
Pix 506e 1


Mac2118

MIS
Apr 11, 2007
24
US
I have been working with a company to establish Port Address Translation between a piece of machinery here and their location. The internal address of the PLC of the machine is 192.168.1.47. Below I have what our current configuration is (minus password and VPN setup for security reasons, and I have replaced our public IP address with X's except for the last octet). I am by no means a Cisco guru when it comes to configuring a PIX. I know the basics of how to establish an internal address to a public address, and beyond that is above my head. I have been working with the tech on the other company's side and I have also included what he came up with. The public IP address we're trying to set this up with is XX.XXX.XXX.232.

With the modifications I made, he can connect to the machine on our end, but the machine will not communicate back to his machine. He is using RSLinx to communicate with this machine (if that helps any).

Current Config:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list IPSEC permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list IPSEC permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outside_access_in permit tcp any host XX.XXX.XXX.227 eq www
access-list outside_access_in permit tcp any host XX.XXX.XXX.227 eq https
access-list outside_access_in permit tcp any host XX.XXX.XXX.228 eq 3389
access-list outside_access_in permit tcp any host XX.XXX.XXX.227 eq 3389
access-list outside_access_in permit udp any any eq isakmp
access-list outside_access_in permit esp any any
access-list outside_access_in permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit tcp any host XX.XXX.XXX.228 eq smtp
access-list outside_access_in permit tcp any host XX.XXX.XXX.228 eq www
access-list outside_access_in permit tcp any host XX.XXX.XXX.229 eq 3389
access-list outside_access_in permit tcp any host XX.XXX.XXX.229 eq citrix-ica
access-list outside_access_in permit tcp any host XX.XXX.XXX.229 eq www
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host XX.XXX.XXX.230 eq pcanywhere-data
access-list outside_access_in permit tcp any host XX.XXX.XXX.230 eq 5632
access-list outside_access_in permit tcp any host XX.XXX.XXX.231 eq pcanywhere-data
access-list outside_access_in permit tcp any host XX.XXX.XXX.231 eq 5632

<-- Stud Machine -->
access-list outside_access_in permit tcp any host XX.XXX.XXX.232 eq 5900
access-list outside_access_in permit udp any host XX.XXX.XXX.232 eq 5900
access-list outside_access_in permit udp any host XX.XXX.XXX.232 eq 44818
access-list outside_access_in permit tcp any host XX.XXX.XXX.232 eq 44818
access-list outside_access_in permit udp any host XX.XXX.XXX.232 eq 2222
access-list outside_access_in permit tcp any host XX.XXX.XXX.232 eq 2222
<-- /Stud Machine -->

pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside XX.XXX.XXX.226 255.255.255.240
ip address inside 192.168.1.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.254.1-192.168.254.100
pdm location 0.0.0.0 255.255.255.240 outside
pdm location XX.XXX.XXX.227 255.255.255.255 outside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.1.81 255.255.255.255 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.254.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list IPSEC
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XX.XXX.XXX.227 192.168.1.81 netmask 255.255.255.255 0 0
static (inside,outside) XX.XXX.XXX.228 192.168.1.106 netmask 255.255.255.255 0 0
static (inside,outside) XX.XXX.XXX.229 192.168.1.117 netmask 255.255.255.255 0 0
static (inside,outside) XX.XXX.XXX.230 192.168.1.39 netmask 255.255.255.255 0 0
static (inside,outside) XX.XXX.XXX.231 192.168.1.40 netmask 255.255.255.255 0 0

<-- Stud Machine -->
static (inside,outside) XX.XXX.XXX.232 192.168.1.47 netmask 255.255.255.255 0 0
<-- /Stud Machine -->

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto dynamic-map cisco 20 set transform-set STRONG
crypto map VPNMAP 20 ipsec-isakmp dynamic cisco
crypto map VPNMAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5

That is our current setup. I have "Stud Machine" "commented out" in order for it to stand out more while reading. Ports 2222, 44818, and 5900 need to be open on TCP and UDP.

Here is what their tech came up with on PAT. TBO, it looks a bit Greek to me and I could use some help with this:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list IPSEC permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list IPSEC permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outside_access_in permit tcp any host XX.XXX.XXX.227 eq www
access-list outside_access_in permit tcp any host XX.XXX.XXX.227 eq https
access-list outside_access_in permit tcp any host XX.XXX.XXX.228 eq 3389
access-list outside_access_in permit tcp any host XX.XXX.XXX.227 eq 3389
access-list outside_access_in permit udp any any eq isakmp
access-list outside_access_in permit esp any any
access-list outside_access_in permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit tcp any host XX.XXX.XXX.228 eq smtp
access-list outside_access_in permit tcp any host XX.XXX.XXX.228 eq www
access-list outside_access_in permit tcp any host XX.XXX.XXX.229 eq 3389
access-list outside_access_in permit tcp any host XX.XXX.XXX.229 eq citrix-ica
access-list outside_access_in permit tcp any host XX.XXX.XXX.229 eq www
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host XX.XXX.XXX.230 eq pcanywhere-data
access-list outside_access_in permit tcp any host XX.XXX.XXX.230 eq 5632
access-list outside_access_in permit tcp any host XX.XXX.XXX.231 eq pcanywhere-data
access-list outside_access_in permit tcp any host XX.XXX.XXX.231 eq 5632

<-- Stud Machine -->
global (outside) 2 XX.XXX.XXX.232 netmask 255.255.255.0
nat (inside) 2 192.168.1.47 255.255.255.0
nat (inside) 2 192.168.1.48 255.255.255.0
access-list stud_press_out permit tcp 192.168.1.47 255.255.255.0 any eq 44818
access-list stud_press_out permit udp 192.168.1.47 255.255.255.0 any eq 44818
access-list stud_press_out permit tcp 192.168.1.47 255.255.255.0 any eq 2222
access-list stud_press_out permit udp 192.168.1.47 255.255.255.0 any eq 2222
access-list stud_press_out permit tcp 192.168.1.47 255.255.255.0 any eq 80
access-list stud_press_out permit tcp 192.168.1.48 255.255.255.0 any eq 5900
access-list stud_press permit tcp any host XX.XXX.XXX.232 eq 5900
access-list stud_press permit tcp any host XX.XXX.XXX.232 eq 44818
access-list stud_press permit udp any host XX.XXX.XXX.232 eq 44818
access-list stud_press permit tcp any host XX.XXX.XXX.232 eq 2222
access-list stud_press permit udp any host XX.XXX.XXX.232 eq 2222
access-list stud_press permit tcp any host XX.XXX.XXX.232 eq 8088
static (inside,outside) tcp XX.XXX.XXX.232 44818 192.168.1.47 44818 netmask 255.255.255.255
static (inside,outside) udp XX.XXX.XXX.232 44818 192.168.1.47 44818 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.232 2222 192.168.1.47 2222 netmask 255.255.255.255
static (inside,outside) udp XX.XXX.XXX.232 2222 192.168.1.47 2222 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.232 8088 192.168.1.47 80 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.232 5900 192.168.1.48 5900 netmask 255.255.255.255
access-group stud_press_out in interface inside
access-group stud_press in interface outside
<-- /Stud Machine -->

pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside XX.XXX.XXX.226 255.255.255.240
ip address inside 192.168.1.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.254.1-192.168.254.100
pdm location 0.0.0.0 255.255.255.240 outside
pdm location XX.XXX.XXX.227 255.255.255.255 outside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.1.81 255.255.255.255 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.254.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list IPSEC
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XX.XXX.XXX.227 192.168.1.81 netmask 255.255.255.255 0 0
static (inside,outside) XX.XXX.XXX.228 192.168.1.106 netmask 255.255.255.255 0 0
static (inside,outside) XX.XXX.XXX.229 192.168.1.117 netmask 255.255.255.255 0 0
static (inside,outside) XX.XXX.XXX.230 192.168.1.39 netmask 255.255.255.255 0 0
static (inside,outside) XX.XXX.XXX.231 192.168.1.40 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto dynamic-map cisco 20 set transform-set STRONG
crypto map VPNMAP 20 ipsec-isakmp dynamic cisco
crypto map VPNMAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5

Whenever I paste his configuration modifications into the PIX, we lose all Internet access until I remove the lines. I do not believe that stud_press and stud_press_out are configured properly, or that they can even be used.

Can someone please help me with this? I will check this thread every few hours to answer any questions someone might have on what exactly we're trying to do if I haven't explained this far enough in detail.
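As an added example that is not part of the thread, here is a small Python linter run over a constructed excerpt of the proposed block above; it flags three things that would drop traffic on a PIX: a second access-group on an interface replaces the first (one inbound ACL per interface), an inbound ACL on inside with no permit ip any any sends every other outbound packet to the implicit deny, and a 255.255.255.0 mask on a host address matches the whole subnet. 203.0.113.232 is a placeholder for the masked public address.

```python
import ipaddress
import re

# Constructed excerpt of the proposal posted above; 203.0.113.232 is a
# placeholder for the masked public address XX.XXX.XXX.232.
PROPOSED = """\
access-group outside_access_in in interface outside
global (outside) 2 203.0.113.232 netmask 255.255.255.0
nat (inside) 2 192.168.1.47 255.255.255.0
nat (inside) 2 192.168.1.48 255.255.255.0
access-list stud_press_out permit tcp 192.168.1.47 255.255.255.0 any eq 44818
access-list stud_press permit tcp any host 203.0.113.232 eq 5900
access-group stud_press_out in interface inside
access-group stud_press in interface outside
"""
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) \d+ ([\d.]+) ([\d.]+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def covered(addr, mask):
    """Network that an address/subnet-mask pair really matches."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def host_bits_set(addr, mask):
    """True when ADDR is not the network address under MASK."""
    return covered(addr, mask).network_address != ipaddress.ip_address(addr)

def lint(config):
    """Return findings for three mistakes that silently drop traffic."""
    findings, open_acls, bound = [], set(), {}
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            name, proto, src, mask = m.groups()
            if (proto, src, mask) == ("ip", "any", "any"):
                open_acls.add(name)          # ACL that lets everything else through
            elif src not in ("any", "host") and host_bits_set(src, mask):
                findings.append(f"{name}: {src} {mask} matches all of {covered(src, mask)}, not one host")
        elif m := NAT_RE.match(line):
            iface, addr, mask = m.groups()
            if host_bits_set(addr, mask):
                findings.append(f"nat ({iface}): {addr} {mask} matches all of {covered(addr, mask)}, not one host")
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            if iface in bound:               # PIX keeps one inbound ACL per interface
                findings.append(f"access-group on {iface}: {name} replaces {bound[iface]}")
            bound[iface] = name
            if iface == "inside" and name not in open_acls:
                findings.append(f"{name} on inside has no 'permit ip any any': all other outbound traffic hits the implicit deny")
    return findings
```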
 
There is no return traffic. There is no firewall on this unit, and there is no way for me to test its connection to the Internet since it's not Windows/Linux/Unix/etc. based.

I spoke to a few Cisco consultants and they all agree with me that the PLC is not configured correctly. We will be closed until Tuesday, and I believe on either Tues or Wed one of their guys is coming to work on this unit. I'm going to sit down with him and go over the network connections on the hookup. We need RSLogix 5000 to connect to it, and we only have RSLogix 500. I'm hoping that the problem is on their end when I review those settings so I can save a few more hairs on my head.
 
Repost your current config so I can take a look, but the one you have at the very top looks righteous.

Place a linux/windows box on that IP and test it from there - run a packet sniffer on it and see what's happening.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I connected a spare laptop to that connection with the same internal IP address. I tried to reach the outside world and nothing. I added in the gateway: nothing. I then added in the default DNS server and everything worked perfectly. I just got a phone call from the company we purchased this unit from and they will be coming here on Thursday to update some of the equipment, and I asked if they had the options for gateway and DNS settings; they said yes. I'm going to have them put those in on Thursday and I'll let you know how this works.

 
You need to have DNS resolve if you are going to try to reach things by name and not IP.
Anything going out needs:
IP and subnet mask, gateway, DNS


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
The problem was what I thought it was. I also had a few other people agree with me that the reason it wasn't communicating was that there was no gateway address configured. Once that was put in, communication was possible.

Thank you to everyone that helped along this process!
 
Hello everyone, it's me again.

We could ping the connection, 100% success rate. But we're still having a problem getting the connection established. Below I have copied and pasted the information from the log relating to this issue.

Dec 20 2008 11:37:03 302013: Built inbound TCP connection 2183265 for outside: 60.172.220.10/6000 (60.172.220.10/6000) to inside:192.168.1.47/135 (75.117.159.232/135)
Dec 20 2008 11:37:03 302014: Teardown TCP connection 2183265 for outside:60.172.220.10/6000 to inside:192.168.1.47/135 duration 0:00:00 bytes 0 TCP Reset-I

Dec 20 2008 11:41:16 302013: Built inbound TCP connection 2183790 for outside 75.102.19.30/4951 (75.102.19.30/4951) to inside:192.168.1.47/135 (75.117.159.232/135)
Dec 20 2008 11:41:16 302014: Teaerdown TCP connection 2183790 for outside:75.102.19.30/4951 to inside:192.168.1.47/135 duration 0:00:00 bytes 0 TCP Reset-I

I have looked online to see what the TCP Reset-I means. What I found is that the connection was terminated inside, from a low to high security connection. Would I have to configure this to make the PIX believe that we're connecting a low to low security device?
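As an added example that is not from the thread, this script pairs PIX 302013/302014 messages in the format quoted above by connection id and classifies each teardown: "TCP Reset-I" is a reset sent by the inside host, so a zero-byte Reset-I on a connection the PIX has already built means the firewall permitted the connection and the refusal came from the PLC side. The sample lines are constructed and use documentation-range placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the PIX 302013/302014 lines quoted above;
# addresses are documentation-range placeholders, not the thread's real ones.
LOG = """\
Dec 20 2008 11:37:03 302013: Built inbound TCP connection 2183265 for outside:198.51.100.10/6000 (198.51.100.10/6000) to inside:192.168.1.47/135 (203.0.113.232/135)
Dec 20 2008 11:37:03 302014: Teardown TCP connection 2183265 for outside:198.51.100.10/6000 to inside:192.168.1.47/135 duration 0:00:00 bytes 0 TCP Reset-I
Dec 20 2008 11:41:16 302013: Built inbound TCP connection 2183790 for outside 198.51.100.30/4951 (198.51.100.30/4951) to inside:192.168.1.47/44818 (203.0.113.232/44818)
Dec 20 2008 11:41:16 302014: Teardown TCP connection 2183790 for outside:198.51.100.30/4951 to inside:192.168.1.47/44818 duration 0:00:12 bytes 842 TCP FINs
"""

# The colon after the interface name is optional: pasted logs sometimes lose it.
BUILT = re.compile(r"302013: Built (\w+) TCP connection (\d+) for \w+:? ?([\d.]+)/(\d+) .*? to \w+:([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"302014: Teardown TCP connection (\d+) for .* duration (\S+) bytes (\d+) (.+)$")

def classify(reason, nbytes):
    """Say which side ended the connection; Reset-I is a RST from the inside host."""
    if reason == "TCP Reset-I":
        return "inside host sent RST before any data: port closed or refused by the host" if nbytes == 0 \
            else "inside host reset an established connection"
    if reason == "TCP Reset-O":
        return "outside host reset the connection"
    return "normal close"

def analyze(log):
    """Pair each Built line with its Teardown by connection id and classify it."""
    built, results = {}, []
    for line in log.splitlines():
        if m := BUILT.search(line):
            direction, conn, src, sport, dst, dport = m.groups()
            built[conn] = {"conn": conn, "direction": direction, "src": src,
                           "sport": int(sport), "dst": dst, "dport": int(dport)}
        elif (m := TEARDOWN.search(line)) and m.group(1) in built:
            rec = built.pop(m.group(1))
            rec.update(duration=m.group(2), bytes=int(m.group(3)), reason=m.group(4).strip())
            rec["verdict"] = classify(rec["reason"], rec["bytes"])
            results.append(rec)
    return results

def refused_ports(results):
    """(dst, dport) pairs on which every connection was reset by the inside host with 0 bytes."""
    seen, refused = defaultdict(int), defaultdict(int)
    for r in results:
        key = (r["dst"], r["dport"])
        seen[key] += 1
        refused[key] += r["reason"] == "TCP Reset-I" and r["bytes"] == 0
    return {k for k in seen if refused[k] == seen[k]}
```

A port that shows up only in refused_ports was reachable through the PIX but never accepted by the inside host, which separates a firewall problem from a problem on the device itself.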
 