I have just installed a new PIX515E and some hosts are being denied access outside. When I ping the inside of the PIX from a host that is not able to get out, some respond and some time out, although the PIX shows the request and response on all?
We are using an internal DNS for name resolution which forwards to our ISP's DNS. I have used nslookup and names are being resolved so...? I have checked the DNS configs on the hosts and all seem consistent (those that can get out and those that can't). I have included inverse ARPA in our DNS for the PIX - not sure what else could be wrong.
Any suggestions greatly appreciated.
Here are the configs -
PIX -
PIX515# wr t
Building configuration...
: Saved
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password NC1KgWaSUzBT8QU2 encrypted
passwd NC1KgWaSUzBT8QU2 encrypted
hostname PIX515
domain-name SVC.COM
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
logging on
logging buffered errors
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xx6.158.224.106 255.255.255.248
ip address inside 172.16.10.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.10.251 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 xx6.158.224.107-xx6.158.224.110
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xx6.158.224.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.10.251 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
service resetinbound
telnet 172.16.10.251 255.255.255.255 inside
telnet 172.16.10.251 255.255.255.255 intf2
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:d569de9c8dea2e3ba26e9df1ab2d52bb
: end
[OK]
Router -
ICCI_Gateway#sh run
Building configuration...
Current configuration : 1404 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ICCI_Gateway
!
enable password 7 03174D08395D711C1F4D
!
ip subnet-zero
ip name-server xx9.0.191.140
!
!
!
!
interface FastEthernet0
description connected to Deering_Lan
ip address xx6.185.224.105 255.255.255.248
speed auto
!
interface Serial0
description connected to Internet
ip address xx6.158.217.34 255.255.255.252
service-module t1 remote-alarm-enable
!
interface Serial1
no ip address
encapsulation frame-relay
service-module t1 timeslots 1-6
service-module t1 remote-alarm-enable
frame-relay lmi-type cisco
!
interface Serial1.1 point-to-point
description connected to Cisco1601
ip address 172.16.1.5 255.255.255.248
ip helper-address 172.16.10.10
frame-relay interface-dlci 18
!
router eigrp 100
network 172.16.0.0
no auto-summary
no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 172.16.10.0 255.255.255.0 xx6.158.224.106
ip route 172.16.20.0 255.255.255.0 172.16.1.4
no ip http server
!
!
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password 7 04481D0530731C1E585D
login
line aux 0
line vty 0 4
password 7 08325A4D364B5547434F
login
!
no scheduler allocate
end
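One consistency check a reviewer would run over the two configs before chasing DNS, as an added example that is not part of the original post: it parses the PIX outside interface, default route and NAT pool and the router's LAN interface and return route, and reports any mismatch between them. The sample fragments below are constructed from the post, with the masked first octet replaced by 206 (an assumption) and the 158/185 difference between the PIX and router sides kept as it appears in the post.

```python
import ipaddress
import re

# Constructed fragments modelled on the post's configs; the masked first
# octet ("xx6") is replaced with the made-up value 206.
PIX_CONFIG = """\
ip address outside 206.158.224.106 255.255.255.248
ip address inside 172.16.10.1 255.255.255.0
global (outside) 1 206.158.224.107-206.158.224.110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 206.158.224.105 1
"""
ROUTER_CONFIG = """\
interface FastEthernet0
 ip address 206.185.224.105 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 172.16.10.0 255.255.255.0 206.158.224.106
"""

def pix_facts(cfg):
    """Outside interface, default gateway and NAT pool from a PIX 6.x config."""
    outside = re.search(r"^ip address outside (\S+) (\S+)", cfg, re.M)
    gw = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    pool = re.search(r"^global \(outside\) \d+ (\S+)-(\S+)", cfg, re.M)
    return {"outside": ipaddress.ip_interface(f"{outside[1]}/{outside[2]}"),
            "gateway": ipaddress.ip_address(gw[1]),
            "pool": (ipaddress.ip_address(pool[1]), ipaddress.ip_address(pool[2]))}

def router_facts(cfg):
    """LAN-facing interface address and the static route back to the inside net."""
    fe0 = re.search(r"^interface FastEthernet0\n\s*ip address (\S+) (\S+)", cfg, re.M)
    back = re.search(r"^ip route 172\.16\.10\.0 255\.255\.255\.0 (\S+)", cfg, re.M)
    return {"lan": ipaddress.ip_interface(f"{fe0[1]}/{fe0[2]}"),
            "route_to_inside": ipaddress.ip_address(back[1])}

def check_edge(pix_cfg, router_cfg):
    """Return a list of findings; an empty list means the PIX/router edge is consistent."""
    p, r = pix_facts(pix_cfg), router_facts(router_cfg)
    net = p["outside"].network
    findings = []
    if p["gateway"] not in net:
        findings.append(f"PIX default gateway {p['gateway']} not in outside subnet {net}")
    if r["lan"].ip != p["gateway"]:
        findings.append(f"router LAN address {r['lan'].ip} != PIX next hop {p['gateway']}")
    if r["route_to_inside"] != p["outside"].ip:
        findings.append(f"router route to 172.16.10.0/24 points at {r['route_to_inside']}")
    lo, hi = p["pool"]
    if lo not in net or hi not in net:
        findings.append(f"NAT pool {lo}-{hi} lies outside {net}")
    return findings
```

With the constructed input the only finding is the router LAN address not matching the PIX next hop; correcting that octet on the router side yields an empty list.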