cisco 515e pix help... 1

[sinisterr1]

Hey guys,

Need some help here. I have 2 515e pix firewalls. One is in production and the other is a spare. The one in production has IOS 6.3 and the spare has IOS 7.0. I'm trying to get the spare one to work with the same configuration as the one in production but it doesn't work. I can ping various websites from the spare pix but when I try to access the internet from my workstation, it times out. Any idea? I have my config attached below. Any help is greatly appreciated..

PIX Version 7.0(2)
names
!
interface Ethernet0
shutdown
nameif outside
security-level 0
ip address 98.173.152.40 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.16.0.10 255.255.0.0
!
enable password bKJPYyg\mnpTwPVj encrypted
passwd o55.VJXirDgnB5ei encrypted
hostname DEF.B1.515.F
domain-name rd.com
ftp mode passive
access-list internet extended permit tcp host 10.16.18.60 any eq www
access-list internet extended permit tcp host 10.16.18.74 any eq www
access-list internet extended deny tcp any any eq www
access-list internet extended permit ip any any
access-list internet extended permit tcp host 10.16.18.120 any eq 3101
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any any eq https
access-list acl-out extended permit udp any any eq 443
access-list acl-out extended permit tcp any any eq 1745
access-list acl-out extended permit udp any any eq 1745
access-list acl-out extended permit icmp any any unreachable
access-list acl-out extended permit icmp any any time-exceeded
access-list acl-out extended permit esp any any
access-list acl-out extended permit udp any any eq isakmp
access-list acl-out extended permit udp any eq isakmp any
access-list acl-out extended permit tcp any any eq www
access-list acl-out extended permit tcp any any eq 1863
access-list acl-out extended permit tcp any host 98.173.152.35 eq pptp
access-list acl-out extended permit tcp any host 98.173.152.34 eq 3389
access-list acl-out extended permit gre any host 98.173.152.35
access-list acl-out extended permit tcp any host 98.173.152.34 eq ftp
access-list acl-out extended permit tcp any host 98.173.152.37 eq smtp
access-list acl-out extended permit tcp any host 98.173.152.37 eq www
access-list acl-out extended permit tcp any host 98.173.152.37 eq https
access-list acl-out extended permit tcp any host 98.173.152.34 eq https
access-list acl-out extended permit tcp any host 98.173.152.37 eq imap4
access-list acl-out extended permit tcp any host 98.173.152.37 eq 993
access-list acl-out extended permit tcp any host 98.173.152.38 eq 3299
access-list acl-out extended permit udp any host 98.173.152.36 range 3230 3247
access-list acl-out extended permit tcp any host 98.173.152.36 range 3230 3235
access-list acl-out extended permit udp any host 98.173.152.36 range 1718 1719
access-list acl-out extended permit tcp any host 98.173.152.36 eq h323
access-list acl-out extended permit tcp any host 98.173.152.36 eq 1731
access-list acl-out extended permit tcp any host 98.173.152.36 eq 1503
access-list acl-out extended permit tcp any host 98.173.152.36 eq ldap
pager lines 24
logging enable
logging trap debugging
logging history notifications
logging device-id hostname
logging host inside 10.16.16.10
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
asdm image flash:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 98.173.152.42-98.173.152.45 netmask 255.255.255.224
global (outside) 1 98.173.152.41 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 98.173.152.37 smtp 10.16.20.60 smtp netmask 255.255.255.255
static (inside,outside) tcp 98.173.152.37 https 10.16.18.121 https netmask 255.255.255.255
static (inside,outside) tcp 98.173.152.37

http://www 10.16.18.121

http://www netmask

255.255.255.255
static (inside,outside) tcp 98.173.152.37 993 10.16.18.121 993 netmask 255.255.255.255
static (inside,outside) tcp 98.173.152.37 imap4 10.16.18.121 imap4 netmask 255.255.255.255
static (inside,outside) tcp 98.173.152.38 3299 10.16.60.107 3299 netmask 255.255.255.255
static (inside,outside) 98.173.152.35 10.16.18.16 netmask 255.255.255.255
static (inside,outside) 98.173.152.34 10.16.16.10 netmask 255.255.255.255
static (inside,outside) 98.173.152.36 10.16.62.100 netmask 255.255.255.255
access-group internet in interface inside
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 98.173.152.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 10.16.16.68 community m0n1t0rThi$!
snmp-server location B1-NOC
snmp-server contact Network Administrator
snmp-server community m0n1t0rThi$!
snmp-server enable traps snmp
snmp-server enable traps syslog
telnet 10.16.0.0 255.255.255.0 inside
telnet 10.16.0.0 255.255.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
Cryptochecksum:5615fcf2311157d29953d3a6a67b9bd9
: end

 

[unclerico]

If the proxy was restarted after the spare pix was installed on the network, it should have cleared the arp on it right?

yes. is the pix the default gateway for all hosts on your LAN??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[sinisterr1]

no. our gateway for all hosts on the lan is a cisco 2948-L3 which is 10.16.0.1

 

[North323]

i would clear the arp on the pix and xlate, clear arp on the switch and your desktop....i would also recycle the ISP router. that has the mac add of the prod pix

 

[unclerico]

no. our gateway for all hosts on the lan is a cisco 2948-L3 which is 10.16.0.1

Ok then that removes the arp issue on the client side. Have you run a traceroute from a client machine??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[sinisterr1]

Thanks North. Those are very good suggestions. And Thank you for the time in trying to solve this with me. When we finally get it solved, you'll have to let me know how to get a hold of you so i can buy you a cold one. SERIOUSLY!!

 

[North323]

hope that works

 

[sinisterr1]

unclerico,

funny you should ask. I just did a tracert to google on my production pix and i got this


1 3 ms <1 ms <1 ms 10.16.0.1
2 1 ms 2 ms 1 ms def-mx1.remecrds.com [gateway IP]
3 2 ms 2 ms 2 ms wsip-98-173-150-45.sd.sd.cox.net [98.173.150.45]

I don't get how our front end exchange server is associated with the ISP gateway address.

 

[North323]

are they routing your email?

 

[sinisterr1]

no they're not. i think its just a dns error on their end. it works though.

 

[unclerico]

the address returned in your traceroute is 98.173.152.37, but your default route is pointing to .33 as the next hop. What is the IP of the interface connecting the ISP router to the pix??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[sinisterr1]

the default route is correct..its suppose to be .33. if you do a nslookup on both .33 and .37, it comes back with the same mx record. .33 is our gateway, and .37 is our front end server.

 

[sinisterr1]

thanks for the help guys. it turns out all i had to do was restart the router. for some reason, the router wasn't refreshing its arp cache.