Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 501 config not working on 506E

I tried taking a PIX 501 config, and installing it on a 506E, this did not work. I could not pass traffic in or out of the PIX (translation did not work). Should this be that case? The config works fine on the 501. Below is the config.

Thanks

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname FW

domain-name domain.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol domain 53

no fixup protocol smtp 25

names

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside xxx.xxx.xxx.232 255.255.255.224

ip address inside 10.1.1.2 255.255.255.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

ip local pool VPNpool 10.1.1.251-10.1.1.254

pdm location 10.1.1.0 255.255.255.0 inside

pdm history enable

arp timeout 1800

global (outside) 1 xxx.xxx.xxx.233 netmask 255.255.255.224

nat (inside) 0 access-list 101

nat (inside) 1 10.1.1.0 255.255.255.0 0 0

static (inside,outside) xxx.xxx.xxx.228 SERVERWEB netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.240 SERVERDCEXC netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.234 VPN-PPTP-Out1 netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.235 VPN-PPTP-Out2 netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.236 VPN-PPTP-Out3 netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.237 VPN-PPTP-out4 netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.231 SERVER-Open-FTP netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.238 Carpediem netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.229 SERVERDCEXC netmask 255.255.255.255 0 0

conduit permit tcp host xxx.xxx.xxx.229 eq smtp any

conduit permit tcp host xxx.xxx.xxx.240 eq smtp any

conduit permit tcp host xxx.xxx.xxx.229 eq www any

conduit permit tcp host xxx.xxx.xxx.229 eq 443 any

conduit permit tcp host xxx.xxx.xxx.240 eq www any

conduit permit tcp host xxx.xxx.xxx.228 eq www any

conduit permit tcp host xxx.xxx.xxx.228 eq ftp any

conduit permit tcp host xxx.xxx.xxx.231 eq ftp any

conduit permit tcp host xxx.xxx.xxx.238 eq www any

conduit permit tcp host xxx.xxx.xxx.238 eq 443 any

conduit permit icmp any any echo-reply

conduit permit gre any any

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.225 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 10.1.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community n0publ1c

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap interface outside

isakmp enable outside

isakmp key mykey address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp client configuration address-pool local VPNpool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

vpngroup vpn-all idle-time 1800

telnet 10.1.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe auto

vpdn group 1 client configuration address local VPNpool

vpdn group 1 client configuration dns 10.1.1.9 207.217.120.83

vpdn group 1 client configuration wins 10.1.1.9

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username xxx password

vpdn username yyy ssssss password

vpdn enable outside

vpdn enable inside

terminal width 80

4 REPLIES
Silver

Re: PIX 501 config not working on 506E

Hi,

Normally configurations are exchangable, so, have you tried the clear xlate command?

Are your interfaces up?

Send some of the logging output which shows what happens, maybe we can help you.

Kind Regards,

Leo

New Member

Re: PIX 501 config not working on 506E

Thanks for the reply,

-I cleared XLATE and ARP tables

-Both interfaces were up, as I was able to ping them fron the inside and outside (sho int also showed them as up)

Unfortunately I do not have logging output. However does the below message mean anything?

Global XXX.XXX.XXX.233 will be Port Address Translated

WARNING: access-list protocol or port will not be used

Gold

Re: PIX 501 config not working on 506E

Hi -

Try getting your conduits changed over to ACL's as conduits and ACL's are known not to work together. Basically, ACL's will be used over conduits.

Hope this helps -

Silver

Re: PIX 501 config not working on 506E

The warning message you get is because of your nat 0 command in place which points to an access-lists which does not have ip only statements in it, but also icmp. These rules are not used while an access-list is bound to the nat 0, in case an access-list is bound to the nat 0 command, you should only use ip permit and ip deny on this access-list (the PIX will just ignore other protocol rules)

Besides that, you have to get rid of the conduit commands, instead of conduits, use access-lists bounded to the appropiate interface. The use of conduits is not recommended anymore.

Hope this helps,

Leo

94
Views
0
Helpful
4
Replies