Solved

2 Pix's Same Network

Posted on 2004-03-25
Last Modified: 2013-11-16
I have 2 different networks, one with a PIX 506 and the other with a PIX 501. Both are connected to a switch. The switch is also connected to the router. The router has 2 IPs set, .1 and .17, with a mask of .240. The 506 is talking to the .1 and the 501 is talking to the .17. I am unable to reach a web server on the .1 side from the .17 side. Any outside person can reach this server. Any suggestions?
Question by:nhuhta
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10680237
Is this a good depiction of your setup:

Web Server?
 |
  \   Net#1 -- PIX 506 --->switch ---> Router .1
                                     |
   /  Net#2 -- PIX 501 --->switch ---> Router .17
  |
Client trying to get to Web server?

Need more details. Does the PIX have the appropriate access granted for inbound to web server?
Are you doing NAT on the PIX's?

Do both the PIX506 and the PIX501 have an outside IP in the same subnet, with same .240 mask?
Any other subnets anywhere?

 

Author Comment

by:nhuhta
ID: 10680292
Yes, great depiction.
Access list is good... I have outside people able to reach it.
Yes, PAT is enabled on both firewalls.

Firewalls: the 501 is set as .26 and the 506 is .3.

Yes, both are set up for the .240 mask, and the router also has the .240 mask for both the .17 and the .1.
 
LVL 4

Expert Comment

by:hawgpig
ID: 10680432
Configs would really help... we could draw a topology from the configs.
I'm not seeing where your internet connection is or which direction the PIXes are pointing...
Is the outside of the 501 pointing toward the inside or outside of the 506...
etc....
 
LVL 79

Expert Comment

by:lrmoore
ID: 10680507
So, given the subnet
192.168.1.0 / 255.255.255.240
192.168.1.16 / 255.255.255.240
192.168.1.0 = Router .1 --> .3 = PIX506--> Net #1-- (1.1.1.x)--> web server
192.168.1.16 = Router .17 --> .26 = PIX 501 --> Net#2--(2.2.2.x)--> client

Can I assume that these router interfaces are on the same router, or are they on different routers?

#Assuming that you have a static NAT for the web server on the 506
static (inside,outside) tcp interface 80 1.1.1.x 80

#And access-list to permit traffic for port 80
access-list outside_in permit tcp any any eq 80

And, given that the client 2.2.2.x is trying to access the web server using the NAT address http://192.168.1.3
and NOT the "real" address http://1.1.1.x

Client's source IP for http request = 2.2.2.x, destination 192.168.1.3
That gets NAT'd outbound by the PIX to 192.168.1.26
Now source = 192.168.1.26, destination 192.168.1.3
Router knows how to send packets between .0 and .16 subnets
Packet hits PIX 192.168.1.3, translated/forwarded to server 1.1.1.x
server responds with source IP 1.1.1.x, destination 192.168.1.26
PIX sets up outbound xlate, source changes to 192.168.1.3, destination 192.168.1.26
Router again knows how to route packets from .16 to .0 subnets
Return packet hits PIX, xlate is open, packet forwarded back to client.

That's how it is supposed to work, the keys being the router in the middle, the NAT statements, access-lists, and open xlates.

What is the default gateway of the server? Is it the inside IP of the PIX506?
What is the default gateway of the client? Is it the inside IP of the PIX501?
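The walk-through above as a runnable model. This is an added example, not code from the thread or from Cisco: two PIX 6.x boxes doing PAT to their outside interfaces, the 506's static and its outside_access_in entries parsed from the lines of the running-config posted further down, and a router that has both /28s as connected routes. The client address 192.168.0.50, its source ports and the PAT port range starting at 1024 are assumptions, and the conn/xlate bookkeeping is a simplification of the real PIX (one conn table keyed on the translated tuple, no timeouts). It produces the four outcomes lrmoore's steps imply: the hairpin to the NAT address delivered over the open xlate, a port the ACL does not permit, a destination with no static, and the "real" inside address, for which the router has no connected route.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")  # TCP only, which is all the web server case needs
PORT_NAMES = {"www": 80, "citrix-ica": 1494}           # service names used in the posted ACL entries

def _addr(tokens):
    # one PIX ACL address spec ('any', 'host A' or 'A MASK'); returns (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(config_lines, name):
    # (action, proto, src_net, dst_net, dport_or_None) for each entry of access-list `name`
    rules = []
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", name]:
            continue  # other ACLs, or a cut-off line such as 'access-list inside_outb'
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((t[2], t[3], src, dst, port))
    return rules

def acl_permits(rules, pkt):
    # first match wins; every PIX access-list ends in an implicit deny
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, port in rules:
        if proto in ("ip", "tcp") and s in src and d in dst and port in (None, pkt.dport):
            return action == "permit"
    return False

class Pix:
    def __init__(self, name, outside_ip, statics, acl_rules):
        self.name, self.outside_ip, self.statics, self.acl = name, outside_ip, statics, acl_rules
        self.xlate = {}            # (inside ip, port) -> (global ip, port)
        self.conns = set()         # open conns as (global ip, port, remote ip, port)
        self.next_pat_port = 1024  # assumption: PAT ports are handed out from 1024 upward
    def inside_to_outside(self, pkt):
        # higher -> lower security: translate the source (a static wins over PAT) and open a conn
        key = (pkt.src, pkt.sport)
        if key not in self.xlate:
            static = [g for g, i in self.statics.items() if i == pkt.src]
            self.xlate[key] = (static[0], pkt.sport) if static else (self.outside_ip, self.next_pat_port)
            self.next_pat_port += 0 if static else 1
        g_ip, g_port = self.xlate[key]
        self.conns.add((g_ip, g_port, pkt.dst, pkt.dport))
        return pkt._replace(src=g_ip, sport=g_port)
    def outside_to_inside(self, pkt):
        # lower -> higher security: a reply rides the open xlate; new traffic needs a static AND an ACL permit
        local, remote = (pkt.dst, pkt.dport), (pkt.src, pkt.sport)
        if local + remote in self.conns:
            inside = next(k for k, v in self.xlate.items() if v == local)
            return pkt._replace(dst=inside[0], dport=inside[1]), f"{self.name}: open xlate, forwarded"
        if pkt.dst not in self.statics:
            return None, f"{self.name}: no static for {pkt.dst}, dropped"
        if not acl_permits(self.acl, pkt):
            return None, f"{self.name}: denied by outside_access_in"
        inside = (self.statics[pkt.dst], pkt.dport)
        self.xlate[inside] = local   # the static xlate, so the server's reply is untranslated
        self.conns.add(local + remote)
        return pkt._replace(dst=inside[0]), f"{self.name}: static + ACL permit, forwarded"

def route(connected, pkt):
    # the router has both /28s as connected routes; anything else takes its default route
    d = ipaddress.ip_address(pkt.dst)
    return next((pix for net, pix in connected.items() if d in ipaddress.ip_network(net)), None)

def trace(client_pix, connected, pkt):
    # request and reply hop by hop; returns (packet as the client receives it, or None, hops)
    out = client_pix.inside_to_outside(pkt)
    hops = [f"{client_pix.name} PAT: {out.src}:{out.sport} -> {out.dst}:{out.dport}"]
    server_pix = route(connected, out)
    if server_pix is None:
        return None, hops + [f"router: {out.dst} is on neither /28, takes the default route"]
    inbound, why = server_pix.outside_to_inside(out)
    if inbound is None:
        return None, hops + [why]
    back = server_pix.inside_to_outside(Packet(inbound.dst, inbound.dport, inbound.src, inbound.sport))
    hops += [why, f"{server_pix.name} reply: {back.src}:{back.sport} -> {back.dst}:{back.dport}"]
    final, why = route(connected, back).outside_to_inside(back)
    return final, hops + [why]

# the 506 lines that matter for the web server, copied from the running-config in the thread
PIX506_LINES = """access-list outside_access_in permit tcp any host 216.79.131.5 eq citrix-ica
access-list outside_access_in permit tcp any host 216.79.131.5 eq www
access-list inside_outb
static (inside,outside) 216.79.131.5 Citrix1 netmask 255.255.255.255 0 0""".splitlines()

def build():
    # Citrix1 is 192.168.203.7 per the 'name' line; the 501 defines no statics and no ACL entries
    pix506 = Pix("pix506", "216.79.131.3", {"216.79.131.5": "192.168.203.7"}, parse_acl(PIX506_LINES, "outside_access_in"))
    pix501 = Pix("pix501", "216.79.131.26", {}, [])
    return pix501, pix506, {"216.79.131.0/28": pix506, "216.79.131.16/28": pix501}
```

build() returns the two PIX objects and the router's connected-subnet table. trace(pix501, connected, Packet("192.168.0.50", 40000, "216.79.131.5", 80)) returns the packet as the client receives it plus the hop list; the same call with port 22, with 216.79.131.3 as the destination, or with the server's real address 192.168.203.7 returns None with the reason as the last hop. The two lookups the model makes at the 506 (is there a static for this destination, and does outside_access_in permit it) are the two things to read straight off the posted config before suspecting the router.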

Author Comment

by:nhuhta
ID: 10680922
Yes, they are both on the same router. And yes, both the server and the client are pointed to the gateway IP.
Here is the config for the 506:
Result of firewall command: "show tech" on 506
 
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 19-Mar-03 11:49 by morlee
bbcorp-pix up 12 days 17 hours
Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000f.2497.dd1c, irq 10
1: ethernet1: address is 000f.2497.dd1d, irq 11
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES-AES:       Enabled
Maximum Interfaces: 2
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited
This PIX has a Restricted (R) license.
Serial Number: 808061700 (0x302a0b04)
Running Activation Key: 0xa87b034a 0x21e76707 0x46993e3e 0xfb9d2450
Configuration last modified by  at 01:28:16.000 EST Thu Feb 7 2036
------------------ show clock ------------------
11:26:15.578 EST Thu Mar 25 2004
------------------ show memory ------------------
Free memory:        17570136 bytes
Used memory:        15984296 bytes
-------------     ----------------
Total memory:       33554432 bytes
------------------ show conn count ------------------
138 in use, 1125 most used
------------------ show xlate count ------------------
58 in use, 395 most used
------------------ show blocks ------------------
  SIZE    MAX    LOW    CNT
     4   1600   1592   1600
    80    400    396    398
   256    500    498    500
  1550    932    501    670
  2560    200    196    200
------------------ show interface ------------------
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000f.2497.dd1c
  IP address 216.79.131.3, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 100000 Kbit full duplex
      12092187 packets input, 277405317 bytes, 0 no buffer
      Received 186085 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      9651962 packets output, 2979182371 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      42 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/128) software (0/56)
      output queue (curr/max blocks): hardware (4/30) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000f.2497.dd1d
  IP address 192.168.203.3, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
      10249347 packets input, 3037315035 bytes, 0 no buffer
      Received 585137 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      11571245 packets output, 35509415 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      1 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/128) software (0/31)
      output queue (curr/max blocks): hardware (0/74) software (0/1)
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 0%; 1 minute: 5%; 5 minutes: 2%
------------------ show process ------------------
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e83d9 00834e34 0054e008          0 00833eac 3628/4096 arp_timer
Lsi 001ed55d 00857f6c 0054e008          0 00856ff4 3816/4096 FragDBGC
Lwe 00119bbf 008bb2c4 00551768          0 008ba45c 3688/4096 dbgtrace
Lwe 003dab25 008bd454 0054e4d0        460 008bb50c 6776/8192 Logger
Hrd 003deb7d 008c054c 0054dff0          0 008be5d4 7644/8192 tcp_fast
Hsi 003dea1d 008c25fc 0054e008          0 008c0684 7580/8192 tcp_slow
Lsi 002f8891 009f696c 0054e008          0 009f59e4 3944/4096 xlate clean
Lsi 002f879f 009f7a0c 0054e008          0 009f6a94 3548/4096 uxlate clean
Mwe 002efa7f 00b6bddc 0054e008          0 00b69e44 7908/8192 tcp_intercept_timer_process
Lsi 0043016d 00c16634 0054e008          0 00c156ac 3900/4096 route_process
Hsi 002e0c1c 00c176c4 0054e008          0 00c1675c 2572/4096 PIX Garbage Collector
Hwe 002141c9 00c213f4 0054e008          0 00c1d48c 14628/16384 isakmp_time_keeper
Lsi 002de99c 00c3a75c 0054e008          0 00c397d4 3944/4096 perfmon
Mwe 0020ba01 00c64b8c 0054e008          0 00c62c14 7860/8192 IPsec timer handler
Hwe 0039164b 00c7945c 00569030          0 00c77514 7032/8192 qos_metric_daemon
Mwe 0025d61d 00c8fff4 0054e008          0 00c8f88c 1436/2048 IP Background
Lwe 002f0582 00d42704 00564348          0 00d4188c 3704/4096 pix/trace
Lwe 002f079e 00d437b4 00564a78          0 00d4293c 3704/4096 pix/tconsole
Hwe 0011f5b7 00d4d694 004f8bc8          0 00d49bcc 14732/16384 ci/console
Csi 002e94bb 00d4ebd4 0054e008          0 00d4dc7c 3540/4096 update_cpu_usage
Hwe 002d64a1 00df2a6c 0052d3b8          0 00deebe4 15884/16384 uauth_in
Hwe 003dd66d 00df4b6c 0086f808          0 00df2c94 7896/8192 uauth_thread
Hwe 003f326a 00df5cbc 00546f38          0 00df4d44 3960/4096 udp_timer
Hsi 001e0092 00df796c 0054e008          0 00df69f4 3928/4096 557mcfix
Crd 001e0047 00df8a2c 0054e480  778238180 00df7aa4 3684/4096 557poll
Lsi 001e00fd 00df9acc 0054e008          0 00df8b54 3700/4096 557timer
Cwe 001e1c71 00e0fb4c 0078bb38     266590 00e0dc54 5900/8192 pix/intf0
Mwe 003f2fda 00e10c3c 008b8030          0 00e0fd04 3868/4096 riprx/0
Msi 0039a8c9 00e11d4c 0054e008          0 00e10dd4 3888/4096 riptx/0
Cwe 001e1c71 00e17e84 007165c8     217480 00e15f8c 6104/8192 pix/intf1
Mwe 003f2fda 00e18f94 008b7fe8          0 00e1805c 3896/4096 riprx/1
Msi 0039a8c9 00e1a0a4 0054e008          0 00e1912c 3888/4096 riptx/1
Hwe 003dd901 00e46104 0085b5c0         70 00e45e5c  300/1024 listen/http0
Hwe 003dd901 00e46614 0085b4c8         20 00e4636c  300/1024 listen/http1
Hwe 003dd901 00e46b84 0085ae00          0 00e4693c  188/1024 listen/pfm
Hwe 003dd901 00e47434 0085aef8          0 00e46dec 1212/2048 listen/telnet_1
Mwe 0012cd31 00e49614 0054e008          0 00e4769c 7888/8192 DHCPD Timer
Mwe 00367a62 00e4eb3c 0054e008          0 00e4cbc4 7640/8192 Crypto CA
Hwe 003c49b5 00e93c24 00e6d1a4       5410 00e91dfc 5956/8192 isakmp_receiver
Mwe 002cbd84 00e573b4 0052d140          0 00e53aac 12812/16384 http0
M*  003de2d7 0009ff2c 0054e040          0 00f1ef74 11452/16384 http0
------------------ show failover ------------------
No license for Failover
------------------ show traffic ------------------
outside:
      received (in 1100448.000 secs):
            12092187 packets      277405317 bytes
            3 pkts/sec      2 bytes/sec
      transmitted (in 1100448.000 secs):
            9651962 packets      2979182371 bytes
            0 pkts/sec      2000 bytes/sec
inside:
      received (in 1100448.010 secs):
            10249347 packets      3037315035 bytes
            1 pkts/sec      2002 bytes/sec
      transmitted (in 1100448.010 secs):
            11571245 packets      35509415 bytes
            2 pkts/sec      1 bytes/sec
------------------ show perfmon ------------------
PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          1/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup           68/s          3/s
TCPIntercept         0/s          0/s
HTTP Fixup          21/s          1/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
------------------ show running-config ------------------
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname bbcorp-pix
domain-name bbins.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.203.7 Citrix1
access-list outside_access_in permit tcp any host 216.79.131.5 eq citrix-ica
access-list outside_access_in permit tcp any host 216.79.131.5 eq www
access-list inside_outb
access-list inside_outbound_nat0_acl permit ip 192.168.203.0 255.255.255.0 192.168.203.96 255.255.255.240
pager lines 24
logging on
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.79.131.3 255.255.255.240
ip address inside 192.168.203.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Citrix1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.79.131.5 Citrix1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.79.131.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 1:00:00 udp 1:00:00 rpc 1:00:00 h225 1:00:00
timeout h323 1:00:00 mgcp 1:00:00 sip 1:00:00 sip_media 1:00:00
timeout uauth 1:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.203.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.203.4-192.168.203.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:ac563970a559a3b8f0c6aa489905cbdf
: end

501 Configuration:
Result of firewall command: "show tech"
 
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 19-Mar-03 11:49 by morlee
macduffpix up 20 days 20 hours
Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 000f.247e.4ff5, irq 9
1: ethernet1: address is 000f.247e.4ff6, irq 10
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES-AES:       Enabled
Maximum Interfaces: 2
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       50
Throughput:         Unlimited
IKE peers:          10
This PIX has a Restricted (R) license.
Serial Number: 808061511 (0x302a0a47)
Running Activation Key: 0xbc5ce716 0x95dd64db 0xbea73949 0x05843b06
Configuration last modified by  at 01:28:16.000 EST Thu Feb 7 2036
------------------ show clock ------------------
11:28:31.333 EST Thu Mar 25 2004
------------------ show memory ------------------
Free memory:         5396648 bytes
Used memory:        11380568 bytes
-------------     ----------------
Total memory:       16777216 bytes
------------------ show conn count ------------------
17 in use, 1761 most used
------------------ show xlate count ------------------
11 in use, 200 most used
------------------ show blocks ------------------
  SIZE    MAX    LOW    CNT
     4    600    596    600
    80    400    397    399
   256    100     98    100
  1550    932    476    670
  2560     10      8     10
------------------ show interface ------------------
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000f.247e.4ff5
  IP address 216.79.131.26, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 100000 Kbit full duplex
      11600980 packets input, 3545891065 bytes, 0 no buffer
      Received 297953 broadcasts, 0 runts, 0 giants
      1 input errors, 1 CRC, 0 frame, 0 overrun, 1 ignored, 0 abort
      9944916 packets output, 3387711814 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      79 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/128) software (0/61)
      output queue (curr/max blocks): hardware (3/101) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000f.247e.4ff6
  IP address 192.168.0.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
      10367603 packets input, 3465956731 bytes, 0 no buffer
      Received 397834 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      11160392 packets output, 3498868258 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/128) software (0/101)
      output queue (curr/max blocks): hardware (0/68) software (0/1)
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 2%; 1 minute: 3%; 5 minutes: 1%
------------------ show process ------------------
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e83d9 007b7934 0054e008          0 007b69ac 3628/4096 arp_timer
Lsi 001ed55d 007daa6c 0054e008          0 007d9af4 3816/4096 FragDBGC
Lwe 00119bbf 0082f36c 00551768          0 0082e504 3688/4096 dbgtrace
Lwe 003dab25 008314fc 0054e4d0       4000 0082f5b4 6776/8192 Logger
Hsi 003deb7d 008345f4 0054e008          0 0083267c 7708/8192 tcp_fast
Hsi 003dea1d 008366a4 0054e008          0 0083472c 7644/8192 tcp_slow
Lsi 002f8891 008b56fc 0054e008          0 008b4774 3944/4096 xlate clean
Lsi 002f879f 008b679c 0054e008          0 008b5824 3548/4096 uxlate clean
Mwe 002efa7f 008d576c 0054e008          0 008d37d4 7908/8192 tcp_intercept_timer_process
Lsi 0043016d 008e600c 0054e008          0 008e5084 3900/4096 route_process
Hsi 002e0c1c 008e709c 0054e008         10 008e6134 2572/4096 PIX Garbage Collector
Hwe 002141c9 008eb564 0054e008          0 008e75fc 15552/16384 isakmp_time_keeper
Lsi 002de99c 008fb97c 0054e008          0 008fa9f4 3944/4096 perfmon
Mwe 0020ba01 0090744c 0054e008          0 009054d4 7116/8192 IPsec timer handler
Hwe 0039164b 0091bd1c 00569030         10 00919dd4 6928/8192 qos_metric_daemon
Mwe 0025d61d 009328b4 0054e008          0 0093214c 1436/2048 IP Background
Lwe 002f0582 009e4fc4 00564348          0 009e414c 3704/4096 pix/trace
Lwe 002f079e 009e6074 00564a78          0 009e51fc 3704/4096 pix/tconsole
Hwe 0011f5b7 009eff54 004f8bc8          0 009ec48c 14732/16384 ci/console
Csi 002e94bb 009f1494 0054e008         10 009f053c 3448/4096 update_cpu_usage
Hwe 002d64a1 00a15f24 0052d3b8          0 00a1209c 15884/16384 uauth_in
Hwe 003dd66d 00a18024 007f2308          0 00a1614c 7896/8192 uauth_thread
Hwe 003f326a 00a19174 00546f38          0 00a181fc 3960/4096 udp_timer
Hsi 001e0092 00a1ae24 0054e008          0 00a19eac 3928/4096 557mcfix
Crd 001e0047 00a1bee4 0054e480 1086333810 00a1af5c 3640/4096 557poll
Lsi 001e00fd 00a1cf84 0054e008          0 00a1c00c 3700/4096 557timer
Cwe 001e1c71 00a33004 006c60c8    2034630 00a3110c 5800/8192 pix/intf0
Mwe 003f2fda 00a340f4 0082caf8          0 00a331bc 3896/4096 riprx/0
Msi 0039a8c9 00a35204 0054e008          0 00a3428c 3888/4096 riptx/0
Cwe 001e1c71 00a3b33c 0073b638    1920760 00a39444 6056/8192 pix/intf1
Mwe 003f2fda 00a3c44c 0082cab0          0 00a3b514 3896/4096 riprx/1
Msi 0039a8c9 00a3d55c 0054e008          0 00a3c5e4 3888/4096 riptx/1
Hwe 003dd901 00a69124 007ddaf0         40 00a68e7c  300/1024 listen/http0
Hwe 003dd901 00a69634 007dddd8        170 00a6938c  136/1024 listen/http1
Hwe 003dd901 00a69ba4 007dd900          0 00a6995c  188/1024 listen/pfm
Hwe 003dd901 00a6a454 007dd9f8          0 00a69e0c 1212/2048 listen/telnet_1
Mwe 0012cd31 00a6c634 0054e008          0 00a6a6bc 7888/8192 DHCPD Timer
Mwe 00367a62 00a71b5c 0054e008          0 00a6fbe4 7640/8192 Crypto CA
Mwe 002cbd84 00a7c44c 0052d140         20 00a78b44 12828/16384 http0
M*  003de2d7 0009ff2c 0054e040         20 00aaf00c 11452/16384 http0
Hwe 003c49b5 00aac634 00aacae4      15860 00aaa80c 6224/8192 isakmp_receiver
------------------ show failover ------------------
No license for Failover
------------------ show traffic ------------------
outside:
      received (in 1803521.310 secs):
            11600980 packets      3545891065 bytes
            1 pkts/sec      1001 bytes/sec
      transmitted (in 1803521.310 secs):
            9944916 packets      3387711814 bytes
            0 pkts/sec      1002 bytes/sec
inside:
      received (in 1803521.310 secs):
            10367603 packets      3465956731 bytes
            0 pkts/sec      1000 bytes/sec
      transmitted (in 1803521.310 secs):
            11160392 packets      3498868258 bytes
            1 pkts/sec      1001 bytes/sec
------------------ show perfmon ------------------
PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup           25/s          1/s
TCPIntercept         0/s          0/s
HTTP Fixup          18/s          2/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
------------------ show running-config ------------------
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname macduffpix
domain-name macduff-fla.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 216.79.131.26 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.9 255.255.255.255 inside
pdm location 192.168.0.22 255.255.255.255 inside
pdm location 216.79.131.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.79.131.17 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:d76379607b69e520cd668194c60330f0
: end
 
LVL 79

Expert Comment

by:lrmoore
ID: 10680985
You have applied two different access-lists that don't appear to be defined on the 501.
It may not be the problem, but it can't help anything, either. They appear to have just been copied from the 506 config:

nat (inside) 0 access-list inside_outbound_nat0_acl   <-- there is no acl defined
access-group outside_access_in in interface outside  <-- there is no acl defined




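A check for the dangling references lrmoore found by reading the 501 config. This is an added example, not code from the thread: it scans running-config text for the places PIX 6.x attaches an access-list by name (nat 0, access-group, crypto map match address, vpngroup split-tunnel) and reports names that are referenced but never defined, names defined but never applied, and access-list lines too short to be an entry, such as the cut-off "access-list inside_outb" in the 506 paste. The two sample configs are the relevant lines copied from the configs posted above.

```python
import re

# where PIX 6.x attaches an access-list by name; group 1 is the name
REFERENCE_PATTERNS = [
    re.compile(r"^nat \(\S+\) 0 access-list (\S+)"),
    re.compile(r"^access-group (\S+) in interface \S+"),
    re.compile(r"^crypto map \S+ \d+ match address (\S+)"),
    re.compile(r"^vpngroup \S+ split-tunnel (\S+)"),
]

def lint_acl_references(config_text):
    # returns {'missing': names applied but never defined, 'unused': defined but never applied,
    #          'malformed': access-list lines too short to be an entry}
    defined, referenced, malformed = set(), set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            tokens = line.split()
            if len(tokens) < 3:      # e.g. a line cut off when the config was pasted
                malformed.append(line)
            else:
                defined.add(tokens[1])
            continue
        for pattern in REFERENCE_PATTERNS:
            m = pattern.match(line)
            if m:
                referenced.add(m.group(1))
    return {"missing": referenced - defined, "unused": defined - referenced, "malformed": malformed}

def report(label, config_text):
    r = lint_acl_references(config_text)
    lines = [f"{label}: {len(r['missing'])} referenced-but-undefined, {len(r['unused'])} unused, {len(r['malformed'])} malformed"]
    lines += [f"  missing   {n}" for n in sorted(r["missing"])]
    lines += [f"  unused    {n}" for n in sorted(r["unused"])]
    lines += [f"  malformed {m}" for m in r["malformed"]]
    return "\n".join(lines)

# relevant lines copied from the two running-configs posted in this thread
PIX501_CONFIG = """\
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.79.131.17 1
"""
PIX506_CONFIG = """\
access-list outside_access_in permit tcp any host 216.79.131.5 eq citrix-ica
access-list outside_access_in permit tcp any host 216.79.131.5 eq www
access-list inside_outb
access-list inside_outbound_nat0_acl permit ip 192.168.203.0 255.255.255.0 192.168.203.96 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.79.131.5 Citrix1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    print(report("501", PIX501_CONFIG))
    print(report("506", PIX506_CONFIG))
```

Run on the 501 lines it reports both names lrmoore flagged as referenced but undefined; on the 506 lines it reports nothing missing and only the truncated "access-list inside_outb" as malformed. Whether an undefined name in an access-group line actually blocks anything is not something this check decides; it only tells you which lines to reconcile before reading further.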
 

Author Comment

by:nhuhta
ID: 10681455
They are both different... here is the full list again. The 1st one is the 506, the second one is the 501:

506:
Result of firewall command: "show tech" on 506
 
------------------ show running-config ------------------
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password MCgmMAUrtOKyP7Fq encrypted
passwd MCgmMAUrtOKyP7Fq encrypted
hostname bbcorp-pix
domain-name bbins.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.203.12 TopGun
name 192.168.203.8 Citrix2
name 192.168.203.25 OracleWeb
name 192.168.203.7 Citrix1
name 192.168.203.17 Oracle
name 192.168.203.15 SQL
name 192.168.203.22 Soxley
name 192.168.203.20 Backup
name 192.168.203.19 Exchange
name 216.79.131.29 MacDuff
name 216.79.131.26 MCDuff
access-list outside_access_in permit tcp any host 216.79.131.5 eq citrix-ica
access-list outside_access_in permit tcp any host 216.79.131.5 eq www
access-list outside_access_in permit tcp any host 216.79.131.6 eq citrix-ica
access-list outside_access_in permit tcp any host 216.79.131.6 eq www
access-list outside_access_in permit tcp any host 216.79.131.8 eq www
access-list outside_access_in permit tcp any host 216.79.131.10 eq www
access-list outside_access_in permit tcp any host 216.79.131.10 eq smtp
access-list outside_access_in permit tcp any host 216.79.131.12 eq www
access-list outside_access_in permit ip any host 216.79.131.13
access-list outside_access_in permit tcp host 66.193.53.137 any
access-list outside_access_in permit tcp host 66.193.53.138 any
access-list bbcorporacle_splitTunnelAcl permit ip host Oracle any
access-list inside_outbound_nat0_acl permit ip host Oracle host 192.168.203.100
access-list inside_outbound_nat0_acl permit ip host SQL host 192.168.203.101
access-list inside_outbound_nat0_acl permit ip 192.168.203.0 255.255.255.0 192.168.203.96 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any host 192.168.203.100
access-list sql_splitTunnelAcl permit ip host SQL any
access-list outside_cryptomap_dyn_40 permit ip any host 192.168.203.101
access-list bbcorpadmin_splitTunnelAcl permit ip 192.168.203.0 255.255.255.0 any
access-list outside_cryptomap_dyn_60 permit ip any 192.168.203.96 255.255.255.240
pager lines 24
logging on
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.79.131.3 255.255.255.240
ip address inside 192.168.203.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool oracle 192.168.203.100
ip local pool sql 192.168.203.101
ip local pool bbcorpadmin 192.168.203.102-192.168.203.106
pdm location 66.193.53.137 255.255.255.255 outside
pdm location 66.193.53.138 255.255.255.255 outside
pdm location Citrix1 255.255.255.255 inside
pdm location Citrix2 255.255.255.255 inside
pdm location TopGun 255.255.255.255 inside
pdm location OracleWeb 255.255.255.255 inside
pdm location Oracle 255.255.255.255 inside
pdm location Backup 255.255.255.255 inside
pdm location SQL 255.255.255.255 inside
pdm location Soxley 255.255.255.255 inside
pdm location Exchange 255.255.255.255 inside
pdm location MacDuff 255.255.255.255 outside
pdm location MCDuff 255.255.255.255 outside
pdm location 216.79.131.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.79.131.5 Citrix1 netmask 255.255.255.255 0 0
static (inside,outside) 216.79.131.6 Citrix2 netmask 255.255.255.255 0 0
static (inside,outside) 216.79.131.8 TopGun netmask 255.255.255.255 0 0
static (inside,outside) 216.79.131.10 Exchange netmask 255.255.255.255 0 0
static (inside,outside) 216.79.131.12 OracleWeb netmask 255.255.255.255 0 0
static (inside,outside) 216.79.131.14 Oracle netmask 255.255.255.255 0 0
static (inside,outside) 216.79.131.13 Soxley netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.79.131.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 1:00:00 udp 1:00:00 rpc 1:00:00 h225 1:00:00
timeout h323 1:00:00 mgcp 1:00:00 sip 1:00:00 sip_media 1:00:00
timeout uauth 1:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 66.193.53.137 255.255.255.255 outside
http 66.193.53.138 255.255.255.255 outside
http 192.168.203.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup bbcorporacle address-pool oracle
vpngroup bbcorporacle dns-server 192.168.203.23
vpngroup bbcorporacle default-domain bbcorporate.com
vpngroup bbcorporacle split-tunnel bbcorporacle_splitTunnelAcl
vpngroup bbcorporacle idle-time 1800
vpngroup bbcorporacle password ********
vpngroup sql address-pool sql
vpngroup sql dns-server 192.168.203.23
vpngroup sql default-domain bbcorporate.com
vpngroup sql split-tunnel sql_splitTunnelAcl
vpngroup sql idle-time 1800
vpngroup sql password ********
vpngroup bbcorpadmin address-pool bbcorpadmin
vpngroup bbcorpadmin dns-server Exchange
vpngroup bbcorpadmin default-domain bbcorporate.com
vpngroup bbcorpadmin split-tunnel bbcorpadmin_splitTunnelAcl
vpngroup bbcorpadmin idle-time 1800
vpngroup bbcorpadmin password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.203.4-192.168.203.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:ac563970a559a3b8f0c6aa489905cbdf
: end

501:
Result of firewall command: "show tech" on 501
 
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 19-Mar-03 11:49 by morlee
macduffpix up 20 days 20 hours
Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 000f.247e.4ff5, irq 9
1: ethernet1: address is 000f.247e.4ff6, irq 10
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES-AES:       Enabled
Maximum Interfaces: 2
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       50
Throughput:         Unlimited
IKE peers:          10
This PIX has a Restricted (R) license.
Serial Number: 808061511 (0x302a0a47)
Running Activation Key: 0xbc5ce716 0x95dd64db 0xbea73949 0x05843b06
Configuration last modified by  at 01:28:16.000 EST Thu Feb 7 2036
------------------ show clock ------------------
11:28:31.333 EST Thu Mar 25 2004
------------------ show memory ------------------
Free memory:         5396648 bytes
Used memory:        11380568 bytes
-------------     ----------------
Total memory:       16777216 bytes
------------------ show conn count ------------------
17 in use, 1761 most used
------------------ show xlate count ------------------
11 in use, 200 most used
------------------ show blocks ------------------
  SIZE    MAX    LOW    CNT
     4    600    596    600
    80    400    397    399
   256    100     98    100
  1550    932    476    670
  2560     10      8     10
------------------ show interface ------------------
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000f.247e.4ff5
  IP address 216.79.131.26, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 100000 Kbit full duplex
      11600980 packets input, 3545891065 bytes, 0 no buffer
      Received 297953 broadcasts, 0 runts, 0 giants
      1 input errors, 1 CRC, 0 frame, 0 overrun, 1 ignored, 0 abort
      9944916 packets output, 3387711814 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      79 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/128) software (0/61)
      output queue (curr/max blocks): hardware (3/101) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000f.247e.4ff6
  IP address 192.168.0.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
      10367603 packets input, 3465956731 bytes, 0 no buffer
      Received 397834 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      11160392 packets output, 3498868258 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/128) software (0/101)
      output queue (curr/max blocks): hardware (0/68) software (0/1)
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 2%; 1 minute: 3%; 5 minutes: 1%
------------------ show process ------------------
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e83d9 007b7934 0054e008          0 007b69ac 3628/4096 arp_timer
Lsi 001ed55d 007daa6c 0054e008          0 007d9af4 3816/4096 FragDBGC
Lwe 00119bbf 0082f36c 00551768          0 0082e504 3688/4096 dbgtrace
Lwe 003dab25 008314fc 0054e4d0       4000 0082f5b4 6776/8192 Logger
Hsi 003deb7d 008345f4 0054e008          0 0083267c 7708/8192 tcp_fast
Hsi 003dea1d 008366a4 0054e008          0 0083472c 7644/8192 tcp_slow
Lsi 002f8891 008b56fc 0054e008          0 008b4774 3944/4096 xlate clean
Lsi 002f879f 008b679c 0054e008          0 008b5824 3548/4096 uxlate clean
Mwe 002efa7f 008d576c 0054e008          0 008d37d4 7908/8192 tcp_intercept_timer_process
Lsi 0043016d 008e600c 0054e008          0 008e5084 3900/4096 route_process
Hsi 002e0c1c 008e709c 0054e008         10 008e6134 2572/4096 PIX Garbage Collector
Hwe 002141c9 008eb564 0054e008          0 008e75fc 15552/16384 isakmp_time_keeper
Lsi 002de99c 008fb97c 0054e008          0 008fa9f4 3944/4096 perfmon
Mwe 0020ba01 0090744c 0054e008          0 009054d4 7116/8192 IPsec timer handler
Hwe 0039164b 0091bd1c 00569030         10 00919dd4 6928/8192 qos_metric_daemon
Mwe 0025d61d 009328b4 0054e008          0 0093214c 1436/2048 IP Background
Lwe 002f0582 009e4fc4 00564348          0 009e414c 3704/4096 pix/trace
Lwe 002f079e 009e6074 00564a78          0 009e51fc 3704/4096 pix/tconsole
Hwe 0011f5b7 009eff54 004f8bc8          0 009ec48c 14732/16384 ci/console
Csi 002e94bb 009f1494 0054e008         10 009f053c 3448/4096 update_cpu_usage
Hwe 002d64a1 00a15f24 0052d3b8          0 00a1209c 15884/16384 uauth_in
Hwe 003dd66d 00a18024 007f2308          0 00a1614c 7896/8192 uauth_thread
Hwe 003f326a 00a19174 00546f38          0 00a181fc 3960/4096 udp_timer
Hsi 001e0092 00a1ae24 0054e008          0 00a19eac 3928/4096 557mcfix
Crd 001e0047 00a1bee4 0054e480 1086333810 00a1af5c 3640/4096 557poll
Lsi 001e00fd 00a1cf84 0054e008          0 00a1c00c 3700/4096 557timer
Cwe 001e1c71 00a33004 006c60c8    2034630 00a3110c 5800/8192 pix/intf0
Mwe 003f2fda 00a340f4 0082caf8          0 00a331bc 3896/4096 riprx/0
Msi 0039a8c9 00a35204 0054e008          0 00a3428c 3888/4096 riptx/0
Cwe 001e1c71 00a3b33c 0073b638    1920760 00a39444 6056/8192 pix/intf1
Mwe 003f2fda 00a3c44c 0082cab0          0 00a3b514 3896/4096 riprx/1
Msi 0039a8c9 00a3d55c 0054e008          0 00a3c5e4 3888/4096 riptx/1
Hwe 003dd901 00a69124 007ddaf0         40 00a68e7c  300/1024 listen/http0
Hwe 003dd901 00a69634 007dddd8        170 00a6938c  136/1024 listen/http1
Hwe 003dd901 00a69ba4 007dd900          0 00a6995c  188/1024 listen/pfm
Hwe 003dd901 00a6a454 007dd9f8          0 00a69e0c 1212/2048 listen/telnet_1
Mwe 0012cd31 00a6c634 0054e008          0 00a6a6bc 7888/8192 DHCPD Timer
Mwe 00367a62 00a71b5c 0054e008          0 00a6fbe4 7640/8192 Crypto CA
Mwe 002cbd84 00a7c44c 0052d140         20 00a78b44 12828/16384 http0
M*  003de2d7 0009ff2c 0054e040         20 00aaf00c 11452/16384 http0
Hwe 003c49b5 00aac634 00aacae4      15860 00aaa80c 6224/8192 isakmp_receiver
------------------ show failover ------------------
No license for Failover
------------------ show traffic ------------------
outside:
      received (in 1803521.310 secs):
            11600980 packets      3545891065 bytes
            1 pkts/sec      1001 bytes/sec
      transmitted (in 1803521.310 secs):
            9944916 packets      3387711814 bytes
            0 pkts/sec      1002 bytes/sec
inside:
      received (in 1803521.310 secs):
            10367603 packets      3465956731 bytes
            0 pkts/sec      1000 bytes/sec
      transmitted (in 1803521.310 secs):
            11160392 packets      3498868258 bytes
            1 pkts/sec      1001 bytes/sec
------------------ show perfmon ------------------
PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup           25/s          1/s
TCPIntercept         0/s          0/s
HTTP Fixup          18/s          2/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
------------------ show running-config ------------------
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bNfTAtkJDreIWrlh encrypted
passwd bNfTAtkJDreIWrlh encrypted
hostname macduffpix
domain-name macduff-fla.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.0.2 Exchange
object-group service TerminalServices tcp-udp
  port-object range 3389 3389
access-list outside_access_in permit tcp any host 216.79.131.29 eq smtp
access-list outside_access_in permit tcp any host 216.79.131.29 eq 3389
access-list outside_access_in permit tcp any host 216.79.131.29 eq www
access-list outside_access_in permit tcp any host 216.79.131.30 eq 3389
access-list outside_access_in permit tcp host 66.193.53.137 any
access-list outside_access_in permit tcp host 66.193.53.138 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 216.79.131.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 216.79.131.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 216.79.131.26 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 66.193.53.137 255.255.255.255 outside
pdm location 66.193.53.138 255.255.255.255 outside
pdm location Exchange 255.255.255.255 inside
pdm location 192.168.0.9 255.255.255.255 inside
pdm location 192.168.0.22 255.255.255.255 inside
pdm location 216.79.131.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.79.131.29 Exchange netmask 255.255.255.255 0 0
static (inside,outside) 216.79.131.30 192.168.0.9 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.79.131.17 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 66.193.53.137 255.255.255.255 outside
http 66.193.53.138 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 216.79.131.3
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 216.79.131.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address Exchange-192.168.0.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:d76379607b69e520cd668194c60330f0
: end
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 10681989
>access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 216.79.131.0 255.255.255.0
>nat (inside) 0 access-list inside_outbound_nat0_acl

Try removing these two lines from the 501
What is the reason to exclude local 192.168.0.0 traffic from NAT?

Does the router have a route statement like this?
ip route 192.168.0.0 255.255.255.0 216.79.131.26


0
 

Author Comment

by:nhuhta
ID: 10682101
Thank you everyone for your help!!! lrmoore i removed that first line and it worked perfectly!!!!!! Thanks again guys!!!
0
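Added example (not part of the thread, and not the original poster's or lrmoore's code): a small Python model of the PIX 6.x NAT order of operations, built from the NAT and crypto lines visible in the 501 running-config above. PIX 6.x evaluates NAT exemption (`nat 0 access-list`) before the regular `nat`/`global` rules, so any flow matching `inside_outbound_nat0_acl` leaves the outside interface with its private 192.168.0.x source untouched; the same flow also matches `outside_cryptomap_20` for peer 216.79.131.3. The hosts 192.168.0.9 (the 501's static for .30) and the destination 198.51.100.10 are constructed for illustration; 216.79.131.12 is the 506's OracleWeb static from the config.

```python
"""PIX 6.x NAT / crypto-map match model for the macduffpix (501) config in this thread.

Added example, not the original poster's or lrmoore's code. The config lines are
copied from the posted running-config; the hosts used in the demo are constructed.
"""
import ipaddress
from dataclasses import dataclass

PIX501_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 216.79.131.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 216.79.131.0 255.255.255.0
ip address outside 216.79.131.26 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 216.79.131.3
route outside 0.0.0.0 0.0.0.0 216.79.131.17 1
"""

# The fix applied in the thread: drop the nat 0 exemption, keep everything else.
PIX501_FIXED = "\n".join(
    line for line in PIX501_CONFIG.splitlines() if not line.startswith("nat (inside) 0 ")
)


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one PIX ACL address spec ('any', 'host A', or 'NET MASK') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ip_acl(config, name):
    """Collect the 'access-list NAME permit ip SRC DST' entries of one ACL (the only form used here)."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", name] or t[2:4] != ["permit", "ip"]:
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append(AclEntry(src, dst))
    return entries


def acl_matches(entries, src_ip, dst_ip):
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in e.src and d in e.dst for e in entries)


def _first_field(config, prefix_tokens, index):
    """Return token[index] of the first config line starting with prefix_tokens, else None."""
    for line in config.splitlines():
        t = line.split()
        if t[: len(prefix_tokens)] == prefix_tokens and len(t) > index:
            return t[index]
    return None


def translated_source(config, src_ip, dst_ip):
    """Source address the packet carries on the outside wire.

    PIX 6.x order: nat 0 access-list (exemption, identity NAT) is checked first; anything
    else falls through to nat (inside) 1 + global (outside) 1 interface, i.e. PAT to the
    outside interface address.
    """
    nat0_acl = _first_field(config, ["nat", "(inside)", "0", "access-list"], 4)
    if nat0_acl and acl_matches(parse_ip_acl(config, nat0_acl), src_ip, dst_ip):
        return src_ip
    return _first_field(config, ["ip", "address", "outside"], 3)


def crypto_peer_for(config, src_ip, dst_ip):
    """Peer of the static crypto map entry whose match ACL covers the flow, or None."""
    entries = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 7 and t[:2] == ["crypto", "map"]:
            e = entries.setdefault((t[2], t[3]), {})
            if t[4:6] == ["match", "address"]:
                e["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                e["peer"] = t[6]
    for e in entries.values():
        if "acl" in e and "peer" in e and acl_matches(parse_ip_acl(config, e["acl"]), src_ip, dst_ip):
            return e["peer"]
    return None


if __name__ == "__main__":
    for label, cfg in (("with nat 0 exemption", PIX501_CONFIG), ("exemption removed", PIX501_FIXED)):
        for dst in ("216.79.131.12", "198.51.100.10"):
            print(f"{label:22} 192.168.0.9 -> {dst:14} src on wire {translated_source(cfg, '192.168.0.9', dst):14}"
                  f" crypto peer {crypto_peer_for(cfg, '192.168.0.9', dst)}")
```

Run it and the first row shows the symptom: with the exemption in place a packet from 192.168.0.9 to the 506's web server at 216.79.131.12 leaves the 501 with source 192.168.0.9 (and selects the crypto map entry for peer 216.79.131.3, whose dynamic-map ACLs on the 506 only cover its VPN client pools), so neither the router nor the 506 has a return path to it. Once the `nat (inside) 0` line is gone, the same packet is PATed to 216.79.131.26, which the 506's `outside_access_in` already permits to .12 on www, and traffic to any other public destination is unaffected either way.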
