New Member

Cisco Pix 501 - Please be gentle with me

Hi All,

First time post and I apologise for the appalling lack of knowledge. Quite possibly the answer I seek is already here but I don't know the search terms to find it.

The Scenario:

Existing 2003 R2 domain with one DC. 2008 R2 added to it and it all goes horribly wrong (I haven't even started to think about the Exchange 2010 migration from 2003 yet). Microsoft come on to the system to check out really weird DNS issues. They have me turning somersaults trying to figure it out, including resetting/reconfiguring said Cisco Pix 501. All now reconfigured but god knows if it's correct. Includes a PPTP VPN and port forwarding of 80, 443 and 25 to the old 2003 R2 server. All forwarding works correctly.

The (final) Problem:

All is now working apart from this: -

When either server is rebooted, both can no longer ping each other. Tracert fails also, nslookup is fine. The problem has been traced to the 2008 R2 server having an entry in its ARP cache for the 2003 R2 with the correct IP (aaa.bbb.ccc.7) but the 501's MAC address!?! Sometimes some fiddling will cure it (disable/enable a NIC etc.), sometimes it just corrects itself 20 minutes/2 hours later. Config is below, IPs, names and passwords changed to protect the innocent: -

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hLRHyGRXx9ab2U76 encrypted
passwd hLRHyGRXx9ab2U76 encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.126.144.0 Postini_Servers
name 192.168.1.7 <2003R2>
name 192.168.1.6 <2008R2>
object-group service WebMail tcp
  port-object eq https
  port-object eq www
access-list inside_outbound_nat0_acl permit ip any 192.168.1.240 255.255.255.240
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp Postini_Servers 255.255.240.0 host xxx.yyy.zzz.186 eq smtp
access-list outside_access_in permit tcp any host xxx.yyy.zzz.186 object-group WebMail
access-list <vpngroup>_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.yyy.zzz.186 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.1.240-192.168.1.250
pdm location 192.168.1.240 255.255.255.240 outside
pdm location Postini_Servers 255.255.240.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location <2003R2> 255.255.255.255 inside
pdm location <2008R2> 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 <2003R2>
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.yyy.zzz.186 smtp <2003R2> smtp dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www <2003R2> www dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https <2003R2> https dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.185 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host <2003R2> ******** timeout 5
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 60 10
isakmp nat-traversal 60
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup <vpngroup> address-pool VPNPool
vpngroup <vpngroup> dns-server <2003R2> 192.168.1.1
vpngroup <vpngroup> default-domain <domain>.local
vpngroup <vpngroup> split-tunnel <vpngroup>_splitTunnelAcl
vpngroup <vpngroup> split-dns <domain>.local
vpngroup <vpngroup> idle-time 3600
vpngroup <vpngroup> password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group VPN_PPTP accept dialin pptp
vpdn group VPN_PPTP ppp authentication pap
vpdn group VPN_PPTP ppp authentication chap
vpdn group VPN_PPTP ppp authentication mschap
vpdn group VPN_PPTP client configuration address local VPNPool
vpdn group VPN_PPTP client configuration dns <2003R2>
vpdn group VPN_PPTP client authentication aaa RADIUS
vpdn group VPN_PPTP client accounting RADIUS
vpdn group VPN_PPTP pptp echo 60
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username Administrator password rWP5K.p.gFb0izJZ encrypted privilege 15
terminal width 80
Cryptochecksum:48b0cc66fbd519eab05a26c5d73ba8e7
: end

Any help would be appreciated. As an extra, can someone explain how I can configure the device to use other external IPs which are part of our block from our ISP? This was working before Microsoft came along. xxx.yyy.zzz.187 was our external address through which all traffic passed (i.e. www.whatismyip.com would report this address). The xxx.yyy.zzz.186 was used for OWA, VPN and SMTP, but I have had to change the external interface to xxx.yyy.zzz.186, else all port forwarding just stopped.

Best regards,

Chris

Accepted Solution
Cisco Employee

Re: Cisco Pix 501 - Please be gentle with me

Hello Chris,

I hope you are doing great! No worries, we are here to help. Seems like the issue is a proxy ARP problem. The only way one of the servers could get the MAC address of the PIX firewall is if the PIX is running proxy ARP.

I saw a global (inside) for the R2 server; I think that is the line that is playing with you here. That would make the firewall proxy ARP for that IP address, which I think is the reason why you are able to see the incorrect MAC address.

I don't see that global doing anything there, so the best thing to do would be to take it out.

Regarding your second question, I don't quite understand... would you like to assign a secondary IP to the outside interface? Or is it that you are going to assign it to something else?

Helpful document

https://supportforums.cisco.com/docs/DOC-3155

Hope it helps

Mike

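The change Mike recommends, written out as an added example (not part of the original thread, and not code Mike posted). It assumes Chris's addressing exactly as in the posted config: 192.168.1.7 for the 2003 R2 server behind the `<2003R2>` name, and the PIX 6.3 command syntax shown there. The mechanism is that a `global` pool on an interface makes the PIX answer ARP requests for those addresses on that interface, so with `global (inside) 2 192.168.1.7` the PIX and the real server race to answer "who has 192.168.1.7?", and whichever host loses the race ends up caching the PIX's MAC for the server's IP until the entry ages out.

```cisco
! Added example, not from the original post. Assumes 192.168.1.7 is the
! 2003 R2 server (the <2003R2> name in Chris's config).
!
! Offending line from the posted config: a global pool on the inside
! interface. Nothing references it (no nat (outside) statement), but the
! PIX still proxy-ARPs for 192.168.1.7 on the inside LAN.
!   global (inside) 2 192.168.1.7
!
! Fix: remove it and flush translations so nothing keeps the mapping alive.
no global (inside) 2 192.168.1.7
clear xlate
write memory
!
! Verify on the PIX: no remaining global on inside, and 192.168.1.7 should
! appear in the ARP table with the server's own MAC, not be absent because
! the PIX considers it one of its own addresses.
show global
show arp
show xlate
```

On each Windows server, drop the stale entry rather than waiting up to the ARP cache timeout for it to expire (`arp -d 192.168.1.7` on the 2008 R2 box, then ping again); if the wrong MAC comes back after that, proxy ARP is still active somewhere. Do not reach for `sysopt noproxyarp inside` as a blanket fix here: the VPN pool 192.168.1.240-250 sits inside the 192.168.1.0/24 LAN, and LAN hosts can only reach connected VPN clients because the PIX proxy-ARPs for those pool addresses on the inside. While in the config, two other lines of the posted config are worth tightening: `telnet 0.0.0.0 0.0.0.0 outside` (PIX 6.3 only honours Telnet to the outside interface inside an IPsec tunnel, but an any-source entry still has no reason to exist) and `snmp-server community public`, which is the default community string.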
New Member

Re: Cisco Pix 501 - Please be gentle with me

Hi Mike,

Fantastic all solved :-)

The second question I will try and explain.

Before this all went horribly wrong the set up was thus: -

Outside interface = xxx.yyy.zzz.187

but ports 25, 80 and 443 were all forwarded (by translation rules?, I'm learning ;-)  ) to aaa.bbb.ccc.7 from xxx.yyy.zzz.186.

Now as I understand it the Cisco Pix 501 has the ability to "listen" to any external address, but strictly speaking you are not adding a second external address as such. After this re-config of the firewall, no matter what I did the firewall would not forward packets to the relevant internal address. This is why I had to change the external address to xxx.yyy.zzz.186, as it was easier than changing our hosting DNS and waiting for it to propagate around the world etc.

Best regards,

Chris

Cisco Employee

Re: Cisco Pix 501 - Please be gentle with me

Hello Chris!

Glad to hear that it is solved. Regarding your second question, yes it can be done. You can configure it like this

static (inside,outside) tcp xxx.yyy.zzz.186 25 aaa.bbb.ccc.7 25

That will forward port 25 to aaa.bbb.ccc.7. Here is a doc that you can follow as a guide

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10

Also, you will need the ACL permitting the traffic.

hope it helps.

Mike

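A fuller version of what Mike outlines, as an added example that is not part of the original thread. It assumes the /29 block implied by Chris's config (outside mask 255.255.255.248, ISP gateway xxx.yyy.zzz.185, usable addresses .186 through .190), puts the outside interface back on .187 as it was before the rebuild, and publishes SMTP, HTTP and HTTPS on .186 to the 2003 R2 server at 192.168.1.7; the xxx.yyy.zzz placeholders are kept from the original post. There is no "secondary address" to add: because .186 lies in the outside interface's own subnet, a static for it makes the PIX proxy-ARP for .186 on the outside, so the ISP router's ARP for .186 resolves to the PIX and the packets arrive for translation.

```cisco
! Added example, not from the original thread. Assumes xxx.yyy.zzz.184/29
! from the ISP, gateway .185, inside mail/OWA server at 192.168.1.7.
ip address outside xxx.yyy.zzz.187 255.255.255.248
route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.185 1
!
! Outbound LAN traffic is PATed to the interface address, so external sites
! see .187 again, as they did before the rebuild.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
! Port statics on .186. The explicit address matters: a static written with
! "interface" follows whatever address the outside interface holds, which is
! why the www/https statics in the posted config only worked once the
! interface itself was moved to .186.
static (inside,outside) tcp xxx.yyy.zzz.186 smtp 192.168.1.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yyy.zzz.186 www 192.168.1.7 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yyy.zzz.186 https 192.168.1.7 https netmask 255.255.255.255 0 0
!
! PIX 6.3 ACLs match the public (pre-translation) address, so permit .186,
! not the interface address. SMTP stays restricted to the Postini range
! from the posted config; OWA is open to any source.
access-list outside_access_in permit tcp 207.126.144.0 255.255.240.0 host xxx.yyy.zzz.186 eq smtp
access-list outside_access_in permit tcp any host xxx.yyy.zzz.186 eq www
access-list outside_access_in permit tcp any host xxx.yyy.zzz.186 eq https
access-group outside_access_in in interface outside
!
! After changing statics, flush old translations and confirm the mapping.
clear xlate
show static
show xlate
```

To confirm the proxy-ARP side from outside, the ISP router's ARP table should show .186 and .187 resolving to the same PIX MAC; from inside, `show xlate` should list a translation for 192.168.1.7 to .186 once a connection has been attempted. If the statics are correct but traffic still does not arrive, check the ACL hit counts with `show access-list outside_access_in` before assuming a NAT problem.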
New Member

Re: Cisco Pix 501 - Please be gentle with me

Hi Mike,

Thanks for the quick responses. As you describe it is how I had it configured, but it just wouldn't work. I think I shall work through the command line from now on, as the PDM seems limiting, if you get my drift. The problem is resolved now as all traffic uses xxx.yyy.zzz.186 and the .187 lies unused with its brothers .188, .189 and .190 ;-) .

Best regards,

Chris
