FLPeople
Random website connection attempts dropped
I occasionally do work on the side for my old boss at my old company. Long story short, they still have the old PIX 515 that was set up many years ago. It was last upgraded to version 6.2. Recently they switched over to a new ISP and had another company come in and configure the PIX with the new address scheme.
Since that time they've found that certain web sites they go to will show up as unable to be displayed. Some web sites work, some don't. So far I've remoted into a server there to compare what they get to what I get at home. I thought it may be a DNS issue, but the nslookups are the same at both locations for all web sites.
I went in and hooked a laptop on the outside of the PIX and was able to get to the web site just fine. The problem is going through it. What I have noticed from the 3 web sites he gave me is they all start with a 216 address, the same as their network. He hasn't gotten me all the URLs yet.
Following is the config. It needs to be cleaned up. The network was a 192 and was switched to a 10. The conversion never completed before the company was sold off into many divisions. Anyway, here is the config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password Z5fhsnk.Uhr.xAh3 encrypted
passwd Z5fhsnk.Uhr.xAh3 encrypted
hostname VPIFW1
domain-name vpicorp.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol http 80
no names
pager lines 22
logging on
logging timestamp
logging buffered debugging
logging trap informational
logging host inside 192.168.32.20
logging host inside 192.168.32.8
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 216.xxx.xxx.xxx 255.0.0.0
ip address inside 10.x.x.x 255.255.0.0
ip address dmz1 172.x.x.x 255.255.0.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 216.x.x.x
failover ip address inside 10.x.x.x
failover ip address dmz1 172.x.x.x
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 216.xxx.xxx.xxx netmask 255.255.255.224
global (dmz1) 1 172.x.x.x
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.xxx.xxx.xxx 10.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) 216.xxx.xxx.xxx 10.x.x.x netmask 255.255.255.255 0 0
conduit permit tcp host 159.x.x.x
conduit permit tcp host 90.x.x.x eq 23202 any
conduit permit tcp host 172.x.x.x eq 450 any
conduit permit udp host 172.x.x.x eq syslog any
conduit permit icmp any any echo-reply
conduit permit icmp any any unreachable
conduit permit icmp any any time-exceeded
conduit permit icmp any any
conduit permit tcp host 216.xxx.xxx.xxx eq www any
conduit permit tcp host 216.xxx.xxx.xxx eq 81 any
conduit permit tcp host 216.xxx.xxx.xxx eq 1723 any
conduit permit tcp host 216.xxx.xxx.xxx eq https host 207.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq https host 129.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq https host 129.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq 500 host 207.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq 500 host 129.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq 4500 host 207.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq 4500 host 129.x.x.x
conduit permit tcp host 216.xxx.xxx.xxx eq 3389 any
conduit permit tcp host 216.xxx.xxx.xxx eq 47 any
conduit permit gre host 216.xxx.xxx.xxx any
conduit permit tcp host 216.xxx.xxx.xxx eq 47 any
conduit permit tcp host 216.xxx.xxx.xxx eq 3389 any
outbound 10 permit 172.x.x.x 255.255.0.0 0 ip
outbound 10 permit 0.0.0.0 0.0.0.0 80 tcp
outbound 10 permit 0.0.0.0 0.0.0.0 25 tcp
outbound 10 permit 0.0.0.0 0.0.0.0 110 tcp
outbound 10 permit 0.0.0.0 0.0.0.0 23 tcp
outbound 10 permit 0.0.0.0 0.0.0.0 21 tcp
outbound 10 permit 0.0.0.0 0.0.0.0 53 tcp
outbound 10 deny 10.40.101.1 255.255.255.255 80 tcp
apply (inside) 10 outgoing_src
route outside 0.0.0.0 0.0.0.0 216.153.249.65 1
timeout xlate 1:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:00:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 204.11.209.50 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set authenc esp-des esp-md5-hmac
isakmp enable outside
isakmp key ******** address 12.155.200.196 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet xxx.xxx.xxx.xxx 255.255.255.255 outside
telnet 192.x.x.x 255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 50
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 15
terminal width 200
Cryptochecksum:4ba36453a54 1479325e52 7d10813fa2 f
Thanks
ASKER
It's good to have a pair of eyes that knows what it is looking for.
Thank you
Thank you
ASKER
Thank you both. I hopped on and checked it right after DM's response. It's been a long time since I've done anything Cisco, and I verified the external address was OK but never looked there; this makes sense, since a long time ago the address used to be a 65. address.
I never thought to look there, as there is so much cleanup needed for this config that I overlooked this section. I took out all the naming lines that are at that point in the config. I set up names at first and realized I didn't like them; I never took them out. I just took them out when I pasted it, to remove stuff that wasn't needed.
Again, thank you both for your quick and accurate responses.
This mask is incorrect.
It should be at best 255.255.255.0
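The mask remark above explains the symptom in the question: with 255.0.0.0 on the outside interface the PIX treats every 216.x.x.x destination as directly connected, ARPs for it on the outside wire instead of forwarding to the default gateway, gets no reply and drops the connection, which is exactly why only 216-addressed web sites fail. The following Python model of that next-hop decision is an added illustration, not code from the thread; it assumes a placeholder outside address 216.153.249.70 (the real one is masked in the post) in the same /27 block as the posted gateway 216.153.249.65, and hypothetical inside and dmz1 addresses.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed placeholders: the post masks the real outside address,
# so a hypothetical host in the gateway's /27 block is used here.
OUTSIDE_ADDR = "216.153.249.70"
DEFAULT_GW = "216.153.249.65"          # from the posted 'route outside' line
REAL_ONLINK = ip_network("216.153.249.64/27")  # assumed true on-link block

def next_hop(dst, interfaces, default_gw):
    """Mimic a router's lookup: longest-prefix match over connected
    interface networks first, then the default route.
    Returns ('connected', ifname) when the box would ARP for dst itself,
    or ('gateway', default_gw) when it forwards to the default gateway."""
    dst = ip_address(dst)
    best = None
    for name, addr in interfaces.items():
        net = ip_interface(addr).network
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return ("connected", best[0]) if best else ("gateway", default_gw)

def classify(dst, outside_mask):
    """Apply next_hop with the posted interface layout and a given outside mask."""
    interfaces = {
        "outside": f"{OUTSIDE_ADDR}/{outside_mask}",
        "inside": "10.40.0.1/255.255.0.0",    # hypothetical inside address
        "dmz1": "172.16.0.1/255.255.0.0",     # hypothetical dmz1 address
    }
    return next_hop(dst, interfaces, DEFAULT_GW)

def would_be_dropped(dst, outside_mask):
    """True when the PIX would ARP for dst on the outside wire although dst
    is not really on that segment: no ARP reply, so the packet is dropped."""
    kind, where = classify(dst, outside_mask)
    return kind == "connected" and where == "outside" \
        and ip_address(dst) not in REAL_ONLINK

if __name__ == "__main__":
    # A constructed 216.x web server, as in the asker's failing sites
    site = "216.58.194.174"
    for mask in ("255.0.0.0", "255.255.255.224"):
        print(mask, classify(site, mask), "dropped:", would_be_dropped(site, mask))
```

The same check run over the asker's three failing URLs (after nslookup) would flag all of them under the /8 mask and none under the corrected mask.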