Firewall Wizards (firewall-wizards) Mailing List

Cisco ASA 8.0(3) with RSA SecurID

Mon, 15 Sep 2008 13:59:47 -0400

Posted by Todd Simons on Sep 15

Hello All

We're starting to evaluate the ASA 5500 series to replace our existing
firewalls. On our current firewalls we use RSA tokens for
Authentication and WindowsAD for group Authorization. Is this possible
with the ASA?

~Todd

Re: VPNDMZ problem

Fri, 5 Sep 2008 15:52:29 +0530

Posted by aditya mukadam on Sep 5

Ian,

If you can get to the LAN resources and not to the DMZ resources, you
would need to check on :

1) Split tunneling : DMZ subnets should be allowed.
2) NAT 0 statement should be configured for traffic between DMZ and pool IP
3) Make sure there is a return route on the destination ( jus to...

Re: PIX515 Inside NAT to private addresses through P2PTunnel

Fri, 5 Sep 2008 15:57:10 +0530

Posted by aditya mukadam on Sep 5

Dave,

As correctly suggested by the group you would need to use *policy
based static NAT*. Keep in mind, NATing happens first and then will
hit the crypto map.So, define your crypto ACLs accordingly. Make sure
there is no conflicting NAT-0 statement for the crypto traffic as,
NAT-0 will take...

Re: VPNDMZ problem

Fri, 05 Sep 2008 12:07:09 +0100

Posted by Ian Rarity on Sep 05

Yep, that was it. The VPN split-tunnel uses a different ACL, which I'd
forgotten to update. Everything's working now; thanks for responding.

Ta,
IR.

*********************************
Ian Rarity
Technical Engineer
ESPC (UK) Ltd.
T: (44)131 624 8000
F: (44)131 624 8509
...

Re: Question on PIX replication

Sat, 6 Sep 2008 13:07:28 +0300

Posted by Farrukh Haroon on Sep 6

This happened to me while working for one customer. It appeared to be a
combination of failover link problems and perhaps even a software bug. I had
to clear both boxes (write erase) and reload the configurations.

You can run the 'debug fover ...' commands to get more meaningful results as
to...

Re: Question on PIX replication

Thu, 4 Sep 2008 00:21:06 -0500

Posted by Christopher J. Wargaski on Sep 4

Hey Steve--

I haven't seen this one before, but be prepared to make those
configuration changes again.

I would try the following:
1a) power cycle the PIX that is in standby mode
1b) do a write standby

2a) failing 1, try a manual fail-back to the primary...

Re: PIX 6.1 xlate issues

Thu, 4 Sep 2008 00:14:42 -0500

Posted by Christopher J. Wargaski on Sep 4

Hello Shiv--

I recently saw a PIX 515E become so overwhelmed with the number of NAT
translations that it exhausted the memory it had and pretty much stopped
passing traffic until the dynamic NAT table was cleared. It turns out that a
virus on the inside had infected a...

Re: VPNDMZ problem

Thu, 4 Sep 2008 00:07:50 -0500

Posted by Christopher J. Wargaski on Sep 4

Hey Ian--

Are you using split-tunneling with the VPN? If so, make sure that the ACL
permits the DMZ.

On Tue, Sep 2, 2008 at 5:06 AM, Ian Rarity <Ian.Rarity_at_espc.com> wrote:

> Hi,
>
> We're having a problem with our VPN; we have a PIX 515E with 4
>...

Re: PIX515 Inside NAT to private addresses through P2PTunnel

Thu, 4 Sep 2008 22:13:14 +0200

Posted by Robby Cauwerts on Sep 4

Hi,

You can nat both source and destination at your site.

Have a look at the following example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

Keep in mind that when using this setup you will need to publish the natted
address on your...

Re: PIX 6.1 xlate issues

Wed, 3 Sep 2008 19:18:41 -0400

Posted by kevin horvath on Sep 3

this sounds odd. if it was an xlate issue with it getting overwhelmed
then not just the dns server but other devices would also have
connectivity issues. You should increase you logging level to
informational and see what the logs say when you encounter this issue.
I did have a...

Re: PIX515 Inside NAT to private addresses through P2PTunnel

Thu, 4 Sep 2008 17:13:52 -0500

Posted by Chris Myers on Sep 4

Will you be having bi-directional traffic? If so, then you will need
to do the reverse of this in the other direction. Outbound you need to
source NAT your 10.195.x.x (i.e local network) addresses to say
10.2.2.x, so the remote network does not see the src as its own
subnet, so they...

Re: VPNDMZ problem

Thu, 4 Sep 2008 06:37:57 -0500

Posted by Chris Myers on Sep 4

Hi Ian,

What is the revision you are running? If 6.3 then make sure that
there is a 'nat 0 access-list nonat' . This matches the ACL/ACLS
below depending on how many you need to build for nonat. You need a
nat 0 statement above for each...

Question on PIX replication

Wed, 20 Aug 2008 16:23:13 -0400

Posted by Steven Pfister on Aug 20

I've got a pair of PIX 525 in an active/standby configuration. I recently made some fairly large configuration changes to the active pix. Ever since then, I'm getting some errors when writing the config to the standby unit. The error looks something like:

"At <date/time>, this active...

PIX515 Inside NAT to private addresses through P2PTunnel

Tue, 26 Aug 2008 14:02:36 -0400 (EDT)

Posted by Dave Arroyo on Aug 26

I am not a PIX super user but know enough to get in trouble...
I have a PIX515 that has a site to site tunnel to a client location where we will be accessing Citrix servers, they are using a 10.195.x.x network that overlaps with other private ranges allready in use throughout our network. I can...

PIX 6.1 xlate issues

Wed, 20 Aug 2008 09:02:25 +0300

Posted by B Shivanthan on Aug 20

Hello there,
I am using a PIX 6.1 (I know its quite old and replacement procedures already in place) and facing problems with xlates getting
overwhelmed. I have this firewall serving our corporate network, where I have a proxy server, SMTP server, DNS server and about 1500 users
browsing the...