Pix 525 and Kronos Timekeeper

jjones
Level 1

We recently threw up a 525 w/failover. The problem is that our Kronos Timeclocks are not talking to the outside (the County). My guess is that these devices, for some reason, do not handle translation very well (or at all?). The correct UDP ports are opened in the PIX as well as the arp entries and a translated IP address. Has anyone here any experience with Kronos Timekeeper or similar time clock systems? We can't wait for the company to sort it out and are at a loss on what to do. Thoughts? Questions?

Thanks for the help.

--Josh--

josh.jones@co.sisqjustice.ca.us

4 Replies

johnbroadway
Level 1

Could you paste the config (minus passwords of course) so I can take a look?

Which part of the config?

Here is what we have to date. It WILL be locked down :)

My guess is that the arp traffic won't translate between the inside network and net1? Thanks for the help. So IPs changed.

--Josh--

-----------------------------------------------------------

Building configuration...

: Saved

:

PIX Version 6.1(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

nameif ethernet3 net1 security40

nameif ethernet4 net2s security45

nameif ethernet5 open security95

nameif ethernet6 intf6 security30

hostname hostname

domain-name domain-name.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol sqlnet 66

no fixup protocol smtp 25

names

access-list acl_in permit tcp any any

access-list acl_in permit icmp any any

access-list acl_in deny udp any host 192.168.128.211

access-list acl_in deny udp any host 192.168.128.212

access-list acl_in deny udp any host 192.168.128.17

access-list acl_in deny udp any host 192.168.128.210

access-list acl_in deny udp any host 192.168.156.48

access-list acl_in permit udp any any

access-list acl_out permit tcp any host 192.168.131.115 eq 22

access-list acl_out permit tcp any host 192.168.131.116 eq 22

access-list acl_out permit tcp any host 192.168.131.114 eq www

access-list acl_out permit tcp any host 192.168.131.114 eq 443

access-list acl_out permit tcp any host 192.168.131.114 eq 22

access-list acl_out permit udp any host 192.168.131.116 eq domain

access-list acl_out permit udp any host 192.168.131.115 eq domain

access-list acl_out permit tcp any host 192.168.131.114 eq smtp

access-list acl_out permit udp any host 192.168.131.116 eq nameserver

access-list acl_out permit udp any host 192.168.131.115 eq nameserver

access-list acl_dmz permit udp any any

access-list acl_dmz permit tcp any any

access-list acl_dmz permit icmp any any

access-list acl_net2 permit icmp any any

access-list acl_net2 permit tcp any any

access-list acl_net2 deny udp any host 192.168.156.48

access-list acl_net2 permit udp any any

access-list acl_net1 permit icmp any any

access-list acl_net1 permit tcp any host 192.168.122.6

access-list acl_net1 deny udp any host 192.168.156.48

access-list acl_net1 permit udp any any

pager lines 24

interface ethernet0 10full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet3 100full

interface ethernet4 100full

interface ethernet5 100full

interface ethernet6 100full

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu net1 1500

mtu net2s 1500

mtu open 1500

mtu intf6 1500

ip address outside 192.168.131.125 255.255.255.240

ip address inside 10.63.32.22 255.255.254.0

ip address dmz 10.143.57.2 255.255.255.224

ip address net1 192.168.122.101 255.255.255.0

ip address net2 192.168.103.101 255.255.255.0

ip address open 10.198.226.1 255.255.255.224

ip address intf6 10.198.226.33 255.255.255.224

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 192.168.131.126

failover ip address inside 10.63.32.23

failover ip address dmz 10.143.57.5

failover ip address net1 192.168.122.102

failover ip address net2s 192.168.103.102

failover ip address open 10.198.226.2

failover ip address intf6 10.198.226.34

failover link intf6

pdm history enable

arp inside 10.63.38.13 0040.5801.dc20 alias

arp inside 10.63.38.12 0040.5801.dc01 alias

arp net1 192.168.122.53 0040.5801.dc20 alias

arp net1 192.168.122.52 0040.5801.dc01 alias

arp timeout 14400

global (outside) 1 192.168.131.124 netmask 255.255.255.240

global (dmz) 1 10.143.57.15 netmask 255.255.255.224

global (net1) 1 192.168.122.1 netmask 255.255.255.0

global (net2s) 1 192.168.103.5 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

nat (net1) 1 0.0.0.0 0.0.0.0 0 0

nat (net2s) 1 0.0.0.0 0.0.0.0 0 0

nat (open) 1 0.0.0.0 0.0.0.0 0 0

nat (intf6) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) 192.168.131.116 10.143.57.4 netmask 255.255.255.255 0 0

static (dmz,outside) 192.168.131.115 10.143.57.3 netmask 255.255.255.255 0 0

static (dmz,outside) 192.168.131.114 10.143.57.1 netmask 255.255.255.255 0 0

static (inside,dmz) 10.143.57.6 10.63.32.2 netmask 255.255.255.255 0 0

static (dmz,outside) 192.168.131.117 10.143.57.6 netmask 255.255.255.255 0 0

static (inside,net2s) 192.168.103.6 10.63.32.1 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.6 10.63.32.1 netmask 255.255.255.255 0 0

static (inside,dmz) 10.143.57.10 10.63.32.7 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.52 10.63.38.12 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.53 10.63.38.13 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.51 10.63.32.10 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.150 10.63.32.150 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.151 10.63.32.151 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.152 10.63.32.152 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.154 10.63.32.154 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.155 10.63.32.155 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.153 10.63.38.20 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.156 10.63.38.21 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.157 10.63.38.22 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.158 10.63.38.23 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.159 10.63.40.68 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.160 10.63.32.153 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.161 10.63.32.156 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.162 10.63.32.157 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.163 10.63.32.158 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.164 10.63.32.159 netmask 255.255.255.255 0 0

static (inside,net1) 192.168.122.165 10.63.32.160 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

access-group acl_dmz in interface dmz

access-group acl_net1 in interface net1

access-group acl_net2 in interface net2s

route outside 0.0.0.0 0.0.0.0 192.168.131.113 1

route inside 10.63.38.0 255.255.255.128 10.63.32.22 2

route inside 10.63.38.0 255.255.254.0 10.63.32.22 3

route inside 10.63.40.64 255.255.255.224 10.63.32.50 2

route net1 192.168.101.0 255.255.255.0 192.168.122.3 1

route net2s 192.168.104.0 255.255.255.0 192.168.103.12 1

route net1 192.168.150.0 255.255.255.0 192.168.122.3 3

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 10.63.32.3 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt noproxyarp inside

no sysopt route dnat

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 7200

telnet timeout 5

ssh 10.63.32.48 255.255.255.255 inside

ssh 10.63.32.49 255.255.255.255 inside

ssh timeout 60

terminal width 80

Josh

Kronos clock is very time sensitive, but the timing is adjustable. Your problem may not be at the config. Your config looks fine to me. To adjust the timeout, the file is under \program files\kronos\wfc\dcm, file name is krdcm. Under [data collection manager] and [comm channel name], there are timeout statics you may change. You may need to contact Kronos to find out what will be the best timeout timing for you. They would like to see 70ms, but that's very hard to meet for WAN; we have changed to over 2 min. Hope this will help. We are using the Kronos 400 terminal clock.
