Cisco Support Community

ASK THE EXPERT- PIX FIREWALLS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss PIX Firewalls with Cisco expert Cihan Yazicioglu. Cihan is a Technical Marketing Engineer for the VPN and Security group at Cisco Systems, Inc. He provides technical support to field engineers and frequently conducts PIX Firewall training for Cisco's TAC (Technical Assistance Center). He is also a certified Cisco Security Professional. Remember to use the rating system to let Cihan know if you’ve received an adequate response.

Cihan might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 27. Visit this forum often to view responses to your questions and the questions of other community members.

93 REPLIES
New Member

Re: ASK THE EXPERT- PIX FIREWALLS

When will QoS be implemented on the PIX?

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

And as an anticipated follow up to that question, when will version 7.0 be released?

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

That should be orderable and on CCO by CYQ4 of 2004.

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

Jami, there is no definitive time set for implementing QoS. But if you get back to me with some of your concerns about QoS using a PIX, I will bring this up to the PIX development team.

thanks.

Cihan@cisco.com

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

Hello,

I have a PIX Firewall 520 running software 5.1(4), equipped with three interfaces.

I want to prevent my external PIX interface from being "pinged". I have tried the command "icmp deny any any outside" but it seems that this version does not support such a command. I have searched through the Cisco website but I could not find anything about PIX software 5.1(4). So how could I prevent PIX interfaces from being pinged using that software? What am I missing?

Note: I am obliged to use that old software due to the PIX flash capacity (2 MB).

Thanks for your reply

Regards,

Ali

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

Ali, you must have one of the old 520s. You are right, the "icmp" command was introduced with 5.2 and it requires 16 MB of Flash. http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/relnotes/pixrn521.htm#xtocid4

If you are having a hard time upgrading the flash send me an email at cihan@cisco.com I can assist you. (I have some older units here)

Thanks.

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

I am running into the same problem; my PIX is running 5.1.2 because I have 2 MB of flash on my PIX. I am trying to upgrade to 5.2.

Cihan, Could you please help me on this? Thanks

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

Send me an email I can assist you

cihan@cisco.com

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

Hello,

Thanks a lot for you reply,

So there are no alternative solutions or workarounds to prevent the PIX interface from being pinged with the current software? It is very critical to me to hide the outside interface from the public.

The upgrade will be done, but I have to wait for the new flash memory (it takes up to six or eight weeks to be available).

So if you could provide me with a temporary solution, it would be appreciated.

Regards,

Ali.

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

Hi,

No insights on my reply? Or do you want me to write to you at your email address?

Thanks in advance

Ali.

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

No way of doing it unless you upgrade to a newer version. 16 MB of flash is needed for any version newer than 5.2.

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

One workaround would be to place an ACL on the router facing the internet.

Regards,

Mike
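A worked configuration for the two answers above: the icmp control list that Cihan refers to (available from 5.2) and Mike's workaround of filtering on the Internet-facing router while the PIX is still on 5.1(4). This is an added example and not from the thread or from Cisco's documentation; the PIX outside address 203.0.113.2, the router interface Serial0/0 and the ACL name are assumed.

```cisco
! ---- PIX 5.2 and later: ICMP that terminates ON the PIX outside interface.
! The icmp command does not touch ICMP passing THROUGH the firewall; that is
! still governed by access-list/conduit. Once any icmp entry exists for an
! interface, ICMP to that interface is evaluated first-match and everything
! unmatched is dropped, so permit what you still want before relying on the
! implicit deny.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any echo outside
! (any other ICMP type sent to "outside" is now implicitly denied)

! Check the list and the result:
!   show icmp                        -> the three lines above
!   ping 203.0.113.2 from outside    -> times out; outbound pings from inside
!                                       hosts still get their replies and
!                                       path-MTU discovery still works

! ---- Workaround while the PIX is on 5.1(4) (no icmp command): drop echo
! requests to the PIX outside address on the upstream IOS router. Only echo
! requests are filtered; everything else still reaches the PIX so that the
! firewall, not the router, remains the policy point.
ip access-list extended OUTSIDE-IN
 remark assumed PIX outside address 203.0.113.2
 deny   icmp any host 203.0.113.2 echo
 permit ip any any
!
interface Serial0/0
 description assumed Internet-facing interface
 ip access-group OUTSIDE-IN in
```

Neither variant hides the address from a scanner that does not rely on ICMP; it only stops the interface from answering echo requests. The `permit ip any any` at the end of the router ACL is deliberate so that the PIX keeps its role as the filtering device; tighten it separately if the router is meant to filter as well.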

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

When will support for PPTP authentication to Windows 2003 RADIUS (IAS) be implemented on the PIX?

Re: ASK THE EXPERT- PIX FIREWALLS

I have not tested this but I suspect that this will work fine currently. The PIX is able to authenticate PPTP clients via an external RADIUS server. Assuming MS did not deviate from the RADIUS RFC in 2003, this setup should work. Have you tried this and are you having problems?

Scott

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

I have tried. The IAS server authenticates OK (I see it in the log) but the PIX does not accept the answer.

I have found this in a Cisco forum, so it's not only my case:

"Forgive me if this has been covered, I looked back a few months and wasn't able to find anything on it. I set up a PIX tonight and at the end the customer asked me to have it authenticate VPN users against his Active Directory database, so I added in the aaa-server commands and the necessary client authentication commands, but failed to ever successfully authenticate any remote users through IAS. I have set this up many times using Windows 2000 IAS without issue, but apparently there is a big difference in how it is implemented in 2003 OR...I'm just totally overlooking something obvious (we all miss something occasionally :) Has anyone set this up successfully using IAS 2003? Any ideas or docs, pointers you might have? "

Any help?

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

Take a look at the following doc. If that is not what you need let me know.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Cihan

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

This configuration is for IPSec, not for PPTP.
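The PIX side of the setup the question describes, PPTP terminated on the PIX with user authentication handed to an external RADIUS server, as an added example that is not part of the thread or of the linked Cisco document. The server address 10.1.1.10, the shared key, the DNS server 10.1.1.20 and the address pool are assumed. The thread does not say what fails with IAS on Windows 2003, so the comments only mark the points where the RADIUS policy has to agree with what the PIX asks for.

```cisco
! PIX 6.x: PPTP termination on outside, client authentication via RADIUS.
! RADIUS server 10.1.1.10 (assumed) reachable through the inside interface.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 s3cretSharedKey timeout 5

! Addresses handed to PPTP clients (assumed pool; must not overlap inside)
ip local pool pptp-pool 192.168.50.1-192.168.50.50

vpdn group 1 accept dialin pptp
! MPPE is only possible with MS-CHAP. Because the PIX never sees the user's
! password when RADIUS does the authentication, the MPPE keys must come back
! from the server in the Access-Accept (MS-MPPE-* attributes), so the
! remote-access policy must allow MS-CHAP v1/v2 AND permit encryption;
! otherwise the server logs a success while the PPP session still fails.
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 10.1.1.20
vpdn group 1 client authentication aaa RADIUS
vpdn enable outside

! TCP/1723 and GRE to the outside interface are accepted once vpdn is
! enabled. Traffic from inside hosts back to the pool must not be NATed:
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

! Where to look when the server says yes and the tunnel still drops:
!   debug radius            -> attributes returned in the Access-Accept
!   debug ppp negotiation   -> LCP/CCP (MPPE) and IPCP phases
!   debug ppp error         -> the reason the PPP phase was torn down
!   show vpdn session       -> sessions that did come up
```

MS-CHAP (either version) with 40- or 128-bit MPPE is weak by current standards; the example follows the PPTP setup the thread is about and is not a recommendation for new deployments.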

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

Hello,

Is it possible to connect a 506E (ver 6.3) outside interface using DSL PPPoE with the dhcp setroute option, and create a VPN tunnel terminating on the outside interface to access servers on the inside interface?

Re: ASK THE EXPERT- PIX FIREWALLS

Yes, the PIX does not care how the IP address was set on the interface where you are enabling IPSec. The trick is that you will need to know this address for your users to set in the VPN client as a destination address. If your provider changes this DHCP address often, this may be a difficult process to manage. Just do a search on CCO for 'PIX IPSec' and take a look at any sample config that shows the PIX terminating VPN client sessions.

Scott
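A configuration matching Scott's answer for the 506E on 6.3: the outside address comes from the provider over PPPoE (with setroute installing the default route) and a remote-access IPsec map is bound to that same interface. This is an added example, not from the thread or from a Cisco sample; the PPPoE username and password, the inside subnet 10.1.1.0/24, the address pool, the group name and all secrets are assumed.

```cisco
! PIX 506E, 6.3: outside interface addressed by the DSL provider via PPPoE.
! "setroute" installs the default route learned in the PPPoE session, so do
! NOT also configure "route outside 0 0 ...".
vpdn group dsl request dialout pppoe
vpdn group dsl localname user@isp.example
vpdn group dsl ppp authentication pap
vpdn username user@isp.example password pppoe-secret
ip address outside pppoe setroute

! Remote-access IPsec (Cisco VPN Client, group "remote") terminating on the
! same outside interface. The PIX uses whatever address the interface holds;
! nothing below refers to that address, which is why a dynamic one works.
ip local pool vpnpool 192.168.60.1-192.168.60.50
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

! Assumes the 3DES/AES activation key is present (check with show version).
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote address-pool vpnpool
vpngroup remote dns-server 10.1.1.20
vpngroup remote idle-time 1800
vpngroup remote password group-secret

! The client's peer address is whatever the ISP assigned this time:
!   show ip address outside pppoe   -> current address and PPPoE gateway
!   show vpdn session               -> PPPoE session state
!   debug pppoe event               -> if the session does not come up
```

The management point from Scott's answer: when the provider changes the address, every client profile changes with it, so give clients a DNS name you update on change rather than the raw address, or ask the provider for a static PPPoE assignment.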

Re: ASK THE EXPERT- PIX FIREWALLS

Hello,

I need to implement the NAT outside command:

I configure it in this way:

nat (outside,inside) 10.1.1.1 192.168.1.1 255.255...

where 10.1.1.1 is the address of the outside host 192.168.1.1 as translated on the inside, so it is able to initiate communication towards other 10.1.1.x hosts,

but it doesn't seem to function,

and if I do a show xlate I don't see this entry.

where is my mistake?

NB: I use a Pix515 running 6.2(2)

Thanks

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

You must use the static command rather than nat.
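A worked version of the answer above for the 515 on 6.2(2): outside NAT expressed with static rather than nat, plus the pieces the outside host still needs to initiate a connection inward. This is an added example and not code from the thread; the inside subnet 10.1.1.0/24, the access-list name and the permitted ports are assumed.

```cisco
! PIX 515, 6.2(2): outside host 192.168.1.1 appears on the inside as 10.1.1.1
! and initiates connections to inside hosts in 10.1.1.0/24.
!
! static takes (real_if,mapped_if) mapped_ip real_ip: 192.168.1.1 really
! lives on outside and is to be seen as 10.1.1.1 on inside. A static exists
! before the first packet arrives, which a dynamic nat/global pair does not,
! and "nat (outside,inside) ..." is not a form the nat command accepts.
static (outside,inside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255

! The inside hosts need a translation toward outside as well; an identity
! static keeps their real addresses (assumed inside subnet).
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Outside (security 0) to inside (security 100) is denied unless permitted.
! The access-list on outside matches the real source address 192.168.1.1.
! Assumed: only SMB and SSH are wanted.
access-list outside_in permit tcp host 192.168.1.1 10.1.1.0 255.255.255.0 eq 445
access-list outside_in permit tcp host 192.168.1.1 10.1.1.0 255.255.255.0 eq 22
access-group outside_in in interface outside

! Statics apply to new connections; clearing the xlate table drops every
! current translation, so do it in a maintenance window.
clear xlate

! Verify:
!   show static   -> both static lines
!   show xlate    -> the 10.1.1.1 / 192.168.1.1 entry (static, no timeout)
!   show conn     -> connections from 10.1.1.1 to the 10.1.1.x hosts
```

The identity static on the inside side assumes the outside network already routes 10.1.1.0/24 to the PIX outside interface, which the question's design implies; without that route the outside host cannot address the inside hosts at all.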

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

Hello,

I have a PIX 515E and our remote users currently use PPTP to VPN to the corporate network.

We are planning to set up a co-location and I want to use the same PIX to make a site-to-site IPSec VPN. Can the PIX do both types of VPNs simultaneously? Is there anything that I need to consider?

Re: ASK THE EXPERT- PIX FIREWALLS

Yup, should not be a problem. Take a look here for an example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml

Scott

New Member

Re: ASK THE EXPERT- PIX FIREWALLS

OK PIX Firewall experts, I really need your help. I have posted the following two times now, and still no one has been able to resolve the issue. I hope you can.

Gentlemen, I have a situation where I cannot do DNS reverse lookup through my PIX 515E. There are sites on .mil (NIPRNet), which I have here, that require a DNS reverse lookup. When I attempt to go to the site, it gives me the DNS error and reflects the PAT address of my firewall. I can go everywhere else on the Internet with no problem! I have tried everything that I know, everything that I have researched on the Cisco website, and to no avail, I still cannot get DNS reverse lookup through my firewall. I can only access those particular sites from my two outside DNS servers. Yes, my DNS configurations inside and outside are correct! Any help would be greatly appreciated. I have exhausted all possibilities. Thanks in advance! Ron

Re: ASK THE EXPERT- PIX FIREWALLS

Ron,

I am confused by this. What do you want to be "reverse lookup-able" (I know, not a word...)? Are you saying that the web site is failing to load because it cannot resolve your PAT address to a reverse DNS entry? Do you have a reverse DNS entry for your PAT address? In other words, can you (from an outside host) do an nslookup on your PAT address and get a name? I don't understand what you mean by "I can only access those particular sites from my two OUTSIDE DNS Servers." Can you elaborate on this?

Scott
