Solved

CISCO PIX 501 suspected of malfunction

Posted on 2010-11-11
Last Modified: 2012-05-10
Hello everyone
I have posted the main part of my problem in the SBS area, but I would like some input from you PIX experts! I am not great on PIX so I'm not sure if there is anything in my config which is preventing clients from accessing the internet since our DSL modem/router died.

Link is here:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_26606614.html
Any help appreciated.
8 Comments

Expert Comment

by:MikeKane
ID: 34113949
I read through the post.

Here are my thoughts....
#1 - If the Zyxel was broken / replaced with the same configs, then nothing should have changed on the inside and all should still be working. Was the PIX fiddled with during troubleshooting? If so, do you have a copy of the original working config? We could easily compare the 2.

#2 - The access lists were up for much discussion. The only ACL there controls inbound traffic to the network. All outbound traffic is allowed.
>>access-group acl_group in interface outside

#3 - You are natting all inbound traffic outbound on the PIX.
>>global (outside) 1 interface
>>nat (inside) 1 0.0.0.0 0.0.0.0 0 0

So any inside PC should be able to get NAT'd and be sent outbound. If this is not happening, then check these on the PIX command line.

>clear xlate
That will remove all current nat's.   Now try getting outbound.
> show xlate
This will show the current nats and you should see 1 for the PC you are testing from.  

If the nat is there then you should have communication outbound.


Author Comment

by:OmarSenussi
ID: 34115623
Thanks Mike,

As far as I am aware the pix was not fiddled with at all except before the problem happened.. and that was only to allow inbound traffic on the ports mentioned for RWW and Outlook anywhere.. I also removed the lines that were directing traffic from the now defunct smtp and https feed on 217.36.14.220..

There is no NAT on the Zyxel router/modem so I am relying on the PIX to fulfill that function..

this is the current status

pixfirewall> enable
Password:
pixfirewall# show xlate
20 in use, 67 most used
PAT Global 217.36.14.221(3821) Local 192.168.0.23(1938)
PAT Global 217.36.14.221(3820) Local 192.168.0.16(3729)
PAT Global 217.36.14.221(3823) Local 192.168.0.23(1939)
PAT Global 217.36.14.221(3822) Local 192.168.0.16(3730)
PAT Global 217.36.14.221(3817) Local 192.168.0.23(1937)
PAT Global 217.36.14.221(3819) Local 192.168.0.11(1945)
PAT Global 217.36.14.221(3818) Local 192.168.0.11(1944)
PAT Global 217.36.14.221(3829) Local 192.168.0.16(3734)
PAT Global 217.36.14.221(3828) Local 192.168.0.23(1942)
PAT Global 217.36.14.221(3831) Local 192.168.0.23(1951)
PAT Global 217.36.14.221(3830) Local 192.168.0.23(1943)
PAT Global 217.36.14.221(3825) Local 192.168.0.11(1948)
PAT Global 217.36.14.221(3824) Local 192.168.0.23(1941)
PAT Global 217.36.14.221(3827) Local 192.168.0.16(3733)
PAT Global 217.36.14.221(3826) Local 192.168.0.11(1949)
PAT Global 217.36.14.221(3832) Local 192.168.0.23(1952)
PAT Global 217.36.14.221(1) Local 192.168.0.13(123)
Global 217.36.14.210 Local 192.168.0.50
PAT Global 217.36.14.221(2) Local 192.168.0.13(500)
PAT Global 217.36.14.221(1024) Local 192.168.0.27(3076)
pixfirewall#

I cannot get to a pc right now to try and connect .. I'll try tomorrow.. Does the above tell you anything?

Thanks for your help.. Omar

Expert Comment

by:MikeKane
ID: 34121749
The only thing I can tell from that is that there are various machines on 192.168.0.x using the 217.36.14.221 IP for outbound NAT (I assume that's the interface IP). And that there is a static 1 to 1 for 192.168.0.50 to 217.36.14.210.

From this it looks like outbound nat is working.  

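As an added illustration (not code from the thread or from Cisco), here is a small parser for the PIX `show xlate` output posted above. It reproduces Mike's reading of the table by hand: which inside hosts are being PAT'd behind which global IP, which entries are static one-to-one translations, and the check he asked for earlier, namely whether the PC under test has a translation at all. The sample lines are constructed in the same format as the posted output.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "show xlate" output posted above.
SAMPLE_XLATE = """\
pixfirewall# show xlate
20 in use, 67 most used
PAT Global 217.36.14.221(3821) Local 192.168.0.23(1938)
PAT Global 217.36.14.221(3820) Local 192.168.0.16(3729)
PAT Global 217.36.14.221(1) Local 192.168.0.13(123)
Global 217.36.14.210 Local 192.168.0.50
PAT Global 217.36.14.221(2) Local 192.168.0.13(500)
pixfirewall#
"""

# "PAT Global <ip>(<port>) Local <ip>(<port>)" is a port-overloaded (PAT) entry;
# "Global <ip> Local <ip>" with no ports is a static one-to-one translation.
PAT_RE = re.compile(r"^PAT Global (\S+)\((\d+)\) Local (\S+)\((\d+)\)$")
STATIC_RE = re.compile(r"^Global (\S+) Local (\S+)$")


def parse_xlate(text):
    """Return one dict per translation line; non-matching lines (prompt, header) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PAT_RE.match(line)
        if m:
            entries.append({"kind": "PAT", "global_ip": m.group(1), "global_port": int(m.group(2)),
                            "local_ip": m.group(3), "local_port": int(m.group(4))})
            continue
        m = STATIC_RE.match(line)
        if m:
            entries.append({"kind": "static", "global_ip": m.group(1), "local_ip": m.group(2)})
    return entries


def summarize(entries):
    """Per inside host: translation kinds seen, global IPs used, and number of xlate slots."""
    summary = defaultdict(lambda: {"kinds": set(), "global_ips": set(), "count": 0})
    for e in entries:
        host = summary[e["local_ip"]]
        host["kinds"].add(e["kind"])
        host["global_ips"].add(e["global_ip"])
        host["count"] += 1
    return dict(summary)


def has_translation(entries, local_ip):
    """Mike's check: after 'clear xlate' and a test connection, does the PC appear in the table?"""
    return any(e["local_ip"] == local_ip for e in entries)
```

Seeing a host in this table only proves the PIX built a translation for it; as the later comments show, traffic can still fail beyond the outside interface, so an entry here is necessary but not sufficient evidence of outbound connectivity.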

Author Comment

by:OmarSenussi
ID: 34122518
Thanks.. this is the result of connecting.. or attempting! to connect a client as you requested..
So if NAT'ing is OK.. what on earth is stopping the browsing?? I'm at a loss!!

I thought I might hook up the old server over the weekend and see if that still works with a client attached.. have a nice weekend!

pixfirewall# show xlate
13 in use, 67 most used
PAT Global 217.36.14.221(14517) Local 192.168.0.11(1069)
PAT Global 217.36.14.221(14516) Local 192.168.0.11(1067)
PAT Global 217.36.14.221(14519) Local 192.168.0.11(1072)
PAT Global 217.36.14.221(14518) Local 192.168.0.11(1070)
PAT Global 217.36.14.221(14513) Local 192.168.0.11(1065)
PAT Global 217.36.14.221(14512) Local 192.168.0.105(1771)
PAT Global 217.36.14.221(14515) Local 192.168.0.23(4632)
PAT Global 217.36.14.221(14514) Local 192.168.0.19(3715)
PAT Global 217.36.14.221(14521) Local 192.168.0.23(4633)
PAT Global 217.36.14.221(14520) Local 192.168.0.19(3716)
Global 217.36.14.210 Local 192.168.0.50
PAT Global 217.36.14.221(33) Local 192.168.0.13(123)
PAT Global 217.36.14.221(1026) Local 192.168.0.27(3076)

Accepted Solution

by:
MikeKane earned 250 total points
ID: 34122574
So I would start with the most basic and eliminate all the possibilities again. Eliminate what you can, and whatever is left must be the answer.

1) Hop on the PIX CLI. Ping an internal address, ping an outside address (4.2.2.2). All 3 should work.
2) Since we see the NAT'ing happening, we can assume inside can ping the PIX. But do it anyway: from the inside, ping the inside int of the PIX.
3) We see NAT'ing happening, so from the inside client, run NSLOOKUP. Who is your DNS? Try to resolve www.google.com - do you get an answer?
3a) With nslookup still open, try changing to an external DNS server, i.e. 208.67.222.222. Try www.google.com again and see if you resolve.

(Step 3 should identify if it is a DNS issue or an IP issue.)

4) Try browsing to http://www.canyouseeme.org and check the IP.

During testing, keep an eye on the "show logging" from the CLI. It will show if the Cisco is dropping any packets.


Let me know if any of those tests fail.



Author Comment

by:OmarSenussi
ID: 34124911
Hi Mike,
I thought I'd said in the other post, I'm unable to ping any outside addresses from the Cisco interface.. This has started since this situation arose.. I can ping any number of internal addresses and they can ping the internal interface on the PIX..

nslookup on the server reports default server unknown, which is strange! I have the forwarders in place.

can you see me gives the right IP but says
Error: I could not see your service on 217.36.14.210 on port (80)
from server:
C:\Users\Omar>nslookup www.google.com
Server:  UnKnown
Address:  fe80::8da:709:ecce:d11c

Non-authoritative answer:
Name:    www.l.google.com
Address:  173.194.37.104
Aliases:  www.google.com
I'll try to get on to a client and run from there
Thanks again

Assisted Solution

by:MikeKane
MikeKane earned 250 total points
ID: 34125150
If you can't ping outside on the PIX, then we stop there before testing DNS.  

If the router is set in bridge mode, then the PIX should be doing the job of PPPoE, or is it a static map?   How do you get your ISP service?    Make sure that the PIX is getting an IP if it is DHCP.    If it is static, then the ISP should have given you a default gateway.    If so, can the PIX ping the default gateway?  

So how to get your IP from the ISP?
If dhcp, make sure you are getting an IP and can you ping the gateway?
if static, can you ping the gateway?

If you can't ping the gateway at the ISP (since the next hop is the ISP if the modem is bridged), then it's an ISP problem or a bad modem.

Author Comment

by:OmarSenussi
ID: 34125617
I have a range of 16 IPs, one I have assigned to the inside of the router/modem, another to the outside of the PIX. I have pointed remote.company.co.uk to a third IP and have directed my SMTP feed to that address.. and email is coming in OK and going out.
DSL modem is acting purely as a modem: NO NAT, No DHCP, No firewall..

I just spent some time talking to the ISP... transpires someone (God bless him/her) gave me some information which was plain wrong.. because they assumed, probably, that I had just ONE fixed IP! So anyway the clients now connect and I can get on with some useful work again!

Thank you so much for your patience and invaluable pushing to the right direction..

I'm going to split the points.. As nobody else came in with you on this one.. you get them all for this post! Many thanks