07-18-2003 10:47 AM - edited 03-09-2019 04:06 AM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Management for IDS and Firewalls with Cisco expert Nadeem Khawaja. Nadeem supports Security related products, including Cisco Secure PIX Firewall, Cisco IOS Firewall, Cisco Secure Access Control Server UNIX & Windows NT and Cisco Secure Intrusion Detection Systems. He is a computer graduate and is a double CCIE in Routing & Switching and in Security. Feel free to post any questions relating to Management for IDS and Firewalls. Remember to use the rating system to let Nadeem know if you've received an adequate response.
Nadeem might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 1. Visit this forum often to view responses to your questions and the questions of other community members.
07-30-2003 08:28 AM
Hi Mcklair,
I have to check this out from developers, but I doubt that work is going on on this syslog issue. This is mainly because of CSPM being replaced with new tools, e.g. Firewall Management Console (VMS).
Both the CSPM and PIX have come out with new codes and this issue is still there, so I don't think it will be fixed. But I can double check this out.
Please send an email to me offline.
Thanks
Nadeem Khawaja
07-21-2003 07:41 PM
Hi Nadeem,
We've recently installed VMS 2.1 but are unable to add our PIX to the managed device list in PIX MC via the import configuration from existing device option. The import process reports errors regarding unrecognized commands for the NTP and daylight savings time related lines as well as for several static commands and ultimately will not add the device. The static commands it doesn't like involve static translations of entities on a low interface to a higher one.
Are you aware if support for these lines will be included in a future VMS release?
Is it possible to manage the device from PIX MC if it won't import its configuration?
Thanks in advance,
Craig.
07-22-2003 04:50 PM
Hi Craig,
In PIXMC 1.0 there were some unsupported commands, e.g.:
Site-to-site VPNs
Termination of remote-access VPN on the Cisco PIX Firewall
Point-to-Point Protocol over Ethernet (PPPoE)
Dual NAT
Turbo access control lists (ACLs)
Lightweight Directory Access Protocol (LDAP) fix-up
H323/Port Address Translation (PAT)
Trivial File Transfer Protocol (TFTP) settings for the Cisco IP Phone
Object groupings on the Cisco PIX Firewall
LAN failover
More information can be found at
Now the workarounds are:
1. Remove the problem commands from the PIX and import the configs.
2. Copy the entire config from the PIX into a txt file; remove the problem commands from this txt file, and insert the "removed" commands in the "ending commands" under PIX MC --> Configure --> Settings --> Config Additions. Then import the configs.
However, some of the new commands are supported in PIXMC 1.1.2.
Further information can be found at
http://cco/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/pix_111/pxdvc112.htm
Thanks
Nadeem Khawaja
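The second workaround above is mechanical: pull the lines the importer rejects out of a saved config and keep them aside for the "ending commands" box. The script below does that split for the three command shapes Craig reported (ntp lines, clock summer-time, and static translations whose real interface is less secure than the mapped one). It is an added example, not PIX MC code or anything Cisco ships; the config snippet is constructed with RFC 5737 test addresses, the interface names are hypothetical, and the prefix list only covers the commands named in this thread, so the real set of unsupported commands for a given PIX MC release may be wider.

```python
import re

# Constructed PIX 6.2-style snippet (not the thread's configuration); it only
# needs the command shapes that the thread says PIX MC 1.0 could not import.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
clock timezone EST -5
clock summer-time EDT recurring
ntp server 10.1.1.5 source inside prefer
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
static (dmz,inside) 10.1.1.20 172.16.1.20 netmask 255.255.255.255 0 0
access-list outgoing permit ip any any
access-group outgoing in interface inside
"""

# Command prefixes the thread names as rejected by the import (assumption:
# extend this tuple with whatever your own import run complains about).
UNSUPPORTED_PREFIXES = ("ntp ", "clock summer-time")

def interface_security(config: str) -> dict:
    """Map interface names to security levels from the nameif lines."""
    levels = {}
    for m in re.finditer(r"^nameif \S+ (\S+) security(\d+)", config, re.M):
        levels[m.group(1)] = int(m.group(2))
    return levels

def is_low_to_high_static(line: str, levels: dict) -> bool:
    """True for 'static (real_if,mapped_if)' where real_if is less secure than mapped_if."""
    m = re.match(r"static \((\w+),(\w+)\)", line)
    if not m:
        return False
    real_if, mapped_if = m.groups()
    if real_if not in levels or mapped_if not in levels:
        return False  # unknown interface: leave the line alone rather than guess
    return levels[real_if] < levels[mapped_if]

def split_for_import(config: str):
    """Return (importable lines, lines to paste into the 'ending commands' box)."""
    levels = interface_security(config)
    keep, deferred = [], []
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith(UNSUPPORTED_PREFIXES) or is_low_to_high_static(stripped, levels):
            deferred.append(line)
        else:
            keep.append(line)
    return keep, deferred

if __name__ == "__main__":
    importable, ending = split_for_import(SAMPLE_CONFIG)
    print("--- import this ---")
    print("\n".join(importable))
    print("--- ending commands ---")
    print("\n".join(ending))
```

The order of the deferred lines is preserved, which matters for the "ending commands" box: they are replayed after the imported config, so anything they depend on (here the nameif lines) is already in place.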
07-22-2003 04:02 AM
Hi,
I have a problem with the pix clock. I have configured NTP exactly in the primary and in the secondary pix, but in the secondary the clock is 30 minutes slow. Do I need to configure timezones? Where can I find a description of the timezone used by the pix? This is my ntp configuration and status:
#sh ntp
ntp server ip_address source inside prefer
#sh clock det
13:55:58.938 UTC Tue Jul 22 2003
Time source is NTP
# sh ntp asso deta
ip_address_ntp configured, insane, invalid, stratum 2
ref ID 192.5.41.41, time c2c764f4.7ee5de15 (07:23:32.495 UTC Tue Jul 22 2003)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 0.00 msec, root disp 1000.02, reach 377, sync dist 1746.078
delay 0.27 msec, offset -8247528.5871 msec, dispersion 745.93
precision 2**7, version 3
org time c2c79e1e.1eb851eb (11:27:26.119 UTC Tue Jul 22 2003)
rcv time c2c7be55.a612e5a2 (13:44:53.648 UTC Tue Jul 22 2003)
xmt time c2c7be55.a600b77d (13:44:53.648 UTC Tue Jul 22 2003)
filtdelay = 0.27 0.31 0.27 0.27 0.31 0.27 0.29 0.29
filtoffset = -824752 -824713 -824675 -824638 -824598 -824561 -824521 -824484
filterror = 0.02 15.64 31.27 46.89 62.52 78.14 93.77 109.39
Thanks
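The "show ntp associations detail" output above already contains the evidence for the skew: the association is marked insane/invalid and the offset is on the order of millions of milliseconds. The script below, an added example and not anything from the thread or from Cisco, parses that output, decodes the hexadecimal NTP timestamps (seconds since 1900, with a 32-bit binary fraction) into UTC, and reports the conditions a practitioner would check first. The sample text is constructed from the thread's own timestamps with a hypothetical server address, and the 1000 ms threshold is an assumption for this example, not the firewall's own step threshold.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread's "show ntp associations detail"
# output (hypothetical server address; the thread's timestamps are reused).
SAMPLE = """\
10.0.0.5 configured, insane, invalid, stratum 2
ref ID 192.5.41.41, time c2c764f4.7ee5de15 (07:23:32.495 UTC Tue Jul 22 2003)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 0.00 msec, root disp 1000.02, reach 377, sync dist 1746.078
delay 0.27 msec, offset -8247528.5871 msec, dispersion 745.93
precision 2**7, version 3
rcv time c2c7be55.a612e5a2 (13:44:53.648 UTC Tue Jul 22 2003)
"""

# NTP timestamps count seconds from 1 Jan 1900 UTC.
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Assumed sanity threshold for this example: an offset larger than this is
# reported as a problem, independently of what the firewall itself does.
MAX_OFFSET_MS = 1000.0

def ntp_hex_to_datetime(stamp: str) -> datetime:
    """Decode an NTP timestamp written as 'seconds.fraction' in hex."""
    secs_hex, _, frac_hex = stamp.partition(".")
    seconds = int(secs_hex, 16)
    fraction = int(frac_hex, 16) / 2**32 if frac_hex else 0.0
    return NTP_EPOCH + timedelta(seconds=seconds + fraction)

def parse_association(text: str) -> dict:
    """Pull the fields a clock-skew check needs out of the detail output."""
    first = text.splitlines()[0]
    peer, _, flags = first.partition(" ")
    info = {"peer": peer, "flags": [f.strip() for f in flags.split(",")]}
    m = re.search(r"offset (-?[\d.]+) msec", text)
    info["offset_ms"] = float(m.group(1)) if m else None
    m = re.search(r"reach (\d+)", text)
    info["reach_octal"] = m.group(1) if m else None
    m = re.search(r"ref ID (\S+), time ([0-9a-f]+\.[0-9a-f]+)", text)
    if m:
        info["ref_id"] = m.group(1)
        info["ref_time"] = ntp_hex_to_datetime(m.group(2))
    return info

def assess(info: dict) -> list:
    """Return human-readable findings; an empty list means the peer looks healthy."""
    findings = []
    if "insane" in info["flags"] or "invalid" in info["flags"]:
        findings.append("peer rejected by the clock filter (insane/invalid)")
    if info["offset_ms"] is not None and abs(info["offset_ms"]) > MAX_OFFSET_MS:
        skew = timedelta(milliseconds=abs(info["offset_ms"]))
        findings.append(f"offset {info['offset_ms']:.0f} ms (about {skew}) exceeds {MAX_OFFSET_MS:.0f} ms")
    if info["reach_octal"] != "377":
        findings.append(f"reach {info['reach_octal']} (recent polls were missed)")
    return findings

if __name__ == "__main__":
    info = parse_association(SAMPLE)
    print(info["peer"], "ref time", info["ref_time"].isoformat())
    for finding in assess(info):
        print(" -", finding)
```

Decoding the timestamps is a useful cross-check: the hex values in the thread decode to exactly the bracketed UTC times, so the time source itself is consistent and the problem lies in the local clock's distance from it, which is what the insane/invalid flags and the offset are saying.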
07-22-2003 09:21 AM
Hello
I have a customer that would like a VPN connection to the VP's home office to be always on. At the branch office he will be using a pix 501 and at the VP's home he will be using a 1700. Do you know of any good white papers for this? Also at the branch office there are vlans. Is there going to be a problem with the VP accessing the servers on the different vlans?
Thanks
Anthony
07-23-2003 10:39 AM
Hi Anthony,
Thanks for your question. You can find some reference at this link:
http://www.cisco.com/warp/public/110/pix-ios-easyvpn.html
Basically the solution is configuring Network Extension mode on the PIX501 going to any Easy VPN Server. As soon as you bring up the PIX501 in NEM it will initiate a tunnel to the head end and will keep it up.
As long as you have routing among the VLANs, you should not be having any issues for VP's connectivity with servers on different VLANS.
Thanks
Nadeem Khawaja
07-31-2003 12:50 PM
Hi Nadeem,
We had an issue about IPSec via UDP with PAT on CSS11051
We can't get connected to a concentrator from a remote LAN, regular clients directly connected to the internet can connect without a problem, the topology looks like this:
client--CSS--PIX--CSS(doing pat)--PIX--CSS--internet router-------internet----PIX--concentrator.
We were finally able to get it to work with IPSec/TCP after opening TCP port 10000. We still could not get it to work with UDP port 10000. The CSS that is doing the PAT'ing does not build a flow for the return packet; the PIX in front of the CSS is sending the packet according to the debugs, but the CSS is blocking it for some reason.
Cisco VPN Client : 4.0.1 (Rel)
3030 Concentrator: 4.0
PIX : 6.2(2)
CSS11051: 6.1(ap0610004)
Please advise.
Thanks
Richard
08-01-2003 09:37 AM
Hi Richard,
Thanks for your question.
We have seen issues in the past regarding IPSec/udp on the client....
Can you please check the LOGS to see what message it gives for disconnection on the Concentrator side:
Here is the bug ID CSCea19984
Internally found severe defect: Verified (V)
Concentrator reports -unsupported message length- during client conn
Log would be needed. A bug can be filed based on the log messages.
Thanks
Nadeem Khawaja
07-22-2003 09:52 AM
Hi,
Thanks for the question. Time zone can be configured through this command:
clock timezone
But I don't think this is a time zone config issue; it seems to me like a hardware issue on the secondary.
What does the "show ntp asso" say on the secondary PIX?
Thanks
Nadeem Khawaja
07-22-2003 10:41 PM
This is the sh ntp asso in the secondary. But the clock that isn't synced is the primary.
sh ntp asso
address ref clock st when poll reach delay offset disp
~ip_address 192.5.41.41 2 501 1024 377 0.3 -68828 694.2
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
07-22-2003 11:53 PM
Hello Mr. Khawaja,
My question is not about network management, it is about pix firewall configuration. I have 2 proxy servers: one is inside the network and one is on my proxy interface of pix firewall. Inside proxy ip address is 10.0.0.189 and IP address of the other proxy server which is on my proxy interface is 168.187.120.163.
I have a 15 MB link to the remote site. Until last week everything was working perfectly, then suddenly the connections started dropping and I was able to use only 2 MB bandwidth out of 15 MB. ISP is working perfectly. I had put my laptop on the proxy interface with the outside proxy server and it worked perfectly like before, but when I access something from inside the firewall it goes up to maximum 2.5 MB then the connection drops. Can you please check my PIX configuration and tell me where the problem could be? Your help in this matter will be appreciated.
My email is haseeb_eng@hotmail.com
sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security70
nameif ethernet3 proxy security50
nameif ethernet4 myfailover security40
nameif ethernet5 intf5 security25
object-group network ho-group
network-object 10.0.0.0 255.255.252.0
network-object 168.187.131.0 255.255.255.0
network-object 168.187.214.0 255.255.255.0
object-group network shu-group
network-object 172.16.0.0 255.255.0.0
network-object 168.187.132.0 255.255.255.0
network-object 168.187.74.64 255.255.255.192
network-object 168.187.126.128 255.255.255.224
object-group network ho-nts
network-object host 168.187.131.30
object-group network honts5
network-object host 168.187.131.192
object-group network admingrp
network-object host 10.0.3.249
network-object host 10.0.3.250
network-object host 10.0.3.248
network-object host 10.0.3.246
network-object host 10.0.3.247
network-object host 10.0.1.27
object-group network ho-lan
network-object 168.187.131.0 255.255.255.0
object-group network ho-lan2
network-object 168.187.214.0 255.255.255.0
object-group network bubyan-lan
network-object 168.187.128.0 255.255.255.128
object-group network ho-prv
network-object 10.0.0.0 255.255.252.0
object-group network proxy
network-object host 168.187.120.163
object-group network internet-users
group-object ho-group
group-object shu-group
object-group network Equate
network-object Equate-Olefins 255.255.255.0
object-group network ho-server
network-object host 168.187.214.46
network-object host 168.187.214.47
network-object host 168.187.214.48
network-object host 168.187.214.49
network-object host 168.187.214.50
network-object host 168.187.214.51
network-object host 168.187.214.52
network-object host 168.187.214.53
network-object host 168.187.214.54
object-group network shu-lan
network-object 168.187.132.0 255.255.255.0
object-group network shbprv-lan
network-object 172.16.0.0 255.255.0.0
object-group network export-net
network-object 168.187.74.64 255.255.255.192
object-group network RAS
network-object 168.187.126.128 255.255.255.248
object-group network videocon
network-object host 168.187.131.50
object-group network kpcvideo
network-object host 192.168.69.3
object-group network internet-proxy-srv
description Internet proxy server
network-object 10.0.0.189 255.255.255.255
object-group network internet-proxy-srv_ref
network-object 10.0.0.189 255.255.255.255
object-group network erp-ibm-group
network-object host 10.0.3.1
network-object host 10.0.3.2
network-object host 10.0.3.3
network-object host 10.0.3.4
network-object host 10.0.3.5
network-object host 10.0.3.6
network-object host 10.0.3.7
network-object host 10.0.3.8
network-object host 10.0.3.9
network-object host 10.0.3.10
object-group network ibm-vpn-serverlist
network-object 32.107.0.0 255.255.0.0
object-group network pic-vpn
description PIC VPN Device
network-object host 168.187.131.181
object-group network passthru
network-object host 10.0.1.27
network-object host 168.187.131.40
access-list outgoing permit ip object-group honts5 any
access-list outgoing permit ip object-group ho-nts any
access-list outgoing permit ip object-group ho-group object-group shu-group
access-list outgoing permit ip object-group internet-users object-group proxy
access-list outgoing permit ip object-group internet-proxy-srv object-group Equate
access-list outgoing permit ip object-group ho-group object-group bubyan-lan
access-list outgoing permit ip object-group admingrp any
access-list outgoing permit icmp any any
access-list outgoing permit ip object-group videocon object-group kpcvideo
access-list outgoing permit tcp object-group erp-ibm-group any eq 5080
access-list outgoing permit ip object-group erp-ibm-group object-group ibm-vpn-serverlist
access-list outgoing permit ip object-group pic-vpn any
access-list proxyrule permit ip object-group proxy any
access-list proxyrule permit ip object-group proxy 168.187.131.0 255.255.255.0
access-list incoming permit tcp any object-group ho-nts eq domain
access-list incoming permit udp any object-group ho-nts eq domain
access-list incoming permit udp any object-group ho-nts eq dnsix
access-list incoming permit tcp any object-group ho-nts eq smtp
access-list incoming permit tcp any object-group ho-nts eq pop3
access-list incoming permit tcp any object-group ho-nts eq www
access-list incoming permit icmp any object-group ho-nts
access-list incoming permit tcp any object-group honts5 eq www
access-list incoming permit ip object-group shu-group object-group ho-group
access-list incoming permit tcp object-group Equate object-group ho-nts eq www
access-list incoming permit ip object-group Equate object-group internet-proxy-srv_ref
access-list incoming permit ip object-group bubyan-lan object-group ho-group
access-list incoming permit ip object-group kpcvideo object-group videocon
access-list incoming permit icmp any object-group videocon
access-list incoming permit icmp any object-group admingrp
access-list incoming permit ip any object-group pic-vpn
access-list incoming permit icmp any host 168.187.131.39
access-list incoming permit ip any object-group passthru
access-list incoming permit icmp any host 168.187.131.40
pager lines 24
logging on
logging standby
logging host inside 10.0.3.250
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full shutdown
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu proxy 1500
mtu myfailover 1500
mtu intf5 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.0.1 255.255.252.0
ip address dmz 192.168.3.1 255.255.255.0
ip address proxy 168.187.120.165 255.255.255.240
ip address myfailover 192.168.4.1 255.255.255.0
ip address intf5 127.0.0.1 255.255.255.255
nat (inside) 0 168.187.131.0 255.255.255.0 0 0
nat (inside) 0 168.187.214.0 255.255.255.0 0 0
nat (inside) 0 10.0.0.0 255.255.252.0 0 0
nat (proxy) 0 168.187.120.163 255.255.255.255 0 0
static (inside,outside) 168.187.131.181 168.187.131.181 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.214.48 168.187.214.48 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.2.26 10.0.2.26 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.2.28 10.0.2.28 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.0.189 10.0.0.189 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.192 168.187.131.192 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.103 10.0.3.249 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.39 10.0.3.250 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.38 10.0.3.248 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.129 10.0.3.1 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.130 10.0.3.2 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.131 10.0.3.3 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.132 10.0.3.4 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.133 10.0.3.5 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.134 10.0.3.6 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.135 10.0.3.7 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.136 10.0.3.8 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.137 10.0.3.9 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.138 10.0.3.10 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.36 10.0.3.246 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.37 10.0.3.247 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.40 10.0.1.27 netmask 255.255.255.255 0 0
access-group incoming in interface outside
access-group outgoing in interface inside
access-group proxyrule in interface proxy
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 168.187.131.0 255.255.255.0 10.0.0.19 1
route inside 168.187.132.0 255.255.255.0 10.0.0.19 1
route inside 168.187.214.0 255.255.255.0 10.0.0.19 1
route inside 172.16.0.0 255.255.0.0 10.0.0.19 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
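A config of this size is hard to review by eye because the access-lists reference object-groups that in turn nest other object-groups. The script below, an added example written for this thread rather than any Cisco or poster code, parses the PIX 6.x object-group and access-list syntax used above, flattens each rule to concrete source/destination pairs, and lists the permits whose destination is "any" together with one configuration-hygiene check (an SNMP community set to a well-known default, which the posted config does contain). The embedded config is a constructed excerpt modelled on the posted one, with RFC 5737 test addresses instead of the poster's, so the parser runs offline but applies unchanged to the real thing.

```python
import re

# Constructed PIX 6.2-style excerpt modelled on the thread's configuration
# (RFC 5737 test addresses, not the poster's); same command shapes.
SAMPLE_CONFIG = """\
object-group network ho-group
network-object 10.0.0.0 255.255.252.0
network-object 192.0.2.0 255.255.255.0
object-group network shu-group
network-object 172.16.0.0 255.255.0.0
object-group network internet-users
group-object ho-group
group-object shu-group
object-group network proxy
description outside proxy
network-object host 198.51.100.163
access-list outgoing permit ip object-group internet-users object-group proxy
access-list outgoing permit icmp any any
access-list outgoing permit tcp object-group ho-group any eq 5080
access-group outgoing in interface inside
snmp-server community public
"""

ACL_RE = re.compile(
    r"access-list (\S+) (permit|deny) (\S+) "
    r"(object-group \S+|host \S+|any|\S+ \S+) "
    r"(object-group \S+|host \S+|any|\S+ \S+)(.*)$"
)

def parse_object_groups(config: str) -> dict:
    """Collect network object-groups and flatten nested group-object references."""
    raw, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            raw[current] = []
        elif current and line.startswith(("network-object ", "group-object ")):
            raw[current].append(line)
        elif current and line.startswith("description "):
            continue  # descriptions sit inside the group but carry no members
        else:
            current = None  # any other command ends the group body
    return {name: _resolve(name, raw, set()) for name in raw}

def _resolve(name: str, raw: dict, path: set) -> list:
    """Expand one group to 'net/mask' strings; `path` guards against reference loops."""
    if name in path:
        return []
    path.add(name)
    members = []
    for entry in raw.get(name, []):
        kind, rest = entry.split(" ", 1)
        if kind == "group-object":
            members.extend(_resolve(rest, raw, path))
        elif rest.startswith("host "):
            members.append(rest[5:] + "/255.255.255.255")
        else:
            net, mask = rest.split()
            members.append(f"{net}/{mask}")
    path.discard(name)
    return members

def _expand(term: str, groups: dict) -> list:
    """Turn an ACL address term into the list of concrete 'net/mask' strings."""
    if term == "any":
        return ["0.0.0.0/0.0.0.0"]
    kind, rest = term.split(" ", 1)
    if kind == "object-group":
        return groups.get(rest, [])
    if kind == "host":
        return [rest + "/255.255.255.255"]
    return [f"{kind}/{rest}"]  # plain 'network mask' form

def expand_acl(config: str, groups: dict) -> list:
    """Flatten every access-list entry into one dict per source/destination pair."""
    rules = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        acl, action, proto, src, dst, service = m.groups()
        for s in _expand(src, groups):
            for d in _expand(dst, groups):
                rules.append({"acl": acl, "action": action, "proto": proto,
                              "src": s, "dst": d, "service": service.strip()})
    return rules

def audit(config: str) -> list:
    """Findings a reviewer would want to look at first."""
    groups = parse_object_groups(config)
    findings = []
    for r in expand_acl(config, groups):
        if r["action"] == "permit" and r["dst"] == "0.0.0.0/0.0.0.0":
            svc = f" {r['service']}" if r["service"] else ""
            findings.append(f"{r['acl']}: {r['proto']} from {r['src']} to any{svc}")
    if re.search(r"^snmp-server community (public|private)$", config, re.M):
        findings.append("snmp-server community is a well-known default; change it or restrict SNMP")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Because every rule is flattened to concrete prefixes, the same list can be diffed between two saved configs to see exactly which source/destination pairs a change opened or closed, which is usually easier to review than the object-group edits themselves.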
07-23-2003 08:20 AM
Hi Haseeb,
Thanks for your question. I was wondering, since all your connections go through the proxy server, could the inside Proxy Server be the cause of this latency? Have you tried bypassing the proxy server?
Do Syslog messages on the PIX show anything?
How about the "show interface" output, do you see any packet drops?
We need further information here, e.g. SYSLOG messages, messages on the Proxy Server, and maybe sniffer traces on the inside/outside of the PIX.
Thanks
Nadeem Khawaja
07-24-2003 11:30 PM
Hi,
I still think this is a hardware issue. For further assistance you would need to open up a TAC case.
Thanks
Nadeem Khawaja
07-23-2003 11:32 PM
Is it possible to set a password for pix console access?
Thanks
07-24-2003 08:29 AM
Hi,
Thanks for your question. You have to configure AAA authentication on the console. Here is a link for your reference.
Thanks
Nadeem Khawaja