ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Management for IDS and Firewalls with Cisco expert Nadeem Khawaja. Nadeem supports Security related products, including Cisco Secure PIX Firewall, Cisco IOS Firewall, Cisco Secure Access Control Server UNIX & Windows NT and Cisco Secure Intrusion Detection Systems. He is a computer graduate and is a double CCIE in Routing & Switching and in Security. Feel free to post any questions relating to Management for IDS and Firewalls. Remember to use the rating system to let Nadeem know if you’ve received an adequate response.

Nadeem might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 1. Visit this forum often to view responses to your questions and the questions of other community members.

49 Replies

Hi Mcklair,

I have to check this out with the developers, but I doubt that work is going on on this syslog issue. This is mainly because CSPM is being replaced with new tools, e.g. Firewall Management Console (VMS).

Both the CSPM and PIX have come out with new codes and this issue is still there, so I don't think it will be fixed. But I can double check this out.

Please send an email to me offline.

Thanks

Nadeem Khawaja

nkhawaja@cisco.com

cdoyle
Level 1

Hi Nadeem,

We’ve recently installed VMS 2.1 but are unable to add our PIX to the managed device list in PIX MC via the “import configuration from existing device” option. The import process reports errors regarding “unrecognized commands” for the NTP and daylight savings time related lines as well as for several static commands and ultimately will not add the device. The static commands it doesn’t like involve static translations of entities on a low interface to a higher one.

Are you aware if support for these lines will be included in a future VMS release?

Is it possible to manage the device from PIX MC if it won’t import its configuration?

Thanks in advance,

Craig.

Hi Craig,

In PIXMC1.0 there were some unsupported commands, e.g.

Site-to-site VPNs

Termination of remote-access VPN on the Cisco PIX Firewall

Point-to-Point Protocol over Ethernet (PPPoE)

Dual NAT

Turbo access control lists (ACLs)

Lightweight Directory Access Protocol (LDAP) fix-up

H323/Port Address Translation (PAT)

Trivial File Transfer Protocol (TFTP) settings for the Cisco IP Phone

Object groupings on the Cisco PIX Firewall

LAN failover

More information can be found at

http://cco/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/pix/sup_dev/dev_supt.htm

Now the workarounds are

1. remove the problem commands from the pix and import the Configs

2. copy the entire Configs from the pix into a txt file; remove the problem commands from this txt file, and insert the "removed" commands in the "ending commands" under pix mc --> configure --> settings --> Configs' additions.

Then import the Configs

However, some of the new commands are supported in PIXMC1.1.2

Further information can be found at

http://cco/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/pix_111/pxdvc112.htm

Thanks

Nadeem Khawaja

jmprats
Level 4

Hi,

I have a problem with the pix clock. I have configured NTP exactly the same in the primary and in the secondary pix, but the secondary clock is 30 minutes slow. Do I need to configure timezones? Where can I find a description of the timezone used by the pix? This is my ntp configuration and status:

#sh ntp
ntp server ip_address source inside prefer
#sh clock det
13:55:58.938 UTC Tue Jul 22 2003
Time source is NTP
# sh ntp asso deta
ip_address_ntp configured, insane, invalid, stratum 2
ref ID 192.5.41.41, time c2c764f4.7ee5de15 (07:23:32.495 UTC Tue Jul 22 2003)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 0.00 msec, root disp 1000.02, reach 377, sync dist 1746.078
delay 0.27 msec, offset -8247528.5871 msec, dispersion 745.93
precision 2**7, version 3
org time c2c79e1e.1eb851eb (11:27:26.119 UTC Tue Jul 22 2003)
rcv time c2c7be55.a612e5a2 (13:44:53.648 UTC Tue Jul 22 2003)
xmt time c2c7be55.a600b77d (13:44:53.648 UTC Tue Jul 22 2003)
filtdelay = 0.27 0.31 0.27 0.27 0.31 0.27 0.29 0.29
filtoffset = -824752 -824713 -824675 -824638 -824598 -824561 -824521 -824484
filterror = 0.02 15.64 31.27 46.89 62.52 78.14 93.77 109.39

Thanks

Hello

I have a customer that would like a VPN connection to the VP's home office to be always on. At the branch office he will be using a pix 501 and at the VP's home he will be using a 1700. Do you know of any good white papers for this? Also at the branch office there are vlans. Is there going to be a problem with the VP accessing the servers on the different vlans?

Thanks

Anthony

Hi Anthony,

Thanks for your question. You can find some reference at this link

http://www.cisco.com/warp/public/110/pix-ios-easyvpn.html

Basically the solution is configuring Network Extension mode on the PIX501 going to any Easy VPN Server; as soon as you bring up the PIX501 in NEM it will initiate a tunnel to the head end and will keep it up.

As long as you have routing among the VLANs, you should not have any issues with the VP's connectivity to servers on different VLANs.

Thanks

Nadeem Khawaja

Hi Nadeem,

We had an issue about IPSec via UDP with PAT on CSS11051

We can't get connected to a concentrator from a remote LAN, regular clients directly connected to the internet can connect without a problem, the topology looks like this:

client--CSS--PIX--CSS(doing pat)--PIX--CSS--internet router-------internet----PIX--concentrator.

We were finally able to get it to work with IPSec/TCP after opening TCP port 10000. We still could not get it to work with UDP port 10000. The CSS that is doing the PAT'ing does not build a flow for the return packet; the PIX in front of the CSS is sending the packet according to the debugs, but the CSS is blocking it for some reason.

Cisco VPN Client : 4.0.1 (Rel)

3030 Concentrator: 4.0

PIX : 6.2(2)

CSS11051: 6.1(ap0610004)

Please advise.

Thanks

Richard

nkhawaja
Cisco Employee

Hi Richard,

Thanks for your question.

We have seen issues in the past regarding IPSec/UDP on the client.

Can you please check the logs to see what message it gives for the disconnection on the Concentrator side:

Here is the bug ID CSCea19984

Internally found severe defect: Verified (V)

Concentrator reports -unsupported message length- during client conn

Log would be needed. A bug can be filed based on the log messages.

Thanks

Nadeem Khawaja

Hi,

Thanks for the question. TimeZone can be configured through this command.

clock timezone []

But I don't think this is a time zone config issue; it seems to me to be a hardware issue on the secondary.

What does "show ntp asso" say on the secondary PIX?

Thanks

Nadeem Khawaja

This is the sh ntp asso on the secondary. But the clock that isn't synced is the primary.

sh ntp asso
address ref clock st when poll reach delay offset disp
~ip_address 192.5.41.41 2 501 1024 377 0.3 -68828 694.2
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
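The two outputs posted in this exchange, the "insane, invalid" association detail and the one-line tally table, can be checked mechanically before the firewall's timestamps are trusted for log and IDS event correlation. The following parser is an added example, not code from the thread, and it assumes ntpd's 1000 s panic limit as the sanity threshold beyond which a clock is never stepped.

```python
import re
# Constructed samples: the "show ntp associations detail" and "show ntp associations" output posted above.
NTP_DETAIL = """\
ip_address_ntp configured, insane, invalid, stratum 2
root delay 0.00 msec, root disp 1000.02, reach 377, sync dist 1746.078
delay 0.27 msec, offset -8247528.5871 msec, dispersion 745.93
"""
NTP_SUMMARY = """\
address ref clock st when poll reach delay offset disp
~ip_address 192.5.41.41 2 501 1024 377 0.3 -68828 694.2
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

def parse_detail(text):
    """One dict per association in 'show ntp associations detail' output."""
    assocs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^(\S+) configured, (.*?), stratum (\d+)", line)
        if m:
            flags = ["configured"] + [f.strip() for f in m.group(2).split(",")]
            cur = {"peer": m.group(1), "flags": flags, "stratum": int(m.group(3)),
                   "synced": "our_master" in flags, "reach": 0, "offset_ms": 0.0}
            assocs.append(cur)
        elif cur is not None:
            m = re.search(r"\breach (\d+)", line)          # octal reachability shift register
            if m:
                cur["reach"] = int(m.group(1), 8)
            m = re.search(r"\boffset (-?[\d.]+) msec", line)
            if m:
                cur["offset_ms"] = float(m.group(1))
    return assocs

def parse_summary(text):
    """One dict per peer row of the one-line 'show ntp associations' table."""
    row = re.compile(r"^([*#+\-~])(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\d+\s+(\d+)\s+-?[\d.]+\s+(-?[\d.]+)\s")
    peers = []
    for line in text.splitlines():
        m = row.match(line)
        if m:                                              # header and tally legend do not match
            peers.append({"peer": m.group(2), "stratum": int(m.group(4)),
                          "reach": int(m.group(5), 8), "offset_ms": float(m.group(6)),
                          "synced": m.group(1) == "*"})    # '*' marks the synced master
    return peers

def assess(assoc):
    """Say whether the firewall can trust this association as a time source, and if not, why."""
    if assoc["reach"] == 0:
        return "unreachable: no replies in the last eight polls"
    off_s = abs(assoc["offset_ms"]) / 1000.0
    if off_s >= 1000.0:   # assumed: ntpd's 1000 s panic limit, beyond which the clock is never stepped
        return "insane: offset %.0f s exceeds the sanity limit, clock will not be stepped" % off_s
    if assoc["synced"]:
        return "synced: offset %.3f s" % off_s
    return "candidate: reachable, offset %.1f s, not selected as master" % off_s
```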

Hello Mr. Khawaja ,

My question is not about network management; it is about pix firewall configuration. I have 2 proxy servers: one is inside the network and one is on the proxy interface of the pix firewall. The inside proxy IP address is 10.0.0.189 and the IP address of the other proxy server, which is on my proxy interface, is 168.187.120.163.

I have a 15 MB link to a remote site. Until last week everything was working perfectly, then suddenly the connections started dropping and I was able to use only 2 MB of bandwidth out of 15 MB. The ISP is working perfectly. I put my laptop on the proxy interface with the outside proxy server and it worked perfectly like before, but when I access something from inside the firewall it goes up to a maximum of 2.5 MB and then the connection drops. Can you please check my PIX configuration and tell me where the problem could be? Your help in this matter will be appreciated.

My email is haseeb_eng@hotmail.com

sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security70
nameif ethernet3 proxy security50
nameif ethernet4 myfailover security40
nameif ethernet5 intf5 security25
object-group network ho-group
network-object 10.0.0.0 255.255.252.0
network-object 168.187.131.0 255.255.255.0
network-object 168.187.214.0 255.255.255.0
object-group network shu-group
network-object 172.16.0.0 255.255.0.0
network-object 168.187.132.0 255.255.255.0
network-object 168.187.74.64 255.255.255.192
network-object 168.187.126.128 255.255.255.224
object-group network ho-nts
network-object host 168.187.131.30
object-group network honts5
network-object host 168.187.131.192
object-group network admingrp
network-object host 10.0.3.249
network-object host 10.0.3.250
network-object host 10.0.3.248
network-object host 10.0.3.246
network-object host 10.0.3.247
network-object host 10.0.1.27
object-group network ho-lan
network-object 168.187.131.0 255.255.255.0
object-group network ho-lan2
network-object 168.187.214.0 255.255.255.0
object-group network bubyan-lan
network-object 168.187.128.0 255.255.255.128
object-group network ho-prv
network-object 10.0.0.0 255.255.252.0
object-group network proxy
network-object host 168.187.120.163
object-group network internet-users
group-object ho-group
group-object shu-group
object-group network Equate
network-object Equate-Olefins 255.255.255.0
object-group network ho-server
network-object host 168.187.214.46
network-object host 168.187.214.47
network-object host 168.187.214.48
network-object host 168.187.214.49
network-object host 168.187.214.50
network-object host 168.187.214.51
network-object host 168.187.214.52
network-object host 168.187.214.53
network-object host 168.187.214.54
object-group network shu-lan
network-object 168.187.132.0 255.255.255.0
object-group network shbprv-lan
network-object 172.16.0.0 255.255.0.0
object-group network export-net
network-object 168.187.74.64 255.255.255.192
object-group network RAS
network-object 168.187.126.128 255.255.255.248
object-group network videocon
network-object host 168.187.131.50
object-group network kpcvideo
network-object host 192.168.69.3
object-group network internet-proxy-srv
description Internet proxy server
network-object 10.0.0.189 255.255.255.255
object-group network internet-proxy-srv_ref
network-object 10.0.0.189 255.255.255.255
object-group network erp-ibm-group
network-object host 10.0.3.1
network-object host 10.0.3.2
network-object host 10.0.3.3
network-object host 10.0.3.4
network-object host 10.0.3.5
network-object host 10.0.3.6
network-object host 10.0.3.7
network-object host 10.0.3.8
network-object host 10.0.3.9
network-object host 10.0.3.10
object-group network ibm-vpn-serverlist
network-object 32.107.0.0 255.255.0.0
object-group network pic-vpn
description PIC VPN Device
network-object host 168.187.131.181
object-group network passthru
network-object host 10.0.1.27
network-object host 168.187.131.40
access-list outgoing permit ip object-group honts5 any
access-list outgoing permit ip object-group ho-nts any
access-list outgoing permit ip object-group ho-group object-group shu-group
access-list outgoing permit ip object-group internet-users object-group proxy
access-list outgoing permit ip object-group internet-proxy-srv object-group Equate
access-list outgoing permit ip object-group ho-group object-group bubyan-lan
access-list outgoing permit ip object-group admingrp any
access-list outgoing permit icmp any any
access-list outgoing permit ip object-group videocon object-group kpcvideo
access-list outgoing permit tcp object-group erp-ibm-group any eq 5080
access-list outgoing permit ip object-group erp-ibm-group object-group ibm-vpn-serverlist
access-list outgoing permit ip object-group pic-vpn any
access-list proxyrule permit ip object-group proxy any
access-list proxyrule permit ip object-group proxy 168.187.131.0 255.255.255.0
access-list incoming permit tcp any object-group ho-nts eq domain
access-list incoming permit udp any object-group ho-nts eq domain
access-list incoming permit udp any object-group ho-nts eq dnsix
access-list incoming permit tcp any object-group ho-nts eq smtp
access-list incoming permit tcp any object-group ho-nts eq pop3
access-list incoming permit tcp any object-group ho-nts eq www
access-list incoming permit icmp any object-group ho-nts
access-list incoming permit tcp any object-group honts5 eq www
access-list incoming permit ip object-group shu-group object-group ho-group
access-list incoming permit tcp object-group Equate object-group ho-nts eq www
access-list incoming permit ip object-group Equate object-group internet-proxy-srv_ref
access-list incoming permit ip object-group bubyan-lan object-group ho-group
access-list incoming permit ip object-group kpcvideo object-group videocon
access-list incoming permit icmp any object-group videocon
access-list incoming permit icmp any object-group admingrp
access-list incoming permit ip any object-group pic-vpn
access-list incoming permit icmp any host 168.187.131.39
access-list incoming permit ip any object-group passthru
access-list incoming permit icmp any host 168.187.131.40
pager lines 24
logging on
logging standby
logging host inside 10.0.3.250
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full shutdown
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu proxy 1500
mtu myfailover 1500
mtu intf5 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.0.1 255.255.252.0
ip address dmz 192.168.3.1 255.255.255.0
ip address proxy 168.187.120.165 255.255.255.240
ip address myfailover 192.168.4.1 255.255.255.0
ip address intf5 127.0.0.1 255.255.255.255
nat (inside) 0 168.187.131.0 255.255.255.0 0 0
nat (inside) 0 168.187.214.0 255.255.255.0 0 0
nat (inside) 0 10.0.0.0 255.255.252.0 0 0
nat (proxy) 0 168.187.120.163 255.255.255.255 0 0
static (inside,outside) 168.187.131.181 168.187.131.181 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.214.48 168.187.214.48 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.2.26 10.0.2.26 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.2.28 10.0.2.28 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.0.189 10.0.0.189 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.192 168.187.131.192 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.103 10.0.3.249 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.39 10.0.3.250 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.38 10.0.3.248 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.129 10.0.3.1 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.130 10.0.3.2 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.131 10.0.3.3 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.132 10.0.3.4 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.133 10.0.3.5 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.134 10.0.3.6 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.135 10.0.3.7 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.136 10.0.3.8 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.137 10.0.3.9 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.74.138 10.0.3.10 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.36 10.0.3.246 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.37 10.0.3.247 netmask 255.255.255.255 0 0
static (inside,outside) 168.187.131.40 10.0.1.27 netmask 255.255.255.255 0 0
access-group incoming in interface outside
access-group outgoing in interface inside
access-group proxyrule in interface proxy
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 168.187.131.0 255.255.255.0 10.0.0.19 1
route inside 168.187.132.0 255.255.255.0 10.0.0.19 1
route inside 168.187.214.0 255.255.255.0 10.0.0.19 1
route inside 172.16.0.0 255.255.0.0 10.0.0.19 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat

Hi Haseeb,

Thanks for your question. I was wondering, since all your connections go through the proxy server, could the inside proxy server be the cause of this latency? Have you tried bypassing the proxy server?

Do syslog messages on the PIX show anything?

How about the "show interface" output? Do you see any packet drops?

We need further information here, e.g. SYSLOG messages, messages on the proxy server, and maybe sniffer traces on the inside/outside of the PIX.

Thanks

Nadeem Khawaja

Hi,

I still think this is a hardware issue. For further assistance you would need to open up a TAC case.

Thanks

Nadeem Khawaja

jmprats
Level 4

Is it possible to set a password for pix console access?

Thanks

Hi,

Thanks for your question. You have to configure AAA authentication on the console. Here is a link for your reference.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e71.shtml#consoleport

Thanks

Nadeem Khawaja
