Solved

cisco pix

Posted on 2011-02-21
31
585 Views
Last Modified: 2012-05-11
recently we had shifted our data center to a new place.
after this activity users are not able to connect to a remote server (public ip address) and it was working before shifting the data center. it seems some connection went wrong. the scenario of the data center is as follows:

cisco pix is having one public ip and one interface is connected to cisco router and other end of pix is connected to lan switch. cisco router's 2nd interface is connected to mailmarshal server which has got one public ip. this connection is through a leased line. we have got another adsl line also where we have sonicwall x0 interface is connected to switch, x1 interface is connected to adsl router and x2 interface is connected to another adsl router.

cisco router has got one public ip
mailmarshal has got one public ip
cisco pix has got public ip

while shifting i think maybe some connection went wrong. there has been no change in any config for any devices made.

how can we resolve this

mainly users are not able to connect to remote server (public ip)

Question by:kurajesh
31 Comments
 
LVL 1

Author Comment

by:kurajesh
ID: 34948882
just to add, after shifting, one interface of the cisco router and mailmarshal is connected through a cross cable. is that the right way? i think this is due to some connection problem
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34949063
Hi,

I advise moving the mail server behind the pix, giving it a DMZ zone, and creating a STATIC NAT for its public address!

What do the CRC counters show?

Best regards,
Istvan
0
 
LVL 10

Expert Comment

by:ujitnos
ID: 34949155
Hi

As per your description of the network, i understand it as the drawing attached. where does the sonicwall come into the picture?

Other than access to this remote server, are users able to browse the internet?

Has your public IP changed after moving to the new data center? If yes, maybe there is a firewall at the remote end that allowed access from your old IP. If this is the case you might have to communicate the new IP to them.
dig.JPG
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34949253
we haven't changed any configuration for any devices. it was working before shifting.
users are accessing the internet via the adsl line by having the sonicwall ip as gateway. the sonicwall is connected for vpn usage. we have not changed any ip either. everything is the same; we made a mistake in cable connection but couldn't figure it out. can we do any test from the pix or from the router to find out the issue? pls help
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34949280
Please show us the 'sh int' command output
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34949283
Did you set all interfaces to 100M full duplex?
0
 
LVL 10

Expert Comment

by:ujitnos
ID: 34949397
do a traceroute from the router/pix to the user system and see if it's reaching the system. Similarly do a trace from the user system to the remote server and focus on the device where the drop is happening.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34949893
kindly note the output as follows

i have tried to ping the user ip from the pix, which seems to be ok, and tried to tracert the remote server ip from the user system; the output is mentioned here


kindly check the same and request to revert

thanks


test.txt
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34949937
at the same time when a user gives http://remoteservername it is asking for authentication but through remote desktop connection it is not coming

0
 
LVL 10

Expert Comment

by:ujitnos
ID: 34950232
Under the mentioned scenarios it seems that the remote desktop port is not open on the server or the service is hung for some reason. One more test: from your router/pix do a telnet to the remote server on port 3389. If it fails then the issue is at the remote server/network.

As you are getting an authentication prompt while browsing the site, the whole connection path seems to be OK.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34950343

i tested telnet 216.68.200.28 3389 and the output is


Connecting To 216.68.200.28...Could not open connection to the host, on port 3389: Connect failed
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34950344
it seems no problem with the pix.... what does the router show?
0
 
LVL 10

Expert Comment

by:ujitnos
ID: 34950371
Check with the team managing this remote server if the RDP/Terminal services are up in the server.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34950422

sorry, a bit of a mistake happened in my explanation. in fact users are not able to access the applications through the web (usually they were accessing through https://the ip address and the authentication page comes in). but when i give the same https://ip address from my mailmarshal server it is asking. by the way i indicated that users were accessing through rdp but rdp is disabled at the remote side for security reasons; in fact users were going through https://ip address



0
 
LVL 1

Author Comment

by:kurajesh
ID: 34950425
sorry for my wrong explanation, apologise for that
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34950737
kindly revert back
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34958446
hi,

request you to kindly reply
0
 
LVL 10

Assisted Solution

by:ujitnos
ujitnos earned 500 total points
ID: 34958753
hi.. still your query is not clear.

Is it working for normal users?
Are you facing the issue only from the Mailmarshal server?
Does the application connect on any specific port?
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34958881
hi,

in fact users are not able to access the applications through the web (usually they were accessing through https://the ip address and the authentication page comes in). but when i give the same https://ip address from my mailmarshal server it is asking. by the way i indicated that users were accessing through rdp but rdp is disabled at the remote side for security reasons; in fact users were going through https://ip address

it is not working for normal users. from the mailmarshal server i am able to connect to that server application. do you need the configuration file for the pix and router? if so pls let me know
0
 
LVL 10

Assisted Solution

by:ujitnos
ujitnos earned 500 total points
ID: 34958943
do a trace to remote server from the mailmarshal server and the user system and paste the output from both.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34959218
the tracert from mail marshal server is as

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

tracert 216.68.200.28

Tracing route to 216.68.200.28 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.16.3.1
  2    16 ms    16 ms    16 ms  83.111.224.85
  3    17 ms    17 ms    17 ms  213.42.9.241
  4    18 ms    17 ms    18 ms  194.170.0.142
  5    22 ms    19 ms    19 ms  nyc-emix-ca.at4101.emix.ae [195.229.0.249]
  6    25 ms    21 ms    22 ms  195.229.1.177
  7    24 ms   229 ms    21 ms  195.229.1.166
  8   240 ms   237 ms   235 ms  195.229.0.194
  9   229 ms   235 ms   253 ms  pit-ten2-1-ash-ten7-2.bboi.net [66.216.1.206]
 10   257 ms   257 ms   251 ms  col-ten2-2-pit-ten2-2.bboi.net [66.216.1.102]
 11   259 ms   253 ms   258 ms  col-ten2-2-pit-ten2-2.bboi.net [66.216.1.102]
 12   256 ms   292 ms   250 ms  col-ten2-2-pit-ten2-2.bboi.net [66.216.1.102]
 13   255 ms   248 ms   248 ms  ind-ten1-1-col-ten3-3.bboi.net [66.216.1.110]
 14   262 ms   258 ms   263 ms  edge5-g1-1.dist.fuse.net [216.68.6.54]
 15   266 ms   265 ms     *     edge5-g1-1.dist.fuse.net [216.68.6.54]
 16   258 ms   257 ms   263 ms  edge5-g1-1.dist.fuse.net [216.68.6.54]
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *


the same from user side is as

C:\Users\chari>tracert 216.68.200.28

Tracing route to kao [216.68.200.28]
over a maximum of 30 hops:

  1     3 ms    <1 ms    <1 ms  172.16.0.1
  2    44 ms    43 ms    31 ms  195.229.244.24
  3    34 ms    57 ms    31 ms  195.229.245.145
  4    30 ms    44 ms    29 ms  194.170.0.238
  5    36 ms    36 ms    36 ms  195.229.0.221
  6    47 ms    38 ms   243 ms  195.229.0.194
  7  1642 ms  1262 ms  1250 ms  c00.ny2.g6-0.wvfiber.net [198.32.160.137]
  8  1356 ms  1313 ms   261 ms  ash-ten3-3-nyc-ten1-1.bboi.net [66.216.1.161]
  9   442 ms   240 ms   246 ms  ash-ten3-3-nyc-ten1-1.bboi.net [66.216.1.161]
 10   262 ms   264 ms  1945 ms  col-ten2-2-pit-ten2-2.bboi.net [66.216.1.102]
 11   277 ms   274 ms   273 ms  ind-ten1-1-col-ten3-3.bboi.net [66.216.1.110]
 12   281 ms   277 ms   257 ms  col-ten2-2-pit-ten2-2.bboi.net [66.216.1.102]
 13   274 ms   286 ms     *     ind-ten1-1-col-ten3-3.bboi.net [66.216.1.110]
 14   286 ms   281 ms   275 ms  64.127.129.50
 15   285 ms     *        *     216.68.6.208
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *


please check the above

0
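The comparison ujitnos asks for (do the two traces take the same path, and where does each one go silent?) can be done mechanically. The following is an added example written for this page, not code from any of the thread's participants: it parses Windows tracert output, reports the last hop that answered, and lists the router addresses both traces have in common. The embedded input is an excerpt of the two traces pasted above, with only some hops kept, so hop numbers are not consecutive; everything else is assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Excerpts of the two tracert outputs pasted in the thread (mailmarshal
# server and a user PC); only some hops are kept, so numbers skip.
MAILMARSHAL_TRACE = """\
Tracing route to 216.68.200.28 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.16.3.1
  5    22 ms    19 ms    19 ms  nyc-emix-ca.at4101.emix.ae [195.229.0.249]
  8   240 ms   237 ms   235 ms  195.229.0.194
 10   257 ms   257 ms   251 ms  col-ten2-2-pit-ten2-2.bboi.net [66.216.1.102]
 13   255 ms   248 ms   248 ms  ind-ten1-1-col-ten3-3.bboi.net [66.216.1.110]
 15   266 ms   265 ms     *     edge5-g1-1.dist.fuse.net [216.68.6.54]
 16   258 ms   257 ms   263 ms  edge5-g1-1.dist.fuse.net [216.68.6.54]
 17     *        *        *     Request timed out.
 23     *        *
"""

USER_TRACE = """\
Tracing route to kao [216.68.200.28]
over a maximum of 30 hops:

  1     3 ms    <1 ms    <1 ms  172.16.0.1
  6    47 ms    38 ms   243 ms  195.229.0.194
  7  1642 ms  1262 ms  1250 ms  c00.ny2.g6-0.wvfiber.net [198.32.160.137]
 10   262 ms   264 ms  1945 ms  col-ten2-2-pit-ten2-2.bboi.net [66.216.1.102]
 11   277 ms   274 ms   273 ms  ind-ten1-1-col-ten3-3.bboi.net [66.216.1.110]
 14   286 ms   281 ms   275 ms  64.127.129.50
 15   285 ms     *        *     216.68.6.208
 16     *        *        *     Request timed out.
"""


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]  # None where tracert printed '*'
    name: Optional[str] = None    # DNS name, when tracert resolved one
    ip: Optional[str] = None      # address of the router that answered

    @property
    def responded(self) -> bool:
        return any(r is not None for r in self.rtts_ms)


# hop number, one to three probe results ("<1 ms", "245 ms" or "*"), then host
HOP_RE = re.compile(r'^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s*){1,3})(.*)$')
RTT_RE = re.compile(r'<?\d+\s*ms|\*')
NAMED_RE = re.compile(r'^(\S+)\s+\[([\d.]+)\]$')


def parse_tracert(text: str) -> List[Hop]:
    """Parse Windows tracert output; banner and blank lines are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts: List[Optional[int]] = []
        for tok in RTT_RE.findall(m.group(2)):
            # '<1 ms' is recorded as 1; '*' (no answer) as None
            rtts.append(None if tok == '*' else int(re.sub(r'\D', '', tok)))
        host = m.group(3).strip()
        name = ip = None
        if host and not host.startswith('Request timed out'):
            nm = NAMED_RE.match(host)
            if nm:
                name, ip = nm.group(1), nm.group(2)
            else:
                ip = host
        hops.append(Hop(int(m.group(1)), rtts, name, ip))
    return hops


def last_responding_hop(hops: List[Hop]) -> Optional[Hop]:
    """The furthest hop that answered at least one probe; the drop is after it."""
    answered = [h for h in hops if h.responded]
    return answered[-1] if answered else None


def shared_addresses(a: List[Hop], b: List[Hop]) -> Set[str]:
    """Router addresses that appear in both traces (evidence of a common path)."""
    return {h.ip for h in a if h.ip} & {h.ip for h in b if h.ip}


if __name__ == "__main__":
    mm, us = parse_tracert(MAILMARSHAL_TRACE), parse_tracert(USER_TRACE)
    for label, hops in (("mailmarshal", mm), ("user", us)):
        last = last_responding_hop(hops)
        print(f"{label}: last reply from hop {last.number} ({last.ip})")
    print("shared routers:", sorted(shared_addresses(mm, us)))
```

Both traces stop answering inside the 216.68.0.0 range, one hop from the target's edge, and share the same transit routers; that is the observation behind the advice to take the problem to the team on the remote side, although in this thread the real cause turned out to be an ACL on the local PIX.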
 
LVL 10

Expert Comment

by:ujitnos
ID: 34959647
As the path taken for mailmarshal and user are almost the same you will need to contact the remote team.

0
 
LVL 1

Author Comment

by:kurajesh
ID: 34959708
is it because the pix is not functioning properly? because whenever i try to log in to that pix (pix501) i get a message that the support for this product is discontinued or so.
i tried to give the internal ip of the pix to one user as gateway, but internet browsing was not working

so could there be any issue with the pix
0
 
LVL 10

Accepted Solution

by:
ujitnos earned 500 total points
ID: 34961538
Support for the product would mean the support from Cisco, i don't feel this is an issue.

Ok, can you configure a laptop/PC with a public ip and connect it to the router and check if you are able to get the page? Also paste the configuration of the pix.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34967226
here is the config for pix ,

GCSCI-FW> en
Password: ********
GCSCI-FW# shrun
Type help or '?' for a list of available commands.
GCSCI-FW# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hGRzxHaem9fvC41s encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname GCSCI-FW
domain-name gcsci.com
clock timezone GST 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 GCSCI-LAN
name 192.168.1.0 RSHD-NET
name 192.168.2.1 Oracle_Server
name 192.168.2.3 Exchange-MAIL
name 172.16.3.2 Mail-Marshal
object-group network VPN-NET
  network-object RSHD-NET 255.255.255.0
  network-object GCSCI-LAN 255.255.255.0
access-list inside_access_in permit
access-list inside_access_in permit ip GCSCI-LAN 255.255.255.0 object-group VPN-NET
access-list inside_access_in permit icmp GCSCI-LAN 255.255.255.0 any
access-list inside_access_in permit ip GCSCI-LAN 255.255.255.0 host 70.62.31.74
access-list nonat permit ip GCSCI-LAN 255.255.255.0 RSHD-NET 255.255.255.0
access-list nonat permit ip GCSCI-LAN 255.255.255.0 GCSCI-LAN 255.255.255.0
access-list outside_access_in permit tcp host Mail-Marshal host 172.16.3.11 eq smtp
access-list outside_access_in permit tcp any h
access-list outside_access_in permit tcp any host 172.16.3.11 eq 3389
access-list outside_access_in permit ip object-group VPN-NET GCSCI-LAN 255.255.255.0
access-list outside_access_in permit icmp any 172.16.3.0 255.255.255.0
access-list outside_access_in deny tcp any any
access-list GCSCI-VPN_splitTunnelAcl permit ip GCSCI-LAN 255.255.255.0 any
access-list outside_cryptomap_dyn_21 permit ip any GCSCI-LAN 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.16.3.10 255.255.255.24
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.2.100-192.168.2.150
pdm location Oracle_Server 255.255.255.255 inside
pdm location RSHD-NET 255.255.255.0 outside
pdm location Exchange-MAIL 255.255.255.255 inside
pdm location Mail-Marshal 255.255.255.255 outside
pdm group VPN-NET outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 GCSCI-LAN 255.255.255.0 0 0
static (inside,outside) 172.16.3.11 Exchange-MAIL netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.3.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http Oracle_Server 255.255.255.255 inside
http GCSCI-LAN 255.255.255.0 inside
http Exchange-MAIL 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set site2site-set esp-3des esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set site2site-set
crypto dynamic-map cisco 21 match address outside_cryptomap_dyn_21
crypto dynamic-map cisco 21 set transform-set site2site-set
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup GCSCI-VPN address-pool vpn-pool
vpngroup GCSCI-VPN dns-server 192.168.2.2
vpngroup GCSCI-VPN split-tunnel GCSCI-VPN_splitTunnelAcl
vpngroup GCSCI-VPN idle-time 1800
vpngroup GCSCI-VPN password ********
telnet GCSCI-LAN 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username gcsciadmin password U8FCQnEyO8cVgEMU encrypted privilege 15
terminal width 80
Cryptochecksum:b6ae5d945b64f2cf545d2dba0d199466
: end
GCSCI-FW#
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34967696
i will just connect my pc to the router with a public ip now and will update the output

meanwhile could you pls check the pix config which i posted
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34967884
do i need to remove the connection from the router to the pix in order to test from the laptop directly?
right now i have disconnected the cable which was connected to the mail marshal server and connected it to my laptop. but the other end of the router is still connected to the pix, do i remove that?
0
 
LVL 10

Assisted Solution

by:ujitnos
ujitnos earned 500 total points
ID: 34968530
as things are working fine via the mailmarshal you can disconnect the router to PIX connection and give the PIX ip to your laptop.

Was the link working via the mailmarshal connection?
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34994935
from the mailmarshal server i am able to access that application; it is from the local lan that i am not able to access it
0
 
LVL 10

Assisted Solution

by:ujitnos
ujitnos earned 500 total points
ID: 34995168
Did you try to access by giving the IP of the PIX to your laptop?
0
 
LVL 1

Author Closing Comment

by:kurajesh
ID: 35148327
hi,
in fact by adding the following line to the pix it worked
i added access-list inside_access_in permit tcp GCSCI-LAN 255.255.255.0 any eq https to the pix and it started working

anyhow thanks for all suggestions
0
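Why that one line fixed it: on a PIX, an access-list bound to an interface with access-group is evaluated top down, the first matching entry decides, and anything that matches no entry hits the implicit deny at the end. The posted inside_access_in only permitted traffic to the VPN networks, ICMP, and one host (70.62.31.74), so HTTPS to 216.68.200.28 from the LAN was dropped; the mailmarshal server sits on the outside of the PIX and never passes that ACL. The following is an added example written for this page, not the thread's own code or a Cisco tool: a small first-match evaluator loaded with the name, object-group and ACE lines copied from the config above (the truncated ACE is left out), with and without the closing comment's fix. The LAN host 192.168.2.50 and the ports tested are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Copied from the "name" and "object-group" lines of the posted PIX config.
NAMES = {"GCSCI-LAN": "192.168.2.0", "RSHD-NET": "192.168.1.0"}
OBJECT_GROUPS = {"VPN-NET": ["192.168.1.0/24", "192.168.2.0/24"]}
PORT_NAMES = {"https": 443, "www": 80, "smtp": 25, "ssh": 22}  # PIX keywords


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"
    src: List[IPv4Net]
    dst: List[IPv4Net]
    dport: Optional[int]   # set only for "eq <port>"
    text: str              # original line, for reporting which entry matched


def _parse_endpoint(t: List[str], i: int) -> Tuple[List[IPv4Net], int]:
    """Parse 'any' | 'host X' | 'NET MASK' | 'object-group G' at token i."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(NAMES.get(t[i + 1], t[i + 1]) + "/32")], i + 2
    if t[i] == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[t[i + 1]]], i + 2
    net = NAMES.get(t[i], t[i])
    return [ipaddress.ip_network(f"{net}/{t[i + 1]}")], i + 2  # dotted mask ok


def parse_ace(line: str) -> Ace:
    """access-list <name> <permit|deny> <proto> <src> <dst> [eq <port>]"""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_endpoint(t, 4)
    dst, i = _parse_endpoint(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport, line)


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation; no match means the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):        # "ip" entries match any protocol
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dst_port:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of access-list"


# The complete ACEs of inside_access_in as posted (the truncated one is omitted).
INSIDE_ACCESS_IN = [parse_ace(l) for l in """
access-list inside_access_in permit ip GCSCI-LAN 255.255.255.0 object-group VPN-NET
access-list inside_access_in permit icmp GCSCI-LAN 255.255.255.0 any
access-list inside_access_in permit ip GCSCI-LAN 255.255.255.0 host 70.62.31.74
""".splitlines() if l.strip()]

# The line from the closing comment that made the application reachable.
FIX_LINE = "access-list inside_access_in permit tcp GCSCI-LAN 255.255.255.0 any eq https"
FIXED_ACL = INSIDE_ACCESS_IN + [parse_ace(FIX_LINE)]

if __name__ == "__main__":
    lan_host = "192.168.2.50"  # constructed LAN client
    for label, acl in (("before fix", INSIDE_ACCESS_IN), ("after fix", FIXED_ACL)):
        for proto, port in (("tcp", 443), ("tcp", 3389), ("icmp", None)):
            verdict, rule = evaluate(acl, proto, lan_host, "216.68.200.28", port)
            print(f"{label:10} {proto}/{port}: {verdict:6} <- {rule}")
```

The evaluator also shows why this fix is the right shape: it opens only tcp/443 from the LAN to the outside, so RDP (3389) and everything else not already listed still fall through to the implicit deny.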
