PIX 506E PROBLEM

Answered Question
Jul 15th, 2008

I'm at work configuring a Cisco PIX 506E, and I have a problem.

The outside interface can't reach the router which brings the local net to the internet. For now I don't want anything but to reach the internet and do some port forwarding for some local servers. I don't care about any other aspect of the PIX as a firewall because it's a spare and we want it only to replace an old router. Then we want to do IPSEC tunneling, but that's another story. For now I only want the PIX to do the same function as the old router. It could be interesting to erase everything and start from scratch . . . this is my configuration data on the old router:

ROUTER IP ADDRESS: 192.169.7.100 netmask 255.255.255.0 ( 192.169.7.0 is the local subnet )

INTERNET IP ADDRESS: 213.x.x.202 netmask 255.0.0.0

GATEWAY: 213.x.178.29

Ok. This is my actual PIX configuration:

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname pixfirewall

domain-name work.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol http 80-88

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list ping-acl remark allow pings on the outside

access-list ping-acl permit icmp any any

access-list inbound permit icmp any any

access-list inbound permit tcp any any eq www

access-list permit_icmp permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 213.x.x.202 255.0.0.0

ip address inside 192.169.7.100 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.169.7.0 255.255.255.0 0 0

access-group permit_icmp in interface outside

conduit permit tcp host 0.0.0.0 eq 81 host 192.169.7.2

route outside 0.0.0.0 0.0.0.0 213.229.178.29 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh 192.169.1.0 255.255.255.0 inside

ssh 192.169.7.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxx

So I can reach the PIX but I can't get out of it to the inet. I don't know why. If you can answer this one, then it would be interesting to know how to make one port forwarding from the inet to a specific server of the local subnet on a port, for example 8080. Thank you so much.

Overall Rating: 3.2 (12 ratings)
Collin Clark Tue, 07/15/2008 - 05:29

You need a NAT translation,

static (inside,outside) tcp [public IP] 8080 [private IP] 8080

don't forget to add the port & protocol in your outside ACL too.

Hope that helps.

godzilla0 Tue, 07/15/2008 - 05:35

Thank you for the NAT translation hint, but I need to know why I can't access the internet with this configuration. Thanks.

Collin Clark Tue, 07/15/2008 - 05:36

Can you ping the ISP router? If yes, can you ping an internet address (4.2.2.2)?

godzilla0 Tue, 07/15/2008 - 05:43

Hello, no . . I can't ping the ISP router. That's the main problem. I think I must connect the inside iface with the external iface ???

OUTPUT:

pixfirewall# ping 213.229.178.29

213.229.178.29 NO response received -- 1000ms

213.229.178.29 NO response received -- 1000ms

213.229.178.29 NO response received -- 1000ms

pixfirewall# ping 4.2.2.2

4.2.2.2 NO response received -- 1000ms

4.2.2.2 NO response received -- 1000ms

4.2.2.2 NO response received -- 1000ms

Thanks !

EDIT: ( BOTH INTERFACES ARE UP )

dhananjoy chowdhury Tue, 07/15/2008 - 05:37

Hi,

Try to access some website on the Internet and then, issue this command on the PIX, to see whether NAT is happening or not.

"show xlate"

Then do " clear xlate" and again try to access.

-------------------------------

Now suppose you want to forward connections on the Outside IP of PIX on port 8080 to the server inside(suppose 192.169.7.100) on 8080 from Internet :

static(inside,outside) tcp interface 8080 192.169.7.100 8080 netmask 255.255.255.255

access-list out-in permit tcp any interface outside eq 8080

godzilla0 Tue, 07/15/2008 - 05:43

Hi thank you for your help ! No, this is the output for the show xlate:

pixfirewall# show xlate

55 in use, 177 most used

PAT Global 213.27.252.202(1576) Local 192.169.7.240(36315)

PAT Global 213.27.252.202(1577) Local 192.169.7.240(47101)

PAT Global 213.27.252.202(1578) Local 192.169.7.240(56852)

PAT Global 213.27.252.202(1579) Local 192.169.7.4(49151)

PAT Global 213.27.252.202(1580) Local 192.169.7.240(45379)

PAT Global 213.27.252.202(1581) Local 192.169.7.240(53988)

PAT Global 213.27.252.202(1582) Local 192.169.7.1(34708)

PAT Global 213.27.252.202(1583) Local 192.169.7.240(55006)

PAT Global 213.27.252.202(1568) Local 192.169.7.240(53147)

PAT Global 213.27.252.202(1569) Local 192.169.7.4(49147)

PAT Global 213.27.252.202(1570) Local 192.169.7.240(54975)

PAT Global 213.27.252.202(1571) Local 192.169.7.4(49149)

PAT Global 213.27.252.202(1572) Local 192.169.7.240(35676)

PAT Global 213.27.252.202(1573) Local 192.169.7.240(33532)

PAT Global 213.27.252.202(1574) Local 192.169.7.4(49150)

PAT Global 213.27.252.202(1575) Local 192.169.7.240(34880)

PAT Global 213.27.252.202(1592) Local 192.169.7.240(49059)

PAT Global 213.27.252.202(1593) Local 192.169.7.4(49155)

PAT Global 213.27.252.202(1594) Local 192.169.7.240(46846)

PAT Global 213.27.252.202(1595) Local 192.169.7.4(49156)

PAT Global 213.27.252.202(1584) Local 192.169.7.4(49152)

PAT Global 213.27.252.202(1585) Local 192.169.7.240(42149)

PAT Global 213.27.252.202(1586) Local 192.169.7.1(34709)

PAT Global 213.27.252.202(1587) Local 192.169.7.4(49153)

PAT Global 213.27.252.202(1588) Local 192.169.7.240(53754)

PAT Global 213.27.252.202(1589) Local 192.169.7.4(49154)

PAT Global 213.27.252.202(1590) Local 192.169.7.1(34710)

PAT Global 213.27.252.202(1591) Local 192.169.7.240(38344)

PAT Global 213.27.252.202(1544) Local 192.169.7.4(49140)

PAT Global 213.27.252.202(1545) Local 192.169.7.4(49141)

PAT Global 213.27.252.202(1546) Local 192.169.7.240(38441)

PAT Global 213.27.252.202(1547) Local 192.169.7.240(43015)

PAT Global 213.27.252.202(1548) Local 192.169.7.240(46285)

PAT Global 213.27.252.202(1549) Local 192.169.7.240(53807)

PAT Global 213.27.252.202(1550) Local 192.169.7.240(50523)

PAT Global 213.27.252.202(1551) Local 192.169.7.240(59858)

PAT Global 213.27.252.202(1543) Local 192.169.7.1(34707)

PAT Global 213.27.252.202(1560) Local 192.169.7.240(60751)

PAT Global 213.27.252.202(1561) Local 192.169.7.240(39161)

PAT Global 213.27.252.202(1562) Local 192.169.7.4(49144)

PAT Global 213.27.252.202(1563) Local 192.169.7.240(33474)

PAT Global 213.27.252.202(1564) Local 192.169.7.240(56606)

PAT Global 213.27.252.202(1565) Local 192.169.7.240(37736)

PAT Global 213.27.252.202(1566) Local 192.169.7.4(49146)

PAT Global 213.27.252.202(1567) Local 192.169.7.240(43717)

PAT Global 213.27.252.202(1552) Local 192.169.7.4(49142)

PAT Global 213.27.252.202(1553) Local 192.169.7.240(46145)

PAT Global 213.27.252.202(1554) Local 192.169.7.240(46275)

PAT Global 213.27.252.202(1555) Local 192.169.7.240(44372)

PAT Global 213.27.252.202(1556) Local 192.169.7.240(35713)

PAT Global 213.27.252.202(1557) Local 192.169.7.240(49242)

PAT Global 213.27.252.202(1558) Local 192.169.7.240(42007)

PAT Global 213.27.252.202(1559) Local 192.169.7.4(49143)

PAT Global 213.27.252.202(1085) Local 192.169.7.2(45939)

PAT Global 213.27.252.202(1086) Local 192.169.7.240(38588)

jmia@ohgroup.co.uk Tue, 07/15/2008 - 05:54

What type of cable do you have connected from the port of the PIX to the ISP router? Is it cross-over or straight through??

Also, I would clear up your PIX configuration, to be honest I would start from scratch - you can set the PIX to its factory default configuration - if your box is running version 6.2 or above.

Let us know...

dhananjoy chowdhury Tue, 07/15/2008 - 06:07

Is your setup like this?

((ISP))---z---(Internet-Router)----<>--LAN

If yes, then what Jay has said could be a point... check the connectivity between the PIX and the Internet Router.

godzilla0 Tue, 07/15/2008 - 06:13

From my side the setup is like this:

LAN-------PIX-----ISP ( a router probably )

so: Inside-> 192.169.7.100

Outside-> 213.27.252.202

Default route (ispgateway)->213.229.178.29

godzilla0 Tue, 07/15/2008 - 06:10

The cable is a crossover, but I changed it to a plain one and the results are the same.

Can you tell me how to wipe out the config ?

Thanks.

jmia@ohgroup.co.uk Tue, 07/15/2008 - 06:20

Ok... keep the cross-over cable and ask your ISP to clear the router ARP cache for you. You can reset the PIX to factory default configuration by issuing (in config mode)..

configure factory-default

After the reset, rebuild your configuration but this time with no ACLs, just the basics, i.e. outside IP address with correct mask and inside IP address with correct mask, plus the correct default gateway to the ISP router.

We can then troubleshoot the problem further and build your PIX configuration up further.

But I am a little confused, as you mention 'router probably' in your post. Is it a router or a modem??

Speak soon...

godzilla0 Tue, 07/15/2008 - 06:23

Thanks for your help! I'm sure the ISP device is a router. I'm at a datacenter and I'm sure there are no modem connections for the customers. Ok, right now I'm wiping the config. I'll post again some minutes later.

Thanks.

godzilla0 Tue, 07/15/2008 - 06:46

Ok, I did conf term, then configure factory-default 192.169.7.100 255.255.255.0. The process goes on, but then if I do show conf the configuration remains the same. I even tried to do it and then reboot the PIX, but the configuration doesn't go away. Any comments?

EDIT: Ok I'm sorry I only needed to do write mem to visualize the changes made. Now it's clear.

godzilla0 Tue, 07/15/2008 - 06:55

Yes, it's done now. I edited the last post to include that. Ok. Now, can I erase all the DHCP stuff that comes by default? I don't need it, as all the servers on this subnet are using static IP addressing.

jmia@ohgroup.co.uk Tue, 07/15/2008 - 07:00

Good... yes you can erase the DHCP, do (in config mode)

clear dhcpd

save with - wr m

And then we can carry on....

godzilla0 Tue, 07/15/2008 - 07:05

Ok now that's done. First warning.

I did: ip address inside 192.169.7.100 255.255.255.0, no problem.

But then I did ip address outside 213.27.252.202 255.0.0.0

And the following warning appear:

WARNING: unable to add route to OSPF RIB.

jmia@ohgroup.co.uk Tue, 07/15/2008 - 07:10

Is that the correct MASK for that IP? It should be in the form...

213.27.252.202 255.255.255.x

So my next question is.. how many public IP addresses has been assigned to you by your ISP?

godzilla0 Tue, 07/15/2008 - 07:18

Yes that's the correct mask. Now we must get the servers to reach the inet.

godzilla0 Tue, 07/15/2008 - 07:16

Ok, now we are going the good way. I can ping the ISP router and Google's IP. But if I ping the Google IP from any of the servers on the local subnet I can't reach anything.

The successful pings are executed from the router's CLI. Thanks!

jmia@ohgroup.co.uk Tue, 07/15/2008 - 07:24

Good to hear it's going the correct way, ok now add the following into your PIX configuration (in config mode)... (I have named this ACL outside-in)

access-list outside-in permit icmp any any echo-reply

access-list outside-in icmp any any unreachable

access-list outside-in icmp any any time-exceeded

access-group outside-in in interface outside

Save with: wr m and try pinging IP 4.2.2.2 from one of the LAN servers, I presume your LAN servers have a default gateway of the PIX?

......

godzilla0 Tue, 07/15/2008 - 07:53

Let's see . . I can input the first line of your acl configuration but none of the rest.

The CLI dumps the command syntax after I try to input them.

Thanks !

jmia@ohgroup.co.uk Tue, 07/15/2008 - 07:59

Now that's strange... I have the same setup on my lab PIX with no problem.

If you take out what you have already setup i.e. in config mode issue..

clear access-list outside-in

and save with wr m

After the above, copy the config that I have posted onto notepad and then copy back to the PIX in config mode i.e. all of the config in one go rather than line by line.

godzilla0 Tue, 07/15/2008 - 08:26

Doing it like you said, I was able to put in these two lines, pasting on a Linux console:

access-list outside-in permit icmp any any echo-reply AND

access-group outside-in in interface outside

Now I can access the inet from only 1 host, the host where I'm working. It's a laptop. The rest of the servers can't ping out yet. But we are close. . . .

godzilla0 Tue, 07/15/2008 - 08:31

Sorry, with those 2 lines now all of them are getting out. Now . . I don't know if the other 2 access-list rules are necessary. I think the only thing I need now is to do the port forwarding. But I'm interested in knowing how those 2 access-list rules are working, I want to understand it and if possible, could you point me to a good piece of info about the PIX 506E? I want to take advantage of all the features it can give me.

Waiting for answer, thanks.

jmia@ohgroup.co.uk Tue, 07/15/2008 - 09:17

Hello Xavier,

Are you saying that all your servers are getting to the internet?

I am happy to hear that you want to learn more about the PIX and its configurations etc. Of course you can obtain the necessary information by either purchasing or reading material from (I would recommend a book by David Hucaby) here...

http://www.ciscopress.com/bookstore/product.asp?isbn=158705485X

Or you can look up lots of configuration details from Cisco TechNotes here...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Regards

Jay

godzilla0 Tue, 07/15/2008 - 09:40

Yes, all the servers are getting out. But now I need the final touch. I need to do some port forwarding. I need, for example, that all of port 8080 from outside goes to a specific host.

Then I do:

static (inside,outside) tcp [public IP] 8080 [private IP] 8080

But It does not work. Is there something more I must add to get the port forwarding working ?

Correct Answer
Collin Clark Tue, 07/15/2008 - 09:43

Are you using the interface IP or a separate public IP? Also do you have the port open in your ACL?

godzilla0 Tue, 07/15/2008 - 10:12

I'm using the outside interface IP, it's my public IP also. Sorry, but I don't know how to include the ports in the ACL. I give you five stars for your support!

Collin Clark Tue, 07/15/2008 - 10:20

The static will change since you're using the interface IP.

static (inside,outside) tcp interface 8080 [private IP] 8080 netmask 255.255.255.255

I'm not sure what your ACL name is that is applied to your outside interface, but here's what it should look like for port 8080.

access-list outside_access permit tcp any host 213.27.252.202 eq 8080

You might want to change the any to the specific public IP's that will be accessing your services.

Hope that helps and thanks for the points!

godzilla0 Wed, 07/16/2008 - 02:12

Hi, this is my config now:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname pixfirewall

domain-name cisco.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 213.x.x.202 255.0.0.0

ip address inside 192.169.7.100 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 213.27.252.202 8080 192.169.7.102 8080 netmask 255.255.255.255 0 0

static (inside,outside) tcp 213.27.252.202 81 192.169.7.2 81 netmask 255.255.255.255 0 0

static (inside,outside) tcp 213.27.252.202 520 192.169.7.30 520 netmask 255.255.255.255 0 0

static (inside,outside) tcp 213.27.252.202 ssh 192.169.7.3 ssh netmask 255.255.255.255 0 0

static (inside,outside) tcp 213.27.252.202 659 192.169.7.30 659 netmask 255.255.255.255 0 0

static (inside,outside) tcp 213.27.252.202 ftp 192.169.7.102 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp 213.27.252.202 www 192.169.7.3 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 213.27.252.202 88 192.169.7.30 88 netmask 255.255.255.255 0 0

access-group outside-in in interface outside

route outside 0.0.0.0 0.0.0.0 213.229.178.29 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.169.7.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh 192.168.7.0 255.255.255.0 inside

ssh 192.169.7.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

terminal width 80

Cryptochecksum:xxx

Can you say what kind of access list I should use and if my port mapping config is ok?

Thanks !

Collin Clark Wed, 07/16/2008 - 05:24

The statics look OK. Here is what you need to add for the ACL-

access-group outside-in permit tcp any host 213.27.252.202 eq 8080

access-group outside-in permit tcp any host 213.27.252.202 eq 81

access-group outside-in permit tcp any host 213.27.252.202 eq 520

access-group outside-in permit tcp any host 213.27.252.202 eq 22

access-group outside-in permit tcp any host 213.27.252.202 eq 659

access-group outside-in permit tcp any host 213.27.252.202 eq 21

access-group outside-in permit tcp any host 213.27.252.202 eq 80

access-group outside-in permit tcp any host 213.27.252.202 eq 88

Let us know how it goes.

jmia@ohgroup.co.uk Wed, 07/16/2008 - 05:27

Slight typo on Collin Clark's post I think...

It should read:

access-list outside-in permit tcp any host 213.27.252.202 eq 8080

"

"

"

"

access-list outside-in permit tcp any host 213.27.252.202 eq 88

access-group outside-in in interface outside

HTH //Jay
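As an added example (not code from the thread, from Cisco, or from any of the posters), a small Python checker for the things this thread tripped over: an access-group applied to an ACL that has no entries (the 07/16 config), a static whose public port has no permit in the outside ACL, the access-group/access-list slip in Collin's post, and a default gateway that falls outside the outside interface's subnet (which is what the /8 mask question was about). SAMPLE_CONFIG is constructed from godzilla0's posted config with one static on port 80 deliberately left without a permit; the line formats it parses are only the ones used in this thread.

```python
"""Consistency checks for PIX 6.x port forwarding (static + access-list).
Flags an applied ACL with no entries, a static whose public port no ACL entry
permits, the 'access-group ... permit' slip, and an off-subnet default gateway.
SAMPLE_CONFIG is constructed from the config posted in the thread."""
import ipaddress
import re

PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80, "smtp": 25}
ACL_TCP = re.compile(r"access-list (\S+) permit tcp any (?:host (\S+)|any|interface (\S+)) eq (\S+)")
STATIC = re.compile(r"static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)")
APPLIED = re.compile(r"access-group (\S+) in interface (\S+)")

SAMPLE_CONFIG = """\
ip address outside 213.27.252.202 255.0.0.0
ip address inside 192.169.7.100 255.255.255.0
static (inside,outside) tcp 213.27.252.202 8080 192.169.7.102 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp 213.27.252.202 ssh 192.169.7.3 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.169.7.3 www netmask 255.255.255.255 0 0
access-list outside-in permit tcp any host 213.27.252.202 eq 8080
access-list outside-in permit tcp any interface outside eq 22
access-group outside-in permit tcp any host 213.27.252.202 eq 80
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 213.229.178.29 1
"""

def port_number(tok):
    # PIX accepts keywords (ssh, www, ...) or numbers for ports.
    return PORT_NAMES.get(tok.lower()) or int(tok)

def audit(config):
    findings, acls, applied, statics, ifaces, gw = [], {}, {}, [], {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-group" and ("permit" in t or "deny" in t):
            findings.append(f"syntax: '{line}' should start with access-list, not access-group")
        elif m := APPLIED.match(line):
            applied[m.group(2)] = m.group(1)          # interface -> ACL name
        elif t[0] == "access-list":
            acls.setdefault(t[1], [])                  # a remark alone still names the ACL
            if m := ACL_TCP.match(line):
                acls[t[1]].append((m.group(2) or m.group(3) or "any", port_number(m.group(4))))
        elif m := STATIC.match(line):
            statics.append((m.group(1), port_number(m.group(2)), m.group(3), port_number(m.group(4))))
        elif t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            gw = ipaddress.ip_address(t[4])
    out_ip = str(ifaces["outside"].ip) if "outside" in ifaces else None
    resolve = lambda x: out_ip if x in ("interface", "outside") else x   # 'interface' == outside address
    # 1. An applied ACL with no entries leaves only the implicit deny: nothing gets in.
    for iface, name in applied.items():
        if not acls.get(name):
            findings.append(f"access-group {name} on {iface} applies an ACL with no entries: all inbound traffic is dropped")
    # 2. Every static needs a permit for its public address and port in the ACL on outside.
    permitted = [(resolve(d), p) for d, p in acls.get(applied.get("outside"), [])]
    for pub, pport, priv, vport in statics:
        pub = resolve(pub)
        if not any(d in ("any", pub) and p == pport for d, p in permitted):
            findings.append(f"static {pub}:{pport} -> {priv}:{vport} has no permitting access-list entry on outside")
    # 3. The default gateway must be on the outside subnet (the /8 mask is what puts 213.229.178.29 there).
    if gw is not None and "outside" in ifaces and gw not in ifaces["outside"].network:
        findings.append(f"default gateway {gw} is not on the outside subnet {ifaces['outside'].network}")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```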

godzilla0 Wed, 07/16/2008 - 08:21

Ok !! Case closed ! Now everything is working and I know more about the PIX !!! Big thanks to everybody who helped and tried to help.

godzilla0 Tue, 07/15/2008 - 09:02

Ok, I did conf term, then configure factory-default 192.169.7.100 255.255.255.0. The process goes on, but then if I do show conf the configuration remains the same. I even tried to do it and then reboot the PIX, but the configuration doesn't go away. Any comments?


Collin Clark Tue, 07/15/2008 - 09:06

You can always do a write erase, then reload. If it prompts that the config has changed, do you want to save?, choose no. This will delete the ENTIRE config though.
