Solved

Can't ping or access host that is statically nat'd behind Pix 501.

Posted on 2009-04-23
Last Modified: 2012-05-06
I can't figure out where I'm going wrong here. I have a static mapping for an inside IP address of 192.168.1.30 to an outside IP address ending in .67. I can't ping it, or telnet into it using port 3001, which is what is required for the device. If however I PAT it using the PIX's outside IP address of .66 along with an access list to allow port 3001, it works fine. The problem is I have two of these devices and need to be able to access them over port 3001 with outside IPs ending in .67 and .68. I feel like it's being blocked coming back out, which is why I tried at least setting it up so I could ping it. Can anyone help me on this?

Thanks...
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list inbound permit tcp any host 111.222.333.67 eq 3001
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 111.222.333.67 range 1 65535
access-list outbound permit ip any any
access-list outbound permit icmp any any echo-reply
pager lines 24
logging buffered debugging
icmp permit host 111.222.333.67 outside
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.199.97.0 255.255.255.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 75.109.45.133 255.255.255.255 outside
pdm location 192.168.1.30 255.255.255.255 inside
pdm location 192.168.1.31 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 200
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.67 192.168.1.30 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 111.222.333.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxx
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxxxx password xxxxxxx store-local
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:bef46ee1bd690a931ce62b18e84023e0
: end

Question by:No_Expert_Here
35 Comments
 
LVL 23

Expert Comment

by:debuggerau
ID: 24220935
Just looking at the differences and I see these lines:
access-list inbound permit tcp any host 111.222.333.67 range 1 65535
icmp permit host 111.222.333.67 outside

But you're having trouble with the 66 address, so it is a strange one...

Author Comment

by:No_Expert_Here
ID: 24221123
access-list inbound permit tcp any host 111.222.333.67 range 1 65535
was my desperate attempt to make sure that I had all the needed ports open.
I've been instructed that the only port I need is 3001.

But from my house, I tried to telnet in to 111.222.333.67 and .68 on port 3301.
I left the windows open and ran a show conn and show xlate and got the following results.
The ping test still doesn't work, and I did add
the following lines...

access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any source-quench

Again, if I use the outside interface of 111.222.333.66 and PAT 3001 to 192.168.1.30, the device works!

But I need .67 and .68 to work using NAT because they both have to use 3001.
If you look at the output below, it looks like it is translating in... but maybe not getting back out???

I'm including the config as it is now since I changed it a bit, but still not working....

pixfirewall(config)#  show conn
2 in use, 37 most used
TCP out me.me.me.133:1225 in 192.168.1.30:3001 idle 0:00:08 Bytes 43 flags UOB
TCP out me.me.me.133:1229 in 192.168.1.31:3001 idle 0:00:20 Bytes 36 flags UOB
pixfirewall(config)# show xlate
15 in use, 105 most used
Global 111.222.333.67 Local 192.168.1.30
PAT Global 111.222.333.66(1317) Local 192.168.1.12(49210)
PAT Global 111.222.333.66(1318) Local 192.168.1.12(56726)
PAT Global 111.222.333.66(1499) Local 192.168.1.12(1911)
PAT Global 111.222.333.66(1498) Local 192.168.1.12(1908)
PAT Global 111.222.333.66(1501) Local 192.168.1.12(1913)
PAT Global 111.222.333.66(1500) Local 192.168.1.12(1912)
PAT Global 111.222.333.66(1503) Local 192.168.1.12(1914)
PAT Global 111.222.333.66(1502) Local 192.168.1.13(4605)
PAT Global 111.222.333.66(1505) Local 192.168.1.12(1916)
PAT Global 111.222.333.66(1504) Local 192.168.1.12(1915)
PAT Global 111.222.333.66(1507) Local 192.168.1.13(4606)
PAT Global 111.222.333.66(1506) Local 192.168.1.12(1919)
PAT Global 111.222.333.66(1508) Local 192.168.1.13(4607)
Global 111.222.333.68 Local 192.168.1.31
pixfirewall(config)#
 
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list inbound permit tcp any host 111.222.333.67 eq 3001
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any source-quench
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 200
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.67 192.168.1.30 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 111.222.333.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http xx.yy.zz.tt 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address x netmask x
isakmp key ******** address x netmask x
isakmp key ******** address x netmask x
isakmp key ******** address x netmask x
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname x
vpdn group pppoe_group ppp authentication pap
vpdn username x password ********* store-local
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80


Author Comment

by:No_Expert_Here
ID: 24221135
I typo'd port 3001. I did not mean to type 3301.
It should have been:

but from my house, I tried to telnet in to 111.222.333.67 and .68 on port 3001
LVL 19

Expert Comment

by:nodisco
ID: 24221172
hey there

3 things I would check quickly on this
Do you have a public switch that the outside int of the PIX connects to?  Check the arp entries on it for the 67/68 addresses - clear arp or even reboot it if you can

Have you cleared the xlate table since making these changes on the PIX?
If you have not, the PIX will have issues with what ip your internal host should be translating to
clear xlate

Are you able to upgrade your PIX OS to 6.3(5)?  I would do this if you have CCO

cheers

Author Comment

by:No_Expert_Here
ID: 24221181
and one other thing, i cannot ping .67 and .68.
But I can ping .66(the pix's outside interface)
LVL 23

Expert Comment

by:debuggerau
ID: 24221242
I hoped you rebooted after the changes, i too had issues with that version when doing nat changes...

Occasionally, I even needed to boot twice...

And outbound group is needed firstly though.
access-group outbound out interface inside
access-list outbound permit icmp any any echo-reply

Author Comment

by:No_Expert_Here
ID: 24221270
I will save and reboot after adding the outbound, debuggerau.

The outside interface plugs directly into the modem, and I changed .67 to .69, then to .70 in case there was a conflict with .67 or .68 somehow. But the results were the same using .69 and .70.

about to save and reboot...

LVL 19

Expert Comment

by:nodisco
ID: 24221272
That's not true - you don't need to create an ACL for inside to outside traffic unless you specifically want to stop certain inside traffic from getting out. By default, it's allowed out anyway due to the security levels in the ASA algorithm the PIX uses.

Author Comment

by:No_Expert_Here
ID: 24221335
OK, I did not do the outbound ACL on the inside interface.
I did reboot several times...
then tried
telnet 111.222.333.70 3001 (I changed .67 to .70 in case it was an external IP issue)
then I did a show conn and got basically the same thing..


pixfirewall# show conn
2 in use, 6 most used
TCP out me.me.me.133:1385 in 192.168.1.30:3001 idle 0:00:05 Bytes 0 flags UB
TCP out 80.12.192.74:80 in 192.168.1.7:4750 idle 0:00:02 Bytes 56191 flags UIO
pixfirewall#

I still find it odd that I cannot ping the inside hosts 192.168.1.30 and .31 even though they are mapped and I added ICMP lines to the access-list.

I can ping .66 (the PIX's outside IP).

Version 6.3(4) is starting to look like it might be something I need to change.

LVL 23

Expert Comment

by:debuggerau
ID: 24221861
That's funny, my PIX has a default entry which cannot be removed for each nat.

access-list outside_access_in deny ip any any
access-list inside_access_in deny ip any any

Any ACL's above that take precedence..

LVL 19

Expert Comment

by:nodisco
ID: 24221884
Its an intrinsic deny all.  Acls have an inherent deny all at the end of them no matter what you do - its kind of a safety net in case you accidentally open more than you should
:-)
LVL 23

Expert Comment

by:debuggerau
ID: 24222088
seems to contradict your earlier comment, and I did need to specify each outgoing rule in the firewall, else nothing would go out.

I thought the security level was more to do with IDC

Author Comment

by:No_Expert_Here
ID: 24223273
I added the following to see if it would make a difference, but the results did not change any.

access-list outbound permit icmp any any echo-reply
access-list outbound permit icmp any any time-exceeded
access-list outbound permit icmp any any unreachable
access-list outbound permit icmp any any source-quench

access-group outbound in interface inside


Author Comment

by:No_Expert_Here
ID: 24223288
Is there a fixup command that I'm missing or should not have?


Author Comment

by:No_Expert_Here
ID: 24226053
nodisco,

I'm going to go ahead and upgrade the IOS from 6.3(4) to 6.3(5).
I hope it doesn't kill my VPN when I do it..
I have version 7.1(2) but I think that would be more risky than 6.3(5).

Will let you know what happens, I'm just waiting for everyone to go to lunch!

Author Comment

by:No_Expert_Here
ID: 24226838
BTW, I turned on debug icmp trace and pinged the static mappings from the outside.
I did not get any replies but the PIX did report the ping requests..

pixfirewall#
13: ICMP echo-request from outside:me.me.me.133 to 111.222.444.68 ID=1783 seq=2816 length=40
14: ICMP echo-request from outside:me.me.me.133 to 111.222.333.68 ID=1783 seq=3072 length=40
15: ICMP echo-request from outside:me.me.me.133 to 111.222.333.68 ID=1783 seq=3328 length=40
16: ICMP echo-request from outside:me.me.me.133 to 111.222.333.68 ID=1783 seq=3584 length=40

I just wanted to make sure the external IPs were routed to our network by the ISP correctly.


Author Comment

by:No_Expert_Here
ID: 24228470
OK,
I upgraded the PIX IOS to 6.3(5) but it did not seem to help.
I tried to upgrade to 7.1(2) but it errored out with a message about not enough memory to do so.
The VPN I have in place was not affected, thank goodness.
Any more ideas?

LVL 19

Expert Comment

by:nodisco
ID: 24230223
debuggerau
<<seems to contradict your earlier comment, and I did need to specify each outgoing rule in the firewall, else nothing would go out.>>
I don't know what you mean by this and as I said, you DO NOT need an ACL applied on the inside to allow outbound traffic fundamentally; your PIX may be configured in such a way that it requires it, but this is not the case uniformly.  Besides - this is off topic.

No_expert_here
Can you post your config as it is now and also the output of sh access-list
I'm sure we will get it sorted yet!

Author Comment

by:No_Expert_Here
ID: 24232961
here goes...


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0
access-list inbound permit tcp any host 111.222.333.67 eq 3001
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any source-quench
access-list inbound permit tcp any host 111.222.333.69 eq 3001
access-list inbound permit tcp any host 111.222.333.70 eq 3001
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.199.97.0 255.255.255.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location me.me.me.133 255.255.255.255 outside
pdm location 192.168.1.30 255.255.255.255 inside
pdm location 192.168.1.31 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 200
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.70 192.168.1.30 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 111.222.333.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http me.me.me.133 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address w netmask 255.255.255.255
isakmp key ******** address x netmask 255.255.255.255
isakmp key ******** address y netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname x
vpdn group pppoe_group ppp authentication pap
vpdn username x password ********* store-local
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:d43dd3c68043f041a5a5ac7491802d62
: end
[OK]

                                                                                             
pixfirewall# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0 (hitcnt=0)
access-list 102; 1 elements
access-list 102 line 1 permit ip 192.168.1.0 255.255.255.0 10.199.97.0 255.255.255.0 (hitcnt=16)
access-list inbound; 8 elements
access-list inbound line 1 permit tcp any host 111.222.333.67 eq 3001 (hitcnt=0)
access-list inbound line 2 permit tcp any host 111.222.333.68 eq 3001 (hitcnt=1)
access-list inbound line 3 permit icmp any any echo-reply (hitcnt=0)
access-list inbound line 4 permit icmp any any time-exceeded (hitcnt=2)
access-list inbound line 5 permit icmp any any unreachable (hitcnt=8)
access-list inbound line 6 permit icmp any any source-quench (hitcnt=0)
access-list inbound line 7 permit tcp any host 111.222.333.69 eq 3001 (hitcnt=0)
access-list inbound line 8 permit tcp any host 111.222.333.70 eq 3001 (hitcnt=2)
pixfirewall#
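As an added check, not code from the thread: a small Python script that parses a PIX 6.3 config excerpt (constructed to mirror the one just posted) and cross-references each static against the ACL applied inbound on the outside interface, for the services the devices are supposed to accept. On that configuration it reports two things the eye skips over: neither static has a permit for ICMP echo (the inbound list permits echo-reply, time-exceeded, unreachable and source-quench, but an inbound ping is an echo request, type 8), and the ACEs for .67 and .69 no longer correspond to any static. The `required` list, the `audit`/`parse_config` names and the octet-wise address matching (the 111.222.333.x placeholders are not valid IPv4, so the `ipaddress` module would reject them) are assumptions of the example.

```python
import re

# Constructed excerpt mirroring the thread's final config (same statics and
# inbound ACL). The 111.222.333.x placeholders are not valid IPv4, so matching
# below is done octet by octet instead of with the ipaddress module.
SAMPLE_CONFIG = """\
access-list inbound permit tcp any host 111.222.333.67 eq 3001
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit tcp any host 111.222.333.69 eq 3001
access-list inbound permit tcp any host 111.222.333.70 eq 3001
ip address outside 111.222.333.66 255.255.255.248
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.70 192.168.1.30 netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

# Both PIX 6.3 forms: "static (in,out) GLOBAL LOCAL netmask ..." and the
# port form "static (in,out) tcp GLOBAL GPORT LOCAL LPORT netmask ...".
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\)\s+(?:(tcp|udp)\s+)?(\S+)\s+(?:(\d+)\s+)?"
    r"(\S+)\s+(?:(\d+)\s+)?netmask"
)

def _take_addr(t, i):
    """Consume one address spec (any | host X | NET MASK) starting at t[i]."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] == "host":
        return ("host", t[i + 1]), i + 2
    return ("net", (t[i], t[i + 1])), i + 2

def parse_ace(t):
    """t: tokens of 'access-list NAME permit|deny PROTO SRC DST [svc] [log ...]'."""
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    return {"name": t[1], "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "rest": t[i:]}

def parse_config(text):
    """Return (ACL applied inbound on outside, outside ip, statics, ACEs)."""
    acl_name, outside_ip, statics, aces = None, None, [], []
    for line in text.splitlines():
        t, m = line.split(), STATIC_RE.match(line)
        if m:
            _, _, proto, gaddr, gport, laddr, _ = m.groups()
            statics.append({"global": gaddr, "local": laddr,
                            "proto": proto, "gport": gport})
        elif t[:1] == ["access-list"] and len(t) > 4 and t[2] in ("permit", "deny"):
            aces.append(parse_ace(t))
        elif t[:3] == ["ip", "address", "outside"]:
            outside_ip = t[3]
        elif t[:1] == ["access-group"] and t[2:3] == ["in"] and t[-1] == "outside":
            acl_name = t[1]
    return acl_name, outside_ip, statics, aces

def _addr_match(spec, ip):
    kind, val = spec
    if kind == "any":
        return True
    if kind == "host":
        return val == ip
    net, mask = val
    return all((int(a) & int(m)) == (int(b) & int(m)) for a, b, m in
               zip(net.split("."), ip.split("."), mask.split(".")))

def _service_match(ace, proto, svc):
    """Does the ACE cover proto/svc (svc = TCP/UDP port or ICMP keyword)?"""
    if ace["proto"] == "ip":
        return True
    if ace["proto"] != proto:
        return False
    rest = ace["rest"]
    if not rest or rest[0] == "log":
        return True                       # whole protocol, no port/type qualifier
    if proto == "icmp":
        return rest[0] == svc
    if rest[0] == "eq":
        return rest[1] == svc
    if rest[0] == "range":
        return int(rest[1]) <= int(svc) <= int(rest[2])
    return False

def audit(config_text, required):
    """required = [(proto, svc), ...] every static must accept from outside.
    Returns statics with no permitting ACE for a required service, plus host
    destinations in the ACL that are neither a static global nor the outside
    interface address (such ACEs can never match anything)."""
    acl_name, outside_ip, statics, aces = parse_config(config_text)
    acl = [a for a in aces if a["name"] == acl_name]
    globals_ = {s["global"] for s in statics}
    uncovered, dead = [], []
    for s in statics:
        for proto, svc in required:
            if s["proto"] and (s["proto"] != proto or s["gport"] != svc):
                continue                  # a port static only exposes its own port
            hit = next((a for a in acl if _addr_match(a["dst"], s["global"])
                        and _service_match(a, proto, svc)), None)
            if hit is None or hit["action"] == "deny":   # first match wins
                uncovered.append((s["global"], s["local"], proto, svc))
    for a in acl:
        kind, val = a["dst"]
        if kind == "host" and val not in globals_ and val != outside_ip:
            dead.append(val)
    return {"uncovered": uncovered, "dead_aces": dead}
```

Run it as `audit(open("pix.cfg").read(), [("tcp", "3001"), ("icmp", "echo")])` after every change to the statics or the ACL; the point is that on a PIX the translation and the ACE are edited separately, and the `show access-list` hit counts only tell you which ACEs fired, not which statics have no ACE at all.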

Author Comment

by:No_Expert_Here
ID: 24233203
If I change the static mapping so that it uses the pix's outside interface with port forwarding...
static (inside,outside) tcp 111.222.334.66 3001 192.168.1.31 3001 netmask 255.255.255.255 0 0
along with
access-list inbound permit tcp any host 111.222.333.66 eq 3001
It works fine. The problem is I have two of these devices on the inside and they both require port 3001.


Author Comment

by:No_Expert_Here
ID: 24233305
If I do the same thing with .67, .68, .69, .70 as I do with the PIX's outside IP of .66, it will not work.

DOES NOT WORK
static (inside,outside) tcp 111.222.333.70 3001 192.168.1.30 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.70 eq 3001


DOES NOT WORK
static (inside,outside) tcp 111.222.333.70 3001 192.168.1.31 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.70 eq 3001


THIS DOES WORK

static (inside,outside) tcp 111.222.333.66 3001 192.168.1.30 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.66 eq 3001


THIS DOES WORK
static (inside,outside) tcp 111.222.333.66 3001 192.168.1.31 3001 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 111.222.333.66 eq 3001

I did have someone place a laptop in parallel with the PIX and assign the .67, .68, .69, and .70
to its interface, and verify each time that they get internet access, as well as had him go to
www.whatismyip.com and make sure they were reporting the correct IP address.

Author Comment

by:No_Expert_Here
ID: 24233505
Is there a way for me to send an automatic reboot command to the PIX in case I lose contact with it after trying to change the PIX's outside IP address to .70 remotely? The PIX is in another town and I don't know if I can change the IP without losing contact with it. I just want to make sure that the problem I'm having isn't because there is something wrong with the IP addresses assigned by our ISP.
LVL 19

Expert Comment

by:nodisco
ID: 24233750
No - on a router you can issue a "reload in 10" to reboot it in 10 mins for example, but not on a PIX.  But if your laptop can get out on the web using these public IPs then they are working correctly from the ISP side of things.  If you do have a chance in the office though, I would quickly change the PIX's outside int address to one of the avail addresses for peace of mind!

Can you go on the internet with 192.168.1.30 and 192.168.1.31 - go to whatismyip.com and see if they are translating correctly to their correct address - that's the quickest way to test.
Your acl shows the hitcnt incrementing but you are not getting a reply.
Are your machines 192.168.1.30 and 31 using the PIX as their default gateway - if not what is it?
Make sure to clear xlate after making any translation tables

You could try turning on logging and checking the pix as you attempt these connections to see what's going on:
logging on
logging timestamp
logging monitor errors
logging buffered notifications
or
logging buffered informational
Open the connection from outside and at the same time - sh log - do it a few times and you will catch the detail.


Author Comment

by:No_Expert_Here
ID: 24233985
OK, will try logging...

Also, I forgot that I had someone unplug the network cable from one of the devices assigned to 192.168.1.30 and then had them take a workstation on the inside and assign 192.168.1.30 to it and do a whatismyip.com, and sure enough it reported 111.222.333.67.

Author Comment

by:No_Expert_Here
ID: 24234092
Looks like you're on to something here Nodisco!!!

after turning logging on, I did some pings from home, and tried to get the other office here to
make the connection to the device (192.168.1.30) statically mapped to 111.222.333.70....

This was me trying to ping .70 from home.

106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"



*I have no idea who's trying to connect here; it looks like an IP address from China..

106023: Deny tcp src outside:125.65.112.217/6000 dst inside:111.222.333.70/8000 by access-group "inbound"
106023: Deny tcp src outside:125.65.112.217/6000 dst inside:111.222.333.70/3128 by access-group "inbound"
106023: Deny tcp src outside:125.65.112.217/6000 dst inside:111.222.333.70/7212 by access-group "inbound"



This is really the only connection that i want to allow...

106023: Deny icmp src 333.444.555 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
      

LVL 19

Expert Comment

by:nodisco
ID: 24234706
The denies show you pinging 192.168.1.30 mapped as 111.222.333.70 but in the previous post you said 192.168.1.30 was mapped as 111.222.333.67 and working on whatismyip.com?  Are we aok here or I am picking you up wrong?

If the statics are definitely listed as follows:
static (inside,outside) 111.222.333.68 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.70 192.168.1.30 netmask 255.255.255.255 0 0

Pls do the following
First:

clear xlate
no access-group inbound in interface outside
no access-list inbound
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list inbound permit tcp any host 111.222.333.69 eq 3001
access-list inbound permit tcp any host 111.222.333.70 eq 3001
access-list inbound deny ip any any

access-group inbound in interface outside

Re-applying the acl can be necessary in some instances when making big changes.
Then, try pinging and more importantly telnetting to port 3001 on the 2 publics ips and check the logs to see what you get.

cheers

Author Comment

by:No_Expert_Here
ID: 24236187
OK, a small change with that, but I entered it as you listed...
The ICMP denies don't mention the access-list anymore.

I'll save it and reboot to see if that helps...

 
clear xlate
no access-group inbound in interface outside
no access-list inbound
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list inbound permit tcp any host 111.222.333.68 eq 3001
access-list inbound permit tcp any host 111.222.333.70 eq 3001
 



106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)  
 

 

Author Comment

by:No_Expert_Here
ID: 24236261


Oops..
I forgot to apply the access-list...

so I rebooted then
did access-group inbound in interface outbound
and got this after pinging



106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny tcp src outside:86.5.198.82/4479 dst inside:111.222.333.70/445 by access-group "inbound"

I don't know whose IP address is listed on the last line there??

What if I just open the whole thing up and see what happens?




LVL 19

Expert Comment

by:nodisco
ID: 24237770
106023: Deny tcp src outside:86.5.198.82/4479 dst inside:111.222.333.70/445 by access-group "inbound"
Port 445 is netbios and you don't want this getting in any kind of way - it is most likely malicious traffic.

Can you try the telnet on port 3001 and see what happens - I want to see what happens in the log when you try this

Author Comment

by:No_Expert_Here
ID: 24238713
this was after me trying a  telnet session on port 3001

609001: Built local-host inside:192.168.1.30
305009: Built static translation from inside:192.168.1.30 to outside:111.222.333.70
302013: Built inbound TCP connection 2830 for outside:333.444.555 .222/63059 (70.248.4.222/63059) to inside:192.168.1.30/3001 (111.222.333.70/3001)


This was after trying to query the device using the software
Deny icmp src outside:333.444.555.222 dst inside:166.102.135.70 (type 8, code 0) by access-group "in_bound"
LVL 19

Expert Comment

by:nodisco
ID: 24238741
There may be something else you need to open - just as a quick test - open the public ip to just your source address e.g.

Put in the following:
access-list inbound line 1 permit ip host 333.444.555.222 host 111.222.333.70 log 6 interval 600

Then try again.

Then watch the logs

Author Comment

by:No_Expert_Here
ID: 24241988
Nodisco.....

YOU ARE D'MAN!

Thank goodness...it's working now...
access-list inbound line 1 permit ip host 333.444.555.222 host 111.222.333.70 log 6 interval 600
did the trick. I saved the configuration.

Now how do I turn the logging off so it doesn't slow the network down any?
LVL 19

Accepted Solution

by:
nodisco earned 2000 total points
ID: 24245481
ahh my friend.  The point is to check the log!  
You have now opened up all ports from your test ip to the .70 address.  What you need to do now is look at the logs when you make a successful connection as you seem to need more than just the port 3001 for this to work.  The logging is set as informational so it will report all hits that match the acl.  You can amend the acl to allow just the required ports accordingly so as not to fully open your secure host.

To remove logging from that one line:
"To disable a log option without having to remove the ACE, use access-list id log disable. "

And to turn off logging:
no logging on

cheers
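An added example, not code from the thread: the advice just given is to read the log while the catch-all `permit ip` is in place and then narrow the ACE to what the device actually needs. This Python script does the reading for you. It parses the 106023/106014 deny messages and the 302013 connection-built message posted earlier (a constructed sample repeating those lines, with the real address shown in parentheses on the 302013 line replaced by the thread's 333.444.555.222 placeholder), keeps only denies from hosts you declare as trusted management sources, and emits the narrowest ACE per denied flow; everything from other sources is reported as probe noise rather than turned into a rule. ICMP type 8 is echo request, so on the sample it proposes `permit icmp host <src> host 111.222.333.70 echo`, which is the entry the earlier list lacked (it permitted `echo-reply`, the opposite direction). The trusted-source set, the ACL name and the `analyze`/`suggested_ace` names are assumptions of the example.

```python
import re
from collections import OrderedDict

# Constructed sample repeating the 106023/106014/302013 lines posted in the
# thread, with the real address in parentheses on the 302013 line replaced by
# the same 333.444.555.222 placeholder used elsewhere in the post.
SAMPLE_LOG = """\
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
106023: Deny tcp src outside:125.65.112.217/6000 dst inside:111.222.333.70/8000 by access-group "inbound"
106023: Deny tcp src outside:125.65.112.217/6000 dst inside:111.222.333.70/3128 by access-group "inbound"
106023: Deny tcp src outside:86.5.198.82/4479 dst inside:111.222.333.70/445 by access-group "inbound"
106014: Deny inbound icmp src outside:me.me.me.133 dst inside:111.222.333.70 (type 8, code 0)
302013: Built inbound TCP connection 2830 for outside:333.444.555.222/63059 (333.444.555.222/63059) to inside:192.168.1.30/3001 (111.222.333.70/3001)
106023: Deny icmp src outside:333.444.555.222 dst inside:111.222.333.70 (type 8, code 0) by access-group "inbound"
"""

# ICMP type numbers and the keywords a PIX access-list ACE uses for them.
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 4: "source-quench",
              8: "echo", 11: "time-exceeded"}

# 106023 = denied by an ACL; 106014 = inbound ICMP denied with no ACL permit.
DENY_RE = re.compile(
    r"^(?:106014|106023): Deny (?:inbound )?(?P<proto>\w+) "
    r"src \w+:(?P<src>[^/\s]+)(?:/\d+)? "
    r"dst \w+:(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code \d+\))?"
)
# 302013 = connection built; shows real and translated addresses side by side.
BUILT_RE = re.compile(
    r"^302013: Built inbound \w+ connection \d+ for "
    r"\w+:(?P<src>[^/\s]+)/\d+ \([^)]*\) to "
    r"\w+:(?P<local>[^/\s]+)/(?P<lport>\d+) \((?P<global>[^/)]+)/(?P<gport>\d+)\)"
)

def suggested_ace(acl, proto, src, dst, dport=None, icmp_type=None):
    """Narrowest ACE that would have permitted exactly this denied flow."""
    if proto == "icmp":
        kw = ICMP_TYPES.get(int(icmp_type), icmp_type) if icmp_type else ""
        return f"access-list {acl} permit icmp host {src} host {dst} {kw}".rstrip()
    return f"access-list {acl} permit {proto} host {src} host {dst} eq {dport}"

def analyze(log_text, trusted_sources, acl="inbound"):
    """Split denies into flows from trusted hosts (worth an ACE) and noise.
    Returns {"suggested": [(ace, hits)], "noise": [(src, dst, proto, dport)],
             "built": [(src, global, gport, local, lport)]}."""
    suggested, noise, built = OrderedDict(), [], []
    for line in log_text.splitlines():
        m = DENY_RE.match(line)
        if m:
            d = m.groupdict()
            if d["src"] in trusted_sources:
                ace = suggested_ace(acl, d["proto"], d["src"], d["dst"],
                                    d["dport"], d["type"])
                suggested[ace] = suggested.get(ace, 0) + 1
            else:                         # unsolicited probe: do not open anything
                noise.append((d["src"], d["dst"], d["proto"], d["dport"]))
            continue
        m = BUILT_RE.match(line)
        if m:
            b = m.groupdict()
            built.append((b["src"], b["global"], b["gport"], b["local"], b["lport"]))
    return {"suggested": list(suggested.items()), "noise": noise, "built": built}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, {"me.me.me.133", "333.444.555.222"})
    for ace, hits in report["suggested"]:
        print(f"{hits:3d}x  {ace}")
    for src, dst, proto, dport in report["noise"]:
        print(f"noise: {src} -> {dst} {proto}/{dport}")
```

Feed it the output of `show logging` taken while the management software connects; the `built` entries confirm which translation the device is reached through (here 111.222.333.70/3001 to 192.168.1.30/3001), and the suggested entries are the ones to add in place of `permit ip host ... host ...` before that catch-all is removed. The 445 and 3128 probes from unrelated sources never become rules, which is the whole reason to keep a trusted-source set.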

Author Closing Comment

by:No_Expert_Here
ID: 31573880
Ok, will do...Thank you so much. I was ready to go place a 2nd router behind the modem and set it up separately. Fortunately, you came through with the know how and patience. Thanks Again...
LVL 19

Expert Comment

by:nodisco
ID: 24255240
no worries - glad you got working