Solved

PIX FIREWALL VPN RECONFIGURATION

Posted on 2007-03-18
6
492 Views
Last Modified: 2010-03-18
I am to reconfigure VPN access on a PIX firewall, so I am removing the old configuration lines from the PIX. However, there are a few which are listed below that the PIX does not allow me to remove. After I enter no in front of the lines they reappear when I do a sh running. How can I remove these lines?

isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vmr2 idle-time 1800
vpngroup grace idle-time 1800
vpngroup <group_name> idle-time 1800


Thank You

Question by:vreyesii
6 Comments
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 50 total points
ID: 18743626
You'll have to disable the isakmp on the outside interface first if you want to remove those lines;

First do this;

no isakmp enable outside

and then try the above.

Cheers,
Rajesh
 

Author Comment

by:vreyesii
ID: 18743680
I tried and I am still not able to remove those lines.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18743696
Can you post your current config?


Cheers,
Rajesh
 

Author Comment

by:vreyesii
ID: 18743734
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxxxxxx
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 1521
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any host x.x.x.236 eq smtp
access-list allow_inbound permit tcp any host x.x.x.236 eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host x.x.x.236 eq 9563
access-list allow_inbound permit tcp any host x.x.x.236 eq www
access-list allow_inbound permit tcp any host x.x.x.236 eq 5060
access-list allow_inbound permit tcp any interface outside eq 49156
access-list allow_inbound permit udp any interface outside eq 6346
access-list allow_inbound permit udp any interface outside eq 49156
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 4662
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
no pager
logging on
logging timestamp
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Attack_Policy attack action alarm drop reset
ip audit name Info_Policy info action drop reset
ip audit interface outside Info_Policy
ip audit interface outside Attack_Policy
ip audit info action drop reset
ip audit attack action alarm drop reset
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.1.1.6 x.x.x.85 255.255.255.255
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6346 10.1.1.2 6346 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 www 10.1.1.35 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 smtp 10.1.1.35 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 pop3 10.1.1.35 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 9563 10.1.1.251 telnet netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
route inside 10.1.2.0 255.255.255.0 10.1.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 xxxxx timeout 10
aaa authentication ssh console AuthInbound
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxx
snmp-server enable traps
floodguard enable
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vmr2 idle-time 1800
vpngroup grace idle-time 1800
vpngroup <group_name> idle-time 1800
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
username vmr2 password xxxxxxxxx encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner exec Unauthorized access and use of this network/device will be prosecuted.
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:e4b9dff44ef46c9e0aaa14919da504ea
: end
 
LVL 28

Accepted Solution

by:
batry_boy earned 450 total points
ID: 18743795
I can't see any reason why you shouldn't be able to remove those lines.  You should be able to remove all of the isakmp lines with one command since they are all referencing the same policy number:

no isakmp policy 10

You should also be able to remove the vpngroup lines with the following commands:

no vpngroup vpn3000
no vpngroup vmr2
no vpngroup grace
no vpngroup <group_name>                         <---substitute the name of the vpn group

Do you get any errors when you try to remove them?  If you issue the "no" form of the commands and then do a "write mem", do they show up in the saved config (show startup-config)?
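The two answers above amount to a small procedure: optionally disable ISAKMP on the outside interface, issue one "no" per policy number and per vpngroup name, then confirm the lines are gone from both the running config and, after "write mem", the startup config. The script below is an added example written for this thread, not code from either expert or from Cisco; it assumes a PIX 6.x-style text config of the kind pasted in the question and parses it by line prefix only. The sample configs are constructed from the lines quoted in the question; the stale startup config models the case batry_boy asks about, where the running config is clean but "write mem" has not yet been done.

```python
"""Generate the PIX removal commands from the thread and verify they took effect.

Added example for this Q&A; not from the original posters. Assumes a PIX 6.x
style text config as pasted in the question (one statement per line).
"""
import re

# Constructed sample: the VPN lines quoted in the question, as they would
# appear in 'show running-config' output before the reconfiguration.
RUNNING_BEFORE = """\
floodguard enable
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vmr2 idle-time 1800
vpngroup grace idle-time 1800
telnet 10.1.1.0 255.255.255.0 inside
"""

# Constructed sample: the running config after the 'no' commands were entered.
RUNNING_AFTER = """\
floodguard enable
telnet 10.1.1.0 255.255.255.0 inside
"""

ISAKMP_ENABLE = re.compile(r"^isakmp enable (\S+)\s*$")
ISAKMP_POLICY = re.compile(r"^isakmp policy (\d+)\b")
VPNGROUP = re.compile(r"^vpngroup (\S+)\b")


def isakmp_enabled_interfaces(config):
    """Interfaces with 'isakmp enable <if>' (rsivanandan's first suggestion
    was to turn this off on the outside interface before removing policies)."""
    return sorted(m.group(1) for line in config.splitlines()
                  if (m := ISAKMP_ENABLE.match(line)))


def vpn_objects(config):
    """Return (set of isakmp policy numbers, set of vpngroup names) in a config."""
    policies, groups = set(), set()
    for line in config.splitlines():
        if m := ISAKMP_POLICY.match(line):
            policies.add(int(m.group(1)))
        elif m := VPNGROUP.match(line):
            groups.add(m.group(1))
    return policies, groups


def removal_commands(config):
    """One 'no isakmp policy N' per policy number and one 'no vpngroup NAME'
    per group: every 'isakmp policy 10 ...' line belongs to the same policy,
    so a single 'no isakmp policy 10' removes all five of them."""
    policies, groups = vpn_objects(config)
    cmds = [f"no isakmp policy {n}" for n in sorted(policies)]
    cmds += [f"no vpngroup {g}" for g in sorted(groups)]
    return cmds


def leftover_lines(config, policies, groups):
    """Lines in a config that still reference removed policies or groups."""
    left = []
    for line in config.splitlines():
        if (m := ISAKMP_POLICY.match(line)) and int(m.group(1)) in policies:
            left.append(line)
        elif (m := VPNGROUP.match(line)) and m.group(1) in groups:
            left.append(line)
    return left


def verify_removed(running_after, startup_after, policies, groups):
    """Check both 'show running-config' and 'show startup-config' output.
    A clean running config with a stale startup config means the change
    has not been saved with 'write mem' yet."""
    return {
        "running": leftover_lines(running_after, policies, groups),
        "startup": leftover_lines(startup_after, policies, groups),
    }


if __name__ == "__main__":
    print("isakmp enabled on:", isakmp_enabled_interfaces(RUNNING_BEFORE))
    for cmd in removal_commands(RUNNING_BEFORE):
        print(cmd)
    pols, grps = vpn_objects(RUNNING_BEFORE)
    # Startup config modelled as still holding the old lines (no write mem yet).
    print(verify_removed(RUNNING_AFTER, RUNNING_BEFORE, pols, grps))
```

The generated commands are the same ones batry_boy lists; running the check against both config views answers his closing question directly, since an empty "running" list with a non-empty "startup" list shows the change simply has not been saved. While finishing the reconfiguration, note that the old policy 10 used DES and Diffie-Hellman group 1, both of which have been considered inadequate for a long time, so whatever replaces it should not reuse those settings.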
 

Author Comment

by:vreyesii
ID: 18743844
Thanks batry_boy, I got all the lines removed now.
