Asked by streamline1
PIX 515e replacing Linksys DSL Router

The customer has a static DSL circuit with a Linksys router currently configured
as follows:

WAN IP  64.174.111.89
WAN SUBNET 255.255.255.248
WAN GATEWAY 64.174.111.94
DNS 206.13.29.12
DNS 206.13.30.12

The current internal IP scheme is 10.10.10.xxx, subnet 255.255.255.0.
I have a DHCP server running internally and also have some workstations
with static addresses.

The Linksys router IP is 10.10.10.252.
It has UPnP port forwarding for external port 990 (TCP protocol) to internal
port 990 at IP address 10.10.10.198
--this is for a secure FTP static route to an HL7 interface PC I need.
It also has port range forwarding for:
port 3389-3389 TCP to 10.10.10.2 for Terminal Server access
port 2000-2010 TCP/UDP to 10.10.10.198 for Serv-U FTP software access


I need to know how to program the PIX exactly the same way as the Linksys, with
everything else blocked.

Let me know the best way to proceed.

Les Moore:
Do you have any experience at all with Cisco command line, PIX in particular? Do you know how to get to the command line via console cable?
I just need to know where to start. I can post a complete config that you can pretty much cut/paste if you want...

ASKER CERTIFIED SOLUTION
Les Moore

streamline1 (asker):
lrmoore,
thank you for the feedback, that's exactly what I was looking for. I'm onsite right now and will cut and paste this config in and test it.

Question on access lists for VPN connectivity. This PIX will be used for VPN connections and I don't know whether to have the access list on the PIX or on the domain; do you have any input on this? I'm very new to Cisco & VPN but completely understand your post on the config.

Also, this is supposed to have a GUI interface. I have connected my laptop directly to a hub, then the hub to E1 (which I think should be 10.10.10.252). I cannot ping 10.10.10.252 or open it with a browser; am I missing something?

One last item: since I just signed up with Experts Exchange with the premium $99 per year subscription, how do the points work? I have answered some other posts that were worth 50 points last night...

Thanks
Butch
One more: the customer's domain name is 3tinc.com, and the PIX does not like the number. Is there any way around this?

Let me answer some of your questions. How about we get the PIX up and running first, then you can post a new question to get the VPN going?

If you have E1 plugged into a hub, and your laptop also plugged into the hub, and you get green lights on both ports, then you should be able to ping 10.10.10.252 (assuming you went through the setup routine). If you can't ping it, then the port may not be enabled. To enable a port, issue this command:

>interface ethernet1 auto

To get to the web gui, use https://<ip address>
                                           ^^
Just say yes to any Security alerts..

There are two different types of points. Question points (which you pay for and should get unlimited), and Expert points. Whenever you post a question worth xx points, and you are satisfied that you have solved the issue, you have to use the "accept" button next to the comment that helped you most. You will then be asked to assign a grade A, B or C. The expert will be awarded the question points, multiplied by the grade. For example, this Q has a value of 500 points. If you accept one of my comments and assign an A, I will receive 2000 (4x value) expert points. Accumulation of Expert points puts us up the ladder in the point standings within specific topic areas, and in the overall "hall of fame". That is all we receive for our efforts. A grade of "B" gives us 3x value, and most experts feel that a "C" is a "failing" grade and might complain, even though they will still get 2x the point value. We are all volunteers and work for points only.

The PIX domain name is virtually irrelevant. You can put in threetinc.com in that space if you want. The only reason it needs it is to generate an RSA key which you then import into your browser to keep from seeing the security alerts whenever you open the GUI... it serves no other purpose.
RESULTS AND ERROR OF CUT AND PASTE

Use this configuration and write to flash? yes
Building configuration...
Cryptochecksum: a65562ce 67c6a228 18876ffc 3d0cb727
[OK]
MYPIX(config)# interface ethernet0 auto
MYPIX(config)# interface ethernet1 auto
MYPIX(config)#
MYPIX(config)# ip address outside 64.174.111.89 255.255.255.248
MYPIX(config)# ip address inside 10.10.10.252 255.255.255.0
MYPIX(config)# global (outside) 1 interface
global for this range already exists
MYPIX(config)# nat (inside) 1 10.10.10.0 255.255.255.0
MYPIX(config)#
MYPIX(config)# route outside 0.0.0.0 0.0.0.0 64.174.111.94
MYPIX(config)#
MYPIX(config)# static (inside,outside) tcp interface 990 10.10.10.198 990
MYPIX(config)# static (inside,outside) tcp interface 3389 10.10.10.2 3389
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2001
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
Usage:  [no] static [(internal_if_name, external_if_name)]
                {<global_ip>|interface} <local_ip> [dns] [netmask <mask>]
                [<max_conns> [<emb_limit> [<norandomseq>]]]
        [no] static [(internal_if_name, external_if_name)] {tcp|udp}
                {<global_ip>|interface} <global_port>
                <local_ip> <local_port> [dns] [netmask <mask>]
                [<max_conns> [<emb_limit> [<norandomseq>]]]
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2002
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2003
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2004
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2005
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2006
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2007
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2008
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2009
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2010
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)#
MYPIX(config)#
MYPIX(config)# access-list outside_in permit tcp any interface outside eq 3389
MYPIX(config)# access-list outside_in permit tcp any interface outside eq 990
MYPIX(config)# access-list outside_in permit tcp any interface outside range 2$
MYPIX(config)#
MYPIX(config)# access-group outside_in in interface outside
MYPIX(config)#
D'OH! My bad...

Paste this in:

static (inside,outside) tcp interface 2001 10.10.10.198 2001
static (inside,outside) tcp interface 2002 10.10.10.198 2002
static (inside,outside) tcp interface 2003 10.10.10.198 2003
static (inside,outside) tcp interface 2004 10.10.10.198 2004
static (inside,outside) tcp interface 2005 10.10.10.198 2005
static (inside,outside) tcp interface 2006 10.10.10.198 2006
static (inside,outside) tcp interface 2007 10.10.10.198 2007
static (inside,outside) tcp interface 2008 10.10.10.198 2008
static (inside,outside) tcp interface 2009 10.10.10.198 2009
static (inside,outside) tcp interface 2010 10.10.10.198 2010
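The errors above came from reusing global port 2000 on every line; the PIX needs one `static` per port with the global and local port matching. As an added example (not from the thread), this script turns the Linksys forwarding table from the question into PIX `static` and `access-list` lines and rejects the overlapping pattern before it is pasted. It assumes the interface names `inside`/`outside` and ACL name `outside_in` used in the thread, and it also emits udp lines for the 2000-2010 rule, which the question lists as TCP/UDP but the paste covered for tcp only.

```python
"""Generate PIX 6.x port-forward statements from a Linksys-style rule table.

Added example, not the thread's own config. Rule table below is constructed
from the forwards listed in the question.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    proto: str       # "tcp", "udp" or "tcp/udp", as written on the Linksys
    first: int       # first external port of the range
    last: int        # last external port (equal to first for a single port)
    inside_ip: str   # internal host the Linksys forwarded to


# Constructed from the three Linksys rules in the question.
LINKSYS_RULES = [
    Forward("tcp", 990, 990, "10.10.10.198"),       # secure FTP to HL7 PC
    Forward("tcp", 3389, 3389, "10.10.10.2"),       # Terminal Server
    Forward("tcp/udp", 2000, 2010, "10.10.10.198"),  # Serv-U FTP range
]


def _protocols(rule):
    protos = rule.proto.lower().split("/")
    for p in protos:
        if p not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {p!r}")
    return protos


def static_lines(rules, inside="inside", outside="outside"):
    """One static per port and protocol; global port == local port."""
    lines = []
    for r in rules:
        if not 1 <= r.first <= r.last <= 65535:
            raise ValueError(f"bad port range {r.first}-{r.last}")
        for p in _protocols(r):
            for port in range(r.first, r.last + 1):
                lines.append(f"static ({inside},{outside}) {p} interface "
                             f"{port} {r.inside_ip} {port}")
    return lines


def acl_lines(rules, acl="outside_in", outside="outside"):
    """Permit only the forwarded ports; the PIX denies everything else."""
    lines = []
    for r in rules:
        for p in _protocols(r):
            match = (f"eq {r.first}" if r.first == r.last
                     else f"range {r.first} {r.last}")
            lines.append(f"access-list {acl} permit {p} any interface "
                         f"{outside} {match}")
    lines.append(f"access-group {acl} in interface {outside}")
    return lines


def check_no_overlap(lines):
    """Flag two statics claiming the same (proto, global port): the PIX
    'static overlaps' error seen in the paste above."""
    seen = set()
    for line in lines:
        parts = line.split()
        if parts[0] != "static":
            continue
        key = (parts[2], parts[4])  # protocol, global port
        if key in seen:
            raise ValueError(f"duplicate global port: {line}")
        seen.add(key)
    return True
```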

Okay, pasted that in with no errors.
Do I need to rerun the previous config you sent?
How can I check to make sure all is well in the PIX configuration?
I did write mem and got [OK].
No need to re-run anything.
Use "show config" to make sure everything is in place, and "show interface" to make sure you get the interface "up"

If you can connect your pc and the PIX to the hub (make sure nothing else is plugged into the hub), and assign your PC an IP address in the same 10.10.10.x range, can you now ping the PIX IP 10.10.10.252? If yes, then you should be golden.
It'll be tricky to test out as long as the Linksys router is in place. You'll just have
Oops.. didn't finish my thoughts here:

You'll just have to wait until you can shut off the Linksys and put the PIX in its place to test any further.
Note: don't try to use PING as a test. We have not allowed the ping responses to come back in. You should be able to open up a browser and go to any web page, or do anything else on the net.

Then you can test inbound traffic for the rules.
Note: you cannot test from inside the network using the public IP like you can with the Linksys. You must be on the outside of the network to test.
How can I wipe the PIX config clean and re-paste your configs?
There are some leftover PPPoE settings that show up when I do a show config.

Configured my laptop to 10.10.10.251 and can ping 252, but still cannot browse to https://10.10.10.252?
-not a big deal, just wondering why I cannot get the GUI to work

You can wipe the existing config:

MYPIX#write erase
then reboot.

You need to add:
  http server enable
  http 10.10.10.251 255.255.255.255 inside

Then you should be able to use the browser..

Making progress and just about ready to plug the PIX in.
>you are sure that I'm not allowing any unauthorized access, right :)

I did not wipe the config clean, but I did get the browser up and running and made sure PPPoE was not enabled on the outside interface.
How can I delete http 10.10.10.251 255.255.255.255 inside and add http 10.10.10.203 255.255.255.255 inside?
I get an error when I simply try to add 203, that it exists.
you can delete just about any line with "no" in front:

  no http 10.10.10.251 255.255.255.255 inside
  ^

>you are sure that im not allowing any unauthorized access right :)
That depends on the existing config since this was not a new out-of-the-box PIX.
However, default behavior of PIX is to block ALL unsolicited incoming traffic unless and until it is explicitly permitted by an access-list.  Only those ports defined in the access-list will be permitted in, of course, with the exception of any responses back to inside hosts, i.e. go to https://www.experts-exchange.com and the returning traffic from that site will be let in automagically...
Would you suggest that I do a write erase and paste your configs to make sure all is blocked?
By default, is the DHCP server enabled after a write erase?
How do I give you 10000 points? You have been a huge help with this.
Yes, I personally would start from a clean slate.
The 515 does not enable the DHCP server by default

500 is the max points for any one question, but you are welcome to ask as many questions as you want...
So I got a clean config. Do I simply add the second config statements you sent me to the first and run them all?
Will I get the same errors as before? Is there anything I should correct in the 1st config before I run it again to resolve the errors?
One more: how can I see what IP is configured for http inside browser access?
lrmoore, I'm connected through the PIX sending you this message.
Working well so far, much faster than the Linksys.
Still cannot get the browser to work with the new IP, but going to connect the console cable to check.
More to update:
Internet is up.
Secure FTP on port 900 is not working.
Also found that I have an internal PC 10.10.10.249 that uses an extranet VPN client to connect to the outside (63.136.96.3), and it fails.
Can I telnet into the PIX from an inside workstation?
telnet 10.10.10.252 prompts me for a password, but I did not think I had a password.
Browser is working now; still no go on the extranet VPN client and secure FTP.
Are there logs I can check to see what is trying to access outside so I can build a rule?
For now I'm going to plug the Linksys back in to get the customer back up.
Thanks
Good job!

Sorry about that, I had to leave for a while..
>extranet vpn client and secure ftp
Try adding the command (same as IPSEC passthrough on the Linksys):
MYPIX(config)#   isakmp nat-traversal 30

>are there logs I can check to see what is trying to access outside so I can build a rule
First, you have to enable logging to buffer:
MYPIX(config)# logging on
MYPIX(config)# logging buffered informational

Then you can use "show log" to see if anything in particular is being denied...

>How can I see what IP is configured for http inside browser access
 just add the following:
MYPIX(config)# http server enable
MYPIX(config)# http 10.10.10.0 255.255.255.0 inside   <== any system on the inside can http to it.

When you get prompted for username/password, leave the username blank and use the enable password. Didn't set an enable password? Just hit enter..

>prompts me for password but I did not think I had a password
You have to set a telnet password:
MYPIX(config)# passwd <password>
OK, I had to hook the Linksys back up and will try to return to this client tomorrow to add the changes to the config.
How do I give you points? (Click on accept in your answers?)
If I end up going onsite Sunday night, will you be available for help to get this going?
Are you on PST?
Thanks again
Yes, you can simply click on "accept" on any one comment.
Yes, I should be available Sunday p.m. I'm on CST..

Glad I could be of assistance!
lrmoore, I will be onsite at the customer's this Sunday about 6pm PST. I will add the statements to the config and see if VPN and FTP work. I will let you know.
Thanks
lrmoore, it's Sunday night 6:45pm PST, I'm onsite, are you available?
So sorry I missed your post... how'd it go?
Using the PDM?  File | show running config in new window
Cut/paste into EE, edit, then submit..