02-15-2008 10:34 AM - edited 03-11-2019 05:03 AM
Hi,
I have a scenario.
1. We are using Pix515E with Restricted license
2. Currently we have moved 9 servers behind the pix firewall
3. Now we are planning to move additional servers, but somehow pix does not allow it
4. NAT translations are ok
5. Configs have been verified to be ok
6. ACLs are allowed
7. Inside servers can ping and reach/ browse the new webserver
8. New webserver is able to ping other inside servers and gateway-pix firewall
9. Outside hosts/ Internet users are not able to reach the new server
10. Pix logs do not show anything suspicious
11. Capture shows the ack is just not happening
12. We have tried to reboot / reapply the configs
Can someone please advise what may be wrong?
02-15-2008 10:38 AM
Hi Prasanna
Please post your running config and output of sh ver command.
"Now we are planning to move additional servers, but somehow pix does not allow it "
Can you describe this please? What error do you encounter?
Regards
02-15-2008 11:11 AM
Hi,
Thanks for reply.
Here's the running config, edited before posting ;)
I could see the NAT translations happening
Required traffic is allowed on the firewall
We are currently moving a server in this setup behind the pix firewall.
Existing servers in this network could access the new server
But Internet users/ from outside interface we are unable to reach this server
Even from router I am unable to ping this server, though I have tried allowing the icmp from the router.
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security80
hostname pix
clock timezone utc+8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 110 permit icmp any any
access-list 110 permit tcp 200.x.x.x 255.255.255.192 any
access-list 110 permit tcp 200.x.x.x 255.255.255.192 250.x.x.x 255.255.255.192
access-list 111 permit icmp host 192.168.1.1 any
access-list 111 permit tcp any 200.x.x.x 255.255.255.192
access-list 111 permit tcp any 250.x.x.x 255.255.255.192
access-list 112 permit icmp any any
access-list 112 permit tcp 250.x.x.x 255.255.255.192 any
access-list 112 permit tcp 250.x.x.x 255.255.255.192 200.x.x.x 255.255.255.192
no pager
logging on
logging timestamp
logging standby
logging buffered warnings
logging trap warnings
logging history errors
logging device-id hostname
logging host inside 192.168.150.10
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.2 255.255.255.252
ip address inside 200.x.x.x 255.255.255.192
ip address intf2 250.x.x.x 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
static (intf2,outside) 250.x.x.x 250.x.x.x netmask 255.255.255.192 0 0
static (inside,outside) 200.x.x.x 200.x.x.x netmask 255.255.255.192 0 0
static (inside,intf2) 200.x.x.x 200.x.x.x netmask 255.255.255.192 0 0
access-group 111 in interface outside
access-group 110 in interface inside
access-group 112 in interface intf2
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.150.0 255.255.255.0 200.x.x.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 192.168.1.0 255.255.255.0 inside
snmp-server location xxx
snmp-server contact xxx
snmp-server community xxx
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:dc9d7ae796879bf7eacbc082387f2db9
: end
02-15-2008 11:11 AM
show version
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 13-Aug-03 13:55 by morlee
pix up 2 hours 25 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : Crypto5823 (revision 0x1)
0: ethernet0: address is 0011.2164.3c0a, irq 10
1: ethernet1: address is 0011.2164.3c0b, irq 11
2: ethernet2: address is 000d.88ee.8ec0, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 808549223 (0x302c27bb)
Running Activation Key: 0x18eaa253 0x445d4e76 0x4a743bdc 0x2ec5df9c
Here's the capture log for the new server, captured on the outside interface
00:40:48.749549 157.233.234.4.59474 > 250.x.x.207.80: S 2108858885:2108858885(0) win 65535
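The capture line above is the whole symptom: a SYN from an Internet host toward the new server with no SYN/ACK coming back through the outside interface. The following script is an added example, not something posted in this thread; it parses tcpdump-style "show capture" lines of the same shape as the one above and reports every client SYN that never received a SYN/ACK, grouped by server and port, so retransmitted SYNs to a silent host stand out from working handshakes. The sample capture embedded in it is constructed for the example (the .200 server and the repeated SYNs are not from the thread).

```python
import re
from collections import defaultdict

# Line format of "show capture" on a PIX (tcpdump style). A leading
# "N: " packet index, if present, is tolerated.
LINE_RE = re.compile(
    r"^(?:\d+:\s+)?(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)

# Constructed sample capture (not from the thread): three retransmitted
# SYNs to the new server that never get a SYN/ACK, plus one healthy
# three-way handshake with a server that does answer.
SAMPLE_CAPTURE = """\
00:40:48.749549 157.233.234.4.59474 > 250.x.x.207.80: S 2108858885:2108858885(0) win 65535
00:40:49.102233 157.233.234.4.59475 > 250.x.x.200.80: S 99001:99001(0) win 65535
00:40:49.102890 250.x.x.200.80 > 157.233.234.4.59475: S 771234:771234(0) ack 99002 win 8192
00:40:49.103100 157.233.234.4.59475 > 250.x.x.200.80: . ack 771235 win 65535
00:40:51.748201 157.233.234.4.59474 > 250.x.x.207.80: S 2108858885:2108858885(0) win 65535
00:40:57.750112 157.233.234.4.59474 > 250.x.x.207.80: S 2108858885:2108858885(0) win 65535
"""


def split_endpoint(endpoint):
    """'157.233.234.4.59474' -> ('157.233.234.4', 59474). The host part may
    be masked like '250.x.x.207', so only the last dot separates the port."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Parse one capture line into a dict, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    return {
        "ts": m.group("ts"),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "syn": "S" in m.group("flags"),
        # tcpdump prints "ack N" in the trailer when the ACK bit is set
        "ack": re.search(r"\back\b", m.group("rest")) is not None,
    }


def unanswered_syns(lines):
    """Return {(server, port): syn_count} for client flows whose SYN(s)
    never got a SYN/ACK back across the capture point."""
    syns = defaultdict(int)   # (client, cport, server, sport) -> SYNs seen
    answered = set()
    for line in lines:
        p = parse_line(line)
        if p is None or not p["syn"]:
            continue
        if p["ack"]:
            # SYN/ACK travels server -> client, so the flow key is reversed
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
        else:
            syns[(p["src"], p["sport"], p["dst"], p["dport"])] += 1
    result = defaultdict(int)
    for (client, cport, server, sport), n in syns.items():
        if (client, cport, server, sport) not in answered:
            result[(server, sport)] += n
    return dict(result)


def report(lines):
    """Human-readable summary, one line per silent server:port."""
    rows = unanswered_syns(lines)
    if not rows:
        return "every SYN in the capture was answered"
    return "\n".join(f"{server}:{port}  {n} SYN(s), no SYN/ACK seen"
                     for (server, port), n in sorted(rows.items()))


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE.splitlines()))
```

Run it over the saved output of "show capture" on the outside interface; a server that shows up with several SYNs and no SYN/ACK while its neighbours complete handshakes narrows the fault to that host or its path through the firewall, which is the same reasoning the replies below follow.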
02-15-2008 04:16 PM
The x.x.x's make it hard to understand. Can you attach it as a file (attached files expire in time)? What is your inside server IP (with subnet mask)? Are the 200.x.x.x addresses public IPs?
02-15-2008 05:57 PM
Hi,
Thanks again!
I am attaching the configs, only deleting the object-groups. All other configs are intact.
Deleting object-group is just to shorten the cli, as we have a huge number of ip's under object-groups.
Yes, the inside server IP is 203.127.218.207/26; these are public IPs.
02-16-2008 07:27 AM
Thanks for your time on config posting.
Here is the issue
static (intf2,outside) 203.127.218.192 203.127.218.192 netmask 255.255.255.192 0 0
static (inside,outside) 203.127.218.128 203.127.218.128 netmask 255.255.255.192 0 0
ip address inside 203.127.218.129 255.255.255.192
According to the above lines, I understand that this server was previously located at intf2, because as you see 203.127.218.207/26 does not belong to 203.127.218.128/26. You have two options
1) Change the server ip in a range of defined static above (between 203.127.218.128-203.127.218.190) (Recommended)
2) We have to make a huge change in config to be able to keep 207 in inside if it is a must not to change the IP.
Regards
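The reply above reaches its conclusion by comparing the server's address against the interface subnet, the static for that interface, and the ACL applied on outside. The script below is an added example, not code from this thread; it automates exactly those three checks on a PIX 6.3 configuration. The config excerpt embedded in it is constructed from the lines posted in this thread with the masked octets filled in from the 203.127.218.x addresses given later, and the check names ("subnet", "static", "acl") and the function names are the example's own.

```python
import ipaddress
import re

# Constructed excerpt of the thread's PIX 6.3 config (only the lines the
# checks need), with the masked octets filled in from the later posts.
CONFIG = """\
ip address outside 192.168.1.2 255.255.255.252
ip address inside 203.127.218.129 255.255.255.192
ip address intf2 203.127.218.193 255.255.255.192
access-list 111 permit icmp host 192.168.1.1 any
access-list 111 permit tcp any 203.127.218.128 255.255.255.192
access-list 111 permit tcp any 203.127.218.192 255.255.255.192
static (intf2,outside) 203.127.218.192 203.127.218.192 netmask 255.255.255.192 0 0
static (inside,outside) 203.127.218.128 203.127.218.128 netmask 255.255.255.192 0 0
access-group 111 in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def _acl_addr(tokens, i):
    """Consume one PIX ACL address spec ('any', 'host X' or 'X MASK')
    starting at tokens[i]; returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix_config(text):
    """Pull interfaces, statics, ACL permits and access-groups out of a
    PIX 6.x running config; other lines are ignored."""
    cfg = {"interfaces": {}, "statics": [], "acls": {}, "access_groups": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            cfg["interfaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "static":
            m = STATIC_RE.match(raw)
            if m:
                real_if, mapped_if, mapped, real, mask = m.groups()
                cfg["statics"].append({
                    "real_if": real_if, "mapped_if": mapped_if,
                    "real": ipaddress.ip_network(f"{real}/{mask}", strict=False),
                    "mapped": ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
                })
        elif t[0] == "access-list" and len(t) > 5 and t[2] == "permit":
            src, i = _acl_addr(t, 4)
            dst, _ = _acl_addr(t, i)          # port qualifiers after dst are ignored
            cfg["acls"].setdefault(t[1], []).append((t[3], src, dst))
        elif t[0] == "access-group" and len(t) == 5 and t[2:4] == ["in", "interface"]:
            cfg["access_groups"][t[4]] = t[1]
    return cfg


def check_server(cfg, server_ip, attached_if, outside_if="outside"):
    """Return [(check, ok, detail)] for: the server sits in the attached
    interface's subnet, a static (attached_if,outside) covers it, and the
    ACL applied inbound on outside permits traffic to its mapped address."""
    ip = ipaddress.ip_address(server_ip)
    findings = []

    iface = cfg["interfaces"].get(attached_if)
    in_subnet = iface is not None and ip in iface.network
    findings.append(("subnet", in_subnet,
                     f"{ip} vs {iface.network if iface else 'no ip address line'} on {attached_if}"))

    statics = [s for s in cfg["statics"]
               if s["real_if"] == attached_if and s["mapped_if"] == outside_if and ip in s["real"]]
    findings.append(("static", bool(statics),
                     f"static ({attached_if},{outside_if}) covering {ip}: "
                     + (str(statics[0]["real"]) if statics else "none")))

    # Outside-visible address: same offset into the mapped range. For the
    # identity statics in this config it is the real address itself.
    mapped_ip = ip
    if statics:
        s = statics[0]
        mapped_ip = s["mapped"][int(ip) - int(s["real"].network_address)]

    acl_name = cfg["access_groups"].get(outside_if)
    entries = cfg["acls"].get(acl_name, [])
    permitted = any(mapped_ip in dst for _, _, dst in entries)
    findings.append(("acl", permitted,
                     f"access-group {acl_name} on {outside_if} permits to {mapped_ip}: {permitted}"))
    return findings


def all_ok(findings):
    return all(ok for _, ok, _ in findings)


if __name__ == "__main__":
    cfg = parse_pix_config(CONFIG)
    for server, iface in (("203.127.218.207", "inside"), ("203.127.218.207", "intf2")):
        print(f"{server} on {iface}:")
        for check, ok, detail in check_server(cfg, server, iface):
            print(f"  [{'ok' if ok else 'FAIL'}] {check}: {detail}")
```

For 203.127.218.207 placed on inside the subnet and static checks fail while the ACL check passes, which is the mismatch the reply points at; the same host on intf2 passes all three. When every check passes and outside hosts still get no SYN/ACK, the firewall configuration is not the place to keep looking, which is how this thread eventually ends.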
02-16-2008 06:28 PM
Yes, indeed, server 203.127.218.207/26 belongs to intf2 and subnet 203.127.218.192/26 and will remain there. We have tried moving to subnet 203.127.218.128/26, still the same results.
As we are using ver6.3, NAT0 alone is not sufficient, hence we are using static nat and could see the nat translations.
Config:-
ip address intf2 203.127.218.193 255.255.255.192
02-17-2008 09:03 AM
So let me rephrase and correct me if I am wrong.
Server X WAS! located at intf2 with an IP of 203.127.128.207/26 and now you moved it to inside interface. If correct,
1) Assign this server a public IP in 203.127.128.128/26 subnet.
2) Change the gateway of this server from 203.127.218.193 to 203.127.218.129
3) Run clear xlate and clear arp command in PIX
4) Run arp -d in command line of server for 4-5 times
Now here is the issue
"Outside hosts/ Internet users are not able to reach the new server "
You have the following acl
access-list 111 permit tcp any host 203.127.218.207
Now change this acl for the new IP address that you assigned Server X
02-18-2008 01:43 AM
Thanks for your efforts sir!
These have been tried before and found not to work.
Rephrasing the problem:-
If I add new servers on either the inside interface or intf2, they do not work. Existing servers are working fine.
For testing, I brought down one of the production servers and used its IP for the new test server. Now the new test server works. But with a new IP, say in the .128 or .192 subnet, the new servers do not work.
02-19-2008 07:35 PM
Big THANKS to husycisco !
I have figured out the problem now. Unfortunately all 3 test servers we had been using to test were faulty in one way or another, either the NIC card or the image ....
Thanks for your effort and time sir.
Highly appreciate your help.
02-19-2008 08:01 PM
Glad that you sorted it out :)
Regards