Stubborn Pix or idjet operator?

dbdataplus (Technical User, US), Aug 19, 2006
I have an older PIX 501 that came with no documentation that I'm trying to set up on a small network. The default setup brought me OUTBOUND stuff OK (I'm using it now) but I can't get inbound traffic to hit my internal web server.

I can ping the pix from outside and from inside, I can hit the web server from inside ... and because I have a second NIC card in the server that is temporarily exposed to the outside world on a separate IP ... I know for a fact that the server is up and accessible. It's only through the PIX that doesn't work.

The fundamental roadblock is that the PIX instructions read as if they themselves were encrypted.

Anyway .. here is the PIX config. I have XX'd out the external IP address & gateway address ... but they ARE correct. Can anyone spot what I did wrong or what I missed?

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password LZiV3n9oRfYytZ8S encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname router
domain-name private1.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inbound permit tcp any host XX.XX.XX.XX eq www
access-list inbound permit icmp any host XX.XX.XX.XX
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.XX.XX 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.10 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:c95cfdc4818bc911a9fbf6d20ff356a0
 
When you try through the PIX are you disconnecting the other server NIC?

Disconnect it and try again.

This time do a "sh conn" on the PIX while you are trying traffic. You cannot access the external address from the internal network, so you will need an external PC to test the connection.

 
The config looks good. Can you ping the server from the pix? Check the logs to see what's going on.

logging on
logging buffered debugging

sho logging

and see what's going on.

My guess is the firewall settings on the second NIC.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I have two nic cards, two ip addresses on the server - always have had this. One card/IP was internal and the other was external. The reason for this was that the original firewall was a home-type model that didn't have the capabilities to allow sophisticated port redirections (etc.) so the server was exposed to the outside world for purposes of www, smtp, ftp, etc. while the users and their PCs were protected via the firewall. It was dumb, but it worked. Then I came across this PIX, which DOES have the capabilities, so I replaced the existing firewall and am attempting to configure the inbound accesses.

Now to your show conn ---

I try that command from the console port and I get a huge list of packets, but no time stamp or indication of relevance, and if there's a way to clear that list, I don't know what it is.

I can telnet out to a client in Hawaii and then, from his console, telnet, ping, traceroute or http back TO the pix IP address. PING responds. When I traceroute, it stops right at the last server BEFORE my IP:

Remember my 'exposed' IP? It's one digit off. If I traceroute to THAT IP from Hawaii, I get all servers until I get MY server. When I traceroute to the PIX's IP, it looks exactly the same EXCEPT no response where the PIX's response would normally be.

The SHOW CONN command lists all packets as outbound (and emanating from my PC), nothing inbound.

When I try to TELNET (23) from Hawaii, it hangs waiting ... doesn't even get a connection refused.

It's like the PIX simply ignores the outside connections.
 
add
logging timestamp

Don't look at the "sho conn", do a "sho log". You should see what is happening to the packets when they hit the pix. The pix (or your server) won't respond to telnet (23) because you haven't allowed it. Telnet to port 80 instead.

I wonder if a duplex mismatch would affect this. Try
interface ethernet0 auto
interface ethernet1 auto



Brent
Systems Engineer / Consultant
CCNP, CCSP
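A small triage script for the "sho log" output recommended above, added here as an example (it is not from the thread and not Cisco's code): it sorts PIX 6.x syslog message ids so you can see whether an inbound web request died at the translation step (305005), at the access-list (106023), or was actually built by the PIX (302001). The sample log lines, the `parse_line`/`triage_inbound` names and the `HINTS` table are constructed for this example and use documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the style of PIX 6.x syslog as printed by "show logging"
# after "logging on", "logging buffered debugging" and "logging timestamp".
# Documentation addresses only; none of these lines come from the thread.
SAMPLE_LOG = """\
Aug 19 2006 14:02:11: %PIX-6-302001: Built outbound TCP connection 88 for faddr 198.51.100.7/80 gaddr 203.0.113.2/1034 laddr 192.168.0.10/1034
Aug 19 2006 14:02:15: %PIX-3-305005: No translation group found for tcp src outside:198.51.100.7/41234 dst outside:203.0.113.2/80
Aug 19 2006 14:02:20: %PIX-4-106023: Deny tcp src outside:198.51.100.7/41235 dst inside:192.168.0.10/23 by access-group "inbound"
Aug 19 2006 14:02:31: %PIX-6-302001: Built inbound TCP connection 89 for faddr 198.51.100.7/41240 gaddr 203.0.113.2/80 laddr 192.168.0.10/80
"""
MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
# "src outside:1.2.3.4/80", "dst inside:1.2.3.4/80", "faddr 1.2.3.4/80" ... -> (name, ip, port)
ENDPOINT_RE = re.compile(
    r"(?P<name>src|dst|faddr|gaddr|laddr) (?:\w+:)?(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<port>\d+)")

# Which stage of the PIX pipeline each message id reports, and where to look in the config.
HINTS = {
    "305005": "no translation for this destination: check the static (inside,outside) line",
    "106023": "translated, but the access-list denied this port: permit it only if intended",
    "302001": "translation and access-list both passed: the PIX built the connection",
}

def parse_line(line):
    """Return {'sev','msgid','inbound','endpoints'} for a PIX syslog line, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    endpoints = {e["name"]: (e["ip"], int(e["port"])) for e in ENDPOINT_RE.finditer(m["text"])}
    return {"sev": int(m["sev"]), "msgid": m["msgid"],
            "inbound": "inbound" in m["text"], "endpoints": endpoints}

def triage_inbound(log_text):
    """Group inbound-relevant events by message id -> [(destination port, hint), ...]."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (rec["msgid"] == "302001" and not rec["inbound"]):
            continue  # skip junk and the outbound connections that already work
        ep = rec["endpoints"]
        # 106023/305005 name the target as dst; a built connection names the global side as gaddr
        port = ep.get("dst", ep.get("gaddr", (None, None)))[1]
        findings[rec["msgid"]].append((port, HINTS.get(rec["msgid"], "unclassified")))
    return dict(findings)

if __name__ == "__main__":
    for msgid, events in sorted(triage_inbound(SAMPLE_LOG).items()):
        for port, hint in events:
            print(f"{msgid} port {port}: {hint}")
```

Paste the real "sho log" buffer into `SAMPLE_LOG` (or read it from a file) and the per-message hints tell you which config line each dropped packet never got past.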
 
Is it just me -- or is Cisco BREATHTAKINGLY cryptic in their documentation? It's almost like they run a new convention/command by senior management -- and if management understands it ... send it back to engineering.

Anyway ... Craigslist generated a nearby Pix501 which I purchased dirt cheap .... made the swap, added the config ... and everything now works.

I appreciate everyone's help!!!

DB
 
Cisco is actually one of the most configurable and easiest pieces of equipment I've ever worked with (8 Years + some).


A sh conn is one of the best troubleshooting commands you will ever have. You can also use the "show local xxx.xxx.xxx.xxx" command to display connections for a LOCAL IP. Sh conn will show you the state of the connection such as a syn, syn ack, awaiting syn ack etc... This is very important when troubleshooting these types of issues. If you want to learn more about the PIX I would take a look at the PIX/ASA Handbook by David Hucaby.

Hope to see you in the forum in the future!

 
NetworkGhost, I will totally second that but it's easy because we speak cisco. :) (and 8+ years is a lot of experience.)

When I first started out, I was pretty confused also. I spent a lot of time scratching my head trying to figure out the nomenclature and procedures.

Use the old one to play with and try to get it working. You will learn lots just playing around with it. Trust me when I say the frustration is worth it. People here are pretty fast and helpful so if you run into things just post.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 