It'll be legen-waitforit
 
stealthn's Avatar
 
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 7,006
So what was the outcome? Did you have a backup of the configuration, and a copy of the changes you made last?

A couple things in your statement confuse me; you said refusing LAN connections then you said you SSH'd into the Public IP? Can you ssh to the private IP from the LAN?

As well, why would you only use a password on the public interface? (I know this doesn't help but I had to ask).

If you had HTTPS enabled on the inside interface can you get to it that way? As well, as stated, did you try the default username pass? What was the aaa method set to in the past?

Good luck, let us know

<-- CCSP working on CCIE now

__________________
Bob James
06 Cayman S - Money Penny
18 Macan GTS
Gone: 79 911SC, 83 944, 05 Cayenne Turbo, 10 Panamera Turbo
Old 01-21-2009, 07:35 PM
Registered
 
Join Date: Jul 2003
Location: Glorious Pac NW
Posts: 4,184
Quote:
Originally Posted by masraum View Post
The hardest part of a console cable (assuming you don't have the blue cisco premade) is the DB9 snap adapter.
My local Rat Shack sells unmade-up DB9-RJ45 adapters, for like, $4. Pin them up any way you want - e.g. so you can run an oddball console cable with off-the-shelf patch cables.

Just need a pin insert/extraction tool (although you can get by without one if you don't mess up assembling it)...
__________________
'77 S with '78 930 power and a few other things.
Old 01-21-2009, 08:50 PM
Registered
 
mikester's Avatar
 
Join Date: Mar 2002
Location: My House
Posts: 5,345
Quote:
Originally Posted by stealthn View Post
So what was the outcome? Did you have a backup of the configuration, and a copy of the changes you made last?

A couple things in your statement confuse me; you said refusing LAN connections then you said you SSH'd into the Public IP? Can you ssh to the private IP from the LAN?

As well, why would you only use a password on the public interface? (I know this doesn't help but I had to ask).

If you had HTTPS enabled on the inside interface can you get to it that way? As well, as stated, did you try the default username pass? What was the aaa method set to in the past?

Good luck, let us know

<-- CCSP working on CCIE now
It sounds like he's hosting some old Cisco VPN clients with this very old PIX 501. I don't believe they support many clients but I don't recall all the licensing options from them. The 501s have been end of life and end of support for at least 3 years now (since the 7.0 code was released). If he's hosting VPN and maybe a website or two - he should only be allowing those protocols inbound on the outside interface.

This would not affect any outbound traffic like web browsing and so forth as that comes from the inside interface to the outside. The inside interface has a higher security level than the outside so traffic (unless otherwise denied by an inbound ACL) is by default permitted in that direction.

SSH access to the outside - ideally - should not be allowed from the public internet (also I believe that the old 6.x code may not support more than SSHv1 which is not bad but not great). In less than ideal circumstances SSH access from the outside should be protected by more than just the enable password. At the very least a local user should be configured. Better would be a TACACS server but we're talking less than ideal situations here.

I'm not criticizing so please don't take it that way, I know that ultimately it comes down to money. I have worked for companies that you would not believe were unwilling to spend a dime on the network yet had expectations that were sky high. Unreal - seriously. If management won't spend the money then you end up with less than ideal circumstances and it is so easy to get there.

Feel free to pick my brain on the PIX configuration or routing or switching or wireless for that matter.

A few years back I tried to get the CCSP, I passed all the tests except the IDS test. This was when the 4 code was still in use and being tested on (if memory serves). After 3 attempts (at the time something like $125 a pop) at that one test I gave up.

I will never take another CCxP level exam again. I will only take CCIE level exams which keep my current certs online and hopefully advance my career potential. I'm hoping to take the R&S lab around April when I will be going to one of those 5 day boot camps (for free).
__________________
-The Mikester

I heart Boobies

Last edited by mikester; 01-21-2009 at 09:11 PM..
Old 01-21-2009, 09:08 PM
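
The points raised in the post above (SSH reachable on the outside interface, management logins without a local user or AAA, and inbound rules on the outside interface that should name only the hosted services) can be checked offline against a saved configuration. This is an added example, not code from any poster in the thread; the two PIX 6.x-style configurations, the ACL name `outside_in`, the user `netadmin` and the function `audit_pix_config` are constructed for illustration.

```python
import re

# Constructed PIX 6.x-style samples (documentation addresses, not a real device).
WEAK_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit ip any any
access-group outside_in in interface outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
"""

HARDENED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
username netadmin password <placeholder> privilege 15
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
"""

def audit_pix_config(text):
    """Return findings for the management-access points discussed in the thread."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    # Interfaces at security level 0 are the untrusted (outside) side.
    untrusted = {m.group(1) for l in lines
                 if (m := re.match(r"nameif \S+ (\S+) security0$", l))}
    # "ssh <addr> <mask> <interface>" lines; "ssh timeout N" has fewer tokens.
    ssh_rules = [l.split() for l in lines if l.startswith("ssh ") and len(l.split()) == 4]
    for _, addr, mask, ifname in ssh_rules:
        if ifname in untrusted:
            scope = "any address" if mask == "0.0.0.0" else f"{addr} {mask}"
            findings.append(f"ssh allowed on {ifname} from {scope}")
    # Without AAA for SSH there are no per-user accounts on the management session.
    if ssh_rules and not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append("ssh has no aaa authentication (no per-user login)")
    # ACLs bound inbound on an untrusted interface should name specific services.
    bound = {m.group(1) for l in lines if (m := re.match(
        r"access-group (\S+) in interface (\S+)$", l)) and m.group(2) in untrusted}
    for l in lines:
        m = re.match(r"access-list (\S+) permit ip any any$", l)
        if m and m.group(1) in bound:
            findings.append(f"acl {m.group(1)} permits all IP inbound")
    return findings

if __name__ == "__main__":
    print(audit_pix_config(WEAK_CONFIG), audit_pix_config(HARDENED_CONFIG))
```
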
Registered
 
mikester's Avatar
 
Join Date: Mar 2002
Location: My House
Posts: 5,345
no update?

__________________
-The Mikester

I heart Boobies
Old 01-22-2009, 10:18 AM