Solved

PIX 506 configuration

Posted on 2006-06-16
525 Views
Last Modified: 2013-11-16
I have a Cisco PIX 506e and a VPN through a leased line to a remote site in another company. The problem is that the firewall of the other party is not allowing any traffic coming from real IPs; I want to make all traffic to this site, 10.134.35.59, go through the internal network only (inside of the PIX).

I had this working with the router only and an ISA2000 server: the ISA was routing to the router, the router was routing to the other end's router, and that then routed to the firewall on the other side.

Since the PIX is installed between the router and my network, I am not able to connect. When I enable debugging, it shows that the traffic is passed through the outside (real IP) of the PIX, which is blocked by the firewall on the other side.

Any help?
I hope it is clear.

My IP is 10.157.14.0, the other side's IP is 10.157.13.0, and the routers have .1.
Previously the configuration was as follows:
ISA routes requests to 10.134.35.59 to the router 10.157.14.1 using its local interface,
Router1 (10.157.14.1) routes to the other router, using the VPN,
Router2 (10.157.13.1) routes to the firewall (10.157.13.2),
the firewall allows routing to 10.134.35.59 only if the traffic is coming from the 10.157.14.0 network.

Thanks.
0
Question by:Ehab Salem
21 Comments
 
LVL 5

Expert Comment

by:renill
What are your firewall's outside/inside IPs and the other side's outside IP, and
do you have any NATting on your side?

Please post the configs of the router and the PIX.

renill
0
 
LVL 51

Expert Comment

by:Keith Alabaster
hehehe Sounds like we are on the same wavelength.

Have you placed a NAT (inside) 0 statement in the PIX?
Did you run the vpn wizard?
0
 
LVL 14

Author Comment

by:Ehab Salem
There is a NAT (inside) 0.

I don't know how to run the VPN wizard; can you give more guidance?
0
 
LVL 14

Author Comment

by:Ehab Salem
PIX Configuration:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aRfsdeffnl2R5 encrypted
passwd 2KFasds.2KYKU encrypted
hostname NVOC.GGUARD
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host (realIP1) eq smtp
access-list 101 permit tcp any host (realIP1) eq www
access-list 101 permit ip host 10.2.133.50 any
access-list 101 permit ip 10.134.35.0 255    ---------------> This is the IP I am having trouble with
access-list 101 permit tcp any host (realIP3) eq www
access-list 101 permit ip 10.157.13.0 255.255.255.0 any
access-list 101 permit udp any any eq 4500
access-list 101 permit esp any any
access-list 101 permit udp any any eq 1701
access-list 101 permit ah any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 102 deny tcp any any eq 2745
access-list 102 deny tcp any any eq 4751
access-list 102 deny tcp any any eq 6667
access-list 102 permit ip any any
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside (realIP4) 255.255.255.224
ip address inside 10.157.14.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 0.0.0.0 inside
pdm location (realPDM) 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 1 (realIP5)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) (realIP1) 10.157.14.55 netmask 255.255.255.255 0 0
static (inside,outside) (realIP6) 10.157.14.54 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 (routerRealIP) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:0
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http (realIP6) 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet 10.157.14.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
0
 
LVL 51

Expert Comment

by:Keith Alabaster
global (outside) 1 (realIP5)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

That is the only NAT statement I can see, and it tells the PIX to use realIP5 for all traffic leaving through the external interface.

I use the PDM for the VPN connection

https://inside ip_of_pix
0
 
LVL 14

Author Comment

by:Ehab Salem
PDM at https://inside is not working. How do I tell whether it is installed or not?

What lines should I add to make traffic to 10.134.35.59 go thru 10.157.14.0 network to the router 10.157.14.1?
0
 
LVL 14

Author Comment

by:Ehab Salem
OK, now I am able to run the PDM.
I will check the VPN wizard.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Excellent. I assume you had to add the http server?
0
 
LVL 14

Author Comment

by:Ehab Salem
I added http 10.157.14.0 255.255.255.0 inside

Now what is next? I got into the VPN wizard, but I don't have any access to the remote site at all. I want to force the traffic to 10.134.35.59 to the inside interface.

I had this problem before when the gateway was a Windows server with ISA; I just added a static route on the inside interface to route traffic to the inside of the router and it worked fine. Why is this a problem in the PIX?
0
 
LVL 14

Author Comment

by:Ehab Salem
When I add

route inside 10.134.35.59 255.255.255.255 10.157.14.1

I get in the log:
110001: No route to 10.134.35.59 from 10.157.14.61 (61 is my IP address)
0
 
LVL 11

Expert Comment

by:prueconsulting
Post your configuration as it stands now.

It sounds like you do not have the proper ACLs and nat 0 statement in place to point the traffic up the tunnel / down the tunnel.

Also on the other end is traffic being routed properly across the tunnel?
0
 
LVL 14

Author Comment

by:Ehab Salem
The problem was solved by adding these two lines:

access-list inside_outbound permit ip 10.157.14.0 255.255.255.0 host 10.134.35.59
nat (inside) 0 access-list inside_outbound

This disables NATing for this address and the original IP is kept.

Thanks for all your help.
0
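To show why the two lines above change what the remote firewall sees, here is an added example (not from the thread) that models the PIX 6.3 NAT decision for the posted config: the nat (inside) 0 access-list is consulted before the nat (inside) 1 / global (outside) 1 pair, so matching traffic keeps its inside address. The public address 203.0.113.5 is a placeholder for (realIP5); the static statements are left out.

```python
import ipaddress

# Constructed model of the relevant lines of the posted PIX 6.3 config.
ROUTES = [("0.0.0.0/0", "outside")]          # route outside 0.0.0.0 0.0.0.0 (routerRealIP)
GLOBAL_OUTSIDE_1 = "203.0.113.5"             # global (outside) 1 (realIP5), placeholder address
NAT_INSIDE_1 = "0.0.0.0/0"                   # nat (inside) 1 0.0.0.0 0.0.0.0
# access-list inside_outbound permit ip 10.157.14.0 255.255.255.0 host 10.134.35.59
NAT0_ACL = [("10.157.14.0/24", "10.134.35.59/32")]

# Remote-side rule quoted in the question: 10.134.35.59 accepts only sources in 10.157.14.0/24.
REMOTE_HOST = ipaddress.ip_address("10.134.35.59")
REMOTE_ALLOWED_SRC = ipaddress.ip_network("10.157.14.0/24")


def egress_interface(dst):
    """Longest-prefix match over the (tiny) routing table; None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net).prefixlen, iface)
               for net, iface in ROUTES if dst in ipaddress.ip_network(net)]
    return max(matches)[1] if matches else None


def translated_source(src, dst, nat0_enabled):
    """Source address the outside peer sees after the PIX applies NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if nat0_enabled:
        # NAT exemption is evaluated first: a hit keeps the original inside address.
        for src_net, dst_net in NAT0_ACL:
            if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
                return str(src)
    # Otherwise the catch-all nat (inside) 1 policy PATs to the global pool address.
    if src in ipaddress.ip_network(NAT_INSIDE_1):
        return GLOBAL_OUTSIDE_1
    return str(src)


def remote_firewall_accepts(src_seen, dst):
    return (ipaddress.ip_address(dst) == REMOTE_HOST
            and ipaddress.ip_address(src_seen) in REMOTE_ALLOWED_SRC)


def check(src, dst, nat0_enabled):
    """Return (egress interface, source seen by the peer, accepted by the remote firewall)."""
    seen = translated_source(src, dst, nat0_enabled)
    return egress_interface(dst), seen, remote_firewall_accepts(seen, dst)


if __name__ == "__main__":
    for nat0 in (False, True):
        print("nat (inside) 0 present:", nat0, "->", check("10.157.14.61", "10.134.35.59", nat0))
```

Without the exemption the peer sees the placeholder public address and drops the flow; with it the host's own 10.157.14.x address reaches the remote firewall, while traffic to any other outside destination still goes through the global pool.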
 
LVL 51

Expert Comment

by:Keith Alabaster
As above :)

<< Have you placed a NAT (inside) 0 statement in the PIX? >>

but never mind :)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
I'm not fussed ghost.  Paq - refund is fine :)
0
 
LVL 14

Author Comment

by:Ehab Salem
I am still having a problem.
Although I can ping and tracert the destination 10.134.35.59, I cannot telnet to it on either port 23 (normal telnet) or port 25 (SMTP). I need to telnet to 23 and 25.

So the question is still open.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
From what?
0
 
LVL 14

Author Comment

by:Ehab Salem
from my IP 10.157.14.0 255.255.255.0
0
 
LVL 14

Author Comment

by:Ehab Salem
I think it is a routing problem and not a firewall issue. The traffic coming from 10.134.35.59 cannot find its way to 10.157.14.62.

I am getting this in the PIX log when there is no NAT (inside) 0 command:
- Built outbound TCP connection 19 for outside:10.134.35.59/23 (10.134.35.59/23) to inside:10.157.14.62/3747 x.x.x.x (PIX realIP)/1026)
- Teardown TCP connection 19 for outside:10.134.35.59/23 to inside:10.157.14.62/3747 duration 0:00:05 bytes 1223 TCP FINs

When I put in the NAT 0 line, I get only the first line, i.e.
- Built outbound TCP connection 19 for outside:10.134.35.59/23 (10.134.35.59/23) to inside:10.157.14.62/3747 x.x.x.x (PIX realIP)/1026)

But I still cannot figure it out.
0
 
LVL 1

Accepted Solution

by:
GhostMod earned 0 total points
Closed, 500 points refunded.

GhostMod
Community Support Moderator
0
