
ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Management for IDS and Firewalls with Cisco expert Nadeem Khawaja. Nadeem supports security-related products, including Cisco Secure PIX Firewall, Cisco IOS Firewall, Cisco Secure Access Control Server UNIX & Windows NT and Cisco Secure Intrusion Detection Systems. He is a computer graduate and is a double CCIE in Routing & Switching and in Security. Feel free to post any questions relating to Management for IDS and Firewalls. Remember to use the rating system to let Nadeem know if you've received an adequate response.

 

Nadeem might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 1. Visit this forum often to view responses to your questions and the questions of other community members.

 

49 REPLIES
Bronze

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Nadeem,

How do I go about installing RSA keys for local SSH access on my failover 525s? I am familiar with the RSA commands, but do I need to configure SSH on the primary, then fail them over and configure SSH on the secondary? Since the keys are in flash, will the primary sync them with the standby?

Thanks in advance...

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Mike,

Thanks for the question. The RSA keys will not be synced with the secondary. You need to generate RSA keys for each PIX separately. Either you console into each PIX one by one and generate the keys or do the failover procedure as you mentioned above.

Best Regards,

Nadeem Khawaja

CCIE # 9069

CCIE R/S & Security

Cisco Systems,INC.

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hello Nadeem,

What syslog message do I have to enable to view who connects or tries to connect (errors) to my PIX to manage it?

And how can I view the timestamp in the logging buffer?

Thanks

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi,

Thanks for your question. For telnet/SSH access to the PIX, you need to configure the logging level to debug.

Below is sample output for a successful and an unsuccessful telnet access to the PIX. Here you can see that the TCP access request message (the initial telnet access request to the PIX) has message number 710001. This number corresponds to the syslog level: 7xxxxx is debug level.

As an alternative you can also configure AAA accounting.

pixfirewall(config)# 710001: TCP access requested from 10.21.113.130/1347 to inside:172.16.171.39/telnet

710002: TCP access permitted from 10.21.113.130/1347 to inside:172.16.171.39/telnet

605005: Login permitted from 10.21.113.130/1347 to inside:172.16.171.39/telnet for user ""

611103: User logged out: Uname: enable_1

710001: TCP access requested from 10.21.113.130/1349 to inside:172.16.171.39/telnet

710002: TCP access permitted from 10.21.113.130/1349 to inside:172.16.171.39/telnet

605004: Login denied from 10.21.113.130/1349 to inside:172.16.171.39/telnet foruser ""

611103: User logged out: Uname: enable_1

For getting a timestamp in the buffer, there is no option available at the moment. In order to get timestamps on the syslog server, you can use the command "logging timestamp".

Hope this answers your question.

Thanks

Nadeem Khawaja
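The reply above explains that the management-access messages 710001/710002 are debug-level (7xxxxx) and that 605004/605005 report the login result. The following is an added example, not Cisco's code or anything from the thread: a small Python parser that reads those messages, derives the syslog severity from the message id, and counts connection attempts and login outcomes per source address, so that a syslog server can flag repeated login denials against the firewall's management interface. SAMPLE_LINES is constructed from the output quoted in the reply; the optional "%PIX-n-" prefix handled by the regex is the form a syslog server receives and is not shown on the page.

```python
"""Parse PIX management-access syslog messages (710001/710002 TCP access,
605004/605005 login result, 611103 logout) and summarise login outcomes
per source host.

Added example for this thread, not Cisco's code. SAMPLE_LINES is constructed
from the output quoted in the reply above; the "%PIX-<sev>-" tag that a syslog
server sees in front of the message id is accepted as an optional extra.
"""
import re
from collections import defaultdict

# Message header: optional "%PIX-<sev>-" tag, six-digit message id, colon, text.
_MSG_RE = re.compile(r'(?:%PIX-\d-)?(?P<id>\d{6}):\s+(?P<text>.*)$')

# Body of the access / login messages: who connected, to which interface and service.
_ACCESS_RE = re.compile(
    r'(?:TCP access (?P<verdict>requested|permitted|denied)'
    r'|Login (?P<login>permitted|denied))'
    r' from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<svc>\w+)'
)
_LOGOUT_RE = re.compile(r'User logged out: Uname: (?P<user>\S+)')

# Constructed sample: the lines quoted in the reply (the first still carries the CLI prompt).
SAMPLE_LINES = [
    'pixfirewall(config)# 710001: TCP access requested from 10.21.113.130/1347 to inside:172.16.171.39/telnet',
    '710002: TCP access permitted from 10.21.113.130/1347 to inside:172.16.171.39/telnet',
    '605005: Login permitted from 10.21.113.130/1347 to inside:172.16.171.39/telnet for user ""',
    '611103: User logged out: Uname: enable_1',
    '710001: TCP access requested from 10.21.113.130/1349 to inside:172.16.171.39/telnet',
    '710002: TCP access permitted from 10.21.113.130/1349 to inside:172.16.171.39/telnet',
    '605004: Login denied from 10.21.113.130/1349 to inside:172.16.171.39/telnet foruser ""',
    '611103: User logged out: Uname: enable_1',
]


def parse_line(line):
    """Return a dict describing one message, or None if the line is not a PIX syslog message."""
    m = _MSG_RE.search(line.strip())
    if not m:
        return None
    msg_id = int(m.group('id'))
    text = m.group('text')
    # The leading digit of the message id is its syslog severity (7 = debugging),
    # which is why the logging level must be set to debug before 710001 shows up.
    event = {'id': msg_id, 'severity': msg_id // 100000, 'text': text}
    a = _ACCESS_RE.search(text)
    if a:
        event.update(src=a.group('src'), sport=int(a.group('sport')),
                     ifc=a.group('ifc'), dst=a.group('dst'), svc=a.group('svc'),
                     action=a.group('verdict') or a.group('login'))
    u = _LOGOUT_RE.search(text)
    if u:
        event['user'] = u.group('user')
    return event


def summarize(lines):
    """Count connection attempts and login outcomes per source address."""
    stats = defaultdict(lambda: {'requests': 0, 'login_ok': 0, 'login_denied': 0})
    for line in lines:
        ev = parse_line(line)
        if not ev or 'src' not in ev:
            continue
        bucket = stats[ev['src']]
        if ev['id'] == 710001:
            bucket['requests'] += 1
        elif ev['id'] == 605005:
            bucket['login_ok'] += 1
        elif ev['id'] == 605004:
            bucket['login_denied'] += 1
    return dict(stats)


def required_logging_level(lines):
    """Highest severity number present, i.e. the minimum 'logging' level that captures all of them."""
    return max(ev['severity'] for ev in map(parse_line, lines) if ev)


if __name__ == '__main__':
    for src, counts in summarize(SAMPLE_LINES).items():
        print(src, counts)
    print('logging level needed:', required_logging_level(SAMPLE_LINES))
```

Run against a syslog server's PIX log file, `summarize` gives a per-source table of management connection attempts and denied logins; `required_logging_level` returning 7 confirms the point of the reply, namely that the access-request messages are only emitted at the debug level.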

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Nadeem,

I'm currently working on a project to deploy IDSM in a campus. We have around 10 IDSMs and thus we use VMS to manage and monitor the IDSMs and use Cisco Threat Response to try to reduce the false alarms. I know that CTR is able to filter the alarms from the IDSMs, but how about alarms displayed in the VMS Security Monitor? For example, if CTR downgrades an alarm from an IDSM to a lower level, will this alarm also be displayed at a lower level in the VMS Security Monitor? How do CTR and VMS work together so that false alarms are reduced on my VMS Security Monitor console?

Thanks and Regards

Deng Qi

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Deng,

Thanks for your question.

IDSM sends alarms to two separate destinations:

1-VMS (Security Monitor)

2-CTR

CTR only filters out alarms and/or downgrades them to be displayed ONLY in CTR. The actual alarm level remains the same on the IDSM, and hence VMS Security Monitor will see it as it is.

With the next release of VMS, CTR will be integrated with VMS to help avoid false alarms.

Hope this answers your question.

Thanks,

Nadeem Khawaja

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Nadeem,

Thanks for your information. Another thing: how about SIMS? Will CTR be able to work with SIMS now or in the future? In fact we have VMS, CTR and SIMS now for the current IDSM project, but I'm quite confused about the positioning of these three software products. Can you help explain Cisco's positioning of these three products and how we can integrate them together, currently and in the future?

Thanks and Regards

Deng Qi

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Nadeem,

Another question is: does Cisco Security Agent support the FreeBSD 4.2 platform? There is no explicit mention on the CCO website of whether FreeBSD is supported.

Thanks and Regards

Deng Qi

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Deng,

CSA agent support for the FreeBSD platform is not available as of yet.

Thanks

Nadeem Khawaja

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Deng,

At this moment all these software products are separate. SIMS is nothing more than a sophisticated syslog server that has the capability of getting syslog messages from various devices. I don't think SIMS will be integrated with the VMS product; it can only be CTR.

Thanks,

Nadeem Khawaja

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Deng,

My take on your scenario is as follows:

VMS (IDS-MC) is used for configuration management; CTR collects the events from the Sensor and can forward SNMP into SIMS for aggregation and correlation.

CTR will be integrated into SecMon but it is not there today.

You can send events to both SecMon and CTR, but that is just doubling the traffic. What you are really waiting for is outbound RDEP in CTR so it can send on to SecMon.

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Nadeem,

I've installed CSPM 3.1 to manage my PIX. However, I'm having problems generating reports for Detailed Network Traffic, Most Access Website, Most FTP Site, etc. It keeps giving me this error:

PIX: Detailed audit event records for network service events are not available for the selected device. Verify that the event disposition settings are set to log, or log and notify, for events under the Service Statistics category in the Configure Logging and Notifications panel and that the device-specific log settings for this device are not set to generate debug-level syslog messages.

PIX: Audit event records do not exist for the specified time range. Either no audit events occurred within this time range, you have specified an invalid time range, or Cisco Secure Policy Manager was not operational during this time range. Verify the Start Time and/or End Time values specified for this report and contact your system administrator to determine whether Cisco Secure Policy Manager was operational during this time range.

By default, the settings for event disposition are already set to log when CSPM is installed. I've also set the PIX to send debug-level syslog to the CSPM. Although I can see that my CSPM server has received the syslog, somehow my CSPM just cannot capture any audit events from the syslog. Is there a directory which stores the PIX syslog, and is there a setting that will direct the CSPM to point to that directory for audit event capturing?

Appreciate your help.

Thanks

Mcklair

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Mcklair,

Thanks for your question. These reporting errors have always been an issue. At this time what seems to be the problem is that the CSPM syslog parser is not able to recognize the syslog messages being sent by the PIX.

There is a problem with PIX 6.2 or later code.

Are you using PIX 6.2 or newer code?

Unfortunately CSPM syslog doesn't support PIXes that are running 6.2.2. In 6.2 they changed the syslog messaging for URL information and FTP, which is what is used to generate the reports that you are trying to get. Right now even 3.1 doesn't support 6.2 syslogs.

In order for this to work you would have to consider downgrading your PIX to a version that is supported.

Thanks

Nadeem Khawaja

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Nadeem,

Thanks for the update. Just a quick check: is Cisco working on any patches or PIX OS upgrade to solve this syslog issue?

Thanks

Mcklair

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Mcklair,

I have to check this out with the developers, but I doubt that work is going on on this syslog issue. This is mainly because CSPM is being replaced with new tools, e.g. Firewall Management Console (VMS).

Both CSPM and PIX have come out with new code and this issue is still there, so I don't think it will be fixed. But I can double-check this.

Please send an email to me offline.

Thanks

Nadeem Khawaja

nkhawaja@cisco.com

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Nadeem,

We’ve recently installed VMS 2.1 but are unable to add our PIX to the managed device list in PIX MC via the “import configuration from existing device” option. The import process reports errors regarding “unrecognized commands” for the NTP and daylight savings time related lines as well as for several static commands and ultimately will not add the device. The static commands it doesn’t like involve static translations of entities on a low interface to a higher one.

Are you aware if support for these lines will be included in a future VMS release?

Is it possible to manage the device from PIX MC if it won’t import its configuration?

Thanks in advance,

Craig.

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Craig,

In PIX MC 1.0 there were some unsupported commands, e.g.:

Site-to-site VPNs

Termination of remote-access VPN on the Cisco PIX Firewall

Point-to-Point Protocol over Ethernet (PPPoE)

Dual NAT

Turbo access control lists (ACLs)

Lightweight Directory Access Protocol (LDAP) fix-up

H323/Port Address Translation (PAT)

Trivial File Transfer Protocol (TFTP) settings for the Cisco IP Phone

Object groupings on the Cisco PIX Firewall

LAN failover

More information can be found at

http://cco/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/pix/sup_dev/dev_supt.htm

Now the workarounds are:

1. Remove the problem commands from the PIX and import the config.

2. Copy the entire config from the PIX into a txt file; remove the problem commands from this txt file, insert the "removed" commands in the "ending commands" under PIX MC --> Configure --> Settings --> Config Additions, then import the config.

However, some of the new commands are supported in PIX MC 1.1.2.

Further information can be found at

http://cco/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/pix_111/pxdvc112.htm

Thanks

Nadeem Khawaja

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi,

I have a problem with the PIX clock. I have configured NTP the same way on the primary and on the secondary PIX, but the clock on the secondary is 30 minutes slow. Do I need to configure time zones? Where can I find a description of the time zones used by the PIX? This is my NTP configuration and status:

#sh ntp

ntp server ip_address source inside prefer

#sh clock det

13:55:58.938 UTC Tue Jul 22 2003

Time source is NTP

# sh ntp asso deta

ip_address_ntp configured, insane, invalid, stratum 2

ref ID 192.5.41.41, time c2c764f4.7ee5de15 (07:23:32.495 UTC Tue Jul 22 2003)

our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024

root delay 0.00 msec, root disp 1000.02, reach 377, sync dist 1746.078

delay 0.27 msec, offset -8247528.5871 msec, dispersion 745.93

precision 2**7, version 3

org time c2c79e1e.1eb851eb (11:27:26.119 UTC Tue Jul 22 2003)

rcv time c2c7be55.a612e5a2 (13:44:53.648 UTC Tue Jul 22 2003)

xmt time c2c7be55.a600b77d (13:44:53.648 UTC Tue Jul 22 2003)

filtdelay = 0.27 0.31 0.27 0.27 0.31 0.27 0.29 0.29

filtoffset = -824752 -824713 -824675 -824638 -824598 -824561 -824521 -824484

filterror = 0.02 15.64 31.27 46.89 62.52 78.14 93.77 109.39

Thanks

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hello

I have a customer that would like a VPN connection to the VP's home office to be always on. At the branch office he will be using a PIX 501 and at the VP's home he will be using a 1700. Do you know of any good white papers for this? Also, at the branch office there are VLANs. Is there going to be a problem with the VP accessing the servers on the different VLANs?

Thanks

Anthony

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Anthony,

Thanks for your question. You can find some reference at this link:

http://www.cisco.com/warp/public/110/pix-ios-easyvpn.html

Basically the solution is configuring Network Extension Mode on the PIX 501 going to any Easy VPN Server; as soon as you bring up the PIX 501 in NEM it will initiate a tunnel to the head end and will keep it up.

As long as you have routing among the VLANs, you should not have any issues with the VP's connectivity to servers on different VLANs.

Thanks

Nadeem Khawaja

rlu
New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Nadeem,

We had an issue with IPSec over UDP with PAT on a CSS11051.

We can't get connected to a concentrator from a remote LAN; regular clients directly connected to the Internet can connect without a problem. The topology looks like this:

client--CSS--PIX--CSS(doing pat)--PIX--CSS--internet router-------internet----PIX--concentrator.

We were finally able to get it to work with IPSec/TCP after opening TCP port 10000. We still could not get it to work with UDP port 10000. The CSS that is doing the PAT does not build a flow for the return packet; the PIX in front of the CSS is sending the packet according to the debugs, but the CSS is blocking it for some reason.

Cisco VPN Client : 4.0.1 (Rel)

3030 Concentrator: 4.0

PIX : 6.2(2)

CSS11051: 6.1(ap0610004)

Please advise.

Thanks

Richard

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Richard,

Thanks for your question.

We have seen issues in the past regarding IPSec/UDP on the client.

Can you please check the logs to see what message it gives for the disconnection on the Concentrator side?

Here is the bug ID: CSCea19984

Internally found severe defect: Verified (V)

Concentrator reports -unsupported message length- during client conn

The log would be needed. A bug can be filed based on the log messages.

Thanks

Nadeem Khawaja

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi,

Thanks for the question. The time zone can be configured through this command:

clock timezone []

But I don't think this is a time zone config issue; it seems to me like a hardware issue on the secondary.

What does "show ntp asso" say on the secondary PIX?

Thanks

Nadeem Khawaja

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

This is the sh ntp asso on the secondary. But the clock that isn't synced is the primary.

sh ntp asso

address ref clock st when poll reach delay offset disp

~ip_address 192.5.41.41 2 501 1024 377 0.3 -68828 694.2

* master (synced), # master (unsynced), + selected, - candidate, ~ configured
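The two NTP posts above show a peer marked "insane, invalid" with a very large negative offset, and a summary row whose flag is "~" (configured) rather than "*" (synced master). An unsynced firewall clock is a security operations problem in its own right, because its syslog timestamps can no longer be correlated with other devices. The following is an added example, not Cisco's code or anything from the thread: a Python script that decodes the 64-bit NTP timestamps printed by "show ntp associations detail", parses both the detail and the one-line summary format, and lists the reasons a peer cannot be trusted. DETAIL_SAMPLE and SUMMARY_SAMPLE are copied from the posts (the poster had already replaced the server address with "ip_address"); STEP_LIMIT_MS is this example's own assumption.

```python
"""Decode the 'show ntp associations [detail]' output posted above and decide
whether the PIX clock can be trusted for log correlation.

Added example for this thread, not Cisco's code. DETAIL_SAMPLE and SUMMARY_SAMPLE
are taken from the two posts above (the poster had replaced the server address
with 'ip_address'); STEP_LIMIT_MS is this example's own assumption, the classic
128 ms step threshold used by ntpd.
"""
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
STEP_LIMIT_MS = 128.0  # assumption: offsets beyond this mean the clock cannot be used as-is

DETAIL_SAMPLE = """\
ip_address_ntp configured, insane, invalid, stratum 2
ref ID 192.5.41.41, time c2c764f4.7ee5de15 (07:23:32.495 UTC Tue Jul 22 2003)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 0.00 msec, root disp 1000.02, reach 377, sync dist 1746.078
delay 0.27 msec, offset -8247528.5871 msec, dispersion 745.93
precision 2**7, version 3
org time c2c79e1e.1eb851eb (11:27:26.119 UTC Tue Jul 22 2003)
rcv time c2c7be55.a612e5a2 (13:44:53.648 UTC Tue Jul 22 2003)
xmt time c2c7be55.a600b77d (13:44:53.648 UTC Tue Jul 22 2003)
"""

SUMMARY_SAMPLE = "~ip_address 192.5.41.41 2 501 1024 377 0.3 -68828 694.2"

# Legend printed under the summary table.
_FLAG_MEANING = {'*': 'master (synced)', '#': 'master (unsynced)',
                 '+': 'selected', '-': 'candidate', '~': 'configured'}
_STATUS_RE = re.compile(r'^(?P<peer>\S+) configured, (?P<flags>.*?), stratum (?P<stratum>\d+)')
_TIME_RE = re.compile(r'\b(?P<kind>ref|org|rcv|xmt)\b.*?time (?P<ts>[0-9a-f]{8}\.[0-9a-f]{8})')


def ntp_hex_to_datetime(ts_hex):
    """Convert an NTP 64-bit timestamp ('c2c764f4.7ee5de15') to an aware UTC datetime.
    The high word is seconds since 1900-01-01, the low word a 32-bit binary fraction."""
    sec_hex, frac_hex = ts_hex.split('.')
    seconds = int(sec_hex, 16) + int(frac_hex, 16) / 2 ** 32
    return NTP_EPOCH + timedelta(seconds=seconds)


def parse_ntp_detail(text):
    """Pull peer status, stratum, reach, offset and the four timestamps out of the detail output."""
    info = {'times': {}}
    for line in text.splitlines():
        line = line.strip()
        m = _STATUS_RE.match(line)
        if m:
            info['peer'] = m.group('peer')
            info['flags'] = [f.strip() for f in m.group('flags').split(',')]
            info['stratum'] = int(m.group('stratum'))
        m = re.search(r'\boffset (?P<ms>-?[\d.]+) msec', line)
        if m:
            info['offset_ms'] = float(m.group('ms'))
        m = re.search(r'\breach (?P<reach>[0-7]+)', line)
        if m:
            info['reach'] = int(m.group('reach'), 8)  # octal shift register of the last 8 polls
        m = _TIME_RE.search(line)
        if m:
            info['times'][m.group('kind')] = ntp_hex_to_datetime(m.group('ts'))
    return info


def parse_ntp_assoc_line(line):
    """Parse one row of the short 'show ntp associations' table."""
    parts = line.split()
    if parts[0][0] in _FLAG_MEANING:
        flag, address = parts[0][0], parts[0][1:]
    else:
        flag, address = ' ', parts[0]
    ref, st, when, poll, reach, delay, offset, disp = parts[1:9]
    return {'flag': flag, 'state': _FLAG_MEANING.get(flag, 'unknown'), 'address': address,
            'refclock': ref, 'stratum': int(st), 'when': int(when), 'poll': int(poll),
            'reach': int(reach, 8), 'delay_ms': float(delay),
            'offset_ms': float(offset), 'disp_ms': float(disp)}


def clock_trust_issues(status):
    """Reasons the peer cannot be relied on; an empty list means the clock is usable."""
    issues = []
    flags = status.get('flags', []) + [status.get('state', '')]
    for bad in ('insane', 'invalid', 'master (unsynced)'):
        if bad in flags:
            issues.append(f'peer marked {bad}')
    if 'state' in status and status['flag'] != '*':
        issues.append('peer is not the synced master (*)')
    if status.get('reach', 255) != 255:
        issues.append(f"missed polls, reach={status['reach']:o}")
    if abs(status.get('offset_ms', 0.0)) > STEP_LIMIT_MS:
        issues.append(f"offset {timedelta(milliseconds=status['offset_ms'])} exceeds {STEP_LIMIT_MS} ms")
    return issues


if __name__ == '__main__':
    detail = parse_ntp_detail(DETAIL_SAMPLE)
    print('ref time decodes to', detail['times']['ref'].isoformat())
    print('detail issues:', clock_trust_issues(detail))
    print('summary issues:', clock_trust_issues(parse_ntp_assoc_line(SUMMARY_SAMPLE)))
```

Decoding the hex timestamps reproduces the bracketed wall-clock values the PIX prints, so the same routine can check raw NTP packets captured on the wire. For the posted data the checker reports the "insane" and "invalid" flags, the offset, and, for the summary row, the missing "*" flag; a clean peer (flag "*", reach 377 octal, offset within the threshold) yields an empty list.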

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hello Mr. Khawaja,

My question is not about network management; it is about PIX firewall configuration. I have two proxy servers: one is inside the network and one is on the proxy interface of the PIX firewall. The inside proxy IP address is 10.0.0.189 and the IP address of the other proxy server, which is on my proxy interface, is 168.187.120.163.

I have a 15 MB link to a remote site. Until last week everything was working perfectly; then suddenly the connections started dropping and I was able to use only 2 MB of bandwidth out of 15 MB. The ISP is working perfectly. I put my laptop on the proxy interface with the outside proxy server and it worked perfectly like before, but when I access something from inside the firewall it goes up to a maximum of 2.5 MB and then the connection drops. Can you please check my PIX configuration and tell me where the problem could be? Your help in this matter will be appreciated.

My email is haseeb_eng@hotmail.com

sh run

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security70

nameif ethernet3 proxy security50

nameif ethernet4 myfailover security40

nameif ethernet5 intf5 security25

object-group network ho-group

network-object 10.0.0.0 255.255.252.0

network-object 168.187.131.0 255.255.255.0

network-object 168.187.214.0 255.255.255.0

object-group network shu-group

network-object 172.16.0.0 255.255.0.0

network-object 168.187.132.0 255.255.255.0

network-object 168.187.74.64 255.255.255.192

network-object 168.187.126.128 255.255.255.224

object-group network ho-nts

network-object host 168.187.131.30

object-group network honts5

network-object host 168.187.131.192

object-group network admingrp

network-object host 10.0.3.249

network-object host 10.0.3.250

network-object host 10.0.3.248

network-object host 10.0.3.246

network-object host 10.0.3.247

network-object host 10.0.1.27

object-group network ho-lan

network-object 168.187.131.0 255.255.255.0

object-group network ho-lan2

network-object 168.187.214.0 255.255.255.0

object-group network bubyan-lan

network-object 168.187.128.0 255.255.255.128

object-group network ho-prv

network-object 10.0.0.0 255.255.252.0

object-group network proxy

network-object host 168.187.120.163

object-group network internet-users

group-object ho-group

group-object shu-group

object-group network Equate

network-object Equate-Olefins 255.255.255.0

object-group network ho-server

network-object host 168.187.214.46

network-object host 168.187.214.47

network-object host 168.187.214.48

network-object host 168.187.214.49

network-object host 168.187.214.50

network-object host 168.187.214.51

network-object host 168.187.214.52

network-object host 168.187.214.53

network-object host 168.187.214.54

object-group network shu-lan

network-object 168.187.132.0 255.255.255.0

object-group network shbprv-lan

network-object 172.16.0.0 255.255.0.0

object-group network export-net

network-object 168.187.74.64 255.255.255.192

object-group network RAS

network-object 168.187.126.128 255.255.255.248

object-group network videocon

network-object host 168.187.131.50

object-group network kpcvideo

network-object host 192.168.69.3

object-group network internet-proxy-srv

description Internet proxy server

network-object 10.0.0.189 255.255.255.255

object-group network internet-proxy-srv_ref

network-object 10.0.0.189 255.255.255.255

object-group network erp-ibm-group

network-object host 10.0.3.1

network-object host 10.0.3.2

network-object host 10.0.3.3

network-object host 10.0.3.4

network-object host 10.0.3.5

network-object host 10.0.3.6

network-object host 10.0.3.7

network-object host 10.0.3.8

network-object host 10.0.3.9

network-object host 10.0.3.10

object-group network ibm-vpn-serverlist

network-object 32.107.0.0 255.255.0.0

object-group network pic-vpn

description PIC VPN Device

network-object host 168.187.131.181

object-group network passthru

network-object host 10.0.1.27

network-object host 168.187.131.40

access-list outgoing permit ip object-group honts5 any

access-list outgoing permit ip object-group ho-nts any

access-list outgoing permit ip object-group ho-group object-group shu-group

access-list outgoing permit ip object-group internet-users object-group proxy

access-list outgoing permit ip object-group internet-proxy-srv object-group Equate

access-list outgoing permit ip object-group ho-group object-group bubyan-lan

access-list outgoing permit ip object-group admingrp any

access-list outgoing permit icmp any any

access-list outgoing permit ip object-group videocon object-group kpcvideo

access-list outgoing permit tcp object-group erp-ibm-group any eq 5080

access-list outgoing permit ip object-group erp-ibm-group object-group ibm-vpn-serverlist

access-list outgoing permit ip object-group pic-vpn any

access-list proxyrule permit ip object-group proxy any

access-list proxyrule permit ip object-group proxy 168.187.131.0 255.255.255.0

access-list incoming permit tcp any object-group ho-nts eq domain

access-list incoming permit udp any object-group ho-nts eq domain

access-list incoming permit udp any object-group ho-nts eq dnsix

access-list incoming permit tcp any object-group ho-nts eq smtp

access-list incoming permit tcp any object-group ho-nts eq pop3

access-list incoming permit tcp any object-group ho-nts eq www

access-list incoming permit icmp any object-group ho-nts

access-list incoming permit tcp any object-group honts5 eq www

access-list incoming permit ip object-group shu-group object-group ho-group

access-list incoming permit tcp object-group Equate object-group ho-nts eq www

access-list incoming permit ip object-group Equate object-group internet-proxy-srv_ref

access-list incoming permit ip object-group bubyan-lan object-group ho-group

access-list incoming permit ip object-group kpcvideo object-group videocon

access-list incoming permit icmp any object-group videocon

access-list incoming permit icmp any object-group admingrp

access-list incoming permit ip any object-group pic-vpn

access-list incoming permit icmp any host 168.187.131.39

access-list incoming permit ip any object-group passthru

access-list incoming permit icmp any host 168.187.131.40

pager lines 24

logging on

logging standby

logging host inside 10.0.3.250

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full shutdown

interface ethernet3 100full

interface ethernet4 100full

interface ethernet5 auto shutdown

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu proxy 1500

mtu myfailover 1500

mtu intf5 1500

ip address outside 192.168.1.2 255.255.255.0

ip address inside 10.0.0.1 255.255.252.0

ip address dmz 192.168.3.1 255.255.255.0

ip address proxy 168.187.120.165 255.255.255.240

ip address myfailover 192.168.4.1 255.255.255.0

ip address intf5 127.0.0.1 255.255.255.255

nat (inside) 0 168.187.131.0 255.255.255.0 0 0

nat (inside) 0 168.187.214.0 255.255.255.0 0 0

nat (inside) 0 10.0.0.0 255.255.252.0 0 0

nat (proxy) 0 168.187.120.163 255.255.255.255 0 0

static (inside,outside) 168.187.131.181 168.187.131.181 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.214.48 168.187.214.48 netmask 255.255.255.255 0 0

static (inside,outside) 10.0.2.26 10.0.2.26 netmask 255.255.255.255 0 0

static (inside,outside) 10.0.2.28 10.0.2.28 netmask 255.255.255.255 0 0

static (inside,outside) 10.0.0.189 10.0.0.189 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.131.192 168.187.131.192 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.131.103 10.0.3.249 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.131.39 10.0.3.250 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.131.38 10.0.3.248 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.74.129 10.0.3.1 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.74.130 10.0.3.2 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.74.131 10.0.3.3 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.74.132 10.0.3.4 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.74.133 10.0.3.5 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.74.134 10.0.3.6 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.74.135 10.0.3.7 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.74.136 10.0.3.8 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.74.137 10.0.3.9 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.74.138 10.0.3.10 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.131.36 10.0.3.246 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.131.37 10.0.3.247 netmask 255.255.255.255 0 0

static (inside,outside) 168.187.131.40 10.0.1.27 netmask 255.255.255.255 0 0

access-group incoming in interface outside

access-group outgoing in interface inside

access-group proxyrule in interface proxy

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

route inside 168.187.131.0 255.255.255.0 10.0.0.19 1

route inside 168.187.132.0 255.255.255.0 10.0.0.19 1

route inside 168.187.214.0 255.255.255.0 10.0.0.19 1

route inside 172.16.0.0 255.255.0.0 10.0.0.19 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi Haseeb,

Thanks for your question. I was wondering, since all your connections go through the proxy server, could the inside proxy server be the cause of this latency? Have you tried bypassing the proxy server?

Do syslog messages on the PIX show anything?

How about the "show interface" output; do you see any packet drops?

We need further information here, e.g. syslog messages, messages on the proxy server, and maybe sniffer traces on the inside/outside of the PIX.

Thanks

Nadeem Khawaja

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi,

I still think this is a hardware issue. For further assistance you would need to open a TAC case.

Thanks

Nadeem Khawaja

New Member

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Is it possible to set a password for PIX console access?

Thanks

Cisco Employee

Re: ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

Hi,

Thanks for your question. You have to configure AAA authentication on the console. Here is a link for your reference:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e71.shtml#consoleport

Thanks

Nadeem Khawaja
