
Cisco PIX 515e Problems... Please Help


snemes

IS-IT--Management
Oct 23, 2003
Good Morning--

I have a few questions dealing with the Cisco Pix 515e Firewall and I would appreciate it if someone could help. Currently, our router serves as the gateway device for our network and the pix is sitting behind it. The pix will be running NAT, creating an inside private network. We do not currently have a DMZ so all other devices besides the gateway router will be behind the firewall.

We created a test network with our primary dns, webserver, and a client behind the firewall. During testing we would simply try to browse the internet and were unable to do so. Also, a user on the outside of our network tried to resolve our website from the outside and was unable to.

Internal Network: 10.27.1.0
pix inside address: 10.27.1.254
pix outside address: 198.xxx.xxx.230
Router inside address: 198.xxx.xxx.254


If anyone could review these and see if we are missing anything, or what our problem could be, it would be greatly appreciated.

The config files are as follows:


Router Configuration
!
version 11.1
service slave-log
service udp-small-servers
service tcp-small-servers
!
hostname skipper
!
enable secret
enable password
!
no ip source-route
!
interface Ethernet0
ip address 198.xxx.xxx.254 255.255.255.0
ip access-group 103 in
ip access-group 104 out
ip accounting access-violations
no ip redirect
no ip directed-broadcast
!
interface Ethernet1
no ip address
no ip redirect
no ip directed-broadcast
shutdown
!
interface Serial0
ip address 63.xxx.xxx.54 255.255.255.252
ip access-group 101 in
ip access-group 102 out
ip accounting access-violations
no ip redirect
no ip directed-broadcast
no fair-queue
!
interface Serial1
no ip address
no ip redirect
no ip directed-broadcast
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 63.xxx.xxx.53

!
snmp-server community public RO
snmp-server enable traps isdn
snmp-server enable traps config
snmp-server enable traps bgp
snmp-server enable traps frame-relay
!
line con 0
line aux 0
line vty 0 4
password
login
!
end




Cisco Pix 515E Configuration

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 10full
interface ethernet1 10full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password encrypted
passwd encrypted
hostname professor
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.27.1.3 Pony_Express
name 10.27.1.10 PowerLAN
name 10.27.1.25 ProfessorWeb
name 10.27.1.252 Gateway2
name 10.27.1.9 Synthesis_UPS
name 10.27.1.8 Connectivity
name 10.27.1.7 Sales
name 10.27.1.6 UPS_Engineering
name 10.27.1.4 Devserver
name 10.27.1.2 Ginger
name 10.27.1.1 Orion
name 10.27.1.0 Professor_Network
name 10.27.1.12 EDP_UPS
name 10.27.1.11 Safegaurd
name 10.27.1.26 Professor_TV
name 10.27.1.5 MUN_Adapter
name 10.27.1.13 VPN_Server
access-list acl_outside permit tcp any host 198.xxx.xxx.141 eq smtp
access-list acl_outside permit tcp any host 198.xxx.xxx.219 eq www
access-list acl_outside permit tcp any host 198.xxx.xxx.105 eq www
access-list acl_outside permit tcp any host 198.xxx.xxx.252 eq domain
access-list acl_outside permit tcp any host 198.xxx.xxx.11 eq www
access-list acl_outside permit tcp any any eq www
access-list acl_outside permit tcp any host 198.xxx.xxx.2 eq https
access-list acl_outside permit udp any host 198.xxx.xxx.2 eq ntp
access-list acl_outside permit tcp any host 198.xxx.xxx.2 eq ssh
access-list acl_outside permit tcp any host 198.xxx.xxx.2 eq 6000
access-list acl_outside permit tcp any host 198.xxx.xxx.10 eq www
access-list acl_outside permit tcp any host 198.xxx.xxx.60 eq www
access-list acl_outside permit tcp any host 198.xxx.xxx.62 eq www
access-list acl_outside permit tcp any host 198.xxx.xxx.63 eq www
access-list acl_outside permit tcp any host 198.xxx.xxx.64 eq www
access-list acl_outside permit tcp any host 198.xxx.xxx.65 eq www
access-list acl_outside permit tcp any host 198.xxx.xxx.253
access-list acl_outside permit udp any host 198.xxx.xxx.252 eq domain
access-list acl-inside permit tcp any any eq domain
access-list acl-inside permit udp any any eq domain
access-list acl-inside permit tcp any any eq www
access-list acl-inside permit tcp any any eq telnet
access-list acl-outside permit tcp any any eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 198.xxx.xxx.230 255.255.255.0
ip address inside 10.27.1.254 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 0.0.0.0 0.0.0.0 inside
pdm location Professor_Network 255.255.255.0 inside
pdm location Orion 255.255.255.255 inside
pdm location Ginger 255.255.255.255 inside
pdm location Pony_Express 255.255.255.255 inside
pdm location Devserver 255.255.255.255 inside
pdm location MUN_Adapter 255.255.255.255 inside
pdm location UPS_Engineering 255.255.255.255 inside
pdm location Sales 255.255.255.255 inside
pdm location Connectivity 255.255.255.255 inside
pdm location Synthesis_UPS 255.255.255.255 inside
pdm location PowerLAN 255.255.255.255 inside
pdm location Safegaurd 255.255.255.255 inside
pdm location EDP_UPS 255.255.255.255 inside
pdm location Gateway2 255.255.255.255 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location ProfessorWeb 255.255.255.255 inside
pdm location Professor_TV 255.255.255.255 inside
pdm location 198.xxx.xxx.0 255.255.255.0 outside
pdm location Pony_Express 255.255.255.255 outside
pdm location VPN_Server 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 198.xxx.xxx.208-198.xxx.xxx.213 netmask 255.255.255.0
global (outside) 1 198.xxx.xxx.214 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 198.xxx.xxx.141 Orion netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.219 Ginger netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.105 Pony_Express netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.2 Devserver netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.3 MUN_Adapter netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.10 UPS_Engineering netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.11 Sales netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.60 Connectivity netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.62 Synthesis_UPS netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.63 PowerLAN netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.64 Safegaurd netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.65 EDP_UPS netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.252 ProfessorWeb netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.223 Professor_TV netmask 255.255.255.255 0 0
static (inside,outside) 198.xxx.xxx.253 VPN_Server netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl-inside in interface inside
route outside 0.0.0.0 0.0.0.0 198.xxx.xxx.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 198.xxx.xxx.0 255.255.255.0 outside
http Professor_Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 198.xxx.xxx.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
username pixchgo password encrypted privilege 2
terminal width 80
Cryptochecksum:
: end
[OK]
 
What is the default gateway on the internal host? Can you try to ping 198.133.219.25 from the internal host? Are you able to ping this IP address? If not, issue the following command on the PIX "show local <internal-host-ip>". Can you see a translation (xlate) for this host?
 
Mut....appreciate the help

Our default gateway is 10.27.1.254
Our primary DNS is: 10.27.1.25

All our devices are attached to the same switch, therefore when we ping our private IPs we receive a response, however not when we ping outside our network.

This is the response the pix gives to the show local 10.27.1.25 command:

Interface inside: 2 active, 7 maximum active, 0 denied
local host: <ProfessorWeb>, conn(s)/limit = 0/0
embryonic(s)/limit = 0/0, incomplete(s) = 0
AAA:
Xlate(s):
Global 198.xxx.xxx.252 Local ProfessorWeb
Conn(s):
UDP out 198.xxx.xxx.252:137 in ProfessorWeb:137 idle 0:00:56 flags -
Interface outside: 1 active, 2 maximum active, 0 denied

As for pinging 198.133.219.25, I am unsure of where you got this ip and wish you would clarify.

Thanks
 
Add the following line:

access-list acl_outside permit icmp any any echo-reply

and try to ping again the IP address I gave you... Do an nslookup and you will find out this IP address.

Are you able to ping this IP address now?
 
mut-

We added the acl command and we still cannot ping to the ip address 198.133.219.25

Any suggestions?
 
Access the PIX through the console port and issue the following command:

debug packet outside dst 198.133.219.25 netmask 255.255.255.255

try to ping again... are you able to see any information (packets) on the screen? If not issue the show local <internal-host-ip> command to see if there is a translation. After the test remove the debug with the "no debug packet outside" command.
 
One last thing... are you able to ping 198.133.219.25 from the PIX? How about from the router?
 
add the following line to to your PIX firewall configuration

access-list acl_inside permit udp any any

remove the following

access-list acl_inside permit udp any any eq domain

this will fix your internet access from behind the firewall.
 
also do the same for the access list for the TCP command line on the inside interface.

add

access-list acl_inside permit tcp any any

remove

access-list acl_inside permit tcp any any eq domain.

since you are using port mapping you gotta allow internal-to-external access through all ports rather than just one (domain)
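Note that the config above binds the inside ACL as acl-inside (dash) while the suggested lines use acl_inside (underscore), and it also carries an acl-outside list that no access-group references. The following lint is an added example, not code from this thread: it parses the access-list and access-group lines of a PIX 6.x config, reports lists that are never bound (and the bound name they most likely meant) and flags permit rules with no port restriction. The sample config is constructed from the lines quoted in the thread, with 198.51.100.141 as a placeholder host.

```python
import re
from collections import defaultdict

# Constructed sample: access-list/access-group lines modelled on the thread's PIX
# config, including the unbound acl-outside and the suggested acl_inside line.
SAMPLE_CONFIG = """\
access-list acl_outside permit tcp any host 198.51.100.141 eq smtp
access-list acl_outside permit icmp any any echo-reply
access-list acl-inside permit tcp any any eq domain
access-list acl-inside permit udp any any eq domain
access-list acl-inside permit tcp any any eq www
access-list acl-outside permit tcp any any eq telnet
access-list acl_inside permit udp any any
access-group acl_outside in interface outside
access-group acl-inside in interface inside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

def parse_config(text):
    """Return ({acl_name: [rule lines]}, {acl_name: interface})."""
    acls, groups = defaultdict(list), {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(line)
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)
    return dict(acls), groups

def unbound_acls(acls, groups):
    """ACLs with rules but no access-group binding: their rules never take effect."""
    return sorted(name for name in acls if name not in groups)

def suggest_binding(name, groups):
    """Bound ACL whose name differs only by '-' vs '_' (e.g. acl_inside -> acl-inside)."""
    key = name.replace("_", "-").lower()
    for bound in groups:
        if bound != name and bound.replace("_", "-").lower() == key:
            return bound
    return None

def wide_open_rules(acls):
    """permit rules with any source, any destination and no port or ICMP-type qualifier."""
    return [(name, rule) for name, rules in acls.items() for rule in rules
            if (m := ACL_RE.match(rule)) and m.group(2) == "permit"
            and m.group(4).split() == ["any", "any"]]
```

Run it over `show run` output saved to a file; a rule reported by wide_open_rules deserves a second look before it goes on the inside interface of a box that also hosts the public DNS and web servers.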
 
Mut-

We can now ping from our client inside the network to 198.133.219.25 however when we try we cannot resolve. We are currently running our own primary dns behind the firewall which I know is unusual. If you have any more recommendations please let me know...

Thanks for your help... we are getting there
 
You have access list on your router interface. What does the acl look like?
 
The router access-list is access-list xxx permit ip any any for all interfaces.
I have made the changes suggested by praks and mut and here is where we are at. I can ping 198.133.219.25 from our test client through the pix. I can browse but I cannot resolve and get to their site.

NSLOOKUPs fail:
DNS request timed out
timeout was 2 seconds
*** can't find server name for address 10.27.1.25: timed out
*** default servers are not available
Server: Unknown
Address: 10.27.1.25
I can ping 10.27.1.25 from client successfully.

Thanks for all your help.
 
Our DNS server (Win2000) is configured for reverse DNS. Does the PIX need anything configured?

We have: Router-->PIX-->|DNS Server
|Web Server (IIS)
|Client
for our test network. We are planning to implement the PIX without a DMZ so everything on our net will be behind the PIX.

We are the primary DNS for our domain. Therefore our DNS server needs to be accessed by the internet community and our internal network. Internally we use our DNS as a host file for printers, etc as well as resolving domains for web browsing. The outside resolves our domain for website (2 different domains) and our MX records (one domain)for mail.

Thanks in advance
 
It is a DNS issue not a PIX issue. Your DNS server is not available by name so it fails. If you are able to ping it by IP address then your PIX is setup fine.
 
Themut,
You are right. We were using a clone of our live DNS and it still had the zones defined with our public ip's. I recreated the zone on our test DNS server using the private 10.1.27.0 ip range and created the reverse dns for it.

I then added one 'A' record 10.27.1.25 Professor and from the client I tried a nslookup which failed.

Am I missing something simple?

Thanks.
 
To all who helped...thanks. We are almost to the point of putting our pix into action. Thanks for all the help...It is very much appreciated.

Have a good one.
 