Start and End addresses overlap with broadcast address 1

Status
Not open for further replies.

maalobs

Technical User
Jul 9, 2003
20
SE
Hi,

I bought a used PIX 515 with 6.2(2)UR and a 4FE really cheap a couple of weeks ago.
I used to administer PIXes with 4.2 once, so I'm not so familiar with the new syntax.
I do have a few questions I hope someone of you can help me with:
1. When I boot the PIX, I get the following line right above the one saying "outside interface address added to PAT pool":
Warning: Start and End addresses overlap with broadcast address.
What is that warning about?
I can't figure it out, and searching for it at cisco.com gave nothing.

2. The user guide's config for starting all interfaces, results in all higher security interfaces being able to reach all lower security interfaces.
That wasn't what I wanted.
I want inside to reach all interfaces, but I want all the DMZ-interfaces to ONLY reach outside.
How would I configure that?

3. I have never before used a PIX with only one public IP available.
How do I configure address translation, so that port 80 outside goes to inside host1, port 21 outside to inside host2, etc?
I used to do this with a lot of statics before, on installations where there was enough public IPs available for each host that needed to be accessed from the Internet.

I hope I was clear enough.
Here is my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
nameif ethernet3 dmz2 security40
nameif ethernet4 dmz3 security60
nameif ethernet5 dmz4 security80
hostname fw
domain-name domain.com
clock summer-time
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging queue 1000
interface ethernet0 10baset
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside 10.211.1.1 255.255.255.0
ip address dmz1 10.211.2.1 255.255.255.0
ip address dmz2 10.211.3.1 255.255.255.0
ip address dmz3 10.211.4.1 255.255.255.0
ip address dmz4 10.211.5.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
failover ip address dmz3 0.0.0.0
failover ip address dmz4 0.0.0.0
no pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz1) 1 interface
global (dmz2) 1 interface
global (dmz3) 1 interface
global (dmz4) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz3) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any echo-reply
conduit permit icmp any any time-exceeded
conduit permit icmp any any unreachable
route outside 0.0.0.0 0.0.0.0 x.x.x.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 62.119.40.98 source outside
ntp server 62.119.40.99 source outside
no snmp-server enable traps
tftp-server inside 10.211.1.101 pix.txt
floodguard enable
no sysopt route dnat
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 10.211.1.101 255.255.255.255 inside
telnet timeout 30
ssh 10.211.1.101 255.255.255.255 inside
ssh timeout 5
dhcpd address 10.211.1.150-10.211.1.201 inside
dhcpd dns z.x.x.x z.x.x.y
dhcpd lease 524160
dhcpd ping_timeout 750
dhcpd domain domain.com
dhcpd enable inside
terminal width 80
Cryptochecksum:c92d4562ea0f15d7a147e447767282e4
: end

Thanks in advance!
 
I would have to guess that your "outside" ip address is the same as your broadcast address of the network it's on.
 
Well, it's not. :)

The outside network is a /24, and my static IP is .174.

I have full network connectivity, no problems there, I just wonder what the warning is about.
Since it pops up, something must be wrong, but I might not come in contact with the effect until further down the road.
Probably after wasting hours trying to track down some weird behaviour somewhere...
 
HI.

> Warning: Start and End addresses overlap with broadcast address
I don't know either.
But it seems that your config has leftovers from a previous config, so you can try starting from scratch:
write erase
reload

> I want inside to reach all interfaces, but I want all the DMZ-interfaces to ONLY reach outside
You can use the same security level for all DMZ interfaces:
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security50
nameif ethernet4 dmz3 security50
nameif ethernet5 dmz4 security50

> How do I configure address translation, so that port 80 outside goes to inside host1
The command is "static ... tcp ...".
Here are some links to help you fill the gap with new commands:

Bye


Yizhar Hurwitz
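As an added illustration of the two answers above (equal security levels for the DMZs, and "static ... tcp" for port redirection), not code from the thread: a small Python check that parses a constructed PIX 6.x fragment modelled on the posted config, reports which interfaces each one may open connections to under the 6.x security-level rule, and builds the outside-port-to-inside-host map from port-redirection statics, refusing a port mapped twice. The two inside hosts behind the statics are hypothetical.

```python
import re

# Constructed PIX 6.x fragment modelled on the posted config (added example, not from
# the thread); the inside hosts 10.211.1.10 and 10.211.1.11 are hypothetical.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
nameif ethernet3 dmz2 security40
global (outside) 1 interface
static (inside,outside) tcp interface 80 10.211.1.10 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 21 10.211.1.11 21 netmask 255.255.255.255 0 0
"""
NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)", re.M)
# Numeric ports only; the PIX also accepts service names (www, ftp), not handled here.
STATIC = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+tcp\s+interface\s+(\d+)\s+(\S+)\s+(\d+)", re.M)


def parse_security_levels(config):
    """Map interface name -> security level from the nameif lines."""
    return {name: int(level) for name, level in NAMEIF.findall(config)}


def can_initiate(levels, src, dst):
    # PIX 6.x rule: only a strictly higher security level may open connections toward
    # a lower one; equal levels cannot talk at all (no same-security-traffic before 7.0).
    return levels[src] > levels[dst]


def reachable_from(levels, src):
    """Interfaces that hosts behind `src` may initiate connections to."""
    return sorted(d for d in levels if d != src and can_initiate(levels, src, d))


def port_map(config):
    """Outside port -> (inside host, inside port) from port-redirection statics that
    PAT onto the single outside address; a port claimed twice is a config error."""
    mapping = {}
    for _in_if, _out_if, oport, host, iport in STATIC.findall(config):
        if int(oport) in mapping:
            raise ValueError(f"outside port {oport} is redirected twice")
        mapping[int(oport)] = (host, int(iport))
    return mapping


if __name__ == "__main__":
    levels = parse_security_levels(SAMPLE_CONFIG)
    for name in levels:
        print(f"{name}: can reach {reachable_from(levels, name)}")
    print(port_map(SAMPLE_CONFIG))
```

Replacing the security20/security40 values with security50 in the sample and re-running shows each DMZ reaching only outside, which is the isolation the poster asked for.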
 
>> Warning: Start and End addresses overlap with broadcast address
> I don't know either.
> But it seems that your config has leftovers from a previos config, so you can try starting from scratch:
> write erase
> reload

I see.
Maybe you're right, there was quite an advanced configuration in the box when I bought it (from a bankrupt dotcom's estate).
I have my config backed up by tftp.
Do I just send the config back to the PIX afterwards, through the console while in config-mode?

>> I want inside to reach all interfaces, but I want all the DMZ-interfaces to ONLY reach outside
> You can use the same security level for all DMZ interfaces:
> nameif ethernet2 dmz1 security50
> nameif ethernet3 dmz2 security50
> nameif ethernet4 dmz3 security50
> nameif ethernet5 dmz4 security50

Of course, so simple...
Thanks. :)

>> How do I configure address translation, so that port 80 outside goes to inside host1
> The command is "static ... tcp ...".

Doh!
Static didn't have that kind of tricks back in 4.x.

Thanks for your kind help!
 
I did the wr erase/reload, did the short interactive config, and afterwards pasted the old config into the terminal software, while the pix was in config-mode.

When I pasted the config, I first removed these lines:
passwd
enable
isakmp

The isakmp-lines were leftovers from the previous owners' config.

It swallowed the whole config without complaints, with one exception:
---8<---
pix(config)# global (outside) 1 interface
Warning: Start and End addresses overlap with broadcast address.
outside interface address added to PAT pool
pix(config)#
---8<---

The error message remains.
It does so after reboots too.

What is it complaining about?
 
> It is a bug in version 6.2.2
> You'll find it here:
>
Groan, I searched for the error message at cisco.com and found nothing, so I concluded that it shouldn't be a bug. :(
Oh well.
As they said in comp.dcom.sys.cisco, there are no side effects, so I'll just learn to live with that message. :)

Or maybe find a way to upgrade, nat-traversal would be really nice to have too, and I was surprised to find that it wasn't implemented in 6.2(2).
As it is, an upgrade would cost a lot more than I gave for the whole machine at the auction.

Thanks again for your help!
 
You can download 6.3.1 off their website if you have a CCO account. Any CCO account can get it. :)

-Bad Dos
 
> You can download 6.3.1 off their website if you have a CCO account. Any CCO account can get it. :)

If this is true, then can you please specify the URL to the page where it is so?

It certainly doesn't work from here:

Everything in that table greets me with:
---8<---
Download not permitted

Our apologies, but your user profile indicates that you are not entitled to download software of this type.
---8<---

The same happens with both types of VPN clients too:

What DID work was applying for the 3DES activation key, which leads me to believe that the problem isn't an exporting restriction from the US.
(I live in Sweden)
Licensing seems to be the issue.

I have the simplest (free) form of CCO account.
Are you absolutely certain that any CCO account can download free upgrades?
Isn't that what you pay for when you get SMARTnet?
Besides the support... :)

My day job's distributor has the following product in their webshop:
PIX Software one-time upgrade for nonsupport customers
Art.#: PIX-SW-UPGRADE=
Price tag: $701 (Not gonna happen...)

If you know of any other download page in the depths of Cisco's web site, please share it with us.
 