I have a pix 501 that we use as an internet router with occasional VPN access. We recently changed our IP addresses, and while in the process of changing the addresses on the pix I think I broke something. Before, we were on a 252 subnet with an outside IP for the router and the pix. We went to a 248 subnet so that we will eventually be able to upgrade to a 515 and run a mail & web server in house. After changing the IP and the NAT (using PAT) scope, we are able to get everyone out to all of the web, POP, IMAP, & SMTP services. The problem is that I am no longer able to get out into a VPN at another company, and I cannot SSH into the servers there. I have also tried to access servers on special administrative ports and they seem to time out as well.
I bypassed the firewall and put a computer directly behind the router. I was able to get to all of the services then. So... I have it narrowed down to something in the pix. I am working on learning more about a pix, but am not sure about how this configuration was derived. Here is a copy of the config...
PIX Version 6.1(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXX encrypted
hostname pix501
domain-name X.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip X.X.X.X 255.255.255.0 X.X.X.X 255.255.255.0
pager lines 24
logging on
logging trap warnings
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside X.X.X.X 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool X.X.X.X-Y.Y.Y.Y
pdm location X.X.X.X 255.255.255.255 inside
pdm location X.X.X.X 255.255.255.0 inside
pdm location X.X.X.X 255.255.255.255 inside
pdm logging warnings 500
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.99.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet X.X.X.X 255.255.255.255 inside
telnet timeout 5
ssh X.X.X.X 255.255.255.0 inside
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username SSSS password XXXX
vpdn username SSSS password XXXX
vpdn username SSSS password XXXX
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Anyone see anything that would cause this problem? Thanks in Advance!!!
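One way to reason about which translation the inside hosts actually receive from the three NAT lines in the config above (nat 0 with access-list 101, nat 1, and global 1 interface), as an added example that is not from the post or from Cisco. The addresses are constructed placeholders, since the post masks its own as X.X.X.X; the evaluator mirrors the PIX 6.x rule that NAT exemption (nat 0 access-list) wins over any numbered nat/global pair, so a destination that happens to fall inside the access-list 101 range leaves untranslated, which is one thing worth checking when only some outside destinations time out.

```python
import ipaddress
import re

# Constructed stand-ins for the masked lines in the post (X.X.X.X replaced
# with private/documentation ranges); the shape of each line is the post's.
PIX_CONFIG = """
access-list 101 permit ip 10.99.99.0 255.255.255.0 192.168.50.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (?:access-list (\S+)|(\S+) (\S+))")


def parse_pix_nat(text):
    """Collect access-lists, global pools and nat statements from a PIX 6.x config."""
    acls, pools, nat_rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := GLOBAL_RE.match(line):
            pools[int(m.group(2))] = f"{m.group(1)}:{m.group(3)}"
        elif m := NAT_RE.match(line):
            iface, nat_id, acl, net, mask = m.groups()
            local = None if acl else ipaddress.ip_network(f"{net}/{mask}")
            nat_rules.append((iface, int(nat_id), acl, local))
    return acls, pools, nat_rules


def nat_decision(acls, pools, nat_rules, src, dst):
    """Return how the PIX treats an inside->outside flow.
    PIX 6.x checks nat 0 access-list (NAT exemption) before any numbered
    nat/global pair, so an exempt flow leaves with its private source address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _iface, nat_id, acl, _local in nat_rules:
        if nat_id == 0 and acl and any(
                src in s and dst in d for s, d in acls.get(acl, [])):
            return f"exempt via access-list {acl}"
    for _iface, nat_id, acl, local in nat_rules:
        if nat_id != 0 and local is not None and src in local:
            return f"translated by nat {nat_id} -> global {pools.get(nat_id, '?')}"
    return "no matching nat statement"
```

Substitute the real addresses from `show running-config` and the other company's VPN/SSH endpoints for the constructed ones to see which branch those failing flows take.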