Random website connection attempts dropped

Posted on 2008-10-17
Medium Priority
Last Modified: 2012-05-05
I occasionally do work on the side for my old boss at my old company.  Long story short, they still have the old PIX 515 that was set up many years ago.  It was last upgraded to version 6.2.  Recently they switched over to a new ISP and had another company come in and configure the PIX with the new address scheme.

Since that time they've found that certain web sites they go to will show up as unable to be displayed.  Some web sites work, some don't.  So far I've remoted in to a server there to compare what they get to what I get at home.  I thought it may be a DNS issue, but the nslookups are the same at both locations for all web sites.

I went in and hooked a laptop on the outside of the PIX and was able to get to the web site just fine.  The problem is going through it.  What I have noticed from the 3 web sites he gave me is they all start with a 216 address, the same as their network.  He hasn't gotten me all the URLs yet.

Following is the config.  It needs to be cleaned up.  The network was a 192 and was switched to a 10.  The conversion never completed before the company was sold off into many divisions.  Anyway, here is the config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password Z5fhsnk.Uhr.xAh3 encrypted
passwd Z5fhsnk.Uhr.xAh3 encrypted
hostname VPIFW1
domain-name vpicorp.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol http 80
no names
pager lines 22
logging on
logging timestamp
logging buffered debugging
logging trap informational
logging host inside
logging host inside
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 216.xxx.xxx.xxx
ip address inside 10.x.x.x
ip address dmz1 172.x.x.x
ip address intf3
ip address intf4
ip address intf5
ip audit info action alarm
ip audit attack action alarm
failover timeout 0:00:00
failover poll 15
failover ip address outside 216.x.x.x
failover ip address inside 10.x.x.x
failover ip address dmz1 172.x.x.x
failover ip address intf3
failover ip address intf4
failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 216.xxx.xxx.xxx netmask
global (dmz1) 1 172.x.x.x
nat (inside) 1 0 0
nat (dmz1) 1 0 0
static (inside,outside) 216.xxx.xxx.xxx 10.x.x.x netmask 0 0
static (inside,outside) 216.xxx.xxx.xxx 10.x.x.x netmask 0 0
conduit permit tcp host 159.x.x.x
conduit permit tcp host 90.x.x.x eq 23202 any
conduit permit tcp host 172.x.x.x eq 450 any
conduit permit udp host 172.x.x.x eq syslog any
conduit permit icmp any any echo-reply
conduit permit icmp any any unreachable
conduit permit icmp any any time-exceeded
conduit permit icmp any any
conduit permit tcp host 216.xxx.xxx.xxx eq www any
conduit permit tcp host 216.xxx.xxx.xxx eq 81 any
conduit permit tcp host 216.xxx.xxx.xxx eq 1723 any
conduit permit tcp host 216.xxx.xxx.xxx eq https host 207.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq https host 129.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq https host 129.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq 500 host 207.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq 500 host 129.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq 4500 host 207.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq 4500 host 129.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq 3389 any
conduit permit tcp host 216.xxx.xxx.xxx eq 47 any
conduit permit gre host 216.xxx.xxx.xxx any
conduit permit tcp host 216.xxx.xxx.xxx eq 47 any
conduit permit tcp host 216.xxx.xxx.xxx eq 3389 any
outbound 10 permit 172.x.x.x 0 ip
outbound 10 permit 80 tcp
outbound 10 permit 25 tcp
outbound 10 permit 110 tcp
outbound 10 permit 23 tcp
outbound 10 permit 21 tcp
outbound 10 permit 53 tcp
outbound 10 deny 80 tcp
apply (inside) 10 outgoing_src
route outside 1
timeout xlate 1:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:00:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set authenc esp-des esp-md5-hmac
isakmp enable outside
isakmp key ******** address netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet xxx.xxx.xxx.xxx outside
telnet 192.x.x.x inside
telnet inside
telnet timeout 50
ssh xxx.xxx.xxx.xxx outside
ssh timeout 15
terminal width 200

Question by:FLPeople

Accepted Solution

DMTechGrooup earned 1000 total points
ID: 22746644
It's showing as a class A network: ip address outside 216.xxx.xxx.xxx, so it thinks that everything that is 216.x.x.x is its own network.  This should probably be class C at best and even subnetted down further; you need to get the proper settings from the ISP.
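The forwarding effect the accepted answer describes, as an added example that is not part of the thread: with a classful /8 mask on the outside interface, every 216.x.x.x destination is treated as on-link (the PIX ARPs for it on the outside wire and never sends it to the default gateway), while a correct /24 mask leaves only the real subnet on-link. The address, gateway, sample destinations and the assumed true /24 are constructed placeholders, since the thread redacts the real values.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed values: the thread redacts the real 216.x.x.x address and mask.
OUTSIDE_ADDR = "216.0.2.10"
DEFAULT_GATEWAY = "216.0.2.1"

# Constructed sample destinations: three "216." web servers plus one elsewhere.
SAMPLE_DESTS = ["216.58.1.1", "216.200.7.7", "216.0.2.50", "8.8.8.8"]


def next_hop(iface: IPv4Interface, dest: str, gateway: str) -> str:
    """Mimic the egress decision for the outside interface: a destination
    inside the interface's own subnet is delivered directly (ARP on the
    wire); anything else is handed to the default gateway."""
    if IPv4Address(dest) in iface.network:
        return "direct (ARP)"
    return f"via {gateway}"


def classify(mask_bits: int, dests: list[str]) -> dict[str, str]:
    """Map each destination to its next hop for a given outside mask length."""
    iface = IPv4Interface(f"{OUTSIDE_ADDR}/{mask_bits}")
    return {d: next_hop(iface, d, DEFAULT_GATEWAY) for d in dests}


def silently_dropped(bad_bits: int, true_bits: int, dests: list[str]) -> list[str]:
    """Destinations the misconfigured mask treats as on-link although they are
    not in the real subnet: the ARP for them gets no reply, so the connection
    attempt is dropped with no route error, matching the symptom in the thread."""
    bad = IPv4Interface(f"{OUTSIDE_ADDR}/{bad_bits}").network
    true = IPv4Interface(f"{OUTSIDE_ADDR}/{true_bits}").network
    hit = [d for d in dests if IPv4Address(d) in bad and IPv4Address(d) not in true]
    return sorted(hit, key=IPv4Address)


if __name__ == "__main__":
    for bits in (8, 24):
        print(f"outside mask /{bits}:")
        for dest, hop in classify(bits, SAMPLE_DESTS).items():
            print(f"  {dest:<14} -> {hop}")
    print("unreachable with /8 instead of /24:", silently_dropped(8, 24, SAMPLE_DESTS))
```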

Expert Comment

ID: 22746661
>ip address outside 216.xxx.xxx.xxx  
This mask is incorrect.
It should be at best

Author Closing Comment

ID: 31507362
It's good to have a pair of eyes that knows what it is looking for.  

Thank you

Author Comment

ID: 22746700
Thank you both.  I hopped on and checked it right after DM's response.  It's been a long time since I've done anything Cisco, and I verified the external address was OK but never looked there; this makes sense since a long time ago the address used to be a 65. address.

I never thought to look there, as there is so much cleanup needed for this config that I overlooked this section.  I took all the naming lines out that are at that point in the config.  I set up names at first and realized I didn't like them.  Never took them out.  I just took them out when I pasted it to remove stuff that wasn't needed.

Again, thank you both for your quick and accurate responses.
