kurajesh
asked on
Cisco Pix firewall
Hi,
Even though I had already posted one request pertaining to my connection issue, I am once again posting my query here, since I was not receiving any updates to that one since yesterday. So I am here once again asking for help.
I have a group office where the server room got shifted to another room within the same premises. Before shifting, all local users were able to access an application hosted outside. Users were accessing it through Internet Explorer (http://servername). After shifting the servers, users are not able to access the application now. They have a Cisco PIX firewall, a Cisco router, a Mail Marshal server and SonicWall devices.
After shifting, the scenario looks as follows:
1) One interface of the Cisco router is connected to the Cisco PIX and the other interface of the router is connected to the MailMarshal server.
2) The second interface of the Cisco PIX is connected to the local switch.
3) The X0 interface of the SonicWall is connected to the local switch and the X1, X2 interfaces are connected to ADSL routers.
All users have the SonicWall as their gateway.
How can we find out the issue?
Kindly help me.
What has changed after you moved your servers? Topology, IP address range, cabling? Post config or debug from your PIX.
ASKER
Nothing has been changed, no changes in the config either.
Can you ping the server, if ICMP is allowed on the firewall?
ASKER
I cannot ping that server. Only from the Mail Marshal server can the application be accessed,
not from the user side.
You wrote "users are having gateway of sonicwall". Where are they connected? Are they remote users via VPN?
What does "...users are not able to access the application now..." mean? Do they get any specific error message?
You described your scenario:
1) One interface of the Cisco router is connected to the Cisco PIX and the other interface of the router is connected to the MailMarshal server.
2) The second interface of the Cisco PIX is connected to the local switch.
3) The X0 interface of the SonicWall is connected to the local switch and the X1, X2 interfaces are connected to ADSL routers.
All users have the SonicWall as their gateway.
I want to know where your clients are located. Where are they connected? To the switch with the DSL lines?
ASKER
Users are part of the LAN and they are using VPN for accessing another application; they also browse through the ADSL line where the SonicWall is connected, so users have the SonicWall LAN IP as their gateway. Now, in the same network they have the Cisco PIX, Cisco router, MailMarshal server and Exchange server.
I will explain the Cisco network.
One interface of the Cisco PIX is connected to the LAN switch, the other interface is connected to the Cisco router. The 2nd interface of the router is connected to the MailMarshal server.
In case you need the PIX and router config, I can provide it.
So you have remote users who use VPN to connect to the local LAN? VPNs are terminated on the SonicWall? Router or PIX config is useless without an IP plan :)
ASKER
Local users are accessing the ERP application via VPN through the SonicWall. The issue here is that the same local users are not able to access an application which is hosted on a server outside.
Now I'm confused :) Who are the local and who are the remote users?
Is this your network infrastructure?
(attached diagram: net1.jpg)
ASKER
Just a change in the diagram: local LAN users will come instead of the remote VPN users in the diagram, and the 2nd interface of the router is connected to the MailMarshal server. The same local users are accessing the ERP application via VPN. They are also accessing another SAP application from a server which is hosted outside. Users are accessing this SAP application by http://servername. Now the issue is that users are not able to access this SAP application, but when I try this from the Mail Marshal server I can access that application.
I hope you got the scenario; please let me know in case you need further details.
Ok. So we are not interested in the "local users" on my schema. Our local users are now the users who connect to this network with a VPN connection (on the picture "Remote VPN users", ok? :) We will call them VPN users.
Just two more things.
1) What is the VPN concentrator for the VPN users (where is the VPN terminated)? SonicWall or PIX?
2) Where is the SAP application hosted? Between the PIX and the SonicWall? Somewhere on the internet?
When you answer my questions you can post the PIX config.
ASKER
The VPN is terminated in the SonicWall.
SAP is hosted outside the premises (in the US, precisely) and the Cisco PIX is doing the NATting.
The Cisco PIX and router configs are as follows:
Cisco PIX config
---------------
GCSCI-FW> en
Password: ********
GCSCI-FW# shrun
Type help or '?' for a list of available commands.
GCSCI-FW# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hGRzxHaem9fvC41s encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname GCSCI-FW
domain-name gcsci.com
clock timezone GST 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 GCSCI-LAN
name 192.168.1.0 RSHD-NET
name 192.168.2.1 Oracle_Server
name 192.168.2.3 Exchange-MAIL
name 172.16.3.2 Mail-Marshal
object-group network VPN-NET
network-object RSHD-NET 255.255.255.0
network-object GCSCI-LAN 255.255.255.0
access-list inside_access_in permit
access-list inside_access_in permit ip GCSCI-LAN 255.255.255.0 object-group VPN-NET
access-list inside_access_in permit icmp GCSCI-LAN 255.255.255.0 any
access-list inside_access_in permit ip GCSCI-LAN 255.255.255.0 host 70.62.31.74
access-list nonat permit ip GCSCI-LAN 255.255.255.0 RSHD-NET 255.255.255.0
access-list nonat permit ip GCSCI-LAN 255.255.255.0 GCSCI-LAN 255.255.255.0
access-list outside_access_in permit tcp host Mail-Marshal host 172.16.3.11 eq smtp
access-list outside_access_in permit tcp any h
access-list outside_access_in permit tcp any host 172.16.3.11 eq 3389
access-list outside_access_in permit ip object-group VPN-NET GCSCI-LAN 255.255.255.0
access-list outside_access_in permit icmp any 172.16.3.0 255.255.255.0
access-list outside_access_in deny tcp any any
access-list GCSCI-VPN_splitTunnelAcl permit ip GCSCI-LAN 255.255.255.0 any
access-list outside_cryptomap_dyn_21 permit ip any GCSCI-LAN 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.16.3.10 255.255.255.24
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.2.100-192.168.2.150
pdm location Oracle_Server 255.255.255.255 inside
pdm location RSHD-NET 255.255.255.0 outside
pdm location Exchange-MAIL 255.255.255.255 inside
pdm location Mail-Marshal 255.255.255.255 outside
pdm group VPN-NET outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 GCSCI-LAN 255.255.255.0 0 0
static (inside,outside) 172.16.3.11 Exchange-MAIL netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.3.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http Oracle_Server 255.255.255.255 inside
http GCSCI-LAN 255.255.255.0 inside
http Exchange-MAIL 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set site2site-set esp-3des esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set site2site-set
crypto dynamic-map cisco 21 match address outside_cryptomap_dyn_21
crypto dynamic-map cisco 21 set transform-set site2site-set
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup GCSCI-VPN address-pool vpn-pool
vpngroup GCSCI-VPN dns-server 192.168.2.2
vpngroup GCSCI-VPN split-tunnel GCSCI-VPN_splitTunnelAcl
vpngroup GCSCI-VPN idle-time 1800
vpngroup GCSCI-VPN password ********
telnet GCSCI-LAN 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username gcsciadmin password U8FCQnEyO8cVgEMU encrypted privilege 15
terminal width 80
Cryptochecksum:b6ae5d945b64f2cf545d2dba0d199466
: end
GCSCI-FW#
Cisco router config
--------------------------
User Access Verification
Password:
GCSCI_GW>en
Password:
Password:
GCSCI_GW#clear
% Type "clear ?" for a list of subcommands
GCSCI_GW#sh run
Building configuration...
Current configuration : 1619 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GCSCI_GW
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PN0m$t1TAWM71TUSnAG.7gRMzP/
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 172.16.3.9 255.255.255.248
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-LAN$
ip address 172.16.3.1 255.255.255.248
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
description Connection Internet via 128kbps LD:314326127
ip address 83.111.224.86 255.255.255.252
ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 83.111.224.85
!
ip http server
ip nat inside source static 172.16.3.10 83.111.70.66
ip nat inside source static 172.16.3.2 83.111.70.67
ip nat inside source static 172.16.3.11 83.111.70.68
!
access-list 101 permit ip any host 83.111.70.66
access-list 101 permit tcp any host 83.111.70.68 eq 443
access-list 101 permit tcp any host 83.111.70.68 eq 3389
access-list 101 permit tcp any host 83.111.70.67 eq 3389
access-list 101 permit tcp any host 83.111.70.67 eq smtp
access-list 101 permit icmp any any
access-list 110 remark SDM_ACL Category=16
access-list 110 permit ip 172.16.3.8 0.0.0.7 any
!
control-plane
!
!
line con 0
password 7 070C705F4D59485744
logging synchronous
login
line aux 0
line vty 0 4
password 7 104D580A064743595F
login
!
end
There must be something wrong in the schema. It doesn't match your config. Are the outside and inside interfaces on the PIX switched? I still don't understand where the SAP server is located :)
Example:
You said the SAP server is located somewhere in the US. I make a VPN connection to your network and when trying to reach the SAP server I have to go back out to the internet on the same line I used for the VPN. I don't go through the PIX because the SAP server is not behind it. The result is that it will look like my source public IP address is the one on the SonicWall, nothing else. And I think this is not our goal. Are you sure there is no other internet connectivity behind the PIX?
ASKER
They have got ADSL lines and leased lines; the ADSL lines are terminated in the SonicWall and the leased line in the Cisco router. Any request through the PIX has to pass through the Cisco router.
Ok, so VPN clients have IP addresses in 192.168.2.0/24 (or 192.168.1.0/24). What's the destination IP of the SAP server?
ASKER
The destination IP is 216.68.200.28.
I am extremely sorry to drag this out, as it was a bit confusing for me as well to diagnose.
Kindly assist.
At first check this in the PIX config. Maybe you copied it wrong from the PIX :) You posted:
ip address outside 172.16.3.10 255.255.255.24
The mask should be 255.255.255.248
Omg man. Please don't tell me that you have made these configurations :) It looks like the configuration of 20 network admins where each of them wrote 1-2 lines without knowing what the next one was going to configure :)))))) I'm sorry for my words. It's really hard to decrypt the config. I will focus on your example and try to write down what's going on.
If I misunderstood something, please let me know. Ok, let's go.
VPN users come out from the SonicWall with IP addresses in 192.168.2.0/24 (GCSCI-LAN). They belong to network object VPN-NET.
Now they are facing the PIX inside interface (IP 192.168.2.254/24).
Let's take a look at NAT control. You have defined NAT 0 (bypass NAT) based on ACL "nonat":
nat (inside) 0 access-list nonat
Tell me, what's the purpose of this ACL?
access-list nonat permit ip GCSCI-LAN 255.255.255.0 RSHD-NET 255.255.255.0
access-list nonat permit ip GCSCI-LAN 255.255.255.0 GCSCI-LAN 255.255.255.0
This ACL will never match. I don't know where network 192.168.1.0/24 (RSHD-NET) is located, but you defined it in network object VPN-NET, where "our" VPN users belong :)
Next one is NAT 10:
global (outside) 10 interface
nat (inside) 10 GCSCI-LAN 255.255.255.0 0 0
This will NAT the VPN users (GCSCI-LAN) to the PIX outside interface. So they will come out from the PIX with IP address 172.16.3.10 255.255.255.240.
ACL inside_access_in will pass the traffic through the PIX. That's ok.
route outside 0.0.0.0 0.0.0.0 172.16.3.9
The PIX forwards all traffic to the router's FastEthernet0/0 - That's ok.
Now we are on the router.
Serial0/0/0 is connected to the internet. This is the way to the SAP server. You also use this interface for access to your local servers from outside (internet connected to Serial0/0/0).
ip nat inside source static 172.16.3.10 83.111.70.66
ip nat inside source static 172.16.3.2 83.111.70.67
ip nat inside source static 172.16.3.11 83.111.70.68
Here is the problem. I think the serial interface connected to the internet is (currently) only used for inbound connections to these servers:
172.16.3.10
172.16.3.2
172.16.3.11
Try to browse the internet from any of these servers.
Next, try to ping 83.111.224.85 from the ROUTER! If it fails, the problem is with the internet connection. This IP should be the default gateway to the internet for the serial interface.
access-list 101 permit ip any host 83.111.70.66
access-list 101 permit tcp any host 83.111.70.68 eq 443
access-list 101 permit tcp any host 83.111.70.68 eq 3389
access-list 101 permit tcp any host 83.111.70.67 eq 3389
access-list 101 permit tcp any host 83.111.70.67 eq smtp
access-list 101 permit icmp any any
This ACL is used nowhere. I think it was applied on the serial interface to permit only specific ports on the servers which can be accessed from outside via static NAT (172.16.3.10, 172.16.3.2, 172.16.3.11).
And here is ACL 110:
access-list 110 permit ip 172.16.3.8 0.0.0.7 any
Someone has removed it from the Serial0/0/0 interface. Add this line to your config:
ip nat inside source list 110 interface Serial0/0/0 overload
I hope it works ;)
Don't forget to reconfigure your PIX and router. They have many security holes and a lot of illogical commands.
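An added example, not from anyone in this thread, that automates the two checks made in the answer above against a constructed excerpt of the posted router config: which numbered access-lists are defined but never bound to anything, and which "ip nat inside source" rule (if any) would translate a given inside source address, before and after the proposed "list 110 ... overload" line is added. The config excerpt is trimmed from the page; the hosts 172.16.3.12 and 172.16.3.3 are constructed test addresses.

```python
import ipaddress
import re

# Constructed excerpt of the router config posted in this thread, trimmed
# to the interface, NAT and access-list lines that the analysis depends on.
ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.3.9 255.255.255.248
 ip nat inside
interface FastEthernet0/1
 ip address 172.16.3.1 255.255.255.248
 ip nat inside
interface Serial0/0/0
 ip address 83.111.224.86 255.255.255.252
 ip nat outside
ip route 0.0.0.0 0.0.0.0 83.111.224.85
ip nat inside source static 172.16.3.10 83.111.70.66
ip nat inside source static 172.16.3.2 83.111.70.67
ip nat inside source static 172.16.3.11 83.111.70.68
access-list 101 permit ip any host 83.111.70.66
access-list 101 permit tcp any host 83.111.70.68 eq 443
access-list 101 permit icmp any any
access-list 110 remark SDM_ACL Category=16
access-list 110 permit ip 172.16.3.8 0.0.0.7 any
"""

# The one line the answer proposes adding to the router.
OVERLOAD_LINE = "ip nat inside source list 110 interface Serial0/0/0 overload\n"


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard (inverted) masks; 0.0.0.7 means a /29."""
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_acl_sources(config):
    """Map each numbered ACL to the source networks its permit entries match.

    Only the source field matters for 'ip nat inside source list', so the
    protocol, destination and port qualifiers are ignored here.
    """
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|remark) ?(.*)", line)
        if not m:
            continue
        num, action, rest = m.groups()
        sources = acls.setdefault(num, [])
        if action == "remark":
            continue
        tokens = rest.split()[1:]          # drop the protocol token
        if tokens[0] == "any":
            sources.append(ipaddress.ip_network("0.0.0.0/0"))
        elif tokens[0] == "host":
            sources.append(ipaddress.ip_network(f"{tokens[1]}/32"))
        else:
            sources.append(wildcard_to_network(tokens[0], tokens[1]))
    return acls


def unreferenced_acls(config):
    """ACL numbers that are defined but never bound to an interface or NAT rule."""
    defined = set(parse_acl_sources(config))
    referenced = set()
    for line in config.splitlines():
        if line.lstrip().startswith("access-list "):
            continue
        # Matches 'ip access-group 101 in' and 'ip nat inside source list 110 ...'.
        m = re.search(r"\b(?:access-group|list) (\d+)\b", line)
        if m:
            referenced.add(m.group(1))
    return sorted(defined - referenced, key=int)


def nat_for_source(config, src_ip):
    """Describe the 'ip nat inside source' rule that translates src_ip, or None.

    Static translations are consulted first, then dynamic list-based rules,
    which is the order IOS NAT itself applies them.
    """
    src = ipaddress.ip_address(src_ip)
    for local, global_ip in re.findall(
            r"^ip nat inside source static (\S+) (\S+)", config, re.M):
        if ipaddress.ip_address(local) == src:
            return f"static -> {global_ip}"
    acls = parse_acl_sources(config)
    for num, iface in re.findall(
            r"^ip nat inside source list (\d+) interface (\S+)", config, re.M):
        if any(src in net for net in acls.get(num, [])):
            return f"dynamic list {num} -> interface {iface} (overload)"
    return None


if __name__ == "__main__":
    for label, cfg in (("as posted", ROUTER_CONFIG),
                       ("with overload line", ROUTER_CONFIG + OVERLOAD_LINE)):
        print(f"[{label}] unreferenced ACLs:", unreferenced_acls(cfg))
        # 172.16.3.12: constructed host on the PIX-side /29 with no static entry.
        # 172.16.3.3: constructed host on the Mail-Marshal /29, outside ACL 110.
        for host in ("172.16.3.10", "172.16.3.12", "172.16.3.3"):
            print(f"[{label}] {host}:", nat_for_source(cfg, host))
```

Note that ACL 110 only covers 172.16.3.8/29, so a host on the 172.16.3.0/29 side without its own static entry still leaves untranslated even after the line is added.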
ASKER
Thanks for your detailed explanation. As I had mentioned, this organisation is our group company where we don't have direct access, hence whatever I am trying to troubleshoot with your support is through a remote desktop connection to their site. I am going to add the line which you mentioned,
"ip nat inside source list 110 interface Serial0/0/0 overload", in the router. Is there anything to do with the PIX after adding this to the router?
No.
ASKER
I have added "ip nat inside source list 110 interface Serial0/0/0 overload", restarted the PIX and router, and tested from one host; still not working. I then ran tracert 216.68.200.28 from the router and the output is as follows:
GCSCI_GW#traceroute 216.68.200.28
Type escape sequence to abort.
Tracing the route to 216.68.200.28
1 83.111.224.85 16 msec 16 msec 20 msec
2 213.42.9.226 16 msec 16 msec 20 msec
3 194.170.0.138 16 msec 20 msec 20 msec
4 195.229.1.101 96 msec
195.229.1.181 88 msec
195.229.2.241 24 msec
5 195.229.1.173 20 msec 24 msec
195.229.1.166 20 msec
6 195.229.0.194 228 msec 228 msec 228 msec
7 198.32.160.137 228 msec 228 msec 232 msec
8 66.216.1.161 232 msec 240 msec 236 msec
9 66.216.1.206 248 msec 252 msec 244 msec
10 66.216.1.102 452 msec 256 msec 252 msec
11 66.216.1.110 252 msec 260 msec 248 msec
12 64.127.129.46 260 msec 264 msec 264 msec
13 216.68.7.208 268 msec 268 msec 268 msec
14 216.68.6.54 264 msec 260 msec 264 msec
15 * * *
16 * * *
17 * * *
18 * * *
ASKER
the tracert from host side is as follows
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\chari>tracert 216.68.200.28
Tracing route to kao [216.68.200.28]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 172.16.3.9
2 17 ms 17 ms 17 ms 83.111.224.85
3 17 ms 17 ms 17 ms 213.42.9.242
4 18 ms 17 ms 18 ms 194.170.0.138
5 20 ms 22 ms 20 ms 195.229.1.181
6 23 ms 23 ms 23 ms 195.229.1.173
7 229 ms 236 ms 227 ms nyc-r1-atm64-0-0-0.emix.net.ae [195.229.0.82]
8 231 ms 224 ms 232 ms c00.ny2.g6-0.wvfiber.net [198.32.160.137]
9 240 ms 234 ms 240 ms ash-ten3-3-nyc-ten1-1.bboi.net [66.216.1.161]
10 252 ms 246 ms 253 ms pit-ten2-1-ash-ten7-2.bboi.net [66.216.1.206]
11 251 ms 259 ms 253 ms col-ten2-2-pit-ten2-2.bboi.net [66.216.1.102]
12 258 ms 262 ms 279 ms ind-ten1-1-col-ten3-3.bboi.net [66.216.1.110]
13 263 ms 269 ms 271 ms 64.127.129.46
14 260 ms 262 ms 276 ms 216.68.7.208
15 264 ms 264 ms 258 ms edge5-g1-1.dist.fuse.net [216.68.6.54]
16 * * * Request timed out.
17 * * * Request timed out.
18
Try to make an http request from a VPN user to the SAP server. Maybe ICMP is not allowed to the remote site.
ASKER
i did that from host , coming as internet page cannot display the page
Something blocks this traffic but not your router or pix. Is it allowed on the remote site?
ASKER
but I am able to access thru mail marshal server 172.16.3.2 and the gateway for this server is 172.16.3.1
ASKER
which means request from users on lan is not passing thru
Sorry, some silly questions:
Are you able to browse any other website from the hosts? If so, are they using the same adsl connections?
You have two different adsl lines to connect to Internet (and so, to the remote site). Could it be possible that one of them isn't allowed in the remote site? could you try with a computer connected to each of those adsl in order to check if both are working?
ASKER
users are able to browse the net. the LAN network is 192.168.2.0, gateway for users is 192.168.2.251, cisco pix lan ip 192.168.2.254 (connected to switch), wan ip 172.16.3.10 connected to router (172.16.3.9), other int of router to mail marshal server (3.2)
It is ok. VPN users go out through serial interface. You can see it on traceroute command. Is your SAP running?
ASKER
SAP is running, as I mentioned that we are able to access SAP thru mailmarshal server
ASKER
Do we need to check sonicwall config also. In case if you need pls let me know
It looks like you have no route back. Add this line to router.
(config)#ip route 192.168.2.0 255.255.255.0 172.16.3.10
This should forward return traffic from VPN users back to PIX.
ASKER
i have given this to router and do we need to restart the router, pix and sonicwall
no
ASKER
tried https://servername from host but coming as page cannot be displayed
try https://{ip address}
ASKER
even that too i tried, i then gave ping the servername, it returns that ip address correctly but maybe that ping request is blocked at their end as it was giving request timed out. hence namelookup is also working
so what could be next try
Sorry this line is wrong:
(config)#ip route 192.168.2.0 255.255.255.0 172.16.3.10
remove it
(config)#no ip route 192.168.2.0 255.255.255.0 172.16.3.10
go to PIX and enable logging:
logging on
logging buffered warning
then make https request to SAP
GO back to PIX and show logging
What's the output?
ASKER
i removed the route entry and added the following to pix
logging on
logging buffered warning
do i need to restart the pix after adding those.
ASKER
the output is as
User Access Verification
Username: gcsciadmin
Password: ********
Type help or '?' for a list of available commands.
GCSCI-FW> en
Password: ********
Invalid password
Password: ********
GCSCI-FW# shor logging
Type help or '?' for a list of available commands.
GCSCI-FW# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level warnings, 9 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
106023: Deny tcp src outside:14.96.221.188/2643 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src outside:14.96.221.188/2643 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src outside:193.224.246.95/1118 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src outside:193.224.246.95/1118 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src outside:220.143.156.188/1366 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src outside:220.143.156.188/1366 dst inside:172.16.3.11/445 by access-group "outside_access_in"
106023: Deny tcp src inside:192.168.2.241/2070 dst outside:216.68.200.28/443 by access-group "inside_access_in"
106023: Deny tcp src inside:192.168.2.241/2070 dst outside:216.68.200.28/443 by access-group "inside_access_in"
106023: Deny tcp src inside:192.168.2.241/2070 dst outside:216.68.200.28/443 by access-group "inside_access_in"
GCSCI-FW#
i did try https://servername from host 192.168.2.241
ASKER
any clue from the pix log
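As an added example (not from the thread or any of its participants), a small Python parser for the PIX 106023 deny messages shown above: it re-joins the lines the console wrapped and counts which access-group dropped the inside-to-outside flows, which is the quickest way to read a buffer like this one. The log sample is constructed from the output quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the "show logging" output above. The PIX
# console wraps long messages, sometimes mid-word, so the parser must stitch
# continuation lines back onto the message they belong to.
SAMPLE_LOG = """\
106023: Deny tcp src outside:14.96.221.188/2643 dst inside:172.16.3.11/445 by ac
cess-group "outside_access_in"
106023: Deny tcp src inside:192.168.2.241/2070 dst outside:216.68.200.28/443 by
access-group "inside_access_in"
106023: Deny tcp src inside:192.168.2.241/2070 dst outside:216.68.200.28/443 by
access-group "inside_access_in"
"""

# "by\s?access-group" tolerates both wrap styles once the lines are re-joined
# with no separator ("by ac"+"cess-group" and "by"+"access-group").
DENY_RE = re.compile(
    r'106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+)'
    r' dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)'
    r' by\s?access-group "(?P<acl>[^"]+)"'
)

def unwrap(text):
    """Glue every line that does not start a new 106023 record onto the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith("106023:") or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def parse_denies(text):
    """Return one dict per deny record: interfaces, addresses, ports and the ACL name."""
    out = []
    for rec in unwrap(text):
        m = DENY_RE.search(rec)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out

def egress_denies(text, inside_if="inside"):
    """Count (acl, destination, port) for flows dropped on the way OUT of the LAN.
    Inbound noise against port 445 is expected; an inside->outside 443 deny is the
    firewall blocking the users' own HTTPS request, exactly the symptom in the thread."""
    return Counter((d["acl"], d["dip"], d["dport"])
                   for d in parse_denies(text) if d["sif"] == inside_if)
```

Run against the real buffer, a non-empty result from egress_denies points at the access-group (here inside_access_in) that needs the permit line, without restarting anything.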
ASKER CERTIFIED SOLUTION
ASKER
i have added access-list inside_access_in permit tcp GCSCI-LAN 255.255.255.0 any eq https to pix and do i need to restart the pix
No. You need to restart cisco devices just in specific cases.
ASKER
I couldn't check the session as users left for the day. I will definitely check it tomorrow morning and will update you. Thanks
ASKER
dear Kendzast:,
congrats , and you actually saved us. it was a great effort and the result was amazing. even though i am still not clear with the reason why it was not allowing https request i request you to provide the reason.
anyhow it was a great effort from your end and thanks a ton again.
cheers
ASKER
it was a perfect solution and worked well , thanks a lot Kendzast
Someone must have changed your config :) Glad to help you.