And then configure SSH to be allowed from the inside interface:

Now you will be able to login using the default username and password of pix/cisco, Or you can configure AAA and setup your own usernames. Doing this will make the pix username no longer work for SSH.

First, a username needs to be created:

And then configure AAA:

Done!

And then specified to not perform NAT:

I then needed to add another line to the InsideNoNAT_ACL, and that is where I received the error.

All this error message is saying is that the new line in the access-list was not added to the active NAT table, but was added to the access-list. Upon doing some searching, I read in several places that a reboot fixed the problem. While this is true, it is not necessary. All that needs to be done is to remove and reapply the nat statement.

This rebuilds the NAT rules and applies all rules in the ACL. Much better than a reload!

Then apply the access-list to the outside interface.

This will allow only ping. If you would like to allow trace route, you will also need to allow time-exceeded.

Solution 2: Use access-list to allow ping and trace route from the internet to your dmz/inside servers.
To do this, we are going to build off of what we did above, so you should already have this in the config.

Now all we need to do is allow echo into the network.

Even though we are allowing icmp, we still need to have a static mapping to allow the packets to reach the DMZ.

Of course, you will need to have a static mapping for every server you want to have reachable from the internet.

Solution 3: This is a bit more complex, but will allow higher security level interfaces to ping/trace route lower security level interfaces without the use of access-lists. To do this, we will tell the ASA to inspect icmp in a service policy. If you are using a ASA, you should have a default policy in the base config called global_policy.

global_policy:

To add icmp inspection.

We first need to set the ports we want to use to be a trunk. Here we are forcing dot1q.

Now we need to setup the port channels. These channels will be used as 1 and aggregate bandwidth between them.

Note: There is an option at the end of this command to specify the admin group. This is how the CatOS groups the ports. If you do not specify the admin group, the CatOS will automatically assign one. This is something to watch out for if you set each port separately.

Now, turn the port channel on.

That is it for the CatOS. The config for the IOS is quite a bit different. First, create a port channel interface and make it a trunk.

Assign ports to the port channel group.

Just connect the ports and everything should come up. To check on the CatOS.

Here, both ports 3/9 and 3/10 show as connected and on the same admin channel.

And for the IOS.

The last line is the important one. Notice that is shows both ports are in port channel 1.

To configure and IOS to IOS etherchannel, just repeat the exact steps for the IOS on the second switch.
That’s all there is to it.

Come to find out, Microsoft deprecated MSCHAP v1 from Vista! Vista only supports MSCHAP v2, CHAP, and PAP. Cisco does not support MSCHAP v2 in the 6.x line of software for the PIX. Unfortunately, I was connecting to a Pix 501 and did not have the option to upgrade to version 7.x software which does support MSCHAP v2.

Since the only option left is to use CHAP, I had reconfigured the VPN connection in Vista. To do this:

Go to Properties of the VPN connection

-> Security Tab

-> Select Advanced (custom settings)

-> Click Settings

-> Set Data encryption to optional

-> Then check CHAP under Allow these protocols

Now I am able to connect without any problems.

Please note that CHAP should not be considered secure. While it is better than PAP in that is uses encryption, it is only one-way and therefore should be used with caution.