Welcome To suyashjain.blogspot.com


Wednesday, September 26, 2007

PIX FAQ and Support Tips

Questions:

1) I lost my enable password, what do I do?
2) Traffic is not flowing between interfaces even though I have rules and xlation set up.
3) I get the error "regular translation creation failed"
4) One ping works, then all the rest fail.
5) Internet email only works from some sites.
6) I can't ping through the firewall.
7) Web traffic hangs.  Everything else is OK, though.
8) How do I build an IKE encrypted tunnel to a FW-1?
9) What network cards does PIX use?
10) How do I enable SSH?
11) Is there any way I can more graphically display my rules and objects?
12) Web sites through the firewall are slow, and I get error about MSS exceeded


Answers:

1) I lost my enable password, what do I do?

You must get a boot disk image from your VAR or from CCO (if you are a member) at ftp://<your_cco_username>@cco.cisco.com/cisco/internet/pix/special/<image>.bin, and boot off of it.  It will erase your existing passwords.

Note: different versions of the OS have different images, e.g. np50.bin, np44.bin, etc.  Consult the Technical Assistance Center (TAC) for details.

2) Traffic is not flowing between interfaces even though I have rules and xlation set up.

  • Make sure that your nameif commands did not give the same security level to source and destination burbs.  This will stop traffic.
  • If you are using v5.0 and higher, make sure you have enabled your interfaces ("interface ethernet0 auto").  If you do a "sh int <interface>" and get a "line protocol up, administratively down", then your interface is plugged in, but you didn't enable your interfaces.
  • If you are dealing with inbound connections, make sure you have conduit statements.

3) I get the error "regular translation creation failed"

You have used all of your global xlation slots up.  Either create a bigger global pool, or use port address translation.  Alternately, you can reboot or lower the xlate timeout on the PIX.

4) One ping works, then all the rest fail.

You may have created a global pool of addresses that overlap IPs that are being used (IP address conflict).  The reply packets are being sent elsewhere.

5) Internet email only works from some sites.

Your mail server may be old and may not understand the format that the PIX hands off to it from the originating mail server.  Turn off SMTP application filtering on the PIX (security hazard):

"no fixup protocol smtp 25"

6) I can't ping through the firewall.

By default, everything is allowed out, nothing in.  ICMP echo requests are allowed out, but unlike TCP and UDP traffic, the replies are not allowed back in.  Add a conduit statement: "conduit permit icmp any any echo-reply" (Note: not stateful, may allow DoS attacks).

7) Web traffic hangs.  Everything else is OK, though.

If you are using a Websense URL filter, and the filter isn't working/can't connect/etc, ALL web traffic will die.  Try disabling URL filtering until issue is resolved.

9) What network cards does PIX use?

i82558 or i82559 (Intel) chipsets

10) How do I enable SSH?

Only SSHv1 is currently supported.  On PIX, version 5.2 or higher is required.  To enable, type:

ssh <allowed IP to connect to PIX> <mask>
domain-name <your domainname>
ca generate rsa key 1024
ca save all

Then you should be able to connect with an SSH client such as PuTTY.  For a router, you would need IOS 12.0(5)S or 12.1(1)T or higher:

hostname <hostname>   (if not already assigned)
aaa new-model   (uses local username/passwords.  Can also use "login local")
username <username> password 0 <passwd>
ip domain-name <domainname>
crypto key generate rsa
line vty 0 4
transport input SSH    (for vtys 0-4, use SSH, not telnet)

11) Is there any way I can more graphically display my rules and objects?

Sure, take a look at this free tool we make available.  It is designed to work with 6.x versions of PIX.

12) Web sites through the firewall are slow, and I get error about MSS exceeded

%ASA-4-419001: Dropping TCP packet from dmz:10.1.1.1/80 to outside:24.111.111.111/4603, reason: MSS exceeded, MSS 1260, data 1460

If you get an error like the one above, what is most likely happening is that the client (24.111.111.111) is sending a client Maximum Segment Size of 1260, and the server (10.1.1.1) is ignoring the request, instead sending a larger payload (1460 bytes).  This is not kosher behavior, and the server SHOULD NOT send MSS payloads larger than 1260 bytes.  Ideally fix the server, but if you can't, you can create a workaround on the PIX.
PIX version 7.0 and higher blocks packets where the payload is larger than the requested MSS (security thing).  However, you can create a policy map that causes the firewall to ignore the MSS exceeded packets.  To do this, enter the following commands:

access-list msslist permit tcp any host 10.1.1.1    # create ACL to match requests to the web server
access-list msslist permit tcp any host 11.1.1.1    # ... as well as the web server's PUBLIC IP if NATed!
class-map classmap1                                 # more Cisco map gibberish.  Everything is a map these days!
  match access-list msslist                         # match the ACL
exit
tcp-map mss-map
  exceed-mss allow                                  # allow MSS exceeds
exit
policy-map global_policy                            # create a policy map and link to previous maps
  class classmap1
    set connection advanced-options mss-map

If you do a "show asp drop | grep MSS", you will see the number of packets dropped because of this MSS issue.  At this point, it should no longer increment as you hit the web server.  Server pages should serve faster as well.  For more details, see the Cisco document 65436.  Also, Cisco document 13725 describes a similar type issue with browsing through a Cisco GRE tunnel.
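Before relaxing the MSS check on the firewall, it helps to know which servers are actually overshooting and by how much. The following is an added example (not part of the original FAQ or Cisco's tooling) that parses %ASA-4-419001 lines from a syslog feed and summarizes drops per offending server; the sample log lines are constructed from the message format shown above, and the function and field names are this example's own.

```python
import re
from collections import Counter

# Regex for the ASA/PIX 7.x "MSS exceeded" drop message quoted on this page.
# Group names (src_if, src_ip, ...) are this example's own naming, not Cisco's.
MSS_DROP_RE = re.compile(
    r"%ASA-4-419001: Dropping TCP packet from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def parse_mss_drop(line):
    """Return a dict describing one 419001 drop, or None for any other line."""
    m = MSS_DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("src_port", "dst_port", "mss", "data"):
        d[k] = int(d[k])
    # The sender (src) put more payload on the wire than the receiver (dst)
    # advertised in its SYN; the overshoot is what the firewall objects to.
    d["excess"] = d["data"] - d["mss"]
    return d

def summarize_mss_drops(lines):
    """Count drops per sending server (iface, ip, port), sorted by count,
    with the largest overshoot seen for each."""
    counts = Counter()
    worst = {}
    for line in lines:
        d = parse_mss_drop(line)
        if d is None:
            continue
        key = (d["src_if"], d["src_ip"], d["src_port"])
        counts[key] += 1
        worst[key] = max(worst.get(key, 0), d["excess"])
    return [(key, counts[key], worst[key]) for key, _ in counts.most_common()]

# Constructed sample syslog lines, modelled on the message shown on this page.
SAMPLE_LOG = [
    "%ASA-4-419001: Dropping TCP packet from dmz:10.1.1.1/80 to outside:24.111.111.111/4603, reason: MSS exceeded, MSS 1260, data 1460",
    "%ASA-4-419001: Dropping TCP packet from dmz:10.1.1.1/80 to outside:24.111.111.112/51022, reason: MSS exceeded, MSS 1380, data 1460",
    "%ASA-6-302013: Built inbound TCP connection (constructed unrelated line, ignored by the parser)",
    "%ASA-4-419001: Dropping TCP packet from dmz:10.1.1.5/443 to outside:24.111.111.113/40000, reason: MSS exceeded, MSS 1260, data 1400",
]

if __name__ == "__main__":
    for (iface, ip, port), n, excess in summarize_mss_drops(SAMPLE_LOG):
        print(f"{iface}:{ip}/{port}  drops={n}  worst overshoot={excess} bytes")
```

The servers at the top of the list are the ones to fix (or to name in the msslist ACL if you must use the workaround); "show asp drop" gives only the total, not the per-server breakdown.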


DISCLAIMER: This support site is provided as a FREE service to our customers. Every effort is made to ensure it is complete and accurate. However, due to changing versions, typos, different environments, etc. information may be inaccurate for your site. Note that we do not assume responsibility for any problems you might encounter using information provided in these pages. Please inform us of any problems you encounter we will make every effort to correct this information. Thank you.



Copyright 2006, Security Evolution, Inc.
