Interesting problem with pix 515 UR

Discussion in 'Cisco' started by Andrea Borghi, Aug 13, 2006.

  1. just an interesting problem with a pix515E-UR:

    running 6.3(5)

    This pix has only 2 ethernet interfaces; I have connected the ethernet0 (outside) via a cross cable
    to the 1760 installed by my connectivity provider; this has public IP addresses. To compensate for
    the lack of other ethernet interfaces, I have configured the ethernet1 to do 802.1Q encap and
    connected it to the GE0/2 of a catalyst2950.

    All the servers are directly connected to the catalyst 2950 and I see the error counters on the
    physical interfaces involved all at 0; all are at a correct speed/duplex setting as reported at both ends.

    My problem is related to the basic connectivity. What I see is that the connectivity is present both
    from the pix itself (I can ping destinations from it) and through the pix (I can use the connections),
    but every now and then I cannot reach destinations *through* the pix and I *cannot ping the destinations
    from the pix* itself.

    A simple "clear arp" solves the problem for another quantum of time, which is longer the smaller
    the "arp timeout" programmed in the pix is: with the default (14400 secs) I can see the problem in 10 minutes
    or so; with a much smaller value (150 seconds) I see the problem only when there is no traffic for a time
    (typically at night).

    I have checked the arp cache and the mac-address-table on the switch and I can positively conclude that
    the addresses are correct and in the correct vlan.

    Because I can always connect to the pix externally even during the problem, I sent the pix log to a server
    and noted simply that there aren't abnormal messages. I see the connections built, and some time later the
    SYN timeout, because evidently the pix cannot send the traffic to the destination.

    Any ideas? I have frankly run out of ideas
    (and am quite tempted to leave this *as is* and go to the beach for some days... :)

    Following, I am sending the pix config and the relevant part of the 2950 config
    (with any sensitive information purged).

    *PLEASE DO NOT TELL ME TO REVISE THE SECURITY POLICY* I know that; this is a fresh install and
    I want to have stable connectivity before hardening IP security and opening the ipsec VPNs I
    need to. In fact, I have sensed this problem without access-lists or security at all, directly
    from the pix console while installing the device.

    bye
    Andrea


    -------------
    Catalyst 2950 vlan config
    Switch#sh vlan

    VLAN Name Status Ports
    ---- -------------------------------- --------- -------------------------------
    1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
    Fa0/5, Fa0/6, Fa0/7, Fa0/8
    Fa0/9, Fa0/10, Fa0/11,Fa0/12
    Fa0/13, Fa0/14,Fa0/15,Fa0/16
    Fa0/17, Fa0/18,Fa0/19,Fa0/20
    2 server active Fa0/21, Fa0/22,Fa0/23,Fa0/24
    3 external active
    4 extra active
    999 NativeForTrunks active

    Switch#sh run
    Building configuration...

    Current configuration : 2034 bytes
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch
    !
    logging buffered 32768 debugging
    enable secret 5 XXXXXXXXXXXXXXXXXXXX
    !
    username root privilege 15 password 0 XXXXXXXXXXX
    ip subnet-zero
    !
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    !
    [..]
    !
    interface FastEthernet0/21
    description server webvecchio
    switchport access vlan 2
    load-interval 30
    spanning-tree portfast
    !
    interface FastEthernet0/22
    description server readytec
    switchport access vlan 2
    load-interval 30
    spanning-tree portfast
    !
    interface FastEthernet0/23
    description www server
    switchport access vlan 2
    load-interval 30
    spanning-tree portfast
    !
    interface FastEthernet0/24
    description Mail Server
    switchport access vlan 2
    load-interval 30
    spanning-tree portfast
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    description Link to firewall PIX515 mode .1Q eth1
    switchport trunk native vlan 999
    switchport mode trunk
    load-interval 30
    duplex full
    speed 100
    !
    interface Vlan1
    no ip address
    no ip route-cache
    shutdown
    !
    interface Vlan2
    ip address 10.10.10.2 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 10.10.10.1
    no ip http server
    !
    logging trap debugging
    logging facility local3
    logging source-interface Vlan2
    logging 10.10.10.60
    !
    [..]
    !
    end

    -------------------------
    Pix config:

    pix# sh ver

    Cisco PIX Firewall Version 6.3(5)
    Cisco PIX Device Manager Version 3.0(4)
    Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
    Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
    0: ethernet0: address is 0017.9514.6751, irq 10
    1: ethernet1: address is 0017.9514.6752, irq 11
    This PIX has an Unrestricted (UR) license.

    pix# sh run
    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet1 vlan1 physical
    interface ethernet1 vlan2 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan2 dmz security90
    enable password XXXXXXXXXX encrypted
    passwd XXXXXXXXXXX encrypted
    hostname pix
    domain-name XXXXXXX.it
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.10.10.60 mail
    name 10.10.10.50 www
    name 10.10.10.70 www-vecchio
    name X.Y.Z.0 my-net
    name X.X.X.40 public-net
    name 10.10.10.80 rtec
    name 10.10.10.2 switch1
    name 192.168.3.0 Vpn
    name 10.10.10.0 dmz-net
    name 192.168.1.0 inside-net
    name X.X.X.41 fastweb-gw
    object-group service public-services tcp
    description public services
    port-object eq www
    port-object eq smtp
    port-object eq 90
    port-object eq pop3
    port-object eq imap4
    object-group service my-access-tcp tcp
    description Service access TCP Protocol
    port-object eq 24
    port-object eq telnet
    port-object eq 81
    port-object eq 3389
    access-list outside_access_in permit tcp any interface outside object-group public-services
    access-list outside_access_in permit tcp my-net 255.255.255.128 interface outside object-group my-access-tcp
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit ip Vpn 255.255.255.0 dmz-net 255.255.255.0
    access-list inside_outbound_nat0_acl remark local traffic
    access-list inside_outbound_nat0_acl permit ip inside-net 255.255.255.0 dmz-net 255.255.255.0
    access-list dmz_outbound_nat0_acl permit ip dmz-net 255.255.255.0 Vpn 255.255.255.0
    pager lines 24
    logging on
    logging monitor debugging
    logging buffered debugging
    logging trap debugging
    logging facility 21
    logging device-id string fw
    logging host dmz mail
    logging host outside X.Y.Z.66
    icmp permit any outside
    icmp permit any inside
    icmp permit any dmz
    mtu outside 1500
    mtu inside 1500
    ip address outside X.X.X.42 255.255.255.252
    ip address inside 192.168.1.10 255.255.255.0
    ip address dmz 10.10.10.1 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip verify reverse-path interface dmz
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpdn_pool 192.168.3.1-192.168.3.250
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address dmz
    pdm location mail 255.255.255.255 dmz
    pdm location www 255.255.255.255 dmz
    pdm location www-vecchio 255.255.255.255 dmz
    pdm location my-net 255.255.255.128 outside
    pdm location rtec 255.255.255.255 dmz
    pdm location switch1 255.255.255.255 dmz
    pdm location Vpn 255.255.255.0 outside
    pdm location dmz-net 255.255.255.0 dmz
    pdm location inside-net 255.255.255.0 inside
    pdm location fastweb-gw 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 150
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 inside-net 255.255.255.0 0 0
    nat (dmz) 0 access-list dmz_outbound_nat0_acl
    nat (dmz) 1 dmz-net 255.255.255.0 0 0
    static (dmz,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface www www-vecchio www netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface 24 mail ssh netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface 90 mail www netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface pop3 mail pop3 netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface imap4 mail imap4 netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface 3389 www-vecchio 3389 netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface telnet switch1 telnet netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 fastweb-gw 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    ntp server 84.16.227.160 source outside
    ntp server 194.100.206.70 source outside
    ntp server 83.245.15.97 source outside
    ntp server 85.214.43.186 source outside
    ntp server 80.74.144.230 source outside
    ntp server 192.36.143.150 source outside
    ntp server 195.228.155.101 source outside
    ntp server 80.203.145.142 source outside
    http server enable
    http my-net 255.255.255.128 outside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet inside-net 255.255.255.0 inside
    telnet mail 255.255.255.255 dmz
    telnet timeout 5
    ssh my-net 255.255.255.128 outside
    ssh timeout 60
    console timeout 0
    vpdn group pptp_vpn accept dialin pptp
    vpdn group pptp_vpn ppp authentication chap
    vpdn group pptp_vpn ppp authentication mschap
    vpdn group pptp_vpn ppp encryption mppe 40 required
    vpdn group pptp_vpn client configuration address local vpdn_pool
    vpdn group pptp_vpn pptp echo 300
    vpdn group pptp_vpn client authentication local
    vpdn username XXXXXXXX password *********
    vpdn enable outside
    dhcpd address 192.168.1.200-192.168.1.254 inside
    dhcpd dns mail
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain XXXXXXXX.it
    dhcpd auto_config outside
    dhcpd enable inside
    username root password XXXXXXXXXXXXXX encrypted privilege 15
    terminal width 80
     
    Andrea Borghi, Aug 13, 2006
    #1

  2. J

    Guest

    Andrea Borghi wrote:
    > just an interesting problem with a pix515E-UR:
    > [..]


    The only thing that jumps out at me is that this could be an IP
    conflict on the backside of the Pix. Frankly I don't know what a Pix would
    do if it encountered a conflicting IP. Would it only affect the one L3
    interface or would it put the whole L2 interface in a state of limbo?
    You might try shutting down all the VLANs but one and see if it lasts.
    Then add them back one by one to see if the problem is tied to one
    VLAN.

    J
     
    J, Aug 14, 2006
    #2

  3. J wrote:

    > Andrea Borghi wrote:
    >> just an interesting problem with a pix515E-UR:

    [..]
    > The only thing that jumps out at me is that this could be an IP
    > conflict on the backside of the Pix. Frankly I don't what a Pix would
    > do if it encountered a conflicting IP. Would it only affect the one L3
    > interface or would it put the whole L2 interface in a state of limbo?
    > You might try shutting down all the VLANs but one and see if it lasts.
    > Then add them back one by one to see if the problem is tied to one
    > VLAN.


    I have analyzed that scenario. I cannot do that because these days I am
    *not* on the site, so I cannot translate the configurations to another vlan
    and close it. The problem is that the client PCs are on VLAN1 via another
    series of switches and I cannot reach these to change parameters yet.

    I have analyzed the arp table on the pix during the problem and the
    addresses are the same, so it seems to me that the pix must try to send the
    traffic to the correct L2 addr, so there is something we are not
    considering.

    I have the 2950 doing buffered logging and the switch is silent of relevant
    messages. I remember that the 3548s I had would tell something like "mac
    address XXXX relearned on interface XY zz times", but there is *not* a
    message concerning mac addresses in the logs, and the arp and the
    mac-address-tables are ok in the switch.

    Andrea
     
    Andrea Borghi, Aug 14, 2006
    #3
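    The check Andrea describes in the first post and repeats above (PIX ARP cache against the 2950 mac-address-table, per VLAN) can be automated. This is an added example, not code from the thread: the VLAN numbers and names come from the posted configs, while the column layout of `show arp` and `show mac-address-table` and the sample entries are constructed assumptions.

```python
"""Cross-check a PIX 6.3 ARP cache against a Catalyst 2950 CAM table.

Added example (not from the thread). Sample outputs below are constructed;
the column layouts of 'show arp' and 'show mac-address-table' are assumed.
"""
import re

# From the posted PIX config: ethernet1 carries vlan1 (inside) as the physical
# interface and vlan2 (dmz) as a logical one. Outside is ethernet0, not on the 2950.
PIX_IFACE_VLAN = {"inside": 1, "dmz": 2}
PIX_PHYSICAL_VLAN = 1            # 'interface ethernet1 vlan1 physical'
SWITCH_TRUNK_NATIVE_VLAN = 999   # 'switchport trunk native vlan 999' on Gi0/2
TRUNK_PORT = "Gi0/2"             # the 2950 port facing the PIX

# 'names' entries from the PIX config; 'show arp' may print names instead of IPs.
NAMES = {"mail": "10.10.10.60", "www": "10.10.10.50",
         "www-vecchio": "10.10.10.70", "rtec": "10.10.10.80",
         "switch1": "10.10.10.2"}

# Constructed 'show arp' output: interface, host, MAC. switch1's MAC is
# deliberately absent from the CAM table (a stale entry) and rtec's MAC is
# deliberately learned on the trunk port, so the checks have something to report.
PIX_ARP = """\
        dmz mail 000a.0b0c.0d01
        dmz www 000a.0b0c.0d02
        dmz switch1 000a.0b0c.0dff
        dmz rtec 000a.0b0c.0d03
        inside 192.168.1.20 000a.0b0c.0d20
"""

# Constructed 2950 'show mac-address-table' output.
SWITCH_CAM = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    000a.0b0c.0d01    DYNAMIC     Fa0/24
   2    000a.0b0c.0d02    DYNAMIC     Fa0/23
   2    000a.0b0c.0d03    DYNAMIC     Gi0/2
   1    000a.0b0c.0d20    DYNAMIC     Fa0/5
"""

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_LINE = re.compile(r"\s*(\S+)\s+(\S+)\s+(" + MAC_RE + r")\b")
CAM_LINE = re.compile(r"\s*(\d+)\s+(" + MAC_RE + r")\s+\S+\s+(\S+)")


def parse_pix_arp(text):
    """Return [(iface, ip, mac)] from PIX 'show arp', resolving names to IPs."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, host, mac = m.groups()
            rows.append((iface, NAMES.get(host, host), mac.lower()))
    return rows


def parse_cam(text):
    """Return {mac: (vlan, port)} from Catalyst 'show mac-address-table'."""
    table = {}
    for line in text.splitlines():
        m = CAM_LINE.match(line)
        if m:
            vlan, mac, port = m.groups()
            table[mac.lower()] = (int(vlan), port)
    return table


def cross_check(arp_text, cam_text):
    """Return [(kind, message)]; an empty list means the two tables agree."""
    findings = []
    cam = parse_cam(cam_text)
    for iface, ip, mac in parse_pix_arp(arp_text):
        want_vlan = PIX_IFACE_VLAN.get(iface)
        if want_vlan is None:
            continue                         # e.g. outside: not behind the 2950
        if mac not in cam:
            findings.append(("stale", f"{iface} {ip} {mac} is not in the switch CAM table"))
            continue
        vlan, port = cam[mac]
        if vlan != want_vlan:
            findings.append(("vlan", f"{iface} {ip} {mac} learned in VLAN {vlan}, expected {want_vlan}"))
        if port == TRUNK_PORT:
            findings.append(("loop", f"{iface} {ip} {mac} learned on {TRUNK_PORT}, the port facing the PIX"))
    # Config-level check (assumes the PIX physical interface sends untagged frames):
    # the VLAN the PIX assigns to it should match the trunk's native VLAN.
    if PIX_PHYSICAL_VLAN != SWITCH_TRUNK_NATIVE_VLAN:
        findings.append(("native", f"PIX untagged VLAN {PIX_PHYSICAL_VLAN} differs from trunk native VLAN {SWITCH_TRUNK_NATIVE_VLAN}"))
    return findings


if __name__ == "__main__":
    for kind, msg in cross_check(PIX_ARP, SWITCH_CAM):
        print(f"[{kind}] {msg}")
```

    Run it against real `show arp` and `show mac-address-table` captures taken during an outage; the "stale" finding is the one that corresponds to the symptom "clear arp" temporarily fixes.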
  4. Jasbir Saharan

    Guest

    Consider disabling Proxy arp on the inside interface. It will solve your
    problem...
    Jasbir Saharan
    Andrea Borghi wrote:
    > just an interesting problem with a pix515E-UR:
    > [..]
     
    Jasbir Saharan, Sep 1, 2006
    #4
