Bob Sampson asked:

Cisco Pix 525 Firewall Configuration Problems

Hi all,

I have a Cisco PIX 525 firewall with a config on it that is giving me lots of problems. Simple scenario:
1 external network card (IP 62.253.220.1 255.255.255.192).
2 internal network cards on different subnets (10.0.0.5/24 and 10.0.2.1/24).
All outbound traffic from both subnets needs to be allowed (and is actually working fine: all outbound traffic is going out through the router with no problems, web, mail, RDP etc.).
There are 59 available public-facing IPs on the external card, some of which have servers behind them on each of the subnets.
These servers have limited port access from the outside world, i.e. inbound ports 3389, 80, 443, 25 commonly and a number of other random ports.
Currently NO inbound traffic is working on any of the ports on any of the IPs. I need this up and working ASAP. Here is the configuration:

**************************************************************
PIX Version 7.0(4)
!
hostname LUPIXFW-01
domain-name luton.watford
enable password yyB04azV5FZ8k/yT encrypted
names
!
interface Ethernet0
 description External Interface - gateway at 62.253.220.60
 nameif External
 security-level 0
 ip address 62.253.220.1 255.255.255.192
!
interface Ethernet1
 description Interface for 10.0.0.0/24 subnet
 nameif Intsub1
 security-level 100
 ip address 10.0.0.5 255.255.255.0
!
interface Ethernet2
 description Interface for 10.0.2.0/24 subnet
 nameif Intsub2
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0
 description Temporarily Disabled
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup External
dns domain-lookup Intsub1
dns domain-lookup Intsub2
dns name-server 10.0.0.1
dns name-server 10.0.0.12
dns name-server 10.0.0.3
dns name-server 194.168.4.100
dns name-server 194.168.8.100
same-security-traffic permit inter-interface
object-group service NeilCrowtherTCP tcp
 description Neil Crowther's Inbound TCP Ports
 port-object eq 4662
 port-object eq 4711
 port-object eq 4661
 port-object eq 29900
 port-object eq 27015
 port-object eq 55125
 port-object eq 39582
 port-object eq 55124
 port-object eq 55123
 port-object eq 3389
 port-object eq 16567
object-group service NeilCrowtherUDP udp
 description Neil Crowther's Inbound UDP Ports
 port-object eq 4665
 port-object eq 39582
 port-object eq 4672
 port-object eq 1200
 port-object eq 27015
object-group service WebServersTCP tcp
 description Web Servers (62.253.220.14)
 port-object eq 2803
 port-object eq 8232
 port-object eq 2801
 port-object eq 7244
 port-object eq www
 port-object eq https
 port-object eq 1234
object-group service DocumanTCP tcp
 description Documan (62.253.220.29) Inbound TCP Ports
 port-object eq smtp
 port-object eq ssh
 port-object eq 2020
 port-object eq ftp
 port-object eq www
 port-object eq 898
object-group service DocushareTCP tcp
 description Docushare (62.253.220.36) Inbound TCP Ports
 port-object eq ssh
 port-object eq ftp
 port-object eq www
 port-object eq 8236
object-group service IronmailTCP tcp
 description Ironmail (62.253.220.45) Inbound TCP Ports
 port-object eq 10443
 port-object eq 465
 port-object eq 995
 port-object eq smtp
 port-object eq imap4
 port-object eq 993
 port-object eq www
 port-object eq ssh
 port-object eq ftp-data
 port-object eq pop3
 port-object eq 20022
object-group service LutonTSTCP tcp
 description Luton-TS001 (62.253.220.35) Inbound TCP Ports
 port-object eq 3389
 port-object eq www
 port-object eq https
object-group service HadesTCP tcp
 description Hades (62.253.220.20) Inbound TCP Ports
 port-object eq 10001
 port-object eq pcanywhere-data
 port-object eq www
 port-object eq https
 port-object eq 9734
 port-object eq 800
object-group service HadesUDP udp
 description Hades (62.253.220.20) Inbound UDP Ports
 port-object eq pcanywhere-status
object-group service Mail.Watford.Co.Uk_10.0.0.1_TCP tcp
 description Mail.Waford.Co.Uk (62.253.220.4) Inbound TCP Ports To 10.0.0.1
 port-object eq pptp
 port-object eq 47
 port-object eq 3389
 port-object eq ftp
 port-object eq nntp
 port-object eq imap4
 port-object eq domain
object-group service Mail.Watford.Co.Uk_10.0.0.1_UDP udp
 description Mail.Watford.Co.Uk (62.253.220.4) Inbound UDP Ports To 10.0.0.1
 port-object eq 1701
 port-object eq domain
object-group service Email_10.0.0.10_TCP tcp
 description Email (62.253.220.37) Inbound TCP Ports
 port-object eq smtp
 port-object eq https
object-group service Mail.Watford.Co.Uk_10.0.0.10_TCP tcp
 description Mail.Watford.Co.Uk (62.253.220.4) Inbound TCP Ports To 10.0.0.10
 port-object eq pop3
 port-object eq www
object-group service Starbug_10.0.2.102_TCP tcp
 description Starbug (62.253.220.3) Inbound TCP Ports To 10.0.2.102
 port-object eq 2200
 port-object eq ftp
 port-object eq 9663
object-group service WatfordVPN_10.0.2.88_TCP tcp
 description Watford-VPN (62.253.220.43) Inbound TCP Ports To 10.0.2.88
 port-object eq pptp
 port-object eq 47
object-group service WatfordVPN_10.0.2.88_UDP udp
 description Watford-VPN (62.253.220.43) Inbound UDP Ports To 10.0.2.88
 port-object eq 1701
object-group service Masterpack_10.0.2.10_TCP tcp
 description Masterpack (62.253.220.18) Inbound TCP Ports To 10.0.2.10
 port-object eq telnet
 port-object eq ftp
 port-object eq 3468
 port-object eq https
object-group service Test.Savastore_10.0.2.202_TCP tcp
 description Test.Savastore (62.253.220.26) Inbound TCP Ports To 10.0.2.202
 port-object eq 8797
 port-object eq www
 port-object eq 8799
 port-object eq https
object-group service Hoasting_10.0.2.210_TCP tcp
 description Hoasting (62.253.220.12) Inbound TCP Ports To 10.0.2.210
 port-object eq smtp
 port-object eq 3389
 port-object eq pop3
 port-object eq www
object-group service Carrera_10.0.2.15_TCP tcp
 description Carrera (62.253.220.32) Inbound TCP Ports To 10.0.2.15
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service Old-Web_10.0.2.15_TCP tcp
 description Old-Web (62.253.220.5) Inbound TCP Ports To 10.0.2.15
 port-object eq smtp
 port-object eq 9030
 port-object eq 9016
object-group service Gandalf_10.0.0.6_TCP tcp
 description Gandalf (62.253.220.22)  Inbound TCP Ports To 10.0.0.6
 port-object eq www
 port-object eq https
object-group service Savascheme_10.0.2.15_TCP tcp
 description Savascheme (62.253.220.31) Inbound TCP Ports To 10.0.2.15
 port-object eq www
 port-object eq https
object-group service Xchange01_10.0.2.30_TCP tcp
 description Xchange01 (62.253.220.7) Inbound TCP Ports To 10.0.2.30
 port-object eq ftp
 port-object eq www
object-group service Demonite_10.0.2.15_TCP tcp
 description Demonite (62.253.220.33) Inbound TCP Ports To 10.0.2.15
 port-object eq www
 port-object eq https
object-group service DocumanNew_10.0.0.58_TCP tcp
 description Documan New (62.253.220.38) Inbound TCP Ports To 10.0.0.58
 port-object eq www
 port-object eq https
object-group service DocumanDemo_10.0.0.197_TCP tcp
 description Documan Demo (62.253.220.41) Inbound TCP Ports To 10.0.0.197
 port-object eq www
 port-object eq https
object-group service NeilCrowther_10.0.0.99_UDP udp
 description Neil Crowther (62.253.220.25) Inbound UDP Ports To 10.0.0.99
 port-object eq 4665
 port-object eq 39582
 port-object eq 4672
 port-object eq 1200
 port-object eq 27015
object-group service NeilCrowther_10.0.0.99_TCP tcp
 description Neil Crowther (62.253.220.25) Inbound TCP Ports To 10.0.0.99
 port-object eq 4662
 port-object eq 4711
 port-object eq 4661
 port-object eq 29900
 port-object eq 27015
 port-object eq 55125
 port-object eq 39582
 port-object eq 55124
 port-object eq 55123
 port-object eq 3389
 port-object eq 16567
object-group service Watford-VPN_10.0.2.88_UDP udp
 description Watford-VPN (62.253.220.43) Inbound UDP Ports To 10.0.2.88
 port-object eq 1701
object-group service Ironmail_10.0.0.21_TCP tcp
 description Ironmail (62.253.220.45) Inbound TCP Ports To 10.0.0.21
 port-object eq 10443
 port-object eq 465
 port-object eq 995
 port-object eq smtp
 port-object eq imap4
 port-object eq 993
 port-object eq www
 port-object eq ssh
 port-object eq ftp-data
 port-object eq pop3
 port-object eq 20022
object-group service Web-Servers_10.0.2.15_TCP tcp
 description Web-Servers (62.253.220.14) Inbound TCP Ports To 10.0.2.15
 port-object eq 2803
 port-object eq 8232
 port-object eq 2801
 port-object eq 7244
 port-object eq www
 port-object eq https
 port-object eq 1234
object-group service Agodfrey_10.0.2.110_TCP tcp
 description Agodfrey (62.253.220.44) Inbound TCP Port To 10.0.2.110
 port-object eq 3389
object-group service Documan_10.0.0.63_TCP tcp
 description Documan (62.253.220.29) Inbound TCP Ports To 10.0.0.63
 port-object eq smtp
 port-object eq ssh
 port-object eq 2020
 port-object eq ftp
 port-object eq www
 port-object eq 898
object-group service Dalius_10.0.2.87_TCP tcp
 description Dalius (62.253.220.9) Inbound TCP Ports To 10.0.2.87
 port-object eq 3389
object-group service Docushare_10.0.0.198_TCP tcp
 description Docushare (62.253.220.36) Inbound TCP Ports To 10.0.0.198
 port-object eq ssh
 port-object eq ftp
 port-object eq www
 port-object eq 8236
object-group service Luton-TS001_10.0.0.95_TCP tcp
 description Luton-TS001 (62.253.220.35) Inbound TCP Ports To 10.0.0.95
 port-object eq 3389
 port-object eq www
 port-object eq https
object-group service Hades_10.0.2.23_TCP tcp
 description Hades (62.253.220.20) Inbound TCP Ports To 10.0.2.23
 port-object eq 10001
 port-object eq pcanywhere-data
 port-object eq www
 port-object eq https
 port-object eq 9734
 port-object eq 800
object-group service Hades_10.0.2.23_UDP udp
 description Hades (62.253.220.20) Inbound UDP Ports To 10.0.2.23
 port-object eq pcanywhere-status
object-group service Intsub1_Network_TCP tcp
 description Intsub1 (10.0.0.0/24) Inbound TCP Ports
 port-object eq 8080
 port-object eq ident
 port-object eq 77
object-group service Intsub1_Network_UDP udp
 description Intsub1 (10.0.0.0/24) Inbound UDP Ports
 port-object range 1024 65535
 port-object eq domain
object-group service Intsub2_Network_TCP tcp
 description Intsub2 (10.0.2.0/24) Inbound TCP Ports
 port-object eq 8080
 port-object eq ident
 port-object eq 77
object-group service Intsub2_Network_UDP udp
 description Intsub2 (10.0.2.0/24) Inbound UDP Ports
 port-object range 1024 65535
 port-object eq domain
object-group service Starbug_10.0.2.15_TCP tcp
 description Starbug (62.253.220.3) Inbound TCP Ports To 10.0.2.15
 port-object eq 9090
access-list acl-out extended permit icmp any any
access-list External_access_in extended permit icmp any any unreachable
access-list External_access_in extended permit icmp any any time-exceeded
access-list External_access_in extended permit icmp any any traceroute
access-list External_access_in extended permit icmp any any echo-reply
access-list External_access_in extended permit tcp any host 62.253.220.32 object-group Carrera_10.0.2.15_TCP
access-list External_access_in extended permit tcp any host 62.253.220.31 object-group Savascheme_10.0.2.15_TCP
access-list External_access_in extended permit tcp any host 62.253.220.33 object-group Demonite_10.0.2.15_TCP
access-list External_access_in extended permit tcp any host 62.253.220.14 object-group Web-Servers_10.0.2.15_TCP
access-list External_access_in extended permit tcp any host 62.253.220.5 object-group Old-Web_10.0.2.15_TCP
access-list External_access_in extended permit tcp any host 62.253.220.37 object-group Email_10.0.0.10_TCP
access-list External_access_in extended permit tcp any host 62.253.220.4 object-group Mail.Watford.Co.Uk_10.0.0.10_TCP
access-list External_access_in extended permit tcp any host 62.253.220.4 object-group Mail.Watford.Co.Uk_10.0.0.1_TCP
access-list External_access_in extended permit udp any host 62.253.220.4 object-group Mail.Watford.Co.Uk_10.0.0.1_UDP
access-list External_access_in extended permit tcp any host 62.253.220.20 object-group Hades_10.0.2.23_TCP
access-list External_access_in extended permit udp any host 62.253.220.20 object-group Hades_10.0.2.23_UDP
access-list External_access_in extended permit tcp any host 62.253.220.43 object-group WatfordVPN_10.0.2.88_TCP
access-list External_access_in extended permit udp any host 62.253.220.43 object-group Watford-VPN_10.0.2.88_UDP
access-list External_access_in extended permit tcp any host 62.253.220.22 object-group Gandalf_10.0.0.6_TCP
access-list External_access_in extended permit tcp any host 62.253.220.18 object-group Masterpack_10.0.2.10_TCP
access-list External_access_in extended permit tcp any host 62.253.220.38 object-group DocumanNew_10.0.0.58_TCP
access-list External_access_in extended permit tcp any host 62.253.220.25 object-group NeilCrowther_10.0.0.99_TCP
access-list External_access_in extended permit udp any host 62.253.220.25 object-group NeilCrowther_10.0.0.99_UDP
access-list External_access_in extended permit tcp any host 62.253.220.41 object-group DocumanDemo_10.0.0.197_TCP
access-list External_access_in extended permit tcp any host 62.253.220.26 object-group Test.Savastore_10.0.2.202_TCP
access-list External_access_in extended permit tcp any host 62.253.220.29 object-group Documan_10.0.0.63_TCP
access-list External_access_in extended permit tcp any host 62.253.220.7 object-group Xchange01_10.0.2.30_TCP
access-list External_access_in extended permit tcp any host 62.253.220.36 object-group Docushare_10.0.0.198_TCP
access-list External_access_in extended permit tcp any host 62.253.220.35 object-group Luton-TS001_10.0.0.95_TCP
access-list External_access_in extended permit tcp any host 62.253.220.44 object-group Agodfrey_10.0.2.110_TCP
access-list External_access_in extended permit tcp any host 62.253.220.45 object-group Ironmail_10.0.0.21_TCP
access-list External_access_in extended permit tcp any host 62.253.220.9 object-group Dalius_10.0.2.87_TCP
access-list External_access_in extended permit tcp any host 62.253.220.12 object-group Hoasting_10.0.2.210_TCP
access-list External_access_in extended permit tcp any host 62.253.220.3 object-group Starbug_10.0.2.102_TCP
access-list External_access_in extended permit tcp any host 62.253.220.3 object-group Starbug_10.0.2.15_TCP
access-list outbound extended permit ip interface Intsub1 any
access-list outbound extended permit ip interface Intsub2 any
pager lines 24
logging enable
logging buffered notifications
logging from-address PixFw@watford.co.uk
logging recipient-address Neil@watford.co.uk level errors
logging recipient-address Mike@Watford.co.uk level errors
mtu External 1500
mtu Intsub1 1500
mtu Intsub2 1500
ip local pool VPNUsers 10.0.22.0-10.0.22.255 mask 255.255.255.0
failover
failover key *****
icmp permit any External
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (External) 1 interface
nat (Intsub1) 1 10.0.0.0 255.255.255.0
nat (Intsub2) 1 10.0.2.0 255.255.255.0
static (Intsub2,External) tcp 62.253.220.31 www 10.0.2.15 9033 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.31 https 10.0.2.15 9034 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.33 www 10.0.2.15 9037 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.33 https 10.0.2.15 9038 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 www 10.0.2.15 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 https 10.0.2.15 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 2801 10.0.2.15 2801 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 7244 10.0.2.15 7244 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 8232 10.0.2.15 8232 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 2803 10.0.2.15 2803 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 1234 10.0.2.15 1234 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.5 smtp 10.0.2.15 smtp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.5 9016 10.0.2.15 9016 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.5 9030 10.0.2.15 9030 netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.37 smtp 10.0.0.10 smtp netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.37 https 10.0.0.10 https netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.4 www 10.0.0.10 www netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.4 pop3 10.0.0.10 pop3 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 www 10.0.2.23 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 https 10.0.2.23 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 800 10.0.2.23 800 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 pcanywhere-data 10.0.2.23 pcanywhere-data netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 9734 10.0.2.23 9734 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 10001 10.0.2.23 10001 netmask 255.255.255.255
static (Intsub2,External) udp 62.253.220.20 pcanywhere-status 10.0.2.23 pcanywhere-status netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.43 47 10.0.2.88 47 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.43 pptp 10.0.2.88 pptp netmask 255.255.255.255
static (Intsub2,External) udp 62.253.220.43 1701 10.0.2.88 1701 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.18 ftp 10.0.2.10 ftp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.18 telnet 10.0.2.10 telnet netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.18 https 10.0.2.10 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.18 3468 10.0.2.10 3468 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.26 www 10.0.2.202 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.26 https 10.0.2.202 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.26 8797 10.0.2.202 8797 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.26 8799 10.0.2.203 8799 netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.22 www 10.0.0.6 www netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.22 https 10.0.0.6 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.7 ftp 10.0.2.30 ftp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.7 www 10.0.2.30 www netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.38 www 10.0.0.58 www netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.38 https 10.0.0.58 https netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.41 www 10.0.0.197 www netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.41 https 10.0.0.197 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.9 3389 10.0.2.87 3389 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.12 smtp 10.0.2.210 smtp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.12 www 10.0.2.210 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.12 pop3 10.0.2.210 pop3 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.12 3389 10.0.2.210 3389 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.3 ftp 10.0.2.102 ftp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.3 2200 10.0.2.102 2200 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.3 9663 10.0.2.102 9663 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.3 www 10.0.2.15 9090 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.32 ftp 10.0.2.15 ftp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.32 www 10.0.2.15 9035 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.32 https 10.0.2.15 9036 netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.14 www 10.0.2.15 www netmask 255.255.255.255
static (Intsub1,External) 62.253.220.25 10.0.0.99 netmask 255.255.255.255
static (Intsub2,External) 62.253.220.44 10.0.2.110 netmask 255.255.255.255
static (Intsub1,External) 62.253.220.29 10.0.0.63 netmask 255.255.255.255
static (Intsub1,External) 62.253.220.36 10.0.0.198 netmask 255.255.255.255
static (Intsub1,External) 62.253.220.35 10.0.0.95 netmask 255.255.255.255
static (Intsub1,External) 62.253.220.45 10.0.0.21 netmask 255.255.255.255
static (Intsub2,External) 62.253.220.40 10.0.2.40 netmask 255.255.255.255
static (Intsub1,External) 62.253.220.24 10.0.0.53 netmask 255.255.255.255
static (Intsub1,External) 62.253.220.2 10.0.0.4 netmask 255.255.255.255
access-group External_access_in in interface External
rip Intsub1 passive version 1
rip Intsub1 default version 1
route External 0.0.0.0 0.0.0.0 62.253.220.60 1
route Intsub1 213.232.80.0 255.255.255.0 10.0.0.193 1
route Intsub1 194.70.94.152 255.255.255.255 10.0.0.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username administrator password DIDoj/44tMeFMFGd encrypted privilege 15
username andrews password VWz7WydquTjZz/aD encrypted privilege 15
http server enable
http 10.0.99.0 255.255.255.0 Intsub1
http 10.0.0.0 255.255.255.0 Intsub1
http 10.0.2.0 255.255.255.0 Intsub2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 External
fragment chain 1 Intsub1
no sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
isakmp enable External
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet 10.0.0.0 255.255.255.0 Intsub1
telnet 10.0.99.0 255.255.255.0 Intsub1
telnet 10.0.2.0 255.255.255.0 Intsub2
telnet timeout 5
ssh timeout 5
console timeout 0
smtp-server 10.0.0.1 10.0.0.10
Cryptochecksum:bb838f090b465df9b1377278b6fa2177
: end

**************************************************************

Many thanks for any help you can give.

Bob

bob@andrews-computers.com
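Two consistency checks worth running over a posted PIX 7.x config before touching the box, as an added example that is not from the thread: does every port static point at a host that actually lives on the inside interface it names, and does every outside-ACL permit have a static whose global side is exactly the address and port the ACL names (on PIX 7.0 the outside ACL is evaluated against the global, pre-translation address and port). The sample lines are copied from the configuration above; `parse`, `audit` and `PORT_NAMES` are this example's own names.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: lines copied from the PIX 7.0(4) config posted above, chosen so that
# each check below has something to flag and something to pass.
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif Intsub1
 ip address 10.0.0.5 255.255.255.0
interface Ethernet2
 nameif Intsub2
 ip address 10.0.2.1 255.255.255.0
object-group service Mail.Watford.Co.Uk_10.0.0.1_TCP tcp
 port-object eq pptp
object-group service Savascheme_10.0.2.15_TCP tcp
 port-object eq www
object-group service Starbug_10.0.2.15_TCP tcp
 port-object eq 9090
access-list External_access_in extended permit tcp any host 62.253.220.4 object-group Mail.Watford.Co.Uk_10.0.0.1_TCP
access-list External_access_in extended permit tcp any host 62.253.220.31 object-group Savascheme_10.0.2.15_TCP
access-list External_access_in extended permit tcp any host 62.253.220.3 object-group Starbug_10.0.2.15_TCP
static (Intsub2,External) tcp 62.253.220.31 www 10.0.2.15 9033 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.3 www 10.0.2.15 9090 netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.14 www 10.0.2.15 www netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.4 www 10.0.0.10 www netmask 255.255.255.255
"""

# Service names the PIX accepts in place of port numbers (the subset used on this page).
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "pop3": 110, "nntp": 119, "imap4": 143, "pptp": 1723}

port = lambda tok: PORT_NAMES.get(tok, int(tok) if tok.isdigit() else tok)

def parse(cfg):
    """Collect interface subnets, service object-groups, ACL host entries and statics."""
    ifaces, groups, acl, statics = {}, defaultdict(list), [], []
    cur_if = cur_grp = None
    for line in cfg.splitlines():
        t = line.split()
        if not t: continue
        if t[0] == "interface": cur_if = None                # new interface block
        elif line.startswith(" nameif "): cur_if = t[1]
        elif line.startswith(" ip address ") and cur_if:
            ifaces[cur_if] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:2] == ["object-group", "service"]: cur_grp = t[2]
        elif line.startswith(" port-object eq ") and cur_grp:   # 'range' entries ignored
            groups[cur_grp].append(port(t[2]))
        elif t[0] == "access-list" and "host" in t and "object-group" in t:
            acl.append((t[t.index("host") + 1], t[4], t[t.index("object-group") + 1]))
        elif t[0] == "static":
            inside = t[1].strip("()").split(",")[0]            # (inside,outside)
            if t[2] in ("tcp", "udp"):                         # port static
                statics.append((inside, t[2], t[3], port(t[4]), t[5], port(t[6])))
            else:                                              # full one-to-one static
                statics.append((inside, "ip", t[2], None, t[3], None))
    return ifaces, groups, acl, statics

def audit(cfg):
    """Return a list of findings; an empty list means both checks pass."""
    ifaces, groups, acl, statics = parse(cfg)
    findings, ports = [], set()
    full = {gip for _, proto, gip, _, _, _ in statics if proto == "ip"}
    for inside, proto, gip, gport, rip, _ in statics:
        # 1. the real address must sit on the subnet of the inside interface the static names
        if inside in ifaces and ipaddress.ip_address(rip) not in ifaces[inside]:
            findings.append(f"static {gip}->{rip}: {rip} is not on {inside} ({ifaces[inside]})")
        ports.add((gip, proto, gport))
    # 2. the outside ACL matches the global ip/port, so each permit needs a static with that global side
    for gip, proto, grp in acl:
        for p in groups.get(grp, []):
            if gip not in full and (gip, proto, p) not in ports:
                findings.append(f"acl permits {proto} {gip}:{p} via {grp} but no static translates it")
    return findings
```

On the sample it reports the Intsub1 static that points at a 10.0.2.x host, the permits to 62.253.220.4 that have no matching static, and the Starbug permit on 9090 where the static translates global port 80 instead.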

Last comment: paul1gilbert, 8/22/2022 - Mon
JFrederick29

Your configuration looks good.  I was just able to telnet to 62.253.220.31 on port 80 so that connection appears to be working.  Are some inbound connections working and others not?
Bob Sampson

ASKER
Actually, the problem firewall is not live at the moment; it is going in to replace the existing firewall, which is working fine, just running slow as it's an old PC with a software firewall.

Bob
JFrederick29

ahh, okay.  I see nothing on the PIX itself that would not be allowing the traffic through.  When you have the PIX in place again, I would look at the inbound connections (show conn) to see if the traffic is making it to the PIX and a "show log" for anything related to the attempt.  If none of that helps, I would do a capture specific to one attempt such as:

access-list http permit tcp any host 62.253.220.31 eq http
capture http access-list http interface External

You can then do a "copy capture:http tftp" to copy the capture file to your PC to analyze it via Ethereal or your favorite packet capture software.
ASKER CERTIFIED SOLUTION
paul1gilbert
