Solved

PIX 515 will NOT pass inbound traffic

Posted on 2003-12-01
Last Modified: 2012-06-27
Holiday got in the way of this question, so I thought I'd repost:

I am working on a PIX 515 6.3(3) PMD Version 3.0(1) two interfaces

Client has been given the following public address range:
69.x.x.121 ~ 69.x.x.126 netmask 255.255.255.248

Router is plugged into a basic switch as is the PIX outside interface.

The first ip .121 has been defined as the ethernet port of the router.

Presently I have the PIX outside interface defined as 69.x.x.126 netmask 255.255.255.248 and gateway 69.x.x.121
I have the inside interface of the PIX defined as 10.4.10.254 netmask 255.255.255.0

If I configure the PIX for NAT utilizing the interface ip (PAT .126) everything works just fine for outbound internet access.
HOWEVER I am not successful in defining a static NAT for one of the remaining public addresses to an internal address. I am returned the PIX 3-305006 error in the syslogs.
Of note is the fact that if I use the outside interface (.126) ip in my static definition to an internal host, the access from outside to a nat defined host on the inside works.
Access rules have been defined.

This led a friend of mine to suggest not using the ip address of the interface for my PAT. I left the outside interface as .126 and defined the PAT as .125. Does not work. I see nothing of interest in the logs, however outbound traffic fails.
I then attempted a Global pool with .124 & .125, still would not pass any traffic outbound.

Does the router need any configuration? I am told the isp utilizes RIP. I would simply like to have the internal network access the internet from one of the public ip addresses and also have the ability to configure www on an internal server that has a public NAT translation.

I have seen the documentation on the 305006 error and I cannot seem to bridge the gap I am facing.

Thanks!

Vaxgen

Author Comment

by:Vaxgen
ID: 9853468
Here is the current PIX config:
: Saved
: Written by enable_15 at 15:41:55.278 UTC Mon Dec 1 2003
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname xxxxxxxxx
domain-name xxxxxxxxxxx
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service DNS tcp-udp
  port-object eq domain
pager lines 24
logging on
logging monitor informational
logging buffered informational
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 69.x.x.126 255.255.255.248
ip address inside 10.4.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 0.0.0.0 255.255.255.248 outside
pdm location 198.x.x.1xx 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 69.x.x.xx 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 69.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
telnet 198.x.x.1xx 255.255.255.255 outside
telnet timeout 15
ssh 198.x.x.1xx 255.255.255.255 outside
ssh timeout 15
console timeout 0
dhcpd address 10.4.10.200-10.4.10.253 inside
dhcpd dns xxxxxxxxxxxxxxxxxxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxxxxxxxxxxxxxxxxxxxx
dhcpd enable inside
terminal width 100
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx
: end
LVL 13

Expert Comment

by:td_miles
ID: 9854599
I believe the problem to be with the line:

sysopt noproxyarp outside

From the command reference at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#1026942
=================
sysopt noproxyarp

ARP (Address Resolution Protocol) is a layer two protocol that resolves an IP address to a physical address, also called a Media Access Controller (MAC) address. A host sends an ARP request asking "Who is this IP?" The device owning the IP should reply with "Hey, I am the one, here's my MAC address."

Proxy ARP refers to a gateway device, in this case, the firewall, "impersonating" an IP address and returning its own MAC address to answer an ARP request for another device.

The firewall builds a table from responses to ARP requests to map physical addresses to IP addresses. A periodic ARP function is enabled in the default configuration. The presence of entries in the ARP cache indicates that the firewall has network connectivity. The show arp command lists the entries in the ARP table. Usually, administrators do not need to manually manipulate ARP entries on the firewall. This is done only when troubleshooting or solving network connectivity problems.

The arp command is used to add a permanent entry for host on a network. If one host is exchanged for another host with the same IP address then the "clear arp" command can be used to clear the ARP cache on the PIX. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.

The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).

The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses.
=================

So by disabling proxyarp on the outside interface, the PIX cannot respond to ARP requests for IP addresses other than its own actual interface address. This is why NAT is not working when you use an IP address other than the interface.
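An added example, not from the thread or from Cisco: a small Python linter that reads a PIX 6.3 config and reports exactly the two misconfigurations this thread turned up, a global or static mapped address that relies on proxy ARP on an interface where `sysopt noproxyarp` is set, and a `name` entry that collides with a PIX port keyword. The sample config, the TEST-NET addresses and the keyword list are constructed for the example.

```python
"""Lint a PIX 6.3 config for the two problems diagnosed in this thread:
mapped addresses that rely on proxy ARP while 'sysopt noproxyarp' is set on
that interface, and 'name' entries that collide with PIX port keywords."""
import re

# Port keywords PIX accepts in place of a number (partial list, an assumption)
PORT_KEYWORDS = {"www", "http", "https", "domain", "smtp", "ftp", "telnet", "ssh"}

def lint_pix_config(text):
    if_addr = {}      # interface name -> its own IP address
    noproxy = set()   # interfaces with proxy ARP disabled
    mapped = []       # (interface, mapped address, source line)
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ip address (\S+) (\S+) \S+$", line):
            if_addr[m[1]] = m[2]
        elif m := re.match(r"sysopt noproxyarp (\S+)$", line):
            noproxy.add(m[1])
        elif m := re.match(r"global \((\S+)\) \d+ (\S+)", line):
            mapped.append((m[1], m[2], line))       # PAT/pool address on that interface
        elif m := re.match(r"static \(\S+,(\S+)\) (\S+) ", line):
            mapped.append((m[1], m[2], line))       # mapped address is the first argument
        elif m := re.match(r"name \S+ (\S+)$", line):
            if m[1].lower() in PORT_KEYWORDS:
                findings.append(f"'{line}': name collides with port keyword '{m[1]}'")
    for ifname, addr, line in mapped:
        # The PIX always answers ARP for its own interface address, so the
        # 'interface' keyword and the interface IP itself never need proxy ARP.
        if addr == "interface" or addr == if_addr.get(ifname):
            continue
        if ifname in noproxy:
            findings.append(f"'{line}': {addr} needs proxy ARP but sysopt noproxyarp {ifname} is set")
    return findings

# Constructed sample mirroring the thread's first config (TEST-NET addresses)
SAMPLE_CONFIG = """
ip address outside 203.0.113.126 255.255.255.248
ip address inside 10.4.10.254 255.255.255.0
name 10.4.10.2 www
global (outside) 10 203.0.113.125
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.123 10.4.10.2 netmask 255.255.255.255 0 0
sysopt noproxyarp outside
sysopt noproxyarp inside
"""

if __name__ == "__main__":
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print(finding)
```

Removing the `sysopt noproxyarp outside` and `name 10.4.10.2 www` lines from the sample makes the report empty, which is the state the thread ends in.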
Author Comment

by:Vaxgen
ID: 9860839
td_miles,

I think we are very close!

I enabled proxyarp and I am now able to use PAT with an IP address other than that of the interface IP. I still am not able to define a static that works. Here is the latest PIX config:
: Saved
: Written by enable_15 at 11:12:07.061 UTC Tue Dec 2 2003
PIX Version 6.3(3)
interface ethernet0 100basetx
interface ethernet1 100basetx
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname xxxxx
domain-name xxxxxxx
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.4.10.2 www
object-group service DNS tcp-udp
  port-object eq domain
object-group service www tcp
  port-object eq www
  port-object eq https
access-list outside_access_in permit tcp any host 69.x.x.123 object-group www
pager lines 24
logging on
logging monitor informational
logging buffered informational
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 69.x.x.126 255.255.255.248
ip address inside 10.4.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 0.0.0.0 255.255.255.248 outside
pdm location 198.x.x.1xx 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location www 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 69.x.x.125
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 69.x.x.123 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet 198.x.x.1xx 255.255.255.255 outside
telnet timeout 15
ssh 198.x.x.1xx 255.255.255.255 outside
ssh timeout 15
console timeout 0
dhcpd address 10.4.10.200-10.4.10.253 inside
dhcpd dns xxxxxxxxxxxxxxxxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxxxxxxxxxxxxxx
dhcpd enable inside
terminal width 100
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx
: end
LVL 13

Expert Comment

by:td_miles
ID: 9863140
The config you have appears to be correct. I've gone through it line at a time, but that doesn't mean I didn't miss something. I haven't used the "object-group" stuff a lot, but it looks correct. As an alternative, you could change the ACL to something plainer (but that I know works):

access-list outside_access_in permit tcp any host 69.x.x.123 eq 80
access-list outside_access_in permit tcp any host 69.x.x.123 eq 443

The other thing I am not sure on is whether you should call your host "www", as this is a keyword that is used to refer to port 80. Just in case, I would remove the line that defines "www" and change the static to:

static (inside,outside) 69.x.x.123 10.4.10.2 netmask 255.255.255.255 0 0


After that, time to try some debugging:

1. From outside can you ping the IP 69.x.x.123 (the real IP of your NAT'ed web server)?
2. Do a "show xlate". Does your static translation show up?
3. Do a "show access-list outside_access_in" and note the "hitcnt". Does it go up when you try to access the web server?
4. You are testing from a PC that is outside the firewall, aren't you?
Author Comment

by:Vaxgen
ID: 9867193
td_miles,

Success!!!!!!!!  Thank you very much.

I removed the name 'www' from the host entry, and bingo!
A poor choice on my part as you mentioned in that 'www' is a key word.

The proxyarp enabling is what really got the ball rolling. Thanks!

Based on your debugging notes I have one final little question, I notice from the inside, I cannot hit 69.x.x.123. I was always testing from the outside, but now that I know the outside access is working, I guess I just assumed access to the public ip from the inside would work and it does not.

How can I fix that?


LVL 13

Accepted Solution

by:
td_miles earned 500 total points
ID: 9870792
The reason that you cannot access the web server on its real IP address is that the traffic is effectively leaving the outside interface and then requiring to come straight back in. This is one thing that the PIX cannot do (route traffic leaving an interface back into the same interface).

One way around this is to use the "alias" command:

alias 10.4.10.2 69.x.x.123 255.255.255.255

What it does, is to doctor the DNS lookup, so that when someone inside does a lookup for your web server "www.xyz.com" the DNS on the internet will return the IP address it is supposed to, which is "69.x.x.123". The alias command will then change this so that the actual address the PC gets is "10.4.10.2" for the DNS lookup (which it will then connect to).

You can read more about the alias command here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#1083304

The other alternative is to run an internal DNS that returns the internet IP addresses that is only for the use of the devices on the "inside".
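An added example, not from the thread or from Cisco, that shows in Python what the DNS doctoring described above amounts to: a DNS reply crossing the firewall whose A record carries the public (mapped) address is rewritten to the inside host's real address before the inside client sees it. The addresses, the alias map and the constructed reply packet are stand-ins for the thread's 69.x.x.123 and 10.4.10.2.

```python
"""Simulate the DNS doctoring the PIX 'alias' command performs: an A record
in a reply crossing the firewall that carries the public (mapped) address is
rewritten to the inside host's real address before it reaches the inside client.
Addresses below are constructed stand-ins for the thread's 69.x.x.123 / 10.4.10.2."""
import struct

ALIAS_MAP = {"203.0.113.123": "10.4.10.2"}   # mapped (outside) -> real (inside)

def _skip_name(msg, off):
    """Return the offset just past a DNS name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:              # root label terminates an uncompressed name
            return off + 1
        if (length & 0xC0) == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(msg, alias_map=ALIAS_MAP):
    """Rewrite A-record rdata in the answer section according to alias_map."""
    msg = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                    # fixed 12-byte header
    for _ in range(qdcount):                    # question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(ancount):                    # answer: name, type, class, ttl, rdlen, rdata
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:           # TYPE A with an IPv4 payload
            public = ".".join(str(b) for b in msg[off:off + 4])
            if public in alias_map:
                msg[off:off + 4] = bytes(int(x) for x in alias_map[public].split("."))
        off += rdlen
    return bytes(msg)

def build_a_reply(qname, ip, ttl=300):
    """Constructed reply: one question and one A answer that uses name compression."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags(QR,RD,RA), counts
    question = name + struct.pack("!HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)    # name pointer to offset 12
    return header + question + answer + bytes(int(x) for x in ip.split("."))

def answered_ip(msg):
    """Check helper: the IPv4 address carried by the single A answer in msg."""
    return ".".join(str(b) for b in msg[-4:])
```

A reply for any address not in the alias map passes through byte-for-byte unchanged, which is the behaviour the alias command also has for other hosts.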
Author Comment

by:Vaxgen
ID: 9870853
Thanks TD_MILES!!!!
Also thanks to lrmoore for helping during my initial post.