/me dusts off soapbox :-)
For just protecting one box a PIX seems like overkill. To use a Pix in the setup you've described I'd put it between the whole network and the T1 router and have the webserver coming off a separate interface on the Pix in a DMZ. (Sorry that is a bit soapboxy)
For a...
You can do this with split-tunneling I think.
Set up a split tunnel that denies smtp to the ISP system and allow everything else:
access-list splitTunnelAclname deny tcp (internal Network) (mask) host (ISP system) eq smtp
access-list splitTunnelAclname permit ip any any
vpngroup (pool name) split-tunnel...
Yep ACL = Access-Lists
Only having permits doesn't mean you're not denying; each ACL has a default deny any at the end that doesn't show up when you look at it. So if for instance you have a list that went:
permit tcp 10.10.1.0 0.0.0.255 any eq 80
permit tcp 10.10.1.0 0.0.0.255 any eq 25
What...
To check for netbios have a look at the ACL's for traffic leaving the network (usually the list is applied inbound to your Inside interface)
You're looking for something that's denying TCP/UDP ports 137 to 139.
HTH
The way I got round this is to enable split tunneling on the client and configure the ipsec networks on the Pix.
Basically you just tell the clients what networks they should encrypt to and what they shouldn't. The reason you can't get local access is because the local traffic is being...
This shouldn't be the cause of your problem, the logs are for ping traffic (icmp type 8, code 0 is an echo reply). What this traffic looks like is ping traffic trying to use your pix like a router it's coming in from an outside address destined for another outside address, the (No xlate)...
Thanks for the reply and the link.
I had an inkling that this is what I'd have to do; I was just wondering if there was a specific way to turn on NAT logging like you can in IOS. Not too surprising if there isn't; I couldn't find a reference for it anywhere on the Cisco site.
Thanks again
Hi All,
I've got a system that I'm just bedding in and someones just asked about logging NAT translations.
The setup I've got is a 515e that then gets routed out a 3750 with the address translation being done on the Pix. Everything works as expected (at long last); the networks of separate...
Are you using split tunneling or allowing local LAN access? It could be that you are encrypting everything out of the client but not all the traffic you are sending should be sent through the VPN tunnel.
i.e. if you don't have split tunneling on you could be encrypting spurious traffic that the...
Have you got TCP wrappers on the Red Hat box?
You may need to check the hostallow statements on the Red Hat box as it's letting in the router but not the pix.
It'll be in your /etc/hostallow file I think.
Hope this helps
I've got a VPN Client to PIX setup and I had some problems with the VPN client locking up when it disconnected. It seemed to fix itself when I updated the PIXOS and Client so they were both on the newest available version.
I think it was a conflict with the client and PixOS that made it...
Hi,
I don't know if this is too late to be of any use to you but I'll post it in case it is.
Your second post is correct:
access-list 100 deny ip 200.0.0.0 3.255.255.255 any
Will deny between 200 and 203.
To deny the range you stated in your first post you would need:
access-list 100...
I can't see why 12.x.x.x address would be a problem but you need to sort out your access list 105.
Because ACLs are hierarchical, the permit ip any any line will let everything through and the deny statements after it will not be queried.
Steve
Ron,
No problem, this can be done with a standard list too. If you want to block only one address use:
router-config#access-list 10 permit any established
router-config#access-list 10 deny 192.168.10.0 0.0.0.255
router-config#access-list 10 permit any
If you place this on the inbound...