06.22.2007 at 12:24PM PDT, ID: 22652102

Pix static only creates xlate in one direction

Asked by accessint in Cisco PIX Firewall

Tags: pix, static

I am having trouble with xlate timeouts on a pix firewall.  I have a static translation from our C7-DMZ network to our C7-INTERNAL network.  I have added an access list which currently allows all icmp and ip traffic in the C7-DMZ interface.  After clearing the xlate, an initial ping from a C7-DMZ host to a C7-INTERNAL host returns a "request timed out".  However, a ping from an internal host to the C7-DMZ host works, and after this successful ping the C7-DMZ server is now able to ping the C7-INTERNAL host...until the xlate times out, that is.  I thought that the static statement would set up the xlate with traffic going in or out as long as the access-list allows it.  Is this incorrect?
Here is the Pix config with a few modifications for anonymity:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan5 physical
interface ethernet1 vlan10 logical
interface ethernet2 100full
interface ethernet2 vlan9 physical
interface ethernet2 vlan11 logical
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 stateful-fo security30
nameif vlan10 C7-inside security99
nameif vlan11 C7-DMZ security51

hostname labpix
domain-name companyname.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
--------------Other access lists removed for simplicity----------------
access-list DMZ permit icmp any any
access-list DMZ permit ip any any
access-list C7-DMZ permit icmp any any
access-list C7-DMZ permit ip any any
access-list C7-DMZ deny ip any any
pager lines 24
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu stateful-fo 1500
ip address outside A.B.F.155 255.255.255.240
ip address inside 10.0.5.1 255.255.255.0
ip address dmz A.B.F.193 255.255.255.240
ip address stateful-fo 192.168.0.1 255.255.255.0
ip address C7-inside 10.0.10.1 255.255.255.0
ip address C7-DMZ A.B.C.33 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 8
failover ip address outside A.B.F.156
failover ip address inside 10.0.5.3
failover ip address dmz A.B.F.194
failover ip address stateful-fo 192.168.0.2
failover ip address C7-inside 10.0.10.2
failover ip address C7-DMZ A.B.C.34
failover link stateful-fo
pdm history enable
arp timeout 14400
static (dmz,outside) A.B.F.196 A.B.F.196 netmask 255.255.255.255 0 0
static (dmz,outside) A.B.F.197 A.B.F.197 netmask 255.255.255.255 0 0
static (dmz,outside) A.B.F.198 A.B.F.198 netmask 255.255.255.255 0 0
static (dmz,outside) A.B.F.199 A.B.F.199 netmask 255.255.255.255 0 0
static (inside,outside) A.B.F.202 10.0.5.82 netmask 255.255.255.255 0 0
static (inside,outside) A.B.F.203 10.0.5.66 netmask 255.255.255.255 0 0
static (inside,outside) A.B.F.205 10.0.5.79 netmask 255.255.255.255 0 0
static (dmz,outside) A.B.F.206 A.B.F.206 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.5.0 10.0.5.0 netmask 255.255.255.0 0 0
static (dmz,outside) A.B.F.204 A.B.F.204 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
static (inside,dmz) A.B.C.64 A.B.C.64 netmask 255.255.255.224 0 0
static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) A.B.F.195 A.B.F.195 netmask 255.255.255.255 0 0
static (dmz,outside) A.B.F.200 A.B.F.200 netmask 255.255.255.255 0 0
static (inside,C7-DMZ) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 0 0
static (inside,C7-DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
static (inside,C7-DMZ) A.B.C.64 A.B.C.64 netmask 255.255.255.224 0 0
static (inside,C7-DMZ) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (C7-DMZ,outside) A.B.C.40 A.B.C.40 netmask 255.255.255.255 0 0
static (C7-DMZ,outside) A.B.C.41 A.B.C.41 netmask 255.255.255.255 0 0
static (C7-DMZ,outside) A.B.C.50 A.B.C.50 netmask 255.255.255.255 0 0
static (C7-DMZ,outside) A.B.C.51 A.B.C.51 netmask 255.255.255.255 0 0
static (C7-DMZ,outside) A.B.C.52 A.B.C.52 netmask 255.255.255.255 0 0
static (C7-DMZ,outside) A.B.C.53 A.B.C.53 netmask 255.255.255.255 0 0
static (C7-inside,C7-DMZ) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 0 0
static (C7-DMZ,dmz) A.B.C.32 A.B.C.32 netmask 255.255.255.224 0 0
static (C7-DMZ,outside) A.B.C.55 A.B.C.55 netmask 255.255.255.255 0 0
static (C7-DMZ,outside) A.B.C.56 A.B.C.56 netmask 255.255.255.255 0 0
static (C7-DMZ,outside) A.B.C.57 A.B.C.57 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group DMZ in interface dmz
access-group C7-DMZ in interface C7-DMZ
route outside 0.0.0.0 0.0.0.0 A.B.F.145 1
route inside 10.0.0.0 255.255.255.0 10.0.5.2 1
route inside 10.0.1.0 255.255.255.0 10.0.5.2 1
route inside A.B.C.64 255.255.255.224 10.0.5.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local

You will notice that I have a static mapping,
static (C7-inside,C7-DMZ) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 0 0
an access-list which allows everything,
access-list C7-DMZ permit icmp any any
access-list C7-DMZ permit ip any any
and have applied that access list to the correct interface.
access-group C7-DMZ in interface C7-DMZ

Yet the server in the C7-DMZ at IP address A.B.C.52 is unable to ping 10.0.10.10 unless the 10.0.10.10 host pings it first.
Any suggestions?

Danny
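The answers in this thread are not shown on the page. As an added example (not from the question or its answers), the script below parses `static` lines in the PIX 6.3 syntax quoted above and, for each lower-security interface, reports mapped (global) prefixes that are claimed by more than one static from different higher-security interfaces, so a config reviewer can spot an ambiguous mapping such as 10.0.10.0/24 appearing on C7-DMZ from both `inside` and `C7-inside`. The sample input is constructed from the unmasked static lines of the posted config; lines with masked A.B.C addresses cannot be evaluated and are skipped.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: the unmasked (inside,dmz), (inside,C7-DMZ) and
# (C7-inside,C7-DMZ) static lines quoted in the question above.
PIX_CONFIG = """\
static (inside,dmz) 10.0.5.0 10.0.5.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (inside,C7-DMZ) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 0 0
static (inside,C7-DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
static (inside,C7-DMZ) A.B.C.64 A.B.C.64 netmask 255.255.255.224 0 0
static (inside,C7-DMZ) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (C7-inside,C7-DMZ) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 0 0
"""

# PIX 6.3 form: static (high_if,low_if) mapped real netmask mask [max_conns] [em_limit]
STATIC_RE = re.compile(
    r"^static \((?P<high>[^,]+),(?P<low>[^)]+)\) (?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)

def parse_statics(config):
    """Return the static entries in config order; masked placeholders (A.B.C.x) are skipped."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        try:
            mapped = ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
            real = ip_network(f"{m['real']}/{m['mask']}", strict=False)
        except ValueError:
            continue  # anonymised address, cannot be evaluated
        statics.append({"high": m["high"], "low": m["low"], "mapped": mapped, "real": real})
    return statics

def find_overlaps(statics):
    """(low_if, mapped prefix, first high_if, later high_if) for every pair of statics
    that present overlapping mapped prefixes on the same lower-security interface."""
    by_low = defaultdict(list)
    for s in statics:
        by_low[s["low"]].append(s)
    overlaps = []
    for low, entries in by_low.items():
        for i, a in enumerate(entries):
            for b in entries[i + 1:]:
                if a["mapped"].overlaps(b["mapped"]):
                    overlaps.append((low, str(a["mapped"]), a["high"], b["high"]))
    return overlaps

def matching_statics(statics, low_iface, dst_ip):
    """Higher-security interfaces whose static on low_iface covers dst_ip, in config order."""
    ip = ip_address(dst_ip)
    return [s["high"] for s in statics if s["low"] == low_iface and ip in s["mapped"]]
```

Run `find_overlaps(parse_statics(PIX_CONFIG))` to list the ambiguous prefixes, and `matching_statics(statics, "C7-DMZ", "10.0.10.10")` to see every static that could claim the destination in the question, in the order they appear.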

About this solution

Zone: Cisco PIX Firewall
Solution Provided By: Cyclops3590
Participating Experts: 1
Solution Grade: B