• Status: Solved

Static access thru PIX problem

I am having a very hard time getting our mail server working thru our new PIX.

The server can access the internet fine until I add the following commands to the config below.
Then I cannot get to the web at all.
The default gateway of the server is 10.0.0.243

access-list fromoutside permit tcp any host 111.222.333.62 eq smtp
access-list fromoutside permit tcp any host 111.222.333.62 eq https
access-list fromoutside permit tcp any host 111.222.333.62 eq www
access-list fromoutside permit tcp any host 111.222.333.62 eq 81
access-group fromoutside in interface outside
static (inside,outside) 111.222.333.62 10.0.0.14 netmask 255.255.255.255 0 0

Any suggestions?

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1111111 encrypted
passwd 11111111 encrypted
hostname pixfirewall
domain-name mypix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list mypix_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.7.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.7.0 255.255.255.224
pager lines 24
logging on
logging console emergencies
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.50 255.255.255.240
ip address inside 10.0.0.243 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.7.2-192.168.7.22
pdm location 10.0.0.242 255.255.255.255 inside
pdm location 192.168.7.0 255.255.255.224 outside
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 111.222.333.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.242 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mypix address-pool VPN
vpngroup mypix dns-server 10.0.0.7 10.0.0.3
vpngroup mypix wins-server 10.0.0.7
vpngroup mypix default-domain mypix
vpngroup mypix split-tunnel mypix_splitTunnelAcl
vpngroup mypix idle-time 1800
vpngroup mypix password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end
Asked by FPCS

2 Solutions

Cyclops3590 Commented:
Did you run a
clear xlate
after you made those changes?

Also, can you telnet from outside to one of the ports you specified, to check whether that traffic would at least work?

Cyclops3590 Commented:
Also, I would upgrade to 6.3(5) if I were you.

lrmoore Commented:
I thought we already had you fixed:
http://www.experts-exchange.com/Hardware/Routers/Q_21833182.html#16577470

Agree with Cyclops. Your version 6.3(1) is a very buggy version. There is one known bug where sometimes you have to hard reboot the PIX to get the static to stick.
Highly suggest upgrading to the latest, 6.3(5).

FPCS (Author) Commented:
What about version 7? I have memory on the way to allow me to upgrade to it.

Do you recommend it?

Cyclops3590 Commented:
Personally I like it, but I haven't done too much with 6.3 PIX before. I recently started, so I have more experience with 7 (although still little).

However, if I were you I would go to 6.3(5) for now; going to 7 changes how some stuff is done, e.g. vpngroup is deprecated.
Stick with 6.3(5) for now until the problem is fixed, then look at 7. At least that's what I'd do.

lrmoore Commented:
Which model of PIX is this?
I agree with Cyclops on this one. Let's get you working on 6.3 and then upgrade to 7.0 if you can and if you need to.
It is a completely different animal with a new GUI and a very different way to do VPNs, but the statics are still the same and the ACLs are still the same.


FPCS (Author) Commented:
OK, management was pushing me to do it, so I upgraded to version 7 (they want the ASDM even though they won't ever use it).

Everything that was working is still working.

When I add the static for the mail server, the mail server loses all connectivity with the web in and out.

This time the pix gave me this error when I entered the command.

Global address overlaps with NAT exempt configuration

Any recommendations on this one?

Thanks

lrmoore Commented:

>Global address overlaps with NAT exempt configuration

Now that you've updated, can you re-post your complete running config?
There are some new NAT exemption features in 7.0.

FPCS (Author) Commented:
: Saved
: Written by enable_15 at 03:28:07.880 CDT Wed May 3 2006
!
PIX Version 7.1(2)
!
hostname pixfirewall
domain-name PixFirewall
enable password  encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 11.222.333.50 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.243 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/image.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name hiltoninc
same-security-traffic permit intra-interface
access-list PixFirewall_splitTunnelAcl extended permit ip 10.0.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.7.0 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip any 192.168.7.0 255.255.255.224
access-list PixFirewall_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging console emergencies
logging asdm errors
mtu outside 1500
mtu inside 1500
ip local pool VPN 192.168.7.2-192.168.7.22
asdm image flash:/asdm-512.bin
asdm location 10.0.0.242 255.255.255.255 inside
asdm location 192.168.7.0 255.255.255.224 outside
asdm location 10.0.0.0 255.0.0.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 11.222.333.49 1
route inside 10.174.14.0 255.255.255.0 10.0.0.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy PixFirewall internal
group-policy PixFirewall attributes
 wins-server value 10.0.0.7
 dns-server value 10.0.0.7 10.0.0.3
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PixFirewall_splitTunnelAcl
 default-domain value PixFirewall
group-policy PixFirewall internal
group-policy PixFirewall attributes
 wins-server value 10.0.0.7
 dns-server value 10.0.0.7 10.0.0.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PixFirewall_splitTunnelAcl
 default-domain value PixFirewall
http server enable
http 10.0.0.242 255.255.255.255 inside
http 10.0.0.103 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) none
tunnel-group PixFirewall type ipsec-ra
tunnel-group PixFirewall general-attributes
 address-pool VPN
 default-group-policy PixFirewall
tunnel-group PixFirewall ipsec-attributes
 pre-shared-key hilton445866
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end

lrmoore Commented:
>same-security-traffic permit intra-interface
Remove this, then you should be able to add a static for the mail server, as long as you are using a different IP address from the interface IP.
Have you verified with your ISP that you can use more than one IP within the same subnet of the outside interface? What is your outside connection? Cable, DSL, T1? If it's a T1, do you control that router?
If it is cable, verify with your ISP that nobody else is using the .62 IP that you are trying to map to your server. If it is cable, verify with your ISP that they don't block SMTP traffic. Most do.
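As an added example (my own code, written for this thread; it is not from the posters or from Cisco), here is a small Python linter that reads the NAT-related lines of a PIX 6.x/7.x config and reports the overlaps discussed above: a static whose global address reuses the outside interface IP, a global address that is not inside the outside interface subnet, and a global address that the nat 0 (NAT-exempt) access-list also matches. The last check rests on my reading of the "Global address overlaps with NAT exempt configuration" message: NAT exemption applies in both directions, so an exempt ACL whose inside side is `any` also matches every global address a static creates, which is why narrowing that ACL to the real inside network clears it. The 203.0.113.x addresses are documentation placeholders standing in for the masked 111.222.333.x values in the posts.

```python
"""Constructed PIX config linter: flags static-vs-NAT overlaps (added example)."""
import ipaddress
import re

# Constructed excerpt modelled on the posted config, with documentation
# addresses (203.0.113.x) in place of the masked public IPs. The second
# static deliberately reuses the outside interface address.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.50 255.255.255.240
ip address inside 10.0.0.243 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.7.0 255.255.255.224
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.62 10.0.0.14 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.50 10.0.0.15 netmask 255.255.255.255 0 0
"""

# Same layout with the NAT-exempt ACL narrowed to the real inside network
# and the interface-reusing static removed (assumed fix, not from the thread).
FIXED_CONFIG = """\
ip address outside 203.0.113.50 255.255.255.240
ip address inside 10.0.0.243 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.255.255.0 192.168.7.0 255.255.255.224
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.62 10.0.0.14 netmask 255.255.255.255
"""


def _parse_addr(tokens):
    """Consume one ACL address spec (any | host X | X MASK) from a token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Extract interface addresses, 'permit ip' ACL entries, nat 0 bindings and statics."""
    ifaces, acls, nat0, statics = {}, {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (.+)$", line):
            toks = m[2].split()
            src = _parse_addr(toks)
            dst = _parse_addr(toks)
            acls.setdefault(m[1], []).append((src, dst))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m[1]] = m[2]  # interface -> NAT-exempt ACL name
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?", line):
            mask = m[5] or "255.255.255.255"
            statics.append({
                "real_if": m[1], "mapped_if": m[2],
                "mapped": ipaddress.ip_network(f"{m[3]}/{mask}", strict=False),
                "real": ipaddress.ip_network(f"{m[4]}/{mask}", strict=False),
            })
    return ifaces, acls, nat0, statics


def find_overlaps(text):
    """Return human-readable findings for each static that collides with the NAT setup."""
    ifaces, acls, nat0, statics = parse_config(text)
    findings = []
    for s in statics:
        mapped, out_if = s["mapped"], ifaces.get(s["mapped_if"])
        if out_if and out_if.ip in mapped:
            findings.append(f"static {mapped} reuses the {s['mapped_if']} interface address {out_if.ip}")
        if out_if and not mapped.subnet_of(out_if.network):
            findings.append(f"static {mapped} is outside the {s['mapped_if']} subnet {out_if.network}; "
                            "the ISP must route it to you")
        # NAT exemption is bidirectional, so the ACL's inside-side (source)
        # network is also compared against the static's global address.
        for src, _dst in acls.get(nat0.get(s["real_if"], ""), []):
            if mapped.subnet_of(src):
                findings.append(f"global address {mapped} overlaps NAT-exempt source {src} "
                                f"(nat ({s['real_if']}) 0 access-list)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in find_overlaps(cfg) or ["no overlaps found"]:
            print("  ", finding)
```

Running it prints three findings for the constructed "posted" excerpt (the `any` source in the exempt ACL overlaps both globals, and the second static reuses the interface IP) and none for the narrowed version.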

Cyclops3590 Commented:
Try removing this line:
nat-control

I don't have it in my config, and from the little I know about it I am not positive it's really needed for you.

FPCS (Author) Commented:
I have made both changes and still no luck; this is weird.

It works fine on the PIX 501 I have, but will not work on the 515.

Cyclops3590 Commented:
You did run
clear xlate
after you added the static entry, right?

lrmoore Commented:
>try removing this line
nat-control

Actually, you need to keep that line in with ver 7.x.
"no nat-control" is the "new and improved" way of disabling the requirement that you NAT between interfaces.


Cyclops3590 Commented:
lrmoore, since he's only dealing with an inside and an outside interface, all traffic should be NAT'd anyway, shouldn't it (except VPN, of course)? So this command is really unnecessary in his situation, isn't it? Of course you know far more about Cisco firewalls than I do, so I'm probably wrong.

FPCS (Author) Commented:
That issue is fixed; I am waiting till the end of the day to work on this issue some more.

Thanks

Cyclops3590 Commented:
Got it.