I'm gonna assume this to be your outside interface:
interface GigabitEthernet0/1
ip address X.X.X.242 255.255.255.248
ip access-group 199 in
Please look at these two lines:
access-list 199 permit tcp any host X.X.X.243 eq www
access-list 199 permit tcp any host X.X.X.244 eq www
Are either of...
Verify these statement:
This should allow SMTP traffic to flow unhindered towards your mailserver host-address.
A firm believer of the "Keep it Simple" philosophy
Cheers
/T
Hiya encinitas.
This line might be worth investigating:
Is this the old peer-address or the new one?
Furthermore, I'd suggest going over the cryptomap, isakmp statements and any ACLs you may have (especially ACL 101 as this one tunnels the traffic between your offices):
crypto map tooffice...
Hi Doug.
A few minor suggestions:
Do not employ these lines:
access-list inbound permit icmp any any
access-list inbound permit tcp any host 66.67.68.69 eq 3389
The first line announces you to the world.
The second line opens up your server for anyone using Remote Desktop. It's generally a...
Causemaker: Just a friendly tip :)
The Ethernet ports on a switch are already "crossed". Interfaces on routers are not. Same goes for PIX-interfaces. Hence the need for a crossover.
I second NG's advice. I've done this a few times myself and it should work flawlessly.
A firm believer of the...
Check your config on the 515 and see if this line is in the crypto statements:
crypto map toPIX501 10 match address 110 (or use nonat as these two are identical)
This line tells the PIX to encrypt matching traffic. Without it the traffic won't go through the tunnel but rather on the outside...
Yes, you need to "translate" your internal address to an external one. This is because the address you mention is from the private address-range and is not routed or reachable from the Internet. You need to provide a public address, or a second address if you will. Unless you have a public...
Have you tried to delete the user and make a new one? And you should also check the VPN profile of the user. Some users have a tendency to be "creative"...
A firm believer of "Keep it Simple" philosophy
Cheers
/T
At 1st glance I can't see anything wrong. Just make sure that you employ NAT-0 on both VPN end-points. And allow ICMP echo replies from the VPN subnet on the outside interface as well :)
This is only a quick look, but I hope I gave you some hints.
A firm believer of "Keep it Simple" philosophy...
Here's a basic config which can be applied to both sites (assuming you're not using private addresses):
SITE1
access-list SITE1-to-SITE2 permit ip [IP address and mask from SITE1] [IP address and mask from SITE2]
This line forces all traffic originating from the inside of site1 with site2 as...
Setting up the PIX to allow VPN users to connect to it, means it will have to get VPN requests relayed by the DSL router. This is because the DSL router holds your "outside" address. Should work if your ISP forwards the VPN requests (UDP 500) to your PIX. It gets a bit more complicated this way, but...
Or from the outside:
Telnet [IP address of mailserver] 25
If you get a connection, the port is active and open.
A firm believer of "Keep it Simple" philosophy
Cheers
/T
You're looking at one really big ACL. And the problem is that some "blocks" don't necessarily mean they originate from the same country. Either way, you're going to run into major issues if you decide to "block" spam by blocking IP addresses. Spam doesn't always originate from the "blocked" range and...
Yup.
But to be sure you don't alter any config by accident, just copy, edit and paste the lines you do want to change.
Eg. the 3 lines specified earlier :)
A firm believer of "Keep it Simple" philosophy
Cheers
/T