
WORKSTATION CANNOT CONNECT TO SERVER THROUGH PIX FIREWALL


drbk563

IS-IT--Management
Nov 21, 2006
194
US
I have a PIX firewall which has three interfaces. Off the DMZ interface there is a workstation with an IP address of 143.104.182.37 which is trying to access a server located on the inside interface with an IP address of 143.104.183.198. I checked the firewall log and I get the following output. What can I do to correct this?

Thank You

302013: Built inbound TCP connection 84142102 for DMZ1:143.104.182.37/1689 (143.104.182.37/1689) to inside:143.104.183.198/5060 (143.104.183.198/5060)
305005: No translation group found for tcp src inside:143.104.182.37/1689 dst DMZ1:143.104.183.198/5060
305005: No translation group found for tcp src inside:143.104.182.37/1689 dst DMZ1:143.104.183.198/5060
305005: No translation group found for tcp src inside:143.104.182.37/1689 dst DMZ1:143.104.183.198/5060
305005: No translation group found for tcp src inside:143.104.183.198/5060 dst DMZ1:143.104.182.37/1689
 
I removed a lot of things from the PIX config which I believed were not necessary to fix this issue. Also, the PIX firewall is not set up to NAT. It does not have any global pools defined. All the IP addresses that you see in the PIX config are the real IP addresses of the devices. Even though I am using IP addresses that are used as public IP addresses, I am using them for private use.


Thank You

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security25
nameif ethernet3 Failover security20
nameif ethernet4 Unused1 security15
nameif ethernet5 DMZ3 security10
enable password xxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname PIX
domain-name xxx
clock timezone est -5
clock summer-time est recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip 5061
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

object-group network Internal_Nets
description Internal Nets
network-object 10.178.176.0 255.255.240.0
network-object 192.168.0.0 255.255.0.0
network-object 143.104.176.0 255.255.240.0
object-group network Remote_Nets
description Remote Sites Internal Nets
network-object 10.178.176.0 255.255.240.0
network-object 143.104.176.0 255.255.240.0

object-group network All_WC_Nets
description Internal & Remote Network Group
group-object Internal_Nets
group-object Remote_Nets



object-group network All_STJMIHSTM_Nets
description StJ&MIH&StM Internal Network Group
network-object 172.22.0.0 255.255.0.0
network-object host 64.46.195.95
network-object 64.46.195.96 255.255.255.248
network-object 10.136.20.0 255.255.252.0
network-object 10.136.16.0 255.255.252.0
network-object 10.136.0.0 255.255.0.0
network-object 172.25.0.0 255.255.0.0


access-list Internal_Nets_NoNat remark Do Not Nat Internal Networks
access-list Internal_Nets_NoNat permit ip object-group Internal_Nets any
access-list Internal_Nets_NoNat permit ip 10.178.183.0 255.255.255.240 10.178.179.0 255.255.255.0
access-list Remote_Nets_NoNat remark Do Not Nat Remote Internal Networks
access-list Remote_Nets_NoNat permit ip object-group Remote_Nets any
access-list acl_dmz1_in permit ip any any
access-list acl_dmz1_in permit icmp any any object-group icmp_traffic
access-list acl_dmz1_in permit icmp any any

access-list acl_dmz1_in permit icmp object-group Remote_Nets object-group Internal_Nets
access-list acl_dmz1_in permit icmp host 143.104.183.96 host 159.132.1.10 echo
access-list acl_dmz1_in permit icmp host 143.104.178.90 host 159.132.1.68 echo
access-list acl_dmz1_in permit icmp host 143.104.178.45 host 172.30.4.18 echo
access-list acl_dmz1_in permit icmp host 143.104.178.6 host 192.216.27.5 echo

access-list acl_dmz1_in permit ip object-group Remote_Nets any
access-list acl_dmz1_in permit tcp object-group Remote_Nets any eq 5060
access-list acl_dmz1_in permit tcp object-group Remote_Nets any eq 5061
access-list acl_dmz1_in permit tcp any any eq 5060
access-list acl_dmz1_in permit tcp any any eq 5061

access-list acl_outside_in permit tcp host 10.156.11.6 any

access-list acl_outside_in permit tcp any host BlackBerry eq smtp
access-list acl_outside_in permit tcp any host ACS01 object-group ACS-TCP
access-list acl_outside_in permit tcp any host 10.133.129.53
access-list acl_outside_in permit tcp any host 10.133.129.55
access-list acl_outside_in permit ip any host 10.133.129.53
access-list acl_outside_in permit ip any host 10.133.129.55
access-list acl_outside_in permit ip host 10.133.129.53 any
access-list acl_outside_in permit ip host 10.133.129.55 any
access-list acl_outside_in permit tcp host 10.133.129.53 any
access-list acl_outside_in permit tcp host 10.133.129.55 any
access-list acl_outside_in permit tcp host egate any
access-list acl_outside_in permit udp any host ACS01 object-group ACS-UDP
access-list acl_outside_in permit icmp any any
access-list acl_outside_in permit tcp any any eq 5060
access-list acl_outside_in permit tcp any any eq 5061
access-list vpn2 permit ip object-group All_WC_Nets 10.178.182.192 255.255.255.192
access-list acl_inside_in permit ip any any
access-list acl_inside_in permit tcp any host 143.104.183.198 eq 5060
access-list acl_inside_in deny ip host 10.178.185.15 any
access-list acl_inside_in deny udp host 143.104.179.146 any eq 1150
access-list acl_inside_in permit icmp any any object-group icmp_traffic
access-list acl_inside_in remark allow Ms Ports from Internal Nets to Remotes
access-list acl_inside_in permit ip 192.168.160.0 255.255.224.0 143.104.176.0 255.255.240.0
access-list acl_inside_in permit object-group TCP-UDP any object-group Remote_Nets object-group Remote-Site_srvs-TCP-UDP
access-list acl_inside_in permit ip any 172.22.0.0 255.255.0.0
access-list acl_inside_in permit object-group TCP-UDP any object-group All_STJMIHSTM_Nets object-group Remote-Site_srvs-TCP-UDP
access-list acl_inside_in permit tcp any object-group Remote_Nets object-group Remote-Site_srvs-TCP
access-list acl_inside_in deny object-group TCP-UDP any any object-group MS.Blaster_TCP-UDP
access-list acl_inside_in deny tcp any any object-group MS.Blaster_TCP
access-list acl_inside_in deny udp any any object-group MS.Blaster_UDP

access-list acl_inside_in permit icmp object-group Internal_Nets object-group Remote_Nets
access-list acl_inside_in permit icmp object-group Internal_Nets object-group All_STJMIHSTM_Nets
access-list acl_inside_in permit icmp host 143.104.181.88 any echo
access-list acl_inside_in permit icmp host 143.104.177.188 any echo

access-list acl_inside_in permit icmp host 143.104.178.90 any echo
access-list acl_inside_in deny ip any host 206.173.193.10
access-list acl_inside_in permit icmp any any
access-list acl_inside_in permit tcp object-group Remote_Nets any eq 5060
access-list acl_inside_in permit tcp object-group Remote_Nets any eq 5061
access-list acl_inside_in permit tcp any any eq 5060
access-list acl_inside_in permit tcp any any eq 5061


access-list acl_dmz3_in permit ip any any
access-list acl_dmz3_in permit icmp any any object-group icmp_traffic
access-list acl_dmz3_in permit icmp any any
access-list acl_dmz3_in permit icmp object-group All_STJMIHSTM_Nets object-group Internal_Nets
access-list acl_dmz3_in permit ip object-group All_STJMIHSTM_Nets host 143.104.181.15
access-list acl_dmz3_in permit ip host 172.22.25.252 object-group Internal_Nets
access-list acl_dmz3_in permit ip object-group All_STJMIHSTM_Nets object-group Internal_Nets
access-list acl_dmz3_in permit ip object-group Internal_Nets any
access-list acl_dmz3_in permit ip 192.168.160.0 255.255.224.0 143.104.176.0 255.255.240.0
access-list All_STJMIHSTM_Nets_NoNat permit ip object-group All_STJMIHSTM_Nets any
access-list All_STJMIHSTM_Nets_NoNat remark Do Not Nat Remote Internal Networks
access-list cap permit icmp host 143.104.181.88 any
access-list cap permit icmp any host 143.104.181.88
access-list cap permit icmp host 10.178.183.49 host 172.22.24.1
access-list cap permit icmp host 172.22.24.1 host 10.178.183.49
access-list cap permit icmp host 172.22.24.1 any
pager lines 12
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap warnings
logging facility 23
logging queue 1024
no logging message 106011
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp deny any echo outside
icmp deny any echo DMZ1
icmp permit any unreachable DMZ1
icmp permit any echo-reply DMZ1
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu Failover 1500
mtu Unused1 1500
mtu DMZ3 1500
ip address outside 143.104.183.4 255.255.255.240
ip address inside 10.178.183.4 255.255.255.240
ip address DMZ1 10.178.183.18 255.255.255.240
ip address Failover 10.178.183.41 255.255.255.252
ip address Unused1 10.178.183.45 255.255.255.252
ip address DMZ3 10.178.183.49 255.255.255.240
ip verify reverse-path interface outside
ip verify reverse-path interface DMZ1
ip verify reverse-path interface DMZ3
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 5
failover ip address outside 143.104.183.5
failover ip address inside 10.178.183.5
failover ip address DMZ1 10.178.183.19
failover ip address Failover 10.178.183.42
failover ip address Unused1 10.178.183.46
failover ip address DMZ3 10.178.183.50
failover link Failover
pdm history enable
arp timeout 14400
nat (inside) 0 access-list Internal_Nets_NoNat
nat (DMZ1) 0 access-list Remote_Nets_NoNat
nat (DMZ3) 0 access-list All_STJMIHSTM_Nets_NoNat
static (inside,outside) 172.20.205.1 10.178.181.189 netmask 255.255.255.255 0 0
static (inside,outside) 172.20.205.2 10.178.181.188 netmask 255.255.255.255 0 0
static (inside,outside) 172.20.205.3 10.178.181.190 netmask 255.255.255.255 0 0
static (inside,outside) 172.20.205.4 10.178.181.45 netmask 255.255.255.255 0 0
static (inside,outside) 172.20.205.5 10.178.181.181 netmask 255.255.255.255 0 0
static (inside,outside) 172.20.205.6 10.178.181.221 netmask 255.255.255.255 0 0
static (inside,outside) 172.20.205.7 10.178.181.222 netmask 255.255.255.255 0 0
static (inside,outside) 172.20.205.8 10.178.185.141 netmask 255.255.255.255 0 0
static (inside,outside) 172.20.205.9 143.104.176.120 netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
access-group acl_inside_in in interface inside
access-group acl_dmz1_in in interface DMZ1
access-group acl_dmz3_in in interface DMZ3
route outside 0.0.0.0 0.0.0.0 143.104.183.1 1
route DMZ3 10.136.0.0 255.255.0.0 10.178.183.52 1
route inside 10.178.191.0 255.255.255.0 10.178.183.7 1
route DMZ3 64.46.195.95 255.255.255.255 10.178.183.52 1
route DMZ3 64.46.195.96 255.255.255.248 10.178.183.52 1
route inside 143.104.183.98 255.255.255.255 10.178.183.1 1
route DMZ3 166.168.160.0 255.255.224.0 10.178.183.52 1
route inside 172.20.205.0 255.255.255.128 10.178.183.1 1
route DMZ3 172.22.0.0 255.255.0.0 10.178.183.52 1
route DMZ3 172.25.0.0 255.255.0.0 10.178.183.52 1
route inside 192.168.0.0 255.255.0.0 10.178.183.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 143.104.177.188 255.255.255.255 inside
http 143.104.181.160 255.255.255.255 inside
http 10.178.176.114 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
ssh timeout 60
console timeout 30
terminal width 80
banner login *************************************************************************
banner login * AUTHORIZED USE ONLY *
banner login * Any use of this system is logged and monitored. Trespassers and *
banner login * unauthorized users will be prosecuted to the fullest extent of *
banner login * the law. If you are not supposed to be here: Leave Now! *
banner login *************************************************************************
Cryptochecksum:9fca0e0649aef84012f481552545655c
: end

 
Your IP address scheme is quite confusing, as you should never use public IPs unless they belong to you.

You need to exempt that workstation from NAT and have the ACL on the DMZ interface permit the traffic.


 
Alright, I understand what you are saying I have to do. However, can you help me out with the configuration to accomplish this?

Thank You
 
So the internal workstation has a public IP address? I am failing to see how a machine with an IP address of 143.204.182.37 is working on DMZ1, which has an IP of 10.178.183.18. You can try the following command to exempt that machine from NAT. I would need a good network diagram to understand the network if this doesn't work. Make sure you issue the "clear xlate" command after changing this item.

object-group network Remote_Nets
network-object 143.104.182.37 255.255.255.255
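The two things this thread turns on, the 305005 "No translation group found" lines in the first post and the nat 0 exemption the replies point to, can be checked mechanically before anything is changed. The Python below is an added example written for this page, not code from the thread or from Cisco. It parses the 302013 and 305005 message shapes quoted above, parses the object-group, "permit ip" access-list and nat 0 lines from the posted config, and reports, for each 305005 line, whether the source address is already covered by the exemption ACL bound to the interface the PIX names, plus any address the log places behind more than one interface. The log and config excerpts embedded in it are constructed from the thread's own lines; the function names (parse_log, parse_config, nat_exempt, analyse) are mine.

```python
import ipaddress
import re

# Constructed sample log: the 302013 and 305005 message shapes quoted in the thread.
SAMPLE_LOG = """\
302013: Built inbound TCP connection 84142102 for DMZ1:143.104.182.37/1689 (143.104.182.37/1689) to inside:143.104.183.198/5060 (143.104.183.198/5060)
305005: No translation group found for tcp src inside:143.104.182.37/1689 dst DMZ1:143.104.183.198/5060
305005: No translation group found for tcp src inside:143.104.183.198/5060 dst DMZ1:143.104.182.37/1689
"""

# Constructed excerpt of the posted config: only object-groups, exemption ACLs and nat 0 bindings matter here.
SAMPLE_CONFIG = """\
object-group network Internal_Nets
network-object 10.178.176.0 255.255.240.0
network-object 192.168.0.0 255.255.0.0
network-object 143.104.176.0 255.255.240.0
object-group network Remote_Nets
network-object 10.178.176.0 255.255.240.0
network-object 143.104.176.0 255.255.240.0
object-group network All_WC_Nets
group-object Internal_Nets
group-object Remote_Nets
access-list Internal_Nets_NoNat remark Do Not Nat Internal Networks
access-list Internal_Nets_NoNat permit ip object-group Internal_Nets any
access-list Remote_Nets_NoNat permit ip object-group Remote_Nets any
nat (inside) 0 access-list Internal_Nets_NoNat
nat (DMZ1) 0 access-list Remote_Nets_NoNat
"""

ADDR = r"(\w+):(\d+\.\d+\.\d+\.\d+)/\d+"          # iface:ip/port, captures (iface, ip)
RE_302013 = re.compile(r"302013: .* for " + ADDR + r" \([^)]*\) to " + ADDR)
RE_305005 = re.compile(r"305005: .* src " + ADDR + r" dst " + ADDR)


def parse_log(text):
    """Return (msg_id, src_iface, src_ip, dst_iface, dst_ip) per recognised line."""
    events = []
    for line in text.splitlines():
        for msg_id, pattern in (("302013", RE_302013), ("305005", RE_305005)):
            m = pattern.search(line)
            if m:
                events.append((msg_id,) + m.groups())
    return events


def _network(tokens):
    """'host A' or 'A MASK' -> IPv4Network."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)


def _operand(tokens):
    """Consume one ACL address operand ('any', 'object-group N', 'host A', 'A MASK')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "object-group":
        return ("group", tokens[1]), tokens[2:]
    return _network(tokens[:2]), tokens[2:]


def parse_config(text):
    """Return (groups, acls, nat0) from object-group, 'permit ip' and nat 0 lines."""
    groups, acls, nat0, current = {}, {}, {}, None
    for raw in text.splitlines():
        p = raw.split()
        if len(p) >= 3 and p[0] == "object-group" and p[1] == "network":
            current = p[2]
            groups[current] = []
        elif p and p[0] in ("network-object", "group-object") and current:
            groups[current].append(("group", p[1]) if p[0] == "group-object" else _network(p[1:]))
        elif len(p) >= 6 and p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            src, rest = _operand(p[4:])
            acls.setdefault(p[1], []).append((src, _operand(rest)[0]))
        elif len(p) >= 5 and p[0] == "nat" and p[2:4] == ["0", "access-list"]:
            nat0[p[1].strip("()")] = p[4]
    return groups, acls, nat0


def _matches(operand, ip, groups, seen=frozenset()):
    """True when ip is covered by operand: 'any', a network, or a (nested) object-group."""
    if operand == "any":
        return True
    if isinstance(operand, tuple):                  # ("group", name); seen guards cycles
        name = operand[1]
        return name not in seen and any(
            _matches(m, ip, groups, seen | {name}) for m in groups.get(name, []))
    return ip in operand


def nat_exempt(config, iface, src_ip, dst_ip):
    """True when the nat 0 ACL bound to iface has a 'permit ip' entry covering src->dst."""
    groups, acls, nat0 = config
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(_matches(s, src, groups) and _matches(d, dst, groups)
               for s, d in acls.get(nat0.get(iface), []))


def analyse(log_text, config_text):
    """Per 305005 line: (src_ip, src_iface, already exempt on that iface); plus the
    addresses the log places behind more than one interface."""
    events, config, seen = parse_log(log_text), parse_config(config_text), {}
    for _, siface, sip, diface, dip in events:
        seen.setdefault(sip, set()).add(siface)
        seen.setdefault(dip, set()).add(diface)
    report = [(sip, siface, nat_exempt(config, siface, sip, dip))
              for msg, siface, sip, diface, dip in events if msg == "305005"]
    return report, sorted(ip for ip, ifaces in seen.items() if len(ifaces) > 1)
```

Run against these excerpts, analyse() reports both 143.104.182.37 and 143.104.183.198 as already covered: each sits inside 143.104.176.0/20, which both Internal_Nets and Remote_Nets contain, so the nat 0 ACLs on inside and on DMZ1 already match them. It also lists both hosts as seen behind two interfaces, because the 302013 line places 143.104.182.37 on DMZ1 while the 305005 lines name it as an inside source, which is the inconsistency the last reply asks about. Running a check like this before editing an object-group tells you whether the group is the thing that needs changing.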
