Hi All,
I am a semi-noob to the PIX firewall and I have a problem I cannot resolve.
I have four interfaces on my PIX 515. It's broken up like this:
INT Ethernet0 Outside security0 xxx.xxx.xxx.xxx
INT Ethernet1 WEB security98 10.16.99.1
INT Ethernet2 Inside Security100 10.1.99.1
INT Ethernet FFF Security20 10.19.99.1
Here is my problem:
I have a Mailhost (10.1.3.52) on the INSIDE subnet that has a static translation to the Outside (xxx.xxx.xxx.xxx) and conduits for opening the SMTP and POP ports. This all works fine.
Now what I am trying to do is create another static translation for this same Mailhost (10.1.3.52) to the INT subnet FFF (10.19.99.101 is the translated address for the Mailhost to FFF). For now I created a conduit to have everything wide open to this Mailhost (translated 10.19.99.101) from the 10.19.x.x subnet. Now from this Mailhost I can do a traceroute to the network I need to go to through the 10.19.99.1 FFF interface, but nobody can access the translated Mailhost (10.19.99.101) for some reason. To make things even stranger, I have taken two more hosts (FTP), one on the INSIDE subnet and one on the WEB subnet, and gave them static translations to the FFF subnet, and the people on that subnet can get to the FTP hosts just fine. They can also ping the FTP hosts but not the Mailhost. I have ICMP on right now to troubleshoot.
Here is what I see in my PIX log when I try to connect to another mailhost on the FFF subnet from my Mailhost (10.1.3.52 translated to 10.19.99.101):
May 07 2003 07:11:24: %PIX-6-305002: Translation built for gaddr 10.19.99.101 to laddr 10.1.3.52
May 07 2003 07:11:52: %PIX-6-302001: Built outbound TCP connection 199601 for faddr 206.201.57.223/1352 gaddr 10.19.99.101/2366 laddr 10.1.3.52/2366
May 07 2003 07:14:14: %PIX-6-302002: Teardown TCP connection 199601 faddr 206.201.57.223/1352 gaddr 10.19.99.101/2366 laddr 10.1.3.52/2366 duration 0:02:21 bytes 0 (SYN Timeout)
So from this I can tell that it looks like the PIX is building the translation just fine, and I can get out to where I need to go, but people cannot get to this host for some reason.
Is the PIX just not capable of two statics to one host?
Any help would be appreciated.
Here is a copy of my config with the outside addresses omitted for obvious reasons.
PIX Version 5.2(3)
nameif ethernet0 outside security0
nameif ethernet1 WEB security98
nameif ethernet2 inside security100
nameif ethernet3 FFF security20
enable password
passwd
hostname PIX
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol smtp 25
names
pager lines 24
logging on
logging timestamp
logging standby
logging console informational
no logging monitor
logging buffered warnings
logging trap informational
no logging history
logging facility 20
logging queue 1000
logging host inside 10.1.10.41
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto
mtu outside 1500
mtu WEB 1500
mtu inside 1500
mtu fdc 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.192
ip address WEB 10.16.99.1 255.255.0.0
ip address inside 10.1.99.1 255.255.0.0
ip address FFF 10.19.99.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
global (outside) 1 xxx.xxx.xxx.xxx
global (WEB) 1 10.16.2.190
global (FFF) 1 10.19.4.20
nat (WEB) 1 10.16.1.102 255.255.255.255 0 0
nat (WEB) 1 10.2.3.0 255.255.255.0 0 0
nat (WEB) 1 10.0.0.0 255.0.0.0 0 0
nat (inside) 1 10.7.103.65 255.255.255.255 0 0
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (FFF) 0 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.1.3.52 xxx.xxx.xxx.xxx 255.255.255.255
alias (inside) 10.1.3.50 xxx.xxx.xxx.xxx 255.255.255.255
alias (inside) 10.1.3.54 xxx.xxx.xxx.xxx 255.255.255.255
alias (inside) 10.2.4.1 xxx.xxx.xxx.xxx 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 10.1.3.52 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.1.3.51 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.1.20.199 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.1.3.198 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.1.4.1 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.1.4.60 netmask 255.255.255.255 0 0
static (WEB,outside) 216.54.248.139 10.16.4.91 netmask 255.255.255.255 0 0
static (inside,FFF) 10.19.99.101 10.1.3.52 netmask 255.255.255.255 0 0
static (WEB,FFF) 10.19.4.10 10.16.4.80 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any
conduit permit tcp host xxx.xxx.xxx.xxx eq pop3 any
conduit permit udp host xxx.xxx.xxx.xxx eq syslog host xxx.xxx.xxx.xxx
conduit permit udp host xxx.xxx.xxx.xxx eq syslog host xxx.xxx.xxx.xxx
conduit permit tcp host xxx.xxx.xxx.xxx eq 1723 any
conduit permit gre host xxx.xxx.xxx.xxx any
conduit permit udp host xxx.xxx.xxx.xxx eq tftp host xxx.xxx.xxx.xxx
conduit permit tcp 10.19.0.0 255.255.0.0 any
route outside 0.0.0.0 0.0.0.0 216.54.248.129 1
route FFF 10.2.119.46 255.255.255.255 10.19.1.101 1
route inside 10.3.0.20 255.255.255.255 10.1.8.3 1
route inside 10.7.0.0 255.255.0.0 10.1.1.3 1
route inside 10.8.0.0 255.248.0.0 10.1.1.1 1
route FFF 170.186.41.207 255.255.255.255 10.19.1.101 1
route FFF 204.124.249.0 255.255.255.0 10.19.1.101 1
route FFF 204.124.249.55 255.255.255.255 10.19.1.101 1
route FFF 206.201.57.0 255.255.255.0 10.19.1.101 1
route FFF 206.201.57.59 255.255.255.255 10.19.1.101 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol tacacs+
aaa authentication telnet console AuthInbound
aaa authentication enable console AuthInbound
aaa authentication ssh console AuthInbound
snmp-server host inside 10.1.20.199
snmp-server host inside 10.1.4.10
snmp-server location Mopac
no snmp-server contact
snmp-server community show2me
snmp-server enable traps
tftp-server inside 10.1.20.199 .
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-md5-hmac
isakmp enable outside
isakmp identity hostname
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 9600
telnet 10.1.3.195 255.255.255.255 inside
telnet timeout 15
ssh 10.1.20.199 255.255.255.255 inside
ssh 10.1.4.10 255.255.255.255 inside
ssh timeout 5
terminal width 80
Any help is greatly appreciated.
Thanks,
Ic2muchtv
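As an added example (not part of the original post), a small Python parser that pairs the %PIX-6-302001 "Built" and %PIX-6-302002 "Teardown" messages by connection id and pulls out connections torn down with "SYN Timeout" and zero bytes, which is the signature in the log quoted above. SAMPLE_LOG and the function names are constructed for this example; the message format is the PIX 5.2 one shown in the post.

```python
import re

# Constructed sample in the syslog format of the PIX 5.2 messages quoted in the post.
# Lines 1, 2 and 5 are the post's own messages; lines 3 and 4 are made up to show a
# connection that completed normally next to the one that never finished its handshake.
SAMPLE_LOG = """\
May 07 2003 07:11:24: %PIX-6-305002: Translation built for gaddr 10.19.99.101 to laddr 10.1.3.52
May 07 2003 07:11:52: %PIX-6-302001: Built outbound TCP connection 199601 for faddr 206.201.57.223/1352 gaddr 10.19.99.101/2366 laddr 10.1.3.52/2366
May 07 2003 07:12:03: %PIX-6-302001: Built outbound TCP connection 199602 for faddr 206.201.57.223/21 gaddr 10.19.99.101/2370 laddr 10.1.3.52/2370
May 07 2003 07:12:40: %PIX-6-302002: Teardown TCP connection 199602 faddr 206.201.57.223/21 gaddr 10.19.99.101/2370 laddr 10.1.3.52/2370 duration 0:00:37 bytes 1840 (TCP FINs)
May 07 2003 07:14:14: %PIX-6-302002: Teardown TCP connection 199601 faddr 206.201.57.223/1352 gaddr 10.19.99.101/2366 laddr 10.1.3.52/2366 duration 0:02:21 bytes 0 (SYN Timeout)
"""

BUILT = re.compile(
    r"%PIX-6-302001: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for faddr (?P<faddr>\S+) gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+)")
TEARDOWN = re.compile(
    r"%PIX-6-302002: Teardown TCP connection (?P<cid>\d+) faddr \S+ gaddr \S+ laddr \S+ "
    r"duration (?P<duration>\S+) bytes (?P<nbytes>\d+) \((?P<reason>[^)]*)\)")


def correlate_connections(log_text):
    """Pair each 302001 'Built' record with its 302002 'Teardown' by connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["cid"]] = {"direction": m["direction"], "faddr": m["faddr"],
                               "gaddr": m["gaddr"], "laddr": m["laddr"], "reason": None}
            continue
        m = TEARDOWN.search(line)
        if m and m["cid"] in conns:
            conns[m["cid"]].update(duration=m["duration"], nbytes=int(m["nbytes"]),
                                   reason=m["reason"])
    return conns


def syn_timeouts(log_text):
    """Connections that never completed the three-way handshake: torn down with
    reason 'SYN Timeout' and zero bytes transferred, the symptom described in the post."""
    return {cid: c for cid, c in correlate_connections(log_text).items()
            if c["reason"] == "SYN Timeout" and c["nbytes"] == 0}


if __name__ == "__main__":
    for cid, c in syn_timeouts(SAMPLE_LOG).items():
        print(f"conn {cid}: {c['direction']} {c['laddr']} -> {c['faddr']} via {c['gaddr']} "
              f"never completed handshake (duration {c['duration']})")
```

A SYN Timeout with zero bytes means the PIX built the translation and forwarded the SYN but never saw the SYN/ACK come back, so the problem lies on the return path rather than in the xlate itself.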