Solved

Pix 501 - static (inside,outside) statements shut down all internet access

Posted on 2006-11-12
Last Modified: 2013-11-16
I have a feeling I'm just missing something really simple here, but this problem has been driving me crazy!

Here's the situation:

We had a Pix 506E which failed a couple days ago because of a bad power connector.  I installed a brand new Pix 501 and cut/pasted the config from the 506.  Everything seemed to work the same, except that the 501 was a 10 user model, so we were banging up against that limit immediately.  

We acquired an unlimited license 501, and I again cut/pasted the exact same config - but when I connected it this time no one was able to pass traffic out through the Pix.  Every host could ping the Pix, but not any public address outside the network.  After many frustrating hours I discovered that if I removed the static (inside,outside) statements mapping our public addresses to our two onsite servers, everything would work fine!  Putting those static statements back in would immediately hose internet access again.

What's weird is that the 10-user Pix 501 has those static statements and there's no problem!  

Also, we just fixed the original 506 (just had to open it up and reseat the power connector) and connected it back to the network - same problem as the unlimited license 501.  The config on this unit wasn't changed!  This is leading me to believe I'm just overlooking something really obvious and simple.

Below is the config we're using.  I'm assigning 500 points because this is keeping multiple users from doing their work effectively. Thanks in advance for any help!

Chris

--------------------------------------------------------
PX1# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PX1 up 1 min 19 secs

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0016.c7f9.b681, irq 9
1: ethernet1: address is 0016.c7f9.b682, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

Configuration has not been modified since last system restart.


PX1#
PX1# sh ru
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password FDIh4f5k47X7yofT encrypted
passwd FDIh4f5k47X7yofT encrypted
hostname PX1
domain-name local.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 172.16.2.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list 100 permit ip 172.16.2.0 255.255.255.0 192.168.19.0 255.255.255.0
access-list 110 permit ip 172.16.2.0 255.255.255.0 172.16.3.0 255.255.255.0
pager lines 24
logging facility 16
logging host inside 172.16.2.11
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.33.162 255.255.255.240
ip address inside 172.16.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnip 192.168.19.1-192.168.19.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.33.164 172.16.2.10 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.33.165 172.16.2.11 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.33.167 172.16.2.124 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.33.170 172.16.2.222 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.33.164 eq www any
conduit permit tcp host xxx.xxx.33.165 eq www any
conduit permit tcp host xxx.xxx.33.165 eq smtp any
conduit permit tcp host xxx.xxx.33.165 eq ftp any
conduit permit tcp host xxx.xxx.33.165 eq 5500 any
conduit permit tcp host xxx.xxx.33.167 eq 5500 any
conduit permit tcp host xxx.xxx.33.170 eq lpd any
conduit permit udp host xxx.xxx.33.170 eq 515 any
route outside 0.0.0.0 0.0.0.0 xxx.xxx.33.161 1
timeout xlate 0:05:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.2.11 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpntrans esp-des esp-md5-hmac
crypto dynamic-map vpndyn 30 set transform-set vpntrans
crypto map b2pvpn 10 ipsec-isakmp
crypto map b2pvpn 10 match address 110
crypto map b2pvpn 10 set peer xxx.xxx.31.194
crypto map b2pvpn 10 set transform-set vpntrans
crypto map b2pvpn 20 ipsec-isakmp dynamic vpndyn
crypto map b2pvpn interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.31.194 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup local-vpn address-pool vpnip
vpngroup local-vpn dns-server 172.16.2.11
vpngroup local-vpn wins-server 172.16.2.11
vpngroup local-vpn default-domain local.local
vpngroup local-vpn split-tunnel 100
vpngroup local-vpn idle-time 18000
vpngroup local-vpn password ********
telnet 172.16.2.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 172.16.2.100-172.16.2.131 inside
dhcpd dns 172.16.2.11
dhcpd wins 172.16.2.11
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:92bb98c707108efce19d82b8b1c33ac2
: end
PX1#
Question by:smocohiba
6 Comments
Accepted Solution

by:
batry_boy earned 500 total points
ID: 17925896
The first thing I would check is the ARP cache on your next hop gateway listed in your PIX config as xxx.xxx.33.161.  When you change out hardware you run into the problem of the next hop gateway (or any other device on the outside network segment) caching your MAC address in its ARP table which can cause connectivity problems until it is refreshed.

Therefore, clear the ARP cache on the next hop router by either:

1) Manually issuing the command to do it for that particular device (don't know how to tell you to do this since I don't know what kind of router/device it is)
2) Cycle the power to it

Try this first and let me know if the problem is still there.

Author Comment

by:smocohiba
ID: 17925990
Thanks for your suggestion - the .161 gateway is an onsite endpoint from our wireless ISP, basically nothing more than a small box with one enet port and a power connector.  I've power cycled this along with our other equipment without success.  

I also contacted our ISP and they assured me there's no other equipment along our circuit that would be caching MAC addresses.

Thanks again and please keep the suggestions coming!

Expert Comment

by:batry_boy
ID: 17927308
Is one of the inside servers referenced in your static translation statements your DNS server for your inside network hosts?  Also, when you try to ping an outside host from an inside host have you tried pinging by IP address or pinging by hostname?

Author Comment

by:smocohiba
ID: 17927576
Yes, the .165 outside address is static mapped to the .11 internal DNS/mail server.  All pings outside are by IP.


Expert Comment

by:batry_boy
ID: 17928020
Can you post the 10 user PIX 501 config and either the 506 or the unrestricted 501 configs as they exist right now?

Author Comment

by:smocohiba
ID: 17948533
It actually did end up being the MAC cache on the ISP gateway!  I had them flush it and everything works fine.  Thanks for your help!
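The mechanism batry_boy describes and the asker confirms (a stale ARP entry upstream after swapping the firewall hardware) is worth seeing concretely. The block below is an added example written for this page, not code from the thread or from Cisco: it builds and parses a gratuitous ARP announcement, the frame a host sends to tell neighbours that an IP address now lives at a new MAC, and models the next-hop gateway's ARP cache under two policies. Many gateways ignore unsolicited ARP precisely because accepting it is what makes ARP spoofing work, so the stale entry survives until it times out or someone flushes it by hand, which is what the ISP ended up doing here. Addresses are constructed (203.0.113.0/24 stands in for the xxx.xxx.33.x block in the post); the new unit's outside MAC 0016.c7f9.b681 is taken from the posted `sh ver`, and the old 506E's MAC is made up. The model also treats each static-mapped public address as its own cache entry, since a PIX proxy-ARPs for static and global addresses unless `sysopt noproxyarp` is set; the thread itself does not establish which entries were stale.

```python
"""Gratuitous ARP after a firewall hardware swap: frame builder, parser and a
small model of a next-hop gateway's ARP cache. Added example, not part of the
original thread. All addresses below are constructed; only the new PIX's
outside MAC comes from the posted 'sh ver' output."""
import struct

ETH_P_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4, OP_REQUEST = 1, 0x0800, 1


def mac_bytes(mac: str) -> bytes:
    """Accept Cisco 'xxxx.xxxx.xxxx' or colon notation."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_gratuitous_arp(sender_mac: str, sender_ip: str) -> bytes:
    """Broadcast ARP request in which sender and target IP are both ours:
    the standard announcement that 'this IP is now at this MAC'."""
    smac, sip = mac_bytes(sender_mac), ip_bytes(sender_ip)
    eth = b"\xff" * 6 + smac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, OP_REQUEST)
    arp += smac + sip + b"\x00" * 6 + sip
    return eth + arp  # 14-byte Ethernet header + 28-byte ARP body


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP encoding")
    smac, sip, tmac, tip = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": fmt_mac(smac), "sender_ip": fmt_ip(sip),
            "target_mac": fmt_mac(tmac), "target_ip": fmt_ip(tip),
            "gratuitous": sip == tip}


class GatewayArpCache:
    """Minimal model of the next-hop device's ARP table. accept_gratuitous=False
    models gear that drops unsolicited announcements (an anti-spoofing stance,
    and the behaviour the thread ran into)."""

    def __init__(self, accept_gratuitous: bool):
        self.table = {}  # ip -> mac, colon notation, lower case
        self.accept_gratuitous = accept_gratuitous

    def seed(self, ip: str, mac: str) -> None:
        self.table[ip] = mac.lower()

    def observe(self, frame: bytes) -> bool:
        """Apply one received ARP frame; return True if an entry changed.
        Only existing entries are refreshed (RFC 826 merge rule); nothing
        new is learned from a frame that was not addressed to us."""
        a = parse_arp(frame)
        if a["gratuitous"] and not self.accept_gratuitous:
            return False
        ip = a["sender_ip"]
        if ip in self.table and self.table[ip] != a["sender_mac"]:
            self.table[ip] = a["sender_mac"]
            return True
        return False

    def flush(self) -> None:
        """What the ISP did by hand: clear the whole cache."""
        self.table.clear()

    def lookup(self, ip: str):
        return self.table.get(ip)


def simulate(accept_gratuitous: bool) -> dict:
    """Stale-cache scenario: the gateway still holds the old 506E's MAC for the
    outside interface and for every static-mapped public address the PIX
    proxy-ARPs for. The replacement unit announces all of them."""
    old_mac = "00:0a:b7:12:34:56"   # constructed: the failed 506E
    new_mac = "0016.c7f9.b681"       # ethernet0 (outside) from the posted 'sh ver'
    pix_addrs = ["203.0.113.162", "203.0.113.164", "203.0.113.165",
                 "203.0.113.167", "203.0.113.170"]
    gw = GatewayArpCache(accept_gratuitous)
    for ip in pix_addrs:
        gw.seed(ip, old_mac)
    for ip in pix_addrs:
        gw.observe(build_gratuitous_arp(new_mac, ip))
    new_mac_norm = "00:16:c7:f9:b6:81"
    stale = [ip for ip in pix_addrs if gw.lookup(ip) != new_mac_norm]
    return {"stale": stale, "cache": gw}


if __name__ == "__main__":
    print("gateway accepts gratuitous ARP, stale entries:", simulate(True)["stale"])
    print("gateway ignores gratuitous ARP, stale entries:", simulate(False)["stale"])
```

Two things to keep in mind when using this as a mental model. `show arp` and `clear arp` on the PIX itself only touch the firewall's own cache; when the symptom is "everything reaches the PIX but nothing gets past the gateway", the cache that matters belongs to the upstream device, and the only fixes are its timeout, a manual flush by whoever runs it, or a gateway that honours gratuitous ARP. And a device that does honour unsolicited ARP updates is the easier one to poison from the same segment, so an ISP refusing to do so is a defensible choice even though it turns every hardware swap into a phone call.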