Solved

CISCO PIX 501 suspected of malfunction

Posted on 2010-11-11
8
483 Views
Last Modified: 2012-05-10
Hello everyone
I have posted the main part of my problem in the SBS area, but I would like some input from you PIX experts! I am not great on PIX so I'm not sure if there is anything in my config which is preventing clients from accessing the internet since our DSL modem/router died.
link is here
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_26606614.html
any help appreciated
Question by:OmarSenussi
8 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 34113949
I read through the post.    

Here are my thoughts....  
#1 - If the Zyxel was broken / replaced with the same configs, then nothing should have changed on the inside and all should still be working. Was the PIX fiddled with during troubleshooting? If so, do you have a copy of the original working config? We could easily compare the 2.

#2 - The access lists were up for much discussion. The only ACL there controls inbound traffic to the network. All outbound traffic is allowed.
>>access-group acl_group in interface outside

#3 - You are natting all inbound traffic outbound on the PIX.
>>global (outside) 1 interface
>>nat (inside) 1 0.0.0.0 0.0.0.0 0 0

So any inside PC should be able to get NAT'd and be sent outbound. If this is not happening, then check these on the PIX command line.

>>clear xlate
That will remove all current NATs. Now try getting outbound.
>>show xlate
This will show the current NATs and you should see 1 for the PC you are testing from.

If the nat is there then you should have communication outbound.

0
 

Author Comment

by:OmarSenussi
ID: 34115623
Thanks Mike,

As far as I am aware the pix was not fiddled with at all except before the problem happened.. and that was only to allow inbound traffic on the ports mentioned for RWW and Outlook anywhere.. I also removed the lines that were directing traffic from the now defunct smtp and https feed on 217.36.14.220..

There is no NAT on the Zyxel router/modem so I am relying on the PIX to fulfill that function..

This is the current status:

pixfirewall> enable
Password:
pixfirewall# show xlate
20 in use, 67 most used
PAT Global 217.36.14.221(3821) Local 192.168.0.23(1938)
PAT Global 217.36.14.221(3820) Local 192.168.0.16(3729)
PAT Global 217.36.14.221(3823) Local 192.168.0.23(1939)
PAT Global 217.36.14.221(3822) Local 192.168.0.16(3730)
PAT Global 217.36.14.221(3817) Local 192.168.0.23(1937)
PAT Global 217.36.14.221(3819) Local 192.168.0.11(1945)
PAT Global 217.36.14.221(3818) Local 192.168.0.11(1944)
PAT Global 217.36.14.221(3829) Local 192.168.0.16(3734)
PAT Global 217.36.14.221(3828) Local 192.168.0.23(1942)
PAT Global 217.36.14.221(3831) Local 192.168.0.23(1951)
PAT Global 217.36.14.221(3830) Local 192.168.0.23(1943)
PAT Global 217.36.14.221(3825) Local 192.168.0.11(1948)
PAT Global 217.36.14.221(3824) Local 192.168.0.23(1941)
PAT Global 217.36.14.221(3827) Local 192.168.0.16(3733)
PAT Global 217.36.14.221(3826) Local 192.168.0.11(1949)
PAT Global 217.36.14.221(3832) Local 192.168.0.23(1952)
PAT Global 217.36.14.221(1) Local 192.168.0.13(123)
Global 217.36.14.210 Local 192.168.0.50
PAT Global 217.36.14.221(2) Local 192.168.0.13(500)
PAT Global 217.36.14.221(1024) Local 192.168.0.27(3076)
pixfirewall#

I cannot get to a pc right now to try and connect .. I'll try tomorrow.. Does the above tell you anything?

Thanks for your help.. Omar
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34121749
The only thing I can tell from that is that there are various machines on 192.168.0.x using the 217.36.14.221 IP for outbound NAT (I assume that's the interface IP). And that there is a static 1-to-1 for 192.168.0.50 to 217.36.14.210.

From this it looks like outbound NAT is working.

0
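As an added example (not code from the thread or from Cisco), here is a small Python parser for PIX 6.x `show xlate` output of the kind pasted above. It extracts the same facts Mike read off by hand: which inside hosts are being PAT'd through which global address, and which static 1-to-1 translations exist. The sample input is constructed from a handful of lines quoted in this thread.

```python
import re
from collections import Counter

# The two line shapes seen in PIX 6.x "show xlate" output:
#   PAT Global <gip>(<gport>) Local <lip>(<lport>)   -> port address translation
#   Global <gip> Local <lip>                         -> 1-to-1 (static) NAT
XLATE_RE = re.compile(
    r"^(?P<pat>PAT\s+)?Global\s+(?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?\s*$"
)


def parse_xlate(text):
    """Return one dict per translation line; prompt and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "pat": m.group("pat") is not None,
            "global_ip": m.group("gip"),
            "global_port": int(m.group("gport")) if m.group("gport") else None,
            "local_ip": m.group("lip"),
            "local_port": int(m.group("lport")) if m.group("lport") else None,
        })
    return entries


def summarize(entries):
    """Group translations the way a reviewer reads the table by hand."""
    return {
        # global address(es) used for PAT and how many translations ride on each
        "pat_global_ips": dict(Counter(e["global_ip"] for e in entries if e["pat"])),
        # inside host -> global address for non-PAT (1-to-1) translations
        "static_one_to_one": {e["local_ip"]: e["global_ip"] for e in entries if not e["pat"]},
        # inside hosts that currently hold at least one PAT translation
        "pat_hosts": dict(Counter(e["local_ip"] for e in entries if e["pat"])),
    }


# Constructed sample, assembled from lines quoted earlier in this thread.
SAMPLE = """pixfirewall# show xlate
5 in use, 67 most used
PAT Global 217.36.14.221(3821) Local 192.168.0.23(1938)
PAT Global 217.36.14.221(3820) Local 192.168.0.16(3729)
PAT Global 217.36.14.221(1) Local 192.168.0.13(123)
Global 217.36.14.210 Local 192.168.0.50
PAT Global 217.36.14.221(1024) Local 192.168.0.27(3076)
"""

if __name__ == "__main__":
    print(summarize(parse_xlate(SAMPLE)))
```

Seeing PAT entries for a host confirms only that the PIX built a translation for it, not that the return traffic is arriving, which is why the later steps in this thread move on to pinging the outside and checking DNS.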

Author Comment

by:OmarSenussi
ID: 34122518
Thanks.. this is the result of connecting.. or attempting! to connect a client as you requested..
So if NAT'ing is OK.. what on earth is stopping the browsing?? I'm at a loss!!

I thought I might hook up the old server over the weekend and see if that still works with a client attached.. have a nice weekend!

pixfirewall# show xlate
13 in use, 67 most used
PAT Global 217.36.14.221(14517) Local 192.168.0.11(1069)
PAT Global 217.36.14.221(14516) Local 192.168.0.11(1067)
PAT Global 217.36.14.221(14519) Local 192.168.0.11(1072)
PAT Global 217.36.14.221(14518) Local 192.168.0.11(1070)
PAT Global 217.36.14.221(14513) Local 192.168.0.11(1065)
PAT Global 217.36.14.221(14512) Local 192.168.0.105(1771)
PAT Global 217.36.14.221(14515) Local 192.168.0.23(4632)
PAT Global 217.36.14.221(14514) Local 192.168.0.19(3715)
PAT Global 217.36.14.221(14521) Local 192.168.0.23(4633)
PAT Global 217.36.14.221(14520) Local 192.168.0.19(3716)
Global 217.36.14.210 Local 192.168.0.50
PAT Global 217.36.14.221(33) Local 192.168.0.13(123)
PAT Global 217.36.14.221(1026) Local 192.168.0.27(3076)
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 250 total points
ID: 34122574
So I would start with the most basic and eliminate all the possibilities again.   Eliminate what you can, and whatever is left must be the answer.  

1) Hop on the PIX CLI. Ping an internal address, ping an outside address (4.2.2.2). All 3 should work.
2) Since we see the NAT'ing happening, we can assume inside can ping the PIX. But do it anyway: from the inside, ping the inside int of the PIX.
3) We see NAT'ing happening, so from the inside client, run NSLOOKUP. Who is your DNS? Try to resolve www.google.com - do you get an answer?
3a) With nslookup still open, try changing to an external DNS server, i.e. 208.67.222.222. Try www.google.com again and see if you resolve.

(Step 3 should identify if it is a DNS issue or an IP issue.)

4) Try browsing to http://www.canyouseeme.org and check the IP.

During testing, keep an eye on "show logging" from the CLI. It will show if the Cisco is dropping any packets.


Let me know if any of those tests fail.


0
 

Author Comment

by:OmarSenussi
ID: 34124911
Hi Mike,
I thought I'd said in the other post, I'm unable to ping any outside addresses from the Cisco interface.. This has started since this situation arose.. I can ping any number of internal addresses and they can ping the internal interface on the PIX..

nslookup on the server reports default server unknown, which is strange! I have the forwarders in place.

CanYouSeeMe gives the right IP but says
Error: I could not see your service on 217.36.14.210 on port (80)
From the server:
C:\Users\Omar>nslookup www.google.com
Server:  UnKnown
Address:  fe80::8da:709:ecce:d11c

Non-authoritative answer:
Name:    www.l.google.com
Address:  173.194.37.104
Aliases:  www.google.com
I'll try to get on to a client and run from there
Thanks again
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 250 total points
ID: 34125150
If you can't ping outside on the PIX, then we stop there before testing DNS.

If the router is set in bridge mode, then the PIX should be doing the job of PPPoE, or is it a static map? How do you get your ISP service? Make sure that the PIX is getting an IP if it is DHCP. If it is static, then the ISP should have given you a default gateway. If so, can the PIX ping the default gateway?

So how do you get your IP from the ISP?
If DHCP, make sure you are getting an IP, and can you ping the gateway?
If static, can you ping the gateway?

If you can't ping the gateway at the ISP (since the next hop is the ISP if the modem is bridged), then it's an ISP problem or a bad modem.
0
 

Author Comment

by:OmarSenussi
ID: 34125617
I have a range of 16 IPs: one I have assigned to the inside of the router/modem, another to the outside of the PIX. I have pointed remote.company.co.uk to a third IP and have directed my SMTP feed to that address.. and email is coming in OK and going out.
DSL modem is acting purely as a modem: NO NAT, no DHCP, no firewall..

I just spent some time talking to the ISP... transpires someone (God bless him/her) gave me some information which was plain wrong.. because they assumed, probably, that I had just ONE fixed IP! So anyway the clients now connect and I can get on with some useful work again!

Thank you so much for your patience and invaluable pushing to the right direction..

I'm going to split the points.. As nobody else came in with you on this one.. you get them all for this post! Many thanks
0
