SBNservices
IS-IT--Management
Below is a config that appears almost line for line similar to a working config (I removed SNMP, Telnet, etc.). The first PIX runs just perfectly.
The second, which was being set up this week, has a few issues. First and foremost, the server at 192.168.111.2 (mapped to 55.xx.xx.202) has no outgoing or incoming traffic. I can ping the PIX and vice versa, but cannot access anything on the internet. Now all other devices could pull up remote sites without issue via http.
The second issue, which may be related is just as troublesome. To test out whether I could access the webserver from the outside, I connected to a remote office via VNC web/java interface. Problem was once the java app began to load it would just hang. Several times I swapped out the PIX and used the old firewall and could connect to remote devices without issue. It seemed the PIX just did not like allowing such connections. Although at the office I have no problems with the first PIX accessing remote sites.
Now on the first PIX that we have had running for a long time, none of these issues exist.
Also I should add. In the internal network I have another webserver at 192.168.111.3. In a previous config I had that mapped to external 55.xx.xx.205 with an access to HTTP. From the outside there was no issue connecting to this webserver.
Lastly, this troublesome server at 192.168.111.2, well when I changed the IP address to 192.168.111.5 I had no trouble with connecting out to the internet. What in the PIX could specifically block a said IP address? The only listing was for the static mapping.
Any help or ideas will be greatly appreciated!
Here is the basic config, although the config has changed since I last worked on the device, having just erased the entire config, overall this is pretty much the same as before
_________________________________________
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
access-list outside_access_in permit tcp any host 55.xx.xx.202 eq www
pager lines 24
icmp permit 192.168.111.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 55.xx.xx.204 255.255.255.248
ip address inside 192.168.111.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.111.25 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 55.xx.xx.203
nat (inside) 1 192.168.111.0 255.255.255.0 0 0
static (inside,outside) 55.xx.xx.202 192.168.111.2 netmask 255.255.255.255 0 0
static (inside,outside) 55.xx.xx.205 192.168.111.3 netmask 255.255.255.255 0 0
static (inside,outside) 55.xx.xx.206 192.168.111.4 netmask 255.255.255.255 0 0
static (inside,outside) 55.xx.xx.207 192.168.111.12 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 55.xx.xx.201 1
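
An added example, not part of the original post: a short Python audit of the posted translation and ACL lines, listing for each `static` what the outside ACL admits and whether the mapped address is a host address inside the outside subnet. The redacted `55.xx.xx` prefix is replaced with the constructed prefix 203.0.113; `audit` and the report field names are hypothetical.

```python
import ipaddress
import re

# The posted config's translation and ACL lines. The redacted "55.xx.xx" prefix
# is replaced with the documentation prefix 203.0.113 (constructed); the last
# octets and the inside addresses are the ones in the post.
CONFIG = """\
access-list outside_access_in permit tcp any host 203.0.113.202 eq www
ip address outside 203.0.113.204 255.255.255.248
global (outside) 1 203.0.113.203
nat (inside) 1 192.168.111.0 255.255.255.0 0 0
static (inside,outside) 203.0.113.202 192.168.111.2 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.205 192.168.111.3 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.206 192.168.111.4 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.207 192.168.111.12 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

def audit(config):
    """Return {inside_ip: facts} for every static translation in the config."""
    m = re.search(r"^ip address outside (\S+) (\S+)", config, re.M)
    outside = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    # Only the ACL bound inbound on the outside interface filters outside traffic.
    bound = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    acl = bound.group(1) if bound else None
    permits = {}  # mapped address -> TCP services permitted from outside
    for host, port in re.findall(
            rf"^access-list {re.escape(acl or '')} permit tcp any host (\S+) eq (\S+)",
            config, re.M):
        permits.setdefault(host, []).append(port)
    report = {}
    for mapped, inside in re.findall(
            r"^static \(inside,outside\) (\S+) (\S+) netmask", config, re.M):
        addr = ipaddress.ip_address(mapped)
        report[inside] = {
            "mapped": mapped,
            "inbound_tcp": permits.get(mapped, []),
            "in_outside_subnet": addr in outside,
            # network/broadcast addresses of the outside subnet are not host addresses
            "host_address": addr not in (outside.network_address,
                                         outside.broadcast_address),
        }
    return report

if __name__ == "__main__":
    for inside, facts in audit(CONFIG).items():
        print(inside, facts)
```

For the posted lines it reports `www` inbound only for 192.168.111.2, and marks the address mapped to 192.168.111.12 as the broadcast address of the 255.255.255.248 outside subnet.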