Solved

Random website connection attempts dropped

Posted on 2008-10-17
4
319 Views
Last Modified: 2012-05-05
I occasionally do work on the side for my old boss at my old company.  Long story short, they still have the old Pix 515 that was setup many years ago.  It was last upgraded to version 6.2.  Recently they switched over to a new ISP and had another company come in and configure the Pix with the new address scheme.  

Since that time they've found that certain web sites they go to will show up as unable to be displayed.  Some web sites work, some don't.  So far I've remoted in to a server there to compare what they get to what I get at home.  I thought it may be a DNS issue but the nslookups are the same at both locations for all web sites.  

I went in and hooked a laptop on the outside of the Pix and was able to get to the web site just fine.  The problem is going through it.  What I have noticed from the 3 web sites he gave me is they all started with a 216 address, the same as their network.  He hasn't gotten me all the url's yet.  

Following is the config.  It needs to be cleaned up.  The network was a 192 and was switched to a 10.  The conversion never completed before the company was sold off into many divisions.  Anyway, here is the config

PIX Version 6.2(2)                  
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
nameif ethernet2 dmz1 security50                                
nameif ethernet3 intf3 security15                                
nameif ethernet4 intf4 security20                                
nameif ethernet5 intf5 security25                                
enable password Z5fhsnk.Uhr.xAh3 encrypted                                          
passwd Z5fhsnk.Uhr.xAh3 encrypted                                
hostname VPIFW1              
domain-name vpicorp.com                      
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol ils 389                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol sip 5060                      
fixup protocol skinny 2000                          
no fixup protocol http 80                        
no names                              
pager lines 22              
logging on          
logging timestamp                
logging buffered debugging                          
logging trap informational                          
logging host inside 192.168.32.20                                
logging host inside 192.168.32.8                                
interface ethernet0 auto                        
interface ethernet1 auto                        
interface ethernet2 auto                        
interface ethernet3 auto shutdown                                
interface ethernet4 auto shutdown                                
interface ethernet5 auto shutdown                                
mtu outside 1500                
mtu inside 1500              
mtu dmz1 1500            
mtu intf3 1500              
mtu intf4 1500              
mtu intf5 1500              
ip address outside 216.xxx.xxx.xxx 255.0.0.0                                          
ip address inside 10.x.x.x   255.255.0.0                                      
ip address dmz1 172.x.x.x   255.255.0.0                                      
ip address intf3 127.0.0.1 255.255.255.255                                          
ip address intf4 127.0.0.1 255.255.255.255                                          
ip address intf5 127.0.0.1 255.255.255.255                                          
ip audit info action alarm                          
ip audit attack action alarm                            
failover        
failover timeout 0:00:00                        
failover poll 15                
failover ip address outside 216.x.x.x                                      
failover ip address inside 10.x.x.x                                  
failover ip address dmz1 172.x.x.x                                
failover ip address intf3 0.0.0.0                                
failover ip address intf4 0.0.0.0                                
failover ip address intf5 0.0.0.0                                
pdm history enable                  
arp timeout 14400                
global (outside) 1 216.xxx.xxx.xxx netmask 255.255.255.224                                                        
global (dmz1) 1 172.x.x.x                          
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0                                
                                                                         
static (inside,outside) 216.xxx.xxx.xxx 10.x.x.x   netmask 255.255.255.255 0 0                                                                            
static (inside,outside) 216.xxx.xxx.xxx 10.x.x.x   netmask 255.255.255.255 0 0                                                                            
conduit permit tcp host 159.x.x.x                                    
conduit permit tcp host 90.x.x.x eq 23202 any                                              
conduit permit tcp host 172.x.x.x eq 450 any                                              
conduit permit udp host 172.x.x.x eq syslog any                                                  
conduit permit icmp any any echo-reply                                      
conduit permit icmp any any unreachable                                      
conduit permit icmp any any time-exceeded                                        
conduit permit icmp any any                          
conduit permit tcp host 216.xxx.xxx.xxx eq www any                                                
conduit permit tcp host 216.xxx.xxx.xxx eq 81 any                                                
conduit permit tcp host 216.xxx.xxx.xxx eq 1723 any                                                  
conduit permit tcp host 216.xxx.xxx.xxx eq https host 207.x.x.x                                                              
conduit permit tcp host 216.xxx.xxx.xxx eq https host 129.x.x.x                                                        
conduit permit tcp host 216.xxx.xxx.xxx eq https host 129.x.x.x                                                              
conduit permit tcp host 216.xxx.xxx.xxx eq 500 host 207.x.x.x                                                            
conduit permit tcp host 216.xxx.xxx.xxx eq 500 host 129.x.x.x                                                          
conduit permit tcp host 216.xxx.xxx.xxx eq 4500 host 207.x.x.x                                                            
conduit permit tcp host 216.xxx.xxx.xxx eq 4500 host 129.x.x.x                                                              
conduit permit tcp host 216.xxx.xxx.xxx eq 3389 any                                                  
conduit permit tcp host 216.xxx.xxx.xxx eq 47 any                                                
conduit permit gre host 216.xxx.xxx.xxx any                                          
conduit permit tcp host 216.xxx.xxx.xxx eq 47 any                                                
conduit permit tcp host 216.xxx.xxx.xxx eq 3389 any                                                  
outbound  10 permit 172.x.x.x   255.255.0.0 0 ip                                              
outbound  10 permit 0.0.0.0 0.0.0.0 80 tcp                                          
outbound  10 permit 0.0.0.0 0.0.0.0 25 tcp                                          
outbound  10 permit 0.0.0.0 0.0.0.0 110 tcp                                          
outbound  10 permit 0.0.0.0 0.0.0.0 23 tcp                                          
outbound  10 permit 0.0.0.0 0.0.0.0 21 tcp                                          
outbound  10 permit 0.0.0.0 0.0.0.0 53 tcp                                          
outbound  10 deny 10.40.101.1 255.255.255.255 80 tcp                                                    
apply (inside) 10 outgoing_src                              
route outside 0.0.0.0 0.0.0.0 216.153.249.65 1                                              
timeout xlate 1:30:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:00:00 rpc 0:10:00 h323 0:05:00 si                                                                                
p 0:30:00 sip_media 0:02:00                          
timeout uauth 0:00:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
http server enable                  
http 204.11.209.50 255.255.255.255 outside                                      
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set authenc esp-des esp-md5-hmac
isakmp enable outside
isakmp key ******** address 12.155.200.196 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet xxx.xxx.xxx.xxx 255.255.255.255 outside
telnet 192.x.x.x   255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 50
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 15
terminal width 200
Cryptochecksum:4ba36453a541479325e527d10813fa2f

Thanks
0
Comment
Question by:FLPeople
  • 2
4 Comments
 
LVL 24

Accepted Solution

by:
DMTechGrooup earned 250 total points
ID: 22746644
It's showing as a class A network.. ip address outside 216.xxx.xxx.xxx 255.0.0.0  so it thinks that everything that is 216.x.x.x is its own network.  This should probably be class C at best and even subnetted down further.. you need to get the proper settings from the ISP.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22746661
>ip address outside 216.xxx.xxx.xxx 255.0.0.0  
This mask is incorrect.
It should be at best 255.255.255.0
0
 
LVL 2

Author Closing Comment

by:FLPeople
ID: 31507362
It's good to have a pair of eyes that knows what it is looking for.  

Thank you
0
 
LVL 2

Author Comment

by:FLPeople
ID: 22746700
Thank you both.  I hopped on and checked it right after DM's response.  It's been a long time since I've done anything Cisco and I verified the external address was OK but never looked there, this makes sense since a lone time ago the address used to be a 65. address.

 I never thought to look there as there is so much cleanup needed for this config I overlooked this section.  I took all the naming lines out that are at that point in the config.  I set up names at first and realized I didn't like them.  Never took them out.  I just took it out when I pasted it to remove stuff that wasn't needed.  

Again, thank you both for your quick and accurate responses.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now