PIX AND IOS FIREWALL TROUBLESHOOT

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Pix and IOS Firewall Troubleshoot with Cisco expert Tony Huang. Tony is a Lead Customer Support Engineer at the Technical Assistance Center (TAC) at Cisco Systems, Inc. Tony supports Security applications. Remember to use the rating system to let Tony know if you have received an adequate response.

Tony might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 19. Visit this forum often to view responses to your questions and the questions of other community members.

41 REPLIES
New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

We are an ISP that has two public networks as well as private addressing that sit behind our Pix. All outbound from the private networks works as expected. However, any server on the public networks cannot be reached, and any DSL customer with a public IP can't get out to the internet. A.B.C and X.Y are the two public nets. There is a 7200 series that sits inside of the Pix.

I have posted the config to see if you can find any errors.

Thanks!

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxx encrypted

passwd xxxxxxxxxxxx encrypted

hostname xxxxxxxxxx

domain-name xxxxxxxxxxxx

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list public_net permit ip x.y.41.0 255.255.255.0 any

access-list public_net permit ip a.b.c.0 255.255.255.0 any

access-list acl_out permit udp any host a.b.c.2 eq domain

access-list acl_out permit tcp any host a.b.c.3 eq smtp

access-list acl_out permit udp any host a.b.c.4 eq domain

access-list acl_out permit icmp any host a.b.c.72 echo-reply

access-list acl_out permit icmp any host x.y.41.254 echo-reply

access-list acl_out permit icmp any host x.y.41.182 echo-reply

access-list acl_out permit icmp any host x.y.41.195 echo-reply

access-list acl_out permit tcp any host x.y.41.3 eq www

access-list acl_out permit icmp host x.y.41.182 any echo

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.230 255.255.255.0

ip address inside 10.100.0.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside x.x.x.231

failover ip address inside 10.100.0.3

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list public_net

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) a.b.c.2 a.b.c.2 netmask 255.255.255.255 0 0

static (inside,outside) a.b.c.4 a.b.c.4 netmask 255.255.255.255 0 0

static (inside,outside) a.b.c.72 a.b.c.72 netmask 255.255.255.255 0 0

static (inside,outside) x.y.41.254 x.y.41.254 netmask 255.255.255.255 0 0

static (inside,outside) x.y.41.182 x.y.41.182 netmask 255.255.255.255 0 0

static (inside,outside) x.y.41.195 x.y.41.195 netmask 255.255.255.255 0 0

static (inside,outside) x.y.41.3 x.y.41.3 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 255.255.255.255 x.x.x.1 1

route inside 10.0.0.0 255.0.0.0 10.100.0.1 1

route inside x.y.41.0 255.255.255.0 x.y.41.1 1

route inside a.b.c.0 255.255.255.0 a.b.c.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

The static translations look fine to me. However, there is a problem with your route inside statements.

route inside x.y.41.0 255.255.255.0 x.y.41.1

route inside a.b.c.0 255.255.255.0 a.b.c.1

(In this case, I am assuming 10.100.0.1, x.y.41.1 and a.b.c.1 are the ip addresses for 3 interfaces of c7200 router.)

For pix, you want to route the packet to the interface (next hop) connected to the same network as the interface of the pix if the packets' destination is different from the 10.100.0.0/24 network.

Then the c7200 router should do the routing job and forward the packet to the interfaces with ip x.y.41.1 or a.b.c.1.

In other words, you want to change those route inside statements to:

route inside x.y.41.0 255.255.255.0 10.100.0.1

route inside a.b.c.0 255.255.255.0 10.100.0.1

This should solve your problem.

Thanks

Tony
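The route fix above comes down to one rule: a PIX next hop must sit on the subnet configured on the interface the route names. The check below applies that rule to a config excerpt; it is an added example, not Cisco code or the poster's config, and the public addresses are constructed stand-ins for the anonymised x.y.41.0 and a.b.c.0 networks.

```python
"""Check that every PIX 6.x 'route' next hop lies on the subnet configured
on the interface the route names. This is the mistake in the posted config
(next hops x.y.41.1 and a.b.c.1 via the inside interface, whose subnet is
10.100.0.0/24). Addresses are constructed stand-ins for the real ones."""
import ipaddress
import re

# Constructed excerpt in the style of the posted config (not the real one).
SAMPLE_CONFIG = """
ip address outside 198.51.100.230 255.255.255.0
ip address inside 10.100.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.0.0.0 255.0.0.0 10.100.0.1 1
route inside 192.0.2.0 255.255.255.0 192.0.2.1 1
route inside 203.0.113.0 255.255.255.0 10.100.0.1 1
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def connected_subnets(config):
    """Map interface name -> directly connected subnet from 'ip address' lines."""
    subnets = {}
    for line in config.strip().splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            subnets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return subnets


def off_link_routes(config):
    """Return the 'route' lines whose next hop is outside the subnet of the
    interface they name. The PIX would have to ARP for that gateway on a
    link where it does not live, so the destination is unreachable."""
    subnets = connected_subnets(config)
    bad = []
    for line in config.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        ifname, _dest, _mask, gateway, _metric = m.groups()
        link = subnets.get(ifname)
        if link is None or ipaddress.ip_address(gateway) not in link:
            bad.append(line.strip())
    return bad


if __name__ == "__main__":
    for route in off_link_routes(SAMPLE_CONFIG):
        print("next hop not directly connected:", route)
```

Only the route whose gateway is not on 10.100.0.0/24 is reported; the corrected lines that point at 10.100.0.1 pass.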

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

I have a couple of general questions to make:

a) Can you configure a PIX firewall to make IP redirection for traffic coming and leaving the same interface? I know it is a security risk, but is there a way to bypass it for specific routes?

b) Can you "load balance" routed traffic from a PIX interface to the same destination but through 2 different paths (different neighbor routers)? Is there a way to have an alternative path programmed into the PIX firewall in case the first fails, to try the second path?

c) Are there any plans for the GPRS Tunneling Protocol (GTP) to be implemented in the near future?

Regards.

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

Pix will not redirect the traffic coming and leaving the same interface and I don't think there is any other workaround.

Both load balancing and the GPRS Tunneling Protocol will be supported in 7.0 code.

Hope this will help.

Thanks

Tony

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi Tony,

since you've mentioned the version 7.0, do you know when it will be available? I know that you cannot promise anything so something like quarter/year will do. Any plans for the next version after 6.3(3) where SSL Vulnerabilities will be fixed? I know that I can ask TAC for software release 6.3(3.109) but is there version 6.3(4) or something like that coming soon? Thanks.

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

What SSL vulnerabilities are you referring to? We will have a maintenance release sometime in the near future that shall address key vulnerabilities.

Version 7.0 should be available in H2CY04.

Thanks

Tony

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

I have several questions regarding PIX firewall:

1. It seems that PIX only provides normal ping for troubleshooting. Is there anything like extended ping or traceroute available?

2. When using the "capture" command, is there any way that I can capture by number instead of access-list name/ID? (I want to be more specific.)

3. For PDM software 3.0 or above, what does the "current Kbps" mean in "Interface Status" on home page? Is this a sum of inbound and outbound traffic?

Thanks!

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

For your questions :

1. That is correct. On the pix, you can also use the command "debug icmp trace" to get more information for troubleshooting.

2. I don't really understand what you meant by "number instead of access-list".

You can be very specific by using an access-list, such as source, destination, protocol and port, depending on how you define the access-list.

Please check the link for more detail about this command.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#1053548

3. Actually, it's not the sum of inbound and outbound traffic. The "current Kbps" displays the current number of kilobits per second that cross the interface.

I hope this will help.

Thanks

Tony

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Tony,

Regarding question 2, from PIX version 6.2, every access-list entry has a "line number". You may define an access list with multiple entries and when you use "show access-list", it will show you the same access list name/id with multiple line numbers. My question is whether we can do the capture based on the line number instead of access list name/id. I may define hundreds of entries in one access list but I just want to capture based on one entry.

Hope it can clarify my question. Thanks!

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

I don't think you can use a particular line # out of an access-list to use with it. The complete access-list is required.

Besides, it's not that difficult to use a new access-list for packet capture, agree?

I hope this answers your question.

Thanks

Tony

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi Tony, my question is more about design. We have a class B public address range and have always used some type of web proxy for outbound connections. Formerly MS Proxy Servers and currently Cisco Cache Engines for past 3 years. We have had several headaches with the Cache Engines and therefore are considering eliminating them completely because we don't feel the caching value is worth (a) the problems or (b) the money to upgrade to another solution. My question is: should we bother to NAT all our clients' IP addresses on our PIX? Is NAT considered a "security" feature? Thank you.

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi Michael,

Yes, you can say that NAT is one of the security features of the pix firewall.

For your information, you can either overload all the internal hosts' ip address to interface or one external ip address (PAT translation) or do one to one nat translation (static translation).

Either method will hide the real ip address of the hosts behind the firewall, which is the security feature that we are looking for.

Another thing you might want to know is that not only will pix hide the real internal ip address, it will also randomize the sequence number of every single packet before pix sends it out to the internet, which is also a good way to protect your internal hosts.

For your internal network security, NAT is recommended.

I hope this will help.

Thank you

Tony

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi Tony,

A general question. Is PIX going to support H323 Proxy in the near future?

Kind regards

Sijbren Beukenkamp

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi Sijbren,

What functionality do you plan to achieve using a H.323 proxy?

Currently the PIX software provides comprehensive support for VoIP which includes NAT/PAT support for H.323.

Thanks

Tony

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi Tony,

We just did an upgrade of our PIX FW 535 last Saturday (13 Dec). Yesterday and today, we experienced high CPU after the upgrade from PIX ver 6.2(2) to 6.3(3).

From the show processes command, we observed that the intf1 counter is incrementing regularly. Within 20 sec, the runtime value increases from 6454810 to 6473990. We also observe that the interface intf1 buffer is increasing too.

Other info:

STUDENT-PIX-PRI# sh mem

Free memory: 934876624 bytes

Used memory: 138865200 bytes

------------- ----------------

Total memory: 1073741824 bytes

STUDENT-PIX-PRI# sh mem

Free memory: 934876624 bytes

Used memory: 138865200 bytes

------------- ----------------

Total memory: 1073741824 bytes

STUDENT-PIX-PRI#

------------------------------------------------------

STUDENT-PIX-PRI# sh xlate count

1583 in use, 33723 most used

STUDENT-PIX-PRI# sh xlate count

1583 in use, 33723 most used

STUDENT-PIX-PRI#

------------------------------------------------------

STUDENT-PIX-PRI# sh conn count

61856 in use, 69008 most used

STUDENT-PIX-PRI# sh conn count

62686 in use, 69008 most used

STUDENT-PIX-PRI#

Pls advise?

Thanks.

Best rgds,

Hock Meng

ncs

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi Hock Meng,

The 577poll process will most likely have the largest Runtime of all your processes. This is normal because the 577poll process polls the Ethernet interfaces to see if they have any data that requires action. Examples of common polling processes include the following:

577poll - Polls the Ethernet interfaces. Thread which polls the Ethernet interfaces to see if they have received traffic that can be removed. Since this is a polling process, it is normal for the runtime value of this process to be very large. The above output is normal operation.

i82543_timer - Polls the 66-MHz Gigabit Ethernet interfaces

i82542_timer - Polls the 33-MHz Gigabit Ethernet interfaces

Since the above are polling processes, they can be used as a reference when comparing their Runtimes to other running processes.

I was wondering if you can reload the pix and see if the problem goes away.

Thanks

Tony

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

I've some questions about the static command:

Suppose that I've a PIX with 4 interfaces: inside, outside, dmz (security 50) and backend (security 30).

If you configure overlapping statics (overlapping IP or ports...), rightly, the pix tells you about an error or warning.

But, if you configure two static commands, like these:

static (inside,outside) 151.12.56.10 10.10.10.1

static (inside,dmz) 172.16.31.10 10.10.10.1

or, like these:

static (inside,outside) 151.12.56.10 10.10.10.1

static (inside,outside) 151.12.56.0 10.20.20.0

there aren't warnings or errors, but... only one static could work at a time... usually the first if traffic comes from outside, or it depends on the xlate already created by the outbound traffic.

What do you think about it?

thnx,

Graziano

Re: PIX AND IOS FIREWALL TROUBLESHOOT

I'll take a stab at this one...hope you do not mind Tony ;)

The first example you provided is perfectly valid. Remember, routing takes place first and then the PIX looks for an xlate. Traffic destined for the outside will be translated to 151.12.56.10 and traffic destined to the dmz will be translated to 172.16.31.10. The reverse flow to the lower security interface addresses would send the traffic to the inside host at 10.10.10.1. Make sense?

The second scenario is also valid (sort of). You are correct that the more specific one in this case would match, but this is because it is higher in the config. One thing to remember is that statics are matched from top to bottom in the config rather than by best match. So, this would be a way to translate one specific address to another host while translating the rest of the range to another subnet on the inside. Hope this helps explain somewhat.

Scott

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi Scott,

Thanks for stabbing in. ^_^

Tony

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

thank you for the quick answer!

About the second question, I've understood: a bad configuration.

For the first question, instead, the example wasn't correct, sorry!!!

I'll try again to explain what I mean; what do you think about this:

static (inside, outside) 156.54.12.10 10.10.10.1

static (dmz, outside) 156.54.12.10 172.16.31.10

there aren't configuration warnings or problems.

When traffic comes from outside to the public address 156.54.12.10, who responds? The first... but not always, it depends if 172.16.31.10 was already speaking...

I think this is not a deterministic behaviour? Isn't it better not to permit this configuration, like an overlapping nat?

thanks a lot,

Graziano

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

We have two 535's in a failover setup. The Pix with the unrestricted license has stopped booting. Is it possible to swap its license to the failover-only Pix?

Thanks,

Brian

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

The license is generated based on the serial number of the pix. Therefore, you cannot swap the license from one pix to another.

Thanks

Tony

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi,

I'd say if the traffic comes from outside, 10.10.10.1 will respond since pix checks the translation table in order, just like an ACL. It may never go to 172.16.31.10 if 10.10.10.1 is available.

Pix will take the command, but I do agree with you. We should have some kind of warning when you try to configure overlapping nat like this.

Thanks

Tony

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Graziano,

I see your point. Yes, the first one would be the one used, assuming that there was not already an xlate generated for another internal host (the second one, for example). Existing xlates are checked before looking for statics. I am not 100% sure why we do not error on this, but you are correct, this is a mis-config.

Scott
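The two static problems discussed in this exchange (a global address shared by two local interfaces, and top-to-bottom matching that can hide a later, more specific static behind an earlier broader one) can be caught before deployment with a simple lint. This is an added example, not Cisco or the posters' code; the sample reuses the statics posted above, adds one constructed pair in reversed order to show shadowing, and assumes the PIX 6.x default of a /32 netmask when none is given.

```python
"""Lint PIX 6.x 'static' commands for the two situations discussed above.
'shadowed': an earlier static on the same interface pair covers the later
one; statics are matched top to bottom (not best match), so the later line
never matches inbound. 'ambiguous': statics on different local interfaces
share a global address, so which host answers depends on whichever xlate
already exists. Sample is built from the thread's statics plus one
constructed, reversed pair (203.0.113.0/24 before 203.0.113.5)."""
import ipaddress
import re

SAMPLE_STATICS = """
static (inside,outside) 151.12.56.10 10.10.10.1
static (inside,outside) 151.12.56.0 10.20.20.0 netmask 255.255.255.0
static (inside,outside) 203.0.113.0 10.30.30.0 netmask 255.255.255.0
static (inside,outside) 203.0.113.5 10.30.30.5
static (inside, outside) 156.54.12.10 10.10.10.1
static (dmz, outside) 156.54.12.10 172.16.31.10
"""

STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+)(?: netmask (\S+))?")


def parse_statics(config):
    """Return (local_if, global_if, global_net, line) tuples in config order.
    Without 'netmask' the PIX treats the entry as a single host (/32)."""
    out = []
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            local_if, global_if, gaddr, _laddr, mask = m.groups()
            mask = mask or "255.255.255.255"
            net = ipaddress.ip_network(f"{gaddr}/{mask}", strict=False)
            out.append((local_if, global_if, net, line.strip()))
    return out


def lint_statics(config):
    """Compare each static against every earlier one on the same global
    interface; report ('shadowed'|'ambiguous', earlier_line, later_line)."""
    statics = parse_statics(config)
    findings = []
    for j, (l_if_b, g_if_b, g_b, text_b) in enumerate(statics):
        for l_if_a, g_if_a, g_a, text_a in statics[:j]:
            if g_if_a != g_if_b or not g_a.overlaps(g_b):
                continue
            if l_if_a == l_if_b and g_b.subnet_of(g_a):
                findings.append(("shadowed", text_a, text_b))
            elif l_if_a != l_if_b:
                findings.append(("ambiguous", text_a, text_b))
    return findings


if __name__ == "__main__":
    for kind, earlier, later in lint_statics(SAMPLE_STATICS):
        print(f"{kind}: '{later}' collides with earlier '{earlier}'")
```

Graziano's original pair (the /32 above the /24) produces no finding, matching Scott's "valid (sort of)": the host static is reached first and the network static still serves the rest of the range.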

rj
New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi Tony,

I have the following setup. We have a company that connects via a private frame to our DMZ port. They are trying to connect via FTP. Here is the flow.

Source IP 10.10.10.1 - The user connects to 10.205.10.1 on port 21 on their network. Then the FTP flow is translated to our NAT of 172.17.5.1, which is translated from our DMZ into the actual IP address of the FTP server of 192.168.1.1 on the inside. So there is a double translation occurring. I can see the connection attempt from 10.10.10.1 to 172.17.5.1 via the DMZ ACL. Although on the FTP server, there is never a connection attempt. It never makes the final translation so it stops with a SYN timeout on the PIX. Is this because of a dual translation for FTP traffic?

Thanks,

RJ

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi RJ,

I don't think that dual NAT has anything to do with it. We need to check the syslog on the PIX, whether it is blocking this traffic.

Thanks

Tony

rj
New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi Tony,

The syslog debug shows %PIX-6-302014: Teardown TCP connection 13570579 for dmz:10.10.10.1/2450 to inside:192.168.1.1/21 duration 0:02:01 bytes 0 SYN Timeout. The inbound dmz access-list does not block it. The FTP server (192.168.1.1) never returns the originating SYN with a SYN/ACK.

Thanks,

RJ
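The %PIX-6-302014 line RJ quotes carries the whole diagnosis in its fields: the connection was built (so the ACL and the xlates were fine), but the inside server never answered and the PIX tore it down with 0 bytes and "SYN Timeout". The parser below pulls those fields out and counts zero-byte SYN-timeout teardowns per destination, which is how a defender spots a server that is silently unreachable; this is an added example, not Cisco code, and every sample line after the first is constructed.

```python
"""Parse PIX %PIX-6-302014 TCP teardown syslog lines and surface servers
that never answer: connections torn down by 'SYN Timeout' with 0 bytes,
the symptom RJ reports for the FTP server at 192.168.1.1. Added example;
the first sample line is from the thread, the rest are constructed."""
import re
from collections import Counter

TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$")

# First line is the one quoted in the thread; the rest are constructed.
SAMPLE_LOG = """
%PIX-6-302014: Teardown TCP connection 13570579 for dmz:10.10.10.1/2450 to inside:192.168.1.1/21 duration 0:02:01 bytes 0 SYN Timeout
%PIX-6-302014: Teardown TCP connection 13570588 for dmz:10.10.10.1/2451 to inside:192.168.1.1/21 duration 0:02:00 bytes 0 SYN Timeout
%PIX-6-302014: Teardown TCP connection 13570601 for dmz:10.10.10.7/3301 to inside:192.168.1.1/21 duration 0:02:00 bytes 0 SYN Timeout
%PIX-6-302014: Teardown TCP connection 13570612 for dmz:10.10.10.7/3302 to inside:192.168.1.9/25 duration 0:00:12 bytes 4120 TCP FINs
%PIX-6-302014: Teardown TCP connection 13570620 for dmz:10.10.10.1/2460 to inside:192.168.1.9/25 duration 0:00:03 bytes 0 TCP Reset-O
"""


def parse_teardown(line):
    """Return the fields of one 302014 line as a dict, or None if it is not one."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["reason"] = rec["reason"] or ""
    return rec


def unanswered_servers(log):
    """Count SYN-Timeout, zero-byte teardowns per destination socket. A server
    that accumulates these never returned a SYN/ACK through the PIX: it is
    down, has no route back, or a host firewall is dropping the SYN."""
    hits = Counter()
    for line in log.strip().splitlines():
        rec = parse_teardown(line)
        if rec and rec["reason"] == "SYN Timeout" and rec["bytes"] == 0:
            hits[(rec["dst_if"], rec["dst_ip"], rec["dst_port"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (dst_if, ip, port), n in unanswered_servers(SAMPLE_LOG).items():
        print(f"{dst_if}:{ip}/{port} never answered {n} connection(s)")
```

A zero-byte teardown with "TCP Reset-O" is deliberately not counted: there the server did reply, just with a RST.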

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Hi RJ,

Do you mind sending me the config of the pix?

Thanks

Tony

New Member

Re: PIX AND IOS FIREWALL TROUBLESHOOT

Good Day,

I have a pix525 running 6.2(2). I have recently received the act key that would enable 3DES, and I also plan to upgrade the OS to 6.3.

Should I activate the key under 6.2(2) first then upgrade to 6.3 or the other way around? What's your recommendation? Thanks.
