RE: [fw-wiz] Cisco PiX 501 running 6.2 - Defying me for no reason

From: Steven A. Fletcher (sfletcher_at_integrityts.com)
Date: 03/15/04

    To: "Kyle King" <KKing@Bankshill.com>, "FW Wizards" <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 15 Mar 2004 16:44:55 -0600
    
    

    Can you send the configuration for your PIX? I think that would be more
    helpful in determining the problem. Of course, I would change all
    external addresses, just to be safe.

    Also, do you have a Smartnet contract on your PIX? If so, you might
    want to try upgrading to a newer OS. The latest version (6.33) seems
    pretty stable and has fixed numerous problems.

    Steve Fletcher
    Senior Network Engineer, MCSE, Master ASE, CCNA
    Integrity Technology Solutions
    Phone: (309)664-8129
    Toll Free: (888) 764-8100 ext. 129
    Fax: (309) 662-6421
    sfletcher@integrityts.com

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Kyle King
    Sent: Friday, March 12, 2004 7:02 PM
    To: FW Wizards
    Subject: [fw-wiz] Cisco PiX 501 running 6.2 - Defying me for no reason

    Hello all again,

    Well, after researching, configuring, reconfiguring, and just a bit of
    sweating, the company has finally agreed with me on not trying to connect
    the vpn client through the SecureWay firewall. We bought ourselves a Cisco
    PiX 501 with the understanding that it can act as the vpn client when
    connecting to a concentrator. We got it yesterday around 10 am. 12 man
    hours later, I am still trying to make it go.

    The PiX is outside the firewall, on its own line/lines (explained in a
    second). When it is configured to use DHCP to get its outside line, and not
    configured for anything else, the PCs behind it (the 3 that will connect to
    the vpn eventually) can access the internet fine. However, when I turn on
    the easy vpn client option, with the correct information (I have checked it
    many times) the internet dies. We also cannot connect to anything on the
    other end of the tunnel. In the past, when the PCs were outside the
    firewall, without the Cisco PiX between them, when the vpn client was
    enabled, the internet would still work for them. But besides all this, I
    also have another problem; our computers that access the outside line (which
    is now the PiX with the computers behind it) must use the last static IP
    address we own, not DHCP.

    When I configure one of the computers with the appropriate information for a
    static IP, the computer connects to the internet fine (this is when not
    connected with the PiX between it). However, it requires that I supply the
    DNS servers. When I configure the PiX to access the internet using a static
    IP, nowhere do I find the command/option to input the DNS servers; and
    besides that, when I use static IP, the computers behind the firewall cannot
    access the internet.

    I have read and done as the manual describes 5 times in the last 2 days.
    However, the manual seems to always assume that the PiX will connect to a
    router before accessing the internet, so all the configuration setups it
    supplies assume I can use either many outside IPs, or other effects to that
    nature. For example: It says to assign the NAT/PAT in this way -
       global (outside) 1 x.x.x.201-x.x.x.211
       global (outside) 1 x.x.x.212
    This supposedly makes the NAT addresses all run on the 201-211 addresses,
    and the PAT on the 212 address. However, since the PiX is accessing only
    the static address, I only have access to the one address. I have tried
    setting the command "global (outside) 1 x.x.x.x" where x.x.x.x is the static
    IP I have, but it gives me an error saying something like, you cannot use
    this command because that address is already assigned. Also I know
    about the option during the startup wizard to have NAT/PAT just go through
    the outside address, but that seems to not help.

    Anyway, I would appreciate any help you guys can offer. All I can say is, I
    feel like a real leech so far on here.... I haven't contributed yet.... but
    I will.

    Kyle King
    Banks-Hill Systems Ltd.
    email: KKing@bankshill.com
    Phone: (780) 488 6100 ext. 242
    Fax: (780) 488 4550
    www.bankshill.com

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards