• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 367

Desperate PIX help: 1 am here and still at work. When I cold start the PIX I can use the remote network's resources; afterwards I can't at all.

Hello again (1 am here, I'm going crazy at work).
This PIX is killing me.
The topology of the network is like this:

internet - linux router/gateway (doing NAT) - switch - local area connection
I have the PIX in the local area connection but with a public IP I routed in the Linux machine.
The outside of the PIX has a public IP.
The inside is in the same network as the other computers from the local area network.
I want to be able to ping the other LAN connected to the Linux router.
The working config is this:

: Saved
: Written by enable_15 at 12:18:24.929 UTC Fri Aug 3 2007
!
PIX Version 7.1(2)
!
hostname pix
domain-name ...
enable password ... encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address ... 255.255.255.192
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.18.251 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd ... encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ...
access-list inside_nat0_outbound extended permit ip interface inside 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.18.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn3000_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list vpn3000_splitTunnelAcl standard permit 10.10.18.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool ippool 10.10.20.2-10.10.20.254 mask 255.255.255.0
asdm image flash:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
route inside 10.10.10.0 255.255.255.0 10.10.18.1 1
route outside 0.0.0.0 0.0.0.0 ... 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value 10.10.18.10
 dns-server value 193.231.236.25 193.231.236.30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value ...
username ... password ... encrypted privilege 0
username ... attributes
 vpn-group-policy vpn3000
username ... password ... encrypted privilege 0
username ... attributes
 vpn-group-policy vpn3000
http server enable
http 10.10.18.165 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool ippool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key ...
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:ab10b9c23a49c14500e23ad8708b8aa0
: end

On the Linux router I have this:
route add -net 10.10.20.0/24 gw 10.10.18.251

Everything is fine until now.
When I cold start the PIX and my laptop I can connect and do my job.
If I disconnect and try to connect again, I can connect but can't access the remote network at all.
In the stats on the Cisco VPN client I have no received packets.
This happens if I do a reload on the PIX, or add some security stuff and do a wr mem.
I wonder what is wrong, I mean IT WORKS the first time perfectly.
Is something left in the Linux router?
Is the PIX bad? This is the third image version I have installed on it and the same thing happens.

Also, if I set up telnet I can't use it at all. Neither SSH. With telnet I can connect but nothing appears.

Please help, I'm desperate. It's 1 am here, and I have been at work since 8 am yesterday.

Thank you
Asked by: lyncks

1 Solution

Luciano Patrão, ICT Senior Infrastructure Engineer, commented:
Hi

I think that PIX is not so good. Or a power issue, or firmware.

Does the PIX have warranty? And do you (or your company) have any support from Cisco? If so, I will say that you need to contact them to check that PIX.

If not... not so many things I can do about it.

Try backing up all the data, reset the PIX to default, disconnect from power for about 5 minutes, connect and restore your data.

If that is OK, test again.

Try to check if any new firmware is available.

Hope this can help

Jail

lrmoore commented:
Sorry to hear that, lyncks.
Is the outside interface on the same IP subnet as the Linux box's outside, or on a totally different internet link?

>access-list inside_nat0_outbound extended permit ip interface inside 10.10.20.0 255.255.255.0
Remove that...
 no access-list inside_nat0_outbound extended permit ip interface inside 10.10.20.0 255.255.255.0

Add these commands:
 management-access inside
 isakmp identity address
 isakmp nat-traversal 20
 sysopt noproxyarp inside

lyncks (author) commented:
BestWay: I already did that a few times, tried with different versions of firmware and the same stuff happens.
lrmoore: now it works. I did wr erase, then reconfigured everything with the exact config I posted earlier and it works. If I do a reload or wr mem it doesn't work anymore. Now I just left it like that because my boss really needs it to work this weekend.
I'll try to explain the setup in detail.
On the Linux router:
eth0: main public IP from a different subnet. That is the main internet connection.
eth1: IP from another public class which acts as the gateway for all the other computers which have a public IP, including the PIX.
eth2: private IP from the LAN of our office (10.10.18.0/24).
eth3: private IP from the LAN for the other offices in the building (10.10.10.0/24).
eth1 is NOT on the same subnet as the outside on the Linux router, but it uses the same internet connection.

The PIX has on its outside interface an IP from the same subnet as eth1 on the Linux router.
On the inside it has an IP from the same subnet as eth2 (10.10.18.251).

I'm sorry for all the trouble with this, I have never used a PIX before. I did this several times with Cisco routers with VPN modules and it worked just fine. Now with this PIX everything seems to not want to work.
I will add what you said on Monday morning and see what happens. Maybe with the details I just told you, you can find some flaw in this configuration.

Thank you guys, thanks a lot.

lrmoore commented:
OK, add this too:
  sysopt noproxyarp outside
lyncks (author) commented:
It works now.
Thanks a million.
Can you tell me what was wrong?
Thank you

lrmoore commented:
Proxy ARP does strange things when you have competing gateways on a LAN.
Glad you are working!

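The fix in this thread came down to three config changes: dropping the nat-exempt ACL entry that matched on the inside interface address, disabling proxy ARP on both interfaces, and enabling ISAKMP NAT traversal. The following is an added example (not code from lyncks, lrmoore or Cisco) of a small linter that parses a PIX/ASA-style running config and reports when any of those items is missing; it also goes one step beyond the thread and flags the DES and MD5 algorithms used in the posted crypto settings, which are weak by today's standards. The config text embedded below is a constructed, trimmed copy of the one posted above, with the poster's redacted "..." values left out; the check names and output format are this example's own.

```python
"""Audit a Cisco PIX/ASA-style config for the settings discussed in this thread.
Added example; not code from the thread's participants or from Cisco."""
import re

# Constructed sample, trimmed from the config posted in the question.
SAMPLE_CONFIG = """\
PIX Version 7.1(2)
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.18.251 255.255.255.0
access-list inside_nat0_outbound extended permit ip interface inside 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.18.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
global (outside) 10 interface
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
isakmp policy 10 encryption des
isakmp policy 10 hash md5
"""

# The same sample with the changes lrmoore suggested applied (constructed).
FIXED_SAMPLE = SAMPLE_CONFIG.replace(
    "access-list inside_nat0_outbound extended permit ip interface inside "
    "10.10.20.0 255.255.255.0\n", ""
) + "isakmp identity address\nisakmp nat-traversal 20\n" \
    "sysopt noproxyarp inside\nsysopt noproxyarp outside\n"

# Algorithm keywords this linter treats as weak (DES and MD5 families).
WEAK_TOKENS = {"esp-des", "esp-md5-hmac", "des", "md5"}


def parse_config(text):
    """Split config text into (top-level command, [indented sub-lines]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("!", ":")):
            continue  # skip separators and the ": Saved"/": end" markers
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def interface_names(blocks):
    """Collect the 'nameif' names of all configured interfaces."""
    return [s.split()[1] for cmd, subs in blocks if cmd.startswith("interface ")
            for s in subs if s.startswith("nameif ")]


def nat0_acls(blocks):
    """Names of ACLs bound by 'nat (<if>) 0 access-list <name>' (NAT exemption)."""
    acls = set()
    for cmd, _ in blocks:
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", cmd)
        if m:
            acls.add(m.group(1))
    return acls


def audit(text):
    """Return a list of human-readable findings for the given config text."""
    blocks = parse_config(text)
    cmds = [c for c, _ in blocks]
    findings = []
    # 1. NAT-exempt ACL entries keyed on an interface address instead of a subnet.
    for acl in nat0_acls(blocks):
        for c in cmds:
            if c.startswith(f"access-list {acl} ") and "interface" in c.split():
                findings.append(f"nat0 ACL '{acl}' matches on an interface address: {c}")
    # 2. Proxy ARP left enabled on a named interface.
    for name in interface_names(blocks):
        if f"sysopt noproxyarp {name}" not in cmds:
            findings.append(f"proxy ARP still enabled on '{name}' "
                            f"(no 'sysopt noproxyarp {name}')")
    # 3. NAT traversal for remote-access clients behind NAT.
    if not any(c.startswith("isakmp nat-traversal") for c in cmds):
        findings.append("isakmp nat-traversal not enabled")
    # 4. Weak IKE / IPsec algorithms in transform sets and ISAKMP policies.
    for c in cmds:
        if c.startswith(("crypto ipsec transform-set", "isakmp policy")):
            weak = sorted(set(c.split()) & WEAK_TOKENS)
            if weak:
                findings.append(f"weak algorithm(s) {weak}: {c}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fixes", FIXED_SAMPLE)):
        print(f"== {label} ==")
        for f in audit(cfg):
            print(" -", f)
```

Run against the posted sample it reports the interface-keyed nat0 entry, proxy ARP on both interfaces, the missing NAT traversal and three weak-algorithm lines; after applying the thread's fixes only the algorithm findings remain, which is the part the thread did not address.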
Question has a verified solution.