smocohiba

asked on
Pix 501 - static (inside,outside) statements shut down all internet access

I have a feeling I'm just missing something really simple here, but this problem has been driving me crazy!

Here's the situation:

We had a Pix 506E which failed a couple days ago because of a bad power connector.  I installed a brand new Pix 501 and cut/pasted the config from the 506.  Everything seemed to work the same, except that the 501 was a 10 user model, so we were banging up against that limit immediately.  

We acquired an unlimited license 501, and I again cut/pasted the exact same config - but when I connected it this time no one was able to pass traffic out through the Pix.  Every host could ping the Pix, but not any public address outside the network.  After many frustrating hours I discovered that if I removed the static (inside,outside) statements mapping our public addresses to our two onsite servers, everything would work fine!  Putting those static statements back in would immediately hose internet access again.

What's weird is that the 10-user Pix 501 has those static statements and there's no problem!  

Also, we just fixed the original 506 (just had to open it up and reseat the power connector) and connected it back to the network - same problem as the unlimited license 501.  The config on this unit wasn't changed!  This is leading me to believe I'm just overlooking something really obvious and simple.

Below is the config we're using.  I'm assigning 500 points because this is keeping multiple users from doing their work effectively. Thanks in advance for any help!

Chris

--------------------------------------------------------
PX1# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PX1 up 1 min 19 secs

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0016.c7f9.b681, irq 9
1: ethernet1: address is 0016.c7f9.b682, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

Configuration has not been modified since last system restart.


PX1#
PX1# sh ru
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password FDIh4f5k47X7yofT encrypted
passwd FDIh4f5k47X7yofT encrypted
hostname PX1
domain-name local.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 172.16.2.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list 100 permit ip 172.16.2.0 255.255.255.0 192.168.19.0 255.255.255.0
access-list 110 permit ip 172.16.2.0 255.255.255.0 172.16.3.0 255.255.255.0
pager lines 24
logging facility 16
logging host inside 172.16.2.11
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.33.162 255.255.255.240
ip address inside 172.16.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnip 192.168.19.1-192.168.19.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.33.164 172.16.2.10 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.33.165 172.16.2.11 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.33.167 172.16.2.124 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.33.170 172.16.2.222 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.33.164 eq www any
conduit permit tcp host xxx.xxx.33.165 eq www any
conduit permit tcp host xxx.xxx.33.165 eq smtp any
conduit permit tcp host xxx.xxx.33.165 eq ftp any
conduit permit tcp host xxx.xxx.33.165 eq 5500 any
conduit permit tcp host xxx.xxx.33.167 eq 5500 any
conduit permit tcp host xxx.xxx.33.170 eq lpd any
conduit permit udp host xxx.xxx.33.170 eq 515 any
route outside 0.0.0.0 0.0.0.0 xxx.xxx.33.161 1
timeout xlate 0:05:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.2.11 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpntrans esp-des esp-md5-hmac
crypto dynamic-map vpndyn 30 set transform-set vpntrans
crypto map b2pvpn 10 ipsec-isakmp
crypto map b2pvpn 10 match address 110
crypto map b2pvpn 10 set peer xxx.xxx.31.194
crypto map b2pvpn 10 set transform-set vpntrans
crypto map b2pvpn 20 ipsec-isakmp dynamic vpndyn
crypto map b2pvpn interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.31.194 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup local-vpn address-pool vpnip
vpngroup local-vpn dns-server 172.16.2.11
vpngroup local-vpn wins-server 172.16.2.11
vpngroup local-vpn default-domain local.local
vpngroup local-vpn split-tunnel 100
vpngroup local-vpn idle-time 18000
vpngroup local-vpn password ********
telnet 172.16.2.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 172.16.2.100-172.16.2.131 inside
dhcpd dns 172.16.2.11
dhcpd wins 172.16.2.11
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:92bb98c707108efce19d82b8b1c33ac2
: end
PX1#
ASKER CERTIFIED SOLUTION
batry_boy
This solution is only available to members.
smocohiba

ASKER

Thanks for your suggestion - the .161 gateway is an onsite endpoint from our wireless ISP, basically nothing more than a small box with one enet port and a power connector.  I've power cycled this along with our other equipment without success.  

I also contacted our ISP and they assured me there's no other equipment along our circuit that would be caching MAC addresses.

Thanks again and please keep the suggestions coming!

Is one of the inside servers referenced in your static translation statements your DNS server for your inside network hosts?  Also, when you try to ping an outside host from an inside host have you tried pinging by IP address or pinging by hostname?

Yes, the .165 outside address is static mapped to the .11 internal DNS/mail server.  All pings outside are by IP.

Can you post the 10 user PIX 501 config and either the 506 or the unrestricted 501 configs as they exist right now?

It actually did end up being the MAC cache on the ISP gateway!  I had them flush it and everything works fine.  Thanks for your help!
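The root cause in this thread was a stale ARP (MAC) cache on the ISP gateway at .161: on PIX 6.x the outside interface answers ARP not only for its own address but, by default, for every static and global-pool address mapped onto it, so swapping the firewall hardware changes the MAC that the gateway must learn for each of those public addresses. The script below is an added example, not code from the thread or from Cisco: it parses a PIX 6.x running config and lists the outside-subnet addresses the PIX proxy-ARPs for (the ones whose entries have to be refreshed on the upstream gateway after a hardware swap) and resolves each conduit back to the inside host it exposes. The sample config is constructed from the one posted above with RFC 5737 documentation addresses (198.51.100.x) standing in for the redacted xxx.xxx.33.x addresses; the proxy-ARP default and the `sysopt noproxyarp` override are PIX 6.x behaviour, and everything else (function names, output shape) is this example's own choice.

```python
"""Parse a PIX 6.x 'show run' and report (a) which public addresses the
outside interface answers ARP for and (b) what each conduit exposes,
resolved to the inside host through the statics.  Added example, not code
from the thread; SAMPLE_CONFIG is constructed from the posted config with
RFC 5737 documentation addresses in place of the redacted ones."""
import ipaddress
import re
from collections import namedtuple

SAMPLE_CONFIG = """\
ip address outside 198.51.100.162 255.255.255.240
ip address inside 172.16.2.1 255.255.255.0
global (outside) 1 interface
static (inside,outside) 198.51.100.164 172.16.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.165 172.16.2.11 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.167 172.16.2.124 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.170 172.16.2.222 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 198.51.100.164 eq www any
conduit permit tcp host 198.51.100.165 eq www any
conduit permit tcp host 198.51.100.165 eq smtp any
conduit permit tcp host 198.51.100.165 eq ftp any
conduit permit tcp host 198.51.100.165 eq 5500 any
conduit permit tcp host 198.51.100.167 eq 5500 any
conduit permit tcp host 198.51.100.170 eq lpd any
conduit permit udp host 198.51.100.170 eq 515 any
"""

Static = namedtuple("Static", "mapped_if public private")  # public/private are networks
Conduit = namedtuple("Conduit", "proto dest port src")
IFACE_RE = re.compile(r"^ip address (\w+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\w+)")


def _addr(tokens, i):
    """Consume one conduit address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_config(text):
    cfg = {"interfaces": {}, "statics": [], "conduits": [], "noproxyarp": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            cfg["interfaces"][m[1]] = ipaddress.IPv4Interface(f"{m[2]}/{m[3]}")
        elif m := STATIC_RE.match(line):
            # static (real_if,mapped_if) mapped_ip real_ip netmask MASK ...
            cfg["statics"].append(Static(
                m[2],
                ipaddress.IPv4Network(f"{m[3]}/{m[5]}", strict=False),
                ipaddress.IPv4Network(f"{m[4]}/{m[5]}", strict=False)))
        elif m := NOPROXY_RE.match(line):
            cfg["noproxyarp"].add(m[1])
        elif line.startswith("conduit permit "):
            t = line.split()[2:]             # proto dest [eq port] src
            dest, i = _addr(t, 1)
            port = None
            if i < len(t) and t[i] == "eq":
                port, i = t[i + 1], i + 2
            src, _ = _addr(t, i)
            cfg["conduits"].append(Conduit(t[0], dest, port, src))
    return cfg


def proxy_arp_addresses(cfg, iface="outside"):
    """Addresses on iface's connected subnet that the PIX answers ARP for:
    its own address plus every static address mapped onto iface (PIX 6.x
    proxy-ARPs for these by default; 'sysopt noproxyarp IFACE' disables it).
    Mapped addresses outside the connected subnet must be routed to the PIX,
    so the next-hop router never caches an ARP entry for them.  Each address
    returned gets a new MAC binding on the upstream gateway after a hardware
    swap; a stale cache there breaks exactly the hosts behind the statics."""
    own = cfg["interfaces"][iface]
    answered = {own.ip}
    if iface not in cfg["noproxyarp"]:
        for st in cfg["statics"]:
            if st.mapped_if == iface:
                answered.update(a for a in st.public if a in own.network)
    return [str(a) for a in sorted(answered)]


def exposed_services(cfg):
    """(proto, port, public, inside, source) per conduit, with the public
    host resolved to the inside host through the matching static."""
    rows = []
    for c in cfg["conduits"]:
        inside = "any" if c.dest == "any" else "unmapped"
        if inside == "unmapped" and " " not in c.dest:
            d = ipaddress.IPv4Address(c.dest)
            for st in cfg["statics"]:
                if d in st.public:
                    inside = str(st.private[int(d) - int(st.public.network_address)])
        rows.append((c.proto, c.port, c.dest, inside, c.src))
    return rows


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("outside addresses the PIX answers ARP for (refresh these on the gateway):")
    for a in proxy_arp_addresses(cfg):
        print("  ", a)
    print("exposed via conduit (proto, port, public, inside, source):")
    for row in exposed_services(cfg):
        print("  ", row)
```

For the posted config the first list is the interface address plus .164, .165, .167 and .170, all inside the .160/28 outside subnet, which matches the symptom that only the statics "broke" things: the gateway kept answering to the old PIX's MAC for those four addresses until its cache was flushed. Running `show arp` on the upstream router, or asking the ISP to clear those entries, is the check to make right after any firewall hardware swap. The second list also makes the exposure of this config visible at a glance: `conduit permit icmp any any` opens ICMP to every inside host, not just the statically mapped ones.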