04-27-2011 01:47 PM
I am using two PIX 501s to run two locations on an IBM AS400. The PCs attached to this network are also used to run credit cards. I have to become PCI compliant. The compliance testing company, Trustwave, ran a scan of my network and issued a failing response due to the VPN concentrator (the PIX 501) supporting Aggressive mode IKE. Can anyone give me a fix for this problem?
04-28-2011 12:33 PM
Ted,
Newer PIX versions have the option to disable AM processing:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2190486
AFAIR PIX 501 can only run PIX OS 6.3 which didn't have this option.
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/gl.html#wp1027312
I have not been working with PIX for a while but I don't remember this option being there :{
Marcin
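
An added example, not part of the reply above or of Cisco's documentation: a Python check that reads a saved running configuration and reports whether IKE is enabled on an interface without aggressive mode being disabled, which is the condition the scan flagged. It assumes the ASA command forms `crypto isakmp am-disable` (the one in the linked 8.0 reference) and `crypto ikev1 am-disable` (its name in later ASA releases); the function name and both sample configurations are constructed for illustration.

```python
import re

# ASA commands that turn off IKEv1 aggressive-mode processing (assumed forms:
# "crypto isakmp am-disable" in 8.0-era software, "crypto ikev1 am-disable" later).
AM_DISABLE = re.compile(r"^crypto (?:isakmp|ikev1) am-disable$")
# IKE enabled on an interface: ASA "crypto isakmp|ikev1 enable X", PIX 6.3 "isakmp enable X".
IKE_ENABLE = re.compile(r"^(?:crypto )?(?:isakmp|ikev1) enable (\S+)$")


def audit_aggressive_mode(config_text):
    """Return the IKE-enabled interfaces and a pass/fail/no-ike status."""
    interfaces = []
    am_disabled = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if AM_DISABLE.match(line):
            am_disabled = True
            continue
        match = IKE_ENABLE.match(line)
        if match:
            interfaces.append(match.group(1))
    if not interfaces:
        status = "no-ike"      # nothing listening for IKE, finding not applicable
    elif am_disabled:
        status = "pass"        # IKE on, aggressive mode refused
    else:
        status = "fail"        # IKE on, aggressive mode still accepted
    return {"interfaces": interfaces, "am_disabled": am_disabled, "status": status}


# Constructed sample: PIX OS 6.3 style config, where no am-disable line is present.
PIX_63_SAMPLE = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
"""

# Constructed sample: ASA config with aggressive mode disabled.
ASA_SAMPLE = """\
crypto isakmp enable outside
crypto isakmp am-disable
crypto isakmp policy 10
 authentication pre-share
"""

if __name__ == "__main__":
    for name, cfg in (("PIX 6.3", PIX_63_SAMPLE), ("ASA", ASA_SAMPLE)):
        print(name, audit_aggressive_mode(cfg))
```
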
04-28-2011 02:07 PM
Marcin,
Thank you so much for your reply. We are a small business and do not need expensive equipment to operate. Could you tell me the PIX model number that I would need to turn off the aggressive mode IKE?
Thanks again,
Ted Landrum
04-28-2011 11:51 PM
Ted,
I'm not sure if you're aware, but PIX has had its end of life announced.
Now looking at the upgrade guide for PIX from 6.3 to 7.0, I can see that PIX models from 515 onwards can perform the upgrade.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml
The replacement for PIX is ASA, and the closest ASA model compared to PIX 501 is ASA 5505.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range
As for part numbers: well, not my part of the woods... here are all the parts and I'll highlight the one you're interested in, but double-check that with someone.
ASA5505-UL-BUN-K8 ASA 5505 Appliance with SW, UL Users, 8 ports, DES
ASA5505-50-BUN-K8 ASA 5505 Appliance with SW, 50 Users, 8 ports, DES
ASA5505-PWR-AC= ASA 5505 Spare AC Power Supply Adapter
ASA5505-SEC-BUN-K8 ASA 5505 Sec Plus Appliance with SW, UL Users, HA, DES
ASA5505-K8 ASA 5505 Appliance with SW, 10 Users, 8 ports, DES
ASA5505-MEM-512= 512 MB Memory Upgrade for Cisco ASA 5505 <=== Only if you want to run latest ASA software (8.3 and 8.4 releases)
Hope this helps,
Marcin
04-29-2011 07:34 AM
Marcin,
Thanks again for your help. I will look into either the PIX 515 or the ASA5505.
Thank you so much for your help.
Ted Landrum