• Status: Solved

Problems routing with a Cisco PIX 501e

Greetings, I hope I'm asking this in the right area. I recently bit the bullet and decided to invest in a hardware firewall for my leased dedicated server. It was set up and installed by the provider (GoDaddy) and appeared to be working just fine; RDC is working, etc.

However, none of the domains hosted on the server can be routed to. When pinging them, they all ping to 10.0.0.x IPs, which is the internal IP, since it's behind a firewall.
In the firewall configuration, the following IPs are forwarded to the following internal IPs as shown below (changed for security purposes):

60.0.0.1 to 10.0.0.1
60.0.0.2 to 10.0.0.2
60.0.0.3 to 10.0.0.3

and the dns configuration for one of the domains is shown below:

10.0.0.3 / 24 PTR domain1.org.  
ftp.domain1.org. CNAME domain1.org.  
mail.domain1.org. A 10.0.0.3  
mssql.domain1.org. A 10.0.0.3  
ns.domain1.org. A 10.0.0.3  
domain1.org. A 10.0.0.3  
domain1.org. MX (10) mail.domain1.org.  
domain1.org. NS ns.domain1.org.  
sitebuilder.domain1.org. A 10.0.0.3  
webmail.domain1.org. A 10.0.0.3  
www.domain1.org. CNAME domain1.org.

I tried setting the global DNS template in Plesk to the firewall's IP, so everything resolved to the IP of the firewall, and we were able to ping the firewall, etc., but I was still unable to route to anything beyond the firewall.

I checked the configuration in the Cisco PIX, and the correct ports are open, and the IPs are being forwarded to the correct internal IPs.

If anyone could offer some suggestions it would be greatly appreciated, because I'm in over my head, trying to learn this, and lost!

Thanks.
Asked by: arachnidservice
 
arachnidservice (Author) commented:
And when trying to route directly to 60.0.0.1 via HTTPS, it takes me to the firewall login and not the site, and at that time 60.0.0.1 should have been forwarding to 10.0.0.1.
 
jjoseph_x commented:
It sounds like an address translation problem.

Could you post the PIX configuration (show run), with any public IPs scrubbed, so that we can see exactly what's going on?
 
arachnidservice (Author) commented:
Result of firewall command: "show run"
 
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100


hostname pixfirewall
domain-name obscured
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ssh
access-list outside_access_in permit tcp any any eq 42
access-list outside_access_in permit udp any any eq nameserver
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq 465
access-list outside_access_in permit tcp any any eq 587
access-list outside_access_in permit tcp any any eq 995
access-list outside_access_in permit tcp any any eq 993
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 8443
access-list outside_access_in permit tcp any any eq 9999
access-list outside_access_in deny tcp any any eq telnet
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in deny tcp any any eq imap4
access-list outside_access_in deny tcp any any eq 1433
access-list outside_access_in deny tcp any any eq 3306
access-list outside_access_in deny tcp any any eq 9080
access-list outside_access_in deny tcp any any eq 9090
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 60.0.0.55 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.1 255.255.255.255 inside
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 10.0.0.3 255.255.255.255 inside
pdm location 60.0.0.1 255.255.255.255 outside
pdm location 60.0.0.2 255.255.255.255 outside
pdm location 60.0.0.3 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
static (outside,inside) 10.0.0.1 60.0.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.2 60.0.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.2 10.0.0.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.3 60.0.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.3 10.0.0.3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 60.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access outside
console timeout 0

terminal width 80


: end
arachnidservice (Author) commented:
Okay, I changed the DNS configuration in Plesk for the domains themselves, and after a little bit of time it started working, but not completely.
When I go to https://www.domain2.com it takes me to domain1,
but when I go to http://www.domain2.com it takes me to the right area.

See, the way it is, I have 6 domains:
1 domain is on a dedicated IP, 60.0.0.1
2 are on a shared IP, 60.0.0.2
3 are on another shared IP, 60.0.0.3

When I go to https://www.domain3.com it takes me to domain2,
so I figured a DNS entry was backward, so I checked it, and they are correct.
So, while it is working, I still don't think I have it configured correctly.
 
arachnidservice (Author) commented:
Okay, I checked the DNS for the domain that IS working, and what I did on that one was remove the internal IP for the domain and add the external IP, 60.0.0.1, instead of 10.0.0.1, and it worked. Shouldn't the firewall be forwarding this so I can use the internal IP?
 
jjoseph_x commented:
There's a little problem with your config that might be causing the problem you're experiencing:

You don't need both the static (outside,inside) and the (inside,outside) entries. Instead of:

static (outside,inside) 10.0.0.1 60.0.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.2 60.0.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.2 10.0.0.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.3 60.0.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.3 10.0.0.3 netmask 255.255.255.255 0 0

you only need to do:

static (inside,outside) 60.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.2 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.3 10.0.0.3 netmask 255.255.255.255 0 0

The static NAT mappings are reciprocal (if you map an outside address to an inside address, the inside address is equally mapped to the outside address).
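As an added example (my own code, not from the thread, from Cisco or from GoDaddy), here is a small Python audit that applies jjoseph_x's point to the posted PIX 6.3 configuration: it parses every `static` line, keeps the (inside,outside) entries as the public-to-private NAT table, and reports each (outside,inside) line that is only the mirror image of an (inside,outside) line. Since it is reading the same config, it also flags the management lines a reviewer would not leave as posted: `http 0.0.0.0 0.0.0.0 outside` and `ssh 0.0.0.0 0.0.0.0 outside` permit PDM (HTTPS) and SSH sessions to the firewall from any source address on the outside interface, and `snmp-server community public` keeps the default community string. The config text is constructed inline from the lines posted above; the function names are mine.

```python
import re
from ipaddress import ip_network

# Constructed sample: the static NAT and management lines copied from the
# PIX 6.3 "show run" posted earlier in the thread.
SAMPLE_CONFIG = """\
static (outside,inside) 10.0.0.1 60.0.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.2 60.0.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.2 10.0.0.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.3 60.0.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.3 10.0.0.3 netmask 255.255.255.255 0 0
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
"""

# PIX 6.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\d+(?:\.\d+){3}) (?P<real>\d+(?:\.\d+){3}) netmask (?P<mask>\S+)"
)
# http/ssh/telnet <ip> <mask> <interface>: hosts allowed to open management sessions
MGMT_RE = re.compile(
    r"^(?P<proto>http|ssh|telnet) (?P<ip>\d+(?:\.\d+){3}) (?P<mask>\d+(?:\.\d+){3}) (?P<ifc>\w+)$"
)


def parse_statics(config):
    """Return one dict per static line with its interfaces and addresses (as strings)."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append(m.groupdict())
    return statics


def nat_map(statics):
    """Public -> private address table built from the (inside,outside) statics only."""
    return {s["mapped"]: s["real"] for s in statics
            if s["real_if"] == "inside" and s["mapped_if"] == "outside"}


def mirrored_statics(statics):
    """(outside,inside) statics that restate an (inside,outside) static with the
    interfaces and addresses swapped; static NAT is already bidirectional,
    so these add nothing."""
    keys = {(s["real_if"], s["mapped_if"], s["mapped"], s["real"]) for s in statics}
    return [s for s in statics
            if s["real_if"] == "outside" and s["mapped_if"] == "inside"
            and ("inside", "outside", s["real"], s["mapped"]) in keys]


def management_findings(config, untrusted_if="outside"):
    """Lines that open firewall management to any source on the untrusted
    interface, or that keep the default SNMP community string."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if m and m["ifc"] == untrusted_if:
            allowed = ip_network(f"{m['ip']}/{m['mask']}", strict=False)
            if allowed.prefixlen == 0:  # "0.0.0.0 0.0.0.0" means any source address
                findings.append(f"{m['proto']} management open to any source on {untrusted_if}: {line}")
        if line == "snmp-server community public":
            findings.append(f"default SNMP community string: {line}")
    return findings


def audit(config):
    """Bundle the three checks into one report."""
    statics = parse_statics(config)
    return {
        "nat": nat_map(statics),
        "redundant": [f"static ({s['real_if']},{s['mapped_if']}) {s['mapped']} {s['real']}"
                      for s in mirrored_statics(statics)],
        "management": management_findings(config),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("== public -> private NAT table")
    for pub, priv in report["nat"].items():
        print(f"  {pub} -> {priv}")
    print("== redundant mirrored statics")
    for item in report["redundant"]:
        print("  " + item)
    print("== management exposure")
    for item in report["management"]:
        print("  " + item)
```

Run against the posted config it lists the three public-to-private pairs, the three (outside,inside) lines as redundant, and three management findings; narrowing `http`/`ssh` on the outside interface to a specific administrative source network (or removing those lines) and changing the SNMP community would make the last list empty.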
 
arachnidservice (Author) commented:
Okay, from what I've been seeing on the Plesk forum, with similar issues, the advice was to set it up so both the internal and external IP are in the domain's IP pool, then when adding the domain, set it to the internal one, then default it to the external. They said it would tell the web server to use the internal IP, and the name server, email, etc. to use the external. OMG, this is confusing the hell out of me.

The static routes, aren't those needed for reverse lookup? A bit hesitant to remove them since it was GoDaddy that configured it to start with.
 
arachnidservice (Author) commented:
OK, I redid one of the domains, and it's resolving to an IP... but not the right one. I have it set to an external IP, 60.0.0.2; when I nslookup that domain, it gives me the IP of the firewall, and not the actual external IP! *starts pulling hair out of his scalp* This is much more frustrating than I imagined.
 
arachnidservice (Author) commented:
Okay, I talked to our host provider and was basically told they don't support their dedicated servers, it's up to the customer *sigh*, but they gave me some suggestions, which basically did not work.
They suggested I reconfigure Plesk to the internal IPs, which it already was, but I did it again just to be sure; I set the domain to the 10.0.0.1 IP.
Now the NAT in the firewall should point 60.0.0.1 to 10.0.0.1, right?
Well, it does not.
When trying to ping the domain, it returns 10.0.0.1?! And no response!
The name server, which is on the same domain and has the same IP, is telling its fellow DNS servers that its IP is 10.0.0.1... which it should, since the provider said to set it to 10.0.0.1!!! Argh!

I'm lost, confused, and out of ideas; E-E is my last hope :(
 
arachnidservice (Author) commented:
Could this just be a simple nameserver issue? Shouldn't ns.domain1.com reflect the outside IP and not the internal one?
 
jjoseph_x commented:
Yes, it could be a nameserver issue (all this time I thought that you were accessing the server by IP address). Verify that the IP portion is okay by just accessing the web servers (or whatever servers) by their IP addresses (e.g. http://xx.xx.xx.xx). If that looks okay, then the next step is to verify the DNS.

You can use the nslookup command and just enter the fully qualified domain name of the machine in question, and nslookup will do a DNS query and return its IP address. If the IP is wrong, then you've got to fix the DNS.

The address that is returned shouldn't be the 10.0.0.x address (if it's literally a 10.0.0.x address, it's a private IP that doesn't exist in Internet space); it should return the 60.0.0.x address (the public IP of the server).
 
jjoseph_x commented:
Actually, if your DNS config that you posted above is correct, it would seem that you are using the private IP of the server in your DNS.
 
arachnidservice (Author) commented:
As I was told to by GoDaddy and plesk.com; they said to point the domain to the internal IP of 10.0.0.1, which the firewall would translate to 60.0.0.1, but I don't think they realised that my nameserver is on the same box as the domains themselves (I only have one server for everything).
 
arachnidservice (Author) commented:
This is the suggestion from another site:

There is no outbound ACL applied, which is usually necessary for requests beginning from your server:

access-list 101 permit ip any any
access-group 101 in interface inside

Your primary DNS should be set up to point to public IPs. If I try to get to your site and you say go to 10.0.0.1, it's not going to leave my private network.

Next, your static statements should all be

static (inside) (outside) outsideip insideip
All the extras that are backwards were never needed. When adding the statics, you just need to type in "static outsideip insideip"; on a small-chassis PIX like yours the PIX will know to set the inside and outside for you.

When changing statics they are not effective until you do a clear xlate, which will kick you off and make you reconnect.

Once you have done that, use "sh conn" to check out the connections to make sure they are getting through correctly. And set up logging:

logging on
logging buffered notify 16384

will take care of that.

Last and final thing to do to sometimes resolve application issues is to set up your public IPs on your server as additional IP addresses.

Cheers!
Good Luck!!

----------------------------------------


Same thing you suggested, except for the first 2 commands.

I'm fixing the static routes now, but down to DNS: when people say primary DNS....
In Plesk there are 2 DNS settings. There's the server's DNS template, which is applied to all domains added.
Right now the DNS template is pointing to the firewall, so when someone adds an account, it points everything in DNS to 60.0.0.215 (firewall).
GoDaddy told me this was wrong, yet these are the instructions in their FAQ.... *mutters* The server's IP itself is 60.0.0.1 (it has 3 IPs; one is exclusive to a single domain, which is also the NS). Should the IP be pointing to the nameserver itself? If so, what if I wanted to add a customer with their own IP?

Argh! I need to buy a book on DNS management.
 
jjoseph_x commented:
Don't change your access-lists, they're fine as they are. Your statics are also fine.

Maybe a little network diagram would help to see where your servers are in relation to the Internet and in relation to the DNS servers.

ex:

client <----> internet <----> DNS <----> PIX <----> your servers

The client needs to be able to locate your servers by their IP address (their public IP). Your public DNS has to have your public IP address for that to happen... then when they try to connect to that public IP address, the firewall will translate it to the private IP.
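To make jjoseph_x's diagram concrete, here is an added example (my own code, not from the thread or from Plesk) that reads a Plesk-style DNS record dump like the ones posted in this thread and reports every name that a client on the Internet could not reach: A records, and the names that CNAME to them, that end at an RFC 1918 address; PTR records for private addresses; and A records whose public address has no static NAT entry on the PIX (the author's case of a name resolving to the firewall's own address rather than to a mapped one). The two zone dumps are constructed from the records posted for domain1, the NAT table is taken from the (inside,outside) statics in the posted config, and the `test.domain1.com` record pointing at the firewall's outside address 60.0.0.55 is a hypothetical line added only to exercise that last check.

```python
from ipaddress import ip_address

# Public -> private table from the (inside,outside) statics in the posted PIX config.
NAT_MAP = {"60.0.0.1": "10.0.0.1", "60.0.0.2": "10.0.0.2", "60.0.0.3": "10.0.0.3"}

# Constructed sample: domain1's records as first posted (private addresses).
PRIVATE_ZONE = """\
10.0.0.3 / 24 PTR domain1.org.
ftp.domain1.org. CNAME domain1.org.
mail.domain1.org. A 10.0.0.3
mssql.domain1.org. A 10.0.0.3
ns.domain1.org. A 10.0.0.3
domain1.org. A 10.0.0.3
domain1.org. MX (10) mail.domain1.org.
domain1.org. NS ns.domain1.org.
sitebuilder.domain1.org. A 10.0.0.3
webmail.domain1.org. A 10.0.0.3
www.domain1.org. CNAME domain1.org.
"""

# Constructed sample: the corrected zone posted later in the thread, plus one
# hypothetical record (test.domain1.com) pointing at the firewall's outside
# address 60.0.0.55, which has no static mapping.
PUBLIC_ZONE = """\
60.0.0.1 / 24 PTR domain1.com.
domain1.com. A 60.0.0.1
domain1.com. MX (10) mail.domain1.com.
domain1.com. NS ns.domain1.com.
ftp.domain1.com. CNAME domain1.com.
mail.domain1.com. A 60.0.0.1
ns.domain1.com. A 60.0.0.1
www.domain1.com. CNAME domain1.com.
test.domain1.com. A 60.0.0.55
"""


def parse_records(text):
    """Parse 'name TYPE value' lines from a Plesk DNS dump into (type, name, value).
    PTR lines are written as 'ip / prefix PTR name'; MX lines carry a '(prio)' field."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) >= 5 and parts[1] == "/" and parts[3] == "PTR":
            records.append(("PTR", parts[0], parts[4]))
        elif parts[1] == "MX":
            records.append(("MX", parts[0], parts[3]))
        else:
            records.append((parts[1], parts[0], parts[2]))
    return records


def resolve(records, name, max_hops=8):
    """Follow CNAMEs from name to the A record a client would end up using.
    Returns None when there is no A record or the CNAME chain loops."""
    for _ in range(max_hops):
        for rtype, rname, value in records:
            if rname == name and rtype == "A":
                return value
        targets = [v for t, n, v in records if n == name and t == "CNAME"]
        if not targets:
            return None
        name = targets[0]
    return None


def check_zone(records, nat_map):
    """One finding per name (or PTR) that an Internet client could not use."""
    findings = []
    names = sorted({n for t, n, _ in records if t in ("A", "CNAME")})
    for name in names:
        addr = resolve(records, name)
        if addr is None:
            findings.append(f"{name}: no A record reachable through its CNAME chain")
        elif ip_address(addr).is_private:
            findings.append(f"{name} -> {addr}: private address, unreachable from the Internet")
        elif addr not in nat_map:
            findings.append(f"{name} -> {addr}: no static NAT entry for this public address")
    for rtype, ip, target in records:
        if rtype == "PTR" and ip_address(ip).is_private:
            findings.append(f"PTR {ip} -> {target}: reverse record for a private address")
    return findings


if __name__ == "__main__":
    for label, zone in (("as first posted", PRIVATE_ZONE), ("corrected", PUBLIC_ZONE)):
        print(f"== {label}")
        for finding in check_zone(parse_records(zone), NAT_MAP) or ["no findings"]:
            print("  " + finding)
```

On the first zone every name ends at 10.0.0.3, so all eight hostnames and the PTR are reported; on the corrected zone only the hypothetical `test.domain1.com` record is reported, because 60.0.0.55 is the firewall's own address and not one of the three statically mapped public addresses.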
 
arachnidservice (Author) commented:
Mmm, I don't have a public DNS server...

My server has the DNS server on it.

The domain registrar has ns1.domain1.com/ns2.domain1.com, which is set to a public IP.

I changed my DNS settings for domain1 to the following:

60.0.0.1 / 24 PTR domain1.com.
domain1.com. A 60.0.0.1
domain1.com. MX (10) mail.domain1.com.
domain1.com. NS ns.domain1.com.
ftp.domain1.com. CNAME domain1.com.
mail.domain1.com. A 60.0.0.1
mssql.domain1.com. A 60.0.0.1
ns.domain1.com. A 60.0.0.1
sitebuilder.domain1.com. A 60.0.0.1
webmail.domain1.com. A 60.0.0.1
www.domain1.com. CNAME domain1.com.

and domain1 now resolves to a public IP, which is great, but the connection is timing out whenever I try to connect to it via ping or Firefox.
 
jjoseph_x commented:
Okay, I see.

For your local DNS server you can use the private 10.0.0.x IP addresses (that part is fine). The registrar has the public IPs, which is also fine. Can you ping the default gateway of the PIX (60.0.0.254)?

From any of the servers, can you access the Internet? Go to someplace like whatismyip.com (server 10.0.0.1 should have a public IP of 60.0.0.1). That'll tell you if the translation is working.
 
arachnidservice (Author) commented:
Got it! Woot! Yay! Thanks jjoseph!
 
jjoseph_x commented:
No problemo. I was glad to help.
