Hi All,
One of our small offices has a Cisco PIX 506e firewall that sits at the end of an ADSL router that has 5 static IP addresses assigned to it. The network is used purely to house three publicly accessible servers (web, email, DNS). The firewall had been configured with static translations for the servers and PAT for the odd laptop user who plugged into the network (me mainly)! The firewall had been configured and running smoothly for just about a year, when a few days ago the three servers went down. When I checked I discovered that the servers were unable to connect to the Internet through the firewall. I plugged my laptop into the network and was unable to connect to the Internet.
I tried changing IP addresses and static NATs but to no avail. After much head scratching and no solution I erased the flash memory, reloaded and recovered the previous configuration. I plugged in my laptop and everything seemed to be fine. All the servers were also able to connect to the Internet without any problem. Upon applying the static NATs again, however, I found that the servers were once again unable to connect to the net.
Here's a copy of my PIX config (the names and IPs have been changed to protect the innocent!)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXX
hostname pix
domain-name XXXXXXXXXXXX.XXXXXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit tcp any host 192.168.1.187 eq domain
access-list 101 permit tcp any host 192.168.1.188 eq domain
access-list 101 permit udp any host 192.168.1.187 eq domain
access-list 101 permit udp any host 192.168.1.188 eq domain
access-list 101 permit tcp any host 192.168.1.187 eq www
access-list 101 permit tcp any host 192.168.1.187 eq smtp
access-list 101 permit tcp any host 192.168.1.187 eq pop3
access-list 101 permit tcp any host 192.168.1.186 eq www
access-list 101 permit tcp any host 192.168.1.186 eq ftp
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.185 255.255.255.248
ip address inside 10.8.11.254 255.255.255.0
ip audit name ATTACKPOLICY attack action alarm reset
ip audit name INFOPOLICY info action alarm reset
ip audit interface outside INFOPOLICY
ip audit interface outside ATTACKPOLICY
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.1.1
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
static (inside,outside) 192.168.1.186 10.0.1.1 netmask 255.255.255.255 0 1000
static (inside,outside) 192.168.1.187 10.0.1.2 netmask 255.255.255.255 0 1000
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.190 1
timeout xlate 3:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.1.254 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt security fragguard
sysopt connection permit-pptp
no sysopt route dnat
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username XXXXXXXX password XXXXXXXX
vpdn enable outside
terminal width 80
One thing that is not included in the config is that a simple IPSec VPN tunnel was established last week with our main office (also running a PIX 506e) using the Cisco guide at
The tunnel was used purely by me for remote admin and had been working without any problems. I've not included this in the config as it was not part of the last config backup.
Does anyone have any suggestions?
Thanks,
JT
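Editor's note, added example (not part of JT's post or of Cisco's tooling): on a PIX 6.x box the addresses in `ip address`, `nat`, `static` and the outside `access-list` all have to agree with each other, and a config that was restored and then had its statics re-applied by hand is a classic place for them to drift apart. The script below parses just those statement types and flags three kinds of inconsistency: a `nat` network that does not sit on the subnet of the interface it is bound to, a `static` whose local address is not on the inside subnet, and an ACL line that permits traffic to an outside address for which there is no `static` (and which is not an interface address). The sample input is a constructed subset of the config posted above; note that in that posted text the inside interface is on 10.8.11.0/24 while the `nat` and `static` entries use 10.0.1.x, and that 192.168.1.188 is permitted in access-list 101 but has no `static`. Whether that is the sanitisation or the real fault only JT can say, so treat the findings as things to verify on the live box, not as a diagnosis.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the address-related lines from the PIX 6.x config posted
# above. Lines that do not affect translation or filtering are omitted.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit tcp any host 192.168.1.187 eq domain
access-list 101 permit tcp any host 192.168.1.188 eq domain
access-list 101 permit udp any host 192.168.1.187 eq domain
access-list 101 permit udp any host 192.168.1.188 eq domain
access-list 101 permit tcp any host 192.168.1.187 eq www
access-list 101 permit tcp any host 192.168.1.187 eq smtp
access-list 101 permit tcp any host 192.168.1.187 eq pop3
access-list 101 permit tcp any host 192.168.1.186 eq www
access-list 101 permit tcp any host 192.168.1.186 eq ftp
ip address outside 192.168.1.185 255.255.255.248
ip address inside 10.8.11.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
static (inside,outside) 192.168.1.186 10.0.1.1 netmask 255.255.255.255 0 1000
static (inside,outside) 192.168.1.187 10.0.1.2 netmask 255.255.255.255 0 1000
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.190 1
"""

# PIX 6.x statement shapes this checker understands (hypothetical parser,
# covers only the forms that appear in the posted config).
RE_IP_ADDR = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
RE_NAT = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
RE_STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
RE_ACL_HOST = re.compile(r"^access-list (\S+) permit (\S+) .+? host (\S+) eq (\S+)")


@dataclass
class PixConfig:
    interfaces: dict = field(default_factory=dict)  # name -> IPv4Interface
    nats: list = field(default_factory=list)        # (ifname, id, IPv4Network)
    statics: list = field(default_factory=list)     # (in_if, out_if, global, local)
    acl_hosts: list = field(default_factory=list)   # (acl, proto, dst, port)


def parse_pix(text: str) -> PixConfig:
    """Extract interface addresses, nat/static translations and host ACL entries."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_IP_ADDR.match(line):
            name, ip, mask = m.groups()
            cfg.interfaces[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        elif m := RE_NAT.match(line):
            ifname, nat_id, net, mask = m.groups()
            cfg.nats.append((ifname, int(nat_id),
                             ipaddress.IPv4Network(f"{net}/{mask}", strict=False)))
        elif m := RE_STATIC.match(line):
            in_if, out_if, gaddr, laddr, _mask = m.groups()
            cfg.statics.append((in_if, out_if, ipaddress.IPv4Address(gaddr),
                                ipaddress.IPv4Address(laddr)))
        elif m := RE_ACL_HOST.match(line):
            acl, proto, dst, port = m.groups()
            cfg.acl_hosts.append((acl, proto, ipaddress.IPv4Address(dst), port))
    return cfg


def audit(cfg: PixConfig) -> list:
    """Return human-readable findings for address mismatches between statements."""
    findings = []
    # 1. A nat network that is not on its interface's subnet never matches any host.
    for ifname, nat_id, net in cfg.nats:
        iface = cfg.interfaces.get(ifname)
        if iface is None:
            findings.append(f"nat ({ifname}) {nat_id}: interface {ifname} has no ip address")
        elif not net.overlaps(iface.network):
            findings.append(f"nat ({ifname}) {nat_id} {net}: not on {ifname} subnet {iface.network}")
    # 2. A static whose local address is off the inside subnet translates nothing.
    for in_if, out_if, gaddr, laddr in cfg.statics:
        iface = cfg.interfaces.get(in_if)
        if iface is not None and laddr not in iface.network:
            findings.append(f"static ({in_if},{out_if}) {gaddr} {laddr}: "
                            f"local {laddr} not on {in_if} subnet {iface.network}")
    # 3. An inbound ACL hit on an address with no static (and not an interface
    #    address) is permitted by the ACL but has no translation to reach a host.
    reachable = {g for _, _, g, _ in cfg.statics} | {i.ip for i in cfg.interfaces.values()}
    for acl, proto, dst, port in cfg.acl_hosts:
        if dst not in reachable:
            findings.append(f"access-list {acl} permit {proto} ... host {dst} eq {port}: "
                            f"no static or interface address for {dst}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pix(SAMPLE_CONFIG)):
        print(finding)
```

Running it against the sample above reports the `nat (inside) 1` network and both `static` local addresses as being off the 10.8.11.0/24 inside subnet, plus the two access-list 101 entries for 192.168.1.188. Feed it the output of `show running-config` (or `write terminal`) from the live PIX and the list should be empty; anything it prints is a line to compare against the original backup.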