Solved

Routing/Firewall Issue

Posted on 2006-10-26
Last Modified: 2013-11-16
We work with a partner who recently changed the way we access information.  Previously we used Citrix web interface to access their server farm.  We now use the local Citrix client; they also changed an IP address.  This is NOT a Citrix issue, I have verified that every way from Sunday; it's a firewall issue.  

We have an internal router, a PIX and then an external router.  From the external router I am able to telnet to the IP address over 1494 and it works.  If I try from behind the firewall it doesn't.  

I thought outbound connections don't have any restrictions from a PIX unless implicitly put there?  I don't have any specific rule for port 80 or 443 traffic.  It seems that the problem would be when the traffic is trying to come back in.

Any ideas?
Question by:snowsurfer

41 Comments
 
LVL 27

Expert Comment

by:pseudocyber
The PIX is a stateful firewall.  If an outbound connection goes through, it gets entered into a state table.  Then, when the reply comes back, the firewall checks the state table, sees the entry, and lets the reply back through.

Best security practice is NOT to allow everything out.  Best practice is to deny everything unless explicitly allowed - cuts down on the spread of virus infections, zombie attacks, etc.  Plus good for letting you know when you're infected.
0
 
LVL 5

Author Comment

by:snowsurfer
Thanks for that, but to the point of my question, what do you think could be causing it not to work?
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 225 total points
A simple way to find out if it is the firewall *ALONE* that is causing the problem would be to let your inbound access-list allow all connections to that public IP which you use to connect to Citrix Server and see if it works.

Cheers,
Rajesh
0
 
LVL 5

Author Comment

by:snowsurfer
To test rsivanandan, I set up access-list outside_in permit tcp any any

There was no change.  I still could not telnet.  Did I do the access-list wrong, or is there another problem?
0
 
LVL 32

Expert Comment

by:rsivanandan
I set up access-list outside_in permit ip any any

Change it to the above and apply it on the outside. If it still doesn't work, can you paste the config of the firewall ?

Cheers,
Rajesh
0
 
LVL 5

Author Comment

by:snowsurfer
Do you mean to apply it with this?

access-group outside_in in interface outside
0
 
LVL 32

Expert Comment

by:rsivanandan
YES.

Cheers,
Rajesh
0
 
LVL 5

Author Comment

by:snowsurfer
It did not work, which leads me to believe it's not a firewall issue, but I am not sure what else it could be.

Which portions of the config do you want to see?
0
 
LVL 32

Expert Comment

by:rsivanandan
Everything, sanitized (just remove the passwords/usernames and the last 3 octets of your public IP).

Cheers,
Rajesh
0
 
LVL 5

Author Comment

by:snowsurfer
Here is the main portion. I took out all the VPN stuff to make it smaller; I also didn't include the typical top junk.

access-list 100 permit ip 10.0.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list 100 permit ip 10.0.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.36.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.46.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.37.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.38.0 255.255.255.0
access-list outside_in permit tcp any host 64.x.x.x eq https
access-list outside_in permit tcp any host 64.x.x.x eq www
access-list outside_in permit tcp any host 64.x.x.x eq smtp
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit tcp any any
access-list 110 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 110 permit ip host 10.0.1.18 host 216.x.x.x
access-list 180 permit ip 10.0.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 190 permit ip 10.0.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 200 permit ip 10.0.1.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 160 permit ip 10.0.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 170 permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 220 permit ip 10.0.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 240 permit ip 10.0.1.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list 250 permit ip 10.0.1.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list 260 permit ip 10.0.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 230 permit ip 10.0.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 270 permit ip 10.0.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 280 permit ip 10.0.1.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list 290 permit ip 10.0.1.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 300 permit ip 10.0.1.0 255.255.255.0 192.168.36.0 255.255.255.0
access-list 295 permit ip 10.0.1.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list 195 permit ip 10.0.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 310 permit ip 10.0.1.0 255.255.255.0 192.168.46.0 255.255.255.0
access-list 320 permit ip 10.0.1.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 330 permit ip 10.0.1.0 255.255.255.0 192.168.37.0 255.255.255.0
access-list 340 permit ip 10.0.1.0 255.255.255.0 192.168.38.0 255.255.255.0
pager lines 24
logging timestamp
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 64.x.x.x 255.255.255.224
ip address inside 172.16.32.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SYNSACpool 172.16.1.1-172.16.1.25
pdm location 10.0.1.0 255.255.255.0 inside
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
static (inside,outside) tcp 64.x.x.x www 10.0.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.x.x.x https 10.0.1.3 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.x.x.x 1
route inside 10.0.1.0 255.255.255.0 172.16.32.254 1
route outside 10.0.2.0 255.255.255.0 64.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 10.0.1.15
no snmp-server location
no snmp-server contact
snmp-server community syncon
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
0
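As an added example that is not from the thread, here is a small Python checker that parses PIX 6.x `access-list` and `access-group` lines in the syntax posted above and flags entries bound inbound on the outside interface that permit any source to any destination, which is how a diagnostic `permit tcp any any` left in place (as in the posted config) shows up; the sample config is constructed from a subset of those lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the ACL posted in the thread, including the
# diagnostic "permit tcp any any" line that was added while testing and left in.
SAMPLE_CONFIG = """\
access-list outside_in permit tcp any host 64.x.x.x eq https
access-list outside_in permit tcp any host 64.x.x.x eq www
access-list outside_in permit tcp any host 64.x.x.x eq smtp
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit tcp any any
access-list 110 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-group outside_in in interface outside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    qualifier: Optional[str]  # service after 'eq', an ICMP type, or None

def _endpoint(tokens: List[str], i: int):
    """Consume one PIX 6.x address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2

def parse_ace(line: str) -> Optional[Ace]:
    """Parse one access-list line; returns None for non-ACE lines."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    tokens = rest.split()
    src, i = _endpoint(tokens, 0)
    dst, i = _endpoint(tokens, i)
    qualifier = None
    if i < len(tokens):
        qualifier = tokens[i + 1] if tokens[i] == "eq" else tokens[i]
    return Ace(acl, action, proto, src, dst, qualifier)

def broad_inbound_permits(config: str) -> List[Ace]:
    """ACEs applied inbound on 'outside' that permit tcp/udp/ip from any to any."""
    lines = [l.strip() for l in config.splitlines()]
    inbound = {m.group(1) for m in map(GROUP_RE.match, lines) if m and m.group(2) == "outside"}
    aces = [a for a in map(parse_ace, lines) if a]
    return [a for a in aces if a.acl in inbound and a.action == "permit"
            and a.proto in ("tcp", "udp", "ip") and a.src == "any" and a.dst == "any"]
```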
 
LVL 32

Expert Comment

by:rsivanandan
This does look to me like a firewall issue. It has something to do with their setup on the other side. Confirm with them about the settings (it might be overlooked for a different port as well, who knows)...

Cheers,
Rajesh
0
 
LVL 5

Author Comment

by:snowsurfer
All of their outside people can connect.  I also just hooked up a PC on the outside of our firewall and was able to connect.  What would I have them look for?
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 50 total points
What is the IP address of the local host that you are trying to telnet from?
10.0.1.x or 172.16.32.x ?
0
 
LVL 5

Author Comment

by:snowsurfer
10.0.1.x
0
 
LVL 79

Expert Comment

by:lrmoore
The reason I asked that is because the inside of this pix is 172.16.32.x but only 10.0.1.x has a nat rule.
As long as the client is 10.0.1.x I can't see anything in the config that you've posted that would be preventing it from working.
0
 
LVL 5

Author Comment

by:snowsurfer
Me neither, that's the kicker.

There is nothing on the 172. network except the inside of this firewall a router and another firewall.  We have traffic split up for internet and a few other things.  The default route on the router is to send all traffic to 172.16.32.253.  Specific traffic goes out to a PIX 515.  I have put a specific route to send traffic to the specific network out our other PIX just for giggles, with the same result.

Very strange
0
 
LVL 1

Expert Comment

by:nikpegler
Correct me if I'm wrong, but generally a 10.0.1.x network address indicates that the computer is auto-assigning its IP address, which could very well point to connectivity issues within your network between those computers and your DHCP server.
0
 
LVL 5

Author Comment

by:snowsurfer
Thanks nikpegler, but we are not having any issues there; it's much more advanced than that.
0
 
LVL 1

Expert Comment

by:nikpegler
Just thought to bring that up.  I've always learned to start with the simple things first... Unfortunately this is beyond my ability so I cannot help you any with this problem.
0
 
LVL 7

Expert Comment

by:instillmotion
Is 172.16.32.254 the interface on the internal router?

Can you access other services outside your external router from the 10.0.1.x client?
0
 
LVL 5

Author Comment

by:snowsurfer
Oh yeah, all of them.  Everything is working fine; we have no issues other than the fact that we can no longer connect to this partner because they changed the way we connect from a web connection to a straight client connection.  I would think that it is something on the partner end except that they are not having connectivity problems from any of their locations.  I tested from home and I can get to their connection, and I just moved a PC outside of our firewall and it connected.  So it appears to be some sort of routing/firewall issue on this end.
0
 
LVL 79

Expert Comment

by:lrmoore
Nikpegler -
169.254.0.0 is the range for APIPA addressing. This is what an XP/2000 PC will default to if no DHCP server is reachable.
10.0.0.0 is very much normal and within RFC 1918 guidelines for private IP addressing, with or without DHCP servers.

snowsurfer -
If you have a spare public IP, try assigning a static 1-1 NAT to your 10.0.1.x client and see if that makes a difference.

0
 
LVL 7

Expert Comment

by:instillmotion
Can you install a sniffer on the client machine, like Ethereal or Packetyzer?
It will help you identify the issue.
0
 
LVL 5

Author Comment

by:snowsurfer
I have Ethereal on one of our network machines; I recently installed it and have not played with it.  How would it help?
0
 
LVL 7

Expert Comment

by:instillmotion
Run it on the client machine that you're trying to connect from and start a capture session to the remote server. It will start capturing the network traffic; let it run for a minute or so while you're trying to connect.
Stop the capture.

Go to Edit > Find Packet > Find by String > host of remote server

You should now see the TCP conversation.

You can also in the filter window put:
(ip.addr eq remoteserverip and ip.addr eq clientip)

or
ip.dst == remoteserverip

Now you can right-click > Follow TCP Stream
It will map out the TCP Flow

Please post those results
0
 
LVL 5

Author Comment

by:snowsurfer
Okay, I am heading out for the night; I'll post in the AM.
0
 
LVL 5

Author Comment

by:snowsurfer
All the stream says is

sftc

I don't know what that means.
0
 
LVL 5

Author Comment

by:snowsurfer
The only thing that I can think of is that the packet is being altered and when it is sent back the PIX is dropping it.  They have a SonicWALL on the other end.  In troubleshooting I moved a client to the 172 network to eliminate a routing problem.  The same issue exists.  I am in the process of hooking up a new PIX with the most basic config possible and connecting it to a testing T1 we have to try again; then I am going to use a cheapie Linksys router/VPN device to see the results. I am expecting that it will work with the Linksys and not the PIX.

instillmotion, do you think I could use Ethereal to capture the packets from outside of the firewall to see it working and then analyze the packet to see if it's being altered in some way?
0
 
LVL 5

Author Comment

by:snowsurfer
OK, I was wrong, the PIX with the very basic config worked.  So now I am going to compare the configs to see why it is happening; I am leaning towards a NAT issue now.
0
 
LVL 7

Accepted Solution

by:instillmotion
instillmotion earned 225 total points
Hey snowsurfer. If you have available public IPs on the IP block for that PIX, try this: create a static to the client machine.

static (inside, outside) publicip 10.0.1.x netmask 255.255.255.255 0 0
clear xlate local 10.0.1.x

(where 10.0.1.x is the ip of the client)

Try it now
0
 
LVL 7

Expert Comment

by:instillmotion
Yes, putting the sniffer on the outside of the PIX could very well be more helpful if the packet is being dropped there. You will need a hub (not a switch) between the outside interface and the external router.
0
 
LVL 5

Author Comment

by:snowsurfer
Just so I double check: won't clear xlate drop all connections we currently have?  I need to know if I need to do this after hours.
0
 
LVL 7

Expert Comment

by:instillmotion
No, if you do clear xlate local 10.0.1.x, where 10.0.1.x is the address of the specific client, it will only clear the translation for that IP.

clear xlate local 10.0.1.x
0
 
LVL 5

Author Comment

by:snowsurfer
I didn't have any extra IP addresses, so I used our testing line and rebuilt our exact setup in the lab and started removing things one at a time until I was able to connect.

isakmp enable outside is what did it.  Obviously in our lab we don't need any crypto map and isakmp statements because we don't have a VPN.  

As soon as I take that off I can get to the connection.  If I put that back on, then no dice.  Why would the isakmp statement be affecting port 1494 traffic?
0
 
LVL 5

Author Comment

by:snowsurfer
I put the isakmp statement back in and it still works; I cleared xlate and rebooted the PIX and it still works.

Now I am really confused.
0
 
LVL 32

Expert Comment

by:rsivanandan
I believe there is some problem (bug) with transient state with crypto map and isakmp statements with PIX. If you browse this site, you can see numerous examples of the same.

Cheers,
Rajesh
0
 
LVL 5

Author Comment

by:snowsurfer
That's good to know; that makes sense.  I just took the isakmp enable off our production PIX and cleared all the isakmp SAs.  I was able to connect.  I put it back and the VPNs started coming back up.  It was still working.

Then poof, for no reason, I can't connect anymore.

You wouldn't happen to know if the newest version of the PIX software fixes it, do you?
0
 
LVL 32

Expert Comment

by:rsivanandan
What version are you running now? The latest and stable one is 6.3(5). But I've seen people with that version have this problem as well though.

Cheers,
Rajesh
0
 
LVL 5

Author Comment

by:snowsurfer
6.3(4); it doesn't seem like it will fix the problem.
0
 
LVL 32

Expert Comment

by:rsivanandan
But if possible I'll go there.

Cheers,
Rajesh
0
 
LVL 5

Author Comment

by:snowsurfer
Thanks everyone for the help.  Points have been spread out.  I am going to attack this a different way altogether.

thanks again
0
