
CISCO PIX 501 suspected of malfunction

OmarSenussi asked
Last Modified: 2012-05-10
Hello everyone
I have posted the main part of my problem in the SBS area, but I would like some input from you PIX experts! I am not great on PIX, so I'm not sure if there is anything in my config which is preventing clients from accessing the internet since our DSL modem/router died.

Link is here:
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_26606614.html
Any help appreciated.

Top Expert 2010 commented:
I read through the post.

Here are my thoughts....
#1 - If the Zyxel was broken / replaced with the same configs, then nothing should have changed on the inside and all should still be working. Was the PIX fiddled with during troubleshooting? If so, do you have a copy of the original working config? We could easily compare the 2.

#2 - The access lists were up for much discussion. The only ACL there controls inbound traffic to the network. All outbound traffic is allowed.
>>access-group acl_group in interface outside

#3 - You are NATting all inside traffic outbound on the PIX.
>>global (outside) 1 interface
>>nat (inside) 1 0.0.0.0 0.0.0.0 0 0

So any inside PC should be able to get NAT'd and be sent outbound. If this is not happening, then check these on the PIX command line.

>clear xlate
That will remove all current NATs. Now try getting outbound.
> show xlate
This will show the current NATs and you should see 1 for the PC you are testing from.

If the NAT is there then you should have communication outbound.
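As an added example (not from this thread or from Cisco), a small Python parser for the PIX 6.x `show xlate` output format discussed above. It checks the "in use" header count against the lines actually parsed, groups translations per inside host, separates static one-to-one entries from PAT, and flags any PAT entry that does not use the expected outside interface IP. The sample input is a trimmed copy of the thread's own output; the interface IP 217.36.14.221 is assumed from the expert's reading of it.

```python
import re

# Line formats in PIX 6.x 'show xlate' output as shown in this thread:
#   N in use, M most used                        summary header
#   PAT Global <ip>(<port>) Local <ip>(<port>)   dynamic port address translation
#   Global <ip> Local <ip>                       static one-to-one translation
HEADER_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
PAT_RE = re.compile(r"^PAT Global ([\d.]+)\((\d+)\) Local ([\d.]+)\((\d+)\)$")
STATIC_RE = re.compile(r"^Global ([\d.]+) Local ([\d.]+)$")


def parse_xlate(text):
    """Return (in_use_from_header, entries) for pasted 'show xlate' text.
    Prompt lines and anything else unrecognised are ignored."""
    in_use, entries = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER_RE.match(line):
            in_use = int(m.group(1))
        elif m := PAT_RE.match(line):
            entries.append({"type": "PAT", "global": m.group(1), "gport": int(m.group(2)),
                            "local": m.group(3), "lport": int(m.group(4))})
        elif m := STATIC_RE.match(line):
            entries.append({"type": "static", "global": m.group(1), "local": m.group(2)})
    return in_use, entries


def summarize(entries, interface_ip):
    """Per inside host: number of PAT slots and any static global address.
    Also returns PAT global IPs other than the outside interface, which would
    mean a second global pool is in play (none expected with 'global (outside) 1 interface')."""
    hosts = {}
    for e in entries:
        h = hosts.setdefault(e["local"], {"pat": 0, "static": None})
        if e["type"] == "PAT":
            h["pat"] += 1
        else:
            h["static"] = e["global"]
    unexpected = sorted({e["global"] for e in entries
                         if e["type"] == "PAT" and e["global"] != interface_ip})
    return hosts, unexpected


# Trimmed from the thread's own 'show xlate' output (header count adjusted to match).
SAMPLE = """pixfirewall# show xlate
4 in use, 67 most used
PAT Global 217.36.14.221(3821) Local 192.168.0.23(1938)
PAT Global 217.36.14.221(3823) Local 192.168.0.23(1939)
PAT Global 217.36.14.221(1) Local 192.168.0.13(123)
Global 217.36.14.210 Local 192.168.0.50
pixfirewall#
"""

if __name__ == "__main__":
    in_use, entries = parse_xlate(SAMPLE)
    print("header says", in_use, "in use; parsed", len(entries))
    print(summarize(entries, "217.36.14.221"))
```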

Author commented:
Thanks Mike,

As far as I am aware the PIX was not fiddled with at all except before the problem happened, and that was only to allow inbound traffic on the ports mentioned for RWW and Outlook Anywhere. I also removed the lines that were directing traffic from the now defunct SMTP and HTTPS feed on 217.36.14.220.

There is no NAT on the Zyxel router/modem, so I am relying on the PIX to fulfil that function.

This is the current status:

pixfirewall> enable
Password:
pixfirewall# show xlate
20 in use, 67 most used
PAT Global 217.36.14.221(3821) Local 192.168.0.23(1938)
PAT Global 217.36.14.221(3820) Local 192.168.0.16(3729)
PAT Global 217.36.14.221(3823) Local 192.168.0.23(1939)
PAT Global 217.36.14.221(3822) Local 192.168.0.16(3730)
PAT Global 217.36.14.221(3817) Local 192.168.0.23(1937)
PAT Global 217.36.14.221(3819) Local 192.168.0.11(1945)
PAT Global 217.36.14.221(3818) Local 192.168.0.11(1944)
PAT Global 217.36.14.221(3829) Local 192.168.0.16(3734)
PAT Global 217.36.14.221(3828) Local 192.168.0.23(1942)
PAT Global 217.36.14.221(3831) Local 192.168.0.23(1951)
PAT Global 217.36.14.221(3830) Local 192.168.0.23(1943)
PAT Global 217.36.14.221(3825) Local 192.168.0.11(1948)
PAT Global 217.36.14.221(3824) Local 192.168.0.23(1941)
PAT Global 217.36.14.221(3827) Local 192.168.0.16(3733)
PAT Global 217.36.14.221(3826) Local 192.168.0.11(1949)
PAT Global 217.36.14.221(3832) Local 192.168.0.23(1952)
PAT Global 217.36.14.221(1) Local 192.168.0.13(123)
Global 217.36.14.210 Local 192.168.0.50
PAT Global 217.36.14.221(2) Local 192.168.0.13(500)
PAT Global 217.36.14.221(1024) Local 192.168.0.27(3076)
pixfirewall#

I cannot get to a PC right now to try and connect. I'll try tomorrow. Does the above tell you anything?

Thanks for your help. Omar
Top Expert 2010 commented:
The only thing I can tell from that is that there are various machines on 192.168.0.x using the 217.36.14.221 IP for outbound NAT (I assume that's the interface IP), and that there is a static 1-to-1 for 192.168.0.50 to 217.36.14.210.

From this it looks like outbound NAT is working.

Author commented:
Thanks. This is the result of connecting, or attempting (!) to connect, a client as you requested.
So if NATing is OK, what on earth is stopping the browsing?? I'm at a loss!!

I thought I might hook up the old server over the weekend and see if that still works with a client attached. Have a nice weekend!

pixfirewall# show xlate
13 in use, 67 most used
PAT Global 217.36.14.221(14517) Local 192.168.0.11(1069)
PAT Global 217.36.14.221(14516) Local 192.168.0.11(1067)
PAT Global 217.36.14.221(14519) Local 192.168.0.11(1072)
PAT Global 217.36.14.221(14518) Local 192.168.0.11(1070)
PAT Global 217.36.14.221(14513) Local 192.168.0.11(1065)
PAT Global 217.36.14.221(14512) Local 192.168.0.105(1771)
PAT Global 217.36.14.221(14515) Local 192.168.0.23(4632)
PAT Global 217.36.14.221(14514) Local 192.168.0.19(3715)
PAT Global 217.36.14.221(14521) Local 192.168.0.23(4633)
PAT Global 217.36.14.221(14520) Local 192.168.0.19(3716)
Global 217.36.14.210 Local 192.168.0.50
PAT Global 217.36.14.221(33) Local 192.168.0.13(123)
PAT Global 217.36.14.221(1026) Local 192.168.0.27(3076)
Top Expert 2010 commented:
(comment hidden on the original page)

Author commented:
Hi Mike,
I thought I'd said in the other post, I'm unable to ping any outside addresses from the Cisco interface. This has started since this situation arose. I can ping any number of internal addresses and they can ping the internal interface on the PIX.

nslookup on the server reports default server unknown, which is strange! I have the forwarders in place.

CanYouSeeMe gives the right IP but says
Error: I could not see your service on 217.36.14.210 on port (80)
From the server:
C:\Users\Omar>nslookup www.google.com
Server:  UnKnown
Address:  fe80::8da:709:ecce:d11c

Non-authoritative answer:
Name:    www.l.google.com
Address:  173.194.37.104
Aliases:  www.google.com
I'll try to get on to a client and run it from there.
Thanks again
Top Expert 2010 commented:
(comment hidden on the original page)

Author commented:
I have a range of 16 IPs: one I have assigned to the inside of the router/modem, another to the outside of the PIX. I have pointed remote.company.co.uk to a third IP and have directed my SMTP feed to that address, and email is coming in OK and going out.
The DSL modem is acting purely as a modem: NO NAT, no DHCP, no firewall.

I just spent some time talking to the ISP... transpires someone (God bless him/her) gave me some information which was plain wrong, because they assumed, probably, that I had just ONE fixed IP! So anyway the clients now connect and I can get on with some useful work again!

Thank you so much for your patience and invaluable pushing in the right direction.

I'm going to split the points. As nobody else came in with you on this one, you get them all for this post! Many thanks
