using the pix. > > For example, imagine the 10.0.0.1 (inside

Re: PIX DNS Issue [7:72685]

2003-07-24 Thread Chavira Luis
No, the PIX "translates" the response in a DNS proxy manner. This helps when a host has a static translation using the pix. For example, imagine the 10.0.0.1 (inside) and 200.33.76.1 (outside) pair. The external BIND will answer the query with the external IP, but the PIX will translate the answer

Re: PIX DNS Issue [7:72685]

2003-07-21 Thread Bikespace
L PROTECTED] On Behalf Of > Stevo > Sent: July 21, 2003 11:27 AM > To: [EMAIL PROTECTED] > Subject: Re: PIX DNS Issue [7:72685] > > You know I've had similar weirdness with my Pix (6.3) and DNS. > > I have 2 internal AD DNS servers and 2 external BIND DNS servers. Th

RE: PIX DNS Issue [7:72685]

2003-07-21 Thread jhodge
To: [EMAIL PROTECTED] Subject: Re: PIX DNS Issue [7:72685] You know I've had similar weirdness with my Pix (6.3) and DNS. I have 2 internal AD DNS servers and 2 external BIND DNS servers. The 2 external DNS servers sit outside the PIX and AD DNS server obviously sit behind the Pix on the i

Re: PIX DNS Issue [7:72685]

2003-07-21 Thread Stevo
.Nabil > > "I have never let my schooling interfere with my education." > > > > Andrew > Larkins > > cc: > Sent by: Subject: RE: PIX DNS Issue > [7:72685] > > [EMAIL PROTECTED]

RE: PIX DNS Issue [7:72685]

2003-07-21 Thread [EMAIL PROTECTED]
education." Andrew Larkins cc: Sent by: Subject: RE: PIX DNS Issue [7:72685] [EMAIL PROTECTED]

Re: PIX DNS Issue [7:72685]

2003-07-21 Thread Nakul Malik
try accessing port 53 of your external DNS server from your internal DNS server. Should be reachable from it in order to work. -Nakul ""Tunde Kalejaiye"" wrote in message news:[EMAIL PROTECTED] > I swapped a router running ios firewall with a pix 506e and i have been > having > all sorts of issue

RE: PIX DNS Issue [7:72685]

2003-07-21 Thread Andrew Larkins
Please send the config and we can have a look. -Original Message- From: Tunde Kalejaiye [mailto:[EMAIL PROTECTED] Sent: 21 July 2003 11:57 To: [EMAIL PROTECTED] Subject: PIX DNS Issue [7:72685] I swapped a router running ios firewall with a pix 506e and i have been having all sorts of is

Re: PIX translation problem [7:72567]

2003-07-20 Thread Bikespace
Sorry to give one of those annoying answers. I saw this a couple of weeks ago while configuring a Pix. I looked at the config and I had typo'd. Unfortunately I can't remember what I'd done wrong at the time. Can you post the config and it may jog my memory. Regards, Bikespace ""Greg Owens"" wr

Re: Pix Log Analysis [7:72328]

2003-07-16 Thread Rohit Sundriyal
Hi, Can you give us some more info how to use this software. Cheers ""Joseph Brunner"" wrote in message news:[EMAIL PROTECTED] > Try Private-I or Sawmill. > > I prefer Sawmill. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72386&t=72328

RE: Pix Log Analysis [7:72328]

2003-07-15 Thread Joseph Brunner
Try Private-I or Sawmill. I prefer Sawmill. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72355&t=72328 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure v

RE: pix > netscreen vpn [7:70547]

2003-06-11 Thread Wilmes, Rusty
so i found a reference to acl's not matching. the netscreen doesn't appear to have one (but that's not confirmed yet). More news to follow. -Original Message- From: Wilmes, Rusty Sent: Wednesday, June 11, 2003 4:01 PM To: [EMAIL PROTECTED] Subject: pix > netscreen vpn [7:70547] Hi, I

RE: PIX, IPSEC, and RBGAN?? [7:70267]

2003-06-11 Thread High Stacy
No. But I'll keep my eyes peeled! Stac Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70526&t=70267

RE: PIX access-list [7:70022]

2003-06-03 Thread Troy Leliard
Silly thing to overlook, but best to check anyway is that you have applied the ACL to the correct interface Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70053&t=70022 -- FAQ, list archives, and subscription info: http://www.group

RE: PIX access-list [7:70022]

2003-06-03 Thread Elijah Savage
This is possible because you are using win2k now and if that is the case for AD stuff you need to open port 445 also. -Original Message- From: jmullins1 [mailto:[EMAIL PROTECTED] Sent: Monday, June 02, 2003 4:52 PM To: [EMAIL PROTECTED] Subject: PIX access-list [7:70022] I'm trying to al

Re: PIX & Router [7:70001]

2003-06-03 Thread Darbi Yanitzi
No, you can not do that. ""Skarphedinsson Arni V."" wrote in message news:[EMAIL PROTECTED] > I have a router connected to a vlan trunk one for internet access, and one > for a remote branch, but then I have a pix that all my users connect through, > and does the NAT, but then of course the users

RE: PIX Firewall 6.2.2 Inside network can not reach [7:69779]

2003-06-03 Thread Mark W. Odette II
dmz.host.ip.addr dns netmask 255.255.255.255 0 0" I don't have a 3-interface pix to test these possible solutions on, so I can't say for certain that I'm correct. :( -Mark -Original Message- From: Richard Botham [mailto:[EMAIL PROTECTED] Sent: Monday, June 02, 2003 7:12 AM To: [

RE: PIX to concentrator Problem ......Urgent [7:69988]

2003-06-03 Thread Steve Wilson
Check your network lists on the concentrator. They need to as explicit as possible. If you supernet any contiguous networks, ensure that you do not accidentally include a network that is really down another tunnel. Cheers, Steve Wilson CCNP CCDA Network Engineer -Original Message- From: [

RE: PIX Firewall 6.2.2 Inside network can not reac [7:69779]

2003-06-02 Thread Richard Botham
Charles/Mark, No infinite wisdom I'm afraid - just my £0.2. Is it because the statements below effectively do nothing due to the fact the statement 2 undoes what statement one has just done ? [or have I missed the point.] 1)alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255 2)alias (ins

Re: PIX 6.3 [7:69876]

2003-06-02 Thread Troy Leliard
I've recently upgraded to 6.3 with no problems...I would echo Madman and say not a great idea to use conduit and ACL's ... Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69974&t=69876

RE: PIX Firewall --- DMZ to Inside Access [7:69877]

2003-05-31 Thread Mark Smith
Try this: pix(config)# access-list permit tcp host 10.1.1.X host 192.168.20.10 eq 7000 pix(config)# access-group in interface where you fill the correct value for "X" in the source IP address that's needing to access the inside, where is whatever you want to name your access list and is the n

RE: PIX 6.3 [7:69876]

2003-05-31 Thread Greg Owens Jr
yES -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manny Sent: Friday, May 30, 2003 11:26 AM To: [EMAIL PROTECTED] Subject: PIX 6.3 [7:69876] Has anyone upgraded to 6.3? Will I still be able to use conduits and static's? I currently have a 515 running

Re: PIX 6.3 [7:69876]

2003-05-31 Thread MADMAN
Yes it apparently will though you may want to consider using access-lists: pix520a# sh ver Cisco PIX Firewall Version 6.3(1) Cisco PIX Device Manager Version 3.0(0)148 Compiled on Wed 19-Mar-03 11:49 by morlee pix520a up 14 days 14 hours Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 350 MH

RE: PIX Firewall --- DMZ to Inside Access [7:69877]

2003-05-31 Thread Vijay Ramcharan
Define static(s) to translate inside host address(es) to DMZ address(es) like so: static (inside,DMZ) 192.168.10.222 10.2.5.222 netmask 255.255.255.255 0 0 static (inside,DMZ) 192.168.10.230 10.2.5.230 netmask 255.255.255.255 0 0 Configure an access list to permit traffic to the translated insi

RE: PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69779]

2003-05-30 Thread Mark W. Odette II
Charles- I could be wrong, but my interpretation of the doc's covering the Alias command says that you can't have your cake and eat it too. :) What I mean is, I don't believe you can DNS-Doctor and Destination-NAT at the same time. Like I said, I could be wrong. From what I understand, you need

RE: PIX Nat Traversal / VPN [7:66404]

2003-03-30 Thread Chris Penrose
-Original Message- From: Steve Wilson [mailto:[EMAIL PROTECTED] Sent: 30 March 2003 21:21 To: [EMAIL PROTECTED] Subject: RE: PIX Nat Traversal / VPN [7:66404] Last time I looked you could not do NAT-T on a PIX with 6.3 software. Only VPN Gateways can handle it. Next gen of software

RE: PIX Nat Traversal / VPN [7:66404]

2003-03-30 Thread Steve Wilson
Last time I looked you could not do NAT-T on a PIX with 6.3 software. Only VPN Gateways can handle it. Next gen of software should be able to do it sez the great god Cisco. I have been looking forward to this for some time as I install both PIX and VPN all the time. Cheers, Steve -Original M

Re: Pix and conduits vs. access-list [7:66386]

2003-03-28 Thread JSalminen
It is my understanding that cisco will be discontinuing support for the conduit function in the near future. You should migrate those statements to ACLs especially using ios 6.2. I had some unusual difficulties using a few conduits with 6.2. ""Aaron Ajello"" wrote in message news:[EMAIL PROTECTE

Re: PIX Question - IPX Support? [7:66338]

2003-03-27 Thread Priscilla Oppenheimer
nettable_walker wrote: > > 3/27/2003 9:00pm Thursday > > This has come up before - > Is there any such thing as an IPX firewall ? Sure. A Cisco router with IPX access lists!? :-) > > Richard > > // > > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66360&t=663

Re: PIX Question - IPX Support? [7:66338]

2003-03-27 Thread nettable_walker
3/27/2003 9:00pm Thursday This has come up before - Is there any such thing as an IPX firewall ? Richard // Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66358&t=66338

Re: PIX Question - IPX Support? [7:66338]

2003-03-27 Thread MADMAN
No the PIX doesn't do IPX so the tunnel is your friend. Dave Lupi, Guy wrote: > I have never worked with the PIX before, but I was wondering if PIX > firewalls support IPX. I want to configure a PIX with an IPX address on one > of the interfaces, and configure an encrypted GRE tunnel with ano

RE: PIX Question - IPX Support? [7:66338]

2003-03-27 Thread Skarphedinsson Arni V.
No the PIX does not support IPX only IP, you will need a router for that Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66341&t=66338

RE: PIX VPN home access question [7:65666]

2003-03-25 Thread BJ Rice
The 515 is actually at my home and from my office, I VPN to it. Yeah I know it is quirky, but I do have a legitimate excuse. You asked what the ip address outside DHCP setroute command does. I have DSL at home with no static IP address. That line in my PIX essentially lets the PIX know that I

RE: PIX Questions [7:65806]

2003-03-21 Thread CCIE #6746
The pix does have limited routing functionality. It can route packets but it's not its primary purpose. Its primary purpose is however NAT / PAT / stateful inspection etc... With that said it can perform NAT/PAT in realtime, much faster than a router which has a multitude of functions to perf

Re: PIX question [7:65769]

2003-03-21 Thread JSalminen
In my opinion it is smarter and safer to use a DMZ interface on a PIX firewall vice having a switch/hub before the firewall. This is because if one of your DMZ nodes is attacked from the internet you can easily close the hole and block the attack source. With a hub before firewall you will have to

Re: PIX Questions [7:65806]

2003-03-20 Thread nrf
""Ben W"" wrote in message news:[EMAIL PROTECTED] > The PIX is not a router, however it does have a routing table and can > participate in a limited fashion in certain routing protocols, like RIP. I'm afraid I have to disagree. The Pix is a router. Basically, any device that will forward packet

Re: PIX Questions [7:65806]

2003-03-20 Thread Darrell Newcomb
ursday, March 20, 2003 2:16 PM > To: [EMAIL PROTECTED] > Subject: RE: PIX Questions [7:65806] > > > The PIX is not a router, however it does have a routing table and can > participate in a limited fashion in certain routing protocols, like RIP. > > To answer your 2nd question, th

RE: PIX Questions [7:65806]

2003-03-20 Thread Robert Perez
Newer versions of the PIX OS have more routing protocol support such as OSPF. Vs. 6.3 -Original Message- From: Ben W [mailto:[EMAIL PROTECTED] Sent: Thursday, March 20, 2003 2:16 PM To: [EMAIL PROTECTED] Subject: RE: PIX Questions [7:65806] The PIX is not a router, however it does have

RE: pix 501 limitations [7:65785]

2003-03-20 Thread CCIE #6746
With 3des encryption is it only capable of doing 3MB per sec. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of bk Sent: Wednesday, March 19, 2003 5:24 PM To: [EMAIL PROTECTED] Subject: pix 501 limitations [7:65785] Good day, I thought I read somewhere tha

RE: PIX VPN home access question [7:65666]

2003-03-20 Thread Richard Campbell
time?? Thanks >From: "BJ Rice" >Reply-To: "BJ Rice" >To: [EMAIL PROTECTED] >Subject: RE: PIX VPN home access question [7:65666] >Date: Tue, 18 Mar 2003 22:05:21 GMT > >The software is available at >http://www.cisco.com/kobayashi/sw-center/sw-vpn.shtml.

RE: PIX Questions [7:65806]

2003-03-20 Thread Ben W
The PIX is not a router, however it does have a routing table and can participate in a limited fashion in certain routing protocols, like RIP. To answer your 2nd question, there is no functional difference between the IOS and PIX doing nat/pat. It's just a difference in configuration really. Mes

RE: PIX VPN home access question [7:65666]

2003-03-19 Thread Richard Campbell
access. May I know where you set your outside interface IP in the config. What is the meaning of the command "ip address outside dhcp setroute". you used dhcp to allocate IP to your client? >From: "BJ Rice" >Reply-To: "BJ Rice" >To: [EMAIL PROTECTED] >
