Pix515E does not allow any additional servers/hosts to be deployed

Unanswered Question

Hi,

I have a scenario.

1. We are using Pix515E with Restricted license

2. Currently we have moved 9 servers behind the pix firewall

3. Now we are planning to move additional servers, but somehow pix does not allow it

4. NAT translations are ok

5. Configs have been verified to be ok

6. ACLs are allowed

7. Inside servers can ping and reach/ browse the new webserver

8. New webserver is able to ping other inside servers and gateway-pix firewall

9. Outside hosts/ Internet users are not able to reach the new server

10. Pix logs do not show anything suspicious

11. Capture shows the ack is just not happening

12. We have tried to reboot / reapply the configs


Can someone please help to advise what may be wrong?

husycisco Fri, 02/15/2008 - 10:38

Hi Prasanna

Please post your running config and output of sh ver command.

"Now we are planning to move additional servers, but somehow pix does not allow it "

Can you describe this please? What error do you encounter?


Regards


Hi,

Thanks for reply.

Here's the running config, edited before posting ;)

I could see the NAT translations happening

Required traffic is allowed on the firewall

We are currently moving a server in this setup behind the pix firewall.

Existing servers in this network could access the new server

But Internet users/ from outside interface we are unable to reach this server

Even from router I am unable to ping this server, though I have tried allowing the icmp from the router.


PIX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security80

hostname pix

clock timezone utc+8

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol http 8080

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 110 permit icmp any any

access-list 110 permit tcp 200.x.x.x 255.255.255.192 any

access-list 110 permit tcp 200.x.x.x 255.255.255.192 250.x.x.x 255.255.255.192

access-list 111 permit icmp host 192.168.1.1 any

access-list 111 permit tcp any 200.x.x.x 255.255.255.192

access-list 111 permit tcp any 250.x.x.x 255.255.255.192

access-list 112 permit icmp any any

access-list 112 permit tcp 250.x.x.x 255.255.255.192 any

access-list 112 permit tcp 250.x.x.x 255.255.255.192 200.x.x.x 255.255.255.192

no pager

logging on

logging timestamp

logging standby

logging buffered warnings

logging trap warnings

logging history errors

logging device-id hostname

logging host inside 192.168.150.10

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 192.168.1.2 255.255.255.252

ip address inside 200.x.x.x 255.255.255.192

ip address intf2 250.x.x.x 255.255.255.192

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

static (intf2,outside) 250.x.x.x 250.x.x.x netmask 255.255.255.192 0 0

static (inside,outside) 200.x.x.x 200.x.x.x netmask 255.255.255.192 0 0

static (inside,intf2) 200.x.x.x 200.x.x.x netmask 255.255.255.192 0 0

access-group 111 in interface outside

access-group 110 in interface inside

access-group 112 in interface intf2

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

route inside 192.168.150.0 255.255.255.0 200.x.x.130 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http 192.168.1.0 255.255.255.0 inside

snmp-server location xxx

snmp-server contact xxx

snmp-server community xxx

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:dc9d7ae796879bf7eacbc082387f2db9

: end

show version


Cisco PIX Firewall Version 6.3(3)

Cisco PIX Device Manager Version 3.0(1)


Compiled on Wed 13-Aug-03 13:55 by morlee


pix up 2 hours 25 mins


Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB


Encryption hardware device : Crypto5823 (revision 0x1)

0: ethernet0: address is 0011.2164.3c0a, irq 10

1: ethernet1: address is 0011.2164.3c0b, irq 11

2: ethernet2: address is 000d.88ee.8ec0, irq 11

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 3

Maximum Interfaces: 5

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited


This PIX has a Restricted (R) license.


Serial Number: 808549223 (0x302c27bb)

Running Activation Key: 0x18eaa253 0x445d4e76 0x4a743bdc 0x2ec5df9c


Here are the capture logs for the new server, captured on the outside interface:


00:40:48.749549 157.233.234.4.59474 > 250.x.x.207.80: S 2108858885:2108858885(0) win 65535


husycisco Fri, 02/15/2008 - 16:16

x.x.x's make it hard to understand. Can you attach it as a file (attached files expire in time)? What is your inside server IP (with subnet mask)? Are 200.x.x.x public IPs?

husycisco Sat, 02/16/2008 - 07:27

Thanks for your time on config posting.


Here is the issue


static (intf2,outside) 203.127.218.192 203.127.218.192 netmask 255.255.255.192 0 0

static (inside,outside) 203.127.218.128 203.127.218.128 netmask 255.255.255.192 0 0

ip address inside 203.127.218.129 255.255.255.192


According to the above lines, I understand that this server was previously located at intf2 because, as you see, 203.127.218.207/26 does not belong to 203.127.218.128/26. You have two options:


1) Change the server ip in a range of defined static above (between 203.127.218.128-203.127.218.190) (Recommended)


2) We have to make a huge change in config to be able to keep 207 in inside if it is a must not to change the IP.


Regards
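An added example (not part of the thread, and not husycisco's or Cisco's code) that automates the subnet check made in the reply above: it parses the `ip address` and `static` lines from the posted PIX 6.3 config (with the 203.127.218.x addresses from the later replies substituted for the x.x.x placeholders) and reports whether a server's IP, on the interface it is attached to, falls inside that interface's subnet and is covered by a static bound to that same interface toward outside.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the posted PIX 6.3 config; real addresses from the
# later replies replace the x.x.x placeholders of the original post.
PIX_CONFIG = """
ip address outside 192.168.1.2 255.255.255.252
ip address inside 203.127.218.129 255.255.255.192
ip address intf2 203.127.218.193 255.255.255.192
static (intf2,outside) 203.127.218.192 203.127.218.192 netmask 255.255.255.192 0 0
static (inside,outside) 203.127.218.128 203.127.218.128 netmask 255.255.255.192 0 0
static (inside,intf2) 203.127.218.128 203.127.218.128 netmask 255.255.255.192 0 0
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
# PIX syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def parse_config(text):
    """Return {interface: subnet} and a list of (real_if, mapped_if, real_net)."""
    subnets, statics = {}, []
    for line in text.strip().splitlines():
        m = IP_ADDR_RE.match(line)
        if m:
            subnets[m.group(1)] = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, _mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if, ip_network(f"{real}/{mask}", strict=False)))
    return subnets, statics


def check_server(text, server_ip, attached_if):
    """List the reasons outside hosts cannot reach server_ip placed on attached_if."""
    subnets, statics = parse_config(text)
    ip = ip_address(server_ip)
    problems = []
    if ip not in subnets[attached_if]:
        problems.append(f"{server_ip} is not in {attached_if} subnet {subnets[attached_if]}")
    covering = [s for s in statics if s[1] == "outside" and ip in s[2]]
    if not covering:
        problems.append(f"no static (*,outside) covers {server_ip}")
    elif covering[0][0] != attached_if:
        problems.append(f"static covering {server_ip} is bound to {covering[0][0]}, not {attached_if}")
    return problems


if __name__ == "__main__":
    # The thread's case: .207 (an intf2 address) plugged into the inside segment.
    for p in check_server(PIX_CONFIG, "203.127.218.207", "inside"):
        print("PROBLEM:", p)
```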

Yes, indeed, server 203.127.218.207/26 belongs to intf2 and subnet 203.127.218.192/26 and will remain there. We have tried moving to subnet 203.127.218.128/26, still with the same results.


As we are using version 6.3, NAT 0 alone is not sufficient, hence we are using static NAT and could see the NAT translations.



Config:-

ip address intf2 203.127.218.193 255.255.255.192

husycisco Sun, 02/17/2008 - 09:03

So let me rephrase and correct me if I am wrong.


Server X WAS! located at intf2 with an IP of 203.127.128.207/26 and now you moved it to inside interface. If correct,


1) Assign this server a public IP in 203.127.128.128/26 subnet.


2) Change the gateway of this server from 203.127.218.193 to 203.127.218.129


3) Run clear xlate and clear arp command in PIX


4) Run arp -d in command line of server for 4-5 times


Now here is the issue

"Outside hosts/ Internet users are not able to reach the new server "


You have the following acl

access-list 111 permit tcp any host 203.127.218.207


Now change this acl for the new IP address that you assigned Server X

Thanks for your efforts sir!

These have been tried before and found not to work.


Rephrasing the problem:-

If I add new servers either in Inside int or intf2, it does not work. Existing servers are working fine.


For testing, I brought down one of the production servers and used its IP for the new test server. Now the new test server works. But with a new IP, say in the .128 or .192 subnet, the new servers do not work.

