Tek-Tips is the largest IT community on the Internet today!

Search results for query: *

  1. gconnect

    Anyconnect - How does an SSL VPN user choose their group

    Here is the background.... Users in several different administrative groups need to use the SSL VPN (i.e., Finance, Engineering, etc). When a user logs on how do they choose the group that they should belong to? I need to allocate specific IP ranges based upon their group assignment, etc...
  2. gconnect

    PIX 515E-HOW TO BLOCK MP3,EXE,AVI ETC DOWNLOADS

    You can't do that with the PIX if 6.3 or lower http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00801e419a.shtml You may be able to do it if you are running 7.0 by using policy maps (not 100% sure though) i.e., class-map match-any FILTER_P2P match protocol http...
  3. gconnect

    allowing IP port 50 (ESP)?

    This is a separate VPN device behind my firewall that will be configured to establish a VPN connection over the Internet to another site. So the sysopt command will take care of everything and is also for outbound only?" No not really, ESP is not stateful per se. You will need to add permit...
  4. gconnect

    VPN seems to be one way

    try this on your OffSite PIX firewall sysopt connection permit-ipsec
  5. gconnect

    Pix vpn client gateway

    the DS3 router is also the main gateway that allows LAN nodes to access local(??) and remote LAN....." So is the DS3 Router directly behind the PIX? Internet ---> PIX ----> DS3Router ----> LAN | | WAN...
  6. gconnect

    Allow FTP access, port 21

    Have you tried sniffing the traffic on the inside? Or even on the FTP server itself for that matter to see what is actually coming in. You may want to compare that with the output from a 'debug packet outside' on the router. If you sniff the traffic on the client and get ICMP Destination...
  7. gconnect

    Question about our VPN between Pix 515 and Pix 501

    As far as verification commands I have listed some below. But, before we get off-track, can you SSH into the remote PIX? If so then great. You may be able to log in and debug it from both ends. I am sure you may already have a ssh client but if not...
  8. gconnect

    Question about our VPN between Pix 515 and Pix 501

    BTW, I was a little puzzled by the license saying it's not applicable....could this be it??" Sorry, but what do you mean by this? On which end do you get this? Also I think that some of the lower end PIX boxes limit the number of VPN tunnels. What model are you running at your main site? 506...
  9. gconnect

    Question about our VPN between Pix 515 and Pix 501

    Do you know if the PIX boxes have both successfully negotiated and established the ISAKMP/IPSec VPN Connection? Is this branch connected to the Internet via DSL? If so, do you know if the DSL modem is in Routed Bridge Mode? If so this could cause issues if NAT-T is not allowed in the ACL on...
  10. gconnect

    PIX VPN endpoint behind router or PIX VLAN trunk

    I would strongly take a look at the 1811 series router if I were you. You can setup VLANs to segment the networks, use the IOS Firewall feature set, do VPNs, and everything else you mentioned in this post. They typically run about $900. We have a few of these in potentially hostile environments...
  11. gconnect

    Allow FTP access, port 21

    You say you cannot authenticate, but you say that the port does seem to be getting redirected. Ok what happens? Do you get an authentication prompt? Have you tried from the command line? C:\>ftp ftp> open www.**********.net Connected to ************.net. 220-FTP Server Ready. 220-Guest logins...
  12. gconnect

    Checkpoint Platforms

    Hello all, First off I would like to say that I am basically a Checkpoint newbie. Please bear with me. I am very good with Cisco PIX, but I am trying to learn Checkpoint and Netscreen to learn their strengths and weaknesses. Ok, I am currently learning using NG R55 VPN-1 Eval and I am using...
  13. gconnect

    What is aaa authorization configuration used for

    No. If I am not mistaken, it refers to IP routes. Like downloading to a client (PC) that "dials in" for instance. btw --> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ftradrou.htm
  14. gconnect

    PIX VPN Routing

    You probably have the 3002 in EzVPN Client Mode. Change it to Network Extension Mode. In Client Mode, the 3002 acts as a PAT Firewall. This means all hosts behind it take on the ip address assigned to the 3002 by the Firewall's address pool. You can not ping it or ping through it. Network...
  15. gconnect

    Protecting Multiple ip ranges with one PIX 525?

    Only if PIX 525 and the software version on it does vlans. I am not sure if 525 does, but if so then here's how.... i.e., interface ethernet0 vlan10 physical interface ethernet0 vlan20 logical interface ethernet0 vlan30 logical nameif ethernet0 outside sec0 nameif vlan20 DMZ2 sec 50 nameif...
  16. gconnect

    Help with accessing a forwarded Public IP internally

    If you are using an internal DNS Server, then just adjust your DNS zone(s) as needed. If your DNS server was external consider: static (inside,outside) 199.xxx.190.xxx 10.1.1.3 netmask 255.255.255.255 0 0 dns Do you have a DMZ network or are you just considering it at this point?
  17. gconnect

    Vpn tunnel up?

    show crypto isakmp sa - if you see QM_IDLE (Quick Mode - Idle state) all is well show crypto ipsec sa - shows you the IPSec tunnel parameters
  18. gconnect

    PIX 515 NAT Pool Advice

    PAT nat (inside) 1 0 0 -or- nat (inside) 1 10.1.1.0 255.255.255.0 global (outside) 1 interface -or- global (outside) 1 12.34.56.78 "1" ties the statement set together the NAT statement suggests which internal IPs you want to translate. "0 0" means any (1st "0") with any subnet mask...
  19. gconnect

    List bandwidth hogs by IP

    ON A CONTINUAL DAY TO DAY BASIS Generally we use an external application NTOP for this, it works great for everyday use (figuring who's the top talkers, etc) as well as baselining and knowing when and where to think of vlan'ing. You just need a switch with a monitor/mirror/span port and a linux...
  20. gconnect

    Static with 2 external IP-Addresses with pix 515?

    I take it that you basically have 1 internal address and 2 external addresses............ static (inside, outside) tcp EXTERNAL-IP-1 80 INTERNAL-IP 80 static (inside, outside) tcp EXTERNAL-IP-2 8080 INTERNAL-IP 8080 access-list FROM_OUTSIDE permit tcp any EXTERNAL-IP-1 eq 80 access-list...
