Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.
COURSE of the MONTH
14 days, 13 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
How to show access policy and forward policy on Cisco PIX 515E firewall device
Posted on 2012-12-21
I switched a new company with only Cisco PIX 515E as the firewall. I need list the access policy and change a domain name pointing from a web server on DMZ to a web server on LAN zone.
I have many years experiences for using sonic wall and junimper wall. But after I use putty login to the PIX 515E, I don't know how to enable the GUI interface, anybody can help me for the job.
1. list all access rules and NAT rules.
2. change the point to a new server.
3. enable the web interface so that I can manage it through a browser.
thank you for the help.
I have many years experiences for using sonic wall and junimper wall. But after I use putty login to the PIX 515E, I don't know how to enable the GUI interface, anybody can help me for the job.
1. list all access rules and NAT rules.
2. change the point to a new server.
3. enable the web interface so that I can manage it through a browser.
thank you for the help.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
8
- +1
11 Comments
after i login to the firewall 515E, I run the command write t, I can see a policy like this one:
"static (DMZ,outside) 209.58.242.157 10.0.3.12 netmask 255.255.255.255 tcp 7000 0"
Is this the policy forwarding http policy from public ip 209.58.242.157 to private ip 10.0.3.12.
if I moved the webserver from DMZ to LAN, can I just change this policy's ip to the new one.
which command do I need use to change, thank yohttp://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27975801.html#u.
"static (DMZ,outside) 209.58.242.157 10.0.3.12 netmask 255.255.255.255 tcp 7000 0"
Is this the policy forwarding http policy from public ip 209.58.242.157 to private ip 10.0.3.12.
if I moved the webserver from DMZ to LAN, can I just change this policy's ip to the new one.
which command do I need use to change, thank yohttp://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27975801.html#u.
Active 2 days ago
That is not the forwarding policy, that is the NAT policy. To see the running configuration you can do:
show running
to see the saved configuration that will be loaded if you restart the firewall you can do:
show start
On the pix any change you make to the config must be saved using the "write mem" command. This way if you make a change and it "breaks" something, you just reload the last saved config.
The running/startup configs show you all configuration settings.
What version of PIX are you running? There should be a version of Cisco's ASDM that will give you a GUI interface to manage the PIX. You don't need to ssh/telnet into the PIX to use the GUI interface.
show running
to see the saved configuration that will be loaded if you restart the firewall you can do:
show start
On the pix any change you make to the config must be saved using the "write mem" command. This way if you make a change and it "breaks" something, you just reload the last saved config.
The running/startup configs show you all configuration settings.
What version of PIX are you running? There should be a version of Cisco's ASDM that will give you a GUI interface to manage the PIX. You don't need to ssh/telnet into the PIX to use the GUI interface.
with the older PIX 515 you have you need to do this to have the web interface
">" and "#" and "(config)#" represent prompts on the PIX and things in [ comments ] are info. type what is after the prompts...
putty to PIX
>enable
[type in your password]
#config t
(config)#http server enable
(config)#http 192.168.100.0 255.255.255.0 inside
[you actually will need to use IP and mask from your inside net, not 192.16.100.0 etc.]
(config)#ctrl-z
[press key combination, not type]
#wri mem
at this point you should be able to point a web browser at the inside interface of your PIX. Unless it has been kept up to date, it may have PIX device manager instead of ASDM and you may need to update you OS and the image file for the device manager.
After you have the web interface up, changing the static NAT for the address of the server and listing access lists and the NAT translastions be a bit more intuitive.
from the enable prompt at the CLI, the "show run" command will give you the full config that contains the ACL's and NAT translations. If you have that, in config mode, doing an "no" before the static command you need to remove and then re-entering it changing the IP gets you there...
(config)# no static (inside, outside) 8.8.8.8 10.10.10.10 netmask 255.255.255.255
(config)# static (inside, outside) 8.8.8.8 10.10.10.20 netmask 255.255.255.255
would remove a mapping public IP of 8.8.8.8 to private 10.10.10.10 and then add one for public 8.8.8.8 to private 10.10.10.20
">" and "#" and "(config)#" represent prompts on the PIX and things in [ comments ] are info. type what is after the prompts...
putty to PIX
>enable
[type in your password]
#config t
(config)#http server enable
(config)#http 192.168.100.0 255.255.255.0 inside
[you actually will need to use IP and mask from your inside net, not 192.16.100.0 etc.]
(config)#ctrl-z
[press key combination, not type]
#wri mem
at this point you should be able to point a web browser at the inside interface of your PIX. Unless it has been kept up to date, it may have PIX device manager instead of ASDM and you may need to update you OS and the image file for the device manager.
After you have the web interface up, changing the static NAT for the address of the server and listing access lists and the NAT translastions be a bit more intuitive.
from the enable prompt at the CLI, the "show run" command will give you the full config that contains the ACL's and NAT translations. If you have that, in config mode, doing an "no" before the static command you need to remove and then re-entering it changing the IP gets you there...
(config)# no static (inside, outside) 8.8.8.8 10.10.10.10 netmask 255.255.255.255
(config)# static (inside, outside) 8.8.8.8 10.10.10.20 netmask 255.255.255.255
would remove a mapping public IP of 8.8.8.8 to private 10.10.10.10 and then add one for public 8.8.8.8 to private 10.10.10.20
Active today
Connecting to and Managing Cisco Firewalls
>>1. list all access rules and NAT rules.
Show run access-list
Show run nat
Show Run Global
Show run static
As for changing the Static NAT - jjester1 has already got that covered above
Pete
>>1. list all access rules and NAT rules.
Show run access-list
Show run nat
Show Run Global
Show run static
As for changing the Static NAT - jjester1 has already got that covered above
Pete
thank you experts, I really glad to see so many replies even in this biggest long holiday.
I will try the commands here next Wednesday when I go back to work.
Merry Christmas for all experts working here.
thanks.
I will try the commands here next Wednesday when I go back to work.
Merry Christmas for all experts working here.
thanks.
does "wri rem " has any negative effect on the sysem, do I need backup the configuration file and how to do it? I was gonna to enable the http server.
Got this WARNING message;
pix515e(config)# http server enable
pix515e(config)# http 10.10.4.48 255.255.252.0 inside
WARNING: IP address <10.10.4.48> and netmask <255.255.252.0> inconsistent
pix515e(config)#
Do I need keep goint and "wri rem", thanks.
pix515e(config)# http server enable
pix515e(config)# http 10.10.4.48 255.255.252.0 inside
WARNING: IP address <10.10.4.48> and netmask <255.255.252.0> inconsistent
pix515e(config)#
Do I need keep goint and "wri rem", thanks.
formely, this public ip was pointed to a web server on DMZ zone, but we want to point the Ip to a server on LAN (behind the firewall), is the command the same?
Hi, Jjerster:
Thank you for your reply, I appreciate your help and advise.
I tried to run the commands you provided, and the result is as follows. After running, I tried to open a browser and input the IP address of 10.10.4.5, but I still couldn't open the web interface, could you please take a look. the only abnormal thing is it gives me IP address and netmask inconsistent warning, I am not sure if it's the reason.
pix515e# config t
pix515e(config)# http server enable
pix515e(config)# http 10.10.4.5 255.255.252.0 inside
WARNING: IP address <10.10.4.5> and netmask <255.255.252.0> inconsistent
pix515e(config)#
pix515e# wri mem
Building configuration...
Cryptochecksum: 62a45e24 1ee2542b fd9611be a2a0da7f
27511 bytes copied in 0.980 secs
[OK]
Thank you for your reply, I appreciate your help and advise.
I tried to run the commands you provided, and the result is as follows. After running, I tried to open a browser and input the IP address of 10.10.4.5, but I still couldn't open the web interface, could you please take a look. the only abnormal thing is it gives me IP address and netmask inconsistent warning, I am not sure if it's the reason.
pix515e# config t
pix515e(config)# http server enable
pix515e(config)# http 10.10.4.5 255.255.252.0 inside
WARNING: IP address <10.10.4.5> and netmask <255.255.252.0> inconsistent
pix515e(config)#
pix515e# wri mem
Building configuration...
Cryptochecksum: 62a45e24 1ee2542b fd9611be a2a0da7f
27511 bytes copied in 0.980 secs
[OK]
I downloaded a cisco ASDM v 1.4 version and try to connect to the firewall, but it says invalid username or password, I was wondering where I can reset the password for remote management.
thank you.
ASDM-login.jpg
thank you.
ASDM-login.jpg
Featured Post
The ATEN VM0404HA 4x4 4K HDMI Matrix Switch supports 4K resolutions of UHD (3840 x 2160) and DCI (4096 x 2160) with refresh rates of 30 Hz (4:4:4) and 60 Hz (4:2:0). It is ideal for applications where the routing of 4K digital signals is required.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal.
As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses
Course of the Month14 days, 13 hours left to enroll
771 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.