lyncks
Desperate PIX help: it's 1 am here and I'm still at work. When I cold start the PIX I can use the remote network's resources; after that I can't at all.
Hello again (1 am here, I'm going crazy at work).
This PIX is killing me.
The topology of the network is like this:
internet - linux router/gateway (doing NAT) - switch - local area connection
I have the PIX on the local area connection but with a public IP that I routed on the Linux machine.
The outside of the PIX has a public IP.
The inside is in the same network as the other computers on the local area network.
I want to be able to ping the other LAN connected to the Linux router.
The working config is this:
: Saved
: Written by enable_15 at 12:18:24.929 UTC Fri Aug 3 2007
!
PIX Version 7.1(2)
!
hostname pix
domain-name ...
enable password ... encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address ... 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.18.251 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd ... encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name ...
access-list inside_nat0_outbound extended permit ip interface inside 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.18.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn3000_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list vpn3000_splitTunnelAcl standard permit 10.10.18.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool ippool 10.10.20.2-10.10.20.254 mask 255.255.255.0
asdm image flash:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
route inside 10.10.10.0 255.255.255.0 10.10.18.1 1
route outside 0.0.0.0 0.0.0.0 ... 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
wins-server value 10.10.18.10
dns-server value 193.231.236.25 193.231.236.30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn3000_splitTunnelAcl
default-domain value ...
username ... password ... encrypted privilege 0
username ... attributes
vpn-group-policy vpn3000
username ... password ... encrypted privilege 0
username ...attributes
vpn-group-policy vpn3000
http server enable
http 10.10.18.165 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool ippool
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key ...
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:ab10b9c23a4 9c14500e23 ad8708b8aa 0
: end
On the Linux router I have this:
route add -net 10.10.20.0/24 gw 10.10.18.251
Everything is fine until now.
When I cold start the PIX and my laptop I can connect and do my job.
If I disconnect and try to connect again, I can connect but can't access the remote network at all.
In the stats on the Cisco VPN client I have no received packets.
This happens if I do a reload on the PIX, or add some security stuff and do a wr mem.
I wonder what is wrong, I mean IT WORKS perfectly the first time.
Is something left in the Linux router?
Is the PIX bad? This is the third image version I have installed on it and the same thing happens.
Also if I set up telnet I can't use it at all, nor SSH. With telnet I can connect but nothing appears.
Please help, I'm desperate, it's 1 am here, been at work since 8 am yesterday.
Thank you
ASKER CERTIFIED SOLUTION
ASKER
BestWay: I already did that a few times, tried with different versions of firmware, and the same thing happens.
lrmoore: now it works. I did wr erase, then reconfigured everything with the exact config I posted earlier, and it works. If I do a reload or wr mem it doesn't work anymore. For now I just left it like that because my boss really needs it to work this weekend.
I'll try to explain the setup in detail.
On the Linux router:
eth0: main public IP from a different subnet. That is the main internet connection.
eth1: IP from another public class which acts as the gateway for all the other computers which have a public IP, including the PIX.
eth2: private IP from the LAN of our office (10.10.18.0/24)
eth3: private IP from the LAN for the other offices in the building (10.10.10.0/24)
eth1 is NOT on the same subnet as the outside interface of the Linux router, but it uses the same internet connection.
The PIX has on its outside interface an IP from the same subnet as eth1 on the Linux router.
On the inside it has an IP from the same subnet as eth2 (10.10.18.251).
I'm sorry for all the trouble with this; I've never used a PIX before. I did this several times with Cisco routers with VPN modules and it worked just fine. Now with this PIX nothing seems to want to work.
I will add what you said on Monday morning and see what happens. Maybe with the details I just told you you can find some flaw in this configuration.
Thank you guys, thanks a lot
OK, add this too:
sysopt noproxyarp outside
ASKER
It works now.
Thanks a million.
Can you tell me what was wrong?
Thank you
Proxy ARP does strange things when you have competing gateways on a LAN.
Glad you are working!
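The answer above names the failure mode (two devices on one segment answering ARP for the same addresses) but the thread never shows how to see it on the wire. The script below is an added example, not something posted in the thread and not Cisco's or the asker's code. It parses the output of `tcpdump -e -n arp` and reports every IP that more than one MAC claims, plus any MAC that answers for several addresses, which is what a proxy-ARP-happy gateway looks like from the LAN. The packet lines and MAC addresses are constructed for illustration; the thread does not say which addresses the PIX actually answered for on the outside segment, so the sample only shows the pattern.

```python
#!/usr/bin/env python3
"""Spot competing ARP responders from `tcpdump -e -n arp` output.

Added example; assumes tcpdump's default `-e` line format for ARP, e.g.
  <ts> <src-mac> > <dst-mac>, ethertype ARP (0x0806), length N: Reply <ip> is-at <mac>, length M
"""
import re
from collections import defaultdict

# Constructed sample capture (not from the original thread). Assumed roles:
#   00:0c:29:aa:bb:cc  = the Linux router's LAN interface
#   00:1b:d5:11:22:33  = a second gateway that also answers for addresses it does not own
#   00:1c:c4:55:66:77  = the workstation sending the requests
SAMPLE_CAPTURE = """\
12:00:01.000001 00:1c:c4:55:66:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.10.18.1 tell 10.10.18.165, length 28
12:00:01.000200 00:0c:29:aa:bb:cc > 00:1c:c4:55:66:77, ethertype ARP (0x0806), length 60: Reply 10.10.18.1 is-at 00:0c:29:aa:bb:cc, length 46
12:00:01.000300 00:1b:d5:11:22:33 > 00:1c:c4:55:66:77, ethertype ARP (0x0806), length 60: Reply 10.10.18.1 is-at 00:1b:d5:11:22:33, length 46
12:00:02.000001 00:1c:c4:55:66:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.10.18.10 tell 10.10.18.165, length 28
12:00:02.000150 00:50:56:01:02:03 > 00:1c:c4:55:66:77, ethertype ARP (0x0806), length 60: Reply 10.10.18.10 is-at 00:50:56:01:02:03, length 46
12:00:03.000001 00:1c:c4:55:66:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.10.18.200 tell 10.10.18.165, length 28
12:00:03.000220 00:1b:d5:11:22:33 > 00:1c:c4:55:66:77, ethertype ARP (0x0806), length 60: Reply 10.10.18.200 is-at 00:1b:d5:11:22:33, length 46
"""

# Only ARP replies matter: a reply is a claim "this IP is at this MAC".
REPLY_RE = re.compile(
    r"Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(capture):
    """Yield (ip, mac) for every ARP reply line; MACs are normalised to lowercase."""
    for line in capture.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def competing_responders(capture):
    """Return {ip: [mac, ...]} for every IP that more than one MAC answered for.

    Two answers for the same IP means two devices believe they own (or proxy)
    that address; which one a host ends up using depends on timing, which is
    why such a network "works after a cold start" and then stops.
    """
    claims = defaultdict(set)
    for ip, mac in parse_arp_replies(capture):
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def proxy_arp_suspects(capture, min_ips=2):
    """Return {mac: [ip, ...]} for MACs that answer for at least min_ips addresses.

    A single MAC claiming many addresses on one segment is the signature of a
    gateway doing proxy ARP for a range it routes to or translates.
    """
    owned = defaultdict(set)
    for ip, mac in parse_arp_replies(capture):
        owned[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owned.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for ip, macs in competing_responders(SAMPLE_CAPTURE).items():
        print(f"CONFLICT {ip} answered by {', '.join(macs)}")
    for mac, ips in proxy_arp_suspects(SAMPLE_CAPTURE).items():
        print(f"PROXY-ARP? {mac} answers for {', '.join(ips)}")
```

To use it on a live segment, capture on the interface that shares the LAN with both gateways (for example `tcpdump -e -n -i eth2 arp > arp.txt` on the Linux router, then feed `arp.txt` to `competing_responders`). A conflict on the gateway address, or one MAC answering for a whole range it does not own, is the condition that `sysopt noproxyarp outside` removes on the PIX side.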
I think that PIX is not so good. Either a power issue, or firmware.
Does the PIX have a warranty? And do you (or your company) have any support from Cisco? If so, I would say that you need to contact them to check that PIX.
If not... there are not so many things I can do about it.
Try to back up all the data, reset the PIX to default, disconnect it from power for about 5m, connect it again and restore your data.
If that is OK, test again.
Try to check if any new firmware is available.
Hope this can help
Jail