  • Status: Solved
  • Priority: Medium
  • Security: Public
PIX Routing issue

Hi experts,

We've been assigned the following IPs from our ISP:

91.84.158.57
91.84.158.58
91.84.158.59
91.84.158.60
91.84.158.61
91.84.158.62

I've configured the following:

IP address: 91.84.158.57 (assigned to the WAN port on the ADSL router)
IP address: 91.84.158.58 (assigned to the LAN port on the ADSL router)
IP address: 91.84.158.59 (assigned to the PIX WAN E0 port)

Subnet mask: 255.255.255.248

Below is my running PIX configuration file as of this evening:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SX/Y7cXtfgcNOcz9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506e
domain-name xxxxlocal
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 255.255.255.0 91.84.158.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:baf8beb407e36304abe63376478ef7bd
: end

Using my laptop, assigned a 192.168.16.x IP from our Windows 2003 server, I'm unable to obtain an Internet connection. However, when assigning the following configuration to the LAN interface on my laptop:

IP address: 91.84.158.59
SN: 255.255.255.248
DG: 91.84.158.59
DNS1: 81.26.107.2
DNS2: 81.26.107.3

With the above configuration, I'm able to gain Internet access.

Please advise what's wrong with the PIX configuration above?
Asked by dt3itsteam

JFrederick29 commented:
Add this:

conf t
global (outside) 1 interface

dt3itsteam (Author) commented:
Hi JFrederick29,

Thanks for the quick response, can you elaborate as to what the above command does?

JFrederick29 commented:
It completes the NAT configuration on the PIX.  It basically instructs the PIX to PAT traffic traversing from the inside to the outside and use the outside interface IP address as the PAT address.  If you want, you can use a free IP from your pool for the PAT IP instead....

global (outside) 1 91.84.158.x

dt3itsteam (Author) commented:
Hi JFrederick29,

Thanks, this makes sense. I'll test this tomorrow evening and come back to you. Can you see anything else wrong with the config above? I'll be adding PAT forwarding rules for VPN, OWA etc. once I have a working config (inside > outside).

JFrederick29 commented:
Everything else looks good.

dt3itsteam (Author) commented:
JFrederick29,

I added the following statement:

global (outside) 1 interface

But still no Internet connectivity. I also added:

global (outside) 1 91.84.158.60

But again no joy. I'm able to add the following to my laptop:

IP address: 91.84.158.59
SN: 255.255.255.248
DG: 91.84.158.59
DNS1: 81.26.107.2
DNS2: 81.26.107.3

And I get a connection, so I know the CPE is good and RIP is working.

Note other than the "global (outside)" statements, no other changes have been made to the PIX, so the config above is still on the unit.

When the PIX is connected (on 192.168.1.1), I'm assigned the following via DHCP to my laptop:

IP address: 192.168.16.x
SN: 255.255.255.0
DG: 192.168.1.1
DNS: 192.168.16.2

DNS is forwarding DNS queries from 192.168.16.2 > ISP-provided DNS, the SBS server is routing the 16.x to the 1.x subnet, and Internet is operational on the 16.x IP (with the DSL router in normal PPPoA mode).

Any further thoughts?

JFrederick29 commented:
Is this a typo?  The PC should have an IP of either 192.168.16.x and a DG of 192.168.16.2 or an IP of 192.168.1.x and a DG of 192.168.1.1.  Also, if the PC is on the 192.168.16.x subnet and the SBS server is its default gateway, if the SBS server isn't doing NAT, the PIX needs a route to 192.168.1.0/24 via 192.168.1.x <--sbs server NIC on 192.168.1.x subnet.

route inside 192.168.1.0 255.255.255.0 192.168.1.x   <--sbs server IP

The SBS server should have a DG/default route via 192.168.1.1

dt3itsteam (Author) commented:
JFrederick29,

Sorry, yep, a typo. DHCP-configured PCs are as follows:

IP address: 192.168.16.x
SN: 255.255.255.0
DG: 192.168.16.2
DNS: 192.168.16.2

I've also manually configured:

IP address: 192.168.1.100
SN: 255.255.255.0
DG: 192.168.1.1
DNS: 81.26.107.2

Obviously bypassing the SBS completely, but still no Internet connectivity.

Thoughts?

JFrederick29 commented:
Ahh, looks like your default route is incorrect.

conf t
no route outside 0.0.0.0 255.255.255.0 91.84.158.58 1
route outside 0.0.0.0 0.0.0.0 91.84.158.58

dt3itsteam (Author) commented:
OK, will try again tomorrow evening. I'll keep you posted! Thanks again.

dt3itsteam (Author) commented:
Hi JFrederick29,

I've changed the config to:

ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1

I'll be implementing this this evening and will advise how it goes.

dt3itsteam (Author) commented:
Hi JFrederick29,

Great, the statement route outside 0.0.0.0 0.0.0.0 91.84.158.58 1 did the trick!

I'm now in the process of adding PAT rules to allow SMTP, VPN, HTTPS etc.

I've added the following statements:

name 192.168.1.4 Exchange
access-list outside permit tcp any interface outside eq smtp
access-list outside permit tcp any interface outside eq https
access-list outside permit tcp any interface outside eq pptp
access-list outside permit tcp any interface outside eq ftp

static (inside,outside) tcp 91.84.158.57 smtp Exchange smtp netmask 255.255.255.255 0 0
access-group outside in interface outside

However, the "91.84.158.57" IP is assigned to the router. Correct me if I'm wrong, but do I need to use the following 'available' IPs:

91.84.158.60
91.84.158.61

If so, is the static route statement above correct?

Many thanks again, and hope to hear from you soon.

JFrederick29 commented:
You can use the interface IP if desired but it is best to use a free IP if you have them available which you do.

I would do this instead:

name 192.168.1.4 Exchange
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit tcp any host 91.84.158.60 eq ftp

static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
access-group outside in interface outside

This doesn't change the static route at all.  That is all the config you need.

dt3itsteam (Author) commented:
JFrederick29,

Many thanks for the quick reply! I've quickly added the above statements, and I'm currently on the same internal network as the PIX. I was hoping to test this by trying the following:

https://91.84.158.60/exchange (obviously substituting the .60 IP for the FQDN, as the FQDN will still point to .57)

And have tried:

telnet 91.84.158.60 443

Neither connects.

dt3itsteam (Author) commented:
I should be clear: I have added:

static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

JFrederick29 commented:
Yeah, that doesn't work that way.  You'll need to test it from outside the PIX (external).

dt3itsteam (Author) commented:
JFrederick29,

I asked a colleague to try and connect to https://91.84.158.60/exchange from his DSL connection; still no luck I'm afraid. This should be forwarding to Exchange (192.168.1.4) for OWA (which is fully operational on 91.84.158.57).

Note the PIX firewall is now offline as I'm back at home and needed to reinstate our original firewall for the office tomorrow AM.

Thoughts?

dt3itsteam (Author) commented:
My free range of public IPs is:

91.84.158.60
91.84.158.61
91.84.158.62

As such, should I not have the following statement:

global (outside) 1 91.84.158.60-91.84.158.62 netmask 255.255.255.248

rather than:

global (outside) 1 interface

Please advise?

JFrederick29 commented:
No, you don't want to assign all your IPs to the PAT pool.  You can assign one of the IPs but I would use the interface IP and use the others for static server NATs.

dt3itsteam (Author) commented:
JFrederick29,

OK, this hasn't been configured, it was just a thought. The configuration is still as follows:

ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

name 192.168.1.4 Exchange

access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit tcp any host 91.84.158.60 eq ftp

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1

static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0

But I still cannot connect to our Exchange box on port 25.

I will test that the router isn't blocking anything (i.e. firewall switched on, which I recall "was" turned off) but other than this, do you see anything wrong with the above config? (Note 192.168.1.4 is pingable from the PIX.)

JFrederick29 commented:
You also added this, right?

access-group outside in interface outside

Can you "telnet 192.168.1.4 25" from a command prompt on a PC on the inside?

dt3itsteam (Author) commented:
Hi JFrederick29,

Current config:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name xxxxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.4 Exchange
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit tcp any host 91.84.158.61 eq smtp
access-list outside permit tcp any host 91.84.158.61 eq https
access-list outside permit tcp any host 91.84.158.61 eq ftp
access-list outside permit tcp any host 91.84.158.61 eq pptp
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq www
access-list inside permit udp any any eq domain
access-list inside permit tcp any any eq domain
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq pptp
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location Exchange 255.255.255.255 inside
pdm location 91.84.158.60 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.61 smtp test_lab smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.61 pptp test_lab pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.61 https test_lab https netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

dt3itsteam (Author) commented:
And sorry, to answer your question in full: I'm able to telnet to 192.168.1.4 (port 25) from a local PC.

JFrederick29 commented:
Okay, try this:

conf t
no fixup protocol smtp 25

Does HTTPS work?

dt3itsteam (Author) commented:
Hi JFrederick29,

Let me check the router isn't to blame here! As I tried both HTTPS and SMTP on the .60 IP, neither worked.

I'll come back to you later this afternoon, as I'll be dropping our network around 15:00 GMT.

JFrederick29 commented:
Yeah, sounds like the router as your PIX config is good.  Does outbound Internet access work?  If so, definitely focus on the router.

dt3itsteam (Author) commented:
Hi JFrederick29,

Yep, outbound traffic through the PIX as the DG works faultlessly! Also I suspect the damn router is to blame (hence I have configured another DSL router in a no-NAT configuration, to rule out an issue with the 1st router).

One final question if I may: I need to tunnel all Internet traffic from .61 to .1.245 (which will hit another internal firewall which will undertake PAT). Do these statements look right:

names
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.61 test_lab
static (inside,outside) tcp 91.84.158.61 any test_lab any netmask 255.255.255.255 0 0

JFrederick29 commented:
Close, I would do this if you want all IP traffic to that other Firewall:

names
name 192.168.1.245 test_lab
access-list outside permit ip any host 91.84.158.61
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0

This will forward all traffic from .61 to 1.245.

dt3itsteam (Author) commented:
JFrederick29,

I've swapped out the router but get exactly the same problem :( I've tried enabling the DMZ and port forwarding on the router to both .59 (outside int on the PIX) and .60 but no joy.

If you want me to enable you to look at this remotely, maybe that's an option?

Any thoughts?

JFrederick29 commented:
Well, using port forwarding or the DMZ will still NAT the traffic to the WAN interface of the router.  Can you completely disable NAT on the router?  What model router is it?  Your ISP is routing the 91.84.158.56/29 subnet to the WAN interface of the router, right?

dt3itsteam (Author) commented:
JFrederick29,

It's a Linksys WA54GS and I've also tried a WAG200G DSL router; both routers have NAT switched off and RIP enabled, along with the firewall turned off.

And yes Eclipse are routing the 91.84.158.56/29 subnet to the WAN interface of the router.

JFrederick29 commented:
Okay, so from a PC on the inside, go to "www.whatismyip.com".  Does it say you are coming from 91.84.158.59 or from the WAN interface IP on the Linksys?

dt3itsteam (Author) commented:
It states: 91.84.158.59

JFrederick29 commented:
Okay, then, NAT is disabled and routing is there.  You are positive the Linksys isn't doing any kind of port filtering?  Not port forwarding or DMZ, but ACL type filtering.

Remove this from the PIX also:

conf t
no fixup protocol smtp 25

JFrederick29 commented:
By the way, if the connection from your ISP is ethernet (assuming it is since you are using the Linksys), you can remove the Linksys and simply plug the ISP connection into the PIX outside and assign the PIX outside the static IP that is on the Linksys WAN interface.

dt3itsteam (Author) commented:
I'm absolutely positive there's no port forwarding, DMZ, or port range mappings on the Linksys DSL router.

Will remove the config statement now.

dt3itsteam (Author) commented:
This is becoming a nightmare. Done the config change, still cannot connect to:

https://91.84.158.60/exchange

Really appreciate your help on this BTW!

JFrederick29 commented:
I really suspect it is the Firewall in the Linksys.  Trying to find out for sure and how to disable it if possible.  Your ADSL line is phone line into the Linksys, right? or did your provider give you a DSL modem that hands off ethernet to the Linksys?

JFrederick29 commented:
To verify the PIX config is fine and to narrow it down to the Linksys, assign your PC 91.84.158.62 and plug it into the router and try to access https://91.84.158.60/exchange.  If it works, it's definitely not the PIX and you can focus all your attention on the router (trying to find the Firewall).

dt3itsteam (Author) commented:
I can try a modem rather than a router. As you and I suspect, I don't think NAT's "really" turned off. I'll add a modem in 5 mins.

JFrederick29 commented:
Great, I think that should take care of it.  You'll need to readdress the PIX outside interface to the WAN IP provided by your ISP (the IP they are routing your block of IP's to).

dt3itsteam (Author) commented:
OK, I've added a different DSL router (unfortunately it's still a router) but again with the following disabled:

NAT
Firewall
Port forwarding
DMZ

I've enabled RIP V1.1

But still no luck. I've changed the static mapping to:

static (inside,outside) tcp 91.84.158.59 smtp Exchange smtp netmask 255.255.255.255  0 0
&
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255  0 0

But I still cannot connect, is it possible this is an ISP issue?

JFrederick29 commented:
No, since you are going out to the Internet as the outside of the PIX.  Can you try the PC on the outside of the PIX to make sure you can access exchange?  That would rule out the PIX and anything with the server if it works.

dt3itsteam (Author) commented:
Sorry, I'm not clear what you mean by:

"Can you try the PC on the outside of the PIX to make sure you can access exchange?  That would rule out the PIX and anything with the server if it works"

Please advise?

JFrederick29 commented:
Assign a PC 91.84.158.62 and plug it into a free switch port on the router and try to access https://91.84.158.60/exchange.  This will verify the PIX config is good.

dt3itsteam (Author) commented:
OK thanks, I have done this and still cannot access the Exchange URL.

Please advise?

JFrederick29 commented:
Okay, you can however access that Exchange URL from the inside, right? Using the inside IP?

Try doing this on the PIX:

wr mem
reload

This will save the change and then reboot the PIX.

dt3itsteam (Author) commented:
I can access the Exchange box internally through:

https://192.168.1.4/exchange

Will try the command now.

dt3itsteam (Author) commented:
Have written the configuration and reloaded; additionally I ran a clear xlate previously.

Still no access :(

JFrederick29 commented:
So from the PC that is on the outside with 91.84.158.62 255.255.255.248, you can't access it?  Strange.

Do this on the PIX:

conf t
icmp permit any outside

Then make sure from the PC you can ping 91.84.158.59.  If that works, enable logging:

conf t
logging on
logging timestamp
logging buffered debug

Then try to access exchange again and do a "show log" on the PIX right after.

dt3itsteam (Author) commented:
Hi JFrederick29,

Re. your 1st comment, yep I cannot access https://91.84.158.60/exchange from a PC assigned 91.84.158.62 on the same interface.

I have added:

icmp permit any outside

*but* I cannot ping 91.84.158.59 (from a PC assigned a LAN IP). I have reloaded the PIX again but still no joy.

Obviously we need to get past this stage before I start sending logs.

Many thanks

JFrederick29 commented:
I meant to ping 91.84.158.59 from the PC on the outside with the 91.84.158.62 IP just to verify connectivity to the PIX from that PC.

dt3itsteam (Author) commented:
I have assigned 91.84.158.62 to my PC, Internet access is good, and I can ping 91.84.158.59.

JFrederick29 commented:
Okay, enable the logging and then access the exchange URL again and post the show log.

dt3itsteam (Author) commented:
Log output as promised below (the 71 buffered messages, wrapped by the terminal, are omitted here):

Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 71 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled

JFrederick29 commented:
Okay, let's try that again but narrowing down the log output:

Do this from the .62 PC (from a command prompt)

telnet 91.84.158.60 443

Then immediately on the PIX do a "show log | i 91.84.158.60"

dt3itsteam (Author) commented:
As promised (the buffered messages that followed the header, wrapped by the terminal, are omitted here):

pix506e(config)# show log i 91.84.158.60
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 3964 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled

JFrederick29 commented:
Try doing this:

conf t
no static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0
clear xlate

static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255

Then try again.

dt3itsteam (Author) commented:
Added, and have got a colleague to test this externally; still no joy!

I have to leave this for today, and will pick this back up on Monday. Again many thanks for your time, which is greatly appreciated!

I'll leave you with the "current" running config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SX/Y7cXtfgcNOcz9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506e
domain-name dt3limited.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.4 Exchange
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit ip any host 91.84.158.61
access-list outside permit tcp any host 91.84.158.60 eq https
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq www
access-list inside permit udp any any eq domain
access-list inside permit tcp any any eq domain
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq pptp
pager lines 24
icmp deny any outside
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location Exchange 255.255.255.255 inside
pdm location 91.84.158.60 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.84.158.60 ftp Exchange ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
banner login ** Disconnect immediately if not authorised **
banner motd DT3 LTD Firewall
Cryptochecksum:bd4ba9d5097faf11db9a0de51811582e
: end
pix506e(config)#
0
 
JFrederick29Commented:
Okay, need to remove these as well:

no static (inside,outside) tcp 91.84.158.60 ftp Exchange ftp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
clear xlate
0
 
JFrederick29Commented:
Oh, DUH, overlooking the obvious here.

Confirm the 192.168.1.4 server has a default gateway of 192.168.1.1.
0
 
dt3itsteamAuthor Commented:
Hi JFrederick29,

I'll add the revised static statements on Monday, and yes 192.168.1.4 has a DG of 192.168.1.1

Will come back to you on Monday with testing results around the new static entries.
0
 
dt3itsteamAuthor Commented:
Hi JFrederick29,

The issue is the PIX cannot see the Exchange host (192.168.1.4); see output from my PC below:-

C:\Users\user>ping 192.168.1.4

Pinging 192.168.1.4 with 32 bytes of data:

Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

now running a ping test from the PIX:-

pix506e# conf t
pix506e(config)# ping 192.168.1.4
        Exchange NO response received -- 1000ms
        Exchange NO response received -- 1000ms
        Exchange NO response received -- 1000ms

Please advise why the PIX cannot see the above host?
0
 
JFrederick29Commented:
Good question, can you ping anything else on the 192.168.1.0/24 subnet?  Do a "show arp | i 192.168.1.4" on the PIX to see if an entry exists.
0
 
dt3itsteamAuthor Commented:
I can ping another host 192.168.1.6 so leads me to suspect it's a server thing!
0
 
JFrederick29Commented:
Yeah, this server isn't running a Firewall or ISA, is it?
0
 
dt3itsteamAuthor Commented:
It's running SBS 2003, I've just disabled SBS's FW, getting a colleague to test my external OWA:-

https://91.84.158.59/exchange

Thought I'd cracked it, but it's STILL not working!!
0
 
dt3itsteamAuthor Commented:
As an FYI this server has two NICs, do you think this could cause any issues?  Configured as follows:-

1st NIC:-

I.P:- 192.168.1.4
SB:- 255.255.255.0
DG:- 192.168.1.1

2nd NIC:-

I.P:- 192.168.16.2
SB:- 255.255.255.0
DG:- n/a
DNS:- 192.168.16.2
0
 
JFrederick29Commented:
Strange, the fact that you can access OWA from other 192.168.1.x PCs though would indicate the server is fine.  Can you ping the PIX from 192.168.1.4?
0
 
dt3itsteamAuthor Commented:
Yeah I agree!  This is now becoming really odd!  To the point I'm going to give up on the 506E :(

I can ping 192.168.1.1 from the server
&
I can ping 192.168.1.4 from the PIX

pix506e(config)# ping 192.168.1.4
        Exchange response received -- 0ms
        Exchange response received -- 0ms
        Exchange response received -- 0ms
pix506e(config)#

HELP!!!!
0
 
JFrederick29Commented:
So, you CAN ping 192.168.1.1 from the server but you CAN'T ping the server from the PIX?

Can you post a "route print" from the server?
0
 
dt3itsteamAuthor Commented:
I "can" ping 192.168.1.1 from the server and I "can" ping 192.168.1.4 from the PIX

Route print from the server:-

C:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 29 91 a3 f6 ...... VMware Accelerated AMD PCNet Adapter
0x40005 ...00 0c 29 91 a3 00 ...... VMware Accelerated AMD PCNet Adapter #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.4      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0      192.168.1.4      192.168.1.4     10
      192.168.1.4  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.1.255  255.255.255.255      192.168.1.4      192.168.1.4     10
     192.168.16.0    255.255.255.0     192.168.16.2     192.168.16.2     10
     192.168.16.2  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.16.255  255.255.255.255     192.168.16.2     192.168.16.2     10
        224.0.0.0        240.0.0.0      192.168.1.4      192.168.1.4     10
        224.0.0.0        240.0.0.0     192.168.16.2     192.168.16.2     10
  255.255.255.255  255.255.255.255      192.168.1.4      192.168.1.4      1
  255.255.255.255  255.255.255.255     192.168.16.2     192.168.16.2      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

C:\>
0
 
JFrederick29Commented:
That looks good.  Can you post the latest PIX config?
0
 
dt3itsteamAuthor Commented:
As promised:-

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SX/Y7cXtfgcNOcz9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506e
domain-name dt3limited.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.4 Exchange
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit ip any host 91.84.158.61
access-list outside permit tcp any host 91.84.158.60 eq https
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq www
access-list inside permit udp any any eq domain
access-list inside permit tcp any any eq domain
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq pptp
pager lines 24
icmp deny any outside
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location Exchange 255.255.255.255 inside
pdm location 91.84.158.60 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.84.158.60 ftp Exchange ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
banner login ** Disconnect immediately if not authorised **
banner motd DT3 LTD Firewall
Cryptochecksum:7b57318c971361b4003390d31297bcee
: end
pix506e#
0
 
JFrederick29Commented:
First off, you should be accessing .60:

https://91.84.158.60/exchange

If still not working, do this:

conf t
no static (inside,outside) tcp 91.84.158.60 ftp Exchange ftp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255

access-list outside permit tcp any host 91.84.158.60 eq http

Then try accessing:

https://91.84.158.60/exchange

then this:

http://91.84.158.60/exchange
0
 
dt3itsteamAuthor Commented:
Amended the config but still a no go on both counts I'm afraid!!

I'm getting a colleague to test this externally to my network

What is it with this damn firewall!  The config is good, & everything is pingable and telnetable!
0
 
JFrederick29Commented:
Can you post config again just to double check the changes?
0
 
dt3itsteamAuthor Commented:
This *was* the running config that was running on the PIX (prior to it being given to me) with no issues, if this helps??

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto

nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password q2Y6D/RDXLXEcrD6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

domain-name nrtc.local

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

names
name 192.168.16.3 E4H-Server1
name 82.68.202.107 Webmail
name 82.68.202.0 ZENRange
name 82.68.202.108 RDC
name 192.168.16.2 Athenaeum
name 192.168.16.0 E4HLAN
name 82.68.202.111 ZenSpare5
name 82.68.202.106 ZenSpare3
name 82.68.202.105 ZenSpare2
name 82.68.202.104 ZenSpare1
name 82.68.202.10 ZenSpare4

access-list outside_access_in permit tcp host 10.0.0.223 any
access-list outside_access_in permit tcp interface outside any

pager lines 24
mtu outside 1500
mtu inside 1500

ip address outside 82.68.202.109 255.255.255.0
ip address inside 192.168.16.254 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
ip local pool Remote1 192.168.16.200-192.168.16.220
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.0.47 255.255.255.255 outside
pdm location Athenaeum 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location E4H-Server1 255.255.255.255 inside
pdm location RDC 255.255.255.255 outside
pdm location E4HLAN 255.255.255.0 inside
pdm location Webmail 255.255.255.255 outside
pdm location ZenSpare4 255.255.255.255 outside
pdm location ZenSpare1 255.255.255.255 outside
pdm location ZenSpare2 255.255.255.255 outside
pdm location ZenSpare3 255.255.255.255 outside
pdm location ZenSpare5 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp RDC 3389 E4H-Server1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp Webmail smtp Athenaeum smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp RDC www Athenaeum www netmask 255.255.255.255 0 0
static (inside,outside) tcp Webmail https Athenaeum https netmask 255.255.255.255 0 0

conduit permit tcp any any
conduit permit tcp any eq 3389 any
conduit permit tcp any eq smtp any

route outside 0.0.0.0 0.0.0.0 82.68.202.110 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
http E4HLAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-l2tp

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

telnet 10.0.0.47 255.255.255.255 outside
telnet timeout 5

ssh timeout 5
console timeout 0

vpdn group L2TP-VPDN-GROUP accept dialin l2tp
vpdn group L2TP-VPDN-GROUP ppp authentication pap
vpdn group L2TP-VPDN-GROUP ppp authentication chap
vpdn group L2TP-VPDN-GROUP ppp authentication mschap
vpdn group L2TP-VPDN-GROUP client configuration address local Remote1
vpdn group L2TP-VPDN-GROUP client configuration dns Athenaeum
vpdn group L2TP-VPDN-GROUP client configuration wins Athenaeum
vpdn group L2TP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60

vpdn username nrtc01 password *********
vpdn enable outside

dhcpd address E4H-Server1-192.168.16.253 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside

terminal width 80
Cryptochecksum:82ed0614652d93670f054ce69917ab96
: end
pixfirewall#
0
 
JFrederick29Commented:
Pretty sure that in 6.3(1), you didn't need to use a conduit statement but why not, give it a try:

conf t
conduit permit tcp any any
0
 
dt3itsteamAuthor Commented:
Added and externally tested still no go!

The LEDs on the PIX show the ACT as green (solid), is this correct?  Power is also obviously solid, and the network flashes with transmission of data.

Just wanted to confirm the ACT LED should also be solid green?  As I read it this indicates it's in failover mode?
0
 
JFrederick29Commented:
No, no issues.  Hardware appears to be fine.  Can you post the logs again while attempting a connection.

show log | include 91.84.158.60

Make sure you try several times until you see output.
0
 
dt3itsteamAuthor Commented:
conf t
logging on
logging timestamp
logging buffered debug

pix506e(config)# show log | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
302013: Built outbound TCP connection 59 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63357 (91.84.158.59/1067)
pix506e(config)#
0
 
dt3itsteamAuthor Commented:
&:-

pix506e(config)# show log | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
302013: Built outbound TCP connection 59 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63357 (91.84.158.59/1067)
pix506e(config)# show log | include 91.84.158.60
302014: Teardown TCP connection 57 for outside:91.84.158.60/443 to inside:192.168.1.4/63351 duration 0:02:01 bytes 0 SYN Timeout
302013: Built outbound TCP connection 65 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63363 (91.84.158.59/1073)
302013: Built outbound TCP connection 66 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63364 (91.84.158.59/1074)
302013: Built outbound TCP connection 67 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63365 (91.84.158.59/1075)
302013: Built outbound TCP connection 68 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63366 (91.84.158.59/1076)
pix506e(config)# show log | include 91.84.158.60
302013: Built outbound TCP connection 109 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63398 (91.84.158.59/1108)
302013: Built outbound TCP connection 110 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63399 (91.84.158.59/1109)
302013: Built outbound TCP connection 111 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63400 (91.84.158.59/1110)
302013: Built outbound TCP connection 112 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63401 (91.84.158.59/1111)
302013: Built outbound TCP connection 113 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63402 (91.84.158.59/1112)
302013: Built outbound TCP connection 114 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63403 (91.84.158.59/1113)
pix506e(config)#
0
 
JFrederick29Commented:
Okay, hold on, the exchange server is .59?  Please post the PIX config
0
 
JFrederick29Commented:
Okay, never mind, you are trying to access .60 from 192.168.1.4?  That won't work.  Can you have the person test from the outside while you check the logs?
0
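As an added example (not code from the thread or from Cisco), here is a small Python classifier for the PIX 6.x connection messages posted above. It parses the 302013/302015 "Built" and 302014 "Teardown" lines, takes the originator of each session from the inbound/outbound keyword rather than from the order the endpoints are printed in, and counts three things for a published address: sessions that arrived from the outside and were translated to the inside server (the only log evidence that the static and access-list are doing their job), sessions started by an inside host toward its own global address (the "outbound ... 91.84.158.60/443" lines in the thread, which a PIX 6.x cannot loop back), and TCP sessions torn down on SYN timeout. The sample lines are constructed: the first three follow the thread's own messages, and the 203.0.113.7 inbound line is invented to show what a successful external test would log.

```python
"""Classify PIX 6.x connection messages (302013/302015 Built, 302014 Teardown)
to tell whether a published address is actually being reached from outside.
Added example; not from the thread and not Cisco code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

BUILT_RE = re.compile(
    r"^30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<conn>\d+) for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) "
    r"\((?P<a_mip>[\d.]+)/(?P<a_mport>\d+)\) to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"\((?P<b_mip>[\d.]+)/(?P<b_mport>\d+)\)$"
)
TEARDOWN_RE = re.compile(
    r"^302014: Teardown TCP connection (?P<conn>\d+) for .+ duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


@dataclass
class Endpoint:
    iface: str
    real_ip: str
    real_port: int
    mapped_ip: str       # address after translation, shown in parentheses by the PIX
    mapped_port: int


@dataclass
class Conn:
    conn_id: int
    proto: str
    direction: str       # "inbound" = started on the outside, "outbound" = started inside
    outside: Endpoint
    inside: Endpoint


def parse_built(line: str) -> Optional[Conn]:
    """Parse a 302013/302015 'Built' message; return None for anything else."""
    m = BUILT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    a = Endpoint(g["a_if"], g["a_ip"], int(g["a_port"]), g["a_mip"], int(g["a_mport"]))
    b = Endpoint(g["b_if"], g["b_ip"], int(g["b_port"]), g["b_mip"], int(g["b_mport"]))
    # Pick endpoints by interface name, not by position, so the ordering the
    # PIX prints does not matter.
    outside, inside = (a, b) if a.iface == "outside" else (b, a)
    return Conn(int(g["conn"]), g["proto"], g["dir"], outside, inside)


def classify(lines: Iterable[str], published_ip: str, published_port: int) -> Counter:
    """Count what the log says about published_ip:published_port.

    inbound_hits   -- sessions started outside that the PIX translated to the
                      inside server: proof the static + access-list are working
    inside_hairpin -- sessions started by an INSIDE host toward the global
                      address; a PIX 6.x cannot hairpin these, so they prove
                      nothing about reachability from the Internet
    syn_timeouts   -- TCP sessions torn down with no reply from the server
    """
    c: Counter = Counter()
    for line in lines:
        conn = parse_built(line)
        if conn is not None:
            if (conn.direction == "inbound"
                    and conn.inside.mapped_ip == published_ip
                    and conn.inside.mapped_port == published_port):
                c["inbound_hits"] += 1
            elif (conn.direction == "outbound"
                    and conn.outside.real_ip == published_ip
                    and conn.outside.real_port == published_port):
                c["inside_hairpin"] += 1
            continue
        m = TEARDOWN_RE.match(line.strip())
        if m and m.group("reason").strip() == "SYN Timeout":
            c["syn_timeouts"] += 1
    return c


# Constructed sample: lines 1-3 follow the messages posted in the thread (wrapped
# lines joined); line 4 is invented to show a real hit from an outside client.
SAMPLE = [
    "302013: Built outbound TCP connection 59 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63357 (91.84.158.59/1067)",
    "302014: Teardown TCP connection 57 for outside:91.84.158.60/443 to inside:192.168.1.4/63351 duration 0:02:01 bytes 0 SYN Timeout",
    "302015: Built outbound UDP connection 2309 for outside:86.6.55.166/63527 (86.6.55.166/63527) to inside:192.168.1.4/63667 (91.84.158.59/1582)",
    "302013: Built inbound TCP connection 120 for outside:203.0.113.7/51522 (203.0.113.7/51522) to inside:192.168.1.4/443 (91.84.158.60/443)",
]

if __name__ == "__main__":
    print(dict(classify(SAMPLE, "91.84.158.60", 443)))
```

If a `show log | include <global IP>` run during an external test shows only `outbound` lines or nothing at all, the request never reached the PIX from the outside, and the place to look is upstream of the firewall rather than in the static and access-list lines.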
 
dt3itsteamAuthor Commented:
No I tested it from a machine on the 192.168.16.x subnet (which is routable to the 192.168.1.x subnet)

My colleague refreshed his browser a number of times, but I only get this below, which clearly shows nothing is hitting the firewall:-

pix506e(config)# show log | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
0
 
JFrederick29Commented:
Yeah, he is using the .60 URL right, not the .59 URL that you posted earlier?  Just making sure he isn't trying to connect to an invalid IP.

Do you still have a PC on the outside of the PIX?  If not, I would put it back and assign it .62 again then try accessing the URL to rule out the router and beyond...
0
 
dt3itsteamAuthor Commented:
OK I have to leave the office now, I've been trying this for nearly 10 days out of hours, it's now 20:10 and I was in the office at 08:30, these are typical hours in an attempt to get this damn thing to work :(

This PIX is clearly not going to work, which is very frustrating, Internet access is 100% operational when the PIX is plugged in, I simply cannot route any traffic inbound, I suggest this is closed off, unless you can think of anything else?

0
 
JFrederick29Commented:
The PIX config is fine.  The only other thing to try would be to upgrade it to 6.3(5) if you have privileges to download software from Cisco.
0
 
dt3itsteamAuthor Commented:
I read your comments, yes my colleague is using the .60 I.P re:-

"Do you still have a PC on the outside of the PIX?  If not, I would put it back and assign it .62 again then try accessing the URL to rule out the router and beyond..."

I don't see how this is going to help?  The .1.4 subnet is not addressable by the .158.x subnet, the PIX will translate the outside I.P to the inside I.P, so I don't see how this is going to rule out the router?
0
 
dt3itsteamAuthor Commented:
Unfortunately I don't have access to the Cisco support area, so looks like this thing at present is as good as a door stop?

I have a 501 at home running 6.3(5), I'll try this running the above config and let you know how I get on

Thanks for all your assistance again JFrederick29
0
 
JFrederick29Commented:
Well, if using the .158 PC and you CAN connect to the .158.60 (exchange URL) from that PC, you know the PIX config is fine but the traffic is being blocked by the router (or further upstream, i.e. ISP).  If it doesn't work from this PC, well, it's either the PIX or the server itself.
0
 
JFrederick29Commented:
Okay, let me know how it works out with the 501.
0
 
dt3itsteamAuthor Commented:
Hi JFrederick29,

I've dug out an IOS CD, and via TFTP I have upgraded the IOS on the 506E from 6.3(1) to 6.3(5), hopefully this will resolve the issues!  Out of interest what's the most recent IOS for the 506e?

Now I'm on 6.3(5), do you think my issues will be resolved?
0
 
JFrederick29Commented:
Crossing my fingers.

6.3(5) is the latest for the PIX 501 and 506E.
0
 
dt3itsteamAuthor Commented:
Hi JFrederick29,

Sorry for the delay, things have been hectic!

OK I'm now getting close!  I've swapped out the Linksys router for a ZyXEL 600 series running as before in a NO NAT configuration, and I'm getting close!!

Below are a couple of working statements from the current running config:-

access-list outside permit tcp any host 91.84.158.59 eq https
access-list outside permit tcp any host 91.84.158.59 eq smtp
static (inside,outside) tcp 91.84.158.59 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.59 https Exchange https netmask 255.255.255.255 0 0

Going to Shields UP both ports are now showing as open!

However I cannot get the following to work:-

access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq smtp
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

Is this an ISP routing issue?  Or am I looking again at a PIX issue?

Look forward to hearing from you
0
 
JFrederick29Commented:
Try this:

conf t
no static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0


0
 
dt3itsteamAuthor Commented:
JFrederick29,

Yes :- https://91.84.158.60/exchange is working!

How do I use :-

91.84.158.61
91.84.158.62

I'm assuming:-

static (inside,outside) 91.84.158.61 Exchange netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.62 Exchange netmask 255.255.255.255 0 0

but isn't this forwarding :-

access-list outside permit tcp any host 91.84.158.60 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq pptp

Also to 'exchange'?
0
 
JFrederick29Commented:
Well, you only need one IP for the exchange server.  If you need to access that server from the Internet via SMTP, PPTP, HTTP, HTTPS, FTP, you simply use the 91.84.158.60 IP but allow those protocols via the access-list.  The access-list should be used to control access to the host (not the static NAT statements).  

You can use .61 and .62 for other servers that need to be accessible from the Internet.

If the FTP and PPTP server are different servers, you can use the .61 and .62 addresses for them.
0
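An added example, not code from the thread or from Cisco: a small Python lint over the `static` and `access-list` lines of a PIX 6.x config that applies the rule just given, that the access-list, not the static, controls which protocols reach a host. It resolves `name` aliases, checks that every static's global address lies in the outside subnet (it catches a transposed address such as the `91.86.158.60` line that appears in one of the configs posted earlier), flags a per-port static overlapping a whole-host static on the same global address (the conflict cleared up earlier in this thread), reports access-list entries whose destination has no static at all, and reports statics that nothing permits. The sample config is constructed from lines posted above, and the parser only understands the `permit <proto> any host X [eq svc]` access-list form used here.

```python
"""Consistency lint for PIX 6.x static / access-list pairs.
Added example; not from the thread and not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Static:
    global_ip: str
    local_ip: str
    port: Optional[str]   # None for a whole-host static, else the global port/service


def parse_pix(config: str):
    """Pull name aliases, statics, outside-ACL destinations and the outside subnet."""
    names: Dict[str, str] = {}
    statics: List[Static] = []
    acls: List[Tuple[str, str]] = []      # (destination global IP, service or "ip")
    outside_net = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) >= 3:
            names[parts[2]] = parts[1]                        # name <ip> <alias>
        elif parts[:3] == ["ip", "address", "outside"] and len(parts) >= 5:
            outside_net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
        elif parts[0] == "static" and len(parts) >= 4:
            if parts[2] in ("tcp", "udp") and len(parts) >= 7:
                # static (inside,outside) tcp <global> <gport> <local> <lport> netmask ...
                statics.append(Static(names.get(parts[3], parts[3]),
                                      names.get(parts[5], parts[5]), parts[4]))
            else:
                # static (inside,outside) <global> <local> netmask ...
                statics.append(Static(names.get(parts[2], parts[2]),
                                      names.get(parts[3], parts[3]), None))
        elif parts[:3] == ["access-list", "outside", "permit"] and "host" in parts:
            dest = parts[parts.index("host") + 1]
            svc = parts[parts.index("eq") + 1] if "eq" in parts else "ip"
            acls.append((names.get(dest, dest), svc))
    return names, statics, acls, outside_net


def lint(config: str) -> List[str]:
    """Return one human-readable finding per inconsistency found."""
    _names, statics, acls, outside_net = parse_pix(config)
    findings: List[str] = []
    host_statics = {s.global_ip for s in statics if s.port is None}
    port_statics: Dict[str, List[str]] = {}
    for s in statics:
        try:
            gaddr = ipaddress.ip_address(s.global_ip)
        except ValueError:
            findings.append(f"static global {s.global_ip} is neither an address nor a known name")
            continue
        if outside_net is not None and gaddr not in outside_net:
            findings.append(f"static global {s.global_ip} is not in outside subnet {outside_net} (typo?)")
        if s.port is not None:
            port_statics.setdefault(s.global_ip, []).append(s.port)
    # A per-port static and a whole-host static for the same global address
    # fight each other; the thread settled on the whole-host form plus an ACL.
    for gip, ports in port_statics.items():
        if gip in host_statics:
            findings.append(f"{gip}: per-port static for {', '.join(ports)} overlaps a whole-host static; keep one form")
    translated = host_statics | set(port_statics)
    for gip, svc in acls:
        if gip not in translated:
            findings.append(f"access-list permits {svc} to {gip} but no static translates it; packets are dropped")
        elif gip not in host_statics and svc != "ip" and svc not in port_statics[gip]:
            findings.append(f"access-list permits {svc} to {gip} but only {port_statics[gip]} are translated")
    for gip in sorted(translated):
        if not any(a == gip for a, _ in acls):
            findings.append(f"static for {gip} exists but no outside access-list permits traffic to it")
    return findings


# Constructed sample built from lines posted in the thread, including the
# transposed 91.86.158.60 static and the overlapping .60 statics.
SAMPLE_CONFIG = """\
name 192.168.1.4 Exchange
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit ip any host 91.84.158.61
access-list outside permit tcp any host 91.84.158.62 eq ftp
ip address outside 91.84.158.59 255.255.255.248
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

The check is deliberately conservative: it reports, it does not rewrite, and a whole-host static with a broad `permit ip any host` entry (as on .61 above) passes even though it exposes every port on that server, which is a policy decision for the operator rather than a syntax error.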
 
dt3itsteamAuthor Commented:
ok looking good!

Out of interest, why does:-

static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0

work, but:-

static (inside,outside) tcp 91.84.158.60 Exchange netmask 255.255.255.255 0 0

does not?
0
 
JFrederick29Commented:
I would say either a limitation in 6.3(1) (if still running that) or a bug.
0
 
dt3itsteamAuthor Commented:
ok there is still one issue,

firewall rules on:-

91.84.158.60 are working, but on other I.P's they are not, here is an extract of my running config:-

names
name 192.168.1.245 test_lab
name 192.168.1.121 ftp_server
name 192.168.1.4 sbs_server

access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.62 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit ip any host 91.84.158.61

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 91.84.158.60 sbs_server netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.62 ftp_server netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1

Please advise?
0
 
JFrederick29Commented:
The config is good.  Are the .61 and .62 servers listening on those ports?
0
 
dt3itsteamAuthor Commented:
OK is there a www site I can test ports listening on 91.84.158.62?  As all firewall testing sites I've visited (Shields Up for example) see my I.P as 91.84.158.60 which obviously won't work
0
 
JFrederick29Commented:
Not that I am aware of.  You'll have to test from home or somewhere else offering Internet.  So what isn't working?  How did you test?
0
 
dt3itsteamAuthor Commented:
OK great I'll do some testing at home, I'm happy the PIX is now working as it should, albeit with some serious issues with the original Linksys routers coupled with IOS issues which caused me no end of problems!

JFrederick29 you are a legend!  Many thanks again for all your patience, proactiveness and rapid help surrounding this matter, I very nearly gave up!
0
