11-24-2006 02:50 AM - edited 03-11-2019 02:00 AM
Dear ALL,
I'm going to replace a PIX 515E running 6.1 with a new Unrestricted PIX 515E running 6.3, so I can
work offline with the old one to run all update tasks.
The configurations are exactly the same, but when I replace the PIX, the new one does not run properly:
- NATted clients seem to browse the internet correctly
- clients mapped with static don't work
- web servers are not browsable from outside
Please, could anyone give me any ideas?
Regards
Alberto Brivio
P.S. Failover is stopped
11-24-2006 02:55 AM
Can you share the configuration, or at least the part with the static and access-list entries (specifically the one applied on the outside interface)?
1. NATted clients seem to browse the internet correctly
- the nat/global pair works.
2. clients mapped with static don't work
- could be anything, e.g. a wrong IP mapping.
3. web servers are not browsable from outside
- could be a static mapping problem, or the ACL on the outside interface.
HTH
AK
11-24-2006 03:18 AM
Hi,
below you can find the config; I've replaced the public address ranges with
10.10.1.0 and 10.10.2.0.
Thanks
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security20
nameif ethernet4 dmz3 security30
nameif ethernet5 failover security40
hostname mypix
domain-name mypix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl-inbound permit icmp any any
access-list acl-inbound permit ip any any
access-list acl-outbound permit icmp any any
access-list acl-outbound permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
icmp permit any dmz1
icmp permit any dmz2
icmp permit any dmz3
icmp permit any failover
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu failover 1500
ip address outside 10.10.1.99 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
no ip address dmz1
no ip address dmz2
no ip address dmz3
no ip address failover
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address dmz2
no failover ip address dmz3
no failover ip address failover
pdm location 192.168.0.18 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 10.10.2.128-10.10.2.254 netmask 255.255.255.128
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
alias (inside) 192.168.0.15 10.10.1.105 255.255.255.255
alias (inside) 192.168.0.230 10.10.1.98 255.255.255.255
alias (inside) 192.168.0.85 10.10.1.115 255.255.255.255
alias (inside) 192.168.0.84 10.10.1.113 255.255.255.255
alias (inside) 192.168.0.244 10.10.1.102 255.255.255.255
static (inside,outside) 10.10.1.103 192.168.0.28 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.105 192.168.0.15 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.125 192.168.0.97 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.110 192.168.0.24 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.98 192.168.0.230 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.111 192.168.0.56 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.113 192.168.0.84 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.109 192.168.0.18 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.112 192.168.0.57 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.115 192.168.0.85 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.114 192.168.1.53 netmask 255.255.255.255 0
static (inside,outside) 10.10.1.104 192.168.0.86 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.106 192.168.0.26 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.102 192.168.0.251 netmask 255.255.255.255 0 0
access-group acl-inbound in interface outside
access-group acl-outbound in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.1.97 1
route outside 10.10.2.128 255.255.255.128 10.10.1.99 1
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp dmz1
sysopt noproxyarp dmz2
sysopt noproxyarp dmz3
sysopt noproxyarp failover
console timeout 0
terminal width 80
11-24-2006 06:44 AM
I noticed that 2 static routes with the same admin distance value exist.
route outside 0.0.0.0 0.0.0.0 10.10.1.97 1
route outside 10.10.2.128 255.255.255.128 10.10.1.99 1
When accessing the internet, which gateway is used, and for outsiders to access your servers mapped to public IPs, which incoming gateway is used?
- The alias command + static + noproxyarp looks OK.
- The ACL and interface binding look OK. But I believe you should put specific destination servers and service ports in the "acl-inbound" ACL, e.g.:
access-list acl-inbound permit tcp any host 10.10.1.103 eq www
access-list acl-inbound permit tcp any host 10.10.1.105 eq 23
11-24-2006 08:00 AM
Hi,
just for information:
outside 10.10.1.96 255.255.255.224 10.10.1.99 1 CONNECT static
this one is the network the outside card belongs to; this network is used
for server publishing and static statements
outside 10.10.2.128 255.255.255.128 10.10.2.99 1 OTHER static
this one is another network added in order to permit client NATting
But the thing I can't understand is that this configuration is up and running on the
old PIX 515E (6.1).
Thanks anyway
11-24-2006 08:36 AM
The config is fine; it will not work if it is for routing to the inside segment.
Can you identify which server(s) you map statically to public IPs but are not able to access out or be accessed by users from the internet?
11-24-2006 08:53 AM
For example:
(10.10.1.98 in the real config is a public address!)
static (inside,outside) 10.10.1.98 192.168.0.230 netmask 255.255.255.255
The inside server 192.168.0.230 can't access out and is not reachable
from the internet.
But any client that is NATted by the global specified in the configuration can access
the internet without problems.
11-25-2006 03:46 PM
The outside interface IP is 10.10.1.99, while the route to 10.10.2.128 (see the second route outside line) also points to 10.10.1.99.
This should be replaced with the outside/internet router's FastEthernet interface facing the PIX, not the PIX's own interface.
As for the route statements (2 x route outside), it's best to put the specific (longest match) one first, before the general route, as the general route will take everything into it (the PIX is not smart in routing):
route outside 10.10.2.128 255.255.255.128 10.10.1.xx ---> change this to the other internet router interface IP
route outside 0.0.0.0 0.0.0.0 10.10.1.97
HTH
AK
11-26-2006 04:57 PM
Tested with only the "route outside 0.0.0.0 0.0.0.0 10.10.1.97" statement and a physical connection; it works fine, i.e.
in/out access for 192.168.0.230 via "static (inside,outside) 10.10.1.98 192.168.0.230 netmask 255.255.255.255" was OK.
A 2nd test with the outside interface IP changed to .100 did not go well. The change was to suit the 2nd route statement that points to the PIX's own interface.
It may not be related to routing, but try removing the "sysopt noproxyarp outside" line to isolate this issue (not tested, limited time).
It would be good to put the config in one by one, and see/test where the choking point starts.
HTH
AK
12-04-2006 12:56 AM
Hi,
I didn't forget this conversation.
Finally, I got a solution in two steps:
The first one, the most important, was to power down / power up the switch the outside zone is attached to: without this action
nothing was working.
The second one, in order to avoid random NAT problems, was that I had to permit proxy ARP on the outside segment.
Regards
Alberto Brivio
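As an added example, not part of the thread and not a Cisco tool: a small Python lint that reads the posted PIX 6.3 configuration and flags the conditions AK raised (11-25-2006) and the setting Alberto ended up changing (12-04-2006): a `route` whose next hop is the PIX's own interface address (the second `route outside` line), a `static` whose global address sits in the outside interface's subnet while `sysopt noproxyarp outside` is set (without proxy ARP the upstream router cannot resolve those addresses, while the routed 10.10.2.128/25 NAT pool keeps working), and an inbound ACL that permits `ip any any` on the outside interface. As a generalization beyond the thread it also flags a static whose local address is not in the inside subnet and has no covering `route inside` (the `192.168.1.53` entry in the posted config). The sample config is a constructed excerpt of the posted one with the poster's sanitized addresses; the finding codes are my own naming, not PIX output.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted in the thread (with the poster's
# sanitized addresses). Only the statements the checks look at are kept.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl-inbound permit icmp any any
access-list acl-inbound permit ip any any
ip address outside 10.10.1.99 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 10.10.2.128-10.10.2.254 netmask 255.255.255.128
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 10.10.1.103 192.168.0.28 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.98 192.168.0.230 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.114 192.168.1.53 netmask 255.255.255.255 0
access-group acl-inbound in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.1.97 1
route outside 10.10.2.128 255.255.255.128 10.10.1.99 1
sysopt noproxyarp outside
sysopt noproxyarp inside
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)")


def parse_pix(text):
    """Extract interfaces, statics, routes, ACLs and proxy-ARP settings from a PIX 6.x config."""
    cfg = {"ifaces": {}, "statics": [], "routes": [], "noproxyarp": set(),
           "acls": {}, "access_groups": {}}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"] and len(p) >= 5:
            cfg["ifaces"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "static":
            m = STATIC_RE.match(line)
            if m:
                cfg["statics"].append({"in_if": m[1], "out_if": m[2],
                                       "global": ipaddress.ip_address(m[3]),
                                       "local": ipaddress.ip_address(m[4])})
        elif p[0] == "route" and len(p) >= 5:
            cfg["routes"].append({"iface": p[1],
                                  "prefix": ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False),
                                  "nexthop": ipaddress.ip_address(p[4])})
        elif p[:2] == ["sysopt", "noproxyarp"] and len(p) == 3:
            cfg["noproxyarp"].add(p[2])
        elif p[0] == "access-list" and len(p) > 2:
            cfg["acls"].setdefault(p[1], []).append(p[2:])
        elif p[0] == "access-group" and len(p) == 5:
            cfg["access_groups"][p[4]] = p[1]   # interface -> ACL applied inbound on it
    return cfg


def lint(cfg):
    """Return (code, message) findings for the conditions discussed in the thread."""
    findings = []
    own = {i.ip: name for name, i in cfg["ifaces"].items()}

    # A next hop that is the firewall's own interface address is not a gateway.
    for r in cfg["routes"]:
        if r["nexthop"] in own:
            findings.append(("ROUTE_SELF",
                             f"route {r['prefix']} via {r['nexthop']} points at the PIX's own "
                             f"{own[r['nexthop']]} address"))

    for s in cfg["statics"]:
        out_if = cfg["ifaces"].get(s["out_if"])
        in_if = cfg["ifaces"].get(s["in_if"])
        # A static global address on the outside subnet is reachable only if the PIX
        # answers ARP for it; 'sysopt noproxyarp <if>' disables exactly that.
        if out_if and s["global"] in out_if.network and s["out_if"] in cfg["noproxyarp"]:
            findings.append(("STATIC_NOPROXYARP",
                             f"static {s['global']} lies in {out_if.network} but proxy ARP is "
                             f"disabled on {s['out_if']}; the upstream router cannot resolve it"))
        # A local address outside the connected subnet needs a route on that interface.
        if in_if and s["local"] not in in_if.network and not any(
                r["iface"] == s["in_if"] and s["local"] in r["prefix"] for r in cfg["routes"]):
            findings.append(("STATIC_UNROUTED_LOCAL",
                             f"static local {s['local']} is not in {in_if.network} and no "
                             f"'route {s['in_if']}' covers it"))

    # 'permit ip any any' on the outside ACL exposes every static on every port.
    for iface, acl in cfg["access_groups"].items():
        if any(e[:4] == ["permit", "ip", "any", "any"] for e in cfg["acls"].get(acl, [])):
            findings.append(("ACL_ANY_ANY",
                             f"{acl} on {iface} permits ip any any; restrict it to the "
                             f"published hosts and ports"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_pix(PIX_CONFIG)):
        print(f"{code:22} {msg}")
```

Run against the excerpt it reports six findings: one ROUTE_SELF, three STATIC_NOPROXYARP (one per static in 10.10.1.96/27), one STATIC_UNROUTED_LOCAL and one ACL_ANY_ANY. Deleting `sysopt noproxyarp outside` from the input clears the STATIC_NOPROXYARP findings, which matches the second step of Alberto's fix. The switch power cycle that was needed first is something a config lint cannot see; my reading, not confirmed in the thread, is that the outside switch and router were still holding the old PIX's MAC address for those IPs until their tables were flushed.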