Solved

PIX 506e Static Route issue

Posted on 2009-05-15
Last Modified: 2012-06-21
Hi Experts,

I have the following I.P's assigned from my ISP:-

91.84.158.57
91.84.158.58
91.84.158.59
91.84.158.60
91.84.158.61
91.84.158.62

I have a DSL router in a "no nat" configuration, with no port forwarding or DMZ configuration, and it is assigned 91.84.158.58 on the LAN port

And have 91.84.158.59 assigned on the outside interface on the PIX

I have the following configuration:-

names
name 192.168.1.4 Exchange
access-list outside permit tcp any host 91.84.158.60 eq https
pager lines 24
icmp deny any outside
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1

However I'm unable to connect to our OWA box as per the static assignment above.

Note 192.168.1.4 has a DG of 192.168.1.1, OWA on 192.168.1.4 is accessible

Please urgently advise, as I'm tearing my hair out on this one!
0
Question by:dt3itsteam
23 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 24401585
For the ASA:

static (inside,outside) tcp interface 443 <ip address of exchange server> 443 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside

Whoever holds your domain public primary DNS records needs to make sure they have a MX / A record for mail.example.com to resolve to the public IP of the outside interface on your ASA.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24402119
Hi Quori,

Regarding your statements above, can I use:-

static (inside,outside) tcp 91.84.158.60 443 exchange 443 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside

Can I then add the following statements if I wished to add PPTP and FTP:-

static (inside,outside) tcp 91.84.158.60 pptp exchange pptp netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 1723

static (inside,outside) tcp 91.84.158.60 ftp exchange ftp netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 21

Please advise?  As I've been struggling with this for over a week.  Note outgoing (Internet) for NAT'd clients is fine, just really struggling with "inbound" connections

Many thanks!
0
 
LVL 13

Expert Comment

by:Quori
ID: 24404255
Should be able to.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24404262
OK thanks, will test this on Monday evening (GMT) and will let you know if this works
0
 
LVL 19

Expert Comment

by:nodisco
ID: 24404997
Hi

<<static (inside,outside) tcp 91.84.158.60 443 exchange 443 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside>>

That won't work as you are translating the exchange server to .60 and then allowing https through to the PIX outside interface of .59.

What you have in place should work already - do you need to open www for OWA also or is it just set to run on https?

To test if the traffic is going through correctly:
sh access-list outside
Then from outside your firewall, open an https connection to the public IP of the exchange server.
Again, run
sh access-list outside

Post the output of both and we can see if it's incrementing hits on the access-list.
Is your NAT to outside internet browsing working OK?

0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24409795
OK I think I have an issue possibly outside of the PIX here, as when using the ping statement I'm unable to ping 192.168.1.4, the DG on 192.168.1.4 is 192.168.1.1

However I can port forward to 192.168.1.4 from my WAG200G DSL router, so I suspect it could be a routing issue?  Cabling is exactly the same as the WAG200G, in that all CAT5 terminates into a single (non vlan'd) 10/100 Linksys managed switch, as does the inside interface connection from the PIX, but I cannot ping 192.168.1.4 from the PIX, but I can from any PC when the PIX is removed and the Linksys is the DG

Any thoughts around this?
0
 
LVL 19

Expert Comment

by:nodisco
ID: 24410093
Can you post your full config?  Do you have an access-list applied to your inside interface?
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24410126
Current running config:-

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SX/Y7cXtfgcNOcz9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506e
domain-name dt3limited.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.4 Exchange
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit ip any host 91.84.158.61
access-list outside permit tcp any host 91.84.158.60 eq https
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq www
access-list inside permit udp any any eq domain
access-list inside permit tcp any any eq domain
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq pptp
pager lines 24
icmp deny any outside
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location Exchange 255.255.255.255 inside
pdm location 91.84.158.60 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.84.158.60 ftp Exchange ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
banner login ** Disconnect immediately if not authorised **
banner motd DT3 LTD Firewall
Cryptochecksum:bd4ba9d5097faf11db9a0de51811582e
: end
pix506e(config)#
0
 
LVL 19

Expert Comment

by:nodisco
ID: 24410142
whoa - PIX Version 6.3(1)!!

Can you upgrade to 6.3(5)?  I haven't seen 6.3(1) in years...it has heaps of bugs in it.

You need valid CCO to download from Cisco if you don't have it already
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24410248
OH!

Unfortunately I don't have access to the Cisco support portal, is this something I can sign up for for "free"?  Or is there a subscription cost involved?
0
 
LVL 19

Expert Comment

by:nodisco
ID: 24410290
Afraid not.  You can get Cisco Smartnet support from a Cisco reseller.  This gives you technical support and a CCO logon to download software images.  I think this is the cheapest way to download new software releases but you would need to confirm this with your local Cisco reseller.

To be honest, I wouldn't spend a lot of time trying to fix this on dodgy code.

One thing I am curious about though

When your test_lab machine goes on the internet do you get public ip 91.84.158.61 (test it by going to whatismyip.com)

Your access-list and static are correct - are you able to ftp/smtp/pptp to 91.84.158.60?  When you try (from outside the PIX) can you post the output of
sh access-list outside


0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24413715
Sorry, I don't believe in this case the issue is around the IOS; a colleague who had this PIX before me had it fully operational in exactly the same scenario I'm trying to achieve. The issue is the PIX cannot see the Exchange host (192.168.1.4), see output from my PC below:-

C:\Users\user>ping 192.168.1.4

Pinging 192.168.1.4 with 32 bytes of data:

Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

now running a ping test from the PIX:-

pix506e# conf t
pix506e(config)# ping 192.168.1.4
        Exchange NO response received -- 1000ms
        Exchange NO response received -- 1000ms
        Exchange NO response received -- 1000ms

Please advise why the PIX cannot see the above host?
0
 
LVL 19

Expert Comment

by:nodisco
ID: 24415716
Can your exchange box ping the PIX?  Can it go on the internet via the PIX?

Pls advise:
When your test_lab machine goes on the internet do you get public ip 91.84.158.61 (test it by going to whatismyip.com)

Your access-list and static are correct - are you able to ftp/smtp/pptp to 91.84.158.60?  When you try (from outside the PIX) can you post the output of
sh access-list outside
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24416823
Hi nodisco,

I've dug out an IOS CD, and via TFTP I have upgraded the IOS on the 506E from 6.3(1) to 6.3(5); hopefully this will resolve the issues!  Out of interest, what's the most recent IOS for the 506e?

Now I'm on 6.3(5)  do you think my issues will be resolved?
0
 
LVL 19

Expert Comment

by:nodisco
ID: 24416887
6.3(5) is the latest.

It may or may not resolve it but to be honest, I wouldn't spend a lot of time testing on 6.3(1) as you can get skewed results.

Let me know on the above tests when you are ready

cheers
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24433975
nodisco,

OK I'm now getting close!  I've swapped out the Linksys router for a ZyXEL 600 series running as before in a NO NAT configuration, and I'm getting close!!

Below are a couple of working statements from the current running config:-

access-list outside permit tcp any host 91.84.158.59 eq https
access-list outside permit tcp any host 91.84.158.59 eq smtp
static (inside,outside) tcp 91.84.158.59 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.59 https Exchange https netmask 255.255.255.255 0 0

Going to Shields UP both ports are now showing as open!

However I cannot get the following to work:-

access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq smtp
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

Is this an ISP routing issue?  Or am I looking again at a PIX issue?

Look forward to hearing from you
0
 
LVL 19

Expert Comment

by:nodisco
ID: 24436699
I wonder, have you got an ARP issue on your outside router, or is this range definitely being routed by your ISP?

A quick way to tell would be to remove these 2 lines:
no static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

and add a 1:1 static for your exchange box
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255

then go on the internet and go to whatismyip.com.

See if you are getting 91.84.158.60 as your ip address.


0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24436730
I've undertaken the following:-

no static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255

And this works!

My final question is, why:-

access-list outside permit tcp any host 91.84.158.59 eq smtp
works, but
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
doesn't?
0
 
LVL 19

Expert Comment

by:nodisco
ID: 24436789
I have not encountered a situation where a 1:1 static works ok but a port redirected static using the same addresses doesn't.

If you have the 1:1 static in the config now:
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255

You should be able to access this address over https/smtp by :
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq https


Just to clarify - what is the ip address that your ISP has your MX record sent to deliver mail to?

0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24436866
It's my understanding that you can have "either":-

access-list outside permit tcp interface  91.84.158.60 any
static (inside,outside) tcp https exchange smtp netmask 255.255.255.255 0 0

"Or" the inverse (port redirect) which is:-

access-list outside permit tcp any host 91.84.158.60 eq https
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0

Now I have the firewall correctly routing the desired ports to the correct hosts, I will be changing the resolving I.P for our MX records over the weekend.

I was advised I had to use the following statement on the 506E:-

static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0

Due to a "bug" in 6.3(5); however, I have a PIX 501 running the same IOS, and I know it uses port redirect statements for PAT, which, thinking back, works fine.

Given my understanding of the above, I don't believe the bug statement to be correct, and this is the command line usage "by design"; please correct me if I'm wrong?
0
 
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
ID: 24436918
Ok to clear this up:-)

<<It's my understanding that you can have "either":-
access-list outside permit tcp interface  91.84.158.60 any
static (inside,outside) tcp https exchange smtp netmask 255.255.255.255 0 0
"Or" the inverse (port redirect) which is:-
access-list outside permit tcp any host 91.84.158.60 eq https
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0>>

Yes you can port redirect off the interface or use the 1:1 static but you have the syntax wrong on the first one and the terminology wrong for the second!

To use the interface to port redirect https:
access-list outside permit tcp any interface eq https
static (inside,outside) tcp interface https  exchange https netmask 255.255.255.255

To use a separate public ip to port redirect https:
access-list outside permit tcp any [public ip] eq https
static (inside,outside) tcp [public ip] https  exchange https netmask 255.255.255.255

And to use a 1:1 static with no port redirection but just allowing https:
access-list outside permit tcp any host [public ip] eq https
static (inside,outside) [public ip] Exchange netmask 255.255.255.255

<<I don't believe the bug statement to be correct, >>
When someone said you should use the static to correct a bug in 6.3(5) - what were they telling you to use it instead of?  I have never heard of any bug that would relate to this.

0
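The three static/access-list forms nodisco lists above, and the earlier point that the access-list and the static must name the same public address, lend themselves to a mechanical check. The following Python script is an added example and is not code from the thread or from Cisco: it parses the PIX 6.3 `ip address outside`, `name`, `access-list ... permit tcp` and `static (inside,outside)` lines, then reports statics whose public address falls outside the outside-interface subnet or whose netmask is not a valid address, and access-list entries that permit traffic no static actually translates. The sample config is constructed from lines in the poster's running config, including the https static that points at 91.86.158.60 rather than 91.84.158.60 and a mistyped netmask.

```python
import ipaddress
import re

# Service names used in the thread, mapped to the ports PIX 6.3 resolves them to.
PORTS = {"https": 443, "smtp": 25, "ftp": 21, "pptp": 1723, "www": 80}

# Constructed sample built from the poster's running config (not the full config):
# the https static uses 91.86.158.60 (wrong second octet) and the smtp static has
# a mistyped netmask; the pptp access-list permits to the interface (.59) while
# the pptp static translates .60, the mismatch nodisco pointed out earlier.
SAMPLE_CONFIG = """\
ip address outside 91.84.158.59 255.255.255.248
name 192.168.1.4 Exchange
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any interface outside eq pptp
static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255..255 0 0
static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(r"access-list \S+ permit tcp any (?:host (\S+)|(interface) outside) eq (\S+)$")
PAT_RE = re.compile(r"static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask (\S+)")
ONE_RE = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask (\S+)")

def _port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)

def audit_pix_config(text):
    """Return a list of findings (strings) for the access-list/static pairs in text."""
    outside, names, acl, statics, findings = None, {}, [], [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip address outside (\S+) (\S+)$", line):
            outside = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"name (\S+) (\S+)$", line):
            names[m[2]] = m[1]
        elif m := ACL_RE.match(line):
            acl.append((line, m[1] or "interface", _port(m[3])))
        elif m := PAT_RE.match(line):
            statics.append((line, m[1], _port(m[2]), m[5]))   # port redirect
        elif m := ONE_RE.match(line):
            statics.append((line, m[1], None, m[3]))          # 1:1 static, all ports
    def resolve(ip):  # 'interface' means the outside interface's own address
        return str(outside.ip) if ip == "interface" else names.get(ip, ip)
    for line, pub, port, mask in statics:
        try:
            ipaddress.IPv4Address(mask)
        except ValueError:
            findings.append(f"bad netmask {mask!r}: {line}")
        if pub != "interface" and ipaddress.IPv4Address(resolve(pub)) not in outside.network:
            findings.append(f"public address {pub} is not in the outside subnet {outside.network}: {line}")
    for line, ip, port in acl:
        if not any(resolve(p) == resolve(ip) and pt in (None, port) for _, p, pt, _ in statics):
            findings.append(f"no static translates {resolve(ip)}:{port}: {line}")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print(finding)
```

Running it over the sample reports the 91.86.158.60 static as outside the /29, the double-dot netmask, the https access-list entry with no matching translation, and the pptp entry permitted on .59 while the static translates .60.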
 
LVL 1

Author Comment

by:dt3itsteam
ID: 24436979
Hi,

Thanks for clarifying, I did notice the error in the following statement, unfortunately after I hit the submit button:-

access-list outside permit tcp interface 91.84.158.60 any
This should have been:-
access-list outside permit tcp any 91.84.158.60 any

As mentioned in my last post, I was advised I had to use the following statement on the 506E:-

access-list outside permit tcp any host 91.84.158.60 eq https
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0

Due to a "bug" in 6.3(5)

Thanks again, I'm still relatively new to the PIX, but I think I'm getting there!
0
 
LVL 19

Expert Comment

by:nodisco
ID: 24437005
No worries mate - you'll get there!

I'm still at a loss as to what this bug is that you were advised about.  6.3(5) is pretty stable.  

cheers
0
