Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1071
Views
0
Helpful
4
Replies

PCI compliance problem with PIX 501

tedlandrum
Level 1
Level 1

‎04-27-2011 01:47 PM

I am using two pix 501s to run two locations on an IBM AS400.  The PCs attached to this network are also used to run credit cards. I have to become PCI Compliant.  The compliant testing company, Trustwave, ran a scan of my network and issued failing response due to the VPN concentrator (the Pix 501) supporting Aggressive mode IKE. Can anyone give me a fix for this problem?

Labels:
0 Helpful
4 Replies 4

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎04-28-2011 12:33 PM

Ted,

Newer PIX versions have the option to disable AM processing:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2190486

AFAIR PIX 501 can only run PIX OS 6.3 which didn't have this option.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/gl.html#wp1027312

I have not been working with PIX for a while but I don't remember this option being there :{

Marcin

0 Helpful

tedlandrum
Level 1
Level 1
In response to Marcin Latosiewicz

‎04-28-2011 02:07 PM

Marcin,

Thank you so much for your reply.  We are a small business and do not need expensive equipment to operate.  Could you tell the PIX model number that I would need to turn off the aggressive mode IKE.

Thanks again,

Ted Landrum

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to tedlandrum

‎04-28-2011 11:51 PM

Ted,

I'm not sure if you're aware but PIX has end of life announced.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps2031/prod_eol_notice0900aecd80731dec.html

Now looking at upgrade guide for PIX from 6.3 to 7.0, I can see that PIX from 515 onwards can perform upgrade.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

The replacement for PIX is ASA, and the closest ASA model compared to PIX 501 is ASA 5505.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

As for parts number. Well not my part of the woods... here are all parts and I'll highlight the one you're interested in, but doublecheck that with someone.

ASA5505-UL-BUN-K8       ASA 5505 Appliance with SW, UL Users, 8 ports, DES
ASA5505-50-BUN-K8       ASA 5505 Appliance with SW, 50 Users, 8 ports, DES
ASA5505-PWR-AC= ASA 5505 Spare AC Power Supply Adapter
ASA5505-SEC-BUN-K8      ASA 5505 Sec Plus Appliance with SW, UL Users, HA, DES
ASA5505-K8      ASA 5505 Appliance with SW, 10 Users, 8 ports, DES
ASA5505-MEM-512=        512 MB Memory Upgrade for Cisco ASA 5505 <=== Only if you want to run latest ASA software (8.3 and 8.4 releases)

Hope this helps,

Marcin

0 Helpful

tedlandrum
Level 1
Level 1
In response to Marcin Latosiewicz

‎04-29-2011 07:34 AM

Marcin,

Thanks again for your help. I will look into either the PIX 515 or the ASA5505.

Thank you so much for your help.

ted Landrum

0 Helpful
Customers Also Viewed These Support Documents