Cisco Support Community
New Member

Another "Tough" Pix 501 firewall issue

Hello,

The other day I posted a message requesting assistance for allowing access to inside servers from the outside. I had recreated the actual customer's setup in a test lab - including a simulated gateway - and everything worked perfectly fine.

Now that I attempted to install the firewall on site, I have a BIG issue - no clients on the inside can connect to anything on the Internet.

Here is the relevant part of the config:

interface ethernet0 auto
interface ethernet1 100full
access-list outside-in permit tcp any host xxx.115.216.50 eq 3389
access-list outside-in permit tcp any host xxx.115.216.50 eq 25
ip address outside xxx.115.216.50 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.115.216.49
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside, outside) tcp interface 3389 192.168.1.155 3389 netmask 255.255.255.0 0 0
static (inside, outside) tcp interface 25 192.168.1.199 25 netmask 255.255.255.0 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.115.216.125 1
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd dns 192.168.1.199 xxx.185.225.10
dhcpd wins 192.168.1.199
dhcpd lease 921600
dhcpd ping_timeout 750
dhcpd domain xxx.local
dhcpd enable inside

I can ping the PIX's inside interface from inside clients, and I can ping anything on the Internet from within the PIX firewall.

Also, the servers on the inside are accessible from the outside (tested it to make sure).

The problem is obviously - no inside clients can access the Internet.

When I do show xlate I can see that the translations are actually happening, yet there is no connectivity.

According to the TAC knowledge base article, this config should work... by default connections from the inside to the outside are not blocked in any way unless there is an access list configured. I also tried disabling the access-list associated with the outside interface. As a last step, I tried using an IP in a different range for the PATed address (xxx.185.225.151, and I added a route to the appropriate gateway with a metric of 2). I guess nothing worked...

Any suggestions greatly appreciated!
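As an added example (not code from the thread or from Cisco), the following script parses the config posted above and reports what the outside interface actually exposes, which is the first thing to check on a box like this before debugging connectivity. It understands only the command forms that appear in the post (ip address, global, nat, static in its tcp/udp port form, access-list ... permit ... eq, and access-group) and tolerates the static lines exactly as posted, including the space after the comma and the /24 netmask. The masked "xxx." octets are replaced with the 203.0.113.0/24 documentation prefix; that substitution, and the alternative off-subnet global address used in the usage note, are constructed.

```python
import ipaddress
import re

# Constructed sample: the posted config with "xxx." replaced by 203.0.113.
PIX_CONFIG = """\
interface ethernet0 auto
interface ethernet1 100full
access-list outside-in permit tcp any host 203.0.113.50 eq 3389
access-list outside-in permit tcp any host 203.0.113.50 eq 25
ip address outside 203.0.113.50 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.49
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside, outside) tcp interface 3389 192.168.1.155 3389 netmask 255.255.255.0 0 0
static (inside, outside) tcp interface 25 192.168.1.199 25 netmask 255.255.255.0 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.125 1
"""

_IP_ADDR = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
_GLOBAL = re.compile(r"^global \((\w+)\) \d+ (\S+)")
_STATIC = re.compile(r"^static \((\w+),\s*(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
_ACE = re.compile(r"^access-list (\S+) permit (\w+) (\S+) host (\S+) eq (\d+)$")
_ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\w+)$")


def parse_pix(text):
    """Collect interfaces, globals, statics, ACL entries and ACL bindings."""
    cfg = {"ifaces": {}, "globals": [], "statics": [], "acls": {}, "bound": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _IP_ADDR.match(line):
            cfg["ifaces"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := _GLOBAL.match(line):
            cfg["globals"].append((m[1], m[2]))
        elif m := _STATIC.match(line):
            cfg["statics"].append({
                "real_if": m[1], "mapped_if": m[2], "proto": m[3],
                "mapped_ip": m[4], "mapped_port": int(m[5]),
                "real_ip": m[6], "real_port": int(m[7])})
        elif m := _ACE.match(line):
            cfg["acls"].setdefault(m[1], []).append(
                {"proto": m[2], "src": m[3], "dst": m[4], "port": int(m[5])})
        elif m := _ACCESS_GROUP.match(line):
            cfg["bound"][m[2]] = m[1]          # interface -> ACL name
    return cfg


def mapped_address(cfg, iface, token):
    """In a static, the keyword 'interface' means the mapped interface's own address."""
    return str(cfg["ifaces"][iface].ip) if token == "interface" else token


def exposed_services(cfg):
    """Join every static with the ACL bound to its mapped interface. A port
    forward is reachable only if some ACE permits that proto/port to the
    mapped address; with no matching ACE the lower-security side is denied."""
    result = []
    for st in cfg["statics"]:
        mip = mapped_address(cfg, st["mapped_if"], st["mapped_ip"])
        aces = cfg["acls"].get(cfg["bound"].get(st["mapped_if"]), [])
        sources = [a["src"] for a in aces
                   if a["proto"] == st["proto"] and a["dst"] == mip
                   and a["port"] == st["mapped_port"]]
        result.append({"mapped": f"{mip}:{st['mapped_port']}/{st['proto']}",
                       "real": f"{st['real_ip']}:{st['real_port']}",
                       "allowed_from": sources})
    return result


def off_subnet_mapped(cfg):
    """Global (PAT) addresses outside the interface's own subnet: the next-hop
    router will not ARP for those, it needs a route to the PIX, so flag them."""
    flagged = []
    for iface, addr in cfg["globals"]:
        if ipaddress.ip_address(addr) not in cfg["ifaces"][iface].network:
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    for svc in exposed_services(cfg):
        print(f"{svc['mapped']:>22} -> {svc['real']:<20} allowed from {svc['allowed_from'] or 'nobody'}")
    print("off-subnet globals:", off_subnet_mapped(cfg) or "none")
```

On the posted config this lists tcp/3389 and tcp/25 on .50 forwarded to the two inside servers, both permitted from any source, and no off-subnet globals; swapping the global line for the off-subnet address the poster tried later (a constructed 198.51.100.151 in the test) makes `off_subnet_mapped` flag it, which is the case where the upstream needs a route rather than an ARP entry.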

10 REPLIES
New Member

Re: Another "Tough" Pix 501 firewall issue

Hi !

Maybe there is a DNS issue... you can ping anything on the Internet but you cannot access (navigate?) the Internet.

dhcpd dns 192.168.1.199 xxx.185.225.10

Can you change your DNS servers ? Can you use your ISP DNS servers ?

Have you checked your logs?

conf term
logg mon 6
logg console 6
logg buff 6
term mon
logg on

Hope this helps...

New Member

Re: Another "Tough" Pix 501 firewall issue

Hi, the thing is - I can ping anything on the Net from WITHIN the pix firewall only - not from any client machines.

The local machines behind the PIX cannot do ANY activity on the Internet - I tried various well-known sites, tried Telnet access, anything.

Checking show xlate, local 192.168.1.100 is translated to global xxx.115.216.49 as it should be.

Also, I tried using .50 as the address to which clients are PATed, to no avail. Tried a different global IP on a different subnet (and added gateway, of course). Nothing worked.

I guess I will try collecting debug info when I go on site next..

the question is - does anything seem wrong with the config ? The only thing that I changed from default was "no fixup protocol smtp 25".

The above commands are the only things I entered into the pix...

Thank you,

Sean

New Member

Re: Another "Tough" Pix 501 firewall issue

Hi,

Remove all the config and apply it step by step: configure the inside host with a manual IP config instead of DHCP, make sure it points to the PIX, apply NAT, and make sure your PR is pointed to the PIX outside. Try to clear the xlate. If this is working, then use DHCP, then apply the static.

Regards

Matheen Farook

New Member

Re: Another "Tough" Pix 501 firewall issue

Hello, just an update on this.. I believe it will take a REAL expert to solve this!

I took the firewall back... and tested it again in my test lab. The only thing I changed is the outside IP - changed it to .51 and adjusted the access-lists accordingly. (I was able to do this live, because the customer is only using .50 right now, so I was able to keep the PAT global address (.49) on the firewall in my test environment. We are this customer's ISP, by the way, so this is all happening on the same live network.)

Of course, in my test lab everything works as it should!!! I can access the test server from the outside... I can access the Internet from the test server.. I can plug in a laptop into the PIX, get an IP and browse the Internet!

So what is different than on the actual customer's location ? Nothing really, I just used a different IP for the outside interface (.51 instead of .50).

So there's nothing obviously wrong. I know this config works.

Any suggestions ? because this all makes zero sense (to me at least.. )

Thanks in advance everyone!

Bronze

Re: Another "Tough" Pix 501 firewall issue

Did you clear the ARP cache on your ISP (outside) router? If your .50 address was changed from the client MAC to your PIX MAC, the next hop router will not know where to forward replies (layer 2). Otherwise, everything looks correct.

(Can you keep the .51 address on the PIX when you install on the customer site?)

New Member

Re: Another "Tough" Pix 501 firewall issue

Hello,

The outside router actually belongs to our upstream provider (it's located at our premises, but we're not supposed to touch it). How long would it cache the ARP entries for? Because I spent a couple of hours on site trying to get it going. If ARP was the issue, maybe I can try cloning the MAC of the old router (I am assuming the PIX supports this?).

I guess I can't keep .51, because the MX records point to .50 ...

Thank you for your reply, I will let you know what happens when I go on site next!

New Member

Re: Another "Tough" Pix 501 firewall issue

Hey,

If you remove the ACL on the outside and check that the security levels are right, the PIX should automatically let traffic go from inside to outside.

What version of PIX OS are you running, 6.3.5?

Martin

DK

Bronze (accepted solution)

Re: Another "Tough" Pix 501 firewall issue

Cisco routers' default ARP cache timeout is 4 hours. I am not sure of other vendors' timeouts. Try installing at the premises with .51 to check operation; if it works, try the .50 address again. If you don't have an issue with the mail not being accessible for 4 hours or so, maybe let it run long enough to test the ARP theory....

New Member

Re: Another "Tough" Pix 501 firewall issue

Hi,

I guess I need to make myself more clear here:

it was the PAT address (.49) that did not work.

The .50 address worked right away (I replaced the old router with the PIX, and then phoned my office to have someone remote-desktop into the server behind the PIX, also telnet into the port 25 of the server - that all worked immediately).

I just could not establish any connection to the Internet from the inside machines.

The thing is, the .49 IP had been tied to a NIC (that's what we do with unused IPs) and I removed it from there just before I went to the customer's site. So it's possible that ARP would have been cached.

If that was the problem, then it should just work when I try it next..

Thank you

Sean
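The ARP theory from the accepted answer, combined with the detail in the post above that .49 had just been moved off a spare NIC, explains the asymmetry Sean saw: the interface address worked at once while the PAT address did not. The model below is an added example (not code from the thread or from Cisco) that replays the cutover against an upstream router whose ARP cache follows RFC 826 merge semantics (an ARP request from a sender it already knows refreshes that entry) with a fixed entry lifetime. That the real upstream router behaves exactly this way is an assumption; the MAC addresses, the function names, and the 203.0.113.0/24 prefix standing in for the masked "xxx." octets are constructed.

```python
ARP_TIMEOUT = 4 * 3600               # IOS default ARP timeout quoted in the thread
GATEWAY_IP = "203.0.113.125"         # next hop from the posted "route outside" line
OLD_ROUTER_MAC = "00:00:5e:00:53:01"  # constructed: the router the PIX replaced
SPARE_NIC_MAC = "00:00:5e:00:53:02"   # constructed: NIC that held .49 until the cutover
PIX_MAC = "00:00:5e:00:53:03"         # constructed
IFACE_IP = "203.0.113.50"            # PIX outside interface address (.50)
PAT_IP = "203.0.113.49"              # global (outside) PAT address (.49)


class Device:
    """A host on the outside segment. It answers who-has for the addresses it
    owns and, like the PIX for its global/static addresses, for any address
    it proxy-ARPs on behalf of inside hosts."""

    def __init__(self, mac, owned, proxied=()):
        self.mac = mac
        self.answers_for = set(owned) | set(proxied)

    def answer_who_has(self, ip):
        return self.mac if ip in self.answers_for else None


class UpstreamRouter:
    """ARP cache of the provider's next-hop router, with RFC 826 merge rules."""

    def __init__(self, ip, now=0.0):
        self.ip = ip
        self.now = now
        self.cache = {}                  # ip -> (mac, learned_at)

    def advance(self, seconds):
        self.now += seconds

    def _expire(self):
        self.cache = {ip: e for ip, e in self.cache.items()
                      if self.now - e[1] < ARP_TIMEOUT}

    def receive_arp_request(self, sender_ip, sender_mac, target_ip):
        """Merge the sender if already known; add it if the request is for
        our own address (we have to answer it anyway). A gratuitous ARP is
        just a request whose target is the sender itself."""
        self._expire()
        if sender_ip in self.cache or target_ip == self.ip:
            self.cache[sender_ip] = (sender_mac, self.now)

    def resolve(self, ip, segment):
        """MAC the router forwards to: the live cache entry, otherwise the
        first device on the segment that answers who-has."""
        self._expire()
        if ip in self.cache:
            return self.cache[ip][0]
        for dev in segment:
            mac = dev.answer_who_has(ip)
            if mac:
                self.cache[ip] = (mac, self.now)
                return mac
        return None


def run_cutover(fix=None):
    """Replay the cutover. Returns (after_cutover, after_fix), each mapping
    .50 and .49 to the MAC the upstream router uses for it. fix is None,
    "timeout" (wait out the cache) or "gratuitous" (PIX announces .49)."""
    gw = UpstreamRouter(GATEWAY_IP)
    before = [Device(OLD_ROUTER_MAC, {IFACE_IP}), Device(SPARE_NIC_MAC, {PAT_IP})]
    gw.resolve(IFACE_IP, before)         # old router answered for .50
    gw.resolve(PAT_IP, before)           # spare NIC answered for .49

    # Cutover: the PIX owns .50 and proxy-ARPs for .49; the old devices are gone.
    pix = Device(PIX_MAC, {IFACE_IP}, proxied={PAT_IP})
    segment = [pix]
    # Pinging the Internet from the PIX itself makes it ARP for its gateway,
    # sourced from .50, so the gateway merges the new MAC for .50 at once.
    gw.receive_arp_request(IFACE_IP, PIX_MAC, GATEWAY_IP)
    # Nothing ever sources an ARP request from the PAT address, so the stale
    # entry for .49 (still the spare NIC) is never merged: replies to the
    # PATed clients go to a MAC that no longer exists on the segment.
    after = {ip: gw.resolve(ip, segment) for ip in (IFACE_IP, PAT_IP)}

    if fix == "timeout":
        gw.advance(ARP_TIMEOUT + 1)      # entry ages out, router re-ARPs, PIX answers
    elif fix == "gratuitous":
        gw.receive_arp_request(PAT_IP, PIX_MAC, PAT_IP)   # gratuitous ARP for .49
    fixed = {ip: gw.resolve(ip, segment) for ip in (IFACE_IP, PAT_IP)}
    return after, fixed


if __name__ == "__main__":
    for fix in (None, "timeout", "gratuitous"):
        after, fixed = run_cutover(fix)
        print(f"fix={str(fix):10} after cutover {after}  after fix {fixed}")
```

On real kit the equivalent check is `show arp` on the IOS next-hop router, which shows which MAC it still holds for .49, and `clear arp-cache` if you are allowed to touch it; on the PIX, `show arp` confirms what the firewall itself has learned. Where the upstream is off limits, as here, the options are the ones the thread arrives at: wait out the timeout, or have the new owner announce the moved address.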

New Member

Re: Another "Tough" Pix 501 firewall issue

I guess it just worked this time - without me changing a line of the original config - so I will have to conclude it was an ARP caching issue the first time around.

Thanks everyone!!!

Sean
