[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Configuring a Pix 501

Posted on 2009-04-01
Medium Priority
Last Modified: 2012-05-06

I have spent many hours reading and trying to figure this out. I recently picked up a Pix 501 to replace my Linksys BEFVP41 so I could access my works network from home through a vpn with a little more reliable connection.

 I have a PPPoE internet connection. Now after spending all this time working on the proper configurations for the pix. I put in place to see if it would work. I just flat out failed to initilize the PPPoE.

Here is my configuration for the pix. What am i doing wrong? If i have the PPPoE part wrong I think i may have the vpn client part wrong too maybe.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname ovcpix
domain-name company.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
access-list 101 permit ip any
no pager
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer XXX.XXX.XXX.XXX
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key mypresharekey address XXX.XXX.XXX.XXX netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet inside
telnet inside
telnet timeout 5
ssh inside
ssh inside
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxxxx@xxxx.net
vpdn group pppoex ppp authentication pap
vpdn username xxxxx@xxxx.net password *********
terminal width 80

Open in new window

Question by:Pyromanci
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
LVL 15

Assisted Solution

Voltz-dk earned 750 total points
ID: 24045280
Try running a debug of it.

debug pppoe packet
debug pppoe event
debug pppoe error
debug ppp negotiation

Then reapply the ip addr, and see what the debug gives you
ip address outside pppoe setroute
LVL 23

Expert Comment

ID: 24045290
Ok, for PPPoE use this doc:

vpdn group pppoex request dialout pppoe

!--- Associate the username that the ISP assigns to the VPDN group.

vpdn group pppoex localname cisco

!--- Define authentication protocol.

vpdn group pppoex ppp authentication pap

!--- Create a username and password pair for the PPPoE
!--- connection (which your ISP provides).

vpdn username cisco password *********

Do you have the PDM loaded? If you have web browser access, I'd use the wizard for a VPN client..

Author Comment

ID: 24046069
Well PDM is installed on the device. Problem is I am having a hard time figuring out which Java Version i need in order to access it. PDM on the device is version 3.0(2)
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

LVL 23

Expert Comment

ID: 24046190
try Java version 6 release 7, however I am running the new ADSM for version 7, yours might need release 5..
LVL 23

Expert Comment

ID: 24046196
just keep removing each release until you have the working version..

At least on this Workstation, it had them all incrementally installed..
LVL 15

Expert Comment

ID: 24049384
PDM is quite old, and you may experience alot of problems with java.  I suggest you actually disable Sun java in your iExplorer, and just run with the native one - that'll work.

Author Comment

ID: 24086445
debuggerau: I found it was version 5 release 5

Voltz-dk: what native one? I have disabled all my java plugins and it just kicks back to me saying i need java. Or were you talking about the cli?

I have finally got the PPOE to work. But now there is a new problem. None of my communication from the lan make it to the wan.

I have this nat setupup, but it doesn't seem to work:
global (outside) 1 interface
nat (inside) 1 0 0
LVL 15

Assisted Solution

Voltz-dk earned 750 total points
ID: 24088072
No I was talking about PDM, but I suppose it may only apply to iExplorer 6...

That nat & global you have are correct, so unless you have some static or NAT exemption to block it that should work.

If you do run a cli to the PIX, and do debug icmp trace.  Then try to ping from inside to wan (say gateway on wan), what would the debugging show?
LVL 23

Accepted Solution

debuggerau earned 750 total points
ID: 24092727
Check the ACL's for those LAN hosts.

access-group inside_access_in in interface inside
access-list inside_access_in allow ip any any

This will allow all hosts out..

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question