Cisco Pix Help

zoomy942
04-26-07, 01:57 PM
I'm an Exchange and AD guy, so Cisco PIXes are a little foreign to me.

Once I'm in there I should be okay, but how the hell do I telnet into it?

Seriously, the steps are what?

I've googled around and everything listed has to do with once I'm in there, and that's fine, but how do I even connect to it?

I feel so pwned. Ask me to set up a small business network from the ground up, done... ask me to open a port in my corporate firewall and I'm pwned.

Q
04-30-07, 02:11 AM
> I'm an Exchange and AD guy, so Cisco PIXes are a little foreign to me.
>
> Once I'm in there I should be okay, but how the hell do I telnet into it?
>
> Seriously, the steps are what?
>
> I've googled around and everything listed has to do with once I'm in there, and that's fine, but how do I even connect to it?
>
> I feel so pwned. Ask me to set up a small business network from the ground up, done... ask me to open a port in my corporate firewall and I'm pwned.

I think EvilChris has tons of Cisco certs. If he doesn't see this thread, you should PM him.

Bman212121
04-30-07, 02:28 PM
> I'm an Exchange and AD guy, so Cisco PIXes are a little foreign to me.
>
> Once I'm in there I should be okay, but how the hell do I telnet into it?
>
> Seriously, the steps are what?
>
> I've googled around and everything listed has to do with once I'm in there, and that's fine, but how do I even connect to it?
>
> I feel so pwned. Ask me to set up a small business network from the ground up, done... ask me to open a port in my corporate firewall and I'm pwned.

If you have never used a piece of Cisco equipment, my first suggestion is to be careful. Make sure you understand what command you are telling it before you send it, as they can be very picky. I know a little bit about Cisco stuff and have used a PIX, but I don't have enough knowledge to help you with access lists. Our PIX was set up with a web interface enabled, so you just configured what you wanted from a browser. To get into it though, all Cisco equipment that I've seen comes with telnet disabled by default, so you need to connect via the console port on the back of the device to get into it. I'm assuming yours is already set up, but it is quite possible that whoever set it up didn't enable telnet for security purposes.

If that is the case you'll need either a special DB9 to RJ-45 cable to connect a laptop to the port, or you can get a DB9 to RJ-45 adapter, then make a cable to connect into it. The cable is called a rollover cable, and the reason why is basically you make the ends of the cables the same, but when you go to make the second end, you need to reverse the end so it is put on backward. I.e. this way pin 1 is connected to pin 8, pin 2 to pin 7, pin 3 to pin 6, pin 4 to pin 5, and pin 5 to pin 4. Then you just open up a HyperTerminal window and configure it for the serial port you are using, 9600 baud, 8 data bits, no parity, 1 stop bit, and I think flow control off, but that part I'm not 100% on. Once you have the cable connected from your computer to the port on the back of it labeled console, and you have your terminal window open, you simply press enter and if it is there it should connect.

I would probably ask either Evilchris, or retsam as one of them should have a little more knowledge about it. If you can't get a reply, you can try what I suggested as that should get you into the device as well.

zoomy942
04-30-07, 02:39 PM
You mentioned the web interface..

How do I access that?

I've used the web interface but it was over a year ago and I can't remember a thing about it. I don't need to change any access lists or anything. Just the VPN password.

Bman212121
04-30-07, 03:48 PM
> You mentioned the web interface..
>
> How do I access that?
>
> I've used the web interface but it was over a year ago and I can't remember a thing about it. I don't need to change any access lists or anything. Just the VPN password.

Pretty sure you can just type https://*the ip of the pix* and it should prompt you for a login. Do this in a web browser. I know that there are Java issues though, and if you can get a login but it stops after that, chances are the Java is the wrong version, or I'm also fairly sure that it doesn't like IE7. I know we had an issue where in order to get into the thing the first time we had to load a Windows 2000 PC with the MS JVM because it was the only thing that would connect to it, because the Java was really old. Once we flashed it with a newer firmware, it worked a lot better.

zoomy942
05-16-07, 05:43 PM
Okay, so I telnetted into the PIX. Now, I don't know where to go to set the MAIL FORWARDING. We got a spam and virus scan appliance and I need to tell the PIX to send the mail to that device instead of our email server.

Assistance?

zoomy942
05-16-07, 06:35 PM
Is this the line that forwards email?

static (inside,outside) tcp XX.XXX.XXX.XXX smtp 192.168.11.103 smtp netmask 255.255.255.255 0 0

If it is, I just need to delete that line and add the one with our device IP instead, right? Replace 192.168.11.103 with 192.168.11.253...

zoomy942
05-17-07, 01:32 PM
Do I need to reboot the PIX for any changes to take effect? Or do I have to write it to flash?

evilghost
05-17-07, 01:37 PM
telnet [ip of pix]
[login]
en
[login with enable]
conf t
[remove the static NAT entry and re-add]
no static (inside,outside) tcp XX.XXX.XXX.XXX smtp 192.168.11.103 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.XXX.XXX.XXX smtp 192.168.11.253 smtp netmask 255.255.255.255 0 0
wr mem
copy running-config startup-config
exit
exit

EvilChris may be able to fix that better, I'm going off memory, don't have a PIX in front of me.

zoomy942
05-17-07, 01:43 PM
So no reboot needed? I might try that right now during the day to see if it works.

And what do you mean by remove the static NAT entry? The steps I didn't do are from wr mem on down.

evilghost
05-17-07, 01:46 PM
> So no reboot needed? I might try that right now during the day to see if it works.
>
> And what do you mean by remove the static NAT entry? The steps I didn't do are from wr mem on down.

no static (inside,outside) tcp XX.XXX.XXX.XXX smtp 192.168.11.103 smtp netmask 255.255.255.255 0 0 should remove the static NAT entry unless I'm mistaken, again, I'm going from memory. I'm trying to bounce this off my Cisco guy over IM to verify but he hasn't responded yet.

No reboot needed. You can exit out of 'conf t' and do 'sh run' to see the current active changes. 'wr mem' should write the running config to flash but I always do a 'copy running-config startup-config' just in case since the IOS can differ from device to device.

zoomy942
05-17-07, 01:49 PM
Okay. Because I haven't done the wr mem part yet, and right now the mail isn't going to my SPAM appliance yet.

evilghost
05-17-07, 01:51 PM
Do a "sh run" and look for the static NAT entries. If you didn't remove the older one then the one you added won't take precedence because it'll be at the bottom of the ACL.
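
One way to check this in a saved 'sh run' before touching the box, as an added Python example (not from the thread or from Cisco): it parses PIX port-static lines, reports which inside host the first matching static forwards SMTP to, and generates the 'no static' lines needed to clear stale entries. The config fragment is constructed around the thread's own static line.

```python
import re
from typing import Dict, List, Optional

# Constructed running-config fragment (not taken from the thread's PIX); it reuses
# the thread's static NAT line with XX.XXX.XXX.XXX standing in for the outside IP.
SAMPLE_RUNNING_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
static (inside,outside) tcp XX.XXX.XXX.XXX smtp 192.168.11.103 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.XXX.XXX.XXX www 192.168.11.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.XXX.XXX.XXX smtp 192.168.11.253 smtp netmask 255.255.255.255 0 0
"""

# PIX 6.x port static: static (inside,outside) proto global_ip global_port local_ip local_port netmask ...
STATIC_RE = re.compile(
    r"^static\s+\((?P<inside>\w+),(?P<outside>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<gip>\S+)\s+(?P<gport>\S+)\s+(?P<lip>\S+)\s+(?P<lport>\S+)\s+netmask\s+(?P<mask>\S+)"
)


def parse_statics(config: str) -> List[Dict[str, str]]:
    """Port-static translations in config order; the PIX uses the first match."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append({**m.groupdict(), "line": line.strip()})
    return entries


def effective_local_ip(config: str, gip: str, proto: str, gport: str) -> Optional[str]:
    """Inside host that traffic arriving at gip/proto/gport is actually forwarded to."""
    for e in parse_statics(config):
        if (e["gip"], e["proto"], e["gport"]) == (gip, proto, gport):
            return e["lip"]
    return None


def stale_static_removals(config: str, gip: str, proto: str, gport: str, wanted_lip: str) -> List[str]:
    """'no static ...' commands for same-port entries that point anywhere but wanted_lip."""
    return ["no " + e["line"] for e in parse_statics(config)
            if (e["gip"], e["proto"], e["gport"]) == (gip, proto, gport) and e["lip"] != wanted_lip]


def apply_removals(config: str, no_cmds: List[str]) -> str:
    """Simulate entering the 'no static' lines by dropping those lines from the config."""
    drop = {c[len("no "):] for c in no_cmds}
    return "\n".join(ln for ln in config.splitlines() if ln.strip() not in drop) + "\n"
```

Run effective_local_ip against the fragment and it reports 192.168.11.103, the old mail server, even though the .253 line is present; apply the generated removal and it reports 192.168.11.253.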

evilghost
05-17-07, 01:52 PM
> Okay. Because I haven't done the wr mem part yet, and right now the mail isn't going to my SPAM appliance yet.

When you reboot the 'startup-config' is loaded and the 'running-config' is lost, meaning, any changes you've made will be lost unless they are written to startup-config via 'wr mem' or 'copy running-config startup-config'.

zoomy942
05-17-07, 01:55 PM
Here's half of what I am looking at.

Just look away from the Vista Business I have installed :)

zoomy942
05-17-07, 01:58 PM
Here's the first half.

evilghost
05-17-07, 02:15 PM
Should work, check to make sure SMTP is listening and not firewalled on the spam appliance. As FYI, here's a vote for http://www.xwall.us; it's what I use in WINE through Linux. I'm an admin over there :)

http://www.xwall.us/phpBB2/viewtopic.php?t=2720

zoomy942
05-17-07, 02:25 PM
I'll keep that site in mind. Right now, we are 30 day testing a Barracuda appliance. ANYTHING to get me away from Symantec AV for Exchange.

I'll check the appliance and look at SMTP... be right back.

evilghost
05-17-07, 02:28 PM
XWall outperforms Barracuda; we actually used XWall in place of Ciphertrust's Ironmail as well based on performance and cutting-edge features (tar-pitting, greylisting, SURBL, SLS, etc).

zoomy942
05-17-07, 02:31 PM
Hmmm.. what's the investment in XWall?

evilghost
05-17-07, 02:32 PM
$400, unlimited users (no per-user licenses); it's simply per-MTA licensing. Tons of features, and I mean tons. I'll help you get it set up. It's got a 30-day eval.

zoomy942
05-17-07, 02:35 PM
and it will perform AV and SPAM functions?

evilghost
05-17-07, 02:37 PM
Anti-Spam:
SURBL
SLS
Greylisting
Auto-IP Ban
SPF
Tar-Pitting
Heuristic analysis
Text/HTML analysis
Character coding (big-5, kr, etc)
Country/IP blocking
Host Blocking
Granular Whitelisting
TNEF reassembly, message reassembly, etc
Attachment blocking.
History/Archive

Man, too many to list.

AV/Spam = Yes. I actually paid $400 out of pocket for my home use, it's superior to everything I've seen on the market inclusive of SpamAssassin.

zoomy942
05-17-07, 02:39 PM
Right on. I am 100% game to try it. Once my eval of this Barracuda is up, I'll try it. I am kind of annoyed this Barracuda won't get the mail.

Here is the internal test page.

evilghost
05-17-07, 02:41 PM
Oh yeah, XWall integrates with AD for LDAP recipient verification so you're not accepting mail for invalid senders and generating NDRs (back-scatter).