• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 634

Can't ping or access host that is statically nat'd behind Pix 501.

I can't figure out where I'm going wrong here. I have a static mapping for an inside IP address of 192.168.1.30 to an outside IP address ending in .67. I can't ping it, or telnet into it using port 3001, which is what is required for the device. If however I PAT it using the pix's outside IP address of .66 along with an access list to allow port 3001, it works fine. The problem is I have two of these devices and need to be able to access them over port 3001 with outside IPs ending in .67 and .68. I feel like it's being blocked coming back out, which is why I tried at least setting it up so I could ping it. Can anyone help me on this?

Thanks...
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list inbound permit tcp any host 111.222.333.67 eq 3001
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 111.222.333.67 range 1 65535
access-list outbound permit ip any any
access-list outbound permit icmp any any echo-reply
pager lines 24
logging buffered debugging
icmp permit host 111.222.333.67 outside
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.199.97.0 255.255.255.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 75.109.45.133 255.255.255.255 outside
pdm location 192.168.1.30 255.255.255.255 inside
pdm location 192.168.1.31 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 200
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.67 192.168.1.30 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 111.222.333.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxx
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxxxx password xxxxxxx store-local
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:bef46ee1bd690a931ce62b18e84023e0
: end

No_Expert_Here Asked:

1 Solution
 
debuggerau Commented:
Just looking at the differences and I see these lines:
access-list inbound permit tcp any host 111.222.333.67 range 1 65535
icmp permit host 111.222.333.67 outside

But you're having trouble with the 66 address, so it is a strange one...

No_Expert_Here (Author) Commented:
access-list inbound permit tcp any host 111.222.333.67 range 1 65535
was my desperate attempt to make sure that I had all the needed ports open.
I've been instructed that the only port I need is 3001.

But from my house, I tried to telnet in to 111.222.333.67 and .68 on port 3301.
I left the windows open and ran a show conn and show xlate and got the following results.
The ping test still doesn't work, and I did add
the following lines...

access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any source-quench

Again, if I use the outside interface of 111.222.333.66 and PAT 3001 to 192.168.1.30, the device works!

But I need .67 and .68 to work using NAT because they both have to use 3001.
If you look at the output below, it looks like it is translating in... but maybe not getting back out???

I'm including the config as it is now since I changed it a bit, but it is still not working....

pixfirewall(config)#  show conn
2 in use, 37 most used
TCP out me.me.me.133:1225 in 192.168.1.30:3001 idle 0:00:08 Bytes 43 flags UOB
TCP out me.me.me.133:1229 in 192.168.1.31:3001 idle 0:00:20 Bytes 36 flags UOB
pixfirewall(config)# show xlate
15 in use, 105 most used
Global 111.222.333.67 Local 192.168.1.30
PAT Global 111.222.333.66(1317) Local 192.168.1.12(49210)
PAT Global 111.222.333.66(1318) Local 192.168.1.12(56726)
PAT Global 111.222.333.66(1499) Local 192.168.1.12(1911)
PAT Global 111.222.333.66(1498) Local 192.168.1.12(1908)
PAT Global 111.222.333.66(1501) Local 192.168.1.12(1913)
PAT Global 111.222.333.66(1500) Local 192.168.1.12(1912)
PAT Global 111.222.333.66(1503) Local 192.168.1.12(1914)
PAT Global 111.222.333.66(1502) Local 192.168.1.13(4605)
PAT Global 111.222.333.66(1505) Local 192.168.1.12(1916)
PAT Global 111.222.333.66(1504) Local 192.168.1.12(1915)
PAT Global 111.222.333.66(1507) Local 192.168.1.13(4606)
PAT Global 111.222.333.66(1506) Local 192.168.1.12(1919)
PAT Global 111.222.333.66(1508) Local 192.168.1.13(4607)
Global 111.222.333.68 Local 192.168.1.31
pixfirewall(config)#
 
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list inbound permit tcp any host 111.222.333.67 eq 3001
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any source-quench
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 200
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.67 192.168.1.30 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 111.222.333.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http xx.yy.zz.tt 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address x netmask x
isakmp key ******** address x netmask x
isakmp key ******** address x netmask x
isakmp key ******** address x netmask x
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname x
vpdn group pppoe_group ppp authentication pap
vpdn username x password ********* store-local
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

No_Expert_Here (Author) Commented:
I typo'd port 3001. I did not mean to type 3301.
It should have been

but from my house, i tried to telnet in to 111.222.333.67 and .68 on port 3001

nodisco Commented:
hey there

3 things I would check quickly on this
Do you have a public switch that the outside int of the PIX connects to?  Check the arp entries on it for the 67/68 addresses - clear arp or even reboot it if you can

Have you cleared the xlate table since making these changes on the PIX?
If you have not, the PIX will have issues with what ip your internal host should be translating to
clear xlate

Are you able to upgrade your PIX OS to 6.3(5)?  I would do this if you have CCO

cheers

No_Expert_Here (Author) Commented:
And one other thing, I cannot ping .67 and .68.
But I can ping .66 (the pix's outside interface).

debuggerau Commented:
I hope you rebooted after the changes; I too had issues with that version when doing NAT changes...

Occasionally, I even needed to boot twice...

And an outbound group is needed first, though.
access-group outbound out interface inside
access-list outbound permit icmp any any echo-reply

No_Expert_Here (Author) Commented:
I will save and reboot after adding the outbound, debuggerau.

The outside interface plugs directly into the modem, and I changed .67 to .69, then to .70 in case there was a conflict with .67 or .68 somehow, but the results were the same using .69 and .70.

about to save and reboot...

nodisco Commented:
That's not true - you don't need to create an ACL for inside to outside traffic unless you specifically want to stop certain inside traffic from getting out. By default, it's allowed out anyway due to the security levels in the ASA algorithm the PIX uses.

No_Expert_Here (Author) Commented:
Ok, I did not do the outbound ACL on the inside interface.
I did reboot several times...
then tried
telnet 111.222.333.70 3001 (I changed .67 to .70 in case it was an external IP issue)
then I did a show conn and got basically the same thing...


pixfirewall# show conn
2 in use, 6 most used
TCP out me.me.me.133:1385 in 192.168.1.30:3001 idle 0:00:05 Bytes 0 flags UB
TCP out 80.12.192.74:80 in 192.168.1.7:4750 idle 0:00:02 Bytes 56191 flags UIO
pixfirewall#

I still find it odd that I cannot ping the inside hosts 192.168.1.30 and .31 even though they are mapped and I added icmp lines to the access-list.

I can ping .66 (the pix's outside IP).

Version 6.3(4) is starting to look like it might be something I need to change.

debuggerau Commented:
That's funny, my PIX has a default entry which cannot be removed for each NAT.

access-list outside_access_in deny ip any any
access-list inside_access_in deny ip any any

Any ACLs above that take precedence.

nodisco Commented:
It's an intrinsic deny all. ACLs have an inherent deny all at the end of them no matter what you do - it's kind of a safety net in case you accidentally open more than you should
:-)

debuggerau Commented:
Seems to contradict your earlier comment, and I did need to specify each outgoing rule in the firewall, else nothing would go out.

I thought the security level was more to do with IDC

No_Expert_Here (Author) Commented:
I added the following to see if it would make a difference, but the results did not change any.

access-list outbound permit icmp any any echo-reply
access-list outbound permit icmp any any time-exceeded
access-list outbound permit icmp any any unreachable
access-list outbound permit icmp any any source-quench

access-group outbound in interface inside

No_Expert_Here (Author) Commented:
Is there a fixup command that I'm missing or should not have?

No_Expert_Here (Author) Commented:
nodisco,

I'm going to go ahead and upgrade the IOS from 6.3(4) to 6.3(5).
I hope it doesn't kill my VPN when I do it..
I have version 7.1(2) but I think that would be more risky than 6.3(5).

Will let you know what happens, I'm just waiting for everyone to go to lunch!

No_Expert_Here (Author) Commented:
BTW, I turned on debug icmp trace and pinged the static mappings from the outside.
I did not get any replies, but the pix did report the ping requests..

pixfirewall#
13: ICMP echo-request from outside:me.me.me.133 to 111.222.444.68 ID=1783 seq=2816 length=40
14: ICMP echo-request from outside:me.me.me.133 to 111.222.333.68 ID=1783 seq=3072 length=40
15: ICMP echo-request from outside:me.me.me.133 to 111.222.333.68 ID=1783 seq=3328 length=40
16: ICMP echo-request from outside:me.me.me.133 to 111.222.333.68 ID=1783 seq=3584 length=40

I just wanted to make sure the external IP's were routed to our network by the ISP correctly.

No_Expert_Here (Author) Commented:
Ok,
I upgraded the PIX IOS to 6.3(5) but it did not seem to help.
I tried to upgrade to 7.1(2) but it errored out with a message about not enough memory to do so.
The VPN I have in place was not affected, thank goodness.
Any more ideas?

nodisco Commented:
debuggerau
<<seems to contradict your earlier comment, and I did need to specify each outgoing rule in the firewall, else nothing would go out.>>
I don't know what you mean by this, and as I said, you DO NOT need an ACL applied on the inside to allow outbound traffic fundamentally; your PIX may be configured in such a way that it requires it, but this is not the case uniformly. Besides - this is off topic.

No_expert_here
Can you post your config as it is now and also the output of sh access-list
I'm sure we will get it sorted yet!

No_Expert_Here (Author) Commented:
Here goes...


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list inbound permit tcp any host 111.222.333.67 eq 3001
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any source-quench
access-list inbound permit tcp any host 111.222.333.69 eq 3001
access-list inbound permit tcp any host 111.222.333.70 eq 3001
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.199.97.0 255.255.255.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location me.me.me.133 255.255.255.255 outside
pdm location 192.168.1.30 255.255.255.255 inside
pdm location 192.168.1.31 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 200
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.70 192.168.1.30 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 111.222.333.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http me.me.me.133 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address w netmask 255.255.255.255
isakmp key ******** address x netmask 255.255.255.255
isakmp key ******** address y netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname x
vpdn group pppoe_group ppp authentication pap
vpdn username x password ********* store-local
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:d43dd3c68043f041a5a5ac7491802d62
: end
[OK]

                                                                                             
pixfirewall# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0 (hitcnt=0)
access-list 102; 1 elements
access-list 102 line 1 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0 (hitcnt=16)
access-list inbound; 8 elements
access-list inbound line 1 permit tcp any host 111.222.333.67 eq 3001 (hitcnt=0)
access-list inbound line 2 permit tcp any host 111.222.333.68 eq 3001 (hitcnt=1)
access-list inbound line 3 permit icmp any any echo-reply (hitcnt=0)
access-list inbound line 4 permit icmp any any time-exceeded (hitcnt=2)
access-list inbound line 5 permit icmp any any unreachable (hitcnt=8)
access-list inbound line 6 permit icmp any any source-quench (hitcnt=0)
access-list inbound line 7 permit tcp any host 111.222.333.69 eq 3001 (hitcnt=0)
access-list inbound line 8 permit tcp any host 111.222.333.70 eq 3001 (hitcnt=2)
pixfirewall#

No_Expert_Here (Author) Commented:
If I change the static mapping so that it uses the pix's outside interface with port forwarding...
static (inside,outside) tcp 111.222.334.66 3001 192.168.1.31 3001 netmask 255.255.255.255 0 0
along with
access-list inbound permit tcp any host 111.222.333.66 eq 3001
it works fine. Problem is I have two of these devices on the inside and they both require port 3001.

No_Expert_Here (Author) Commented:
If I do the same thing with .67, .68, .69, .70 as I do with the pix's outside IP of .66, it will not work.

DOES NOT WORK
static (inside,outside) tcp 111.222.333.70 3001 192.168.1.30 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.70 eq 3001


DOES NOT WORK
static (inside,outside) tcp 111.222.333.70 3001 192.168.1.31 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.70 eq 3001


THIS DOES WORK

static (inside,outside) tcp 111.222.333.66 3001 192.168.1.30 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.66 eq 3001


THIS DOES WORK
static (inside,outside) tcp 111.222.333.66 3001 192.168.1.31 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.66 eq 3001

I did have someone place a laptop in parallel with the pix and assign the .67, .68, .69, and .70
to its interface, and verify each time that they get internet access, as well as had him go to
www.whatismyip.com and make sure they were reporting the correct IP address.

No_Expert_Here (Author) Commented:
Is there a way for me to send an automatic reboot command to the pix in case I lose contact with it after trying to change the pix's outside IP address to .70 remotely? The pix is in another town and I don't know if I can change the IP without losing contact with it. I just want to make sure that the problem I'm having isn't because there is something wrong with the IP addresses assigned by our ISP.

nodisco Commented:
No - on a router you can issue a "reload in 10" to reboot it in 10 mins for example, but not on a PIX. But if your laptop can get out on the web using these public IPs then they are working correctly from the ISP side of things. If you do have a chance in the office though, I would quickly change the PIX's outside int address to one of the avail addresses for peace of mind!

Can you go on the internet with 192.168.1.30 and 192.168.1.31 - go to whatismyip.com and see if they are translating correctly to their correct address - that's the quickest way to test.
Your acl shows the hitcnt incrementing but you are not getting a reply.
Are your machines 192.168.1.30 and 31 using the PIX as their default gateway - if not what is it?
Make sure to clear xlate after making any translation tables

You could try turning on logging and checking the pix as you attempt these connections to see what's going on:
logging on
logging timestamp
logging monitor errors
logging buffered notifications
or
logging buffered information
Open the connection from outside and at the same time - sh log - do it a few times and you will catch the detail.

No_Expert_Here (Author) Commented:
Ok, will try logging...

Also, I forgot that I had someone unplug the network cable from one of the devices assigned to 192.168.1.30 and then had them take a workstation on the inside and assign 192.168.1.30 to it and do a whatismyip.com, and sure enough it reported 111.222.333.67.

No_Expert_Here (Author) Commented:
Looks like you're on to something here Nodisco!!!

After turning logging on, I did some pings from home, and tried to get the other office here to
make the connection to the device (192.168.1.30) statically mapped to 111.222.333.70....

This was me trying to ping .70 from home.

106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"



I have no idea who's trying to connect here? Looks like an IP address from China..

106023: Deny tcp src outside:125.65.112.217/6000 dst inside:111.222.333.70/8000 by access-group "inbound"
106023: Deny tcp src outside:125.65.112.217/6000 dst inside:111.222.333.70/3128 by access-group "inbound"
106023: Deny tcp src outside:125.65.112.217/6000 dst inside:111.222.333.70/7212 by access-group "inbound"



This is really the only connection that i want to allow...

106023: Deny icmp src 333.444.555 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"

nodisco Commented:
The denies show you pinging 192.168.1.30 mapped as 111.222.333.70, but in the previous post you said 192.168.1.30 was mapped as 111.222.333.67 and working on whatismyip.com? Are we OK here or am I picking you up wrong?

If the statics are definitely listed as follows:
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.70 192.168.1.30 netmask 255.255.255.255 0 0

Pls do the following
First:

clear xlate
no access-group inbound in interface outside
no access-list inbound
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list inbound permit tcp any host 111.222.333.69 eq 3001
access-list inbound permit tcp any host 111.222.333.70 eq 3001
access-list inbound deny ip any any

access-group inbound in interface outside

Re-applying the acl can be necessary in some instances when making big changes.
Then, try pinging and, more importantly, telnetting to port 3001 on the 2 public IPs and check the logs to see what you get.

cheers
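As an added illustration of the first-match, end-of-list-deny behaviour debated above (example code written for this page, not anything from the thread or from Cisco), the following Python models the rebuilt `inbound` list from nodisco's post, including its explicit `deny ip any any`, and evaluates a few constructed packets against it. The 111.222.333.x addresses are the thread's own obfuscated placeholders; the `Ace` and `AccessList` names and the sample packets are mine. One thing it makes visible: the list permits ICMP echo-reply, unreachable and time-exceeded, but never echo-request (type 8), so an inbound ping to the static addresses falls through to the deny, which is exactly what the `Deny icmp ... (type 8, code 0)` log lines earlier in the thread report.

```python
"""First-match ACL evaluation with the end-of-list deny, PIX style.

Added example for this page; not code from the thread or from Cisco.
The ACEs mirror the thread's rebuilt 'inbound' list; the packets are
constructed samples. 111.222.333.x are the thread's obfuscated addresses.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    """One access-control entry. None in a field means 'any'."""
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp" or "ip" (matches all)
    dst: Optional[str] = None         # destination host, None for any
    dport: Optional[int] = None       # tcp/udp destination port, None for any
    icmp_type: Optional[str] = None   # icmp type keyword, None for any
    hitcnt: int = 0                   # incremented on match, like 'show access-list'

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dst is not None and self.dst != pkt["dst"]:
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.get("icmp_type"):
            return False
        return True


class AccessList:
    def __init__(self, name: str, aces):
        self.name = name
        self.aces = list(aces)
        self.implicit_deny_hits = 0

    def evaluate(self, pkt: dict):
        """Return (action, line number) of the first matching ACE.

        Nothing matched -> ("deny", None): the implicit deny at the end of
        every list, which an explicit 'deny ip any any' only makes countable.
        """
        for lineno, ace in enumerate(self.aces, start=1):
            if ace.matches(pkt):
                ace.hitcnt += 1
                return ace.action, lineno
        self.implicit_deny_hits += 1
        return "deny", None

    def hit_counts(self):
        """Per-line hit counts in the order 'show access-list' prints them."""
        return [ace.hitcnt for ace in self.aces]


def build_inbound() -> AccessList:
    """The thread's inbound list as rebuilt in nodisco's post above."""
    return AccessList("inbound", [
        Ace("permit", "icmp", icmp_type="echo-reply"),
        Ace("permit", "icmp", icmp_type="unreachable"),
        Ace("permit", "icmp", icmp_type="time-exceeded"),
        Ace("permit", "tcp", dst="111.222.333.69", dport=3001),
        Ace("permit", "tcp", dst="111.222.333.70", dport=3001),
        Ace("deny", "ip"),
    ])


def run_samples() -> dict:
    """Evaluate constructed packets; returns {label: (action, matched line)}."""
    acl = build_inbound()
    samples = {
        # the wanted management connection
        "tcp-3001-to-70": {"proto": "tcp", "dst": "111.222.333.70", "dport": 3001},
        # an inbound ping: echo-request (type 8) is not echo-reply, so only the deny matches
        "ping-to-70": {"proto": "icmp", "dst": "111.222.333.70", "icmp_type": "echo-request"},
        # background internet noise on 445
        "tcp-445-to-70": {"proto": "tcp", "dst": "111.222.333.70", "dport": 445},
        # a returning ICMP unreachable is allowed through by line 2
        "unreach-to-70": {"proto": "icmp", "dst": "111.222.333.70", "icmp_type": "unreachable"},
    }
    results = {label: acl.evaluate(pkt) for label, pkt in samples.items()}
    results["hitcnt"] = acl.hit_counts()
    results["implicit_deny_hits"] = acl.implicit_deny_hits
    return results


if __name__ == "__main__":
    for label, value in run_samples().items():
        print(f"{label}: {value}")
```

The `hitcnt` list the sample run returns corresponds to the `(hitcnt=N)` column of `show access-list`, which is why the thread's earlier output showed hits on the `.70 eq 3001` line while `echo-reply` stayed at zero: the pings were never matching a permit at all.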
 
No_Expert_Here (Author) Commented:
Ok, a small change with that, but I entered it as you listed...
The icmp denies don't mention the access-list anymore.

I'll save it and reboot to see if that helps...

 
clear xlate
no access-group inbound in interface outside
no access-list inbound
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit tcp any host 111.222.333.70 eq 3001
 



106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)  
 

 

No_Expert_Here (Author) Commented:
Ooops..
I forgot to apply the access-list...

So I rebooted, then
did access-group inbound in interface outbound
and got this after pinging



106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny tcp src outside:86.5.198.82/4479 dst inside:111.222.333.70/445 by access-group "inbound"

I don't know whose IP address is listed on the last line there??

What if I just open the whole thing up and see what happens?




nodisco Commented:
106023: Deny tcp src outside:86.5.198.82/4479 dst inside:111.222.333.70/445 by access-group "inbound"
Port 445 is netbios and you don't want this getting in any kind of way - it's most likely malicious traffic.

Can you try the telnet on port 3001 and see what happens - I want to see what happens in the log when you try this

No_Expert_Here (Author) Commented:
This was after me trying a telnet session on port 3001

609001: Built local-host inside:192.168.1.30
305009: Built static translation from inside:192.168.1.30 to outside:111.222.333.70
302013: Built inbound TCP connection 2830 for outside:333.444.555 .222/63059 (70.248.4.222/63059) to inside:192.168.1.30/3001 (111.222.333.70/3001)


This was after trying to query the device using the software
Deny icmp src outside:333.444.555.222 dst inside:166.102.135.70 (type 8, code 0) by access-group "in_bound"

nodisco Commented:
There may be something else you need to open - just as a quick test - open the public ip to just your source address e.g.

Put in the following:
access-list inbound line 1 permit ip host 333.444.555.222 host 111.222.333.70 log 6 interval 600

Then try again.

Then watch the logs

No_Expert_Here (Author) Commented:
Nodisco.....

YOU ARE D'MAN!

Thank goodness...it's working now...
access-list inbound line 1 permit ip host 333.444.555.222 host 111.222.333.70 log 6 interval 600
did the trick. I saved the configuration.

Now how do I turn the logging off so it doesn't slow the network down any?

nodisco Commented:
ahh my friend.  The point is to check the log!  
You have now opened up all ports from your test ip to the .70 address.  What you need to do now is look at the logs when you make a successful connection as you seem to need more than just the port 3001 for this to work.  The logging is set as informational so it will report all hits that match the acl.  You can amend the acl to allow just the required ports accordingly so as not to fully open your secure host.

To remove logging from that one line:
"To disable a log option without having to remove the ACE, use access-list id log disable. "

And to turn off logging:
no logging on

cheers
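To make the "check the log" step above concrete (nodisco's advice to read the 106023 denies and 302013 builds while a connection is attempted, then narrow the wide-open test line back to just the services that were really needed), here is an added Python helper, not part of the thread, that parses PIX 6.x syslog lines of the three kinds posted in it and separates the denies coming from your own test address from the background noise hitting the same public IP. The sample lines are constructed in the thread's format: the 111.222.333.x placeholders are kept, 203.0.113.5 stands in for the tester's address and 198.51.100.x for unrelated internet sources, and the single udp/3001 line is invented to show how an extra required port would surface. The `parse_line` and `summarize` names are mine.

```python
"""Parse PIX 6.x syslog lines (106023, 106014, 302013) and summarise them.

Added example for this page; not code from the thread or from Cisco.
SAMPLE_LOG is constructed in the thread's format with documentation-range
source addresses (203.0.113.5 = tester, 198.51.100.x = unrelated noise).
"""
import re
from collections import Counter

# 106023: packet denied by an applied access-group (explicit or end-of-list deny).
DENY_ACL = re.compile(
    r'^106023: Deny (?P<proto>\w+) src \w+:(?P<src>[^/ ]+)(?:/(?P<sport>\d+))? '
    r'dst \w+:(?P<dst>[^/ ]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))? by access-group "(?P<acl>[^"]+)"$')

# 106014: inbound ICMP denied with no access-group named, as seen in the thread
# after the list was rebuilt but before 'access-group' was re-applied.
DENY_ICMP = re.compile(
    r'^106014: Deny inbound icmp src \w+:(?P<src>[^/ ]+) dst \w+:(?P<dst>[^/ ]+) '
    r'\(type (?P<itype>\d+), code (?P<icode>\d+)\)$')

# 302013: TCP connection built; the parenthesised addresses are the translated ones.
BUILT_TCP = re.compile(
    r'^302013: Built (?P<direction>\w+) TCP connection (?P<cid>\d+) for '
    r'\w+:(?P<src>[^/ ]+)/(?P<sport>\d+) \([^)]*\) to '
    r'\w+:(?P<dst>[^/ ]+)/(?P<dport>\d+) \((?P<gdst>[^/]+)/(?P<gdport>\d+)\)$')


def parse_line(line: str):
    """Return a dict describing the event, or None for lines we do not model."""
    line = line.strip()
    m = DENY_ACL.match(line)
    if m:
        d = m.groupdict()
        service = f"icmp-type-{d['itype']}" if d["proto"] == "icmp" else f"{d['proto']}/{d['dport']}"
        return {"kind": "deny", "src": d["src"], "dst": d["dst"], "service": service, "acl": d["acl"]}
    m = DENY_ICMP.match(line)
    if m:
        d = m.groupdict()
        return {"kind": "deny", "src": d["src"], "dst": d["dst"],
                "service": f"icmp-type-{d['itype']}", "acl": None}
    m = BUILT_TCP.match(line)
    if m:
        d = m.groupdict()
        return {"kind": "built", "src": d["src"], "dst": d["dst"],
                "service": f"tcp/{d['dport']}", "global_dst": d["gdst"]}
    return None


def summarize(lines, tester_src: str) -> dict:
    """Count denies per flow and split them into 'from the tester' vs 'everyone else'."""
    denied = Counter()
    built = []
    tester, others = set(), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "built":
            built.append(ev)
            continue
        denied[(ev["src"], ev["dst"], ev["service"], ev["acl"])] += 1
        (tester if ev["src"] == tester_src else others).add(ev["service"])
    return {"denied": denied, "built": built,
            "tester_denied": sorted(tester), "other_denied": sorted(others)}


# Constructed sample buffer in the format the thread's 'show log' output uses.
SAMPLE_LOG = """\
106023: Deny icmp src outside:203.0.113.5 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:203.0.113.5 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny tcp src outside:198.51.100.9/6000 dst inside:111.222.333.70/8000 by access-group "inbound"
106023: Deny tcp src outside:198.51.100.9/6000 dst inside:111.222.333.70/3128 by access-group "inbound"
106023: Deny tcp src outside:198.51.100.23/4479 dst inside:111.222.333.70/445 by access-group "inbound"
106014: Deny inbound icmp src outside:203.0.113.5 dst inside:111.222.333.70 (type 8, code 0)
302013: Built inbound TCP connection 2830 for outside:203.0.113.5/63059 (203.0.113.5/63059) to inside:192.168.1.30/3001 (111.222.333.70/3001)
106023: Deny udp src outside:203.0.113.5/50211 dst inside:111.222.333.70/3001 by access-group "inbound"
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines(), "203.0.113.5")
    print("needed by the tester but denied:", s["tester_denied"])
    print("denied background noise:", s["other_denied"])
    for flow, n in s["denied"].most_common():
        print(n, flow)
```

Feeding a captured `show log` buffer to `summarize()` with the tester's address gives, in `tester_denied`, exactly the services the broad `permit ip host ... host ...` test line is currently hiding, so the ACL can be narrowed back to those; `other_denied` is what the end-of-list deny is already doing its job on and should stay denied.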
 
No_Expert_Here (Author) Commented:
Ok, will do... Thank you so much. I was ready to go place a 2nd router behind the modem and set it up separately. Fortunately, you came through with the know-how and patience. Thanks again...

nodisco Commented:
No worries - glad you got it working.
Question has a verified solution.