Saturday, June 10th, 2006
cisco pix
my oh-so-wonderful remembering experience with cisco firewalls has brought me to this conclusion: i needed to write the things i did down so i wouldn't forget them. last week i set up a failover pix 506e for our office co-location and these are the things i re-learned.
static routes from the outside interface need to be configured on the pix; they are not auto-detected.
(example: if all outside traffic is going to leave through a router, you will need to set up a 0.0.0.0 default route pointing out your outside interface to that router)
make sure you remember your vpn group name once you've set it up in the wizard mode, and don't enable pre-authentication or individual usernames and passwords unless you need them (i made the mistake of naming my vpn group 'vpn' and then forgetting that; i tried to use the standard one we always use)
if you are not using dhcp, remember you must configure an ip pool for vpn clients to use
you must set the outside interface address statically; it's not dhcp. (to do this, launch pdm and go to configuration > system properties)
site-to-site vpn must be configured on both firewalls, and both ends must use the same hash and pre-shared key (i.e. if one side uses md5, the other must also use md5)
if your pdm always crashes, check the version of java you're using. for some reason cisco only likes a few versions.
remember to set up nat through 'translation rules' for ip addresses you want to expose publicly.
remember to change your enable password through the console; doing it in the device's pdm will cause it to crash and wipe your firmware.
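here is what all of those items look like together in the pix command line, as one config. this is an added example, not from the post and not cisco's own sample config: it assumes pix 6.3 cli syntax on a 506e failover pair, and every address (documentation ranges), interface name, pool name, access-list name and key in it is constructed. lines starting with ':' are comments. the vpn group is named 'vpn' to match the post, and the remote firewall's mirror-image block is at the bottom so the hash and pre-shared key can be compared side by side.

```cisco
: added example, pix 6.3 syntax; all addresses, names and keys are constructed
: --- interfaces and the static outside address (not dhcp) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
: --- standby addresses for the second 506e ---
failover
failover ip address outside 203.0.113.3
failover ip address inside 192.168.1.2
: --- default route to the upstream router; nothing is auto-detected ---
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: --- nat: pat for the inside lan, plus a static translation for one public host ---
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
: --- address pool for remote-access vpn clients (no dhcp on this box) ---
ip local pool vpnpool 192.168.50.1-192.168.50.50
: --- keep vpn traffic out of nat ---
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
: --- isakmp phase 1; the other firewall must use the same hash (md5 here) and key ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE-WITH-SHARED-SECRET address 198.51.100.2 netmask 255.255.255.255
crypto ipsec transform-set officeset esp-3des esp-md5-hmac
: --- site-to-site tunnel to the remote office firewall at 198.51.100.2 ---
access-list l2l permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map officemap 10 ipsec-isakmp
crypto map officemap 10 match address l2l
crypto map officemap 10 set peer 198.51.100.2
crypto map officemap 10 set transform-set officeset
: --- remote-access clients; group name is 'vpn' (the one the post forgot) ---
: the dynamic entry gets the highest sequence number so static entries match first
crypto dynamic-map dynmap 10 set transform-set officeset
crypto map officemap 65535 ipsec-isakmp dynamic dynmap
crypto map officemap interface outside
vpngroup vpn address-pool vpnpool
vpngroup vpn dns-server 192.168.1.5
vpngroup vpn idle-time 1800
vpngroup vpn password REPLACE-WITH-GROUP-PASSWORD
: --- enable password: set this from the console session, not from pdm ---
enable password REPLACE-WITH-ENABLE-PASSWORD
:
: --- mirror on the remote firewall (198.51.100.2): hash and key must match ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE-WITH-SHARED-SECRET address 203.0.113.2 netmask 255.255.255.255
crypto ipsec transform-set officeset esp-3des esp-md5-hmac
access-list l2l permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map officemap 10 ipsec-isakmp
crypto map officemap 10 match address l2l
crypto map officemap 10 set peer 203.0.113.2
crypto map officemap 10 set transform-set officeset
crypto map officemap interface outside
```

after pasting and `write memory`, run `show isakmp policy` on both ends and check that authentication, encryption, hash and group line up exactly; a hash or key mismatch shows up as a tunnel that never gets past phase 1 in `show isakmp sa`, while a good phase 1 with no traffic flowing usually means the two `l2l` access-lists are not mirror images of each other. the remote peer is pointed at the primary's outside address (203.0.113.2) rather than the standby's, because the standby takes over that address on failover.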
more to come when i remember; maybe i'll get unlazy and post ss