No_Expert_Here
Can't ping or access host that is statically nat'd behind Pix 501.
I can't figure out where I'm going wrong here. I have a static mapping for an inside IP address of 192.168.1.30 to an outside IP address ending in .67. I can't ping it, or telnet into it using port 3001, which is what is required for the device. If however I PAT it using the PIX's outside IP address of .66 along with an access list to allow port 3001, it works fine. The problem is I have two of these devices and need to be able to access them over port 3001 with outside IPs ending in .67 and .68. I feel like it's being blocked coming back out, which is why I tried at least setting it up so I could ping it. Can anyone help me on this?
Thanks...
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list inbound permit tcp any host 111.222.333.67 eq 3001
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 111.222.333.67 range 1 65535
access-list outbound permit ip any any
access-list outbound permit icmp any any echo-reply
pager lines 24
logging buffered debugging
icmp permit host 111.222.333.67 outside
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.199.97.0 255.255.255.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 75.109.45.133 255.255.255.255 outside
pdm location 192.168.1.30 255.255.255.255 inside
pdm location 192.168.1.31 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 200
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.67 192.168.1.30 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 111.222.333.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxx
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxxxx password xxxxxxx store-local
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:bef46ee1bd690a931ce62b18e84023e0
: end
ASKER
access-list inbound permit tcp any host 111.222.333.67 range 1 65535
was my desperate attempt to make sure that I had all the needed ports open.
I've been instructed that the only port I need is 3001.
But from my house, I tried to telnet in to 111.222.333.67 and .68 on port 3301.
I left the windows open and ran a show conn and show xlate and got the following results.
The ping test still doesn't work and I did add
the following lines...
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any source-quench
Again, if I use the outside interface of 111.222.333.66 and PAT 3001 to 192.168.1.30 the device works!
But I need .67 and .68 to work using NAT because they both have to use 3001.
If you look at the output below, it looks like it is translating in... but maybe not getting back out???
I'm including the config as it is now since I changed it a bit, but still not working....
pixfirewall(config)# show conn
2 in use, 37 most used
TCP out me.me.me.133:1225 in 192.168.1.30:3001 idle 0:00:08 Bytes 43 flags UOB
TCP out me.me.me.133:1229 in 192.168.1.31:3001 idle 0:00:20 Bytes 36 flags UOB
pixfirewall(config)# show xlate
15 in use, 105 most used
Global 111.222.333.67 Local 192.168.1.30
PAT Global 111.222.333.66(1317) Local 192.168.1.12(49210)
PAT Global 111.222.333.66(1318) Local 192.168.1.12(56726)
PAT Global 111.222.333.66(1499) Local 192.168.1.12(1911)
PAT Global 111.222.333.66(1498) Local 192.168.1.12(1908)
PAT Global 111.222.333.66(1501) Local 192.168.1.12(1913)
PAT Global 111.222.333.66(1500) Local 192.168.1.12(1912)
PAT Global 111.222.333.66(1503) Local 192.168.1.12(1914)
PAT Global 111.222.333.66(1502) Local 192.168.1.13(4605)
PAT Global 111.222.333.66(1505) Local 192.168.1.12(1916)
PAT Global 111.222.333.66(1504) Local 192.168.1.12(1915)
PAT Global 111.222.333.66(1507) Local 192.168.1.13(4606)
PAT Global 111.222.333.66(1506) Local 192.168.1.12(1919)
PAT Global 111.222.333.66(1508) Local 192.168.1.13(4607)
Global 111.222.333.68 Local 192.168.1.31
pixfirewall(config)#
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list inbound permit tcp any host 111.222.333.67 eq 3001
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any source-quench
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 200
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.67 192.168.1.30 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 111.222.333.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http xx.yy.zz.tt 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address x netmask x
isakmp key ******** address x netmask x
isakmp key ******** address x netmask x
isakmp key ******** address x netmask x
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname x
vpdn group pppoe_group ppp authentication pap
vpdn username x password ********* store-local
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
ASKER
I typo'd port 3001. I did not mean to type 3301.
Should have been:
but from my house, I tried to telnet in to 111.222.333.67 and .68 on port 3001
hey there
3 things I would check quickly on this
Do you have a public switch that the outside int of the PIX connects to? Check the arp entries on it for the 67/68 addresses - clear arp or even reboot it if you can
Have you cleared the xlate table since making these changes on the PIX?
If you have not, the PIX will have issues with what ip your internal host should be translating to
clear xlate
Are you able to upgrade your PIX OS to 6.3(5)? I would do this if you have CCO
cheers
ASKER
And one other thing, I cannot ping .67 and .68.
But I can ping .66 (the PIX's outside interface).
I hoped you rebooted after the changes; I too had issues with that version when doing NAT changes...
Occasionally, I even needed to boot twice...
And outbound group is needed firstly though.
access-group outbound out interface inside
access-list outbound permit icmp any any echo-reply
ASKER
I will save and reboot after adding the outbound, debuggerau.
The outside interface plugs directly into the modem, and I changed .67 to .69, then to .70 in case there was a conflict with .67 or .68 somehow. But the results were the same using .69 and .70.
About to save and reboot...
That's not true - you don't need to create an ACL for inside to outside traffic unless you specifically want to stop certain inside traffic from getting out. By default, it's allowed out anyway due to the security levels in the ASA algorithm the PIX uses.
ASKER
OK, I did not do the outbound ACL on the inside interface.
I did reboot several times...
then tried
telnet 111.222.333.70 3001 (I changed .67 to .70 in case it was an external IP issue)
then I did a show conn and got basically the same thing..
pixfirewall# show conn
2 in use, 6 most used
TCP out me.me.me.133:1385 in 192.168.1.30:3001 idle 0:00:05 Bytes 0 flags UB
TCP out 80.12.192.74:80 in 192.168.1.7:4750 idle 0:00:02 Bytes 56191 flags UIO
pixfirewall#
I still find it odd that I can not ping the inside hosts 192.168.1.30 and .31 even though they are mapped and I added ICMP lines to the access-list.
I can ping .66 (the PIX's outside IP).
Version 6.3(4) is starting to look like it might be something I need to change.
That's funny, my PIX has a default entry which cannot be removed for each NAT.
access-list outside_access_in deny ip any any
access-list inside_access_in deny ip any any
Any ACL's above that take precedence..
It's an intrinsic deny all. ACLs have an inherent deny all at the end of them no matter what you do - it's kind of a safety net in case you accidentally open more than you should.
:-)
seems to contradict your earlier comment, and I did need to specify each outgoing rule in the firewall, else nothing would go out.
I thought the security level was more to do with IDC
ASKER
I added the following to see if it would make a difference, but the results did not change any.
access-list outbound permit icmp any any echo-reply
access-list outbound permit icmp any any time-exceeded
access-list outbound permit icmp any any unreachable
access-list outbound permit icmp any any source-quench
access-group outbound in interface inside
ASKER
Is there a fixup command that i'm missing or should not have?
ASKER
nodisco,
I'm going to go ahead and upgrade the IOS from 6.3(4) to 6.3(5).
I hope it doesn't kill my VPN when I do it..
I have version 7.1(2) but I think that would be more risky than 6.3(5).
Will let you know what happens, I'm just waiting for everyone to go to lunch!
ASKER
BTW, I turned on debug icmp trace and pinged the static mappings from the outside.
I did not get any replies but the PIX did report the ping requests..
pixfirewall#
13: ICMP echo-request from outside:me.me.me.133 to 111.222.444.68 ID=1783 seq=2816 length=40
14: ICMP echo-request from outside:me.me.me.133 to 111.222.333.68 ID=1783 seq=3072 length=40
15: ICMP echo-request from outside:me.me.me.133 to 111.222.333.68 ID=1783 seq=3328 length=40
16: ICMP echo-request from outside:me.me.me.133 to 111.222.333.68 ID=1783 seq=3584 length=40
I just wanted to make sure the external IPs were routed to our network by the ISP correctly.
ASKER
ok,
I upgraded the PIX IOS to 6.3(5) but it did not seem to help.
I tried to upgrade to 7.1(2) but it errored out with a message about not enough memory to do so.
The VPN I have in place was not affected, thank goodness.
Any more ideas?
debuggerau
<<seems to contradict your earlier comment, and I did need to specify each outgoing rule in the firewall, else nothing would go out.>>
I don't know what you mean by this and as I said, you DO NOT need an ACL applied on the inside to allow outbound traffic fundamentally; your PIX may be configured in such a way that it requires it but this is not the case uniformly. Besides - this is off topic.
No_expert_here
Can you post your config as it is now and also the output of sh access-list
I'm sure we will get it sorted yet!
ASKER
here goes...
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list inbound permit tcp any host 111.222.333.67 eq 3001
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any source-quench
access-list inbound permit tcp any host 111.222.333.69 eq 3001
access-list inbound permit tcp any host 111.222.333.70 eq 3001
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.199.97.0 255.255.255.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location me.me.me.133 255.255.255.255 outside
pdm location 192.168.1.30 255.255.255.255 inside
pdm location 192.168.1.31 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 200
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.70 192.168.1.30 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 111.222.333.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http me.me.me.133 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address w netmask 255.255.255.255
isakmp key ******** address x netmask 255.255.255.255
isakmp key ******** address y netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname x
vpdn group pppoe_group ppp authentication pap
vpdn username x password ********* store-local
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:d43dd3c6804 3f041a5a5a c7491802d6 2
: end
[OK]
pixfirewall# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0 (hitcnt=0)
access-list 102; 1 elements
access-list 102 line 1 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0 (hitcnt=16)
access-list inbound; 8 elements
access-list inbound line 1 permit tcp any host 111.222.333.67 eq 3001 (hitcnt=0)
access-list inbound line 2 permit tcp any host 111.222.333.68 eq 3001 (hitcnt=1)
access-list inbound line 3 permit icmp any any echo-reply (hitcnt=0)
access-list inbound line 4 permit icmp any any time-exceeded (hitcnt=2)
access-list inbound line 5 permit icmp any any unreachable (hitcnt=8)
access-list inbound line 6 permit icmp any any source-quench (hitcnt=0)
access-list inbound line 7 permit tcp any host 111.222.333.69 eq 3001 (hitcnt=0)
access-list inbound line 8 permit tcp any host 111.222.333.70 eq 3001 (hitcnt=2)
pixfirewall#
ASKER
If I change the static mapping so that it uses the pix's outside interface with port forwarding...
static (inside,outside) tcp 111.222.334.66 3001 192.168.1.31 3001 netmask 255.255.255.255 0 0
along with
access-list inbound permit tcp any host 111.222.333.66 eq 3001
it works fine. The problem is I have two of these devices on the inside and they both require port 3001.
ASKER
If I do the same thing with .67, .68, .69, .70 as I do with the PIX's outside IP of .66, it will not work.
DOES NOT WORK
static (inside,outside) tcp 111.222.333.70 3001 192.168.1.30 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.70 eq 3001
DOES NOT WORK
static (inside,outside) tcp 111.222.333.70 3001 192.168.1.31 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.70 eq 3001
THIS DOES WORK
static (inside,outside) tcp 111.222.333.66 3001 192.168.1.30 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.66 eq 3001
THIS DOES WORK
static (inside,outside) tcp 111.222.333.66 3001 192.168.1.31 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.66 eq 3001
I did have someone place a laptop in parallel with the PIX and assign the .67, .68, .69, and .70 to its interface, and verify each time that they got internet access, as well as had him go to www.whatismyip.com and make sure they were reporting the correct IP address.
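As an added example (not code from this thread or from Cisco), a small Python audit that parses the kind of PIX 6.3 lines shown above (ip address, static, access-list, access-group) and reports, for each static, whether the global address lies in the outside interface's subnet, whether the ACL applied inbound on outside permits the service port to it, and whether an inbound ICMP echo (request) is permitted to it; an echo-reply permit alone only lets replies to pings the inside host sent back in. The config is a constructed sample using documentation addresses in place of the thread's obfuscated 111.222.333.x.

```python
"""Audit PIX 6.3-style static NAT and inbound ACL lines (added example, not from the thread)."""
import ipaddress

# Constructed sample modelled on the thread's config; 198.51.100.0/24 (a documentation
# range) stands in for the obfuscated 111.222.333.x.  The third static is deliberately
# outside the /29 and has no inbound permit, so the audit has something to report.
SAMPLE_CONFIG = """\
ip address outside 198.51.100.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
access-list inbound permit tcp any host 198.51.100.67 eq 3001
access-list inbound permit tcp any host 198.51.100.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 198.51.100.67 192.168.1.30 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.75 3001 192.168.1.32 3001 netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""


def _addr(tok, i):
    """Consume one ACL address spec (any | host X | X MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out interface addresses, ACL entries, access-group bindings and statics."""
    cfg = {"ifaces": {}, "acls": {}, "groups": {}, "statics": []}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "ip" and t[1] == "address":
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["access-list"] and len(t) > 3 and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            rest, lo, hi, itype = t[i:], 1, 65535, None
            if rest[:1] == ["eq"]:
                lo = hi = int(rest[1])
            elif rest[:1] == ["range"]:
                lo, hi = int(rest[1]), int(rest[2])
            elif t[3] == "icmp" and rest:
                itype = rest[0]            # e.g. echo, echo-reply, unreachable
            cfg["acls"].setdefault(t[1], []).append(
                dict(action=t[2], proto=t[3], src=src, dst=dst, lo=lo, hi=hi, icmp=itype))
        elif t[:1] == ["access-group"]:    # access-group NAME in interface IFACE
            cfg["groups"][t[4]] = t[1]
        elif t[:1] == ["static"]:
            if t[2] in ("tcp", "udp"):      # port static: tcp GLOBAL GPORT LOCAL LPORT
                cfg["statics"].append(dict(proto=t[2], glob=t[3], gport=int(t[4]),
                                           local=t[5], lport=int(t[6])))
            else:                           # one-to-one static: GLOBAL LOCAL
                cfg["statics"].append(dict(proto="ip", glob=t[2], gport=None,
                                           local=t[3], lport=None))
    return cfg


def permits(rules, proto, dst, port=None, icmp_type=None):
    """First-match ACL evaluation for traffic to dst, with the PIX's implicit deny at the end."""
    ip = ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto) or ip not in r["dst"]:
            continue
        if r["proto"] in ("tcp", "udp") and not (r["lo"] <= port <= r["hi"]):
            continue
        if r["proto"] == "icmp" and r["icmp"] not in (None, icmp_type):
            continue
        return r["action"] == "permit"
    return False


def audit(text, service_port=3001):
    """Return {global_ip: [finding codes]} for every static in the config."""
    cfg = parse_config(text)
    outside_net = cfg["ifaces"]["outside"].network
    inbound = cfg["acls"].get(cfg["groups"].get("outside"), [])
    report = {}
    for s in cfg["statics"]:
        g, port, codes = s["glob"], s["gport"] or service_port, []
        # A block routed to the firewall can legitimately sit outside the interface
        # subnet, so treat this as a warning rather than an error.
        if ipaddress.ip_address(g) not in outside_net:
            codes.append("outside-subnet")
        if not permits(inbound, "tcp", g, port=port):
            codes.append("tcp-permit")
        # Pinging a one-to-one static from outside needs an echo (request) permit;
        # echo-reply only lets replies to inside-originated pings back in.
        if s["proto"] == "ip" and not permits(inbound, "icmp", g, icmp_type="echo"):
            codes.append("icmp-echo")
        report[g] = codes
    return report


if __name__ == "__main__":
    for glob, codes in audit(SAMPLE_CONFIG).items():
        print(glob, "ok" if not codes else ", ".join(codes))
```

Feed it the running config text from `write terminal` (or a saved copy) to get the same report for a real box; the finding codes are this script's own, not PIX output.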
ASKER
Is there a way for me to send an automatic reboot command to the PIX in case I lose contact with it after trying to change the PIX's outside IP address to .70 remotely? The PIX is in another town and I don't know if I can change the IP without losing contact with it. I just want to make sure that the problem I'm having isn't because there is something wrong with the IP addresses assigned by our ISP.
No - on a router you can issue a "reload in 10" to reboot it in 10 mins for example, but not on a PIX. But if your laptop can get out on the web using these public ips then they are working correctly from the ISP side of things. If you do have a chance in the office though, I would quickly change the PIX's outside int address to one of the avail addresses for peace of mind!
Can you go on the internet with 192.168.1.30 and 192.168.1.31 - go to whatismyip.com and see if they are translating correctly to their correct address - that's the quickest way to test.
Your acl shows the hitcnt incrementing but you are not getting a reply.
Are your machines 192.168.1.30 and 31 using the PIX as their default gateway - if not what is it?
Make sure to clear xlate after making any translation tables
You could try turning on logging and checking the pix as you attempt these connections to see what's going on:
logging on
logging timestamp
logging monitor errors
logging buffered notifications
or
logging buffered information
Open the connection from outside and at the same time - sh log - do it a few times and you will catch the detail.
ASKER
ok, will try logging...
Also, I forgot that i had someone unplug the network cable from one of the devices assigned to 192.168.1.30 and then had then take a workstation on the inside and assign 192.168.1.30 to it and do a whatismyip.com and sure enough it reported 111.222.333.67.
ASKER
Looks like you're on to something here Nodisco!!!
after turning logging on, i did some pings from home, and tried to get the other office here to
make the connection to the device(192.168.1.30) statically mapped to 111.222.333.70....
This was me trying to ping .70 from home.
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
*I have no idea who's trying to connect here? looks like an ip address from China..
106023: Deny tcp src outside:125.65.112.217/600 0 dst inside:111.222.333.70/8000 by access-group "inbound"
106023: Deny tcp src outside:125.65.112.217/600 0 dst inside:111.222.333.70/3128 by access-group "inbound"
106023: Deny tcp src outside:125.65.112.217/600 0 dst inside:111.222.333.70/7212 by access-group "inbound"
This is really the only connection that i want to allow...
106023: Deny icmp src 333.444.555 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
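The logging output above mixes the asker's own test pings with unrelated inbound probes (the 8000/3128 attempts, later a 445 attempt). As an added example, not part of the thread, here is a small Python triage script that parses the PIX 6.3 message formats quoted in this thread (106023, 106014 and 302013), separates denies from hosts you know are yours from background noise, and lists what the inbound ACL actually dropped from your test hosts. The sample log lines are constructed from the sanitized messages in the thread (the 111.222.333.x, me.me.me.x and 333.444.555.x addresses are the poster's placeholders, and the source ports are made up); the set of "own" test addresses is an assumption you would replace with your own.

```python
import re
from collections import Counter

# Message formats as they appear in PIX 6.3 'sh log' output, as quoted in the thread:
#   106023: Deny tcp src outside:SRC/SPORT dst inside:DST/DPORT by access-group "NAME"
#   106023: Deny icmp src outside:SRC dst inside:DST (type T, code C) by access-group "NAME"
#   106014: Deny inbound icmp src outside:SRC dst inside:DST (type T, code C)
#   302013: Built inbound TCP connection ID for outside:SRC/SPORT (MAPPED/SPORT) to inside:DST/DPORT (MAPPED/DPORT)
TCP_DENY = re.compile(
    r'^106023: Deny (?P<proto>tcp|udp) src outside:(?P<src>\S+?)/(?P<sport>\d+) '
    r'dst inside:(?P<dst>\S+?)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"$'
)
ICMP_DENY = re.compile(
    r'^(?:106023|106014): Deny (?:inbound )?icmp src (?:outside:)?(?P<src>\S+) '
    r'dst inside:(?P<dst>\S+) \(type (?P<type>\d+), code (?P<code>\d+)\)'
    r'(?: by access-group "(?P<acl>[^"]+)")?$'
)
BUILT_TCP = re.compile(
    r'^302013: Built inbound TCP connection (?P<conn>\d+) for outside:(?P<src>\S+?)/(?P<sport>\d+) '
    r'\(\S+?/\d+\) to inside:(?P<dst>\S+?)/(?P<dport>\d+) \((?P<mapped>\S+?)/\d+\)$'
)

# Constructed sample, modelled on the lines posted in the thread (placeholder addresses).
SAMPLE_LOG = """
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny tcp src outside:125.65.112.217/6000 dst inside:111.222.333.70/8000 by access-group "inbound"
106023: Deny tcp src outside:125.65.112.217/6000 dst inside:111.222.333.70/3128 by access-group "inbound"
106023: Deny tcp src outside:86.5.198.82/4479 dst inside:111.222.333.70/445 by access-group "inbound"
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
302013: Built inbound TCP connection 2830 for outside:333.444.555.222/63059 (333.444.555.222/63059) to inside:192.168.1.30/3001 (111.222.333.70/3001)
106023: Deny icmp src outside:333.444.555.222 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
""".strip().splitlines()


def parse_line(line):
    """Return a dict describing one deny/built event, or None for lines we do not model."""
    line = line.strip()
    m = TCP_DENY.match(line)
    if m:
        return {"event": "deny", "proto": m["proto"], "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "acl": m["acl"]}
    m = ICMP_DENY.match(line)
    if m:
        return {"event": "deny", "proto": "icmp", "src": m["src"], "dst": m["dst"],
                "icmp_type": int(m["type"]), "acl": m["acl"]}  # acl is None for 106014
    m = BUILT_TCP.match(line)
    if m:
        return {"event": "built", "proto": "tcp", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "mapped_dst": m["mapped"], "conn": int(m["conn"])}
    return None


def triage(lines, test_sources):
    """Split events into: denies from your own test hosts, background noise (counted
    per source/proto/port), and connections the PIX did build."""
    own, noise, built = [], Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "built":
            built.append(rec)
        elif rec["src"] in test_sources:
            own.append(rec)
        else:
            noise[(rec["src"], rec["proto"], rec.get("dport", rec.get("icmp_type")))] += 1
    return own, noise, built


def needed_permits(own_denies):
    """Distinct (proto, detail) pairs dropped from your own test hosts: this is what the
    inbound ACL is still blocking for the traffic you are actually trying to allow."""
    seen = set()
    for rec in own_denies:
        if rec["proto"] == "icmp":
            seen.add(("icmp", f"type {rec['icmp_type']}"))
        else:
            seen.add((rec["proto"], f"port {rec['dport']}"))
    return sorted(seen)


if __name__ == "__main__":
    # Assumed set of "our" test hosts: the home machine and the other office in the thread.
    own, noise, built = triage(SAMPLE_LOG, {"me.me.me.133", "333.444.555.222"})
    print("still blocked from our own hosts:", needed_permits(own))
    print("allowed connections:", [(b["src"], b["mapped_dst"], b["dport"]) for b in built])
    print("background noise:", dict(noise))
```

Run against the sample, the script reports that port 3001 from the other office was built (the static and the tcp ACE work) while only ICMP echo requests (type 8) from the test hosts are still denied, which matches what the thread's logs show: the inbound list permits echo-reply but never echo.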
The denies show you pinging 192.168.1.30 mapped as 111.222.333.70 but in the previous post you said 192.168.1.30 was mapped as 111.222.333.67 and working on whatismyip.com? Are we aok here or am I picking you up wrong?
If the statics are definitely listed as follows:
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.70 192.168.1.30 netmask 255.255.255.255 0 0
Pls do the following
First:
clear xlate
no access-group inbound in interface outside
no access-list inbound
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list inbound permit tcp any host 111.222.333.69 eq 3001
access-list inbound permit tcp any host 111.222.333.70 eq 3001
access-list inbound deny ip any any
access-group inbound in interface outside
Re-applying the acl can be necessary in some instances when making big changes.
Then, try pinging and more importantly telnetting to port 3001 on the 2 public ips and check the logs to see what you get.
cheers
ASKER
Ok, a small change with that but i entered it as you listed...
The icmp denies don't mention the access-list anymore.
i'll save it and reboot to see if that helps...
clear xlate
no access-group inbound in interface outside
no access-list inbound
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit tcp any host 111.222.333.70 eq 3001
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
ASKER
ooops..
i forgot to apply the access-list...
so i rebooted then
did access-group inbound in interface outbound
and got this after pinging
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny tcp src outside:86.5.198.82/4479 dst inside:111.222.333.70/445 by access-group "inbound"
I don't know whose ip address is listed on the last line there??
what if i just open the whole thing up and see what happens?
106023: Deny tcp src outside:86.5.198.82/4479 dst inside:111.222.333.70/445 by access-group "inbound"
Port 445 is netbios and you don't want this getting in any kind of way - it's most likely malicious traffic.
Can you try the telnet on port 3001 and see what happens - I want to see what happens in the log when you try this
ASKER
this was after me trying a telnet session on port 3001
609001: Built local-host inside:192.168.1.30
305009: Built static translation from inside:192.168.1.30 to outside:111.222.333.70
302013: Built inbound TCP connection 2830 for outside:333.444.555.222/63059 (70.248.4.222/63059) to inside:192.168.1.30/3001 (111.222.333.70/3001)
This was after trying to query the device using the software
Deny icmp src outside:333.444.555.222 dst inside:166.102.135.70 (type 8, code 0) by access-group "in_bound"
There may be something else you need to open - just as a quick test - open the public ip to just your source address e.g.
Put in the following:
access-list inbound line 1 permit ip host 333.444.555.222 host 111.222.333.70 log 6 interval 600
Then try again.
Then watch the logs
ASKER
Nodisco.....
YOU ARE D'MAN!
Thank goodness...it's working now...
access-list inbound line 1 permit ip host 333.444.555.222 host 111.222.333.70 log 6 interval 600
did the trick. i saved the configuration.
now how do i turn the logging off so it doesn't slow the network down any?
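Why the `line 1` entry changed the outcome follows from how a PIX access list is evaluated: entries are tested top to bottom, the first match decides, and anything that matches nothing is denied. The rebuilt list from Nodisco's earlier post permits only echo-reply, unreachable and time-exceeded ICMP plus TCP 3001 to the two statics, so the echo requests (type 8) the logs kept showing were dropped even though the 3001 connection was built; a `permit ip host <src> host <dst>` at line 1 covers every protocol between those two hosts. As an added example, not code from the thread, the Python model below implements that first-match evaluation for the `any`/`host` forms used in this thread and runs the logged packets through both versions of the list. Addresses are the thread's placeholder strings, and the ICMP type numbers for the keywords (echo-reply 0, unreachable 3, time-exceeded 11, echo 8) are the standard assignments, not something the thread states.

```python
from dataclasses import dataclass

# Standard ICMP type numbers for the PIX ICMP keywords used in the thread (assumed, not from the post).
ICMP_NAMES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11, "echo": 8}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # TCP/UDP destination port
    icmp_type: int = -1   # ICMP type, e.g. 8 for an echo request


def _addr_match(spec, addr):
    """PIX address forms modelled here: 'any' or 'host A.B.C.D' (subnet/mask forms omitted)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    raise ValueError(f"unsupported address spec: {spec}")


def parse_ace(text):
    """Parse 'access-list NAME [line N] permit|deny PROTO SRC DST [eq PORT | ICMP-KEYWORD] [log ...]'."""
    toks = text.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list entry")
    name, i, line_no = toks[1], 2, None
    if toks[i] == "line":
        line_no, i = int(toks[i + 1]), i + 2
    action, proto, i = toks[i], toks[i + 1], i + 2

    def take_addr():
        nonlocal i
        if toks[i] == "any":
            i += 1
            return "any"
        if toks[i] == "host":
            i += 2
            return "host " + toks[i - 1]
        raise ValueError(f"unsupported address token: {toks[i]}")

    src, dst = take_addr(), take_addr()
    dport = icmp_type = None
    if i < len(toks):
        if toks[i] == "eq":
            dport = int(toks[i + 1])
        elif proto == "icmp" and toks[i] in ICMP_NAMES:
            icmp_type = ICMP_NAMES[toks[i]]
    # Any trailing 'log 6 interval 600' only affects logging, not the match decision.
    return {"name": name, "line": line_no, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport, "icmp_type": icmp_type}


class AccessList:
    """Ordered list of entries with PIX first-match semantics and an implicit deny at the end."""

    def __init__(self):
        self.aces = []

    def add(self, text):
        ace = parse_ace(text)
        if ace["line"] is None:
            self.aces.append(ace)                   # no line number: appended at the end
        else:
            self.aces.insert(ace["line"] - 1, ace)  # 'line N' inserts at position N
        return self

    def evaluate(self, pkt):
        """Return (action, entry_number); entry_number is None when the implicit deny applies."""
        for n, ace in enumerate(self.aces, 1):
            if ace["proto"] not in ("ip", pkt.proto):
                continue
            if not (_addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)):
                continue
            if ace["dport"] is not None and ace["dport"] != pkt.dport:
                continue
            if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.icmp_type:
                continue
            return ace["action"], n
        return "deny", None


def rebuilt_acl():
    """The inbound list Nodisco asked the asker to rebuild, before the line-1 fix."""
    acl = AccessList()
    for entry in [
        "access-list inbound permit icmp any any echo-reply",
        "access-list inbound permit icmp any any unreachable",
        "access-list inbound permit icmp any any time-exceeded",
        "access-list inbound permit tcp any host 111.222.333.68 eq 3001",
        "access-list inbound permit tcp any host 111.222.333.70 eq 3001",
        "access-list inbound deny ip any any",
    ]:
        acl.add(entry)
    return acl


def fixed_acl():
    """Same list with the entry that finally made the device reachable inserted at line 1."""
    return rebuilt_acl().add(
        "access-list inbound line 1 permit ip host 333.444.555.222 host 111.222.333.70 log 6 interval 600")


# Packets taken from the thread's log lines (placeholder addresses).
OFFICE_TELNET = Packet("tcp", "333.444.555.222", "111.222.333.70", dport=3001)
OFFICE_ECHO = Packet("icmp", "333.444.555.222", "111.222.333.70", icmp_type=8)
PROBE_445 = Packet("tcp", "86.5.198.82", "111.222.333.70", dport=445)

if __name__ == "__main__":
    for label, acl in (("rebuilt", rebuilt_acl()), ("with line 1", fixed_acl())):
        for pkt in (OFFICE_TELNET, OFFICE_ECHO, PROBE_445):
            print(label, pkt, "->", acl.evaluate(pkt))
```

The model reproduces the thread's observations: under the rebuilt list the office's TCP 3001 connection is permitted by entry 5 but its echo request falls through to the explicit `deny ip any any`, which is exactly the 106023 deny the asker kept seeing; with the line-1 entry both are permitted by entry 1, while the unrelated 445 probe is still denied.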
ASKER
Ok, will do...Thank you so much. I was ready to go place a 2nd router behind the modem and set it up separately. Fortunately, you came through with the know how and patience. Thanks Again...
no worries - glad you got it working
access-list inbound permit tcp any host 111.222.333.67 range 1 65535
icmp permit host 111.222.333.67 outside
But you're having trouble with the 66 address, so it is a strange one...