
cisco 515e pix help... 1

May 12, 2009
15
Hey guys,

Need some help here. I have 2 515e PIX firewalls. One is in production and the other is a spare. The one in production has IOS 6.3 and the spare has IOS 7.0. I'm trying to get the spare one to work with the same configuration as the one in production but it doesn't work. I can ping various websites from the spare PIX but when I try to access the internet from my workstation, it times out. Any idea? I have my config attached below. Any help is greatly appreciated.

PIX Version 7.0(2)
names
!
interface Ethernet0
shutdown
nameif outside
security-level 0
ip address 98.173.152.40 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.16.0.10 255.255.0.0
!
enable password bKJPYyg\mnpTwPVj encrypted
passwd o55.VJXirDgnB5ei encrypted
hostname DEF.B1.515.F
domain-name rd.com
ftp mode passive
access-list internet extended permit tcp host 10.16.18.60 any eq www
access-list internet extended permit tcp host 10.16.18.74 any eq www
access-list internet extended deny tcp any any eq www
access-list internet extended permit ip any any
access-list internet extended permit tcp host 10.16.18.120 any eq 3101
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any any eq https
access-list acl-out extended permit udp any any eq 443
access-list acl-out extended permit tcp any any eq 1745
access-list acl-out extended permit udp any any eq 1745
access-list acl-out extended permit icmp any any unreachable
access-list acl-out extended permit icmp any any time-exceeded
access-list acl-out extended permit esp any any
access-list acl-out extended permit udp any any eq isakmp
access-list acl-out extended permit udp any eq isakmp any
access-list acl-out extended permit tcp any any eq www
access-list acl-out extended permit tcp any any eq 1863
access-list acl-out extended permit tcp any host 98.173.152.35 eq pptp
access-list acl-out extended permit tcp any host 98.173.152.34 eq 3389
access-list acl-out extended permit gre any host 98.173.152.35
access-list acl-out extended permit tcp any host 98.173.152.34 eq ftp
access-list acl-out extended permit tcp any host 98.173.152.37 eq smtp
access-list acl-out extended permit tcp any host 98.173.152.37 eq www
access-list acl-out extended permit tcp any host 98.173.152.37 eq https
access-list acl-out extended permit tcp any host 98.173.152.34 eq https
access-list acl-out extended permit tcp any host 98.173.152.37 eq imap4
access-list acl-out extended permit tcp any host 98.173.152.37 eq 993
access-list acl-out extended permit tcp any host 98.173.152.38 eq 3299
access-list acl-out extended permit udp any host 98.173.152.36 range 3230 3247
access-list acl-out extended permit tcp any host 98.173.152.36 range 3230 3235
access-list acl-out extended permit udp any host 98.173.152.36 range 1718 1719
access-list acl-out extended permit tcp any host 98.173.152.36 eq h323
access-list acl-out extended permit tcp any host 98.173.152.36 eq 1731
access-list acl-out extended permit tcp any host 98.173.152.36 eq 1503
access-list acl-out extended permit tcp any host 98.173.152.36 eq ldap
pager lines 24
logging enable
logging trap debugging
logging history notifications
logging device-id hostname
logging host inside 10.16.16.10
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
asdm image flash:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 98.173.152.42-98.173.152.45 netmask 255.255.255.224
global (outside) 1 98.173.152.41 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 98.173.152.37 smtp 10.16.20.60 smtp netmask 255.255.255.255
static (inside,outside) tcp 98.173.152.37 https 10.16.18.121 https netmask 255.255.255.255
static (inside,outside) tcp 98.173.152.37 255.255.255.255
static (inside,outside) tcp 98.173.152.37 993 10.16.18.121 993 netmask 255.255.255.255
static (inside,outside) tcp 98.173.152.37 imap4 10.16.18.121 imap4 netmask 255.255.255.255
static (inside,outside) tcp 98.173.152.38 3299 10.16.60.107 3299 netmask 255.255.255.255
static (inside,outside) 98.173.152.35 10.16.18.16 netmask 255.255.255.255
static (inside,outside) 98.173.152.34 10.16.16.10 netmask 255.255.255.255
static (inside,outside) 98.173.152.36 10.16.62.100 netmask 255.255.255.255
access-group internet in interface inside
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 98.173.152.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 10.16.16.68 community m0n1t0rThi$!
snmp-server location B1-NOC
snmp-server contact Network Administrator
snmp-server community m0n1t0rThi$!
snmp-server enable traps snmp
snmp-server enable traps syslog
telnet 10.16.0.0 255.255.255.0 inside
telnet 10.16.0.0 255.255.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
Cryptochecksum:5615fcf2311157d29953d3a6a67b9bd9
: end
 
first glaring issue:
interface Ethernet0
shutdown
nameif outside
security-level 0
ip address 98.173.152.40 255.255.255.224

that should not be 'shutdown'
 
Sorry, that was an old config. here is the current one. the rest is the same

interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 98.173.152.40 255.255.255.224
!
interface Ethernet1
duplex full
nameif inside
security-level 100
ip address 10.16.0.10 255.255.0.0

right now, this pix isn't hooked up to the network.
 
then how are you able to ping various websites? are you pinging them by IP address or by name? what is the IP of the host you are trying this from?
 
To test the PIX, I disconnect the PIX in production and hook up the spare PIX I'm trying to get to work. Once the spare PIX is on the production line, I was able to telnet into it and ping sites like yahoo.com and google.com.
 
what is the IP address of your inside host you are trying this from?
 
The IP would be 10.16.48.110. The only time I can ping out is from the PIX but not from any hosts inside our network.
 

access-list internet extended deny tcp any any eq www

your access-list is denying you, try this

no access-list internet extended permit tcp host 10.16.18.60 any eq www
no access-list internet extended permit tcp host 10.16.18.74 any eq www
no access-list internet extended deny tcp any any eq www
no access-list internet extended permit ip any any
no access-list internet extended permit tcp host 10.16.18.120 any eq 3101
access-list internet extended permit tcp host 10.16.18.60 any eq www
access-list internet extended permit tcp host 10.16.18.74 any eq www
access-list internet extended permit tcp host 10.16.48.110 any
access-list internet extended permit tcp host 10.16.18.120 any eq 3101
access-list internet extended deny ip any any

make sure you have the correct gateway also
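To make the first-match behaviour of the `internet` ACL concrete, here is an added example (not code from this thread or from Cisco) that parses the ACL lines exactly as quoted above, both the original and the suggested replacement, and evaluates sample flows against them the way the PIX does on the inside interface. The helper names, the 203.0.113.10 destination and the sample flows are constructed for the illustration; only the ACL lines come from the thread.

```python
"""First-match evaluation of a PIX/ASA-style extended ACL.

Added example, not code from the Tek-Tips thread. It parses the
'access-list internet' lines quoted in the thread and reports which
flows the inside-interface ACL permits or denies. Helper names and the
sample flows below are assumptions made for the illustration.
"""
import ipaddress

# Port keywords used on the quoted lines (assumption: only the names
# needed for this ACL are mapped).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ftp": 21,
              "pptp": 1723, "imap4": 143}

# The 'internet' ACL exactly as posted in the original config.
ORIGINAL_ACL = """
access-list internet extended permit tcp host 10.16.18.60 any eq www
access-list internet extended permit tcp host 10.16.18.74 any eq www
access-list internet extended deny tcp any any eq www
access-list internet extended permit ip any any
access-list internet extended permit tcp host 10.16.18.120 any eq 3101
"""

# The replacement ACL suggested in the reply above.
REVISED_ACL = """
access-list internet extended permit tcp host 10.16.18.60 any eq www
access-list internet extended permit tcp host 10.16.18.74 any eq www
access-list internet extended permit tcp host 10.16.48.110 any
access-list internet extended permit tcp host 10.16.18.120 any eq 3101
access-list internet extended deny ip any any
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; return the port, or None for any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None


def parse_acl(text):
    """Turn 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]'
    lines into (action, proto, src_net, sport, dst_net, dport, line) tuples,
    kept in configured order because the PIX stops at the first match."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        _, _, _, action, proto = tokens[:5]
        rest = tokens[5:]
        src = _parse_addr(rest)
        sport = _parse_port(rest)
        dst = _parse_addr(rest)
        dport = _parse_port(rest)
        entries.append((action, proto, src, sport, dst, dport, line))
    return entries


def evaluate(acl, proto, src, dst, dport):
    """Return (action, matching_line) for a flow; an extended ACL ends with
    an implicit deny, so a flow matching no entry is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, _sport, dst_net, dp, line in acl:
        if p != "ip" and p != proto:
            continue
        if s not in src_net or d not in dst_net:
            continue
        if dp is not None and dp != dport:
            continue
        return action, line
    return "deny", "<implicit deny>"


if __name__ == "__main__":
    # Constructed flows: the workstation from the thread, the proxy, and the
    # 3101 host, all towards a documentation-range address on the Internet.
    flows = [("tcp", "10.16.48.110", "203.0.113.10", 80),
             ("tcp", "10.16.48.110", "203.0.113.10", 443),
             ("tcp", "10.16.18.60", "203.0.113.10", 80),
             ("tcp", "10.16.18.120", "203.0.113.10", 3101),
             ("udp", "10.16.20.60", "203.0.113.10", 53)]
    for label, text in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        acl = parse_acl(text)
        print(f"--- {label} ACL ---")
        for flow in flows:
            action, line = evaluate(acl, *flow)
            print(f"{flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}: {action}  [{line}]")
```

Running it shows the point the reply makes: with the original ACL, tcp/80 from 10.16.48.110 stops at `deny tcp any any eq www`, while any non-www traffic from that host falls through to `permit ip any any`; with the revised ACL the workstation's TCP is permitted by its own entry and everything else ends at the explicit `deny ip any any`. It also shows that in the original ordering the last entry, `permit tcp host 10.16.18.120 any eq 3101`, can never be reached because `permit ip any any` sits above it.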
 
is this line below allowing access to go out to the internet?

access-list internet extended permit tcp host 10.16.48.110 any

I should have mentioned that internet access is allowed through MS Proxy which is address 10.16.18.60 which corresponds to this line

access-list internet extended permit tcp host 10.16.18.60 any eq www

Not too sure if that matters..
 
yes that does matter. in the production pix do you have a line similar to this: url-server (inside) vendor MS Proxy host 10.16.18.60 ?
then another line like filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
 
Unfortunately no. There is no line like you mentioned above. I don't understand why it's not working. I can only guess it's because of the different OS versions. Same exact configuration too.
 
what are the devices before the pix and after the pix? and are you sure that the configs are exact? did you use beyond compare?

 
basically, to get to the internet it goes like this:

pix e0 is hooked up to a 3550 switch on port 2. on port 1 of the switch, its hooked to the isp gateway router.

pix e1 is hooked up to another network switch.

side note, the proxy has 2 nics (one outside and one inside address) that is connected to the 3550 switch as well.
 
hook up the standby pix, log in and clear arp, and xlate, then log into the switch and clear arp. can you post an ipconfig/all and a netstat -r
 
when you set up the standby pix, are you going through the production switch? or a different switch?
 
If everything is the exact same including the inside IP address of the PIX you may have an issue with the ARP cache on the client machine itself. What OSes are you using? When the PIX is plugged into the switch it should issue a gratuitous ARP updating the MAC address tables of each switch down the line. It's the hosts that may need their caches flushed.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes, I'm going through the same production switch. I just simply swapped the PIX firewalls out. I did restart the proxy after the PIX was swapped out but it still didn't work on my workstation. I can't recall if I tried to access the internet on the proxy itself after it was restarted.

If the proxy was restarted after the spare pix was installed on the network, it should have cleared the arp on it right?
 