First of all, you need at least IPSO 3.9 or higher to run
NGx R60, and as far as I know, the IP330 does NOT support IPSO
3.9 or higher. Secondly, the processor on the IP330 is a
low-end AMD processor. After installing IPSO and NGx R60,
you will get 100% CPU utilization, even in distributed mode.
I am...

1) As stoo said, you should be using lynx if you have Nokia.
2) You should be using "sysconfig" if you have SPLAT.
3) If you really know what you're doing, you can use "dbset"
to change the IP address. To go even further, you can
even edit the /config/active file to accomplish what you
want...

Do this:
static (inside,dmz) 192.168.64.0 192.168.64.0 netmask 255.255.255.0
access-list dmz_access_in permit icmp any any log
access-list dmz_access_in permit tcp 192.168.66.0 255.255.255.0 any log
access-group dmz_access_in in interface dmz
After that, you can telnet from inside to the DMZ.

I've never dealt with the Pix 501 so I am not sure if PFS is supported. I only dealt with the 506, 506E, 515, 515E and higher models and I know PFS is supported because I've done
it many times.
You need this statement:
isakmp identity address
crypto map monovpnmap 10 set pfs group1
That will enable PFS on phase II to match with the other
side.

You can use the following:
Source = your network
Destination = yahoo.com, msn.com (create objects with domain)
Service = Any
Action = Drop
Just make sure you have DNS server entries on the Nokia
enforcement module (i.e. when you do nslookup from
the Nokia for www.yahoo.com, it can resolve to...

Hi,
do this:
isakmp nat 10
You need to tell the PIX 501 that the client may be behind
a firewall. That way, the PIX will use NAT-T and it will work.
Try it and let us know.
wirelesspeap
CCIE Security

Hi There,
What you are trying to do is perfectly achievable.
That being said, I think you need NGx to do that.
What you are trying to do is, "according to Cisco",
OSPF via GRE and tunnel everything via IPSec. I know how
to do that with Cisco but I don't know how to do that with
Checkpoint...

Hi,
You have to perform "double NAT" on both ends of the
tunnel. It is a pain in the ass to set up. I've set up
quite a few and if you're not careful, you can bring down
your network altogether.
I would strongly suggest that you throw away the Pix
firewall and go with Checkpoint Firewall...

Hi,
In order to accomplish what you described, you need third-party
applications such as Websense or N2H2 for that.
The other alternative is to throw away the Pix firewall
and put in Checkpoint. The Cisco Pix firewall is overrated.
wirelesspeap
CCIE Security

On the PIX, type in this command:
isakmp nat 10
That will enable NAT traversal and it will use UDP
port 4500 instead of ESP if the client is coming from
behind a firewall.
The destination address should be your internal network.
If you do NOT change "sysopt connection permit-ipsec",
it means that he can initiate traffic from his end also.
"sysopt connection permit-ipsec" is a dangerous command.
It allows the IPSec traffic to bypass ALL of your ACLs.
In other...
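The ACL-bypass point in the post above is easy to miss in a long PIX configuration, so here is an added example (not from the poster, and not a Cisco tool) that scans a PIX 6.x-style config and reports where IPsec traffic would skip the inbound interface ACLs. The config text is constructed for the demo and is not from any real device; the `isakmp nat` prefix match is an assumption so that the abbreviated form used in the post is caught alongside the full `isakmp nat-traversal` keyword, and the `no sysopt connection permit-ipsec` negation is the standard Cisco `no` form of the command.

```python
"""Audit a PIX 6.x-style config for IPsec traffic that bypasses interface ACLs.

Added example; the configuration below is constructed for the demo.
"""
import re
from typing import NamedTuple

# Constructed sample config: a deny-all outside ACL, a DMZ ACL, a crypto map
# with PFS, NAT-T enabled, and the sysopt line that exempts IPsec traffic.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 10.0.0.5 eq 443
access-list outside_access_in deny ip any any log
access-group outside_access_in in interface outside
access-list dmz_access_in permit icmp any any log
access-group dmz_access_in in interface dmz
crypto map monovpnmap 10 set pfs group1
isakmp nat 10
sysopt connection permit-ipsec
"""


class Finding(NamedTuple):
    line_no: int
    severity: str   # "high" or "info"
    line: str
    message: str


ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$")


def parse_access_groups(lines):
    """Map interface name -> ACL name for every 'access-group X in interface Y'."""
    groups = {}
    for line in lines:
        m = ACCESS_GROUP_RE.match(line.strip())
        if m:
            groups[m.group(2)] = m.group(1)
    return groups


def audit_ipsec_bypass(config_text):
    """Return findings for lines that change how IPsec traffic meets the ACLs."""
    lines = config_text.splitlines()
    groups = parse_access_groups(lines)
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if line == "sysopt connection permit-ipsec":
            # Every inbound interface ACL is skipped for decrypted IPsec traffic.
            bypassed = ", ".join(f"{acl} (interface {iface})"
                                 for iface, acl in sorted(groups.items()))
            findings.append(Finding(
                no, "high", line,
                "decrypted IPsec traffic skips the inbound interface ACLs: "
                + (bypassed or "none configured")
                + "; consider 'no sysopt connection permit-ipsec' and permitting "
                "the VPN traffic explicitly in the ACL"))
        elif line.startswith("isakmp nat"):
            # Assumption: prefix match covers both 'isakmp nat 10' (as in the
            # post) and the full 'isakmp nat-traversal' keyword.
            findings.append(Finding(
                no, "info", line,
                "NAT traversal enabled: peers behind NAT send ESP inside UDP/4500, "
                "so upstream filters must pass UDP/4500"))
    return findings


def highest_severity(findings):
    """Summarise a list of findings as 'high', 'info' or 'none'."""
    if any(f.severity == "high" for f in findings):
        return "high"
    return "info" if findings else "none"


if __name__ == "__main__":
    for f in audit_ipsec_bypass(SAMPLE_CONFIG):
        print(f"line {f.line_no} [{f.severity}] {f.line}: {f.message}")
```

Run it against a saved `show running-config`; any `high` finding means remote VPN peers can reach whatever the crypto ACL covers without passing the inbound interface ACL, which is exactly the behaviour the post warns about.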