PIX firewall problem 4

Status
Not open for further replies.

SecManDA

MIS
Dec 23, 2003
17
US
I am working with a PIX running 6.2. A server that allows terminal access through the web, and did work about a week ago, has stopped accessing anything outside its local network (neither name nor IP work). It also cannot be accessed through the web for terminal services. If I connect this server on the outside of the PIX (the public side), the computer can be accessed through the web for terminal services and the computer can access the internet by name and IP address.

The local computers can access this computer using the web when the computer is internal or external. No other computer is having problems getting to the internet.

The PIX is performing NAT and translating from a specific external address to the specific internal address using the static command for 3 separate computers. Another of these computers is running web and is accessible from the outside. It can also get to the outside through IE.
ACLs have been created to let people from the outside in. The ACLs for the computer mentioned permit any to get to the host address (host ip_addr) for ports 3389 and https.

Things I have done:
Put it on outside and it was accessed by client on outside and inside.
Put new ACL in that did "permit ip any host ip_address" that replaced the previous 3 statements permitting the three ports. This did not help. Still no access.
Changed cable and ports, still no help.
PIX version 6.2.

I am uncertain what the problem could be or how to fix it. Could anyone be of help, or has anyone seen this?

Thanks.
 
If you do a sho xlate, are you able to see the translation? Is the outside interface up and up? How about syslogs? Try to use the debug packet command to track the packets and see if they are blocked by the PIX.
 
SecManDA,
Is the terminal server on your DMZ? If so, you have to add a translation for it because there is no xlate for it after it expires. A known (to a few) bug.
KMills
 
1st solution:
Copy the configuration, erase and reconfigure the PIX again.

2nd solution:
Permit all from outside to the terminal server, and check if now you can connect or not. If yes, you should check your ACL; if no, there is a problem in the XLATE table.

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
To answer a few questions. There is no DMZ and there is an XLATE to the computer that is the Terminal service server.

The sh xlate shows the three translations, including the computer in question. The interfaces are up and up and the other translations work. I don't know what you mean about the syslogs. I tried the debug packets but did not see anything about the packets being blocked. I am thinking I might not have the correct level of information included. I think I might change it to level 7 to include everything. At least that is what I think.

I will probably try the rebuild the config and then try the ACL. Right now I tried the allow any to that computer and it didn't work.

I will try this tomorrow and will see how it goes.

Thanks
 
The PIX is performing NAT and translating from a specific external address to the specific internal address using the static command for 3 separate computers. Another of these computers is running web and is accessible from the outside.

Things I have done:
Put it on outside and it was accessed by client on outside and inside.
Put new ACL in that did "permit ip any host ip_address" that replaced the previous 3 statements permitting the three ports. This did not help. Still no access.
Changed cable and ports, still no help.
PIX version 6.2

I have now narrowed it down to the following:
When I apply the static command, the computer can no longer access the Internet. If I add in the ACL as stated in the following, it does not help the situation. I discovered this by changing addresses and having access to the internet but when I added on the static for the new address, it killed that access.

computer involved is 65.a.b.3
The computer with 65.a.b.1 has similar restrictions but does not have this problem.

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 65.a.b.1 eq www
access-list 100 permit tcp any host 65.a.b.1 eq https
access-list 100 permit tcp any host 65.a.b.1 eq smtp
access-list 100 permit udp any host 65.a.b.1 eq domain
access-list 100 permit udp any host 65.a.b.4 eq domain
access-list 100 permit tcp any host 65.a.b.1 eq pop3
access-list 100 permit ip any host 65.a.b.3
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 65.a.b.1 196.x.y.3 netmask 255.255.255.255 0 0
static (inside,outside) 65.a.b.4 196.x.y.2 netmask 255.255.255.255 0 0
static (inside,outside) 65.a.b.3 196.x.y.1 netmask 255.255.255.255 0 0

Any other ideas?
 
Try to Use these commands :

access-list 100 permit tcp any host 196.x.y.3 eq www
access-list 100 permit tcp any host 196.x.y.3 eq https
access-list 100 permit tcp any host 196.x.y.3 eq smtp
access-list 100 permit udp any host 196.x.y.3 eq domain
access-list 100 permit udp any host 196.x.y.2 eq domain
access-list 100 permit tcp any host 196.x.y.3 eq pop3
access-list 100 permit ip any host 196.x.y.1

I just replaced the outside IPs with the inside IPs..
I think this will work...

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
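The post above with the static and access-list lines, and the reply that swaps the outside addresses for the inside ones, both turn on the same rule: on PIX 6.x an access-list applied to the outside interface is matched against the mapped (global) address from the static, so an entry naming the inside address never matches inbound traffic, and a host covered by a static leaves with its mapped address instead of the interface PAT address. The following checker is an added example for this thread (not code from either poster): it parses a PIX 6.x fragment built from the lines quoted here, keeping the placeholder octets exactly as written, plus one constructed entry that names an inside address, and reports which ACL targets reference a mapped address, which reference an inside address, and what source address each inside host presents outside. The config fragment and the verdict labels are assumptions made for the example.

```python
"""Cross-check PIX 6.x static statements against the outside access-list.
Added example, not code from the original posts; assumes a PIX 6.x config
fragment in the form quoted in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines quoted in the thread (placeholder octets kept as the
# poster wrote them) plus one deliberately wrong entry naming an inside address.
SAMPLE_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 65.a.b.1 eq www
access-list 100 permit tcp any host 65.a.b.1 eq https
access-list 100 permit udp any host 65.a.b.4 eq domain
access-list 100 permit ip any host 65.a.b.3
access-list 100 permit ip any host 196.x.y.1
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 65.a.b.1 196.x.y.3 netmask 255.255.255.255 0 0
static (inside,outside) 65.a.b.4 196.x.y.2 netmask 255.255.255.255 0 0
static (inside,outside) 65.a.b.3 196.x.y.1 netmask 255.255.255.255 0 0
"""

@dataclass
class Static:
    real_if: str    # interface the real host sits on (inside)
    mapped_if: str  # interface where the mapped address is seen (outside)
    mapped: str     # global / translated address
    real: str       # inside address

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")

def parse_statics(config: str) -> List[Static]:
    """Collect every 'static (real_if,mapped_if) MAPPED REAL ...' line."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append(Static(*m.groups()))
    return statics

def _take_address(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one PIX address spec: 'any', 'host X', or 'X MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse_acl_destinations(config: str, acl_name: str) -> List[Tuple[str, str]]:
    """Return (destination, port-or-'') for each permit entry of the named ACL."""
    result = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != acl_name:
            continue
        if tokens[2] != "permit":
            continue
        rest = tokens[4:]                 # skip action and protocol
        _, rest = _take_address(rest)     # source
        dst, rest = _take_address(rest)   # destination
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else ""
        result.append((dst, port))
    return result

def check_outside_acl(config: str, acl_name: str) -> Dict[str, str]:
    """Classify each ACL destination as a mapped address, an inside address, or unknown."""
    statics = parse_statics(config)
    mapped = {s.mapped for s in statics}
    real = {s.real for s in statics}
    verdicts: Dict[str, str] = {}
    for dst, _ in parse_acl_destinations(config, acl_name):
        if dst == "any":
            verdicts[dst] = "any"
        elif dst in mapped:
            verdicts[dst] = "mapped-ok"
        elif dst in real:
            verdicts[dst] = "uses-inside-address"   # never matches on the outside interface
        else:
            verdicts[dst] = "no-static"
    return verdicts

def egress_address(config: str, inside_ip: str) -> Optional[str]:
    """Source address an inside host presents on the outside: a static for the
    host wins over nat/global, otherwise the interface PAT address is shared."""
    for s in parse_statics(config):
        if s.real == inside_ip and s.mapped_if == "outside":
            return s.mapped
    if re.search(r"^global \(outside\) \d+ interface", config, re.M):
        return "outside-interface-pat"
    return None

if __name__ == "__main__":
    for dst, verdict in check_outside_acl(SAMPLE_CONFIG, "100").items():
        print(f"{dst:12} {verdict}")
    for host in ("196.x.y.1", "196.x.y.9"):
        print(f"{host} egresses as {egress_address(SAMPLE_CONFIG, host)}")
```

Run against the sample, the three 65.a.b.x targets come back as mapped-ok and the constructed 196.x.y.1 entry as uses-inside-address; the egress report shows 196.x.y.1 leaving as 65.a.b.3 while any other inside host leaves as the outside interface address, which is why adding a static changes the return path for exactly one host.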
 
Thanks Mohamed. I will give it a try and let you know what happens.

Bob D.
 
Okay, I have narrowed it down one more level.

If I connect a client on the public side of the PIX but still within this building, it can connect to the server in question across the PIX. If I try from a remote site across the Internet, it flat out doesn't work. There is something on the outside of this building that is interfering with my PIX firewall doing terminal services.

Qwest has stated that they will not be able to help since they only support connecting people to the Internet and not the other way around. They also don't support any more than 1 computer connected to their DSL line (even though they have given us a group of public addresses to use).

I will try to install a new computer that is running terminal services and make that work. This is indeed weird and frustrating.
 
How about doing a trace route from a "trace route server" to the 65.x.y.3 address. If all is well, it should hit your outside router/firewall. If it fails (probably somewhere in Qwest's network), you can provide Qwest with the final destination IP address and have them troubleshoot from there.

This will narrow the scope of the problem.
 
Maybe there is a firewall between the outside terminal and your PIX, which may change the ports?!

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Per Qwest, they told me that they only support connecting 1 computer directly to their modem device and they don't support anything like switch or firewall. If these are in place, they will not help. They only provide connection to the Internet, not the other way. If we don't like it, oh well.

The following really puzzles me:
Before Static and ACL to allow access:
I can connect to the Internet using Internet Explorer from Terminal server and other computers.
I can nslookup an IP from the name and then ping the address of Yahoo from both.

After Static and ACL:
Terminal server can no longer access the Internet with IE, the other computers can.
Both can use nslookup to resolve name to IP. However, Terminal server can no longer ping anything outside its network. Other computers can do all this.
If I move the other computer onto the other side of the PIX firewall (the public side), it can connect to the terminal server.

These results puzzle me. Why can I no longer ping from just that computer with the static command in effect? Especially since I have 2 other static commands in effect and those machines can connect to the Internet. If it is a port problem, why can I connect if I am within my building and crossing the PIX? Seems to me if it is a port problem, I can't connect from anywhere across the PIX. This kind of makes me think that it has something to do with Qwest.

I have the log being dumped to a Kiwi server but have not seen anything there to make it obvious to me as to what is happening.

If you have any insight, please feel free. My next step is to install another computer with Windows 2000 Terminal Services and see if the static command kills that one too. If it does, I am nearly out of ideas of what to try.

Thanks for all your help.
 
I posted this last week but didn't seem to take. The problem ended up being within the configuration for IE. I installed the new computer and it could not connect to the Internet. I then changed the configuration of IE to match one that worked. I then changed the configuration of the Terminal server in IE and now it works.

Something changed somewhere to make it just stop, although I don't know what.

I want to thank everyone for your help on this.
 
SecManDA,

Hello, I've been reading through your conundrum and would like to know what you found within IE and what changes you made to make this work. Were there security level changes made on the browser that were tweaked to make this now work? Just curious.

thx

gman
 
I did not pay attention to the settings since I was in a hurry to try it. In most cases I would take the time to pay attention but not this time.

Sorry.
 