Cannot ping public IP's through PIX 506

Status: Not open for further replies.

JeremyUTSI (IS-IT--Management, US), Jul 26, 2002
Someone help, I am having a problem with my PIX 506, and I am not too familiar with the PIX IOS, so please bear with me. Here is the problem. I cannot seem to ping my public IPs from inside my network (inside Ethernet interface). I have not cared up until now, but I am having a problem with a few web servers being available to the public. I have several machines that are public right now, with no problems. But the two I am having an issue with are 12.x.x.125 and .126. Can't seem to get to them from outside my firewall; I can ping them when outside my firewall, but cannot access POP/SMTP, etc. Can someone take a look at the config script and let me know why I can't A) access public IPs on my LAN, and B) why people can ping .125 and .126 but can't get to any Internet services, i.e. HTTP/POP/SMTP?

Here is the config, and I KNOW that I have lines in here that are not needed; how do I take them out? I tried a clear static and it took out all my static routes... any clues?
Also, if any of you are pretty advanced with 802.11, then check out my thread in the TCP/IP and Wireless section.

pixfirewall# show config
: Saved
:
PIX Version 5.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Yn8Esq3NcXIHL35v encrypted
passwd vkj8zPQHKzY9SuRe encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 12.x.x.116 255.255.255.240
ip address inside 13.13.13.1 255.255.0.0
arp timeout 14400
global (outside) 1 12.x.x.117
nat (inside) 1 10.1.1.0 255.255.255.0 0 200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.x.x.114 13.13.13.3 netmask 255.255.255.255 0 0
static (inside,outside) 12.x.x.115 13.13.13.2 netmask 255.255.255.255 0 0
static (inside,outside) 12.x.x.118 13.13.13.4 netmask 255.255.255.255 0 0
static (inside,outside) 12.x.x.119 13.13.13.5 netmask 255.255.255.255 0 0
static (inside,outside) 12.x.x.120 13.13.13.6 netmask 255.255.255.255 0 0
static (inside,outside) 12.x.x.125 13.13.13.25 netmask 255.255.255.255 0 0
static (inside,outside) 12.x.x.126 13.13.13.26 netmask 255.255.255.255 0 0
static (inside,outside) 13.13.13.0 12.x.x.0 netmask 255.255.255.255 0 0
static (inside,outside) 12.x.x.0 13.13.13.0 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 12.x.x.114 eq 5631 any
conduit permit udp host 12.x.x.114 eq 5632 any
conduit permit tcp host 12.x.x.115 eq 5631 any
conduit permit udp host 12.x.x.115 eq 5632 any
conduit permit tcp host 12.x.x.114 eq 2027 any
conduit permit tcp host 12.x.x.114 eq lpd any
conduit permit tcp host 12.x.x.115 eq 2027 any
conduit permit tcp host 12.x.x.115 eq lpd any
conduit permit tcp host 12.x.x.114 eq smtp any
conduit permit tcp host 12.x.x.114 eq pop3 any
conduit permit tcp host 12.x.x.115 eq smtp any
conduit permit tcp host 12.x.x.115 eq pop3 any
conduit permit tcp host 12.x.x.114 eq 2025 any
conduit permit tcp host 12.x.x.114 eq <port missing from post> any
conduit permit tcp host 12.x.x.115 eq <port missing from post> any
conduit permit tcp host 12.x.x.115 eq 2025 any
conduit permit tcp host 12.x.x.114 eq 2045 any
conduit permit tcp host 12.x.x.115 eq 2045 any
conduit permit tcp host 12.x.x.118 eq smtp any
conduit permit tcp host 12.x.x.118 eq 3389 any
conduit permit tcp host 12.x.x.118 eq pop3 any
conduit permit tcp host 12.x.x.119 eq smtp any
conduit permit tcp host 12.x.x.119 eq 3389 any
conduit permit tcp host 12.x.x.119 eq pop3 any
conduit permit tcp host 12.x.x.118 eq <port missing from post> any
conduit permit tcp host 12.x.x.119 eq <port missing from post> any
conduit permit tcp host 12.x.x.119 eq 5631 any
conduit permit udp host 12.x.x.119 eq 5632 any
conduit permit tcp host 12.x.x.119 eq lpd any
conduit permit tcp host 12.x.x.119 eq 8000 any
conduit permit tcp host 12.x.x.120 eq 5631 any
conduit permit udp host 12.x.x.120 eq 5632 any
conduit permit tcp host 12.x.x.120 eq pop3 any
conduit permit tcp host 12.x.x.120 eq <port missing from post> any
conduit permit tcp host 12.x.x.120 eq smtp any
conduit permit tcp host 12.x.x.120 eq 3389 any
conduit permit tcp host 12.x.x.120 eq lpd any
conduit permit tcp host 12.x.x.125 eq smtp any
conduit permit tcp host 12.x.x.125 eq pop3 any
conduit permit tcp host 12.x.x.125 eq <port missing from post> any
conduit permit tcp host 12.x.x.125 eq lpd any
conduit permit tcp host 12.x.x.125 eq 81 any
conduit permit tcp host 12.x.x.126 eq lpd any
conduit permit tcp host 12.x.x.126 eq <port missing from post> any
conduit permit tcp host 12.x.x.126 eq pop3 any
conduit permit tcp host 12.x.x.126 eq 81 any
conduit permit tcp host 12.x.x.126 eq smtp any
conduit permit tcp host 12.x.x.125 eq domain any
conduit permit udp host 12.x.x.125 eq domain any
conduit permit udp host 12.x.x.125 eq 82 any
conduit permit tcp host 12.x.x.125 eq 82 any
conduit permit tcp host 12.x.x.126 eq 82 any
conduit permit tcp host 12.x.x.126 eq domain any
conduit permit udp host 12.x.x.126 eq 82 any
route outside 0.0.0.0 0.0.0.0 12.x.x.113 1
timeout xlate 3:00:00 conn 3:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:15:00 h323 0:15:00
timeout uauth 0:15:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet 10.1.1.3 255.255.255.255 inside
telnet 10.1.1.2 255.255.255.255 inside
telnet 13.13.13.72 255.255.0.0 inside
telnet 13.13.13.5 255.255.0.0 inside
telnet timeout 5
terminal width 80
Cryptochecksum:6fa353ef66cfe24ea972ce8988532b7b
pixfirewall#
 
Most lines can be cleared by entering them from a config prompt with "no" in front of them. As in:
"no static (inside,outside) 12.x.x.119 13.13.13.5 netmask 255.255.255.255 0 0"

Sounds like your trouble is related to obsolete entries in an arp cache. Try rebooting devices. Start with the router immediately outside the firewall. Oh yeah, make sure your configurations are saved first!
-gbiello
 
HI.

> I cannot seem to ping my public IPs from inside my network?
This is normal. The PIX will not allow ping to its own interface from the "wrong" side.

> Why people can ping .125 and .126, but can't get to any Internet services, i.e. HTTP/POP/SMTP?
The PIX does proxy ARP for the translated addresses.
So, when someone from outside pings 12.x.x.125, the PIX replies, NOT the host! So if you can ping but not get TCP connections, troubleshoot from the PIX to the host:
Can the PIX inside interface and the server ping each other?
Check the IP configuration of the server: did you forget the default gateway? Other basic TCP/IP settings not updated?
Check the physical cabling of those servers: is the NIC configured with the proper or auto-detect link speed and duplex to connect to the inside switch/hub?
Can you access those servers from inside?

Bye

Yizhar Hurwitz
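Two things in this thread are worth mechanising: reading the static/conduit plumbing out of a "show config" dump like the one posted above, and separating "ping works" from "the service is reachable" as the reply above does. The following Python checker is an added example, not code from the thread, from Cisco, or from either poster. The config text inside it is a constructed, trimmed excerpt modelled on the posted dump: 12.x.x.* is written as 12.0.0.*, and 12.0.0.121 is an invented address with a conduit but no static, included only to exercise that check. Function names (parse_config, reachable_services, lint) are this example's own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted "show config" (not the real dump):
# 12.x.x.* is written as 12.0.0.*, and 12.0.0.121 is an invented address with a
# conduit but no static, included to exercise that check.
SAMPLE_CONFIG = """\
ip address outside 12.0.0.116 255.255.255.240
ip address inside 13.13.13.1 255.255.0.0
global (outside) 1 12.0.0.117
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.0.0.125 13.13.13.25 netmask 255.255.255.255 0 0
static (inside,outside) 12.0.0.126 13.13.13.26 netmask 255.255.255.255 0 0
static (inside,outside) 13.13.13.0 12.0.0.0 netmask 255.255.255.255 0 0
static (inside,outside) 12.0.0.0 13.13.13.0 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 12.0.0.125 eq smtp any
conduit permit tcp host 12.0.0.125 eq pop3 any
conduit permit tcp host 12.0.0.125 eq 81 any
conduit permit tcp host 12.0.0.126 eq pop3 any
conduit permit tcp host 12.0.0.126 eq 81 any
conduit permit tcp host 12.0.0.121 eq www any
snmp-server community public
"""

IFADDR_RE = re.compile(r"^ip address (\w+) (\S+) (\S+)$")
# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# conduit permit proto host global_ip eq port any   (the port applies to the global host)
CONDUIT_RE = re.compile(r"^conduit permit (tcp|udp) host (\S+) eq (\S+) any$")
HOST_MASK = "255.255.255.255"


def parse_config(text):
    """Collect interface subnets, statics and per-host conduits from a config dump."""
    cfg = {"ifaces": {}, "statics": [], "conduits": [],
           "icmp_any": False, "snmp_public": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFADDR_RE.match(line):
            name, addr, mask = m.groups()
            cfg["ifaces"][name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "mapped": mapped, "real": real, "mask": mask})
        elif m := CONDUIT_RE.match(line):
            proto, host, port = m.groups()
            cfg["conduits"].append({"proto": proto, "host": host, "port": port})
        elif line == "conduit permit icmp any any":
            cfg["icmp_any"] = True
        elif line == "snmp-server community public":
            cfg["snmp_public"] = True
    return cfg


def reachable_services(cfg, public_ip):
    """What the outside should reach at one mapped address: the inside host behind
    the host static and the ports opened by conduits for that address."""
    inside_host = next((s["real"] for s in cfg["statics"]
                        if s["mapped"] == public_ip and s["mask"] == HOST_MASK), None)
    ports = sorted(f"{c['proto']}/{c['port']}" for c in cfg["conduits"]
                   if c["host"] == public_ip)
    return {"public": public_ip, "inside_host": inside_host,
            "ports": ports, "icmp": cfg["icmp_any"]}


def lint(cfg):
    """Flag the static/conduit mistakes a reviewer looks for in this kind of dump."""
    findings = []
    outside = cfg["ifaces"].get("outside")
    inside = cfg["ifaces"].get("inside")
    mapped_hosts = set()
    for s in cfg["statics"]:
        if s["mask"] == HOST_MASK:
            mapped_hosts.add(s["mapped"])
        if outside is not None and ipaddress.ip_address(s["mapped"]) not in outside:
            findings.append(f"static {s['mapped']} -> {s['real']}: mapped address is "
                            f"not in the outside subnet {outside}")
        if inside is not None and ipaddress.ip_address(s["real"]) not in inside:
            findings.append(f"static {s['mapped']} -> {s['real']}: real address is "
                            f"not in the inside subnet {inside}")
        if s["mask"] == HOST_MASK and (s["mapped"].endswith(".0") or s["real"].endswith(".0")):
            findings.append(f"static {s['mapped']} -> {s['real']}: /32 netmask on a "
                            f"network address translates only that single address")
    for c in cfg["conduits"]:
        if c["host"] not in mapped_hosts:
            findings.append(f"conduit {c['proto']}/{c['port']} to {c['host']}: no host "
                            f"static for this address, so nothing inside receives it")
    if cfg["icmp_any"]:
        findings.append("conduit permit icmp any any: a ping answered from outside shows "
                        "only the static plus the ICMP conduit; each TCP service still "
                        "needs its own conduit line and a working inside host")
    if cfg["snmp_public"]:
        findings.append("snmp-server community public: default read community; change "
                        "it or remove SNMP")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for ip in ("12.0.0.125", "12.0.0.126", "12.0.0.121"):
        print(reachable_services(cfg, ip))
    for f in lint(cfg):
        print("!", f)
```

Pointed at the posted dump, the same checks would flag the last two static lines (the 13.13.13.0 and 12.x.x.0 pair carrying a 255.255.255.255 netmask on network addresses, with 13.13.13.0 outside the 12.x.x.112/28 outside subnet), the "conduit permit icmp any any" line, and the "public" SNMP community; reachable_services for .125 and .126 lists the smtp/pop3/domain/81/82 conduits that should already answer if the static and the inside host are healthy, which is why the reply above sends the troubleshooting inward from the PIX rather than to the conduit list.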
 
Thank you for the help, guys. LAN/network connectivity is fine; everything works well internally. Just not via a public address from outside the firewall. I can also ping the servers from my PIX's internal interface. I will try rebooting the router outside of my PIX to clear the ARP cache. Any other ideas?
 
Nope, no IP conflict. I did reboot the router this morning and it did not help. I can still ping the address, and, as you say, that is a direct ping to the PIX, not through the PIX. The outside router is a managed T1. It's AT&T's, and I don't want to risk breaking into it. So I am not sure if it NATs or not. But that is a good point. I would not think that they would block them, but I could be wrong. I can contact them and ask, but any more ideas if that does not work?

Thanks
 
HI.

Try to connect a PC/laptop directly to the PIX outside interface with proper IP addressing and check from it.
What do you get?

Ask the ISP or whoever manages the router for the router configuration and also for assistance with troubleshooting this issue. It seems to me that the problem is outside of the PIX.
Take a close look at the perimeter IP addressing, *subnet mask*, routing, and NAT.

Bye
Yizhar Hurwitz
 