Manuel (United States of America) asked:
PIX FIREWALL VPN RECONFIGURATION

I am to reconfigure VPN access on a PIX firewall, so I am removing the old configuration lines from the PIX. However, there are a few which are listed below that the PIX does not allow me to remove. After I enter no in front of the lines they reappear when I do a sh running. How can I remove these lines?

isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vmr2 idle-time 1800
vpngroup grace idle-time 1800
vpngroup <group_name> idle-time 1800


Thank You

SOLUTION by rsivanandan (India):

(Solution text is not available on this page.)
Manuel (ASKER):

I tried and I am still not able to remove those lines.

Can you post your current config?


Cheers,
Rajesh
Manuel (ASKER):

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxxxxxx
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 1521
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any host x.x.x.236 eq smtp
access-list allow_inbound permit tcp any host x.x.x.236 eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host x.x.x.236 eq 9563
access-list allow_inbound permit tcp any host x.x.x.236 eq www
access-list allow_inbound permit tcp any host x.x.x.236 eq 5060
access-list allow_inbound permit tcp any interface outside eq 49156
access-list allow_inbound permit udp any interface outside eq 6346
access-list allow_inbound permit udp any interface outside eq 49156
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 4662
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
no pager
logging on
logging timestamp
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Attack_Policy attack action alarm drop reset
ip audit name Info_Policy info action drop reset
ip audit interface outside Info_Policy
ip audit interface outside Attack_Policy
ip audit info action drop reset
ip audit attack action alarm drop reset
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.1.1.6 x.x.x.85 255.255.255.255
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6346 10.1.1.2 6346 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 www 10.1.1.35 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 smtp 10.1.1.35 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 pop3 10.1.1.35 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.236 9563 10.1.1.251 telnet netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
route inside 10.1.2.0 255.255.255.0 10.1.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 xxxxx timeout 10
aaa authentication ssh console AuthInbound
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxx
snmp-server enable traps
floodguard enable
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vmr2 idle-time 1800
vpngroup grace idle-time 1800
vpngroup <group_name> idle-time 1800
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
username vmr2 password xxxxxxxxx encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner exec Unauthorized access and use of this network/device will be prosecuted.
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:e4b9dff44ef46c9e0aaa14919da504ea
: end
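The accepted answer is not visible on this page. As an added example (editor's code, not the accepted solution and not anything posted in the thread), the script below parses the VPN-related lines of a PIX 6.x running-config like the one above and shows why the `no` form did nothing: the five `isakmp policy 10` attributes are exactly the PIX 6.x defaults (rsa-sig, des, sha, group 1, 86400), so `no isakmp policy 10 encryption des` resets the attribute to its default, which is `des`, and the line comes straight back. The same holds for `vpngroup <name> idle-time 1800`, the default idle time. The script also flags that policy 10 negotiates DES with DH group 1, which is weak and worth replacing during the reconfiguration. The remediation it prints, `clear isakmp` and `clear vpngroup`, is an assumption based on the PIX 6.x command reference as remembered here (those forms remove the whole statement set rather than resetting one attribute); verify them on your software version before running them, and note `clear isakmp` also removes `isakmp enable` and identity settings.

```python
import re
from collections import defaultdict

# Constructed sample: the VPN lines from the posted running-config, plus a
# second policy (20) that is NOT all defaults, to show the contrast.
SAMPLE_CONFIG = """\
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vmr2 idle-time 1800
vpngroup grace idle-time 1800
vpngroup <group_name> idle-time 1800
"""

# PIX 6.x default ISAKMP policy attributes. "no isakmp policy N <attr> <value>"
# resets the attribute to these defaults, so a default-valued line reappears.
ISAKMP_DEFAULTS = {
    "authentication": "rsa-sig",
    "encryption": "des",
    "hash": "sha",
    "group": "1",
    "lifetime": "86400",
}
VPNGROUP_DEFAULT_IDLE = "1800"  # default vpngroup idle-time in seconds

# Attribute values that should not be used for a fresh VPN configuration.
WEAK_ISAKMP = {("encryption", "des"), ("group", "1")}

ISAKMP_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) (\S+) (\S+)$")


def parse_vpn_config(text):
    """Return ({policy_id: {attr: value}}, {group_name: {attr: value}})."""
    policies = defaultdict(dict)
    groups = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        m = ISAKMP_RE.match(line)
        if m:
            policies[m.group(1)][m.group(2)] = m.group(3)
            continue
        m = VPNGROUP_RE.match(line)
        if m:
            groups[m.group(1)][m.group(2)] = m.group(3)
    return dict(policies), dict(groups)


def default_only_policies(policies):
    """Policy IDs whose every attribute equals the PIX default; 'no' cannot remove these lines."""
    return sorted(
        pid for pid, attrs in policies.items()
        if all(ISAKMP_DEFAULTS.get(k) == v for k, v in attrs.items())
    )


def weak_policies(policies):
    """Policy IDs that negotiate DES or Diffie-Hellman group 1."""
    return sorted(
        pid for pid, attrs in policies.items()
        if any((k, v) in WEAK_ISAKMP for k, v in attrs.items())
    )


def default_only_groups(groups):
    """vpngroup names whose only attribute is the default idle-time."""
    return sorted(
        name for name, attrs in groups.items()
        if attrs == {"idle-time": VPNGROUP_DEFAULT_IDLE}
    )


def remediation(policies, groups):
    """Commands that drop the whole statement set instead of resetting attributes.
    Assumption: 'clear isakmp' / 'clear vpngroup' as in the PIX 6.x command
    reference; verify against the running software version before use."""
    cmds = []
    if policies:
        cmds.append("clear isakmp")
    if groups:
        cmds.append("clear vpngroup")
    return cmds


if __name__ == "__main__":
    pol, grp = parse_vpn_config(SAMPLE_CONFIG)
    print("default-only isakmp policies:", default_only_policies(pol))
    print("weak isakmp policies (DES / DH group 1):", weak_policies(pol))
    print("default-only vpngroups:", default_only_groups(grp))
    print("remediation:", remediation(pol, grp))
```

Run it against a saved `show running-config`; only policies whose attributes are all at defaults are reported as `no`-resistant, while policy 20 in the sample, which has a non-default authentication and encryption, would respond to the `no` form as the asker expected.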
ASKER CERTIFIED SOLUTION

(Solution text is not available on this page.)
Manuel (ASKER):

Thanks batry_boy I got all the lines removed now.