Re: Please help with Pix 501
- From: roberson@xxxxxxxxxxxxxxxxxx (Walter Roberson)
- Date: Sun, 30 Oct 2005 16:05:03 +0000 (UTC)
In article <1130683967.200307.10580@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
millsusaf <ebrianmills@xxxxxxxxx> wrote:
:->The only code I can find on Cisco is 6.3(5) and from what I have read
:it is the latest code for the Pix 501. Is this right?
Yes. But people who stick with x.y(1) often do not have access to
the software downloads, so I reported on the newest version that one
can update to for free. 6.3(5) is a bug-fix release, not a security
release, so it isn't covered by Cisco's free-update policies.
:->I know that the DHCP outside int isn't ideal, but my cable modem bill
:would more than double for a static, so unfortunately I have to deal
:with it. I am getting around it by, if I can't connect (once it is working
:totally), having the wife check on the IP by telnetting to the PIX
:and using the show ip command, getting that new address and changing it in my
:VPN client.
Consider using dyndns.
:-> >ip local pool ipool 172.26.69.10-172.26.69.25
:As for the ip mask, I read the doc and the way I read it, it states
:that by default the pix puts a /24 mask if nothing is entered (based on
:class of network). However I have tried to manually add a /24, but it
:is not allowing me to.
What syntax did you use? PIX 6.x does not accept the slash
notation for masks in any context.
:->As for my ACL, can someone scrub over this attempt? I don't think it
:is correct.
:global (outside) 1 interface access-list 101
You are right, the ACL is mostly wrong, probably because you are
fuzzy on what you are trying to do with it. The 'global' command
does not accept access lists.
Some specific hints for ACLs:
- use 'any' instead of '0.0.0.0 0.0.0.0'
- use 'interface outside' instead of 'outside'
- the only place you need to write ACLs to explicitly match both
forward and reverse traffic, is for use with 'capture'. For all other
cases, you write it in one direction only, and the PIX knows how
to read it "backwards" if it needs to.
- every ACL ends with a default deny of everything, so you do not
need to put one in (unless you want hitcounts or want to 'log'
it differently.)
:->According to this I have AES, I will just have to figure out how to
:turn it on.
:VPN-3DES-AES: Enabled
Add another transform set that uses esp-aes-256 hmac-sha and
on your 'crypto map MAP # set transform-set' line give the name of that
transform set first. Also, create an additional isakmp policy with
a lower number than your existing one, that uses aes-256 sha group 5.
--
Is there any thing whereof it may be said, See, this is new? It hath
been already of old time, which was before us. -- Ecclesiastes
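The configuration the reply above describes, pulled together as one PIX 6.3 fragment. This is an added example, not from Walter's post or from the original poster's config. It assumes a remote-access (VPN client) setup, so the transform sets hang off a dynamic crypto map; on a static 'crypto map MAP # set transform-set' line the ordering works the same way. The names MAP, DYNMAP, AES256-SHA, 3DES-MD5, NONAT, the group name "remote", the policy priorities 5 and 10, and the inside subnet 192.168.1.0/24 are assumptions; the pool ipool 172.26.69.10-172.26.69.25 comes from the thread. The PIX 6.3 keyword for the SHA-1 HMAC in a transform set is esp-sha-hmac. The comment lines are explanatory only; strip them before pasting into the console.

```cisco
! Added example (not the poster's or Walter's config). Names, priorities
! and the inside subnet are assumptions for illustration.

! --- Pool for VPN clients (from the thread); PIX 6.x takes no /24 or mask here
ip local pool ipool 172.26.69.10-172.26.69.25

! --- ACL hints: 'any', one direction only, no trailing deny.
! The PIX reads this NAT-exemption ACL "backwards" for the return traffic,
! so no mirror entry for pool->inside is needed.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 172.26.69.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 'global' takes an interface or an address range, never an access-list
global (outside) 1 interface
nat (inside) 1 0 0

! --- Transform sets: AES-256/SHA listed first so it is offered first,
! 3DES/MD5 kept second for clients that cannot do AES.
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10 set transform-set AES256-SHA 3DES-MD5
crypto map MAP 10 ipsec-isakmp dynamic DYNMAP
crypto map MAP client configuration address initiate
crypto map MAP interface outside

! --- ISAKMP: lower priority number is tried first, so policy 5 (AES-256,
! SHA, DH group 5) wins over the existing 3DES policy 10 when both sides support it.
isakmp enable outside
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Client group (name and key are placeholders)
vpngroup remote address-pool ipool
vpngroup remote password <pre-shared-key>
```

After a client connects, 'show isakmp sa' and 'show crypto ipsec sa' confirm what was actually negotiated; if the IPsec SA still reports esp-3des, the client side is proposing 3DES only, or the AES set is not listed first on the map.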