
No Internet Access Through My Pix 501 Firewall (Help)!!!

stevem200872 asked
Last Modified: 2013-11-16
OK, everything was working fine, no problems at all. I then wanted to get OWA working, so I put in what was needed; you will see the Exchange commands.

All looked OK, and I could then access OWA from outside, so I thought, yay, good job.

Anyway, the next day we had no Internet access and remote users were unable to VPN to our W2k3 server.

I can't see what's changed. Please look at the script below and see if there is anything I may have done wrong, or if there is something blocking these accesses.

Please help, PIX gurus,

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password pjhghjhhhbg encrypted
passwd pjghghghggh encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol pptp 1723                        
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
name 192.168.1.202 Exchange                          
name 135.196.176.231 Exchange_outside                                    
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.0 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.0 255.255.255.128                                                                              
access-list outside_access_in permit gre any any                                                
access-list outside_access_in permit tcp any interface outside eq smtp                                                                      
access-list outside_access_in permit tcp any interface outside eq pptp                                                                      
access-list outside_access_in permit tcp any interface outside eq 5900                                                                      
access-list outside_access_in permit tcp any eq smtp host Exchange_outside                                                                          
access-list outside_access_in permit tcp any host Exchange_outside                                                                  
access-list outgoing                    
access-list outgoing permit ip any any                                      
access-list outgoing permit icmp any any                                        
pager lines 24              
mtu outside 1500                
mtu inside 1500              
ip address outside Exchange_outside 255.255.255.224                                                  
ip address inside 192.168.1.1 255.255.255.0                                          
ip audit info action alarm reset                                
ip audit attack action alarm reset                                  
ip local pool skyevpn 192.168.1.50-192.168.1.70                                              
pdm location 213.86.132.161 255.255.255.255 outside                                                  
pdm location 213.86.132.162 255.255.255.255 outside                                                  
pdm location 192.168.1.0 255.255.255.255 inside                                              
pdm location 192.168.1.49 2                        
pdm location Exchange_outside 255.255.255.255 inside                                                    
pdm location Exchange 255.255.255.255 inside                                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
static (inside,outside) tcp Exchange_outside smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.200 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp Exchange_outside 5900 192                                                    
255.255.255 0 0              
static (inside,outside) Exchange_outside Exchange netmask 255.255.255.255 0 0                                                                            
access-group outside_access_in in interface outside                                                  
access-group outgoing in interface inside                                        
route outside 0.0.0.0 0.0.0.0 81.178.42.14 1                                            
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ deadtime 10                              
aaa-server RADIUS protocol radius                                
aaa-server RADIUS max-failed-attempts 3                                      
aaa-server RADIUS deadtime 10                            
aaa-server LOCAL protocol local                              
http server enable                  
http 192.168.1.0 255.255.255.0 inside                                    
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac                                                            
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20                                                                            
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5                                                                    
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map                                                                
crypto map outside_map interface outside                                        
isakmp enable outside                    
isakmp enable inside                    
isakmp policy 20 authentication pre-share                                        
isakmp policy 20 encryption 3des                                
isakmp policy 20 hash md5                        
isakmp policy 20 group 2                        
isakmp policy 20 lifetime 86400                              
vpngroup skye address-pool skyevpn                                  
vpngroup skye dns-server 192.168.1.49                                    
vpngroup skye idle-time 1800
vpngroup skye password ********
telnet 213.86.132.161 255.255.255.255 outside
telnet 213.86.132.162 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
vpnclient server 213.86.132.161
vpnclient mode client-mode
vpnclient vpngroup win2k password ********
terminal width 80
Cryptochecksum:c33fe327fa476226d3e9e6783b513f1d
: end

What do you think? Please help on this, people....

Commented:
I think your problem is this combination:

>access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.0 255.255.255.128
>nat (inside) 0 access-list inside_outbound_nat0_acl

Try these:

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.48 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.248
no access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.0 255.255.255.128
clear xlate

Author

Commented:
Thank you so much, thank you. I will try this afternoon.
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
>name 135.196.176.231 Exchange_outside  
>static (inside,outside) Exchange_outside Exchange netmask 255.255.255.255 0 0  
Can you confirm that this Exchange_outside IP address is NOT the same as the interface IP?

As a side note, you do not need an outbound acl
>access-group outgoing in interface inside                                        
Especially given that your ACL permits almost everything anyway:
>access-list outgoing permit ip any any              

Suggest you remove that acl from the inside interface
 no access-group outgoing in interface inside                                        

Another note:
>ip local pool skyevpn 192.168.1.50-192.168.1.70
VPN connections work much, much better if you use a different IP subnet for your VPN users; for example, use 192.168.172.0.
Also, FYI, if you continue using 192.168.1.x as your inside subnet, you will have many VPN users complain that they can't access resources after they connect. Why? Simple. Your inside IP subnet is 192.168.1.0 and their home IP subnet is also 192.168.1.0.
This is the single most widely used IP subnet in the world, especially for home users and SOHO routers/firewalls. I wish Cisco did not use this as the default out-of-the-box on the PIXes...

Commented:
Ah, I missed that static / interface problem. lrmoore has a good point there: you shouldn't make a 1-to-1 static with your interface address, or you have limited Internet access to the Exchange.
Make it into port forwarding, just as you have your other statics.
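The three configuration problems the replies above point at (the nat 0 exemption ACL whose source is "interface inside", the one-to-one static that uses the outside interface address, and the VPN pool carved out of the 192.168.1.0/24 inside subnet) can all be caught mechanically from the running-config. The following Python linter is an added example, not code from the original thread or from Cisco. Its two embedded config excerpts are constructed from the config posted above: the "posted" one reproduces the relevant lines as-is, and the "fixed" one applies the suggestions in the replies, assuming a 192.168.172.10-30 pool range (the replies only name the 192.168.172.0 subnet) and dropping the one-to-one static in favour of the port statics that were already there.

```python
"""Lint a PIX 6.3 running-config for the three problems raised in this thread:
a nat 0 ACL whose source is 'interface X', a one-to-one static that uses the
outside interface address, and a VPN pool that overlaps a connected subnet.
Added example; not code from the original page or from Cisco."""
import ipaddress

# Constructed sample: the lines from the posted config that the checks need.
SAMPLE_CONFIG = """\
name 192.168.1.202 Exchange
name 135.196.176.231 Exchange_outside
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.0 255.255.255.128
ip address outside Exchange_outside 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip local pool skyevpn 192.168.1.50-192.168.1.70
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp Exchange_outside smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.200 pptp netmask 255.255.255.255 0 0
static (inside,outside) Exchange_outside Exchange netmask 255.255.255.255 0 0
"""

# Constructed "after" config applying the replies: a real source subnet in the
# nat 0 ACL, the VPN pool moved to 192.168.172.0 (the .10-.30 range is an
# assumption), and the one-to-one static dropped; the port statics stay.
FIXED_CONFIG = """\
name 192.168.1.202 Exchange
name 135.196.176.231 Exchange_outside
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.172.0 255.255.255.0
ip address outside Exchange_outside 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip local pool skyevpn 192.168.172.10-192.168.172.30
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp Exchange_outside smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.200 pptp netmask 255.255.255.255 0 0
"""


def parse_config(text):
    """Pull out only the commands the checks need; every other line is ignored."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    # 'name' aliases may be used anywhere, so collect them in a first pass.
    names = {t[2]: t[1] for t in lines if t[0] == "name" and len(t) >= 3}
    cfg = {"names": names, "interfaces": {}, "acls": {}, "nat0": [], "statics": [], "pools": {}}
    for t in lines:
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            addr = names.get(t[3], t[3])
            cfg["interfaces"][t[2]] = ipaddress.ip_interface(f"{addr}/{t[4]}")
        elif t[0] == "access-list" and len(t) >= 3:
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"].append(t[4])
        elif t[0] == "static" and len(t) >= 4:
            cfg["statics"].append(t[1:])
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5 and "-" in t[4]:
            lo, hi = t[4].split("-", 1)
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    return cfg


def check_nat0_source(cfg):
    """A nat 0 ACL with source 'interface X' exempts only the PIX's own address."""
    out = []
    for acl in cfg["nat0"]:
        for e in cfg["acls"].get(acl, []):
            if len(e) >= 4 and e[0] == "permit" and e[2] == "interface":
                out.append(f"nat 0 ACL {acl}: source is 'interface {e[3]}', not the inside subnet")
    return out


def check_static_on_interface_ip(cfg):
    """A one-to-one static on the outside interface address claims every port of it."""
    out = []
    outside = cfg["interfaces"].get("outside")
    if outside is None:
        return out
    for s in cfg["statics"]:
        if s[1] in ("tcp", "udp"):
            continue  # port static (port forwarding) is fine on the interface address
        if cfg["names"].get(s[1], s[1]) == str(outside.ip):
            local = cfg["names"].get(s[2], s[2])
            out.append(f"one-to-one static maps outside interface {outside.ip} to {local}")
    return out


def check_pool_overlap(cfg):
    """VPN pool addresses inside a directly connected subnet collide with local hosts."""
    out = []
    for name, (lo, hi) in cfg["pools"].items():
        for ifname, iface in cfg["interfaces"].items():
            if lo in iface.network or hi in iface.network:
                out.append(f"VPN pool {name} {lo}-{hi} overlaps {ifname} subnet {iface.network}")
    return out


def lint(text):
    cfg = parse_config(text)
    return check_nat0_source(cfg) + check_static_on_interface_ip(cfg) + check_pool_overlap(cfg)


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = lint(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against a full `show run` by reading the file into `lint()`; the parser skips everything it does not recognise, so the fixup, timeout and PDM lines in the posted config do not need stripping. Note that the pool check only compares against interface subnets on the PIX itself; the home-router collision lrmoore describes (a client whose own LAN is also 192.168.1.0/24) cannot be seen from the firewall config and still has to be designed around by choosing a pool subnet nobody uses at home.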

Author

Commented:
Thanks for everything. This was a weird one, but in the end I did a wri flash and started from scratch; the script now looks like this and works fine, Internet and mail now work again. Weird one.

One last question, though, if I may, and thanks by the way for all your help, you're a star...

This is the script now, please see below... I don't have OWA working now; what needs to be added...?

fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol pptp 1723                        
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
name 192.168.1.202 Exchange                          
name 135.196.176.231 Exchange_outside                                    
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.0 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.0 255.255.255.128                                                                              
access-list outside_access_in permit gre any any                                                
access-list outside_access_in permit tcp any interface outside eq smtp                                                                      
access-list outside_access_in permit tcp any interface outside eq pptp                                                                      
access-list outside_access_in permit tcp any interface outside eq 5900                                                                      
access-list outside_access_in permit tcp any eq smtp host Exchange_outside                                                                          
access-list outside_access_in permit tcp any host Exchange_outside                                                                  
access-list outgoing                    
access-list outgoing permit ip any any                                      
access-list outgoing permit icmp any any                                        
pager lines 24              
mtu outside 1500                
mtu inside 1500              
ip address outside Exchange_outside 255.255.255.224                                                  
ip address inside 192.168.1.1 255.255.255.0                                          
ip audit info action alarm reset                                
ip audit attack action alarm reset                                  
ip local pool skyevpn 192.168.1.50-192.168.1.70                                              
pdm location 213.86.132.161 255.255.255.255 outside                                                  
pdm location 213.86.132.162 255.255.255.255 outside                                                  
pdm location 192.168.1.0 255.255.255.255 inside                                              
pdm location 192.168.1.49 2                        
pdm location Exchange_outside 255.255.255.255 inside                                                    
pdm location Exchange 255.255.255.255 inside                                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
static (inside,outside) tcp Exchange_outside smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.200 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp Exchange_outside 5900 192                                                    
255.255.255 0 0              
static (inside,outside) Exchange_outside Exchange netmask 255.255.255.255 0 0                                                                            
access-group outside_access_in in interface outside                                                  
access-group outgoing in interface inside                                        
route outside 0.0.0.0 0.0.0.0 81.178.42.14 1                                            
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ deadtime 10                              
aaa-server RADIUS protocol radius                                
aaa-server RADIUS max-failed-attempts 3                                      
aaa-server RADIUS deadtime 10                            
aaa-server LOCAL protocol local                              
http server enable                  
http 192.168.1.0 255.255.255.0 inside                                    
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac                                                            
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20                                                                            
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5                                                                    
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map                                                                
crypto map outside_map interface outside                                        
isakmp enable outside                    
isakmp enable inside                    
isakmp policy 20 authentication pre-share                                        
isakmp policy 20 encryption 3des                                
isakmp policy 20 hash md5                        
isakmp policy 20 group 2                        
isakmp policy 20 lifetime 86400                              
vpngroup skye address-pool skyevpn                                  
vpngroup skye dns-server 192.168.1.49                                    
vpngroup skye idle-time 1800
vpngroup skye password ********
telnet 213.86.132.161 255.255.255.255 outside
telnet 213.86.132.162 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
vpnclient server 213.86.132.161
vpnclient mode client-mode
vpnclient vpngroup win2k password ********
terminal width 80
Cryptochecksum:c33fe327fa476226d3e9e6783b513f1d
: end

What needs to be added for OWA? When I put the OWA in before, that's when Internet access stopped working..
Systems Architect
CERTIFIED EXPERT
Top Expert 2008
Commented:

Author

Commented:
Thank you. I was on site and couldn't get Internet access, so I didn't see the other part until I had re-written the script; something must have changed, as the Internet access started working again.. but thank you... this now works fine. I'm really sorry about the above....

Thank you...:-)

One last thing, the VPN????

When you try to access the VPN we get error 721.... What part should I look at for this? Is it the VPNGROUP SKYE PASSWORD ********
or the VPNCLIENT VPNGROUP WIN2K PASSWORD ********?

Last one, I promise, and I really mean a big thank you, you're a top guy..
