Cisco Support Community
New Member

No inbound traffic on PIX 501

About three weeks ago, after a power outage (storm), my PIX 501 started denying all inbound traffic. My PIX sits between the ADSL modem (PPPoE) and the network. All stations can browse the internet and send mail without a problem. I checked my current config against the last known good config from before the power outage. The only thing I can see that is different is the new IP address assigned by the ISP's DHCP.

Here are partial excerpts of my config (I left out the VPN part to save space).

Any help would be greatly appreciated.

Before resetting PIX - 6.20.2003

PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxxx encrypted
hostname Phoenix
domain-name mad4networks.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit tcp any host x.x.34.248 eq 1020
access-list 100 permit tcp any host x.x.34.248 eq 1060
access-list 100 permit tcp any host x.x.34.248 eq 3389
access-list 100 permit tcp any host x.x.34.248 eq smtp
access-list 101 permit ip x.x.0.0 255.255.0.0 192.168.12.0 255.255.255.0
pager lines 24
logging on
logging trap warnings
logging host inside 10.1.100.10
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.248 255.255.255.255 pppoe
ip address inside 10.1.1.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclientpool 192.168.12.1-192.168.12.99
pdm location 10.1.1.4 255.255.255.255 inside
pdm location 10.1.1.254 255.255.255.255 inside
pdm location 10.1.40.1 255.255.255.255 inside
pdm location x.x.x.0 255.255.255.240 outside
pdm location x.x.x.0 255.255.255.0 outside
pdm location 10.1.100.10 255.255.255.255 inside
pdm location 10.1.10.8 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 141.158.34.248 1060 10.1.40.1 1060 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.34.248 smtp 10.1.1.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.248 3389 10.1.1.4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.248 1020 10.1.1.4 1020 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 141.158.34.248 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.254 255.255.255.255 inside
http 10.1.0.0 255.255.0.0 inside

After resetting - 10.7.2003

PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxx encrypted
hostname Phoenix
domain-name mad4networks.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit tcp any host x.x.215.51 eq 1060
access-list 100 permit tcp any host x.x.215.51 eq 3389
access-list 100 permit tcp any host x.x.215.51 eq smtp
access-list 100 permit tcp any host x.x.215.51 eq 1020
access-list 101 permit ip 10.1.0.0 255.255.0.0 192.168.12.0 255.255.255.0
pager lines 24
logging on
logging trap warnings
logging host inside 10.1.100.10
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.51 255.255.255.255 pppoe
ip address inside 10.1.1.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclientpool 192.168.12.1-192.168.12.99
pdm location 10.1.1.4 255.255.255.255 inside
pdm location 10.1.1.254 255.255.255.255 inside
pdm location 10.1.40.1 255.255.255.255 inside
pdm location x.x.x.0 255.255.255.240 outside
pdm location x.x.x.0 255.255.255.0 outside
pdm location 10.1.100.10 255.255.255.255 inside
pdm location 10.1.10.8 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 151.197.215.51 1060 10.1.40.1 1060 netmask 255.255.255.255 0 0
static (inside,outside) tcp 151.197.215.51 smtp 10.1.1.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 151.197.215.51 3389 10.1.1.4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 151.197.215.51 1020 10.1.1.4 1020 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 141.158.37.99 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.254 255.255.255.255 inside
http 10.1.0.0 255.255.0.0 inside
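The poster compared the two configs by eye and saw only the new public address. An added example, not code from the thread: a diff that first replaces every public (or x.x.-masked) address with one token, so the expected ISP re-address cancels out and only lines present in just one config are reported. Run on the excerpts below (constructed from the two configs above, with fixup, pdm and VPN lines left out), it reports the single line the pre-outage config has and the post-reset config lacks: access-group 100 in interface outside. The same tool works on the full configs.

```python
import re
# Dotted quads, including the x.x.-masked form used in the posted configs.
IPV4 = re.compile(r"\b(?:\d{1,3}|x)(?:\.(?:\d{1,3}|x)){3}\b")

# Constructed excerpts of the two configs quoted in the thread (fixup, pdm and VPN lines omitted).
BEFORE = """\
access-list 100 permit tcp any host x.x.34.248 eq smtp
ip address outside x.x.x.248 255.255.255.255 pppoe
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.34.248 smtp 10.1.1.4 smtp netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 141.158.34.248 1
"""
AFTER = """\
access-list 100 permit tcp any host x.x.215.51 eq smtp
ip address outside x.x.x.51 255.255.255.255 pppoe
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 151.197.215.51 smtp 10.1.1.4 smtp netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 141.158.37.99 1
"""

def keep_literal(addr: str) -> bool:
    """RFC1918 hosts, netmasks and 0.0.0.0 do not change when the ISP re-addresses the link."""
    o = addr.split(".")
    if o[0] == "10" or (o[0] == "192" and o[1] == "168"):
        return True
    if o[0] == "172" and o[1].isdigit() and 16 <= int(o[1]) <= 31:
        return True
    return o[0] in ("255", "0")

def normalize(line: str) -> str:
    """Replace each public (or x.x.-masked) address with one token so a re-address cancels out."""
    return IPV4.sub(lambda m: m.group(0) if keep_literal(m.group(0)) else "<PUBLIC>", line.strip())

def public_addresses(config: str) -> list:
    """The addresses that were tokenised, so the reader can confirm only the expected ones changed."""
    return sorted({a for a in IPV4.findall(config) if not keep_literal(a)})

def config_diff(before: str, after: str) -> tuple:
    """(normalised lines only in before, normalised lines only in after)."""
    b = {normalize(l) for l in before.splitlines() if l.strip()}
    a = {normalize(l) for l in after.splitlines() if l.strip()}
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    gone, new = config_diff(BEFORE, AFTER)
    print("public addresses, before:", public_addresses(BEFORE))
    print("public addresses, after: ", public_addresses(AFTER))
    print("only in pre-outage config:", gone)
    print("only in post-reset config:", new)
```

Note that the default-gateway change is tokenised away as an expected difference, so a wrong gateway still has to be checked by hand against the new outside address.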

2 REPLIES
Cisco Employee

Re: No inbound traffic on PIX 501

Can't see anything obvious, and I did try and connect to port 25 on your server and didn't get through (be careful in future about posting full configs though).

Your best bet is to turn on syslogging and then try an inbound connection and see what the PIX tells you is going on.

logging trap debug

If you're not sure what you're looking for, look for anything with your outside PC's IP address in it.
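The syslog triage this reply describes, as an added example that is not part of the thread: the posted config already sends syslog to the host 10.1.100.10, so with logging trap debug in effect that host receives every message. This script takes such a log and the outside test PC's address, keeps only the lines that name that address, and maps each PIX message ID to what it implies about where the inbound packet stopped. The log lines, the test PC address 203.0.113.7 and the ID meanings are constructed from the PIX 6.x syslog message formats; none of it is output from the poster's PIX.

```python
import re
from collections import Counter

# Constructed syslog lines in PIX 6.3 format (not from the thread). 203.0.113.7 stands in for
# the outside test PC; 151.197.215.51 is the PIX outside address from the posted config.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 9001 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.1.10.8/3301 (151.197.215.51/1041)
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/51000 to 151.197.215.51/25 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/51001 to 151.197.215.51/3389 flags SYN on interface outside
%PIX-4-106023: Deny tcp src outside:203.0.113.7/51002 dst outside:151.197.215.51/22 by access-group "100"
%PIX-6-302013: Built inbound TCP connection 9002 for outside:203.0.113.7/51003 (203.0.113.7/51003) to inside:10.1.1.4/25 (151.197.215.51/25)
"""

# Where in the inbound path each PIX 6.x message ID says the packet stopped.
MEANING = {
    "106001": "denied by the default inbound policy: nothing permitted it (is an access-group applied?)",
    "106023": "denied by a rule in the named access-list (wrong host, port or protocol)",
    "305005": "permitted by the access-list but no static/xlate covers the destination",
    "302013": "connection built: the PIX let it through",
}

MSG = re.compile(r"%PIX-\d-(?P<id>\d{6}): (?P<text>.*)")

def mentions(text: str, addr: str) -> bool:
    """True if addr appears as a whole address (so 203.0.113.7 does not match 203.0.113.70)."""
    return re.search(r"(?<![\d.])" + re.escape(addr) + r"(?![\d.])", text) is not None

def triage(log: str, test_pc: str) -> list:
    """Return (msg_id, meaning, text) for every line that names test_pc, in log order."""
    hits = []
    for line in log.splitlines():
        m = MSG.match(line)
        if m and mentions(m.group("text"), test_pc):
            hits.append((m.group("id"), MEANING.get(m.group("id"), "unclassified"), m.group("text")))
    return hits

def summary(hits: list) -> Counter:
    """Count per message ID: the quickest view of whether the ACL or the xlate is the blocker."""
    return Counter(h[0] for h in hits)

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, "203.0.113.7")
    for msg_id, meaning, text in hits:
        print(f"{msg_id} {meaning}\n    {text}")
    print(summary(hits))
```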

New Member

Re: No inbound traffic on PIX 501

It looks like your default gateway is incorrect (not on the same subnet as your IP Address). Maybe I don't understand the PPPoE, but it doesn't look right.
