Enabling IPSEC over NAT won't do you any good if your tunnel end-point is a PIX. That feature only works with the VPN Concentrators. Are you sure the VPN client completes a connection to the PIX? Try setting up your DLINK firewall to forward all traffic to your system (probably under DMZ setup...
It's not going to work; the PIX isn't a router, although it does have some routing functionality in order to function as a firewall. Don't plan on Cisco fixing this.
I'd point those clients to the router connecting one of the other offices and set up the routes accordingly. Don't use statics on...
Yes. By default, your DMZ will not be able to initiate connections to the internal network because of the security levels assigned to the interface. However, the internal network will be able to initiate connections to the DMZ. To allow UDP traffic in the reverse order, you'll have to add a...
The PIX firewall is a device, not a software package that you install on Windows 2000. If you're not familiar with the PIX interface, the initial setup may be complicated for you. However, the PIX is very easy to set up and can provide outbound internet access with about 6 commands. Cisco's...
HSRP doesn't load balance, it's used for failover. You CAN set up two internet connections on the PIX, but you'll have to manually switch the default route if your primary goes down; this would be the cheapest solution.
If you want to automate this, use HSRP as described above. It's not...
Take note that conduits will be phased out of future PIX releases and should be converted to ACLs. These cannot be used in conjunction with each other either.
Same here, it's one I want to take in the near future. Any input would be appreciated! Another good site for feedback on this is cramsession.com.
Jason
jlong@menders.com
Are you still having this problem? Let me know, I can probably help. I'll need to know how you tested your connection to the remote office to be of more assistance. Check your PIX config and make sure the following line exists:
sysopt connection permit ipsec
Jason
jlong@menders.com
If all you're doing is a client VPN solution then don't worry about the routers. Whatever you're reading is probably talking about a point-to-point VPN between your PIX and a Cisco router. You should be able to knock out the PIX client side VPN in a couple of minutes. Email me if you need a...
Since you only have one IP address, you'll want to use version 6 of the PIX OS, otherwise you won't be able to do NAT. If you have any machines that need services exposed to the Internet you'll need to set up port forwarding.
Use the 'outbound' command as detailed on Cisco's website:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid358447
Jason Long