
Clear xlate /DMZ access

thomas.green
Level 1

I am having problems with access to our web server located in a DMZ on a PIX 520. If I try to ping the web server from a remote site, the ping fails. When I run clear xlate at the PIX I can ping successfully. After a period of time (I have not determined how long yet), the ping again fails. This seems like a timeout setting. The only timeout setting I see in the PIX config is timeout xlate 1:00:00. Does this apply to the DMZ, or is there a different setting needed for DMZ access? Thanks

3 Replies

mhoda
Level 5

Hi,

The problem seems to be with your translation rules, maybe overlapping IPs. Do you have a static defined for the web server? How about an overlapping translation, is there any? Please paste the config of your PIX, changing the real IPs to fake ones, so that we can take a look into this.

Thanks,

Mynul

A static is defined for the web server. The config is below.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname csamfw01
domain-name tac.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol domain 53
names
access-list acl_in permit icmp any any
access-list acl_in permit ip any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xx.yy.zzz.84 eq smtp
access-list acl_out permit tcp any host xx.yy.zzz.85 eq smtp
access-list acl_out permit tcp any host xx.yy.zzz.83 eq ftp-data
access-list acl_out permit tcp any host xx.yy.zzz.87 eq www
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 200.171.173.178
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.219.15.121
access-list nonat permit ip 192.168.31.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 192.168.31.0 255.255.255.0 host 64.219.15.121
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.233.144.17
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.235.11.101
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.7.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 66.136.190.89
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.22.205.74
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list acl_dmz permit icmp any any
access-list acl_dmz permit tcp host 172.16.0.21 host 192.168.40.29 eq domain
access-list acl_dmz permit udp host 172.16.0.21 host 192.168.40.29 eq domain
access-list acl_dmz permit tcp host 172.16.0.21 host 192.168.40.27 eq sqlnet
access-list acl_dmz permit udp host 172.16.0.21 host 192.168.40.26 eq domain
access-list acl_dmz permit tcp host 172.16.0.21 host 192.168.40.26 eq domain
access-list acl_dmz deny tcp any host 192.168.0.0 eq www
access-list acl_dmz permit tcp host 172.16.0.21 any eq www
access-list acl_dmz permit tcp host 172.16.0.21 any eq ftp
access-list acl_dmz permit tcp host 172.16.0.21 any eq smtp
pager lines 24
logging on
logging buffered notifications
logging trap alerts
logging history alerts
logging facility 2
logging host inside 192.168.40.31
interface ethernet0 10baset
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.yy.zzz.82 255.255.255.240
ip address inside 192.168.40.3 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 xx.yy.zzz.89-xx.yy.zzz.93 netmask 255.255.255.240
global (outside) 1 xx.yy.zzz.94 netmask 255.255.255.240
global (dmz) 1 172.16.0.100-172.16.0.110
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 172.16.0.0 255.255.255.0 0 0
static (inside,outside) xx.yy.zzz.85 192.168.13.59 netmask 255.255.255.255 0 0
static (dmz,outside) xx.yy.zzz.83 172.16.0.20 netmask 255.255.255.255 0 0
static (dmz,outside) xx.yy.zzz.87 172.16.0.21 netmask 255.255.255.255 0 0
static (inside,outside) xx.yy.zzz.88 192.168.40.27 netmask 255.255.255.255 0 0
static (inside,outside) xx.yy.zzz.84 192.168.40.31 netmask 255.255.255.255 0 0
static (dmz,outside) xx.yy.zzz.88 172.16.0.25 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.yy.zzz.81 1
route inside 192.168.0.0 255.255.0.0 192.168.40.1 1
timeout xlate 1:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:00:00 absolute uauth 0:40:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.40.19 secret timeout 15
aaa authentication exclude tcp/0 inside 0.0.0.0 0.0.0.0 172.16.0.0 255.255.255.S
aaa authentication exclude tcp/0 inside 192.168.40.19 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.26 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.29 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.30 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.31 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.13.59 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.21 255.255.255.255 0.0.0.0 0S
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong-des esp-des esp-sha-hmac
crypto ipsec transform-set vstrong-3des esp-3des esp-sha-hmac
crypto dynamic-map cm-dynmap 5 set transform-set vstrong-3des
crypto dynamic-map cm-dynmap 10 set transform-set strong-des
crypto map cm-map 5 ipsec-isakmp
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
telnet 192.168.40.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxx
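Mynul asked about overlapping translations, and the posted config does map xx.yy.zzz.88 from two different real hosts (192.168.40.27 via static (inside,outside) and 172.16.0.25 via static (dmz,outside)). The script below is an added example, not part of the thread: it parses the static and global lines of a PIX 6.x config and flags every mapped address claimed more than once, whether by two statics or by a static and a dynamic global pool. The config excerpt is constructed from the post, with 198.51.100 standing in for the redacted xx.yy.zzz prefix.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the posted PIX 6.1(4) config. 198.51.100 stands in
# for the redacted xx.yy.zzz prefix; it is an assumption, not the real range.
PIX_CONFIG = """\
global (outside) 1 198.51.100.89-198.51.100.93 netmask 255.255.255.240
global (outside) 1 198.51.100.94 netmask 255.255.255.240
global (dmz) 1 172.16.0.100-172.16.0.110
static (inside,outside) 198.51.100.85 192.168.13.59 netmask 255.255.255.255 0 0
static (dmz,outside) 198.51.100.83 172.16.0.20 netmask 255.255.255.255 0 0
static (dmz,outside) 198.51.100.87 172.16.0.21 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.88 192.168.40.27 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.84 192.168.40.31 netmask 255.255.255.255 0 0
static (dmz,outside) 198.51.100.88 172.16.0.25 netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) mapped_ip real_ip ...  /  global (mapped_if) id pool ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) \d+ (\S+)")

def parse_statics(config):
    """Yield (real_if, mapped_if, mapped_ip, real_ip) for each one-to-one static."""
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            yield m.groups()

def parse_global_pools(config):
    """Yield (mapped_if, set of addresses) per global pool, expanding a-b ranges."""
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m:
            lo, _, hi = m.group(2).partition("-")
            first = int(ipaddress.ip_address(lo))
            last = int(ipaddress.ip_address(hi or lo))
            yield m.group(1), {str(ipaddress.ip_address(n)) for n in range(first, last + 1)}

def find_overlaps(config):
    """Return [(mapped_ip, [claimants])] for each mapped address claimed more than
    once on the same interface, by two statics or by a static plus a global pool."""
    claims = defaultdict(list)
    for real_if, mapped_if, mapped_ip, real_ip in parse_statics(config):
        claims[(mapped_if, mapped_ip)].append(f"{real_if}:{real_ip}")
    for mapped_if, pool in parse_global_pools(config):
        for ip in pool & {k[1] for k in claims if k[0] == mapped_if}:
            claims[(mapped_if, ip)].append(f"pool:{mapped_if}")
    return sorted((ip, who) for (_, ip), who in claims.items() if len(who) > 1)
```

Run against the excerpt it reports only the .88 address, claimed once from inside and once from dmz; the dynamic pools .89-.94 and 172.16.0.100-110 do not collide with any static.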

What does the log say when the pings start failing?
