618 Views · 0 Helpful · 8 Replies

IP forwarding???

jdepies
Level 1

Ok, really weird situation. Running a 515 w/ 6.3.1 and I just removed a static and access-list command because the web server changed hence a new internal IP.

was:

static (inside,outside) XX.XX.XX.78 192.168.XX.18 netmask 255.255.255.255 0 0
access-list outside_acl permit tcp any host xx.xx.xx.78 eq www

I removed those entries and added the new ones:

static (inside,outside) XX.XX.XX.78 192.168.XX.23 netmask 255.255.255.255 0 0
access-list outside_acl permit tcp any host xx.xx.xx.78 eq www

I could not get into the website at all from outside of the firewall. I could get in from inside the pix using its internal IP.

Because I needed to test some configurations from the old server, I temporarily added it back in under a new external IP with the commands below:

static (inside,outside) XX.XX.XX.80 192.168.XX.18 netmask 255.255.255.255 0 0
access-list outside_acl permit tcp any host xx.xx.xx.80 eq www

This worked fine and I could actually get into the old website with the new ext IP.

So after testing, I removed the above commands and began testing the new server again. What I noticed while testing from a PC on the internet was this:

When I would ping the ext IP of the new server XX.XX.XX.78 I would get replies from the new Ext IP of the old server XX.XX.XX.80:

c:\>ping XX.XX.XX.78

Pinging XX.XX.XX.78 with 32 bytes of data:

Reply from XX.XX.XX.80: bytes=32 time=58ms TTL=105
Reply from XX.XX.XX.80: bytes=32 time=58ms TTL=105
Reply from XX.XX.XX.80: bytes=32 time=57ms TTL=105
Reply from XX.XX.XX.80: bytes=32 time=58ms TTL=105

Ping statistics for XX.XX.XX.78:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 57ms, Maximum = 58ms, Average = 57ms

c:\>

Why is the PIX forwarding the 78 IP to the 80 server, even though there is no reference to the xx.xx.xx.80 IP anywhere in the config? Here is a copy of the running config's static and access-list commands at the time I tried the ping from my internet PC. This happens from all clients on the internet, coming from different providers. Some behind firewalls, some not.

PIX1# sh stat
static (inside,outside) XX.XX.XX.72 192.168.XX.3 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.73 192.168.XX.10 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.74 192.168.XX.16 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.75 192.168.XX.41 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.70 192.168.XX.4 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.71 192.168.XX.24 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.76 192.168.XX.126 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.77 192.168.XX.22 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.79 192.168.XX.144 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.78 192.168.XX.23 netmask 255.255.255.255 0 0

PIX1# sh access-lis
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list nonat; 1 elements
access-list nonat line 1 permit ip 192.168.X.0 255.255.0.0 192.168.X.0 255.255.255.0 (hitcnt=25866797)
access-list outside_acl; 20 elements
access-list outside_acl line 1 permit icmp any any (hitcnt=444713)
access-list outside_acl line 2 permit icmp any any echo-reply (hitcnt=0)
access-list outside_acl line 3 deny ip host XX.XX.XX.XX any (hitcnt=0)
access-list outside_acl line 4 permit tcp any host XX.XX.XX.70 eq smtp (hitcnt=386700)
access-list outside_acl line 5 permit tcp any host XX.XX.XX.70 eq www (hitcnt=4054)
access-list outside_acl line 6 permit tcp any host XX.XX.XX.70 eq domain (hitcnt=9508)
access-list outside_acl line 7 permit udp any host XX.XX.XX.70 eq domain (hitcnt=1460661)
access-list outside_acl line 8 permit tcp any host XX.XX.XX.70 eq https (hitcnt=119)
access-list outside_acl line 9 permit tcp any host XX.XX.XX.71 eq www (hitcnt=1674)
access-list outside_acl line 10 permit tcp any host XX.XX.XX.72 eq www (hitcnt=21184)
access-list outside_acl line 11 permit tcp any host XX.XX.XX.72 eq https (hitcnt=161002)
access-list outside_acl line 12 permit tcp any host XX.XX.XX.73 eq www (hitcnt=33743)
access-list outside_acl line 13 permit tcp any host XX.XX.XX.74 eq domain (hitcnt=2)
access-list outside_acl line 14 permit udp any host XX.XX.XX.74 eq domain (hitcnt=1780)
access-list outside_acl line 15 permit tcp any host XX.XX.XX.75 eq ftp (hitcnt=148)
access-list outside_acl line 16 permit tcp any host XX.XX.XX.76 eq www (hitcnt=2616)
access-list outside_acl line 17 permit tcp any host XX.XX.XX.76 eq smtp (hitcnt=278)
access-list outside_acl line 18 permit tcp host xx.xx.xx.xx host XX.XX.XX.77 eq 8098 (hitcnt=21)
access-list outside_acl line 19 permit tcp any host XX.XX.XX.76 eq ftp (hitcnt=117)
access-list outside_acl line 20 permit udp any host XX.XX.XX.79 eq tftp (hitcnt=1)
access-list outside_acl line 21 permit tcp any host XX.XX.XX.78 eq www (hitcnt=15)

I tried to clear the xlate, but that did not help. I tried to clear ARP, but that did not help. The reason I know the 78 IP was being forwarded to the 80 IP and then ultimately to the old web server's internal IP of 192.168.XX.18 is that I shut that old server down, and the ping replies turned to time-outs immediately. I turned the server on, and the pings would start replying.

I have never seen this before, and I'm at a loss. I have never had this problem before.

Thanks for any help in this matter.

Jeff
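The first thing to verify in a situation like the one above is that the running config's static translations and the outside ACL actually agree with each other, before suspecting the xlate table. The script below is an added example, not from the thread or from Cisco: it parses the `static (inside,outside) ...` and `access-list ... permit ...` line formats shown in the post and reports outside addresses that are permitted but have no static, or translated but never permitted. The sample config lines are constructed (documentation addresses), and `outside_acl` is the ACL name from the post.

```python
"""Consistency check between PIX 'static' NAT entries and outside ACL entries."""
import re

# One-to-one static: static (hi,lo) OUTSIDE INSIDE netmask MASK ...
STATIC_RE = re.compile(
    r"^static \((?P<hi>\w+),(?P<lo>\w+)\) (?P<outside>\S+) (?P<inside>\S+) netmask (?P<mask>\S+)")
# ACL permit to a specific host; matches both typed commands and 'sh access-list' output
# (the optional 'line N' and trailing '(hitcnt=...)' are ignored).
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+)(?: line \d+)? permit (?P<proto>\w+) "
    r"(?P<src>any|host \S+) host (?P<dst>\S+)(?: eq (?P<port>\S+))?")

def parse_statics(lines):
    """Map outside address -> inside address for each one-to-one static."""
    return {m['outside']: m['inside'] for m in map(STATIC_RE.match, lines) if m}

def parse_acl_targets(lines, acl_name):
    """Set of (dst, proto, port) tuples the named ACL permits to a single host."""
    out = set()
    for line in lines:
        m = ACL_RE.match(line)
        if m and m['name'] == acl_name:
            out.add((m['dst'], m['proto'], m['port']))
    return out

def audit(lines, acl_name='outside_acl'):
    """Report outside addresses where statics and the ACL disagree."""
    statics = parse_statics(lines)
    permitted = {dst for dst, _, _ in parse_acl_targets(lines, acl_name)}
    return {
        # ACL lets traffic in, but there is no translation: hits are dropped
        'permitted_without_static': sorted(permitted - statics.keys()),
        # translation exists but nothing is permitted to it (stale or unused)
        'static_never_permitted': sorted(statics.keys() - permitted),
    }

# Constructed sample: .79 has a static but no permit, .80 is permitted with no static.
SAMPLE = """\
static (inside,outside) 203.0.113.78 192.168.1.23 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.79 192.168.1.144 netmask 255.255.255.255 0 0
access-list outside_acl line 1 permit icmp any any (hitcnt=444713)
access-list outside_acl line 2 permit tcp any host 203.0.113.78 eq www (hitcnt=15)
access-list outside_acl line 3 permit tcp any host 203.0.113.80 eq www (hitcnt=0)
""".splitlines()

if __name__ == '__main__':
    for key, addrs in audit(SAMPLE).items():
        print(key, addrs)
```

Feed it the combined output of `sh static` and `sh access-list`; a clean result means the translation and permit sides line up and the remaining suspect is the translation-slot table or the software itself.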

8 Replies

jdepies
Level 1

Just an update: I woke up this morning to find that my PC was not being redirected to IP 80 even though I was pinging 78. That's good. However, I still could not access port 80 for IP 78 from the outside. I reloaded the PIX and that fixed the problem.

I should not have to cycle the PIX to get access-list entries to work. I have all of the syslogs, but they only claim that the port 80 requests were denied by the outside_acl, even though I know that is not the case. The ACL line item was formatted properly, or else the reboot of the PIX would not have solved the problem. Any ideas?

Thanks

Jeff

If you were not doing a clear xlate to wipe out the translation slot table, weird things can happen when you manipulate static commands.

I did do the clear xlate, several times.

Anybody have any ideas?

Thanks

Sorry, I meant to respond yesterday. This is a known issue in the 6.3(1) code. The bug that fixes this issue is CSCea84806. The fix is integrated into the 6.3(3) release. If you look at this DDTS on CCO, you will see symptoms different than what you experienced but the root cause of the problem is the same. Can you upgrade your PIX and re-test?

Scott

Thanks, I will give that a try.

Is there any ETA on the 6.4.1 or the 6.3.4 release?

Thanks

Jeff

We do not have a definitive date for a 6.3(4) release at this time but I would suspect something in the next 3-4 months. In the meantime, you are always welcome to leverage interim releases of the PIX 6.3 code.

As for 6.4 code, we have no plans at this time to produce a 6.4 release. The next major release of code will be 7.0 and it is due out sometime towards the end of the year. This will be a *big* release. Hope this helps.

Scott

Sounds good. Do you guys have any info pages about the new features planned for 7.0?

Thanks

Jeff

Nothing public at this time on the features in the PIX 7.0 release. If you are interested in getting this info, I would suggest contacting your local Cisco sales office. Someone there should be able to get you this information.

Scott
