Solved

Desperate PIX help: 1 am here and still at work. When I cold start the PIX I can use the remote network's resources; afterwards I can't at all.

Posted on 2007-08-03
Last Modified: 2010-04-09
Hello again (1 am here, I'm going crazy at work).
This PIX is killing me.
The topology of the network is like this:

internet - linux router/gateway (doing NAT) - switch - local area connection
I have the PIX in the local area connection, but with a public IP that I routed in the Linux machine.
The outside of the PIX has a public IP.
The inside is in the same network as the other computers from the local area network.
I want to be able to ping the other LAN connected to the Linux router.
The working config is this:

: Saved
: Written by enable_15 at 12:18:24.929 UTC Fri Aug 3 2007
!
PIX Version 7.1(2)
!
hostname pix
domain-name ...
enable password ... encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address ... 255.255.255.192
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.18.251 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd ... encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ...
access-list inside_nat0_outbound extended permit ip interface inside 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.18.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn3000_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list vpn3000_splitTunnelAcl standard permit 10.10.18.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool ippool 10.10.20.2-10.10.20.254 mask 255.255.255.0
asdm image flash:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
route inside 10.10.10.0 255.255.255.0 10.10.18.1 1
route outside 0.0.0.0 0.0.0.0 ... 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value 10.10.18.10
 dns-server value 193.231.236.25 193.231.236.30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value ...
username ... password ... encrypted privilege 0
username ... attributes
 vpn-group-policy vpn3000
username ... password ... encrypted privilege 0
username ... attributes
 vpn-group-policy vpn3000
http server enable
http 10.10.18.165 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool ippool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key ...
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:ab10b9c23a49c14500e23ad8708b8aa0
: end

On the Linux router I have this:
route add -net 10.10.20.0/24 gw 10.10.18.251

Everything is fine until now.
When I cold start the PIX and my laptop I can connect and do my job.
If I disconnect and try to connect again, I can connect but can't access the remote network at all.
In the stats on the Cisco VPN client I have no received packets.
This happens if I do a reload on the PIX, or add some security stuff and do a wr mem.
I wonder what is wrong; I mean IT WORKS perfectly the first time.
Is something left in the Linux router?
Is the PIX bad? This is the third image version I have installed on it and the same thing happens.

Also, if I set up telnet I can't use it at all, nor SSH. With telnet I can connect but nothing appears.

Please help, I'm desperate; it's 1 am here, been at work since 8 am yesterday.

Thank you
0
Question by:lyncks
6 Comments
 
LVL 24

Expert Comment

by:Luciano Patrão
ID: 19629048
Hi

I think that PIX is not so good. Or a power issue, or firmware.

Does the PIX have a warranty? And do you (or your company) have any support from Cisco? If so, I will say that you need to contact them to check that PIX.

If not... not so many things I can do about it.

Try to back up all the data, reset the PIX to default, disconnect from power for about 5m, connect and restore your data.

If that is OK, test again.

Try to check if any new firmware is available.

Hope this can help

Jail
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 19629074
Sorry to hear that, lyncks.
Is the outside interface on the same IP subnet as the Linux box outside, or on a totally different internet link?

>access-list inside_nat0_outbound extended permit ip interface inside 10.10.20.0 255.255.255.0
Remove that...
 no access-list inside_nat0_outbound extended permit ip interface inside 10.10.20.0 255.255.255.0

Add these commands:
 management-access inside
 isakmp identity address
 isakmp nat-traversal 20
 sysopt noproxyarp inside

0
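A small config audit, added here as an example that is not from the thread or from Cisco: it encodes the accepted changes above as checks over a PIX 7.x running-config excerpt (constructed from the question's config, addresses kept as posted). It also flags the DES/MD5 transform set, a point the thread does not raise.

```python
import re

# Constructed excerpt of the PIX 7.1 config from the question, before the fix;
# not a real device, addresses as posted.
PIX_CONFIG = """\
access-list inside_nat0_outbound extended permit ip interface inside 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.18.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
"""

# Commands the accepted answer adds; nat-traversal's argument is left off so a
# prefix match suffices.
REQUIRED = (
    "management-access inside",
    "isakmp identity address",
    "isakmp nat-traversal",
    "sysopt noproxyarp inside",
    "sysopt noproxyarp outside",
)

def audit_pix_config(text):
    """Return findings, in config order, for the checks the accepted fix covers."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.startswith(("!", ":"))]
    findings = []
    # 1. ACLs bound to 'nat (<if>) 0 access-list ...' (NAT exemption for the VPN).
    nat0_acls = set()
    for ln in lines:
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", ln)
        if m:
            nat0_acls.add(m.group(2))
    # 2. 'interface <nameif>' as source in those ACLs exempts the interface's own
    #    address, not the LAN behind it: the entry lrmoore had removed.
    for ln in lines:
        m = re.match(r"access-list (\S+) extended permit ip interface (\S+) ", ln)
        if m and m.group(1) in nat0_acls:
            findings.append(f"nat 0 ACL {m.group(1)} exempts interface {m.group(2)} itself: {ln}")
    # 3. Each command from the accepted answer that is absent.
    for cmd in REQUIRED:
        if not any(ln.startswith(cmd) for ln in lines):
            findings.append(f"missing: {cmd}")
    # 4. DES / MD5 transform sets (deprecated); a check the thread does not raise.
    for ln in lines:
        if ln.startswith("crypto ipsec transform-set") and re.search(r"esp-des\b|esp-md5-hmac", ln):
            findings.append(f"weak transform set: {ln}")
    return findings
```

Run it against `show running-config` output; once the accepted commands are in place only the transform-set finding should remain.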
 
LVL 1

Author Comment

by:lyncks
ID: 19630493
BestWay: I already did that a few times, tried with different versions of firmware, and the same stuff happens.
lrmoore: now it works. I did a wr erase, then reconfigured everything with the exact config I posted earlier, and it works. If I do a reload or wr mem it doesn't work anymore. Now I just left it like that because my boss really needs it to work this weekend.
I'll try to explain the setup in detail.
On the Linux router:
eth0: main public IP from a different subnet. That is the main internet connection.
eth1: IP from another public class which acts as the gateway for all the other computers which have a public IP, including the PIX.
eth2: private IP from the LAN for our office (10.10.18.0/24).
eth3: private IP from the LAN for the other offices in the building (10.10.10.0/24).
eth1 is NOT on the same subnet as the outside on the Linux router, but it uses the same internet connection.

The PIX has on the outside interface an IP from the same subnet as eth1 on the Linux router.
On the inside it has an IP from the same subnet as eth2 (10.10.18.251).

I'm sorry for all the trouble with this; I never used a PIX before. I did this several times with Cisco routers with VPN modules and it worked just fine. Now with this PIX everything seems to not want to work.
I will add what you said on Monday morning and see what happens. Maybe with the details I just told you, you can find some flaw in this configuration.

Thank you guys, thanks a lot
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19630607
OK, add this too:
  sysopt noproxyarp outside
0
 
LVL 1

Author Comment

by:lyncks
ID: 19643970
It works now.
Thanks a million.
Can you tell me what was wrong?
Thank you
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19644864
Proxy ARP does strange things when you have competing gateways on a LAN.
Glad you are working!
0
