PIX 7.0(2) and Subnet-Zero

Unanswered Question
Feb 4th, 2010

Hello all. I've got a person with an IP address (auto-assigned from her ISP) who is trying to access my website and they get no response. Logs show that a connection was opened, outgoing packets from our webserver denied due to lack of a connection entry, and then the connection's torn down.


My configuration has no "ip subnet-zero". Is this feature not available in PIX 7.0(2), and is this even a factor? I have two PIX 515's in failover mode, and the hosts behind are connected to two trunked Catalyst 3650's.


Below are entries from the firewall log. Any help you can render would be greatly appreciated.


Feb  4 14:13:25 192.168.0.1 Feb 04 2010 14:13:35: %PIX-6-609001: Built local-host outside:X.X.X.0
Feb  4 14:13:25 192.168.0.1 Feb 04 2010 14:13:35: %PIX-6-106015: Deny TCP (no connection) from 192.168.0.2/80 to X.X.X.0/17743 flags SYN ACK  on interface inside
Feb  4 14:13:25 192.168.0.1 Feb 04 2010 14:13:35: %PIX-6-609002: Teardown local-host outside:X.X.X.0 duration 0:00:00

Jon Marshall Thu, 02/04/2010 - 22:43

Daniel


Could you post the firewall config?


Jon

remitprosupport Fri, 02/05/2010 - 06:43

Thanks for the reply Jon. Here's the config:


: Saved
:
PIX Version 7.0(2)
names

!
interface Ethernet0
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.0 standby X.X.X.X
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0 standby 192.168.0.4
!
enable password X encrypted
passwd X encrypted
hostname pixfirewall
domain-name default.domain.invalid
boot system flash:/image.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group network Blacklist

object-group network ping_allowed

object-group network ftpwhitelist

object-group network sshwhitelist

access-list acl_out remark Blacklist rule.
access-list acl_out extended deny ip object-group Blacklist any log
access-list acl_out extended permit tcp any interface outside eq www log
access-list acl_out extended permit tcp any interface outside eq https log
access-list acl_out extended permit tcp object-group ftpwhitelist interface outside eq ftp log
access-list acl_out extended permit tcp object-group ftpwhitelist interface outside eq ftp-data log
access-list acl_out extended permit tcp object-group sshwhitelist interface outside eq 22222 log
access-list acl_out extended permit icmp any any inactive
access-list acl_out remark test
access-list acl_out remark test
access-list acl_out remark test
access-list acl_out remark test
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.224
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.1.0 255.255.255.224
access-list 10 standard permit 192.168.0.0 255.255.255.0
access-list 10 standard permit 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.9.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging monitor warnings
logging buffered notifications
logging trap informational
logging asdm informational
logging facility 19
logging host inside 192.168.10.170
logging host inside 192.168.10.41 6/1470
logging permit-hostdown
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip local pool vpn_pool 192.168.1.10-192.168.1.20 mask 255.255.255.255
failover
monitor-interface outside
monitor-interface inside
icmp permit host office_ip outside
icmp deny any outside
asdm image flash:/asdm-502.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.0.101 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.0.101 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 22222 192.168.0.101 22222 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside 192.168.10.0 255.255.255.0 192.168.0.254 1
route inside 192.168.9.0 255.255.255.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 600
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy AdminPolicy internal
group-policy AdminPolicy attributes
password-storage disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 10
user-authentication enable
user-authentication-idle-timeout none

http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer office_ip
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
telnet 192.168.0.2 255.255.255.255 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 5
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 5
tunnel-group Admin type ipsec-ra
tunnel-group Admin general-attributes
address-pool vpn_pool
default-group-policy AdminPolicy
tunnel-group Admin ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 20 retry 5
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
address-pool vpn_pool
tunnel-group test ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 20 retry 5
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 20 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp error
  inspect icmp
!
service-policy global_policy global
ntp server 198.123.30.132 source outside prefer
tftp-server inside 192.168.0.110 \05242007_outside_fw
ssl encryption des-sha1 rc4-md5
management-access inside
Cryptochecksum:
: end

Jon Marshall Thu, 02/11/2010 - 12:05

Daniel


Apologies for not replying. The forum you have posted into is not one of the main forums in terms of number of posts and I must have missed your e-mail reply.


Anyway, I can't see anything immediately wrong with your firewall config. It looks more like an issue with the web server.


Is this web server accessed by other outside users?


Jon

remitprosupport Thu, 02/11/2010 - 12:16

Thanks Jon for the reply. Yes, other people access this webserver and the vast majority have no problems. This is not the first person who has had this problem who has had an IP address ending in 0, and it seems only those who do have such addresses ever have this kind of problem. We've had 3 instances that I can recall, and all of them ended up getting different IPs from their ISP and it resolved the issue.


We're running Apache webserver, so I'll begin research on that. If you have any suggestions though I'd appreciate hearing them. Could there be something in the config of the catalyst switches we use that's causing this not to work? As they operate at a different layer in the stack I can't see that being the case, but I figure it can't hurt to ask.


Thanks again!
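One way to check the observation in the last reply against the firewall log from the original question (that only clients whose address ends in 0 show the "Built local-host / Deny TCP (no connection) SYN ACK / Teardown duration 0:00:00" sequence): the Python below is an added example, not code from the thread or from Cisco. It correlates the three PIX message IDs shown in the question by outside host; the sample lines, the 203.0.113.x stand-in addresses and the ends_in_zero_or_255 heuristic are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the entries in the original question.
# The masked X.X.X.0 is replaced by the documentation address 203.0.113.0, and
# a second, unaffected client (203.0.113.77) is added for contrast.
SAMPLE_LOG = """\
Feb  4 14:13:25 192.168.0.1 Feb 04 2010 14:13:35: %PIX-6-609001: Built local-host outside:203.0.113.0
Feb  4 14:13:25 192.168.0.1 Feb 04 2010 14:13:35: %PIX-6-106015: Deny TCP (no connection) from 192.168.0.2/80 to 203.0.113.0/17743 flags SYN ACK  on interface inside
Feb  4 14:13:25 192.168.0.1 Feb 04 2010 14:13:35: %PIX-6-609002: Teardown local-host outside:203.0.113.0 duration 0:00:00
Feb  4 14:14:01 192.168.0.1 Feb 04 2010 14:14:11: %PIX-6-609001: Built local-host outside:203.0.113.77
Feb  4 14:15:30 192.168.0.1 Feb 04 2010 14:15:40: %PIX-6-609002: Teardown local-host outside:203.0.113.77 duration 0:01:29
"""

BUILT = re.compile(r"%PIX-\d-609001: Built local-host (\w+):([\d.]+)")
DENY = re.compile(r"%PIX-\d-106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) "
                  r"to ([\d.]+)/(\d+) flags (.+?)\s+on interface (\w+)")
TEARDOWN = re.compile(r"%PIX-\d-609002: Teardown local-host (\w+):([\d.]+) duration (\d+:\d\d:\d\d)")

def ends_in_zero_or_255(ip):
    """Heuristic taken from the thread: affected clients had addresses ending in 0.
    Assumes a /24 view of the client address; its real prefix length is unknown."""
    return ip.split(".")[-1] in ("0", "255")

def find_half_open_hosts(log_text):
    """Correlate the three message IDs by outside host and return every host that
    was built and torn down with duration 0:00:00 while the PIX denied the
    server's SYN ACK for lack of a connection entry."""
    state = defaultdict(lambda: {"built": False, "denied": [], "duration": None})
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            state[m.group(2)]["built"] = True
            continue
        m = DENY.search(line)
        if m:
            # SYN ACK from the inside server to a client with no conn entry:
            # the inbound SYN never created a connection for this host.
            state[m.group(3)]["denied"].append((m.group(1), m.group(2), m.group(5).strip()))
            continue
        m = TEARDOWN.search(line)
        if m:
            state[m.group(2)]["duration"] = m.group(3)
    suspects = {}
    for host, st in state.items():
        if st["built"] and st["denied"] and st["duration"] == "0:00:00":
            suspects[host] = {"server": st["denied"][0][0], "flags": st["denied"][0][2],
                              "zero_or_broadcast_octet": ends_in_zero_or_255(host)}
    return suspects
```

Run it over a syslog export from the logging hosts named in the config to see whether every flagged client really ends in 0 or 255; a flagged host with an ordinary last octet would point away from the subnet-zero theory.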
