
PIX FIREWALL VPN RECONFIGURATION

Posted on 2007-03-18
Last Modified: 2010-03-18
I am to reconfigure VPN access on a PIX firewall, so I am removing the old configuration lines from the PIX. However, there are a few, listed below, that the PIX does not allow me to remove. After I enter "no" in front of the lines, they reappear when I do a "sh running". How can I remove these lines?

isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vmr2 idle-time 1800
vpngroup grace idle-time 1800
vpngroup <group_name> idle-time 1800


Thank You

Question by:vreyesii

Assisted Solution

by:rsivanandan
ID: 18743626
You'll have to disable the isakmp on the outside interface first if you want to remove those lines;

First do this;

no isakmp enable outside

and then try the above.

Cheers,
Rajesh

Author Comment

by:vreyesii
ID: 18743680
I tried and I am still not able to remove those lines.

Expert Comment

by:rsivanandan
ID: 18743696
Can you post your current config?


Cheers,
Rajesh

Author Comment

by:vreyesii
ID: 18743734
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxxxxxx
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 1521
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any host x.x.x.236 eq smtp
access-list allow_inbound permit tcp any host x.x.x.236 eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host x.x.x.236 eq 9563
access-list allow_inbound permit tcp any host x.x.x.236 eq www
access-list allow_inbound permit tcp any host x.x.x.236 eq 5060
access-list allow_inbound permit tcp any interface outside eq 49156
access-list allow_inbound permit udp any interface outside eq 6346
access-list allow_inbound permit udp any interface outside eq 49156
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 4662
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
no pager
logging on
logging timestamp
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Attack_Policy attack action alarm drop reset
ip audit name Info_Policy info action drop reset
ip audit interface outside Info_Policy
ip audit interface outside Attack_Policy
ip audit info action drop reset
ip audit attack action alarm drop reset
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.1.1.6 x.x.x.85 255.255.255.255
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6346 10.1.1.2 6346 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 www 10.1.1.35 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 smtp 10.1.1.35 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 pop3 10.1.1.35 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 9563 10.1.1.251 telnet netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
route inside 10.1.2.0 255.255.255.0 10.1.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 xxxxx timeout 10
aaa authentication ssh console AuthInbound
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxx
snmp-server enable traps
floodguard enable
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vmr2 idle-time 1800
vpngroup grace idle-time 1800
vpngroup <group_name> idle-time 1800
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
username vmr2 password xxxxxxxxx encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner exec Unauthorized access and use of this network/device will be prosecuted.
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:e4b9dff44ef46c9e0aaa14919da504ea
: end

Accepted Solution

by:batry_boy
ID: 18743795
I can't see any reason why you shouldn't be able to remove those lines.  You should be able to remove all of the isakmp lines with one command since they are all referencing the same policy number:

no isakmp policy 10

You should also be able to remove the vpngroup lines with the following commands:

no vpngroup vpn3000
no vpngroup vmr2
no vpngroup grace
no vpngroup <group_name>          <--- substitute the name of the vpn group

Do you get any errors when you try to remove them?  If you issue the "no" form of the commands and then do a "write mem", do they show up in the saved config (show startup-config)?
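As an added example (not part of the thread, and not Cisco's own tooling), the script below does the same cleanup mechanically: it parses a PIX 6.x-style "show running-config" dump, emits one "no isakmp policy N" per policy number (which removes all five attribute lines at once) and one "no vpngroup NAME" per group, and gives a check to run against the post-change running and startup configs so the result is verified rather than eyeballed. Because the policy being torn down uses single DES and DH group 1, it also flags those settings so they are not copied into the rebuilt VPN. The sample config text is constructed from the lines quoted in the question; the function names and the weak-setting table are my own assumptions, not PIX commands.

```python
"""Generate the PIX 6.x 'no' commands that strip old ISAKMP policies and
vpngroups from a config, flag weak ISAKMP settings, and verify the cleanup.

Added example, not code from the original thread. Input is a constructed
excerpt modelled on the config posted above; in practice feed it the
output of 'show running-config' (and 'show startup-config' after 'write mem').
"""
import re
from collections import OrderedDict

# Constructed sample: the lines the poster could not remove, plus two
# unrelated lines to show that they are ignored.
SAMPLE_CONFIG = """\
floodguard enable
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vmr2 idle-time 1800
vpngroup grace idle-time 1800
telnet 10.1.1.0 255.255.255.0 inside
"""

# 'isakmp policy <number> <attribute> <value>'; 'isakmp enable outside' and
# 'isakmp key ...' do not match and are left alone.
ISAKMP_POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
# 'vpngroup <name> <attribute ...>'
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) ")

# (attribute, value) pairs that should not be carried into a rebuilt VPN.
# Assumed table, chosen by the editor; adjust to local policy.
WEAK_ISAKMP = {
    ("encryption", "des"): "single DES",
    ("hash", "md5"): "MD5",
    ("group", "1"): "768-bit DH group 1",
    ("group", "2"): "1024-bit DH group 2",
}


def parse_vpn_config(text):
    """Return (policies, groups): policy number -> {attribute: value}, plus
    the vpngroup names in the order they appear."""
    policies = OrderedDict()
    groups = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        m = ISAKMP_POLICY_RE.match(line)
        if m:
            num, attr, value = m.groups()
            policies.setdefault(int(num), OrderedDict())[attr] = value
            continue
        m = VPNGROUP_RE.match(line)
        if m:
            groups[m.group(1)] = True
    return policies, list(groups)


def weak_settings(policies):
    """List (policy_number, attribute, reason) for each weak ISAKMP setting."""
    findings = []
    for num, attrs in policies.items():
        for attr, value in attrs.items():
            reason = WEAK_ISAKMP.get((attr, value))
            if reason:
                findings.append((num, attr, reason))
    return findings


def removal_commands(policies, groups):
    """One 'no isakmp policy N' per policy (drops all of that policy's
    attribute lines) and one 'no vpngroup NAME' per group."""
    cmds = ["no isakmp policy %d" % num for num in policies]
    cmds += ["no vpngroup %s" % name for name in groups]
    return cmds


def leftover_vpn_lines(text):
    """ISAKMP policy / vpngroup lines still present in a config dump.
    Run on the running config after the 'no' commands, and on the startup
    config after 'write mem'; an empty list means the cleanup held."""
    return [ln.strip() for ln in text.splitlines()
            if ISAKMP_POLICY_RE.match(ln.strip()) or VPNGROUP_RE.match(ln.strip())]


if __name__ == "__main__":
    pol, grp = parse_vpn_config(SAMPLE_CONFIG)
    for num, attr, why in weak_settings(pol):
        print("! policy %d: %s uses %s, do not recreate" % (num, attr, why))
    print("\n".join(removal_commands(pol, grp)))
```

Paste the printed commands into configuration mode, then capture "show running-config" and (after "write mem") "show startup-config" and pass each through leftover_vpn_lines; anything it returns is a line the PIX is still holding on to.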

Author Comment

by:vreyesii
ID: 18743844
Thanks batry_boy I got all the lines removed now.

