Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Random website connection attempts dropped

Posted on 2008-10-17
Medium Priority
Last Modified: 2012-05-05
I occasionally do work on the side for my old boss at my old company.  Long story short, they still have the old Pix 515 that was setup many years ago.  It was last upgraded to version 6.2.  Recently they switched over to a new ISP and had another company come in and configure the Pix with the new address scheme.  

Since that time they've found that certain web sites they go to will show up as unable to be displayed.  Some web sites work, some don't.  So far I've remoted in to a server there to compare what they get to what I get at home.  I thought it may be a DNS issue but the nslookups are the same at both locations for all web sites.  

I went in and hooked a laptop on the outside of the Pix and was able to get to the web site just fine.  The problem is going through it.  What I have noticed from the 3 web sites he gave me is they all started with a 216 address, the same as their network.  He hasn't gotten me all the url's yet.  

Following is the config.  It needs to be cleaned up.  The network was a 192 and was switched to a 10.  The conversion never completed before the company was sold off into many divisions.  Anyway, here is the config

PIX Version 6.2(2)                  
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
nameif ethernet2 dmz1 security50                                
nameif ethernet3 intf3 security15                                
nameif ethernet4 intf4 security20                                
nameif ethernet5 intf5 security25                                
enable password Z5fhsnk.Uhr.xAh3 encrypted                                          
passwd Z5fhsnk.Uhr.xAh3 encrypted                                
hostname VPIFW1              
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol ils 389                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol sip 5060                      
fixup protocol skinny 2000                          
no fixup protocol http 80                        
no names                              
pager lines 22              
logging on          
logging timestamp                
logging buffered debugging                          
logging trap informational                          
logging host inside                                
logging host inside                                
interface ethernet0 auto                        
interface ethernet1 auto                        
interface ethernet2 auto                        
interface ethernet3 auto shutdown                                
interface ethernet4 auto shutdown                                
interface ethernet5 auto shutdown                                
mtu outside 1500                
mtu inside 1500              
mtu dmz1 1500            
mtu intf3 1500              
mtu intf4 1500              
mtu intf5 1500              
ip address outside                                          
ip address inside 10.x.x.x                                      
ip address dmz1 172.x.x.x                                      
ip address intf3                                          
ip address intf4                                          
ip address intf5                                          
ip audit info action alarm                          
ip audit attack action alarm                            
failover timeout 0:00:00                        
failover poll 15                
failover ip address outside 216.x.x.x                                      
failover ip address inside 10.x.x.x                                  
failover ip address dmz1 172.x.x.x                                
failover ip address intf3                                
failover ip address intf4                                
failover ip address intf5                                
pdm history enable                  
arp timeout 14400                
global (outside) 1 netmask                                                        
global (dmz1) 1 172.x.x.x                          
nat (inside) 1 0 0                                  
nat (dmz1) 1 0 0                                
static (inside,outside) 10.x.x.x   netmask 0 0                                                                            
static (inside,outside) 10.x.x.x   netmask 0 0                                                                            
conduit permit tcp host 159.x.x.x                                    
conduit permit tcp host 90.x.x.x eq 23202 any                                              
conduit permit tcp host 172.x.x.x eq 450 any                                              
conduit permit udp host 172.x.x.x eq syslog any                                                  
conduit permit icmp any any echo-reply                                      
conduit permit icmp any any unreachable                                      
conduit permit icmp any any time-exceeded                                        
conduit permit icmp any any                          
conduit permit tcp host eq www any                                                
conduit permit tcp host eq 81 any                                                
conduit permit tcp host eq 1723 any                                                  
conduit permit tcp host eq https host 207.x.x.x                                                              
conduit permit tcp host eq https host 129.x.x.x                                                        
conduit permit tcp host eq https host 129.x.x.x                                                              
conduit permit tcp host eq 500 host 207.x.x.x                                                            
conduit permit tcp host eq 500 host 129.x.x.x                                                          
conduit permit tcp host eq 4500 host 207.x.x.x                                                            
conduit permit tcp host eq 4500 host 129.x.x.x                                                              
conduit permit tcp host eq 3389 any                                                  
conduit permit tcp host eq 47 any                                                
conduit permit gre host any                                          
conduit permit tcp host eq 47 any                                                
conduit permit tcp host eq 3389 any                                                  
outbound  10 permit 172.x.x.x 0 ip                                              
outbound  10 permit 80 tcp                                          
outbound  10 permit 25 tcp                                          
outbound  10 permit 110 tcp                                          
outbound  10 permit 23 tcp                                          
outbound  10 permit 21 tcp                                          
outbound  10 permit 53 tcp                                          
outbound  10 deny 80 tcp                                                    
apply (inside) 10 outgoing_src                              
route outside 1                                              
timeout xlate 1:30:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:00:00 rpc 0:10:00 h323 0:05:00 si                                                                                
p 0:30:00 sip_media 0:02:00                          
timeout uauth 0:00:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
http server enable                  
http outside                                      
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set authenc esp-des esp-md5-hmac
isakmp enable outside
isakmp key ******** address netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet outside
telnet 192.x.x.x inside
telnet inside
telnet timeout 50
ssh outside
ssh timeout 15
terminal width 200

Question by:FLPeople
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 24

Accepted Solution

DMTechGrooup earned 1000 total points
ID: 22746644
It's showing as a class A network.. ip address outside  so it thinks that everything that is 216.x.x.x is its own network.  This should probably be class C at best and even subnetted down further.. you need to get the proper settings from the ISP.
LVL 79

Expert Comment

ID: 22746661
>ip address outside  
This mask is incorrect.
It should be at best

Author Closing Comment

ID: 31507362
It's good to have a pair of eyes that knows what it is looking for.  

Thank you

Author Comment

ID: 22746700
Thank you both.  I hopped on and checked it right after DM's response.  It's been a long time since I've done anything Cisco and I verified the external address was OK but never looked there, this makes sense since a lone time ago the address used to be a 65. address.

 I never thought to look there as there is so much cleanup needed for this config I overlooked this section.  I took all the naming lines out that are at that point in the config.  I set up names at first and realized I didn't like them.  Never took them out.  I just took it out when I pasted it to remove stuff that wasn't needed.  

Again, thank you both for your quick and accurate responses.

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (…
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question