05-27-2003 11:30 AM - edited 03-09-2019 03:25 AM
I am having problems with access to our web server located in a DMZ on a PIX 520. If I try to ping the web server from a remote site, the ping fails. When I run clear xlate at the PIX I can ping successfully. After a period of time (I have not determined how long yet) the ping again fails. This seems like a timeout setting. The only timeout setting I see in the PIX config is timeout xlate 1:00:00. Does this apply to the DMZ, or is there a different setting needed for DMZ access? Thanks
05-27-2003 12:50 PM
Hi,
The problem seems to be with your translation rules; maybe overlapping IPs. Do you have a static defined for the web server? How about overlapping translations? Are there any? Please paste the config of your PIX, changing the real IP to some fake IP, so that we can take a look into this.
Thanks,
Mynul
05-28-2003 05:06 AM
A static is defined for the web server. The config is below.
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname csamfw01
domain-name tac.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol domain 53
names
access-list acl_in permit icmp any any
access-list acl_in permit ip any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xx.yy.zzz.84 eq smtp
access-list acl_out permit tcp any host xx.yy.zzz.85 eq smtp
access-list acl_out permit tcp any host xx.yy.zzz.83 eq ftp-data
access-list acl_out permit tcp any host xx.yy.zzz.87 eq www
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 200.171.173.178
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.219.15.121
access-list nonat permit ip 192.168.31.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 192.168.31.0 255.255.255.0 host 64.219.15.121
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.233.144.17
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.235.11.101
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.7.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 66.136.190.89
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.22.205.74
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list acl_dmz permit icmp any any
access-list acl_dmz permit tcp host 172.16.0.21 host 192.168.40.29 eq domain
access-list acl_dmz permit udp host 172.16.0.21 host 192.168.40.29 eq domain
access-list acl_dmz permit tcp host 172.16.0.21 host 192.168.40.27 eq sqlnet
access-list acl_dmz permit udp host 172.16.0.21 host 192.168.40.26 eq domain
access-list acl_dmz permit tcp host 172.16.0.21 host 192.168.40.26 eq domain
access-list acl_dmz deny tcp any host 192.168.0.0 eq www
access-list acl_dmz permit tcp host 172.16.0.21 any eq www
access-list acl_dmz permit tcp host 172.16.0.21 any eq ftp
access-list acl_dmz permit tcp host 172.16.0.21 any eq smtp
pager lines 24
logging on
logging buffered notifications
logging trap alerts
logging history alerts
logging facility 2
logging host inside 192.168.40.31
interface ethernet0 10baset
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.yy.zzz.82 255.255.255.240
ip address inside 192.168.40.3 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 xx.yy.zzz.89-xx.yy.zzz.93 netmask 255.255.255.240
global (outside) 1 xx.yy.zzz.94 netmask 255.255.255.240
global (dmz) 1 172.16.0.100-172.16.0.110
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 172.16.0.0 255.255.255.0 0 0
static (inside,outside) xx.yy.zzz.85 192.168.13.59 netmask 255.255.255.255 0 0
static (dmz,outside) xx.yy.zzz.83 172.16.0.20 netmask 255.255.255.255 0 0
static (dmz,outside) xx.yy.zzz.87 172.16.0.21 netmask 255.255.255.255 0 0
static (inside,outside) xx.yy.zzz.88 192.168.40.27 netmask 255.255.255.255 0 0
static (inside,outside) xx.yy.zzz.84 192.168.40.31 netmask 255.255.255.255 0 0
static (dmz,outside) xx.yy.zzz.88 172.16.0.25 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.yy.zzz.81 1
route inside 192.168.0.0 255.255.0.0 192.168.40.1 1
timeout xlate 1:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:00:00 absolute uauth 0:40:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.40.19 secret timeout 15
aaa authentication exclude tcp/0 inside 0.0.0.0 0.0.0.0 172.16.0.0 255.255.255.S
aaa authentication exclude tcp/0 inside 192.168.40.19 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.26 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.29 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.30 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.31 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.13.59 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.21 255.255.255.255 0.0.0.0 0S
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong-des esp-des esp-sha-hmac
crypto ipsec transform-set vstrong-3des esp-3des esp-sha-hmac
crypto dynamic-map cm-dynmap 5 set transform-set vstrong-3des
crypto dynamic-map cm-dynmap 10 set transform-set strong-des
crypto map cm-map 5 ipsec-isakmp
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
telnet 192.168.40.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxx
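Mynul's question about overlapping translations can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the static and global lines quoted in the config above and flags any mapped address claimed by more than one static, or one that falls inside a global NAT/PAT pool on the same interface. The sample lines are copied from the post with the poster's obfuscated xx.yy.zzz prefix kept, so addresses are compared as strings plus last octet rather than as real IPs.

```python
import re
from collections import defaultdict

# Constructed sample: the static and global lines from the config posted above,
# with the poster's obfuscated "xx.yy.zzz" prefix kept as-is.
SAMPLE_CONFIG = """
global (outside) 1 xx.yy.zzz.89-xx.yy.zzz.93 netmask 255.255.255.240
global (outside) 1 xx.yy.zzz.94 netmask 255.255.255.240
static (inside,outside) xx.yy.zzz.85 192.168.13.59 netmask 255.255.255.255 0 0
static (dmz,outside) xx.yy.zzz.83 172.16.0.20 netmask 255.255.255.255 0 0
static (dmz,outside) xx.yy.zzz.87 172.16.0.21 netmask 255.255.255.255 0 0
static (inside,outside) xx.yy.zzz.88 192.168.40.27 netmask 255.255.255.255 0 0
static (inside,outside) xx.yy.zzz.84 192.168.40.31 netmask 255.255.255.255 0 0
static (dmz,outside) xx.yy.zzz.88 172.16.0.25 netmask 255.255.255.255 0 0
"""

# PIX 6.x syntax: static (real_if,mapped_if) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
GLOBAL_RE = re.compile(r"^global \((\w+)\) \d+ (\S+)")

def last_octet(addr):
    return int(addr.rsplit(".", 1)[1])

def find_static_conflicts(config):
    """Return one finding per mapped address that is claimed by more than one
    static, or that sits inside a global pool on the same mapped interface."""
    statics = defaultdict(list)   # (mapped_if, mapped_addr) -> [(real_if, real_addr)]
    pools = []                    # (mapped_if, prefix, low_octet, high_octet)
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real = m.groups()
            statics[(mapped_if, mapped)].append((real_if, real))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            mapped_if, rng = m.groups()
            lo, _, hi = rng.partition("-")
            hi = hi or lo              # a single address is a one-entry pool
            pools.append((mapped_if, lo.rsplit(".", 1)[0], last_octet(lo), last_octet(hi)))
    findings = []
    for (mapped_if, mapped), reals in sorted(statics.items()):
        if len(reals) > 1:
            findings.append(f"duplicate static: {mapped} on {mapped_if} -> {reals}")
        for pool_if, prefix, lo, hi in pools:
            if pool_if == mapped_if and mapped.rsplit(".", 1)[0] == prefix and lo <= last_octet(mapped) <= hi:
                findings.append(f"static {mapped} overlaps global pool {prefix}.{lo}-{hi}")
    return findings
```

Run against the posted config it reports xx.yy.zzz.88 mapped from both an inside host and a DMZ host, which is the kind of overlap to resolve first before looking at timeouts.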
05-29-2003 11:28 AM
What does the log say when the pings start failing?