synopsis: I recently upgraded our PIX515e to PIX IOS 7.0(1). Afterwards, FTP data connections are not working and H323 will only send audio and video out. I think that there is some problem with the PIX connecting the outgoing session with the incoming data.
ftp detail: you can ftp to a site, log in and traverse directories. If you try an ls command or a data transfer, it hangs and times out. I have not tested sending a file to a remote server.
h323 detail: you can make a connection to a remote site with either our Polycom ViewStation FX cameras or NetMeeting. They (outside) can see and hear you, but you can't see or hear them.
Here is the good stuff:
______________________________________________
Result of the command: "show tech-support"
Cisco PIX Security Appliance Software Version 7.0(1)
Device Manager Version 5.0(1)
Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
PIX up 1 day 2 hours
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: Ext: Ethernet0 : media index 0: irq 10
1: Ext: Ethernet1 : media index 1: irq 11
2: Ext: Ethernet2 : media index 2: irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 806262769
Running Activation Key: 0x7a31e916 0x39afcdc3 0x5fd6afe4 0xc3e4a8ea
Configuration last modified by enable_15 at 12:14:26.885 EDT Fri Sep 23 2005
------------------ show clock ------------------
12:55:07.885 EDT Fri Sep 23 2005
------------------ show memory ------------------
Free memory: 99147688 bytes (74%)
Used memory: 35070040 bytes (26%)
------------- ----------------
Total memory: 134217728 bytes (100%)
------------------ show conn count ------------------
435 in use, 1104 most used
------------------ show xlate count ------------------
473 in use, 1220 most used
------------------ show blocks ------------------
SIZE MAX LOW CNT
4 100 98 99
80 100 97 100
256 1612 1581 1612
1550 1960 1489 1572
2560 40 40 40
4096 30 30 30
8192 60 60 60
16384 104 104 104
65536 10 10 10
------------------ show blocks queue history detail ------------------
History buffer memory usage: 2136 bytes (default)
------------------ show interface ------------------
Interface Ethernet0 "outside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
MAC address 0009.b75f.8d9a, MTU 1500
IP address 12.152.xxx.xxx, subnet mask 255.255.255.240
4892700 packets input, 3951027417 bytes, 0 no buffer
Received 80489 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4183151 packets output, 797573339 bytes, 0 underruns
0 output errors, 184695 collisions, 0 interface resets
0 babbles, 0 late collisions, 458474 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/15)
output queue (curr/max blocks): hardware (0/45) software (0/1)
Received 4894344 VLAN untagged packets, 3878001316 bytes
Transmitted 4184608 VLAN untagged packets, 713579441 bytes
Dropped 230832 VLAN untagged packets
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
Interface Ethernet1 "inside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0009.b75f.8d9b, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
4469821 packets input, 866522684 bytes, 0 no buffer
Received 262501 broadcasts, 0 runts, 0 giants
1 input errors, 0 CRC, 0 frame, 1 overrun, 0 ignored, 0 abort
4950638 packets output, 4098375212 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/44)
output queue (curr/max blocks): hardware (0/33) software (0/1)
Received 4471157 VLAN untagged packets, 788925752 bytes
Transmitted 4950638 VLAN untagged packets, 4021617273 bytes
Dropped 64395 VLAN untagged packets
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
Interface Ethernet2 "DMZ", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
MAC address 0002.b3ac.57d4, MTU 1500
IP address 192.168.100.1, subnet mask 255.255.255.0
900905 packets input, 599621055 bytes, 0 no buffer
Received 1470 broadcasts, 10 runts, 0 giants
5 input errors, 0 CRC, 5 frame, 0 overrun, 0 ignored, 0 abort
892545 packets output, 489889560 bytes, 0 underruns
0 output errors, 21986 collisions, 0 interface resets
0 babbles, 0 late collisions, 9383 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/21)
output queue (curr/max blocks): hardware (0/37) software (0/1)
Received 901057 VLAN untagged packets, 585223365 bytes
Transmitted 892732 VLAN untagged packets, 474100591 bytes
Dropped 3998 VLAN untagged packets
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 1%; 1 minute: 2%; 5 minutes: 2%
------------------ show process ------------------
PC SP STATE Runtime SBASE Stack Process
Lwe 00105689 00ffbe90 00db4a10 0 00ff9f08 8072/8192 block_diag
Mrd 001dbc16 011c63d0 00db4a78 27588340 011c2478 12296/16384 Dispatch Unit
Mwe 00112cf5 0120bec0 00db49c8 0 01209f48 7772/8192 Reload Control Thread
Mwe 00116edf 0120e410 00db5ff8 0 0120c4c8 8008/8192 aaa
Lwe 001db106 012168c0 00dbe540 0 01214948 7308/8192 dbgtrace
Msi 003cda1f 0121ab00 00db49c8 0 01218b88 7840/8192 557mcfix
Mrd 003cd97a 0121cc20 00db4a78 30294690 0121aca8 7608/8192 557poll
Msi 003cd9cb 0121ed40 00db49c8 0 0121cdc8 7776/8192 557statspoll
Mwe 00b6e13d 0122f5e0 00db49c8 0 0122d658 7788/8192 Chunk Manager
Msi 006f6c3e 01238cb8 00db49c8 0 01236d50 7684/8192 PIX Garbage Collector
Lsi 00a4d60d 0123adf8 00db49c8 0 01238e70 7428/8192 route_process
Mwe 006e73bd 012481b8 00d3a280 0 01246240 8056/8192 IP Address Assign
Mwe 008ce47d 0124dd80 00d441f0 0 0124be08 8056/8192 QoS Support Module
Mwe 0074ff85 0124fed8 00d3af64 0 0124df60 8056/8192 Client Update Task
Lwe 00b89581 012527b0 00db49c8 217640 01250838 7592/8192 Checkheaps
Mwe 00908601 01258b00 00db49c8 0 01256b98 7276/8192 Session Manager
Mwe 009eba89 012636b8 017b31a0 0 0125f7d0 15636/16384 uauth
Mwe 009e7911 01267910 00d5ad60 0 012659c8 7660/8192 SMTP
Mwe 009d8925 01269a40 00d5a730 83230 01267ae8 4540/8192 Logger
Mwe 009d9d31 0126bb80 00db49c8 0 01269c08 7292/8192 Thread Logger
Mwe 00ac127b 01278230 00d85390 0 012762c8 6956/8192 vpnlb_thread
Msi 00487913 0131e2a8 00db49c8 0 0131c330 7316/8192 arp_timer
Mwe 004907b1 013231d8 00dcca70 0 01321270 7964/8192 arp_forward_thread
Msi 009edf0b 0133e988 00db49c8 0 0133ca20 6300/8192 tcp_fast
Msi 009edcdf 013409a0 00db49c8 0 0133ea48 7716/8192 tcp_slow
Mwe 009f893b 01350d90 00d5b8f0 0 0134ee28 8040/8192 udp_timer
Mrd 005e39c6 0122b330 00db4a78 19927030 01229418 5128/8192 snp_timer_thread
Mwe 00166f31 01225ea8 00db49c8 0 01223f20 7976/8192 CTCP Timer process
Mwe 0017c064 01706aa0 01228d90 0 01704b38 7700/8192 IPsec message handler
Msi 00189b71 01708ac8 00db49c8 3090 01706b60 7252/8192 CTM message handler
Mwe 00a78685 0170aae0 00db49c8 0 01708b88 7928/8192 L2TP data daemon
Mwe 00a78475 0170cb18 00db49c8 0 0170abb0 7944/8192 L2TP mgmt daemon
Mwe 00a637df 01744c20 00d80128 0 01740cb8 16184/16384 ppp_timer_thread
Msi 00ac1b7a 01746c28 00db49c8 0 01744ce0 7792/8192 vpnlb_timer_thread
Mwe 00691e95 0175bc10 00db49c8 0 01757ca8 15240/16384 IP Background
Mwe 001d48dd 017a4c60 00d11ef0 210 01784d08 123076/131072 tmatch compile thread
Mwe 0081bbd9 017e3680 00db49c8 0 017df6f8 15980/16384 Crypto PKI RECV
Mwe 008212d4 017e5780 00db49c8 0 017e3818 7772/8192 Crypto CA
Lsi 0070b0a9 01885658 00db49c8 0 018836d0 7856/8192 uauth_urlb clean
Lsi 006f1020 01893c98 00db49c8 0 01891d20 7840/8192 perfmon
Mwe 0041eb69 01897030 00db49c8 0 018950b8 7804/8192 IKE Timekeeper
Mwe 004117a9 0189c6d0 00d2c9c0 0 01898a78 13180/16384 IKE Daemon
Mwe 009add91 0189f7d0 00d5a0f8 0 0189d858 8056/8192 RADIUS Proxy Event Daemon
Mwe 009838b4 018a1780 018de218 0 0189f978 7260/8192 RADIUS Proxy Listener
Mwe 009af891 018a3a20 00db49c8 0 018a1a98 7976/8192 RADIUS Proxy Time Keeper
Mwe 001e41e7 018cbf20 00bf4950 0 018c85f8 13756/16384 ci/console
Msi 0038e57f 018ceea0 00db49c8 0 018ccf68 7128/8192 fover_thread
Mwe 00a46fbe 018d0fd0 00e9f690 10 018cf088 7492/8192 lu_ctl
Csi 007260e9 018d3110 00db49c8 0 018d11a8 7340/8192 update_cpu_usage
Msi 007268bd 018d92f8 00db49c8 0 018d7420 7528/8192 NIC status poll
Mwe 00384fed 018e23c8 00dc73d0 0 018e0480 8008/8192 fover_rx
Mwe 00386a39 018e4420 00dc7428 0 018e24a8 8056/8192 fover_tx
Mwe 0038c329 018e6448 00dccae8 0 018e44d0 8012/8192 fover_ip
Mwe 00394851 018ea260 00dc743c 0 018e64f8 15644/16384 fover_rep
Mwe 003872d2 018ee188 00dc7444 0 018ea520 15416/16384 fover_parse
Mwe 0037baca 018f04a0 00dc55d8 0 018ee548 7976/8192 fover_ifc_test
Mwe 0037dd01 018f2598 00db49c8 0 018f0620 7960/8192 fover_health_monitoring_thread
Mwe 001e41e7 018f4100 00bf49a8 0 018f26f8 6616/8192 fover_serial_rx
Mwe 003a618d 018f6748 00dc61e8 0 018f47d0 8056/8192 fover_serial_tx
Mwe 003a1f9d 018faa48 00db49c8 0 018f8ad0 7960/8192 ha_trans_ctl_tx
Mwe 003a1f9d 0190db48 00db49c8 0 0190bbd0 7960/8192 ha_trans_data_tx
Mwe 0039af75 0190fc20 00db49c8 0 0190dca8 7020/8192 fover_FSM_thread
Mwe 00a473dd 01911cf8 00dccba8 0 0190fd80 7900/8192 lu_rx
Lwe 00a47369 01913e28 00e9f5c0 0 01911ea0 8072/8192 lu_dynamic_sync
Mwe 00a9ead8 01a07230 00d8457c 0 01a052d8 8024/8192 vpnfo_thread_msg
Msi 00aaa63b 01a09350 00db49c8 0 01a073f8 7808/8192 vpnfo_thread_timer
Mwe 00aa70f7 01a0b470 00d84688 0 01a09518 8024/8192 vpnfo_thread_sync
Msi 00aa9f28 01a0d5a0 00db49c8 0 01a0b638 7824/8192 vpnfo_thread_unsent
Mwe 0047fa05 01a1b660 00dccc78 6000 01a196f8 7480/8192 IP Thread
Mwe 004858b9 01a1d790 00dccc38 25080 01a1b818 4812/8192 ARP Thread
Mwe 003d20ad 01a1f8e0 00dccae0 300 01a1d968 6140/8192 icmp_thread
Mwe 009f8348 01a21940 0134ea68 0 01a1fab8 7816/8192 riprx
Msi 008e7e11 01a23b80 00db49c8 0 01a21c08 7500/8192 riptx
Mwe 009f8993 01a25c80 00db49c8 0 01a23d28 7752/8192 udp_thread
Mwe 009ee489 01a27ca0 00dccc70 4060 01a25e48 3916/8192 tcp_thread
Mwe 0074582d 01a81c08 00db49c8 0 01a7dca0 15948/16384 Time Range Process
Mwe 008b414c 01b76fb8 00e3c2c8 0 01b75060 7000/8192 qos_metric_daemon
Mwe 009ebebf 01b9eae8 01f5e448 30 01b9cc30 7444/8192 listen/https
Mwe 0025cf02 01ba2bb0 00db49c8 2310 01b9ec58 12004/16384 emweb/https
Mwe 002576e9 01eaf208 00db49c8 0 01ead290 7716/8192 Timekeeper
Mwe 009f8348 01eb45e8 0134e864 460 01eb2d50 4472/8192 snmp
Mwe 009838b4 01ef0b28 01f01648 0 01eeed20 7380/8192 IKE Receiver
Mwe 009ebebf 01f04010 01f4f078 0 01f021b8 7364/8192 listen/telnet
Mwe 00628dc9 01f12250 00db49c8 0 01f102d8 5100/8192 NTP
Mwe 006ceea8 0214cac0 01a86d1c 25660 02145128 28620/32768 accept/http
Mwe 006cd9c9 0215dd88 00db49c8 0 021561b0 29148/32768 accept/http
M* 006ab9f5 0009feec 00db4a78 0 02194ac8 24364/32768 accept/http
------------------ show failover ------------------
Failover Off
Cable status: My side not connected
Failover unit Secondary
Failover LAN Interface: not Configured
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
------------------ show traffic ------------------
outside:
received (in 93634.970 secs):
4894344 packets 3878001316 bytes
6 pkts/sec 41003 bytes/sec
transmitted (in 93634.970 secs):
4184608 packets 713579441 bytes
44 pkts/sec 7024 bytes/sec
inside:
received (in 93634.970 secs):
4471157 packets 788925752 bytes
1 pkts/sec 8012 bytes/sec
transmitted (in 93634.970 secs):
4950638 packets 4021617273 bytes
7 pkts/sec 42032 bytes/sec
DMZ:
received (in 93634.970 secs):
901057 packets 585223365 bytes
9 pkts/sec 6020 bytes/sec
transmitted (in 93634.970 secs):
892732 packets 474100591 bytes
9 pkts/sec 5017 bytes/sec
----------------------------------------
Aggregated Traffic on Physical Interface
----------------------------------------
Ethernet0:
received (in 93634.970 secs):
4892700 packets 3951027417 bytes
6 pkts/sec 42012 bytes/sec
transmitted (in 93634.970 secs):
4183151 packets 797573339 bytes
44 pkts/sec 8013 bytes/sec
Ethernet1:
received (in 93634.970 secs):
4469821 packets 866522684 bytes
1 pkts/sec 9024 bytes/sec
transmitted (in 93634.970 secs):
4950638 packets 4098375212 bytes
7 pkts/sec 43035 bytes/sec
Ethernet2:
received (in 93634.970 secs):
900905 packets 599621055 bytes
9 pkts/sec 6036 bytes/sec
transmitted (in 93634.970 secs):
892545 packets 489889560 bytes
9 pkts/sec 5002 bytes/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 2/s 2/s
Connections 4/s 3/s
TCP Conns 4/s 2/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept 2/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
------------------ show mode ------------------
Security context mode: single
------------------ show history ------------------
------------------ show firewall ------------------
Firewall mode: Router
------------------ show running-config ------------------
: Saved
:
PIX Version 7.0(1)
names
name 192.168.4.0 TI
name 192.168.3.0 ML
name 192.168.50.0 vpn
name 192.168.1.0 SL1
name 192.168.0.0 SL2
name 192.168.100.10 webexchange
name 192.168.1.202 exchange02
name 192.168.1.211 NCCC00530
name 192.168.3.250 ML_Polycom
name 192.168.1.252 CS_Camera
name 12.152.xxx.xxx dlink_out
name 192.168.0.249 SL01_Poly
name 192.168.0.250 SL02_Poly_HH118
name 192.168.100.20 EZProxy
name 192.168.1.200 CAMS-SQL
name 192.168.1.201 CAMS-WEB
name xxx.xxx.xxx.xxx threerivers
name 192.168.3.222 pdc2
name 192.168.1.219 pdc
name xxx.xxx.xxx.xxx TwinState11
name xxx.xxx.xxx.xxx TwinState10
name xxx.xxx.xxx.xxx Daves_House
!
interface Ethernet0
nameif outside
security-level 0
ip address 12.152.xxx.xxx 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 10
ip address 192.168.100.1 255.255.255.0
!
enable password xxx/xxx encrypted
passwd xxx/xxx encrypted
hostname PIX
!
time-range alltime
!
domain-name misnet.tld
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host 12.152.xxx.xxx eq smtp
access-list acl_out extended permit tcp any host 12.152.xxx.xxx eq https
access-list acl_out extended permit tcp any host 12.152.xxx.xxx eq 995
access-list acl_out extended permit tcp any host 12.152.xxx.xxx eq www
access-list acl_out extended permit tcp any host ML_Polycom eq h323 time-range alltime
access-list acl_out extended permit tcp threerivers 255.255.255.224 host 12.152.xxx.xxx eq 3389
access-list acl_out extended permit tcp threerivers 255.255.255.224 host 12.152.xxx.xxx eq 3389
access-list acl_out extended permit tcp host TwinState10 host 12.152.xxx.xxx eq telnet
access-list acl_out extended permit tcp host TwinState11 host 12.152.xxx.xxx eq telnet
access-list acl_out extended permit tcp host Daves_House host 12.152.xxx.xxx eq telnet
access-list acl_out extended permit tcp host Daves_House host 12.152.xxx.xxx eq telnet time-range alltime
access-list 101 extended permit ip SL1 255.255.255.0 vpn 255.255.255.0
access-list 101 extended permit ip ML 255.255.255.0 vpn 255.255.255.0
access-list 101 extended permit ip TI 255.255.255.0 vpn 255.255.255.0
access-list 101 extended permit ip SL2 255.255.255.0 vpn 255.255.255.0
access-list 101 extended permit ip any vpn 255.255.255.128
access-list 101 extended permit ip any vpn 255.255.255.240
access-list 101 extended permit ip any vpn 255.255.255.248
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq domain
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 88
access-list DMZ_access_in extended permit udp host webexchange host pdc eq 88
access-list DMZ_access_in extended permit icmp host webexchange any
access-list DMZ_access_in extended permit tcp host webexchange any eq ftp
access-list DMZ_access_in extended permit tcp host webexchange any eq ftp-data
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq kerberos
access-list DMZ_access_in extended permit udp host webexchange host pdc eq kerberos
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 135
access-list DMZ_access_in extended permit udp host webexchange host pdc eq netbios-dgm
access-list DMZ_access_in extended permit udp host webexchange host pdc eq netbios-ns
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq netbios-ssn
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq ldap
access-list DMZ_access_in extended permit udp host webexchange host pdc eq 389
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 445
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 3268
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 1025
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq 135
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq netbios-ssn
access-list DMZ_access_in extended permit udp host webexchange host exchange02 eq netbios-dgm
access-list DMZ_access_in extended permit udp host webexchange host exchange02 eq netbios-ns
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq www
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq smtp
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq 691
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq pop3
access-list DMZ_access_in extended permit udp host webexchange host pdc eq domain
access-list DMZ_access_in extended permit tcp host webexchange any eq smtp
access-list DMZ_access_in extended permit udp host webexchange host NCCC00530 eq 38293
access-list DMZ_access_in extended permit udp host webexchange host NCCC00530 eq 2967
access-list DMZ_access_in extended permit tcp host webexchange any eq www
access-list DMZ_access_in extended permit tcp host webexchange any eq https
access-list DMZ_access_in extended permit udp host webexchange host pdc eq ntp
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 1026
access-list DMZ_access_in extended permit tcp host webexchange host pdc2 eq ldap
access-list DMZ_access_in extended permit tcp host webexchange host pdc2 eq 3268
access-list DMZ_nat0_outbound extended permit ip any vpn 255.255.255.0
access-list VPNgroup_splitTunnelAcl standard permit any
access-list NewVPN_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any vpn 255.255.255.248
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 500
logging buffered informational
logging trap debugging
logging history alerts
logging asdm informational
logging host inside 192.168.1.250
no logging message 710003
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPNpool 192.168.50.1-192.168.50.5 mask 255.255.255.255
no failover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
icmp deny any echo-reply outside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (DMZ,outside) 12.152.xxx.xxx webexchange netmask 255.255.255.255
static (inside,DMZ) exchange02 exchange02 netmask 255.255.255.255
static (inside,DMZ) SL2 SL2 netmask 255.255.248.0
static (inside,outside) 12.152.xxx.xxx ML_Polycom netmask 255.255.255.255
static (inside,outside) dlink_out CS_Camera netmask 255.255.255.255
static (inside,outside) 12.152.xxx.xxx SL01_Poly netmask 255.255.255.255
static (DMZ,outside) 12.152.xxx.xxx EZProxy netmask 255.255.255.255 norandomseq
static (inside,outside) 12.152.xxx.xxx CAMS-SQL netmask 255.255.255.255
static (inside,outside) 12.152.xxx.xxx CAMS-WEB netmask 255.255.255.255
static (inside,outside) 12.152.xxx.xxx 192.168.1.254 netmask 255.255.255.255
access-group acl_out in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 12.152.xxx.xxx 1
route inside 192.168.14.0 255.255.255.0 192.168.1.254 1
route inside 192.168.103.0 255.255.255.0 192.168.1.254 1
route inside 192.168.102.0 255.255.255.0 192.168.1.254 1
route inside 192.168.101.0 255.255.255.0 192.168.1.254 1
route inside vpn 255.255.255.255 192.168.1.254 1
route inside TI 255.255.255.0 192.168.1.254 1
route inside ML 255.255.255.0 192.168.1.254 1
route inside SL2 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy VPNgroup internal
username jbray password XPRms.NZREwATXnR encrypted privilege 0
username dhenry password cFcDHp0Hzjj2Jt9q encrypted privilege 0
http server enable
http 192.168.1.250 255.255.255.255 inside
http 192.168.1.249 255.255.255.255 inside
http 192.168.1.224 255.255.255.255 inside
snmp-server host inside 192.168.1.250 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map dyn1 20 set transform-set ESP-3DES-SHA
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp identity auto
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.1.250 255.255.255.255 inside
telnet 192.168.1.249 255.255.255.255 inside
telnet SL01_Poly 255.255.255.255 inside
telnet 192.168.1.224 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
tunnel-group VPNgroup type ipsec-ra
tunnel-group VPNgroup general-attributes
address-pool VPNpool
default-group-policy VPNgroup
tunnel-group VPNgroup ipsec-attributes
pre-shared-key *
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
tunnel-group-map default-group VPNgroup
ntp server pdc source inside prefer
tftp-server inside 192.168.1.249 \pix.cfg
Cryptochecksum:4473587921639c6765a36f1c39d44233
: end
------------------ show startup-config errors ------------------
INFO: No configuration errors
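Added reference, not part of the original post: in PIX 7.0 the per-protocol `fixup protocol` commands of 6.x were replaced by Modular Policy Framework `inspect` statements, and the running-config above contains no `class-map`, `policy-map` or `service-policy` lines at all (`show perfmon` likewise reports `FTP Fixup 0/s`). Without FTP inspection the firewall has no way to open the server-initiated ftp-data connection for an active-mode transfer from an inside client, so `ls` hangs; without H.323 inspection it neither rewrites the private addresses embedded in H.225/H.245 signalling behind the PAT on `global (outside) 1 interface` nor opens the inbound RTP pinholes, which is the classic one-way audio/video symptom. Note that `no ftp mode passive` only controls the PIX's own FTP client used by `copy`, not inspection of transit traffic. The fragment below is the stock 7.0 default global inspection policy as an example of what to compare against; the exact default list varies by release, so check it against the defaults documented for your specific image before applying.

```text
! PIX 7.0 default global inspection policy (Modular Policy Framework).
! Matches the default inspection ports on every interface; the two
! inspections this post needs are "inspect ftp" and "inspect h323 ...".
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
```

To check before and after: `show service-policy` prints nothing when no policy is applied and lists each inspect with packet counters once it is; with a policy in place, start an FTP `ls` from an inside host and `show conn` should show a second, short-lived ftp-data connection alongside the control connection instead of only the control connection that the post describes.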
Mwe 0039af75 0190fc20 00db49c8 0 0190dca8 7020/8192 fover_FSM_thread
Mwe 00a473dd 01911cf8 00dccba8 0 0190fd80 7900/8192 lu_rx
Lwe 00a47369 01913e28 00e9f5c0 0 01911ea0 8072/8192 lu_dynamic_sync
Mwe 00a9ead8 01a07230 00d8457c 0 01a052d8 8024/8192 vpnfo_thread_msg
Msi 00aaa63b 01a09350 00db49c8 0 01a073f8 7808/8192 vpnfo_thread_timer
Mwe 00aa70f7 01a0b470 00d84688 0 01a09518 8024/8192 vpnfo_thread_sync
Msi 00aa9f28 01a0d5a0 00db49c8 0 01a0b638 7824/8192 vpnfo_thread_unsent
Mwe 0047fa05 01a1b660 00dccc78 6000 01a196f8 7480/8192 IP Thread
Mwe 004858b9 01a1d790 00dccc38 25080 01a1b818 4812/8192 ARP Thread
Mwe 003d20ad 01a1f8e0 00dccae0 300 01a1d968 6140/8192 icmp_thread
Mwe 009f8348 01a21940 0134ea68 0 01a1fab8 7816/8192 riprx
Msi 008e7e11 01a23b80 00db49c8 0 01a21c08 7500/8192 riptx
Mwe 009f8993 01a25c80 00db49c8 0 01a23d28 7752/8192 udp_thread
Mwe 009ee489 01a27ca0 00dccc70 4060 01a25e48 3916/8192 tcp_thread
Mwe 0074582d 01a81c08 00db49c8 0 01a7dca0 15948/16384 Time Range Process
Mwe 008b414c 01b76fb8 00e3c2c8 0 01b75060 7000/8192 qos_metric_daemon
Mwe 009ebebf 01b9eae8 01f5e448 30 01b9cc30 7444/8192 listen/https
Mwe 0025cf02 01ba2bb0 00db49c8 2310 01b9ec58 12004/16384 emweb/https
Mwe 002576e9 01eaf208 00db49c8 0 01ead290 7716/8192 Timekeeper
Mwe 009f8348 01eb45e8 0134e864 460 01eb2d50 4472/8192 snmp
Mwe 009838b4 01ef0b28 01f01648 0 01eeed20 7380/8192 IKE Receiver
Mwe 009ebebf 01f04010 01f4f078 0 01f021b8 7364/8192 listen/telnet
Mwe 00628dc9 01f12250 00db49c8 0 01f102d8 5100/8192 NTP
Mwe 006ceea8 0214cac0 01a86d1c 25660 02145128 28620/32768 accept/http
Mwe 006cd9c9 0215dd88 00db49c8 0 021561b0 29148/32768 accept/http
M* 006ab9f5 0009feec 00db4a78 0 02194ac8 24364/32768 accept/http
------------------ show failover ------------------
Failover Off
Cable status: My side not connected
Failover unit Secondary
Failover LAN Interface: not Configured
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
------------------ show traffic ------------------
outside:
received (in 93634.970 secs):
4894344 packets 3878001316 bytes
6 pkts/sec 41003 bytes/sec
transmitted (in 93634.970 secs):
4184608 packets 713579441 bytes
44 pkts/sec 7024 bytes/sec
inside:
received (in 93634.970 secs):
4471157 packets 788925752 bytes
1 pkts/sec 8012 bytes/sec
transmitted (in 93634.970 secs):
4950638 packets 4021617273 bytes
7 pkts/sec 42032 bytes/sec
DMZ:
received (in 93634.970 secs):
901057 packets 585223365 bytes
9 pkts/sec 6020 bytes/sec
transmitted (in 93634.970 secs):
892732 packets 474100591 bytes
9 pkts/sec 5017 bytes/sec
----------------------------------------
Aggregated Traffic on Physical Interface
----------------------------------------
Ethernet0:
received (in 93634.970 secs):
4892700 packets 3951027417 bytes
6 pkts/sec 42012 bytes/sec
transmitted (in 93634.970 secs):
4183151 packets 797573339 bytes
44 pkts/sec 8013 bytes/sec
Ethernet1:
received (in 93634.970 secs):
4469821 packets 866522684 bytes
1 pkts/sec 9024 bytes/sec
transmitted (in 93634.970 secs):
4950638 packets 4098375212 bytes
7 pkts/sec 43035 bytes/sec
Ethernet2:
received (in 93634.970 secs):
900905 packets 599621055 bytes
9 pkts/sec 6036 bytes/sec
transmitted (in 93634.970 secs):
892545 packets 489889560 bytes
9 pkts/sec 5002 bytes/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 2/s 2/s
Connections 4/s 3/s
TCP Conns 4/s 2/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept 2/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
------------------ show mode ------------------
Security context mode: single
------------------ show history ------------------
------------------ show firewall ------------------
Firewall mode: Router
------------------ show running-config ------------------
: Saved
:
PIX Version 7.0(1)
names
name 192.168.4.0 TI
name 192.168.3.0 ML
name 192.168.50.0 vpn
name 192.168.1.0 SL1
name 192.168.0.0 SL2
name 192.168.100.10 webexchange
name 192.168.1.202 exchange02
name 192.168.1.211 NCCC00530
name 192.168.3.250 ML_Polycom
name 192.168.1.252 CS_Camera
name 12.152.xxx.xxx dlink_out
name 192.168.0.249 SL01_Poly
name 192.168.0.250 SL02_Poly_HH118
name 192.168.100.20 EZProxy
name 192.168.1.200 CAMS-SQL
name 192.168.1.201 CAMS-WEB
name xxx.xxx.xxx.xxx threerivers
name 192.168.3.222 pdc2
name 192.168.1.219 pdc
name xxx.xxx.xxx.xxx TwinState11
name xxx.xxx.xxx.xxx TwinState10
name xxx.xxx.xxx.xxx Daves_House
!
interface Ethernet0
nameif outside
security-level 0
ip address 12.152.xxx.xxx 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 10
ip address 192.168.100.1 255.255.255.0
!
enable password xxx/xxx encrypted
passwd xxx/xxx encrypted
hostname PIX
!
time-range alltime
!
domain-name misnet.tld
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host 12.152.xxx.xxx eq smtp
access-list acl_out extended permit tcp any host 12.152.xxx.xxx eq https
access-list acl_out extended permit tcp any host 12.152.xxx.xxx eq 995
access-list acl_out extended permit tcp any host 12.152.xxx.xxx eq www
access-list acl_out extended permit tcp any host ML_Polycom eq h323 time-range alltime
access-list acl_out extended permit tcp threerivers 255.255.255.224 host 12.152.xxx.xxx eq 3389
access-list acl_out extended permit tcp threerivers 255.255.255.224 host 12.152.xxx.xxx eq 3389
access-list acl_out extended permit tcp host TwinState10 host 12.152.xxx.xxx eq telnet
access-list acl_out extended permit tcp host TwinState11 host 12.152.xxx.xxx eq telnet
access-list acl_out extended permit tcp host Daves_House host 12.152.xxx.xxx eq telnet
access-list acl_out extended permit tcp host Daves_House host 12.152.xxx.xxx eq telnet time-range alltime
access-list 101 extended permit ip SL1 255.255.255.0 vpn 255.255.255.0
access-list 101 extended permit ip ML 255.255.255.0 vpn 255.255.255.0
access-list 101 extended permit ip TI 255.255.255.0 vpn 255.255.255.0
access-list 101 extended permit ip SL2 255.255.255.0 vpn 255.255.255.0
access-list 101 extended permit ip any vpn 255.255.255.128
access-list 101 extended permit ip any vpn 255.255.255.240
access-list 101 extended permit ip any vpn 255.255.255.248
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq domain
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 88
access-list DMZ_access_in extended permit udp host webexchange host pdc eq 88
access-list DMZ_access_in extended permit icmp host webexchange any
access-list DMZ_access_in extended permit tcp host webexchange any eq ftp
access-list DMZ_access_in extended permit tcp host webexchange any eq ftp-data
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq kerberos
access-list DMZ_access_in extended permit udp host webexchange host pdc eq kerberos
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 135
access-list DMZ_access_in extended permit udp host webexchange host pdc eq netbios-dgm
access-list DMZ_access_in extended permit udp host webexchange host pdc eq netbios-ns
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq netbios-ssn
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq ldap
access-list DMZ_access_in extended permit udp host webexchange host pdc eq 389
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 445
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 3268
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 1025
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq 135
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq netbios-ssn
access-list DMZ_access_in extended permit udp host webexchange host exchange02 eq netbios-dgm
access-list DMZ_access_in extended permit udp host webexchange host exchange02 eq netbios-ns
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq www
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq smtp
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq 691
access-list DMZ_access_in extended permit tcp host webexchange host exchange02 eq pop3
access-list DMZ_access_in extended permit udp host webexchange host pdc eq domain
access-list DMZ_access_in extended permit tcp host webexchange any eq smtp
access-list DMZ_access_in extended permit udp host webexchange host NCCC00530 eq 38293
access-list DMZ_access_in extended permit udp host webexchange host NCCC00530 eq 2967
access-list DMZ_access_in extended permit tcp host webexchange any eq www
access-list DMZ_access_in extended permit tcp host webexchange any eq https
access-list DMZ_access_in extended permit udp host webexchange host pdc eq ntp
access-list DMZ_access_in extended permit tcp host webexchange host pdc eq 1026
access-list DMZ_access_in extended permit tcp host webexchange host pdc2 eq ldap
access-list DMZ_access_in extended permit tcp host webexchange host pdc2 eq 3268
access-list DMZ_nat0_outbound extended permit ip any vpn 255.255.255.0
access-list VPNgroup_splitTunnelAcl standard permit any
access-list NewVPN_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any vpn 255.255.255.248
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 500
logging buffered informational
logging trap debugging
logging history alerts
logging asdm informational
logging host inside 192.168.1.250
no logging message 710003
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPNpool 192.168.50.1-192.168.50.5 mask 255.255.255.255
no failover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
icmp deny any echo-reply outside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (DMZ,outside) 12.152.xxx.xxx webexchange netmask 255.255.255.255
static (inside,DMZ) exchange02 exchange02 netmask 255.255.255.255
static (inside,DMZ) SL2 SL2 netmask 255.255.248.0
static (inside,outside) 12.152.xxx.xxx ML_Polycom netmask 255.255.255.255
static (inside,outside) dlink_out CS_Camera netmask 255.255.255.255
static (inside,outside) 12.152.xxx.xxx SL01_Poly netmask 255.255.255.255
static (DMZ,outside) 12.152.xxx.xxx EZProxy netmask 255.255.255.255 norandomseq
static (inside,outside) 12.152.xxx.xxx CAMS-SQL netmask 255.255.255.255
static (inside,outside) 12.152.xxx.xxx CAMS-WEB netmask 255.255.255.255
static (inside,outside) 12.152.xxx.xxx 192.168.1.254 netmask 255.255.255.255
access-group acl_out in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 12.152.xxx.xxx 1
route inside 192.168.14.0 255.255.255.0 192.168.1.254 1
route inside 192.168.103.0 255.255.255.0 192.168.1.254 1
route inside 192.168.102.0 255.255.255.0 192.168.1.254 1
route inside 192.168.101.0 255.255.255.0 192.168.1.254 1
route inside vpn 255.255.255.255 192.168.1.254 1
route inside TI 255.255.255.0 192.168.1.254 1
route inside ML 255.255.255.0 192.168.1.254 1
route inside SL2 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy VPNgroup internal
username jbray password XPRms.NZREwATXnR encrypted privilege 0
username dhenry password cFcDHp0Hzjj2Jt9q encrypted privilege 0
http server enable
http 192.168.1.250 255.255.255.255 inside
http 192.168.1.249 255.255.255.255 inside
http 192.168.1.224 255.255.255.255 inside
snmp-server host inside 192.168.1.250 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map dyn1 20 set transform-set ESP-3DES-SHA
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp identity auto
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.1.250 255.255.255.255 inside
telnet 192.168.1.249 255.255.255.255 inside
telnet SL01_Poly 255.255.255.255 inside
telnet 192.168.1.224 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
tunnel-group VPNgroup type ipsec-ra
tunnel-group VPNgroup general-attributes
address-pool VPNpool
default-group-policy VPNgroup
tunnel-group VPNgroup ipsec-attributes
pre-shared-key *
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
tunnel-group-map default-group VPNgroup
ntp server pdc source inside prefer
tftp-server inside 192.168.1.249 \pix.cfg
Cryptochecksum:4473587921639c6765a36f1c39d44233
: end
------------------ show startup-config errors ------------------
INFO: No configuration errors