
PIX 506E xlate problem

Status
Not open for further replies.

westarhsv

IS-IT--Management
May 1, 2003
17
US
My pix (506E) for some reason will run out of xlates at which point it stops allowing any traffic out or in and needless to say pisses me and my whole network off. I changed the xlate timeout from 3 hours down to 1 hour and then down to 40 minutes and it still after a while stops allowing traffic. When I changed it to 1 hour it took about 3-4 months before it did it again. Could it be that there is just too much traffic for the 506 to handle for my network? That is the only thing I can think that would cause this. I worked with Cisco and their only suggestion was to change the timeout. It is running PIX 6.2(1) and PDM 2(0)147. Any suggestions?
 
How many pc's do you have on your network? Are you using static or dynamic translation? What is the static/dynamic map you have setup?
 
I have around 100 machines on the internal network. I have static translations for machines that need a public IP such as my exchange server for OWA, a few websites, and a couple of folks that use windows built in IPSEC vpn to connect to another network. The default gateway is the internal interface of the PIX, the external has a static public IP. We are using dynamic PAT/NAT. I also have 3 site to site VPN's setup.
 
What is the size of your dynamic pool? If your pool is not large enough to handle the traffic, this would cause your xlate table to fill up until you cleared it.
 
Where do I tell how big the pool is? Looking at the IP and subnet 192.168.168.0 255.255.255.0 I assume it covers everything on the internal of our network. Looking at the global address pools I have one for the internal interface which has no pool ID and no IP addresses and I have one for the external which has a pool ID of 1 and set to use the IP of the interface.
 
Do you have the command (let's say your public ip is 207.155.1.0-207.155.1.125):

static (inside,outside) 207.155.1.0 192.168.135.0 netmask 255.255.255.128 0 0

if you do a show static?

If you do, then you are bound by the number of global ip's assigned by your ISP. Do a show xlate and change the public ip's if you want and post it here along with a show static, show dynamic, and route. Just change the public stuff so as to not compromise your security.
 
I meant
static (inside,outside) 207.155.1.0 192.168.1.0 netmask 255.255.255.0 0 0
 
Result of PIX command: "show static"

static (inside,outside) ATTCLTF-External ATTCLTF-Internal netmask 255.255.255.255 0 0
static (inside,outside) CobroExchExtern CobroExcngInt netmask 255.255.255.255 0 0
static (inside,outside) UNIRAMWebPorEX UNIRAMWebPortal netmask 255.255.255.255 0 0
static (inside,outside) LargessExtern DaveLargess netmask 255.255.255.255 0 0
static (inside,outside) 111.111.111.111 MarciaMacias netmask 255.255.255.255 0 0
static (inside,outside) 111.111.111.111 Srv-dataInternal netmask 255.255.255.255 0 0
static (inside,outside) 111.111.111.111 LeadTheFleet netmask 255.255.255.255 0 0
static (inside,outside) GPTProjectExt GPTProjectInt netmask 255.255.255.255 0 0

Result of PIX command: "show dynamic"

Crypto Map Template"outside_dyn_map" 20
access-list outside_cryptomap_dyn_20; 2 elements
access-list outside_cryptomap_dyn_20 permit ip 192.168.168.0 255.255.255.0 192.168.168.96 255.255.255.240 (hitcnt=45)
access-list outside_cryptomap_dyn_20 permit ip any 192.168.168.96 255.255.255.240 (hitcnt=4)
Current peer: 0.0.0.0
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ ESP-3DES-SHA, }

Result of PIX command: "show route"

outside 0.0.0.0 0.0.0.0 111.111.111.111 1 OTHER static
inside 192.168.168.0 255.255.255.0 192.168.168.10 1 CONNECT static
outside 111.111.111.111 255.255.255.224 HECFirewallExt 1 CONNECT static

Here is what I get with those commands...changed all public IP's to 1's.
 
HI.

Please post your "global" commands, or the output of "show global".

Try to use PAT only, instead of NAT/PAT.

Please also post your "logging" commands - are you using syslog via TCP or UDP?

What is the exact error message that you get?

Bye


Yizhar Hurwitz
 
when I do a show global I get

global (outside) 1 interface

I have to use NAT because my ISP only gives me 20 or so IP's and I need way more than that. Besides, is it not more secure to use both? When the PIX stops allowing traffic in or out I get error logs that look like this

"date" "time" "Message ID" deny inbound or outbound (no xlate) "protocol" src inside or outside "IP and port" dst inside or outside "IP and port"

hope that makes sense. I just set up my machine as a syslog server and I am logging just errors at the moment. Can you tell me what the hell the facility does? I read on Cisco's website but didn't get it.
 
HI.

Use level 4 (warnings).
Some "no xlate" messages for inbound traffic are normal behavior that indicate port scans from external hosts (every ip in the Internet is scanned every few minutes by possible attackers).
You should also expect such error messages after issuing "clear xlate" or reloading the pix.

If you get "no xlate" for outbound traffic or other legitimate traffic, then this is a problem that should be further inspected.

If you get a message about "translation slot", this could also indicate a problem.

A more complete post of your current configuration is needed here - take a look at the FAQ of this forum for info about how to post it.

Please also post the exact error messages that you get for legitimate connection attempts.


Yizhar Hurwitz
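The distinction made in the reply above (inbound "no xlate" denies are background scan noise, outbound "no xlate" denies for inside hosts are the real symptom of a full translation table) is easy to automate against a syslog file. The script below is an added example written for this thread, not something the poster or Cisco provided. It assumes the log lines have the shape the original poster described (date, time, message ID, "Deny inbound/outbound (No xlate) proto src if:ip/port dst if:ip/port"); the message IDs, addresses and ports in SAMPLE_LOG are constructed for the example, and the `%PIX-3-106011` ID is assumed to be the one that carries the "No xlate" text.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic) in the shape described in the thread.
SAMPLE_LOG = """\
May 01 2003 10:15:01: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/4123 dst outside:198.51.100.5/135
May 01 2003 10:15:02: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/4124 dst outside:198.51.100.5/139
May 01 2003 10:16:40: %PIX-3-106011: Deny outbound (No xlate) tcp src inside:192.168.168.25/1034 dst outside:198.51.100.77/80
May 01 2003 10:16:41: %PIX-3-106011: Deny outbound (No xlate) udp src inside:192.168.168.25/1035 dst outside:198.51.100.77/53
May 01 2003 10:16:42: %PIX-3-106011: Deny outbound (No xlate) tcp src inside:192.168.168.31/1201 dst outside:198.51.100.12/443
May 01 2003 10:16:43: %PIX-4-106023: Deny tcp src outside:203.0.113.9/4125 dst inside:192.168.168.5/23 by access-group "outside_access_in"
"""

# Matches only the "(No xlate)" deny variant; ordinary ACL denies (e.g. 106023) are ignored.
NO_XLATE_RE = re.compile(
    r"Deny (?P<direction>inbound|outbound) \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)",
    re.IGNORECASE,
)


def parse_no_xlate(line):
    """Return a dict for a 'no xlate' deny line, or None for any other line."""
    m = NO_XLATE_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["direction"] = event["direction"].lower()
    event["src_port"] = int(event["src_port"])
    event["dst_port"] = int(event["dst_port"])
    return event


def triage(log_text, outbound_alert=3):
    """Separate inbound scan noise from outbound failures and give a verdict.

    outbound_alert is the number of outbound 'no xlate' denies at which the
    translation table is treated as exhausted (an assumed threshold for the example).
    """
    events = [e for e in (parse_no_xlate(l) for l in log_text.splitlines()) if e]
    inbound = [e for e in events if e["direction"] == "inbound"]
    outbound = [e for e in events if e["direction"] == "outbound"]
    # Which inside hosts are failing to get a translation, and how often.
    inside_hosts = Counter(e["src_ip"] for e in outbound)
    if len(outbound) >= outbound_alert:
        verdict = "xlate exhaustion suspected"
    elif inbound:
        verdict = "inbound noise only"
    else:
        verdict = "no no-xlate denies"
    return {
        "inbound": len(inbound),
        "outbound": len(outbound),
        "inside_hosts": dict(inside_hosts),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the real syslog file instead of SAMPLE_LOG (for example `triage(open("pix.log").read())`), and watch the `inside_hosts` map: a handful of hosts burning translations is a different problem from every host on the segment failing at once.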
 
I can tell by looking at the denials if it is denying good traffic...it seems out of the blue it just starts denying all traffic, and the only way I can get the thing to stop is to reload it and let it boot back up. When it does that it just disallows all traffic, period, with the no xlate, like it was disallowing traffic it shouldn't even though it is good traffic. I am thinking about updating to 6.31 PIX software and PDM 3.01; is there anything I should look out for? I have vpn connections with 3 other locations that have 515's at lower level software; will they have to be upgraded at the same time? It could take a while for it to shut down all connections again...if it happens again I will put syslog into debug mode and pull in everything that is going on at that time and see what kind of errors it is throwing out there. If you still want me to post my config let me know and I will.
 
HI.

> If you still want me to post my config let me know and I will...
Yes, it can help.

> I am thinking about updating to 6.31 PIX software and PDM 3.01
The upgrade should go with no problems, but I doubt if it will solve your specific problem.
Anyway it is a good idea to upgrade for additional features, fixes, and better PDM.

> have vpn connections with 3 other locations that have 515's at lower level software will they have to be upgraded at the same time?
No.

> if it happens again I will put syslog into debug
I suggest that you start logging at higher level now, so you can have more info.
You can also use PDM graphs to track "xlate" usage over time.


Yizhar Hurwitz
 
Here is a copy of my config I changed internal IP's to Internal or internal replacing the first three octets. My public address space is changed to My_Public and public space not owned by me was changed to Public. Connections were renamed to Other_Office.

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname my.host
domain-name my.domain
clock timezone
clock
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 8000
no fixup protocol smtp 25
names

object-group service NetMeeting tcp
port-object eq 522
port-object eq ldap
port-object eq h323
port-object eq 1503
port-object eq 1731
object-group service NetBIOS-tcp tcp
port-object eq netbios-ssn
object-group service NetBIOS-udp udp
port-object eq netbios-ns
port-object eq netbios-dgm
access-list inside_access_in permit udp Internal.0 255.255.255.0 any eq domain
access-list inside_access_in permit tcp Internal.0 255.255.255.0 any eq www
access-list inside_access_in permit tcp Internal.0 255.255.255.0 any eq https
access-list inside_access_in permit tcp Internal.0 255.255.255.0 any eq ftp
access-list inside_access_in permit tcp host Internal host Public eq pop3
access-list inside_access_in permit tcp host Internal host Public eq pop3
access-list inside_access_in permit tcp host Internal host Public eq smtp
access-list inside_access_in permit tcp host Internal host Public eq smtp
access-list inside_access_in permit ip Internal.0 255.255.255.0 Other_Office_Internal 255.255.255.0
access-list inside_access_in permit ip Internal.0 255.255.255.0 Other_Office_Internal 255.255.255.128
access-list inside_access_in permit ip Internal.0 255.255.255.0 Other_Office_Internal 255.255.255.0
access-list inside_access_in permit tcp host Internal host My_Public eq sqlnet
access-list inside_access_in permit tcp host Internal host Public eq 4004
access-list inside_access_in permit tcp host Internal host Public eq 4000
access-list inside_access_in permit tcp Internal.0 255.255.255.0 host Public eq telnet
access-list inside_access_in permit tcp Internal.0 255.255.255.0 host Public eq sqlnet
access-list inside_access_in permit tcp Internal.0 255.255.255.0 host Public eq 1526
access-list inside_access_in permit tcp host Internal any eq smtp
access-list inside_access_in permit tcp host Internal host My_Public eq 1723
access-list inside_access_in permit gre host Internal host My_Public
access-list inside_access_in permit gre host Internal host My_Public
access-list inside_access_in permit tcp host Internal host My_Public eq 1723
access-list inside_access_in permit tcp Internal.0 255.255.255.0 host Public eq telnet
access-list inside_access_in permit tcp Internal.0 255.255.255.0 host Public eq telnet
access-list inside_access_in permit tcp Internal.0 255.255.255.0 host Public eq telnet
access-list inside_access_in permit tcp host Internal host Public eq pop3
access-list inside_access_in permit tcp host Internal host Public eq smtp
access-list inside_access_in permit tcp host Internal host Public eq 3500
access-list inside_access_in permit tcp host Internal host Public eq 8000
access-list inside_access_in permit tcp host Internal host Public eq 1477
access-list inside_access_in permit tcp host Internal host Public eq telnet
access-list inside_access_in permit tcp host Internal host Public eq 7070
access-list inside_access_in permit tcp host Internal host Public eq 554
access-list inside_access_in permit tcp host Internal host Public eq 9090
access-list inside_access_in permit tcp Internal.0 255.255.255.0 host Public eq 9000
access-list inside_access_in deny ip Internal.0 255.255.255.0 any
access-list outside_access_in permit tcp host Internal host My_Public eq 1526
access-list outside_access_in permit tcp any host My_Public eq www
access-list outside_access_in permit tcp any host My_Public eq www
access-list outside_access_in permit tcp any host My_Public eq sqlnet
access-list outside_access_in permit tcp any host My_Public eq 9000
access-list outside_access_in permit tcp any host My_Public eq 1950
access-list outside_access_in permit tcp any host My_Public eq smtp
access-list outside_access_in permit tcp any host My_Public eq www
access-list outside_access_in permit tcp any host My_Public eq https
access-list outside_access_in permit tcp any host My_Public eq imap4
access-list outside_access_in permit tcp any host My_Public eq www
access-list outside_access_in permit tcp any host My_Public eq 9000
access-list outside_access_in permit tcp any host My_Public eq 1949
access-list outside_access_in permit gre host ATTCPPTP host My_Public
access-list outside_access_in permit tcp host ATTCPPTP host My_Public eq 1723
access-list outside_access_in permit gre host ATTCPPTP host My_Public
access-list outside_access_in permit tcp host ATTCPPTP host My_Public eq 1723
access-list outside_access_in deny ip any My_Public 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Internal.0 255.255.255.0 Other_Office_Internal 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Internal.0 255.255.255.0 Other_Office_Internal 255.255.255.128
access-list inside_outbound_nat0_acl permit ip Internal.0 255.255.255.0 Other_Office_Internal 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 1Internal.0 255.255.255.0 Internal.96 255.255.255.240
access-list outside_cryptomap_20 permit ip Internal.0 255.255.255.0 Other_Office_Internal 255.255.255.0
access-list outside_cryptomap_40 permit ip Internal.0 255.255.255.0 Other_Office_Internal 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip Internal.0 255.255.255.0 Internal.96 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any Internal.96 255.255.255.240
access-list outside_cryptomap_30 permit ip Internal.0 255.255.255.0 Other_Office_Internal 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside Wes
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside My_Public 255.255.255.224
ip address inside Internal 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pool1 Internal.100-Internal.111
pdm location My_Public 255.255.255.224 outside
pdm location Public 255.255.255.240 outside
pdm location My_Public 255.255.255.255 outside
pdm location My_Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Internal 255.255.255.0 inside
pdm location Public 255.255.255.0 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.255 outside
pdm location Internal.96 255.255.255.240 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location My_Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Internal 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.255 outside
pdm location Wes 255.255.255.255 inside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.0 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.128 outside
pdm location Public 255.255.255.0 outside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Internal 255.255.255.255 inside
pdm location Internal 255.255.255.255 inside
pdm location My_Public 255.255.255.255 outside
pdm location My_Public 255.255.255.255 outside
pdm location My_Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location My_Public 255.255.255.255 outside
pdm location My_Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm location Internal 255.255.255.255 inside
pdm location My_Public 255.255.255.255 outside
pdm location Public 255.255.255.255 outside
pdm logging errors 50
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 Internal 255.255.255.0 0 0
static (inside,outside) My_Public Internal netmask 255.255.255.255 0 0
static (inside,outside) My_Public Internal netmask 255.255.255.255 0 0
static (inside,outside) My_Public Internal netmask 255.255.255.255 0 0
static (inside,outside) My_Public Internal netmask 255.255.255.255 0 0
static (inside,outside) My_Public Internal netmask 255.255.255.255 0 0
static (inside,outside) My_Public Internal netmask 255.255.255.255 0 0
static (inside,outside) My_Public Internal netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 My_Public 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside Wes /TFTP
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer Firewall_Other_Office
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer Firewall_Other_Office
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer Firewall_Other_Office
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address Firewall_Other_Office netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address Firewall_Other_Office netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address Firewall_Other_Office netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup My_Group address-pool pool1
vpngroup My_Group dns-server Internal_DNS
vpngroup My_Group wins-server Internal_Wins
vpngroup My_Group default-domain My_Domain
vpngroup My_Group split-tunnel outside_cryptomap_dyn_20
vpngroup My_Group idle-time 1800
vpngroup My_Group password
telnet Wes 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
vpdn enable outside
vpdn enable inside
terminal width 80
 
HI.

> ip address inside Internal 255.255.255.0
> ip local pool pool1 Internal.100-Internal.111
> access-list outside_cryptomap_dyn_20 permit ip Internal.0 255.255.255.0 Internal.96 255.255.255.240
Are you using overlapping addresses above?
If so - try to use different address range for roaming VPN clients, and change configuration as needed.


Yizhar Hurwitz
 
They are overlapping, but that range isn't in DHCP and is exclusively set aside for the pool. I have some new info: it happened again today, so when it happened I set the syslog to debug. So far I haven't seen anything unusual, but I did notice that when this happens everyone loses their connection with our exchange box, which happens to also be our DNS, so if you can't access it you can't get to the internet either. I have also noticed that the firewall is blocking a large amount of NetBIOS (port 137) from the exchange box. I don't see anything in my configuration of the exchange that should cause this except maybe reverse lookups on all incoming hosts, but wouldn't that be port 53? DNS is set up with forwarders to our ISP's public DNS so there are no zone transfers. Any ideas?
 
HI.

> They are overlapping but that range isn't in DHCP and is exclusively set aside for the pool
You should not use overlapping subnets.

> ip local pool pool1 Internal.100-Internal.111
The above should be changed to non-existing subnet, like 192.168.55.X (and all related access-list statements).

Your pix might be causing ARP problems in your network (check the ARP cache of the hosts on your network), you can disable it with "sysopt noproxyarp inside", but reconfiguring the pix with non-overlapping addresses seems to me like the best solution, and anyway you should change it before other steps (to eliminate the potential problems of overlapping subnets).



Yizhar Hurwitz
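The overlap the reply points at (an `ip local pool` carved out of the same /24 as the inside interface) is the kind of thing worth checking mechanically before pushing a config. The script below is an added example for this thread, not code from the poster or from Cisco: it reads `ip address` and `ip local pool` lines from a PIX-style config and reports any VPN pool that overlaps a directly connected interface subnet. The two config snippets are constructed with documentation/private addresses; the posted config itself is sanitized, so no real addresses from the thread appear here.

```python
import re
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed config fragment mirroring the overlap described in the thread.
OVERLAPPING_CONFIG = """\
ip address outside 198.51.100.2 255.255.255.224
ip address inside 192.168.168.10 255.255.255.0
ip local pool pool1 192.168.168.100-192.168.168.111
"""

# Same fragment with the pool moved to an unused subnet, as the reply suggests.
FIXED_CONFIG = """\
ip address outside 198.51.100.2 255.255.255.224
ip address inside 192.168.168.10 255.255.255.0
ip local pool pool1 192.168.55.100-192.168.55.111
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")


def parse_config(config):
    """Return ({interface: network}, {pool: [networks covering the range]})."""
    interfaces, pools = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = IP_ADDR_RE.match(line)
        if m:
            # strict=False lets the interface host address stand in for the subnet.
            interfaces[m.group(1)] = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            continue
        m = POOL_RE.match(line)
        if m:
            # A start-end range may not be a single CIDR block; summarize it into blocks.
            pools[m.group(1)] = list(
                summarize_address_range(ip_address(m.group(2)), ip_address(m.group(3)))
            )
    return interfaces, pools


def find_overlapping_pools(config):
    """List (pool name, interface name) pairs whose address ranges overlap."""
    interfaces, pools = parse_config(config)
    conflicts = []
    for pool_name, blocks in pools.items():
        for if_name, net in interfaces.items():
            if any(net.overlaps(block) for block in blocks):
                conflicts.append((pool_name, if_name))
    return conflicts


if __name__ == "__main__":
    print("overlapping:", find_overlapping_pools(OVERLAPPING_CONFIG))
    print("fixed:", find_overlapping_pools(FIXED_CONFIG))
```

Feed it the output of `write terminal` (or `show running-config` on later releases) with the `names` placeholders resolved to real addresses; any pool reported against `inside` is the overlap the reply describes, and the matching `nat 0` and crypto access-list entries have to follow the pool to its new subnet.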
 