Velocity Reviews - Computer Hardware Reviews

Interesting problem with pix 515 UR

 
 
Andrea Borghi, 08-13-2006
Just an interesting problem with a PIX 515E-UR:

running 6.3(5)

This PIX has only 2 Ethernet interfaces; I have connected ethernet0 (outside) via a crossover cable
to the 1760 installed by my connectivity provider; this has public IP addresses. To compensate for
the lack of other Ethernet interfaces, I have configured ethernet1 to do 802.1Q encapsulation and
connected it to GE0/2 of a Catalyst 2950.

All the servers are directly connected to the Catalyst 2950 and I see the error counters on the
physical interfaces involved all at 0; all are at a correct speed/duplex setting as reported at both ends.

My problem is related to basic connectivity. What I see is that connectivity is present both
from the PIX itself (I can ping destinations from it) and through the PIX (I can use the connections),
but every now and then I cannot reach destinations *through* the PIX and I *cannot ping the destinations
from the PIX* itself.

A simple "clear arp" solves the problem for another quantum of time, which is longer the smaller
the "arp timeout" programmed in the PIX is; with the default (14400 secs) I can see the problem in 10 minutes
or so, with a much smaller value (150 seconds) I see the problem only when there is no traffic for a time
(typically at night).

I have checked the ARP cache and the mac-address-table on the switch and I can positively conclude that
the addresses are correct and in the correct VLAN.

Because I can always connect to the PIX externally even during the problem, I sent the PIX log to a server
and noted simply that there aren't abnormal messages. I see the connections built, and some time later the
SYN timeout, because evidently the PIX cannot send the traffic to the destination.

Any ideas? I have frankly run out of ideas
(and am quite tempted to leave this *as is* and go to the beach for some days...)

Following, I am sending the PIX config and the relevant part of the 2950 config
(with any sensitive information purged).

*PLEASE DO NOT TELL ME TO REVISE THE SECURITY POLICY* I know that; this is a fresh install and
I want to have stable connectivity before hardening IP security and opening the IPsec VPNs I
need to. In fact, I noticed this problem without access-lists or security at all, directly
from the PIX console while installing the device.

Bye
Andrea


-------------
Catalyst 2950 vlan config
Switch#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
2    server                           active    Fa0/21, Fa0/22, Fa0/23, Fa0/24
3    external                         active
4    extra                            active
999  NativeForTrunks                  active

Switch#sh run
Building configuration...

Current configuration : 2034 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
logging buffered 32768 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
username root privilege 15 password 0 XXXXXXXXXXX
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
[..]
!
interface FastEthernet0/21
description server webvecchio
switchport access vlan 2
load-interval 30
spanning-tree portfast
!
interface FastEthernet0/22
description server readytec
switchport access vlan 2
load-interval 30
spanning-tree portfast
!
interface FastEthernet0/23
description www server
switchport access vlan 2
load-interval 30
spanning-tree portfast
!
interface FastEthernet0/24
description Mail Server
switchport access vlan 2
load-interval 30
spanning-tree portfast
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
description Link to firewall PIX515 mode .1Q eth1
switchport trunk native vlan 999
switchport mode trunk
load-interval 30
duplex full
speed 100
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan2
ip address 10.10.10.2 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.10.1
no ip http server
!
logging trap debugging
logging facility local3
logging source-interface Vlan2
logging 10.10.10.60
!
[..]
!
end

-------------------------
Pix config:

pix# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 0017.9514.6751, irq 10
1: ethernet1: address is 0017.9514.6752, irq 11
This PIX has an Unrestricted (UR) license.

pix# sh run
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan1 physical
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security90
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname pix
domain-name XXXXXXX.it
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.60 mail
name 10.10.10.50 www
name 10.10.10.70 www-vecchio
name X.Y.Z.0 my-net
name X.X.X.40 public-net
name 10.10.10.80 rtec
name 10.10.10.2 switch1
name 192.168.3.0 Vpn
name 10.10.10.0 dmz-net
name 192.168.1.0 inside-net
name X.X.X.41 fastweb-gw
object-group service public-services tcp
description public services
port-object eq www
port-object eq smtp
port-object eq 90
port-object eq pop3
port-object eq imap4
object-group service my-access-tcp tcp
description Service access TCP Protocol
port-object eq 24
port-object eq telnet
port-object eq 81
port-object eq 3389
access-list outside_access_in permit tcp any interface outside object-group public-services
access-list outside_access_in permit tcp my-net 255.255.255.128 interface outside object-group my-access-tcp
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip Vpn 255.255.255.0 dmz-net 255.255.255.0
access-list inside_outbound_nat0_acl remark local traffic
access-list inside_outbound_nat0_acl permit ip inside-net 255.255.255.0 dmz-net 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip dmz-net 255.255.255.0 Vpn 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 21
logging device-id string fw
logging host dmz mail
logging host outside X.Y.Z.66
icmp permit any outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.42 255.255.255.252
ip address inside 192.168.1.10 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpdn_pool 192.168.3.1-192.168.3.250
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location mail 255.255.255.255 dmz
pdm location www 255.255.255.255 dmz
pdm location www-vecchio 255.255.255.255 dmz
pdm location my-net 255.255.255.128 outside
pdm location rtec 255.255.255.255 dmz
pdm location switch1 255.255.255.255 dmz
pdm location Vpn 255.255.255.0 outside
pdm location dmz-net 255.255.255.0 dmz
pdm location inside-net 255.255.255.0 inside
pdm location fastweb-gw 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 150
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 inside-net 255.255.255.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 1 dmz-net 255.255.255.0 0 0
static (dmz,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface www www-vecchio www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 24 mail ssh netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 90 mail www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface pop3 mail pop3 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface imap4 mail imap4 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3389 www-vecchio 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface telnet switch1 telnet netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 fastweb-gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 84.16.227.160 source outside
ntp server 194.100.206.70 source outside
ntp server 83.245.15.97 source outside
ntp server 85.214.43.186 source outside
ntp server 80.74.144.230 source outside
ntp server 192.36.143.150 source outside
ntp server 195.228.155.101 source outside
ntp server 80.203.145.142 source outside
http server enable
http my-net 255.255.255.128 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside-net 255.255.255.0 inside
telnet mail 255.255.255.255 dmz
telnet timeout 5
ssh my-net 255.255.255.128 outside
ssh timeout 60
console timeout 0
vpdn group pptp_vpn accept dialin pptp
vpdn group pptp_vpn ppp authentication chap
vpdn group pptp_vpn ppp authentication mschap
vpdn group pptp_vpn ppp encryption mppe 40 required
vpdn group pptp_vpn client configuration address local vpdn_pool
vpdn group pptp_vpn pptp echo 300
vpdn group pptp_vpn client authentication local
vpdn username XXXXXXXX password *********
vpdn enable outside
dhcpd address 192.168.1.200-192.168.1.254 inside
dhcpd dns mail
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXXXXX.it
dhcpd auto_config outside
dhcpd enable inside
username root password XXXXXXXXXXXXXX encrypted privilege 15
terminal width 80



 
J, 08-14-2006
Andrea Borghi wrote:
> just an interesting problem with a pix515E-UR:
>
> running 6.3(5)
[..]


The only thing that jumps out at me is that this could be an IP
conflict on the back side of the PIX. Frankly, I don't know what a PIX would
do if it encountered a conflicting IP. Would it only affect the one L3
interface, or would it put the whole L2 interface in a state of limbo?
You might try shutting down all the VLANs but one and see if it lasts.
Then add them back one by one to see if the problem is tied to one
VLAN.

J

 
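The checks the original post describes doing by hand (comparing the PIX ARP cache with the switch's mac-address-table, and watching whether "clear arp" changes anything), together with J's IP-conflict hypothesis, as an added example that is not part of any post in this thread. It parses the two command outputs in their PIX 6.3 and Catalyst 2950 formats, flags ARP entries whose MAC the switch has not learned or has learned in a different VLAN, and lists entries whose MAC changed between two snapshots, which is what an IP conflict would look like from the PIX. The sample dumps, the MAC addresses, the 192.168.1.50 host, the switch ports and the interface-to-VLAN map are constructed assumptions, not data from the thread.

```python
"""Cross-check a PIX 6.3 'show arp' dump against a Catalyst 2950
'show mac-address-table' dump, and diff two PIX ARP snapshots.

Added example for this thread, not code from the original posts.  The
sample dumps are constructed for illustration: MAC addresses, the
192.168.1.50 host, the switch ports and the interface->VLAN map are
assumptions (the map follows the posted PIX config, inside untagged
and dmz as VLAN 2; adjust it to what the trunk really carries).
"""
import re
from collections import defaultdict

# PIX 6.3 'show arp' rows:  <interface> <ip-or-name> <mac>
PIX_ARP_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$", re.I)
# Catalyst 2950 'show mac-address-table' rows:  <vlan> <mac> <type> <port>
CAT_MAC_RE = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

# Assumed mapping of PIX interface name -> VLAN on the 2950 trunk.
IFACE_TO_VLAN = {"inside": 1, "dmz": 2}


def parse_pix_arp(text):
    """Return {(interface, ip): mac} from PIX 'show arp' output."""
    entries = {}
    for line in text.splitlines():
        m = PIX_ARP_RE.match(line)
        if m:
            iface, ip, mac = m.groups()
            entries[(iface.lower(), ip)] = mac.lower()
    return entries


def parse_cat_mac_table(text):
    """Return {mac: {(vlan, port), ...}} from 'show mac-address-table' output."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = CAT_MAC_RE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            if vlan.lower() == "all":      # static CPU/STP entries, not hosts
                continue
            table[mac.lower()].add((int(vlan), port))
    return table


def cross_check(arp, mac_table, iface_to_vlan):
    """Return a sorted list of (ip, finding) for ARP entries the switch
    does not back up: MAC never learned, or learned in the wrong VLAN."""
    findings = []
    for (iface, ip), mac in arp.items():
        if iface not in iface_to_vlan:       # e.g. outside: not on the trunk
            continue
        vlan = iface_to_vlan[iface]
        learned = mac_table.get(mac)
        if not learned:
            findings.append((ip, f"mac {mac} not in switch table (stale ARP?)"))
        elif all(v != vlan for v, _ in learned):
            where = ", ".join(f"vlan {v} {p}" for v, p in sorted(learned))
            findings.append((ip, f"mac {mac} learned in wrong vlan: {where}, expected vlan {vlan}"))
    return sorted(findings)


def diff_snapshots(before, after):
    """Return sorted (iface, ip, old_mac, new_mac) for entries whose MAC
    changed between two 'show arp' snapshots (e.g. around a 'clear arp');
    a flip here is what an IP conflict or a spoofed reply looks like."""
    return sorted((iface, ip, before[(iface, ip)], mac)
                  for (iface, ip), mac in after.items()
                  if (iface, ip) in before and before[(iface, ip)] != mac)


# --- constructed sample dumps (not captured from the thread's devices) ---
PIX_ARP_BEFORE = """\
        outside fastweb-gw 0011.2233.0001
        dmz mail 000c.2900.0060
        dmz www 000c.2900.0050
        inside 192.168.1.50 000c.2900.0150
"""
PIX_ARP_AFTER = """\
        outside fastweb-gw 0011.2233.0001
        dmz mail 000c.2900.0060
        dmz www 000c.2900.aaaa
        dmz rtec 000c.2900.0080
        inside 192.168.1.50 000c.2900.0150
"""
CAT_MAC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   2    000c.2900.0060    DYNAMIC     Fa0/24
   2    000c.2900.0050    DYNAMIC     Fa0/23
   1    000c.2900.0150    DYNAMIC     Fa0/3
   1    000c.2900.aaaa    DYNAMIC     Fa0/5
"""

if __name__ == "__main__":
    table = parse_cat_mac_table(CAT_MAC)
    for label, dump in (("before", PIX_ARP_BEFORE), ("after", PIX_ARP_AFTER)):
        for ip, finding in cross_check(parse_pix_arp(dump), table, IFACE_TO_VLAN):
            print(f"{label}: {ip}: {finding}")
    for iface, ip, old, new in diff_snapshots(parse_pix_arp(PIX_ARP_BEFORE),
                                               parse_pix_arp(PIX_ARP_AFTER)):
        print(f"changed: {iface} {ip} {old} -> {new}")
```

On the constructed "after" snapshot the script reports the www entry as learned in VLAN 1 instead of VLAN 2, the rtec entry as absent from the switch table, and the www MAC as having changed between snapshots. Run it against real dumps taken while the fault is present and again right after "clear arp": a clean cross-check plus a MAC flip points at a second host answering for the address, while a clean cross-check with no flip means the L2 addresses are right and the fault is elsewhere, which is the conclusion the thread reaches.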
Andrea Borghi, 08-14-2006
J wrote:

> Andrea Borghi wrote:
>> just an interesting problem with a pix515E-UR:

[..]
> The only thing that jumps out at me is that this could be an IP
> conflict on the backside of the Pix. Frankly I don't what a Pix would
> do if it encountered a conflicting IP. Would it only affect the one L3
> interface or would it put the whole L2 interface in a state of limbo?
> You might try shutting down all the VLANs but one and see if it lasts.
> Then add them back one by one to see if the problem is tied to one
> VLAN.


I have analyzed that scenario. I cannot do that because these days I am
*not* on site, so I cannot translate the configurations to another VLAN
and close it. The problem is that the client PCs are on VLAN 1 via another
series of switches and I cannot reach these to change parameters yet.

I have analyzed the ARP table on the PIX during the problem and the
addresses are the same, so it seems to me that the PIX must try to send the
traffic to the correct L2 address, so there is something we are not
considering.

I have the 2950 doing buffered logging and the switch is silent of relevant
messages; I remember that the 3548s I had would report something like "mac
address XXXX relearned on interface XY zz times", but there is *not* a
message concerning MAC addresses in the logs, and the ARP and the
mac-address-tables are OK in the switch.

Andrea
 

saharan.jasbir@gmail.com, 09-01-2006
Consider disabling proxy ARP on the inside interface. It will solve your
problem...
Jasbir Saharan
Andrea Borghi wrote:
> just an interesting problem with a pix515E-UR:
[..]
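The change Jasbir suggests, spelled out in PIX 6.3 syntax as an added example, not text from any post in the thread. It assumes the posted config: `sysopt noproxyarp` takes the interface name given by `nameif`, so the DMZ VLAN sub-interface gets its own line, and the `show arp` before and after is the check that the entry for a DMZ server comes back with the server's own MAC after `clear arp` and stays that way.

```text
pix# show arp
pix# configure terminal
pix(config)# sysopt noproxyarp inside
pix(config)# sysopt noproxyarp dmz
pix(config)# clear arp
pix(config)# write memory
pix(config)# show sysopt
pix(config)# show arp
```

Leave `outside` alone: proxy ARP on a PIX interface is also how it answers for the NAT addresses it owns. In the posted config every `static` and the `global` use the outside interface's own address, so nothing on the outside depends on proxy ARP today, but a later `static` with a separate public address would. The `arp timeout 150` already in the config only shortens the window between failures, as the first post observed; it does not remove the cause.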
 
 
 