PIX 6.3 configuration

Answered Question
Dec 21st, 2009

I'm not really a firewall guy, and I'm certainly not familiar with the older PIX OS, but I'm trying a new lab setup and would like to make this work.

I have a PIX 501. I'd like to use it to NAT a few hosts to a single T1. I want the PIX internal IP to be 10.1.100.10. I'd like it to NAT dynamically anything in the 10.1.100.0/24 pool. Here is my current config with actual IPs, etc. removed. What am I doing wrong? I can set an XP machine in the same VLAN, assign it one of my ISP allocated static IPs, and it works perfectly. With the PIX, I get nothing... I'm sure it's something really obvious, but like I said this isn't really my cup of tea. Any help would absolutely be appreciated.

chq-mdf-fw-02# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
hostname chq-mdf-fw-02
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping_acl permit icmp any any
access-list ping_acl permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.XX.XX 255.255.255.248
ip address inside 10.1.100.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.XX
nat (inside) 1 10.1.100.1 255.255.255.0 0 0
access-group ping_acl in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 255.255.255.255 ISP.GATEWAY.IP.XX 1
route inside 10.0.0.0 255.0.0.0 10.1.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
console timeout 0
dhcpd address 10.1.100.220-10.1.100.225 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
: end

Ivan Martinon Mon, 12/21/2009 - 15:15

Go ahead and change your nat lines to be:

nat (inside) 1 10.1.100.0 255.255.255.0 0 0

rather than

nat (inside) 1 10.1.100.1 255.255.255.0 0 0

and issue the command "clear xlate"

Try again after it

Correct Answer
Panos Kampanakis Mon, 12/21/2009 - 16:03

I would suggest one more change.

global (outside) 1 XX.XX.XX.XX
nat (inside) 1 10.1.100.1 255.255.255.0 0 0

Is XX.XX.XX.XX the IP of your outside interface?

If yes it will not work.

Please change the global to "global (outside) 1 interface" instead.

I hope it helps.

PK
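As an added example (not from the thread or from Cisco), a small Python checker for the three configuration mistakes visible in the posted config and discussed in the replies: a nat statement whose address is a host inside the subnet rather than the network address, a global pool that reuses the outside interface's own IP instead of the "interface" keyword, and a default route written with a 255.255.255.255 mask (the original config has this; the later post shows it corrected). The sample config is constructed from the posted one, with documentation addresses standing in for the masked ones.

```python
import ipaddress

# Constructed sample modelled on the config posted in the thread; the poster
# masked the real addresses, so 203.0.113.x documentation addresses are used.
SAMPLE_CONFIG = """
ip address outside 203.0.113.28 255.255.255.248
ip address inside 10.1.100.10 255.255.255.0
global (outside) 1 203.0.113.28
nat (inside) 1 10.1.100.1 255.255.255.0 0 0
route outside 0.0.0.0 255.255.255.255 203.0.113.25 1
route inside 10.0.0.0 255.0.0.0 10.1.100.1 1
"""

def lint_pix_config(text):
    """Return a list of findings for a PIX 6.3 style running config."""
    lines = [ln.split() for ln in text.splitlines() if ln.split()]
    # First pass: map each nameif to the address configured on it.
    if_addrs = {w[2]: w[3] for w in lines if w[:2] == ["ip", "address"] and len(w) >= 5}
    findings = []
    for w in lines:
        if w[0] == "nat" and len(w) >= 5:
            # nat (inside) <id> <net> <mask>: <net> must be the network address,
            # e.g. 10.1.100.0/24, not a host inside it such as 10.1.100.1.
            try:
                iface = ipaddress.ip_interface(f"{w[3]}/{w[4]}")
            except ValueError:
                continue  # other nat forms (access-list, 0 0) are not checked
            if str(iface.network.network_address) != w[3]:
                findings.append(f"nat: {w[3]} is not the network address of "
                                f"{iface.network}; use {iface.network.network_address} {w[4]}")
        elif w[0] == "global" and len(w) >= 4:
            # global (outside) <id> <ip>: reusing the interface's own address
            # does not work on PIX 6.3; the 'interface' keyword is required.
            nameif = w[1].strip("()")
            if w[3] == if_addrs.get(nameif):
                findings.append(f"global: {w[3]} is the {nameif} interface address; "
                                f"use 'global ({nameif}) {w[2]} interface'")
        elif w[0] == "route" and len(w) >= 5:
            # A default route is 0.0.0.0 0.0.0.0; a /32 mask on 0.0.0.0 matches nothing useful.
            if w[2] == "0.0.0.0" and w[3] != "0.0.0.0":
                findings.append(f"route: default route on {w[1]} has mask {w[3]}; "
                                f"use 'route {w[1]} 0.0.0.0 0.0.0.0 <gateway> 1'")
    return findings

if __name__ == "__main__":
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print(finding)
```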

jasonfaraone Tue, 12/22/2009 - 06:52

Thanks guys! I made the suggested changes, but I still can't access anything beyond the firewall. I don't think it's a NAT issue, because when I ping from my XP test machine and run a "show xlate", this is the output:

chq-mdf-fw-02(config)# show xlate

1 in use, 98 most used

PAT Global 209.248.XXX.XXX(1) Local 10.1.100.230 ICMP id 512

It looks like my XP host is appropriately being PAT'd. Could it be something with my routing?

I've been trying anything. My current routing setup looks like this:

route outside 0.0.0.0 0.0.0.0 209.248.XXX.XXX 1
route inside 10.0.0.0 255.0.0.0 10.1.100.1 1

Panos Kampanakis Tue, 12/22/2009 - 07:19

Routing looks ok. Who is 209.248.XXX.XXX in "route outside 0.0.0.0 0.0.0.0 209.248.XXX.XXX 1"?

Is it the next hop router? Can you ping it from the PC? Can you also ping from the PIX to the outside like 4.2.2.2?

If yes then try tracerouting from the pc and see what happens.

PK

jasonfaraone Tue, 12/22/2009 - 07:45

209.248.XXX.XXX is my ISP. When I set that IP as my default gateway on my test machine, the XP box has no connectivity problems.

From the PIX, I cannot ping anything, and when my XP box has the PIX set as a gateway, it cannot ping anything either. When the XP box is in my WAN vlan, and has a 209.248.XXX.XXX ip set on its NIC, it can ping anything.

I guess the frustration here is that I'm not doing anything complicated, and my XP box has no problem here. It's only when I try to put the PIX in between that everything falls apart. I'd be more than happy to paste any debug output if it would help.

Panos Kampanakis Tue, 12/22/2009 - 08:25

When behind the PIX the PC should have the PIX inside as the gateway.

The PIX should be able to reach its gateway and the outside. And I think this is the problem.

Please try to ping the outside, do a "sh arp" and check the arp entries on the PIX for the gateway. If need be reapply the outside ip address for the PIX to Grat-ARP. Use the icmp permit any outside command also to allow pings to and from the PIX on the outside.

PK

Kureli Sankar Tue, 12/22/2009 - 08:35

change logging buffered to debug

conf t

loggin buffered 7

then issue "sh logg | i x.x.x.x" for the IP address of the XP host and see what the logs say. Paste them here.

PIX/ASA by default replies to ICMP unless it is specifically denied by a "deny icmp any outside" line.

Try to ping the default GW address from the PIX and make sure it replies.

-KS

jasonfaraone Tue, 12/22/2009 - 10:06

I verified that arp is working as it should. All network devices between my firewall and the T1 display proper arp entries.

sh arp | in 209.248
Internet  209.248.XXX.28         79   000f.8f20.63d1  ARPA   FastEthernet0/0.2
Internet  209.248.XXX.25          7   0014.6ab1.8640  ARPA   FastEthernet0/0.2
Internet  209.248.XXX.26          -   000f.8f4e.5f80  ARPA   FastEthernet0/0.2

.28 is my PIX. .25 is my ISP. .26 is the first IP in our ISP IP range, located on a different router.

As I said earlier, I can configure my XP box (which has the same VLAN assignment as my PIX) with 209.248.XXX.29 and it works like a charm, so I don't think the problem lies outside of the PIX.

I cannot ping my gateway from the PIX, but I can ping it from the XP box when it is configured with a 209.248 address.

Regarding the log, everything appears to be pretty functional.

302015: Built outbound UDP connection 166 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.1.100.220/65278 (209.248.XXX.28/1107)
302015: Built outbound UDP connection 167 for outside:8.8.4.4/53 (8.8.4.4/53) to inside:10.1.100.220/65278 (209.248.XXX.28/1107)

Looks like it builds and tears down connections as needed. When my XP box is behind the PIX, I get "Destination net unreachable" when trying to ping my gateway.

You guys are totally dead on about the PIX not being able to communicate with my gateway. I don't understand why the XP box has no problem when not behind the firewall, but my PIX is unable to communicate at all. Especially since we've established ARP is working.

My access-lists also seem wide open...

chq-mdf-fw-02(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list ping_acl; 2 elements
access-list ping_acl line 1 permit icmp any any (hitcnt=2599)
access-list ping_acl line 2 permit ip any any (hitcnt=0)
access-list inside_access_in; 2 elements
access-list inside_access_in line 1 permit icmp any any (hitcnt=2835)
access-list inside_access_in line 2 permit ip any any (hitcnt=190)
access-list outside_access_in; 1 elements
access-list outside_access_in line 1 permit ip any any (hitcnt=0)

This is driving me nuts...

Correct Answer
Kureli Sankar Tue, 12/22/2009 - 10:35

The router upstream is not forwarding any packets to the PIX's outside address. That is my guess.

You can quickly do a capture on the outside interface and verify this.

cap capout int outside

Ping from the pix to the router and issue "sh cap capout" you will see requests leaving but no replies coming back to the PIX.

Keep the XP behind the PIX but, give the PIX the IP that your XP had when it was on the outside. See if the PIX can now ping the router on the outside and receive traffic.

Make sure to clear arp on the PIX as well as the Router.

-KS

jasonfaraone Tue, 12/22/2009 - 11:24

I saw the ICMP packets leave my PIX, but the upstream router didn't respond. I tried your suggestion of swapping the PIX IP address (.28) with what I had previously used on my XP box (.29) and it's working now. I have absolutely no idea why this would make a difference, but it seems to be doing well enough right now.

Panos Kampanakis Tue, 12/22/2009 - 11:55

There is a cached arp entry on the upstream router.

Re-applying the ip address that I suggested for the outside interface of the pix would grat-arp and have fixed the issue also.

PK

jasonfaraone Tue, 12/22/2009 - 11:58

I did a clear arp on both routers that this PIX passes traffic through and it didn't seem to make a difference, but I have missed something somewhere along the way.

sachinraja Tue, 12/22/2009 - 12:46

Hi Jason

Is it only not working with the .28 IP address? There are some more IP addresses free on the /29 outside segment, right? Did you try using one of them? .30?

Does the upstream router have any ACLs on the LAN interface? Or is the ISP blocking any of the traffic? Were you able to ping .28 from the router? Is the XP box online when you tried redirecting the traffic to the PIX? Are the PCs using the PIX inside as the default gateway? Did you try HTTP through a proxy or is it direct internet?

Raj

Kureli Sankar Tue, 12/22/2009 - 13:38

If you have access to the outside router take a look at it. My guess is that it has a static arp configured for the broken IP address pointing to some other MAC besides the firewall's outside MAC.

-KS
