Pix 520 will not pass X-windows traffic on version 6.22 or 6.31

ahegler
Level 1

I have upgraded from version 6.0(2) to 6.22 and then to 6.31 only to find that the Pix stops passing my X-windows traffic in the later versions of software. My configuration remains unchanged and the upgrade process went fine. I have opened a couple of cases and had no luck, other than to downgrade back to 6.0(2), which is unacceptable. Has anyone else run across anything similar?

7 Replies

dro
Level 1

Hi. Can you give us a few more details about the setup?

Are you trying to connect inbound or outbound with the X-windows data? Do you have any ACLs or static maps in place? Do any errors get generated when the traffic is stopped? Etc.

Regards,

-Joshua

The traffic is inbound and the appropriate ACLs are applied. I do not receive any errors. In my syslogs it appears the PIX denies the traffic and I see a TCP reset. My config is the same as it was while I was running 6.0(2) and X-windows was working fine. Thanks

Hi. Can you post your ACL configurations as well as your static maps and any errors that get logged to syslog?

Thanks.

access-list 100 permit tcp host 165.166.240.2 host 165.166.242.35

access-list 100 permit tcp host 165.166.240.3 host 165.166.242.35

access-list 100 permit tcp host 165.166.240.4 host 165.166.242.35

access-list 100 permit tcp host 165.166.240.7 host 165.166.242.35

access-list 100 permit tcp host 165.166.240.8 host 165.166.242.35

There are no statics since we are routing this class C internally for now.

Syslog:

May 16 2003 14:35:34: %PIX-6-302013: Built inbound TCP connection 5788701 for outside:165.166.240.3/40641 (165.166.240.3/40641) to inside:165.166.242.35/6000 (165.166.242.35/6000)

May 16 2003 14:35:40: %PIX-6-302014: Teardown TCP connection 5788784 for outside:165.166.240.2/0 to inside:165.166.242.35/6000 duration 0:00:00 bytes 0 Deny

May 16 2003 14:35:54: %PIX-6-302014: Teardown TCP connection 5788701 for outside:165.166.240.3/40641 to inside:165.166.242.35/6000 duration 0:00:20 bytes 22220 TCP Reset-I
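Parsing the log format shown above, as an added example that is not part of the thread: it correlates the PIX 302013/302014 messages by connection id and flags teardowns toward the X server port that the firewall denied or that ended in a reset. The sample input is the three syslog lines from the post.

```python
import re
# Patterns for the two PIX 6.x syslog messages quoted above:
# 302013 (connection built) and 302014 (connection torn down).
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+)"
    r" for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\)"
    r" to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+)"
    r" for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r" duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

def analyze(lines, watch_port):
    """Correlate Built/Teardown by connection id; return one record per teardown to watch_port."""
    built = {}
    findings = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            built[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m and int(m["dport"]) == watch_port:
            findings.append({
                "id": m["id"], "src": m["src"], "dst": m["dst"],
                "reason": m["reason"], "bytes": int(m["bytes"]),
                "built_seen": m["id"] in built,  # False: the PIX never logged a Built for it
            })
    return findings

def suspicious(findings):
    """Teardowns the firewall denied outright or that ended in a reset; in the reason
    text 'TCP Reset-I' means the inside host sent the RST, 'TCP Reset-O' the outside host."""
    return [f for f in findings if f["reason"] == "Deny" or "Reset" in f["reason"]]

# Constructed sample input: the three syslog lines posted above, verbatim.
SAMPLE = [
    "May 16 2003 14:35:34: %PIX-6-302013: Built inbound TCP connection 5788701 "
    "for outside:165.166.240.3/40641 (165.166.240.3/40641) to "
    "inside:165.166.242.35/6000 (165.166.242.35/6000)",
    "May 16 2003 14:35:40: %PIX-6-302014: Teardown TCP connection 5788784 for "
    "outside:165.166.240.2/0 to inside:165.166.242.35/6000 duration 0:00:00 bytes 0 Deny",
    "May 16 2003 14:35:54: %PIX-6-302014: Teardown TCP connection 5788701 for "
    "outside:165.166.240.3/40641 to inside:165.166.242.35/6000 duration 0:00:20 "
    "bytes 22220 TCP Reset-I",
]
```

Running suspicious(analyze(SAMPLE, 6000)) reports both teardowns: connection 5788784 denied with no matching Built message, and 5788701 reset by the inside host after 22220 bytes.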

Maybe I'm missing something here, but you say you're not using any static maps? How are you passing the traffic from the outside interface to your internal server?

If you can post your entire configuration, I can attempt to reproduce what you're doing and find out where the problem is.

Regards,

-Joshua

Inside client is 165.166.242.35 running Hummingbird Exceed.

Outside servers are 165.166.240.2,3,4,7, and 8. I have allowed all TCP traffic from 165.166.240.2-8 to 165.166.242.35 so statics are not required. Keep in mind this config works great on 6.0(2).

:

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet4 100full

interface ethernet5 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 FAILOVER security10

nameif ethernet3 DMZ-3 security15

nameif ethernet4 DMZ-2 security20

nameif ethernet5 DMZ-1 security25

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 100 permit ip host 207.144.131.35 host 165.166.242.15

access-list 100 permit ip host 207.144.131.35 host 165.166.242.16

access-list 100 permit ip any host 165.166.200.2

access-list 100 permit tcp host 165.166.240.2 host 165.166.242.35

access-list 100 permit tcp host 165.166.240.3 host 165.166.242.35

access-list 100 permit tcp host 165.166.240.4 host 165.166.242.35

access-list 100 permit tcp any host 165.166.200.5 eq ftp

access-list 100 permit esp any host 165.166.200.6

access-list 100 permit udp any host 165.166.200.6

access-list 100 permit ip any host 165.166.242.51

access-list 100 permit tcp any host 165.166.242.51 eq 5900

access-list 100 permit tcp any host 165.166.200.6 eq 6000

access-list 100 permit tcp any host 165.166.200.6 eq 6001

access-list 100 permit tcp any host 165.166.200.6 eq 6002

access-list 100 permit tcp any host 165.166.200.6 eq 6003

access-list 100 permit tcp any host 165.166.200.6 eq 6004

access-list 100 permit udp any host 165.166.200.6 eq 10001

access-list 100 permit tcp any host 165.166.200.6 eq login

access-list 100 permit tcp host 165.166.240.7 host 165.166.242.35

access-list 100 permit tcp host 165.166.240.8 host 165.166.242.35

access-list 100 permit tcp any host 165.166.200.7 eq ftp

access-list 100 permit tcp any host 165.166.200.7 eq www

access-list 100 permit udp any host 165.166.200.7 eq snmp

access-list 100 permit udp any host 165.166.200.7 eq snmptrap

access-list 100 permit udp any host 165.166.200.5 eq 21

access-list 100 permit tcp any host 165.166.200.7 eq 8081

access-list 100 permit udp any host 10.100.26.33 eq 2076

access-list 100 permit udp any host 10.100.26.33 eq 2077

access-list 100 permit udp any host 10.100.26.33 eq 2078

access-list 100 permit udp any host 165.166.175.250 eq 2076

access-list 100 permit udp any host 165.166.175.250 eq 2077

access-list 100 permit tcp any host 165.166.242.51 eq 5800

access-list 100 permit tcp any host 165.166.200.7 eq pop3

access-list 100 permit udp any host 165.166.200.7 eq tftp

access-list 100 permit udp any host 10.100.26.34 eq 59156

access-list 100 permit tcp any host 165.166.175.250 eq 2078

access-list 100 permit udp host 209.193.244.50 host 165.166.200.10 eq snmp

access-list 100 permit udp host 209.193.244.50 host 165.166.200.10 eq snmptrap

access-list 100 permit udp host 209.193.244.50 host 165.166.200.10 eq 24

access-list 100 permit udp host 209.193.244.50 host 165.166.200.10 eq 27

access-list 100 permit udp host 209.193.244.50 host 165.166.200.10 eq 1301

access-list 100 permit tcp any host 165.166.175.250 eq smtp

access-list 100 permit tcp any host 165.166.200.7 eq smtp

access-list 100 permit icmp any any echo-reply

access-list 100 permit tcp any host 165.166.175.250 eq www

access-list 100 permit ip host 165.166.240.6 host 165.166.242.35

access-list 100 permit tcp host 165.166.240.6 host 165.166.242.35

access-list 100 permit udp host 165.166.240.6 host 165.166.242.35

access-list 100 permit icmp host 165.166.240.6 host 165.166.242.35

access-list 100 permit tcp any host 165.166.200.7 eq ssh

access-list 100 permit tcp any host 10.100.13.32 eq https

access-list 100 permit tcp any host 10.100.13.32 eq www

access-list 100 permit tcp any host 165.166.175.250 eq https

access-list 100 permit tcp any host 165.166.200.6 eq https

access-list 100 permit tcp any host 165.166.200.7 eq domain

access-list 100 permit udp any host 165.166.200.7 eq domain

access-list 100 permit tcp any host 165.166.200.17 eq ssh

access-list 100 permit udp any host 165.166.200.17 eq snmp

access-list 100 permit udp any host 165.166.200.17 eq snmptrap

access-list 100 permit udp any host 165.166.200.17 eq 22

access-list 100 permit udp any host 165.166.200.7

access-list 100 permit tcp any host 165.166.200.13 eq 10032

access-list 100 permit tcp any host 165.166.200.13 eq h323

access-list 100 permit tcp any host 165.166.200.13 eq 49152

access-list 100 permit tcp any host 165.166.200.13 eq 49153

access-list 100 permit tcp any host 165.166.200.13 eq 49154

access-list 100 permit tcp any host 165.166.200.13 eq 49155

access-list 100 permit tcp any host 165.166.200.13 eq 49156

access-list 100 permit tcp any host 165.166.200.13 eq 49157

access-list 100 permit tcp any host 165.166.200.13 eq 49158

access-list 100 permit tcp any host 165.166.200.13 eq 49159

access-list 100 permit udp any host 165.166.200.13 eq 49153

access-list 100 permit udp any host 165.166.200.13 eq 49154

access-list 100 permit udp any host 165.166.200.13 eq 49156

access-list 100 permit udp any host 165.166.200.13 eq 49157

access-list 100 permit udp any host 165.166.200.13 eq 49158

access-list 100 permit udp any host 165.166.200.13 eq 49159

access-list 100 permit tcp any host 165.166.200.12 eq smtp

access-list 100 permit tcp host 204.116.80.28 host 165.166.242.18 eq 397

access-list 100 permit tcp host 204.116.80.28 host 165.166.242.15 eq 397

access-list 100 permit udp host 204.116.80.28 host 165.166.242.15 eq 397

access-list 100 permit udp host 204.116.80.28 host 165.166.242.18 eq 397

access-list 100 permit udp 165.166.175.0 255.255.255.0 host 165.166.200.44 eq radius

access-list 100 permit udp 165.166.175.0 255.255.255.0 host 165.166.200.44 eq radius-acct

access-list 100 permit udp 165.166.175.0 255.255.255.0 host 165.166.200.44 eq 1812

access-list 100 permit udp 165.166.175.0 255.255.255.0 host 165.166.200.44 eq 1813

access-list 100 permit tcp any host 165.166.200.13 eq 10025

access-list 100 permit tcp any host 165.166.200.13 eq 10026

access-list 100 permit tcp any host 165.166.200.13 eq 10027

access-list 100 permit tcp any host 165.166.200.12 eq 10028

access-list 101 permit icmp 165.166.200.0 255.255.255.224 host 165.166.200.1 echo-reply

access-list 101 permit tcp host 165.166.200.12 host 165.166.200.1 eq smtp

access-list 101 permit tcp host 165.166.200.12 host 165.166.200.1 eq 3389

access-list 101 permit icmp host 165.166.200.6 any

access-list 101 permit icmp host 165.166.200.6 any echo-reply

access-list 101 permit tcp host 165.166.200.7 any eq 8081

access-list 101 permit tcp host 165.166.200.7 any eq telnet

access-list 101 permit udp host 165.166.200.7 any eq snmp

access-list 101 permit udp host 165.166.200.7 any eq snmptrap

access-list 101 permit icmp host 165.166.200.7 any

access-list 101 permit icmp host 165.166.200.7 any echo-reply

access-list 101 permit tcp host 165.166.200.6 any

access-list 101 permit ip host 165.166.200.6 any

access-list 101 permit udp host 165.166.200.6 any

access-list 101 permit tcp host 165.166.200.5 any eq ftp

access-list 101 permit esp host 165.166.200.6 any

access-list 101 permit tcp host 165.166.200.12 any eq smtp

ip address outside 165.166.175.250 255.255.255.0

ip address inside 10.100.10.4 255.255.255.0

ip address FAILOVER 192.168.1.1 255.255.255.0

ip address DMZ-3 127.0.0.1 255.255.255.255

ip address DMZ-2 165.166.200.33 255.255.255.224

ip address DMZ-1 165.166.200.1 255.255.255.224

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 interface

global (DMZ-2) 1 interface

global (DMZ-1) 1 interface

nat (inside) 0 access-list 200

nat (inside) 0 165.166.0.0 255.255.0.0 0 0

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) udp 165.166.175.250 2076 10.100.26.33 2076 netmask 255.255.255.255 0 0

static (inside,outside) udp 165.166.175.250 2077 10.100.26.33 2077 netmask 255.255.255.255 0 0

static (inside,outside) tcp 165.166.175.250 2078 10.100.26.33 2078 netmask 255.255.255.255 0 0

static (inside,outside) tcp 165.166.175.250 www 10.100.13.32 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 165.166.175.250 pptp 10.104.10.37 pptp netmask 255.255.255.255 0 0

static (inside,outside) tcp 165.166.175.250 https 10.100.13.32 https netmask 255.255.255.255 0 0

static (inside,DMZ-1) tcp 165.166.200.1 smtp 10.100.13.32 smtp netmask 255.255.255.255 0 0

static (DMZ-1,outside) 165.166.200.5 165.166.200.5 netmask 255.255.255.255 0 0

static (DMZ-1,outside) 165.166.200.6 165.166.200.6 netmask 255.255.255.255 0 0

static (DMZ-1,outside) 165.166.200.7 165.166.200.7 netmask 255.255.255.255 0 0

static (inside,outside) 165.166.200.10 10.100.26.34 netmask 255.255.255.255 0 0

static (DMZ-1,outside) 165.166.200.14 165.166.200.14 netmask 255.255.255.255 0 0

static (DMZ-1,outside) 165.166.200.17 165.166.200.17 netmask 255.255.255.255 0 0

static (inside,outside) 165.166.200.13 10.100.26.40 netmask 255.255.255.255 0 0

static (inside,outside) 165.166.200.44 10.101.10.44 netmask 255.255.255.255 0 0

static (DMZ-1,outside) 165.166.200.12 165.166.200.12 netmask 255.255.255.255 0 0

access-group 100 in interface outside

access-group 101 in interface DMZ-1

conduit permit icmp any any echo-reply

route outside 0.0.0.0 0.0.0.0 165.166.175.1 1

route inside 10.0.0.0 255.0.0.0 10.100.10.1 1

route DMZ-2 64.53.30.0 255.255.255.0 165.166.200.40 1

The established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535 command solved my problem.
