Solved

PIX Routing issue

Posted on 2009-05-12
699 Views
Last Modified: 2012-05-07
Hi experts,

We've been assigned the following I.P's from our ISP:-

91.84.158.57
91.84.158.58
91.84.158.59
91.84.158.60
91.84.158.61
91.84.158.62

I've configured the following:-

I.P Address: 91.84.158.57 (assigned to the WAN port on the ADSL router)
I.P address: 91.84.158.58 (assigned LAN port on the ADSL router)
I.P address: 91.84.158.59 (assigned to the PIX WAN E0 port)

Subnet mask :- 255.255.255.248

Below is my running PIX configuration file as of this evening:-

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SX/Y7cXtfgcNOcz9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506e
domain-name xxxxlocal
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 255.255.255.0 91.84.158.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:baf8beb407e36304abe63376478ef7bd
: end

Using my laptop, assigned a 192.168.16.x I.P from our Windows 2003 server, I'm unable to obtain an Internet connection, however when assigning the following configuration to the LAN interface on my laptop:-

I.P address:- 91.84.158.59
SN:- 255.255.255.248
DG:- 91.84.158.59
DNS1:- 81.26.107.2
DNS2:- 81.26.107.3

With the above configuration, I'm able to gain Internet access.

Please advise what's wrong with the PIX configuration above?
Question by:dt3itsteam
106 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24368615
Add this:

conf t
global (outside) 1 interface
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24368665
Hi JFrederick29,

Thanks for the quick response, can you elaborate as to what the above command does?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24368682
It completes the NAT configuration on the PIX.  It basically instructs the PIX to PAT traffic traversing from the inside to the outside and use the outside interface IP address as the PAT address.  If you want, you can use a free IP from your pool for the PAT IP instead....

global (outside) 1 91.84.158.x
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24368719
Hi JFrederick29,

Thanks, this makes sense, I'll test this tomorrow evening and come back to you, can you see anything else wrong with the config above?  I'll be adding PAT forwarding rules for VPN, owa etc.. once I have a working config (inside > outside)
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24369556
Everything else looks good.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24377997
JFrederick29,

I added the following statement:-

global (outside) 1 interface

But still no Internet connectivity, I also added:-

global (outside) 1 91.84.158.60

But again no joy, I'm able to add the following to my laptop :-

I.P address:- 91.84.158.59
SN:- 255.255.255.248
DG:- 91.84.158.59
DNS1:- 81.26.107.2
DNS2:- 81.26.107.3

And I get a connection, so I know the CPE is good and RIP is working

Note other than the "global (outside)" statements, no other changes have been made to the PIX, so the config above is still on the unit.

When the PIX is connected (on 192.168.1.1), I'm assigned the following via DHCP to my laptop:-

I.P address:- 192.168.16.x
SN:- 255.255.255.0
DG:- 192.168.1.1
DNS:- 192.168.16.2

DNS is forwarding DNS queries from 192.168.16.2 > ISP provided DNS, the SBS server is routing the 16.x to the 1.x subnet, and Internet is operational on the 16.x I.P (with the DSL router in normal PPPOA mode)

Any further thoughts?  
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24378075
Is this a typo?  The PC should have an IP of either 192.168.16.x and a DG of 192.168.16.2 or an IP of 192.168.1.x and a DG of 192.168.1.1.  Also, if the PC is on the 192.168.16.x subnet and the SBS server is its default gateway, if the SBS server isn't doing NAT, the PIX needs a route to 192.168.1.0/24 via 192.168.1.x <--sbs server NIC on 192.168.1.x subnet.

route inside 192.168.1.0 255.255.255.0 192.168.1.x   <--sbs server IP

The SBS server should have a DG/default route via 192.168.1.1
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24378671
JFrederick29,

Sorry yep a typo, DHCP configured PC's as follows:-

I.P address:- 192.168.16.x
SN:- 255.255.255.0
DG:- 192.168.16.2
DNS:- 192.168.16.2

I've also manually configured:-

I.P address:- 192.168.1.100
SN:- 255.255.255.0
DG:- 192.168.1.1
DNS:- 81.26.107.2

Obviously bypassing the SBS completely, but still no internet connectivity

Thoughts?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24378749
Ahh, looks like your default route is incorrect.

conf t
no route outside 0.0.0.0 255.255.255.0 91.84.158.58 1
route outside 0.0.0.0 0.0.0.0 91.84.158.58
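Why the first config's default route never matched an Internet destination, shown with an added example that is not part of the thread: it parses PIX 6.x `route` statements and runs a longest-prefix lookup over them, so the `0.0.0.0 255.255.255.0` line turns out to cover only 0.0.0.0/24. The inside route for 192.168.16.0/24 via 192.168.1.2 is a constructed value added for illustration.

```python
"""Longest-prefix lookup over PIX 6.x ``route`` statements."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    interface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def parse_route(line: str) -> Route:
    """Parse ``route <ifc> <network> <mask> <gateway> [metric]``."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route statement: {line!r}")
    ifc, net, mask, gw = parts[1:5]
    metric = int(parts[5]) if len(parts) > 5 else 1
    # strict=False: tolerate host bits set in the network field, as the PIX does
    network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    return Route(ifc, network, ipaddress.IPv4Address(gw), metric)


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Most specific matching route wins; lower metric breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """(interface, gateway) for dst, or None when no route covers it."""
    r = lookup(routes, dst)
    return None if r is None else (r.interface, str(r.gateway))


# The thread's original line: a /24 route for 0.0.0.0, not a default route.
BROKEN = [parse_route("route outside 0.0.0.0 255.255.255.0 91.84.158.58 1")]

# The corrected default route, plus a constructed inside route for the
# 192.168.16.0/24 LAN behind the SBS box (the 192.168.1.2 gateway is made up).
FIXED = [
    parse_route("route outside 0.0.0.0 0.0.0.0 91.84.158.58 1"),
    parse_route("route inside 192.168.16.0 255.255.255.0 192.168.1.2 1"),
]

if __name__ == "__main__":
    for dst in ("81.26.107.2", "192.168.16.25", "0.0.0.77"):
        print(f"{dst:15} broken={next_hop(BROKEN, dst)}  fixed={next_hop(FIXED, dst)}")
```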
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24378810
OK will try again tomorrow evening, I'll keep you posted!  Thx again
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24382455
Hi JFrederick29,

I've changed the config to:-

ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1

I'll be implementing this this evening and will advise how it goes.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24387336
Hi JFrederick29,

Great the statement :- route outside 0.0.0.0 0.0.0.0 91.84.158.58 1 did the trick!

I'm now in the process of adding PAT rules to allow SMTP, VPN, HTTPS etc.

I've added the following statements:-

name 192.168.1.4 Exchange
access-list outside permit tcp any interface outside eq smtp
access-list outside permit tcp any interface outside eq https
access-list outside permit tcp any interface outside eq pptp
access-list outside permit tcp any interface outside eq ftp

static (inside,outside) tcp 91.84.158.57 smtp Exchange smtp netmask 255.255.255.255 0 0
access-group outside in interface outside

However the "91.84.158.57" I.P is assigned to the router, correct me if I'm wrong but do I need to use the following 'available' I.P's:-

91.84.158.60
91.84.158.61

If so is the static route statement above correct?

Many thanks again, and hope to hear from you soon
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24387493
You can use the interface IP if desired but it is best to use a free IP if you have them available which you do.

I would do this instead:

name 192.168.1.4 Exchange
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit tcp any host 91.84.158.60 eq ftp

static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
access-group outside in interface outside

This doesn't change the static route at all.  That is all the config you need.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24387603
JFrederick29,

Many thanks for the quick reply!  I've quickly added the above statements, and I'm currently on the same internal network as the PIX , I was hoping to test this, by trying the following:-

https://91.84.158.60/exchange (obviously substituting FQDN for .60 I.P as FQDN this will still point to .57)

And have tried:-

telnet 91.84.158.60 443

Neither connect
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24387661
I should be clear I have added:-

static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24388697
Yeah, that doesn't work that way.  You'll need to test it from outside the PIX (external).
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24389289
JFrederick29,

I asked a colleague to try and connect to :- https://91.84.158.60/exchange from his DSL connection, still no luck I'm afraid, this should be forwarding to exchange (192.168.1.4)  for OWA (which is fully operational on 91.84.158.57).

Note the PIX firewall is now off line as I'm back at home, and needed to reinstate our original firewall for the office tomorrow AM.

Thoughts?
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24390398
My free range of public I.P's are:-

91.84.158.60
91.84.158.61
91.84.158.62

As such should I not have the following statement:-

global (outside) 1 91.84.158.60-91.84.158.62 netmask 255.255.255.248

rather than:-

global (outside) 1 interface

Please advise?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24391388
No, you don't want to assign all your IP's to the PAT pool.  You can assign one of the IP's but I would use the interface IP and use the others for static server NAT's.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24392523
JFrederick29,

Ok this hasn't been configured it was just a thought, the configuration is still as follows:-

ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

name 192.168.1.4 Exchange

access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit tcp any host 91.84.158.60 eq ftp

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1

static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0

But I still cannot connect to our Exchange box on port 25

I will test the router isn't blocking anything (i.e. firewall switched on!, which I recall "was" turned off) but other than this, do you see anything wrong with the above config? (note 192.168.1.4 is pingable from the PIX)
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24394560
You also added this, right?

access-group outside in interface outside

Can you "telnet 192.168.1.4 25" from a command prompt on a PC on the inside?
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24394621
Hi JFrederick29,

Current config:-

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name xxxxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.4 Exchange
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit tcp any host 91.84.158.61 eq smtp
access-list outside permit tcp any host 91.84.158.61 eq https
access-list outside permit tcp any host 91.84.158.61 eq ftp
access-list outside permit tcp any host 91.84.158.61 eq pptp
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq www
access-list inside permit udp any any eq domain
access-list inside permit tcp any any eq domain
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq pptp
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location Exchange 255.255.255.255 inside
pdm location 91.84.158.60 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.61 smtp test_lab smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.61 pptp test_lab pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.61 https test_lab https netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24394632
And sorry to answer your question in full, I'm able to telnet to 192.168.1.4 (port 25) from a local PC
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24394665
Okay, try this:

conf t
no fixup protocol smtp 25

Does HTTPS work?
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24394690
Hi JFrederick29,

Let me check the router isn't to blame here!  As I tried both HTTPS and SMTP on the .60 I.P neither worked

I'll come back to you later this afternoon, as I'll be dropping our network around 15:00 GMT
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24394708
Yeah, sounds like the router as your PIX config is good.  Does outbound Internet access work?  If so, definitely focus on the router.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24394754
Hi JFrederick29,

Yep outbound traffic through the PIX as the DG works faultlessly!  Also I suspect the damn router is to blame (hence have configured another DSL router in a no nat configuration, to rule out issue with the 1st router).

One final question if I may, I need to tunnel all internet traffic from .61 to .1.245 (which will hit another internal firewall which will undertake PAT, do these statements look right:-

names
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.61 test_lab
static (inside,outside) tcp 91.84.158.61 any test_lab any netmask 255.255.255.255 0 0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24394800
Close, I would do this if you want all IP traffic to that other Firewall:

names
name 192.168.1.245 test_lab
access-list outside permit ip any host 91.84.158.61
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0

This will forward all traffic from .61 to 1.245.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24395086
JFrederick29,

I've swapped out the router but get exactly the same problem, :( I've tried enabling the DMZ and port forwarding on the router to both 59 (outside int on the PIX) and .60 but no joy.

If you want me to enable you to look at this remotely, maybe that's an option?

Any thoughts?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24395125
Well, using port forwarding or the DMZ will still NAT the traffic to the WAN interface of the router.  Can you completely disable NAT on the router?  What model router is it?  Your ISP is routing the 91.84.158.56/29 subnet to the WAN interface of the router, right?
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24395182
JFrederick29,

It's a Linksys WA54GS and I've also tried a WAG200G DSL router, both routers have NAT switched off, and RIP enabled, along with the firewall turned off.

And yes Eclipse are routing the 91.84.158.56/29 subnet to the WAN interface of the router.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24395225
Okay, so from a PC on the inside, go to "www.whatismyip.com".  Does it say you are coming from 91.84.158.59 or from the WAN interface IP on the Linksys?
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24395251
it states :- 91.84.158.59
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24395373
Okay, then, NAT is disabled and routing is there.  You are positive the Linksys isn't doing any kind of port filtering?  Not port forwarding or DMZ, but ACL type filtering.

Remove this from the PIX also:

conf t
no fixup protocol smtp 25
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24395396
By the way, if the connection from your ISP is ethernet (assuming it is since you are using the Linksys), you can remove the Linksys then simply plug the ISP connection into the PIX outside and assign the PIX outside the static IP that is on the Linksys WAN interface.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24395397
I'm absolutely positive there's no port forwarding, DMZ, or port range mappings on the Linksys DSL router

will remove the config statement now
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24395454
This is becoming a nightmare, done the config change, still cannot connect to:-

https://91.84.158.60/exchange

Really appreciate your help on this BTW!
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24395479
I really suspect it is the Firewall in the Linksys.  Trying to find out for sure and how to disable it if possible.  Your ADSL line is phone line into the Linksys, right? or did your provider give you a DSL modem that hands off ethernet to the Linksys?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24395526
To verify the PIX config is fine and to narrow it down to the Linksys, assign your PC 91.84.158.62 and plug it into the router and try to access https://91.84.158.60/exchange.  If it works, it's definitely not the PIX and you can focus all your attention on the router (trying to find the Firewall).
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24395535
I can try a modem, rather than a router as you and I suspect, I don't think NAT's "really" turned off.  I'll add a modem in 5 mins
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24395558
Great, I think that should take care of it.  You'll need to readdress the PIX outside interface to the WAN IP provided by your ISP (the IP they are routing your block of IP's to).
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24396005
Ok I've added a different DSL router (unfortunately it's still a router) but again with the following disabled:-

NAT
Firewall
Port forwarding
DMZ

I've enabled RIP V1.1

But still no luck, I've changed the static mapping to:-

static (inside,outside) tcp 91.84.158.59 smtp Exchange smtp netmask 255.255.255.255  0 0
&
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255  0 0

But I still cannot connect, is it possible this is an ISP issue?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396046
No, since you are going out to the Internet as the outside of the PIX.  Can you try the PC on the outside of the PIX to make sure you can access exchange?  That would rule out the PIX and anything with the server if it works.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24396121
Sorry I'm not clear what you mean by:-

"Can you try the PC on the outside of the PIX to make sure you can access exchange?  That would rule out the PIX and anything with the server if it works"

please advise?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396147
Assign a PC 91.84.158.62 and plug it into a free switch port on the router and try to access https://91.84.158.60/exchange.  This will verify the PIX config is good.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24396250
Ok thanks, I have done this and still cannot access the Exchange URL

Please advise?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396262
Okay, you can however access that Exchange URL from the inside right? using the inside IP?

Try doing this on the PIX:

wr mem
reload

This will save change and then reboot the PIX.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24396332
I can access the Exchange box internally through :-

https://192.168.1.4/exchange

Will try the command now
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24396366
have written the configuration and reloaded, additionally I ran a clear xlate previously

Still no access :(
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396439
So from the PC that is on the outside with 91.84.158.62 255.255.255.248, you can't access it?  Strange.

Do this on the PIX:

conf t
icmp permit any outside

Then make sure from the PC you can ping 91.84.158.59.  If that works, enable logging:

conf t
logging on
logging timestamp
logging buffered debug

Then try to access exchange again and do a "show log" on the PIX right after.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24396625
Hi JFrederick29,

Re. your 1st comment, yep I cannot access https://91.84.158.60/exchange from a PC assigned 91.84.158.62 on the same interface

I have added:-

icmp permit any outside

*but* I cannot ping 91.84.158.59 (from a PC assigned a LAN I.P), I have reloaded the PIX again but still no joy

Obviously we need to get past this stage before I start sending logs

Many thanks
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396685
I meant to ping 91.84.158.59 from the PC on the outside with the 91.84.158.62 IP just to verify connectivity to the PIX from that PC.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24396788
I have assigned 91.84.158.62 to my PC, Internet access is good, and I can ping 91.84.158.59
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396808
Okay, enable the logging and then access the exchange URL again and post the show log.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24396852
Log output as promised below:-

Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 71 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
quest discarded from 192.168.1.4/63302 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.245/64751 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.4/63302 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.245/64751 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.4/63302 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.245/56462 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.245/64751 to inside:192.168.1.1/domain
305011: Built dynamic TCP translation from inside:192.168.1.4/63303 to outside:91.84.158.59/1219
302013: Built outbound TCP connection 1439 for outside:77.242.193.137/80 (77.242.193.137/80) to inside:192.168.1.4/63303 (91.84.158.59/1219)
710005: UDP request discarded from 192.168.1.245/60553 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.245/60553 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.245/60553 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.4/63302 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.245/64751 to inside:192.168.1.1/domain
7ide:91.84.158.57/63855 (91.84.158.57/63855) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1466 for outside:213.22.1.85/31508 (213.22.1.85/31508) to inside:192.168.1.4/63308 (91.84.158.59/1229)
106023: Deny icmp src outside:91.84.158.57 dst inside:91.84.158.59 (type 3, code 3) by access-group "outside"
710005: UDP request discarded from 192.168.1.245/65056 to inside:192.168.1.1/domain
710005: UDP request discarded from 192.168.1.245/49856 to inside:192.168.1.1/domain
302015: Built outbound UDP connection 1467 for outside:91.139.201.95/53313 (91.139.201.95/53313) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1468 for outside:91.90.8.111/16569 (91.90.8.111/16569) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1469 for outside:88.176.148.211/62649 (88.176.148.211/62649) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1470 for outside:82.17.215.230/49632 (82.17.215.230/49632) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1471 for outside:80.7.70.47/32229 (80.7.70.47/32229) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1472 for outside:86.6.55.166/63527 (86.6.55.166/63527) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1473 for outside:91.124.48.144/64506 (91.124.48.144/64506) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1474 for outside:91.187.175.69/46208 (91.187.175.69/46208) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1475 for outside:89.201.124.78/22517 (89.201.124.78/22517) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1476 for outside:91.108.113.55/38309 (91.108.113.55/38309) to inside:192.168.1.4/63308 (91.84.158.59/1229)
.39.65.31/39814 (82.39.65.31/39814) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1451 for outside:76.252.21.8/30847 (76.252.21.8/30847) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1452 for outside:86.13.180.84/41480 (86.13.180.84/41480) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1453 for outside:89.241.190.7/32927 (89.241.190.7/32927) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1454 for outside:82.47.56.83/35844 (82.47.56.83/35844) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1455 for outside:92.234.148.231/29268 (92.234.148.231/29268) to inside:192.168.1.4/63308 (91.84.158.59/1229)
302015: Built outbound UDP connection 1456 for outside:82.9.70.17/54190 (82.9.70
pix506e(config)#  de:192.168.1.4/63308 (91.
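An added example, not from the thread, that parses the message formats appearing in the log above (302013/302015 connections, 305011/305012 translations, 106023 ACL denies, 710005 discards) into fields and filters them by host, which is what `show log | include <ip>` does on the PIX itself. The sample log is constructed from the thread's own lines, re-joined onto one line each.

```python
"""Parse PIX 6.3 buffered-log lines and filter them by host."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# "ifc:ip/port" as it appears in connection and translation messages; {n} prefixes the group names
ENDPOINT = r"(?P<{n}_ifc>\w+):(?P<{n}_ip>\d+\.\d+\.\d+\.\d+)/(?P<{n}_port>\w+)"

PATTERNS = {
    # 302013/302015: Built inbound|outbound TCP|UDP connection N for A (A') to B (B')
    "conn": re.compile(
        r"^(?P<id>30201[35]): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
        r"connection \d+ for " + ENDPOINT.format(n="a") + r" \([^)]*\) to "
        + ENDPOINT.format(n="b") + r" \((?P<b_map>[\d.]+)/\w+\)"),
    # 106023: Deny proto src ifc:A dst ifc:B (...) by access-group "name"
    "deny": re.compile(
        r'^(?P<id>106023): Deny (?P<proto>\w+) src (?P<a_ifc>\w+):(?P<a_ip>[\d.]+)(?:/\w+)? '
        r'dst (?P<b_ifc>\w+):(?P<b_ip>[\d.]+)(?:/\w+)?.*by access-group "(?P<acl>[^"]+)"'),
    # 305011/305012: Built|Teardown dynamic TCP|UDP translation from A to B
    "xlate": re.compile(
        r"^(?P<id>30501[12]): (?:Built|Teardown) dynamic (?P<proto>TCP|UDP) translation "
        r"from " + ENDPOINT.format(n="a") + r" to " + ENDPOINT.format(n="b")),
    # 710005: UDP request discarded from A/port to ifc:B/service (traffic aimed at the PIX itself)
    "discard": re.compile(
        r"^(?P<id>710005): (?P<proto>TCP|UDP) request discarded from "
        r"(?P<a_ip>[\d.]+)/\w+ to " + ENDPOINT.format(n="b")),
}


@dataclass(frozen=True)
class LogEvent:
    msg_id: str
    kind: str               # conn | deny | xlate | discard
    proto: str
    src: str                # source address as logged
    dst: str                # destination (the real inside address for conn events)
    mapped: Optional[str]   # translated destination address, conn events only
    raw: str


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for a recognised message, None for anything else."""
    line = line.strip()
    for kind, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            g = m.groupdict()
            return LogEvent(g["id"], kind, g["proto"].lower(), g["a_ip"], g["b_ip"],
                            g.get("b_map"), line)
    return None


def parse_log(text: str) -> List[LogEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def mentioning(events: List[LogEvent], ip: str) -> List[LogEvent]:
    """Same idea as 'show log | include <ip>', but matched on parsed fields."""
    return [e for e in events if ip in (e.src, e.dst, e.mapped)]


def summarize(events: List[LogEvent]) -> Counter:
    return Counter(e.kind for e in events)


# Constructed sample: line shapes taken from the thread's log, one message per line.
SAMPLE_LOG = """\
710005: UDP request discarded from 192.168.1.4/63302 to inside:192.168.1.1/domain
305011: Built dynamic TCP translation from inside:192.168.1.4/63303 to outside:91.84.158.59/1219
302013: Built outbound TCP connection 1439 for outside:77.242.193.137/80 (77.242.193.137/80) to inside:192.168.1.4/63303 (91.84.158.59/1219)
302015: Built outbound UDP connection 1466 for outside:213.22.1.85/31508 (213.22.1.85/31508) to inside:192.168.1.4/63308 (91.84.158.59/1229)
106023: Deny icmp src outside:91.84.158.57 dst inside:91.84.158.59 (type 3, code 3) by access-group "outside"
305012: Teardown dynamic UDP translation from inside:192.168.1.4/23024 to outside:91.84.158.59/1565 duration 0:00:31
Syslog logging: enabled
"""
EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print(summarize(EVENTS))
    # Empty for the published .60 address: no message in this sample involves it at all
    for e in mentioning(EVENTS, "91.84.158.60"):
        print(e.raw)
```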
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396911
Okay, let's try that again but narrowing down the log output:

Do this from the .62 PC (from a command prompt)

telnet 91.84.158.60 443

Then immediately on the PIX do a "show log | i 91.84.158.60"
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24397007
As promised:-

pix506e(config)# show log i 91.84.158.60
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 3964 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.1.4/23024 to outside:91.84.158.59/1565 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.1.4/37294 to outside:91.84.158.59/1566 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.1.4/1713 to outside:91.84.158.59/1567 duration 0:00:31
302014: Teardown TCP connection 2030 for outside:205.227.136.116/8801 to inside:192.168.1.4/63588 duration 0:02:13 bytes 1866 TCP Reset-O
302014: Teardown TCP connection 2031 for outside:205.227.136.116/8801 to inside:192.168.1.4/63589 duration 0:02:13 bytes 1871 TCP Reset-O
305011: Built dynamic TCP translation from inside:192.168.1.4/63663 to outside:91.84.158.59/1542
302013: Built outbound TCP connection 2297 for outside:77.242.193.129/443 (77.242.193.129/443) to inside:192.168.1.4/63663 (91.84.158.59/1542)
302015: Built outbound UDP connection 2298 for outside:89.176.40.72/61692 (89.176.40.72/61692) to inside:192.168.1.4/63646 (91.84.158.59/1568)
302015: Built outbound UDP connection 2299 for outside:129.240.81.103/44858 (129.240.81.103/44858) to inside:192.168.1.4/63646 (91.84.158.59/1568)
305011: Built dynamic TCP translation from inside:192.168.1.4/63664 to outside:91.84.158.59/1543
302013: Built outbound TCP connection 2300 for outside:72.14.221.103/80 (72.14.221.103/80) to inside:192.168.1.4/63664 (91.84.158.59/1543)
304001: 192.168.1.4 Accessed URL 72.14.221.103:/
305011: Built dynamic UDP translation from inside:192.168.1.4/63665 to outside:91.84.158.59/1579
302015: Built outbound UDP connection 2301 for outside:133.25.155.5/59965 (133.25.155.5/59965) to inside:192.168.1.4/63665 (91.84.158.59/1579)
305011: Built dynamic UDP translation from inside:192.168.1.4/4224 to outside:91.84.158.59/1580
305011: Built dynamic UDP translation from inside:192.168.1.4/48938 to outside:91.84.158.59/1581
302015: Built outbound UDP connection 2302 for outside:64.233.161.9/53 (64.233.161.9/53) to inside:192.168.1.4/4224 (91.84.158.59/4224)
302016: Teardown UDP connection 2302 for outside:64.233.161.9/53 to inside:192.168.1.4/4224 duration 0:00:01 bytes 156
305011: Built dynamic TCP translation from inside:192.168.1.4/63666 to outside:91.84.158.59/1544
302013: Built outbound TCP connection 2303 for outside:74.125.43.102/80 (74.125.43.102/80) to inside:192.168.1.4/63666 (91.84.158.59/1544)
304001: 192.168.1.4 Accessed URL 74.125.43.102:/generate_204
305011: Built dynamic UDP translation from inside:192.168.1.4/63667 to outside:91.84.158.59/1582
302015: Built outbound UDP connection 2304 for outside:91.139.201.95/53313 (91.139.201.95/53313) to inside:192.168.1.4/63667 (91.84.158.59/1582)
302015: Built outbound UDP connection 2305 for outside:91.90.8.111/16569 (91.90.8.111/16569) to inside:192.168.1.4/63667 (91.84.158.59/1582)
302015: Built outbound UDP connection 2306 for outside:88.176.148.211/62649 (88.176.148.211/62649) to inside:192.168.1.4/63667 (91.84.158.59/1582)
302015: Built outbound UDP connection 2307 for outside:82.17.215.230/49632 (82.17.215.230/49632) to inside:192.168.1.4/63667 (91.84.158.59/1582)
302015: Built outbound UDP connection 2308 for outside:80.7.70.47/32229 (80.7.70.47/32229) to inside:192.168.1.4/63667 (91.84.158.59/1582)
302015: Built outbound UDP connection 2309 for outside:86.6.55.166/63527 (86.6.55.166/63527) to inside:192.168.1.4/63667 (91.84.158.59/1582)
302015: Built outbound UDP connection 2310 for outside:91.124.48.144/64506 (91.124.48.144/64506) to inside:192.168.1.4/63667 (91.84.158.59/1582)
302015: Built outbound UDP connection 2311 for outside:91.187.175.69/46208 (91.187.175.69/46208) to inside:192.168.1.4/63667 (91.84.158.59/1582)
302015: Built outbound UDP connection 2312 for outside:89.201.124.78/22517 (89.201.124.78/22517) to inside:192.168.1.4/63667 (91.84.158.59/1582)
302015: Built outbound UDP connection 2313 for outside:91.108.113.55/38309 (91.108.113.55/38309) to inside:192.168.1.4/63667 (91.84.158.59/1582)
305012: Teardown dynamic TCP translation from inside:192.168.1.4/63647 to outside:91.84.158.59/1534 duration 0:00:34
pix506e(config)#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397101
Try doing this:

conf t
no static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0
clear xlate

static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255

Then try again.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24397355
Added, and have got a colleague to test this externally, still no joy!

I have to leave this for today, and will pick this back up on Monday, again many thanks for your time, which is greatly appreciated!

I'll leave you with the "current" running config:-

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SX/Y7cXtfgcNOcz9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506e
domain-name dt3limited.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.4 Exchange
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit ip any host 91.84.158.61
access-list outside permit tcp any host 91.84.158.60 eq https
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq www
access-list inside permit udp any any eq domain
access-list inside permit tcp any any eq domain
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq pptp
pager lines 24
icmp deny any outside
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location Exchange 255.255.255.255 inside
pdm location 91.84.158.60 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.84.158.60 ftp Exchange ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
banner login ** Disconnect immediately if not authorised **
banner motd DT3 LTD Firewall
Cryptochecksum:bd4ba9d5097faf11db9a0de51811582e
: end
pix506e(config)#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397387
Okay, need to remove these as well:

no static (inside,outside) tcp 91.84.158.60 ftp Exchange ftp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
clear xlate
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397760
Oh, DUH, overlooking the obvious here.

Confirm the 192.168.1.4 server has a default gateway of 192.168.1.1.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24400199
Hi JFrederick29,

I'll add the revised static statements on Monday, and yes 192.168.1.4 has a DG of 192.168.1.1

Will come back to you on Monday with testing results around the new static entries.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24413764
Hi JFrederick29,

The issue is the PIX cannot see the Exchange host (192.168.1.4) see output from my PC below:-

C:\Users\user>ping 192.168.1.4

Pinging 192.168.1.4 with 32 bytes of data:

Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

now running a ping test from the PIX:-

pix506e# conf t
pix506e(config)# ping 192.168.1.4
        Exchange NO response received -- 1000ms
        Exchange NO response received -- 1000ms
        Exchange NO response received -- 1000ms

Please advise why the PIX cannot see the above host?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24413880
Good question, can you ping anything else on the 192.168.1.0/24 subnet?  Do a "show arp | i 192.168.1.4" on the PIX to see if an entry exists.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24413987
I can ping another host 192.168.1.6 so leads me to suspect it's a server thing!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414026
Yeah, this server isn't running a Firewall or ISA, is it?
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24414656
It's running SBS 2003, I've just disabled SBS's FW, getting a colleague to test my external OWA:-

https://91.84.158.59/exchange

Thought I'd cracked it, but it's STILL not working!!
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24414695
As an FYI this server has two NICs, do you think this could cause any issues?  Configured as follows:-

1st NIC:-

I.P:- 192.168.1.4
SB:- 255.255.255.0
DG:- 192.168.1.1

2nd NIC:-

I.P:- 192.168.16.2
SB:- 255.255.255.0
DG:- n/a
DNS:- 192.168.16.2
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414723
Strange, the fact that you can access OWA from other 192.168.1.x PC's though would indicate the server is fine.  Can you ping the PIX from 192.168.1.4?
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24414766
Yeah I agree!  This is now becoming really odd!  To the point I'm going to give up on the 506E :(

I can ping 192.168.1.1 from the server
&
I can ping 192.168.1.4 from the PIX

pix506e(config)# ping 192.168.1.4
        Exchange response received -- 0ms
        Exchange response received -- 0ms
        Exchange response received -- 0ms
pix506e(config)#

HELP!!!!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414806
So, you CAN ping 192.168.1.1 from the server but you CAN'T ping the server from the PIX?

Can you post a "route print" from the server.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24414864
I "can" ping 192.168.1.1 from the server and I "can" ping 192.168.1.4 from the PIX

Route print from the server:-

C:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 29 91 a3 f6 ...... VMware Accelerated AMD PCNet Adapter
0x40005 ...00 0c 29 91 a3 00 ...... VMware Accelerated AMD PCNet Adapter #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.4      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0      192.168.1.4      192.168.1.4     10
      192.168.1.4  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.1.255  255.255.255.255      192.168.1.4      192.168.1.4     10
     192.168.16.0    255.255.255.0     192.168.16.2     192.168.16.2     10
     192.168.16.2  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.16.255  255.255.255.255     192.168.16.2     192.168.16.2     10
        224.0.0.0        240.0.0.0      192.168.1.4      192.168.1.4     10
        224.0.0.0        240.0.0.0     192.168.16.2     192.168.16.2     10
  255.255.255.255  255.255.255.255      192.168.1.4      192.168.1.4      1
  255.255.255.255  255.255.255.255     192.168.16.2     192.168.16.2      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

C:\>
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414932
That looks good.  Can you post the latest PIX config?
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24414964
As promised:-

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SX/Y7cXtfgcNOcz9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506e
domain-name dt3limited.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.4 Exchange
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit ip any host 91.84.158.61
access-list outside permit tcp any host 91.84.158.60 eq https
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq www
access-list inside permit udp any any eq domain
access-list inside permit tcp any any eq domain
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq pptp
pager lines 24
icmp deny any outside
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location Exchange 255.255.255.255 inside
pdm location 91.84.158.60 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.84.158.60 ftp Exchange ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
banner login ** Disconnect immediately if not authorised **
banner motd DT3 LTD Firewall
Cryptochecksum:7b57318c971361b4003390d31297bcee
: end
pix506e#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415014
First off, you should be accessing .60:

https://91.84.158.60/exchange

If still not working, do this:

conf t
no static (inside,outside) tcp 91.84.158.60 ftp Exchange ftp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255

access-list outside permit tcp any host 91.84.158.60 eq http

Then try accessing:

https://91.84.158.60/exchange

then this:

http://91.84.158.60/exchange
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24415063
Amended the config but still a no go on both counts I'm afraid!!

I'm getting a colleague to test this externally to my network

What is it with this damn firewall! The config is good, & everything is pingable and telnetable!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415126
Can you post config again just to double check the changes?
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24415135
This *was* the running config that was running on the PIX (prior to it being given to me) with no issues, if this helps??

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto

nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password q2Y6D/RDXLXEcrD6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

domain-name nrtc.local

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

names
name 192.168.16.3 E4H-Server1
name 82.68.202.107 Webmail
name 82.68.202.0 ZENRange
name 82.68.202.108 RDC
name 192.168.16.2 Athenaeum
name 192.168.16.0 E4HLAN
name 82.68.202.111 ZenSpare5
name 82.68.202.106 ZenSpare3
name 82.68.202.105 ZenSpare2
name 82.68.202.104 ZenSpare1
name 82.68.202.10 ZenSpare4

access-list outside_access_in permit tcp host 10.0.0.223 any
access-list outside_access_in permit tcp interface outside any

pager lines 24
mtu outside 1500
mtu inside 1500

ip address outside 82.68.202.109 255.255.255.0
ip address inside 192.168.16.254 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
ip local pool Remote1 192.168.16.200-192.168.16.220
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.0.47 255.255.255.255 outside
pdm location Athenaeum 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location E4H-Server1 255.255.255.255 inside
pdm location RDC 255.255.255.255 outside
pdm location E4HLAN 255.255.255.0 inside
pdm location Webmail 255.255.255.255 outside
pdm location ZenSpare4 255.255.255.255 outside
pdm location ZenSpare1 255.255.255.255 outside
pdm location ZenSpare2 255.255.255.255 outside
pdm location ZenSpare3 255.255.255.255 outside
pdm location ZenSpare5 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp RDC 3389 E4H-Server1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp Webmail smtp Athenaeum smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp RDC www Athenaeum www netmask 255.255.255.255 0 0
static (inside,outside) tcp Webmail https Athenaeum https netmask 255.255.255.255 0 0

conduit permit tcp any any
conduit permit tcp any eq 3389 any
conduit permit tcp any eq smtp any

route outside 0.0.0.0 0.0.0.0 82.68.202.110 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
http E4HLAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-l2tp

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

telnet 10.0.0.47 255.255.255.255 outside
telnet timeout 5

ssh timeout 5
console timeout 0

vpdn group L2TP-VPDN-GROUP accept dialin l2tp
vpdn group L2TP-VPDN-GROUP ppp authentication pap
vpdn group L2TP-VPDN-GROUP ppp authentication chap
vpdn group L2TP-VPDN-GROUP ppp authentication mschap
vpdn group L2TP-VPDN-GROUP client configuration address local Remote1
vpdn group L2TP-VPDN-GROUP client configuration dns Athenaeum
vpdn group L2TP-VPDN-GROUP client configuration wins Athenaeum
vpdn group L2TP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60

vpdn username nrtc01 password *********
vpdn enable outside

dhcpd address E4H-Server1-192.168.16.253 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside

terminal width 80
Cryptochecksum:82ed0614652d93670f054ce69917ab96
: end
pixfirewall#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415195
Pretty sure that in 6.3(1), you didn't need to use conduit statement but why not, give it a try:

conf t
conduit permit tcp any any
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24415265
Added and externally tested still no go!

The LEDs on the PIX show the ACT as green (solid), is this correct?  Power is also obviously solid, and the network flashes with transmission of data.

Just wanted to confirm the ACT LED should also be solid green?  As I read this indicates it's in failover mode?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415306
No, no issues.  Hardware appears to be fine.  Can you post the logs again while attempting a connection.

show log | include 91.84.158.60

Make sure you try several times until you see output.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24415331
conf t
logging on
logging timestamp
logging buffered debug

pix506e(config)# show log | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
302013: Built outbound TCP connection 59 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63357 (91.84.158.59/1067)
pix506e(config)#
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24415352
&:-

pix506e(config)# show log | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
302013: Built outbound TCP connection 59 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63357 (91.84.158.59/1067)
pix506e(config)# show log | include 91.84.158.60
302014: Teardown TCP connection 57 for outside:91.84.158.60/443 to inside:192.168.1.4/63351 duration 0:02:01 bytes 0 SYN Timeout
302013: Built outbound TCP connection 65 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63363 (91.84.158.59/1073)
302013: Built outbound TCP connection 66 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63364 (91.84.158.59/1074)
302013: Built outbound TCP connection 67 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63365 (91.84.158.59/1075)
302013: Built outbound TCP connection 68 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63366 (91.84.158.59/1076)
pix506e(config)# show log | include 91.84.158.60
302013: Built outbound TCP connection 109 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63398 (91.84.158.59/1108)
302013: Built outbound TCP connection 110 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63399 (91.84.158.59/1109)
302013: Built outbound TCP connection 111 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63400 (91.84.158.59/1110)
302013: Built outbound TCP connection 112 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63401 (91.84.158.59/1111)
302013: Built outbound TCP connection 113 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63402 (91.84.158.59/1112)
302013: Built outbound TCP connection 114 for outside:91.84.158.60/443 (91.84.158.60/443) to inside:192.168.1.4/63403 (91.84.158.59/1113)
pix506e(config)#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415353
Okay, hold on, the exchange server is .59?  Please post the PIX config
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415368
Okay, never mind, you are trying to access .60 from 192.168.1.4?  That won't work.  Can you have the person test from the outside while you check the logs?
0
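The log lines posted above are what an inside-to-own-public-address ("hairpin") attempt looks like on a PIX 6.3: the connection is built outbound towards 91.84.158.60 with a zero-byte SYN Timeout teardown, because the box does not turn that traffic back in. The following is an added example, not code from the thread or from Cisco, that parses 302013/302014 syslog lines and flags such connections so that an inside test is not mistaken for an inbound failure. The sample lines are constructed from the ones in this thread, and the set of "own" public addresses (the outside interface plus the static globals) is assumed from the thread rather than read from the device.

```python
"""Flag inside -> own-public-address connections (hairpin attempts) in PIX 6.3 syslog."""
import re

# Public addresses this PIX answers for: outside interface (.59) and static
# globals (.60-.62). Assumed from the thread, not parsed from the config.
OWN_PUBLIC = {"91.84.158.59", "91.84.158.60", "91.84.158.61", "91.84.158.62"}

# 302013: Built outbound TCP connection <id> for outside:<dst>/<port> (<mapped>) to inside:<src>/<port> (<xlate>)
BUILT_RE = re.compile(
    r"302013: Built outbound TCP connection (?P<cid>\d+) for "
    r"outside:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) "
    r"to inside:(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<xlate>[\d.]+)/\d+\)"
)
# 302014: Teardown TCP connection <id> ... duration <d> bytes <n> [<reason>]
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for outside:[\d.]+/\d+ "
    r"to inside:[\d.]+/\d+ duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

# Constructed sample, modelled on the lines posted in this thread: one hairpin
# attempt (connection 59) and one ordinary outbound web connection (60).
SAMPLE_LOG = [
    "302013: Built outbound TCP connection 59 for outside:91.84.158.60/443 (91.84.158.60/443) "
    "to inside:192.168.1.4/63357 (91.84.158.59/1067)",
    "302014: Teardown TCP connection 59 for outside:91.84.158.60/443 to inside:192.168.1.4/63357 "
    "duration 0:02:01 bytes 0 SYN Timeout",
    "302013: Built outbound TCP connection 60 for outside:74.125.43.102/80 (74.125.43.102/80) "
    "to inside:192.168.1.4/63666 (91.84.158.59/1544)",
    "302014: Teardown TCP connection 60 for outside:74.125.43.102/80 to inside:192.168.1.4/63666 "
    "duration 0:00:05 bytes 1204 TCP FINs",
]


def find_hairpins(lines, own_public=OWN_PUBLIC):
    """Return one record per outbound connection whose destination is one of our
    own public addresses, enriched with the teardown reason when it was logged."""
    hairpins = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m and m["dst"] in own_public:
            hairpins[m["cid"]] = {
                "cid": m["cid"], "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "bytes": None, "reason": None,
            }
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["cid"] in hairpins:  # only teardowns of flagged connections matter
            hairpins[m["cid"]]["bytes"] = int(m["bytes"])
            hairpins[m["cid"]]["reason"] = m["reason"]
    return list(hairpins.values())


if __name__ == "__main__":
    for h in find_hairpins(SAMPLE_LOG):
        print(f"hairpin attempt: {h['src']} -> {h['dst']}:{h['dport']} "
              f"(conn {h['cid']}, bytes={h['bytes']}, reason={h['reason']})")
```

A flagged record with bytes 0 and "SYN Timeout" is the signature seen in this thread: the SYN left the outside interface towards an address the PIX itself owns and nothing came back. Those entries say nothing about whether the inbound static and access-list work; only a test from a host beyond the router does.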
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24415407
No I tested it from a machine on the 192.168.16.x subnet (which is routable to the 192.168.1.x subnet)

My colleague refreshed his browser a number of times, but I only get this below, which clearly shows nothing is hitting the firewall:-

pix506e(config)# show log | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
111009: User 'enable_15' executed cmd: show logging | include 91.84.158.60
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415433
Yeah, he is using the .60 URL right, not the .59 URL that you posted earlier?  Just making sure he isn't trying to connect to an invalid IP.

Do you still have a PC on the outside of the PIX?  If not, I would put it back and assign it .62 again then try accessing the URL to rule out the router and beyond...
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24415443
OK I have to leave the office now, I've been trying this for nearly 10 days out of hours, it's now 20:10 and I was in the office at 08:30, these are typical hours in an attempt to get this damn thing to work :(

This PIX is clearly not going to work, which is very frustrating, Internet access is 100% operational when the PIX is plugged in, I simply cannot route any traffic inbound, I suggest this is closed off, unless you can think of anything else?

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415473
The PIX config is fine.  The only other thing to try would be to upgrade it to 6.3(5) if you have privileges to download software from Cisco.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24415487
I read your comments, yes my colleague is using the .60 I.P re:-

"Do you still have a PC on the outside of the PIX?  If not, I would put it back and assign it .62 again then try accessing the URL to rule out the router and beyond..."

I don't see how this is going to help?  The .1.4 subnet is not addressable by the .158.x subnet, the PIX will translate the outside I.P to the inside I.P, so I don't see how this is going to rule out the router?
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24415514
Unfortunately I don't have access to the Cisco support area, so looks like this thing at present is as good as a door stop?

I have a 501 at home running, 6.3(5), I'll try this running the above config and let you know how I get on

Thanks for all your assistance again JFrederick29
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415531
Well, if using the .158 PC and you CAN connect to the .158.60 (exchange URL) from that PC, you know the PIX config is fine but the traffic is being blocked by the router (or further upstream, i.e. ISP).  If it doesn't work from this PC, well, it's either the PIX or the server itself.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415535
Okay, let me know how it works out with the 501.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24416814
Hi JFrederick29,

I've dug out an IOS CD, and via TFTP I have upgraded the IOS on the 506E from 6.3(1) to 6.3(5), hopefully this will resolve the issues!  Out of interest what's the most recent IOS for the 506e?

Now I'm on 6.3(5)  do you think my issues will be resolved?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24417889
Crossing my fingers.

6.3(5) is the latest for the PIX 501 and 506E.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24433982
Hi JFrederick29,

Sorry for the delay, things have been hectic!

OK I'm now getting close!  I've swapped out the Linksys router for a Zyxel 600 series running as before in a NO NAT configuration, and I'm getting close!!

Below are a couple of working statements from the current running config:-

access-list outside permit tcp any host 91.84.158.59 eq https
access-list outside permit tcp any host 91.84.158.59 eq smtp
static (inside,outside) tcp 91.84.158.59 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.59 https Exchange https netmask 255.255.255.255 0 0

Going to Shields UP both ports are now showing as open!

However I cannot get the following to work:-

access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq smtp
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

Is this an ISP routing issue?  Or am I looking again at a PIX issue?

Look forward to hearing from you
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24434063
Try this:

conf t
no static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0


0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24434191
JFrederick29,

Yes :- https://91.84.158.60/exchange is working!

How do I use :-

91.84.158.61
91.84.158.62

I'm assuming:-

static (inside,outside) 91.84.158.61 Exchange netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.62 Exchange netmask 255.255.255.255 0 0

but isn't this forwarding :-

access-list outside permit tcp any host 91.84.158.60 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq pptp

Also to 'exchange' ?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24434224
Well, you only need one IP for the exchange server.  If you need to access that server from the Internet via SMTP, PPTP, HTTP, HTTPS, FTP, you simply use the 91.84.158.60 IP but allow those protocols via the access-list.  The access-list should be used to control access to the host (not the static NAT statements).  

You can use .61 and .62 for other servers that need to be accessible from the Internet.

If the FTP and PPTP server are different servers, you can use the .61 and .62 addresses for them.
0
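The point made above (one static per server, with the access-list controlling which services are reachable) is easy to get wrong by hand, as the mistyped 91.86.158.60 static and the port-by-port statics earlier in this thread show. Below is an added example, not code from the thread or from Cisco, that lints a PIX 6.3-style config extract for the three things a reviewer checks here: every host the outside access-list permits has a static translation, every static global address actually sits in the outside subnet, and no access-list entry opens every port of a server with `permit ip`. It also flags a one-to-one static placed on the outside interface address itself, which is my own check and an assumption about 6.3 behaviour rather than something stated in the thread. The sample config is constructed from the final extract posted above, with the typo'd static deliberately left in.

```python
"""Lint a PIX 6.3-style config extract: do the access-list targets, the static
translations and the outside subnet agree with each other?"""
import ipaddress

# Constructed extract, modelled on the final running config in this thread, with
# the mistyped global address (91.86.158.60) from an earlier post left in on purpose.
SAMPLE_CONFIG = """\
name 192.168.1.245 test_lab
name 192.168.1.121 ftp_server
name 192.168.1.4 sbs_server
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.62 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit ip any host 91.84.158.61
ip address outside 91.84.158.59 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.86.158.60 https sbs_server https netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.60 sbs_server netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.62 ftp_server netmask 255.255.255.255 0 0
access-group outside in interface outside
"""


def parse_config(text):
    """Collect name aliases, statics, 'permit <proto> any host X' ACL entries and
    the outside interface address/subnet. Every other line is ignored."""
    cfg = {"names": {}, "statics": [], "acls": [], "outside_ip": None, "outside_net": None}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 3:
            continue
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]  # alias -> address
        elif t[:3] == ["ip", "address", "outside"]:
            cfg["outside_ip"] = ipaddress.ip_address(t[3])
            cfg["outside_net"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "static" and "netmask" in t:
            if t[2] in ("tcp", "udp"):  # port-level static: global port -> local port
                entry = {"proto": t[2], "global": t[3], "local": t[5]}
            else:                       # one-to-one static: whole address
                entry = {"proto": "ip", "global": t[2], "local": t[3]}
            entry["line"] = raw
            cfg["statics"].append(entry)
        elif t[0] == "access-list" and t[2] == "permit" and t[4:6] == ["any", "host"]:
            port = t[t.index("eq") + 1] if "eq" in t else None
            cfg["acls"].append({"proto": t[3], "host": t[6], "port": port, "line": raw})
    return cfg


def lint(text):
    """Return 'CODE: detail -- <config line>' findings for the extract."""
    cfg = parse_config(text)

    def resolve(token):  # alias -> address; bare addresses pass through
        return cfg["names"].get(token, token)

    findings = []
    mapped_globals = set()
    for s in cfg["statics"]:
        gip = ipaddress.ip_address(resolve(s["global"]))
        mapped_globals.add(str(gip))
        if cfg["outside_net"] and gip not in cfg["outside_net"]:
            findings.append(f"OUT-OF-SUBNET: global {gip} is not in {cfg['outside_net']} -- {s['line']}")
        if s["proto"] == "ip" and gip == cfg["outside_ip"]:
            findings.append(f"IFACE-STATIC: one-to-one static on the outside interface address -- {s['line']}")
    for a in cfg["acls"]:
        host = str(ipaddress.ip_address(resolve(a["host"])))
        if host not in mapped_globals:
            findings.append(f"NO-STATIC: {host} is permitted but has no static translation -- {a['line']}")
        if a["proto"] == "ip":
            findings.append(f"ANY-PORT: every port of {host} is exposed; permit only the needed services -- {a['line']}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the lint reports the out-of-subnet global on the typo'd https static and the `permit ip any host 91.84.158.61` entry that exposes every port of test_lab; the .60 and .62 services pass because each has a matching one-to-one static. The same parser handles both static forms seen in this thread, so it can be run over any of the configs posted here.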
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24434359
ok looking good!

Out of interest, why does:-

static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0
work, but
static (inside,outside) tcp 91.84.158.60 Exchange netmask 255.255.255.255 0 0

does not?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24434419
I would say either a limitation in 6.3(1) (if still running that) or a bug.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24434452
ok there is still one issue,

firewall rules on:-

91.84.158.60 are working, but on other I.P's they are not, here is an extract of my running config:-

names
name 192.168.1.245 test_lab
name 192.168.1.121 ftp_server
name 192.168.1.4 sbs_server

access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.62 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit ip any host 91.84.158.61

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 91.84.158.60 sbs_server netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.62 ftp_server netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1

Please advise?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24434482
The config is good.  Are the .61 and .62 servers listening on those ports?
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24434513
OK is there a www site I can test ports listening on 91.84.158.62?  As all firewall testing sites I've visited (Shields Up for example) see my I.P as 91.84.158.60 which obviously won't work
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24434530
Not that I am aware of.  You'll have to test from home or somewhere else offering Internet.  So what isn't working?  How did you test?
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24434573
OK great I'll do some testing at home, I'm happy the PIX is now working as it should, albeit some serious issues with the original Linksys routers coupled with IOS issues which caused me no end of problems!

JFrederick29 you are a legend!  Many thanks again for all your patience, proactiveness and rapid help surrounding this matter, I very nearly gave up!
0
