lannym

Dial up Modem to Pix Console Port

Can this be done, and how?

I've tried just connecting the modem to the Pix501 with no success... has anyone done this successfully?

I have found documentation for connecting a Cisco router, but not the Pix series.

Thanks,
Lan
polizat

What are you trying to do/achieve here, lannym??
lannym

ASKER

Sorry,

I would like to be able to dial the modem as a backup, to get into the Pix Console when offsite.

(I realize the security concerns here; a user would connect the phone line, and I would go in and configure the connection remotely when the internet / VPN is not working correctly.)
Does the PIX have an AUX port?  Cisco routers have both, and the AUX has features which make it a better choice for a modem.

Note that the serial ports on modems are wired DCE rather than DTE.  You may need to insert a crossover if you're using a console cable.  (I believe some Cisco routers come with three connectors for the rolled cable:  9-pin DTE, 25-pin DTE, and 25-pin DCE.)

lannym

ASKER

I'll have to look for some connectors, but I'm sure the pix didn't come with any... I did get a gender changer to connect the blue console cable to the modem serial port... but that is it.

This can be done but is not supported by Cisco... and I wouldn't recommend setting it up... IT IS A SERIOUS PAIN and will occasionally fail!! The modem settings have to be just right, and to tell you the truth I just plain don't remember them.
If you are looking for a way to remotely configure your PIX in case it goes down,
try using a computer on the inside.
Set its modem up to connect...
It is better if you can connect to a WIN2K server and set up remote dial-in
and use tightVNC to get to the computer and
configure the PIX via telnet or PDM from there...
Here is a link to tightVNC...
http://www.snapfiles.com/freeware/network/fwremote.html
Just one alternative...
Good Luck
Oops, also forgot to mention the console cable of the PIX should be plugged in to the computer you are going to access... This way you can get to the console if you have to...
Does this mean your dial up connection is going to terminate at the modem, then you'll Hypertrm from the modem to the PIX?? If not - is it going to terminate on the PIX? In which case can't you set up the PIX with a VTY session instead of having to do all the cable changing etc??
Tim Holman
There are far more secure ways of accessing the PIX offsite.  For example, you could set up a VPN Client (using 3-DES or AES), or PIX PDM (which uses SSL)?
Dial-up straight into a console port will give attackers UNLIMITED chances at cracking the passwords.
Also, it's VERY UNLIKELY that it will fail and only give you console access.  If a PIX goes down, it's usually down to a hardware fault.
If you're worried you'll lock yourself out after an unsuccessful config change, then all you have to do is reboot to restore the boot-up config, so as long as someone's on site, then not a problem.
I hate to spoil the fun, but offer this anyway.
Of course you can attach a modem directly to the console port. Depending on your particular modem, set it for 9600 baud only, no local echo, and auto answer. It could be DIP switches, init strings, or a combination of both. I can provide the procedure for a USR Sportster modem.

You can mitigate the risks by using a "secure" modem that provides a first level username challenge/password before you get to the PIX console which should then be configured for yet another username/password challenge.
Use good password and local authentication for serial access and you should have no fear.

Alternatively, you can connect the console port to a router's AUX port. If you can get to the router, use a reverse telnet connection to the AUX port and voilà, you have console access to the PIX. This also gives you multiple levels of access control.

We resell managed services for routers and firewalls and a requirement is out of band access via modem. Depending on client requirements, it could be with a secure console port server with modem, or just a modem connected direct to the console port.
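
The second-layer console challenge described in the post above, as an added example that is not part of the original thread: a PIX configuration fragment assuming a PIX OS 6.3-era command set. The username `oobadmin` and both passwords are placeholders.

```cisco
: Added example; lines starting with a colon are comments.
: Local account used for the console challenge (placeholder credentials).
username oobadmin password <STRONG-PASSWORD-PLACEHOLDER> privilege 15
: Separate secret for privileged (enable) mode.
enable password <ENABLE-PASSWORD-PLACEHOLDER>
: Require a username/password from the local database on the serial console,
: which is the port the modem is cabled to.
aaa authentication serial console LOCAL
: Log out an idle console session after 5 minutes so that a dropped call
: does not leave an authenticated session waiting for the next caller.
console timeout 5
```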
lannym

ASKER

I have a USR Sportster modem, and if you could provide the procedure that would be great! I'd like to try it.

( ToAll: I appreciate your security concerns, however, this phone line likely would only be connected by a tech when I say so... then I can get in remotely should I not be able to get in any other way. )

Thanks for your help...

Lan
ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.
lannym

ASKER

I'm trying the instructions on a PIX501... with no success... everything looks ok as far as the modem config goes.

Here is a rundown of what I have... Pix 501 (blue cisco console RJ45 to serial cable).. connected to gender changer.. connected to cable to modem... sound right?

Modems connect... and after several minutes, still no response on the screen.

any ideas?

Thanks!
Lan
Probably wrong pinout if you are using a light blue cable that has RJ-45 on one end and 9-pin on the other, with a 9-pin/25-pin adapter.
You need a 25-pin/rj45 modem connector adapter, and the black modem cable with rj-45 at both ends, or the black modem cable that comes with the new Cisco products that has RJ45 on one end and 25-pin on the other end.
I think you've got the cabling wrong... I recall that the pix series firewalls have a serial port that's wired the opposite to what you might expect.  (I had problems getting my pix-515 to talk to anything for a while.)  Try putting a null modem between your modem and the pix, or alternatively use an ethernet crossover cable into the rj45/db25 adapter that came with the pix.

Jon
lannym

ASKER

Does anyone know the cisco part numbers of the required cables / adapters needed to connect the pix501 to a modem? I have the blue RJ45 (pix) to DB9 Serial (computer)

Thanks,
Lan
CAB-25AS-MMOD
Or you can get a generic 25-pin/RJ-45 Modem adapter
http://catalog.blackbox.com/BlackBox/Templates/blackbox/mainscreen.asp
lannym

ASKER

Just an Update...

All is working well with the supplied PIX 501 (Blue flat rj45 to serial) cable and a Cisco 25pin to 9pin adapter (Cisco Part # 29-4043-01) attached to the USR Modem.

( I found the adapter with a Cisco router that was recently installed )

Thanks to everyone who helped.