Solved

Cisco Pix firewall

Posted on 2011-02-22
Last Modified: 2012-05-11
hi,

Even though I had posted one request pertaining to my issue with the connection, I am once again posting my query here, since I was not receiving any updates to that since yesterday. I am here once again asking for help.

I have a group office where the server room got shifted to another room within the same premises. Before shifting, all local users were able to access an application hosted outside. Users were accessing it through Internet Explorer (http://servername). After shifting the servers, users are not able to access the application now. They have a Cisco PIX firewall, Cisco router, Mail Marshal server and SonicWall devices.
After shifting, the scenario looks as follows:

1) one interface of the Cisco router is connected to the Cisco PIX and the other interface of the router is connected to the MailMarshal server
2) the second interface of the Cisco PIX is connected to the local switch
3) the x0 interface of the SonicWall is connected to the local switch and the x1, x2 interfaces are connected to ADSL routers.
All users have the SonicWall as their gateway.
How can we find out the issue?

Kindly help me

Question by:kurajesh

51 Comments
LVL 4

Expert Comment

by:Kendzast
ID: 34958983
What has changed after you moved your servers? Topology, IP address range, cabling? Post the config or debug output from your PIX.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34959773
Nothing has been changed, no changes in the config either.
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34959861
Can you ping the server, if ICMP is allowed on the firewall?
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34959931
I cannot ping that server; only from the MailMarshal server can the application be accessed,
not from the user side.
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34960109
You wrote "users are having gateway of sonicwall". Where are they connected? Are they remote users via VPN?
0
 
LVL 1

Expert Comment

by:hermidae
ID: 34960116
What does "...users are not able to access the application now..." mean? Do they get any specific error message?
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34960191
You described your scenario:

1) one interface of the Cisco router is connected to the Cisco PIX and the other interface of the router is connected to the MailMarshal server
2) the second interface of the Cisco PIX is connected to the local switch
3) the x0 interface of the SonicWall is connected to the local switch and the x1, x2 interfaces are connected to ADSL routers.
All users have the SonicWall as their gateway.

I want to know where your clients are located. Where are they connected? To the switch with the DSL lines?
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34967215

Users are part of the LAN and they are using VPN for accessing another application; also they browse through the ADSL line where the SonicWall is connected, so users have the SonicWall LAN IP as gateway. Now in the same network they have a Cisco PIX, Cisco router, MailMarshal server and Exchange server.
I will explain the Cisco network.

One interface of the Cisco PIX is connected to the LAN switch, the other interface is connected to the Cisco router. The 2nd interface of the router is connected to the MailMarshal server.
In case you need the PIX and router config I can provide it.
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34967770
So you have remote users who use VPN to connect to the local LAN? Are the VPNs terminated on the Sonicwall? Router or PIX config is useless without an IP plan :)
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34967821
Local users are accessing the ERP application via VPN through the SonicWall; the issue here is that the same local users are not able to access an application which is hosted on a server outside.
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34967893
Now I'm confused :) Who are local and who are remote users?
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34967984
Is this your network infrastructure?
net1.jpg
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34968048
Just a change in the diagram: local LAN users will come instead of remote VPN users in the diagram, and the 2nd interface of the router is connected to the MailMarshal server. The same local users are accessing the ERP application via VPN. Also they are accessing another SAP application from a server which is hosted outside. Users are accessing this SAP application by http://servername. Now the issue is that users are not able to access this SAP application, but when I try this from the MailMarshal server I can access that application.
I hope you got the scenario; please let me know in case you need further details.

0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34968503
Ok. So we are not interested in "local users" on my schema. Our local users are now the users who are connecting to this network with a VPN connection (on the picture "Remote VPN users", ok? :) We will call them VPN users.
Just two more things.
1) What is the VPN concentrator for VPN users (where is the VPN terminated)? Sonicwall or PIX?
2) Where is the SAP application hosted? Between PIX and Sonicwall? Somewhere on the internet?

When you answer my questions you can post the PIX config.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34968591
VPN is terminated in the SonicWall.
SAP is hosted outside the premises (in the US precisely) and the Cisco PIX is doing the NATting.

The Cisco PIX and router configs are as follows:

Cisco pix config
---------------

GCSCI-FW> en
Password: ********
GCSCI-FW# shrun
Type help or '?' for a list of available commands.
GCSCI-FW# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hGRzxHaem9fvC41s encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname GCSCI-FW
domain-name gcsci.com
clock timezone GST 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 GCSCI-LAN
name 192.168.1.0 RSHD-NET
name 192.168.2.1 Oracle_Server
name 192.168.2.3 Exchange-MAIL
name 172.16.3.2 Mail-Marshal
object-group network VPN-NET
  network-object RSHD-NET 255.255.255.0
  network-object GCSCI-LAN 255.255.255.0
access-list inside_access_in permit
access-list inside_access_in permit ip GCSCI-LAN 255.255.255.0 object-group VPN-NET
access-list inside_access_in permit icmp GCSCI-LAN 255.255.255.0 any
access-list inside_access_in permit ip GCSCI-LAN 255.255.255.0 host 70.62.31.74
access-list nonat permit ip GCSCI-LAN 255.255.255.0 RSHD-NET 255.255.255.0
access-list nonat permit ip GCSCI-LAN 255.255.255.0 GCSCI-LAN 255.255.255.0
access-list outside_access_in permit tcp host Mail-Marshal host 172.16.3.11 eq smtp
access-list outside_access_in permit tcp any h
access-list outside_access_in permit tcp any host 172.16.3.11 eq 3389
access-list outside_access_in permit ip object-group VPN-NET GCSCI-LAN 255.255.255.0
access-list outside_access_in permit icmp any 172.16.3.0 255.255.255.0
access-list outside_access_in deny tcp any any
access-list GCSCI-VPN_splitTunnelAcl permit ip GCSCI-LAN 255.255.255.0 any
access-list outside_cryptomap_dyn_21 permit ip any GCSCI-LAN 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.16.3.10 255.255.255.24
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.2.100-192.168.2.150
pdm location Oracle_Server 255.255.255.255 inside
pdm location RSHD-NET 255.255.255.0 outside
pdm location Exchange-MAIL 255.255.255.255 inside
pdm location Mail-Marshal 255.255.255.255 outside
pdm group VPN-NET outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 GCSCI-LAN 255.255.255.0 0 0
static (inside,outside) 172.16.3.11 Exchange-MAIL netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.3.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http Oracle_Server 255.255.255.255 inside
http GCSCI-LAN 255.255.255.0 inside
http Exchange-MAIL 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set site2site-set esp-3des esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set site2site-set
crypto dynamic-map cisco 21 match address outside_cryptomap_dyn_21
crypto dynamic-map cisco 21 set transform-set site2site-set
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup GCSCI-VPN address-pool vpn-pool
vpngroup GCSCI-VPN dns-server 192.168.2.2
vpngroup GCSCI-VPN split-tunnel GCSCI-VPN_splitTunnelAcl
vpngroup GCSCI-VPN idle-time 1800
vpngroup GCSCI-VPN password ********
telnet GCSCI-LAN 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username gcsciadmin password U8FCQnEyO8cVgEMU encrypted privilege 15
terminal width 80
Cryptochecksum:b6ae5d945b64f2cf545d2dba0d199466
: end
GCSCI-FW#

 

 

 

 

Cisco router config
---------------------------

User Access Verification

Password:
GCSCI_GW>en
Password:
Password:
GCSCI_GW#clear
% Type "clear ?" for a list of subcommands
GCSCI_GW#sh run
Building configuration...

Current configuration : 1619 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GCSCI_GW
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PN0m$t1TAWM71TUSnAG.7gRMzP/
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 172.16.3.9 255.255.255.248
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 172.16.3.1 255.255.255.248
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0/0
 description Connection Internet via 128kbps LD:314326127
 ip address 83.111.224.86 255.255.255.252
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 83.111.224.85
!
ip http server
ip nat inside source static 172.16.3.10 83.111.70.66
ip nat inside source static 172.16.3.2 83.111.70.67
ip nat inside source static 172.16.3.11 83.111.70.68
!
access-list 101 permit ip any host 83.111.70.66
access-list 101 permit tcp any host 83.111.70.68 eq 443
access-list 101 permit tcp any host 83.111.70.68 eq 3389
access-list 101 permit tcp any host 83.111.70.67 eq 3389
access-list 101 permit tcp any host 83.111.70.67 eq smtp
access-list 101 permit icmp any any
access-list 110 remark SDM_ACL Category=16
access-list 110 permit ip 172.16.3.8 0.0.0.7 any
!
control-plane
!
!
line con 0
 password 7 070C705F4D59485744
 logging synchronous
 login
line aux 0
line vty 0 4
 password 7 104D580A064743595F
 login
!
end

 

0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34969110
There must be something wrong in the schema. It doesn't match your config. Are the outside and inside interfaces on the PIX switched? I still don't understand where the SAP server is located :)
Example:
You said the SAP server is located somewhere in the US. I make a VPN connection to your network and when trying to reach the SAP server I have to go back to the internet with the same line I used for the VPN. I don't go through the PIX because the SAP server is not behind it. The result is that it will look like my source public IP address is that of the Sonicwall, nothing else. And I think this is not our goal. Are you sure there is no other internet connectivity behind the PIX?
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34969189
They have got ADSL lines and leased lines; the ADSL lines are terminated in the SonicWall and the leased line in the Cisco router. Any request through the PIX has to pass through the Cisco router.
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34969391
Ok so VPN clients have IP address 192.168.2.0/24 (or 192.168.1.0/24). What's the destination IP of the SAP server?
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34970985
The destination IP is 216.68.200.28

I am extremely sorry to drag this out, as it was a bit confusing for me as well to diagnose.

Kindly assist
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34972641
At first check this in the PIX config. Maybe you copied it wrongly from the PIX :) You posted:
ip address outside 172.16.3.10 255.255.255.24
The mask should be 255.255.255.248

Omg man. Please don't tell me that you have made these configurations :) It looks like the configuration of 20 network admins where each of them wrote 1-2 lines without knowing what the next one was going to configure :)))))) I'm sorry for my words. It's really hard to decrypt the config. I will focus on your example and try to write what's going on.
If I misunderstood something please let me know. Ok let's go.

VPN users come out from the Sonicwall with IP address 192.168.2.0/24 (GCSCI-LAN). They belong to network object VPN-NET.
Now they are facing the PIX inside interface (IP 192.168.2.254/24).

Let's take a look at NAT control. You have defined NAT 0 (bypass NAT) based on ACL "nonat".
nat (inside) 0 access-list nonat

Tell me, what's the purpose of this ACL?
access-list nonat permit ip GCSCI-LAN 255.255.255.0 RSHD-NET 255.255.255.0
access-list nonat permit ip GCSCI-LAN 255.255.255.0 GCSCI-LAN 255.255.255.0

This ACL will never match. I don't know where network 192.168.1.0/24 (RSHD-NET) is located, but you defined it in network object VPN-NET, where "our" VPN user belongs :)

Next one is NAT 10:

global (outside) 10 interface
nat (inside) 10 GCSCI-LAN 255.255.255.0 0 0

This will NAT VPN users (GCSCI-LAN) to the PIX outside interface. So they will come out from the PIX with IP address 172.16.3.10 255.255.255.240

ACL inside_access_in will pass traffic through the PIX. That's ok.

route outside 0.0.0.0 0.0.0.0 172.16.3.9
The PIX forwards all traffic to the router's FastEthernet0/0 - That's ok.

Now we are on the router.

Serial0/0/0 is connected to the internet. This is the way to the SAP server. Also you use this interface for access to your local servers from outside (internet connected to Serial0/0/0)
ip nat inside source static 172.16.3.10 83.111.70.66
ip nat inside source static 172.16.3.2 83.111.70.67
ip nat inside source static 172.16.3.11 83.111.70.68

Here is the problem. I think the serial interface connected to the internet is (currently) only used for inbound connections to these servers
172.16.3.10
172.16.3.2
172.16.3.11
Try to browse the internet from any of these servers.

Next try to ping 83.111.224.85 from the ROUTER! If it fails the problem is with the internet connection. This IP should be the default gateway to the internet for the serial interface.

access-list 101 permit ip any host 83.111.70.66
access-list 101 permit tcp any host 83.111.70.68 eq 443
access-list 101 permit tcp any host 83.111.70.68 eq 3389
access-list 101 permit tcp any host 83.111.70.67 eq 3389
access-list 101 permit tcp any host 83.111.70.67 eq smtp
access-list 101 permit icmp any any
This ACL is nowhere used. I think it was applied on the serial interface to permit only specific ports on the servers which can be accessed from outside via static NAT (172.16.3.10, 172.16.3.2, 172.16.3.11).

And here is ACL 110
access-list 110 permit ip 172.16.3.8 0.0.0.7 any
Someone has removed it from the Serial0/0/0 interface. Add this line to your config.

ip nat inside source list 110 interface Serial0/0/0 overload

I hope it works ;)

Don't forget to reconfigure your PIX and router. It has many security holes and a lot of illogical commands.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34990306
Thanks for your detailed explanation. As I had mentioned, this organisation is our group company where we don't have direct access, hence whatever I am trying to troubleshoot with your support is through the remote desktop connection to their site. I am going to add the line which you mentioned,
"ip nat inside source list 110 interface Serial0/0/0 overload", in the router. Is there anything to do with the PIX after adding this to the router?

0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34990462
No.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34990591
I have added "ip nat inside source list 110 interface Serial0/0/0 overload", restarted the PIX and router, tested from one host, still not working. I then gave tracert 216.68.200.28 from the router and the output is as follows:



GCSCI_GW#traceroute 216.68.200.28

Type escape sequence to abort.
Tracing the route to 216.68.200.28

  1 83.111.224.85 16 msec 16 msec 20 msec
  2 213.42.9.226 16 msec 16 msec 20 msec
  3 194.170.0.138 16 msec 20 msec 20 msec
  4 195.229.1.101 96 msec
    195.229.1.181 88 msec
    195.229.2.241 24 msec
  5 195.229.1.173 20 msec 24 msec
    195.229.1.166 20 msec
  6 195.229.0.194 228 msec 228 msec 228 msec
  7 198.32.160.137 228 msec 228 msec 232 msec
  8 66.216.1.161 232 msec 240 msec 236 msec
  9 66.216.1.206 248 msec 252 msec 244 msec
 10 66.216.1.102 452 msec 256 msec 252 msec
 11 66.216.1.110 252 msec 260 msec 248 msec
 12 64.127.129.46 260 msec 264 msec 264 msec
 13 216.68.7.208 268 msec 268 msec 268 msec
 14 216.68.6.54 264 msec 260 msec 264 msec
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  *  *
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34990624
The tracert from the host side is as follows:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\chari>tracert 216.68.200.28

Tracing route to kao [216.68.200.28]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  172.16.3.9
  2    17 ms    17 ms    17 ms  83.111.224.85
  3    17 ms    17 ms    17 ms  213.42.9.242
  4    18 ms    17 ms    18 ms  194.170.0.138
  5    20 ms    22 ms    20 ms  195.229.1.181
  6    23 ms    23 ms    23 ms  195.229.1.173
  7   229 ms   236 ms   227 ms  nyc-r1-atm64-0-0-0.emix.net.ae [195.229.0.82]
  8   231 ms   224 ms   232 ms  c00.ny2.g6-0.wvfiber.net [198.32.160.137]
  9   240 ms   234 ms   240 ms  ash-ten3-3-nyc-ten1-1.bboi.net [66.216.1.161]
 10   252 ms   246 ms   253 ms  pit-ten2-1-ash-ten7-2.bboi.net [66.216.1.206]
 11   251 ms   259 ms   253 ms  col-ten2-2-pit-ten2-2.bboi.net [66.216.1.102]
 12   258 ms   262 ms   279 ms  ind-ten1-1-col-ten3-3.bboi.net [66.216.1.110]
 13   263 ms   269 ms   271 ms  64.127.129.46
 14   260 ms   262 ms   276 ms  216.68.7.208
 15   264 ms   264 ms   258 ms  edge5-g1-1.dist.fuse.net [216.68.6.54]
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18


0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34990626
Try to make an http request from a VPN user to the SAP server. Maybe ICMP is not allowed to the remote site.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34990635
I did that from the host; it comes up as "internet page cannot display the page".
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34990645
Something blocks this traffic, but not your router or PIX. Is it allowed on the remote site?
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34991015
But I am able to access it through the Mail Marshal server 172.16.3.2, and the gateway for this server is 172.16.3.1

0
 
LVL 1

Author Comment

by:kurajesh
ID: 34991017
Which means requests from users on the LAN are not passing through.
0
 
LVL 1

Expert Comment

by:hermidae
ID: 34991165
Sorry, some silly questions:

Are you able to browse any other website from the hosts? If so, are they using the same ADSL connections?

You have two different ADSL lines to connect to the Internet (and so, to the remote site). Could it be possible that one of them isn't allowed in the remote site? Could you try with a computer connected to each of those ADSL lines in order to check if both are working?

0
 
LVL 1

Author Comment

by:kurajesh
ID: 34991176
Users are able to browse the net. The LAN network is 192.168.2.0, the gateway for users is 192.168.2.251, Cisco PIX LAN IP 192.168.2.254 (connected to switch), WAN IP 172.16.3.10 connected to the router (172.16.3.9), other interface of the router to the Mail Marshal server (3.2)

0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34991612
It is ok. VPN users go out through the serial interface. You can see it in the traceroute output. Is your SAP running?
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34993877
SAP is running, as I mentioned that we are able to access SAP through the MailMarshal server.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34993885
Do we need to check the SonicWall config also? In case you need it, please let me know.
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34994692
It looks like you have no route back. Add this line to router.

(config)#ip route 192.168.2.0 255.255.255.0 172.16.3.10

This should forward return traffic from VPN users back to PIX.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34994717
I have given this to the router; do we need to restart the router, PIX and SonicWall?
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34994803
no
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34994830
Tried https://servername from the host but it comes as "page cannot be displayed".
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34994849
try https://{ip address}
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34994853
Even that too I tried. I then pinged the servername; it returns that IP address correctly but maybe the ping request is blocked at their end, as it was giving "request timed out". Hence name lookup is also working.

So what could be the next try?
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34995072
Sorry, this line is wrong:
(config)#ip route 192.168.2.0 255.255.255.0 172.16.3.10
Remove it:
(config)#no ip route 192.168.2.0 255.255.255.0 172.16.3.10

Go to the PIX and enable logging:
logging on
logging buffered warning

then make an https request to SAP.

Go back to the PIX and run show logging.
What's the output?

0
 
LVL 1

Author Comment

by:kurajesh
ID: 34995607
I removed the route entry and added the following to the PIX:
logging on
logging buffered warning


Do I need to restart the PIX after adding those?
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34995624
The output is as follows:



User Access Verification

Username: gcsciadmin
Password: ********
Type help or '?' for a list of available commands.
GCSCI-FW> en
Password: ********
Invalid password
Password: ********
GCSCI-FW# shor logging
Type help or '?' for a list of available commands.
GCSCI-FW# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level warnings, 9 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
106023: Deny tcp src outside:14.96.221.188/2643 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src outside:14.96.221.188/2643 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src outside:193.224.246.95/1118 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src outside:193.224.246.95/1118 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src outside:220.143.156.188/1366 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src outside:220.143.156.188/1366 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src inside:192.168.2.241/2070 dst outside:216.68.200.28/443 by access-group "inside_access_in"
106023: Deny tcp src inside:192.168.2.241/2070 dst outside:216.68.200.28/443 by access-group "inside_access_in"
106023: Deny tcp src inside:192.168.2.241/2070 dst outside:216.68.200.28/443 by access-group "inside_access_in"
GCSCI-FW#

i did try https://servername from host 192.168.2.241

0
 
LVL 1

Author Comment

by:kurajesh
ID: 34995955

Any clue from the PIX log?
0
 
LVL 4

Accepted Solution

by:
Kendzast earned 500 total points
ID: 34996115
Yes, here is the "error" :) I don't know how I couldn't have noticed this!

This is why you could tracert to the destination:

access-list inside_access_in permit icmp GCSCI-LAN 255.255.255.0 any

If you need just to allow https connections from VPN hosts to SAP, add this line:

access-list inside_access_in permit tcp GCSCI-LAN 255.255.255.0 any eq https

Let me know.
0
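As an added illustration (not code from the thread, from Cisco, or from the PIX itself), the Python below models the first-match evaluation behind Kendzast's NAT/ACL walk-through and the accepted answer: the inside_access_in entries from the posted PIX config (why ICMP traceroute passed while TCP/443 to 216.68.200.28 hit the implicit deny, and what the added https line changes), a parser for the 106023 deny messages in the posted show logging (the sample reproduces the terminal's 80-column wrap), and the IOS wildcard-mask test behind the router's access-list 110 used for NAT overload. Function names such as evaluate, parse_denies and ios_wildcard_match are my own; the log sample is constructed from the thread's output.

```python
"""First-match model of the PIX inside_access_in ACL, a parser for the
%PIX 106023 deny messages, and an IOS wildcard-mask check.
Added illustration; the rules below are copied from the config in the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> list[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


# object-group network VPN-NET from the posted config (RSHD-NET + GCSCI-LAN)
VPN_NET = nets("192.168.1.0/24", "192.168.2.0/24")
GCSCI_LAN = nets("192.168.2.0/24")
ANY = nets("0.0.0.0/0")


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: list[Net]
    dst: list[Net]
    dport: Optional[int] = None  # only checked for tcp/udp entries


# inside_access_in as posted (the truncated first line is left out)
INSIDE_ACCESS_IN = [
    Ace("permit", "ip", GCSCI_LAN, VPN_NET),
    Ace("permit", "icmp", GCSCI_LAN, ANY),
    Ace("permit", "ip", GCSCI_LAN, nets("70.62.31.74/32")),
]
# the line the accepted answer adds: permit tcp GCSCI-LAN 255.255.255.0 any eq https
HTTPS_FIX = Ace("permit", "tcp", GCSCI_LAN, ANY, 443)


def evaluate(acl: list[Ace], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching entry; implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not any(s in n for n in ace.src):
            continue
        if not any(d in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Constructed sample: three messages taken from the posted 'show logging',
# kept in the form the 80-column terminal wrapped them (note that the
# trailing space after "by" on the second message was lost in the wrap).
SAMPLE_LOG = """\
106023: Deny tcp src outside:14.96.221.188/2643 dst inside:172.16.3.11/445 by ac
cess-group "outside_access_in"
106023: Deny tcp src inside:192.168.2.241/2070 dst outside:216.68.200.28/443 by
access-group "inside_access_in"
106023: Deny tcp src inside:192.168.2.241/2070 dst outside:216.68.200.28/443 by
access-group "inside_access_in"
"""

LOG_RE = re.compile(
    r'106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by\s?access-group "(?P<acl>[^"]+)"'
)


def parse_denies(text: str) -> list[dict]:
    """Rejoin terminal-wrapped lines, then extract the fields of each 106023 message."""
    records: list[str] = []
    for line in text.splitlines():
        if line.startswith("106023:"):
            records.append(line)
        elif records:
            records[-1] += line  # continuation of a wrapped message
    return [m.groupdict() for m in (LOG_RE.match(r) for r in records) if m]


def denied_outbound(text: str) -> set[tuple[str, str, int]]:
    """(src, dst, dport) of flows dropped by the ACL on the inside interface."""
    return {(r["src"], r["dst"], int(r["dport"]))
            for r in parse_denies(text) if r["src_if"] == "inside"}


def ios_wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """IOS ACL wildcard test, e.g. 'permit ip 172.16.3.8 0.0.0.7 any' (list 110)."""
    i = int(ipaddress.ip_address(ip))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (i & ~w) == (b & ~w)


if __name__ == "__main__":
    host, sap = "192.168.2.241", "216.68.200.28"
    print("icmp:", evaluate(INSIDE_ACCESS_IN, host, sap, "icmp"))
    print("tcp/443:", evaluate(INSIDE_ACCESS_IN, host, sap, "tcp", 443))
    print("tcp/443 after fix:", evaluate(INSIDE_ACCESS_IN + [HTTPS_FIX], host, sap, "tcp", 443))
    print("denied outbound flows:", denied_outbound(SAMPLE_LOG))
    print("PIX outside 172.16.3.10 matches ACL 110:", ios_wildcard_match("172.16.3.10", "172.16.3.8", "0.0.0.7"))
```

The model reproduces the thread's result: the icmp entry lets traceroute through, TCP/443 to the SAP address falls off the end of the list into the implicit deny that the 106023 messages report, and the added entry permits only https, not other ports.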
 
LVL 1

Author Comment

by:kurajesh
ID: 34998577
I have added access-list inside_access_in permit tcp GCSCI-LAN 255.255.255.0 any eq https to the PIX; do I need to restart the PIX?


0
 
LVL 4

Expert Comment

by:Kendzast
ID: 34998698
No. You need to restart Cisco devices only in specific cases.
0
 
LVL 1

Author Comment

by:kurajesh
ID: 34999098
I couldn't check the session as users left for the day. I will definitely check it tomorrow morning and will update you. Thanks
0
 
LVL 1

Author Comment

by:kurajesh
ID: 35004196
Dear Kendzast,

Congrats, and you actually saved us. It was a great effort and the result was amazing. Even though I am still not clear on the reason why it was not allowing https requests, I request you to provide the reason.
Anyhow it was a great effort from your end and thanks a ton again.

cheers
0
 
LVL 1

Author Closing Comment

by:kurajesh
ID: 35004210
It was a perfect solution and worked well, thanks a lot Kendzast
0
 
LVL 4

Expert Comment

by:Kendzast
ID: 35004427
Someone must have changed your config :) I liked helping you.
0
