Random website connection attempts dropped

Posted on 2008-10-17
Last Modified: 2012-05-05
I occasionally do work on the side for my old boss at my old company.  Long story short, they still have the old Pix 515 that was setup many years ago.  It was last upgraded to version 6.2.  Recently they switched over to a new ISP and had another company come in and configure the Pix with the new address scheme.  

Since that time they've found that certain web sites they go to will show up as unable to be displayed.  Some web sites work, some don't.  So far I've remoted in to a server there to compare what they get to what I get at home.  I thought it may be a DNS issue but the nslookups are the same at both locations for all web sites.  

I went in and hooked a laptop on the outside of the Pix and was able to get to the web site just fine.  The problem is going through it.  What I have noticed from the 3 web sites he gave me is they all started with a 216 address, the same as their network.  He hasn't gotten me all the url's yet.  

Following is the config.  It needs to be cleaned up.  The network was a 192 and was switched to a 10.  The conversion never completed before the company was sold off into many divisions.  Anyway, here is the config

PIX Version 6.2(2)                  
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
nameif ethernet2 dmz1 security50                                
nameif ethernet3 intf3 security15                                
nameif ethernet4 intf4 security20                                
nameif ethernet5 intf5 security25                                
enable password Z5fhsnk.Uhr.xAh3 encrypted                                          
passwd Z5fhsnk.Uhr.xAh3 encrypted                                
hostname VPIFW1              
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol ils 389                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol sip 5060                      
fixup protocol skinny 2000                          
no fixup protocol http 80                        
no names                              
pager lines 22              
logging on          
logging timestamp                
logging buffered debugging                          
logging trap informational                          
logging host inside                                
logging host inside                                
interface ethernet0 auto                        
interface ethernet1 auto                        
interface ethernet2 auto                        
interface ethernet3 auto shutdown                                
interface ethernet4 auto shutdown                                
interface ethernet5 auto shutdown                                
mtu outside 1500                
mtu inside 1500              
mtu dmz1 1500            
mtu intf3 1500              
mtu intf4 1500              
mtu intf5 1500              
ip address outside                                          
ip address inside 10.x.x.x                                      
ip address dmz1 172.x.x.x                                      
ip address intf3                                          
ip address intf4                                          
ip address intf5                                          
ip audit info action alarm                          
ip audit attack action alarm                            
failover timeout 0:00:00                        
failover poll 15                
failover ip address outside 216.x.x.x                                      
failover ip address inside 10.x.x.x                                  
failover ip address dmz1 172.x.x.x                                
failover ip address intf3                                
failover ip address intf4                                
failover ip address intf5                                
pdm history enable                  
arp timeout 14400                
global (outside) 1 netmask                                                        
global (dmz1) 1 172.x.x.x                          
nat (inside) 1 0 0                                  
nat (dmz1) 1 0 0                                
static (inside,outside) 10.x.x.x   netmask 0 0                                                                            
static (inside,outside) 10.x.x.x   netmask 0 0                                                                            
conduit permit tcp host 159.x.x.x                                    
conduit permit tcp host 90.x.x.x eq 23202 any                                              
conduit permit tcp host 172.x.x.x eq 450 any                                              
conduit permit udp host 172.x.x.x eq syslog any                                                  
conduit permit icmp any any echo-reply                                      
conduit permit icmp any any unreachable                                      
conduit permit icmp any any time-exceeded                                        
conduit permit icmp any any                          
conduit permit tcp host eq www any                                                
conduit permit tcp host eq 81 any                                                
conduit permit tcp host eq 1723 any                                                  
conduit permit tcp host eq https host 207.x.x.x                                                              
conduit permit tcp host eq https host 129.x.x.x                                                        
conduit permit tcp host eq https host 129.x.x.x                                                              
conduit permit tcp host eq 500 host 207.x.x.x                                                            
conduit permit tcp host eq 500 host 129.x.x.x                                                          
conduit permit tcp host eq 4500 host 207.x.x.x                                                            
conduit permit tcp host eq 4500 host 129.x.x.x                                                              
conduit permit tcp host eq 3389 any                                                  
conduit permit tcp host eq 47 any                                                
conduit permit gre host any                                          
conduit permit tcp host eq 47 any                                                
conduit permit tcp host eq 3389 any                                                  
outbound  10 permit 172.x.x.x 0 ip                                              
outbound  10 permit 80 tcp                                          
outbound  10 permit 25 tcp                                          
outbound  10 permit 110 tcp                                          
outbound  10 permit 23 tcp                                          
outbound  10 permit 21 tcp                                          
outbound  10 permit 53 tcp                                          
outbound  10 deny 80 tcp                                                    
apply (inside) 10 outgoing_src                              
route outside 1                                              
timeout xlate 1:30:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:00:00 rpc 0:10:00 h323 0:05:00 si                                                                                
p 0:30:00 sip_media 0:02:00                          
timeout uauth 0:00:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
http server enable                  
http outside                                      
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set authenc esp-des esp-md5-hmac
isakmp enable outside
isakmp key ******** address netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet outside
telnet 192.x.x.x inside
telnet inside
telnet timeout 50
ssh outside
ssh timeout 15
terminal width 200

Question by:FLPeople
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 24

Accepted Solution

DMTechGrooup earned 250 total points
ID: 22746644
It's showing as a class A network.. ip address outside  so it thinks that everything that is 216.x.x.x is its own network.  This should probably be class C at best and even subnetted down further.. you need to get the proper settings from the ISP.
LVL 79

Expert Comment

ID: 22746661
>ip address outside  
This mask is incorrect.
It should be at best

Author Closing Comment

ID: 31507362
It's good to have a pair of eyes that knows what it is looking for.  

Thank you

Author Comment

ID: 22746700
Thank you both.  I hopped on and checked it right after DM's response.  It's been a long time since I've done anything Cisco and I verified the external address was OK but never looked there, this makes sense since a lone time ago the address used to be a 65. address.

 I never thought to look there as there is so much cleanup needed for this config I overlooked this section.  I took all the naming lines out that are at that point in the config.  I set up names at first and realized I didn't like them.  Never took them out.  I just took it out when I pasted it to remove stuff that wasn't needed.  

Again, thank you both for your quick and accurate responses.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco USB console Windows 8.1 unable to open serial port 4 140
PIM sparse mode question 1 28
Cisco SRST questions 5 57
Install Cisco Unified Comunication Manager Subscriber 6 52
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question