Cisco Support Community

PIX515, UDP connection deleted

Hi,

UDP pings sent with source port 501 from host 10.30.19.1 (inside) to an outside host (e.g. 10.30.32.6, dest. port 500) are blocked by the PIX. I just see the following logging entries:

302015: Built outbound UDP connection 44476 for out_RTRC1:10.30.32.6/500 (10.30.32.6/500) to in_SGRC1:10.30.19.1/501 (10.30.19.1/501)
302015: Built outbound UDP connection 44483 for out_RTRC1:10.30.32.10/500 (10.30.32.10/500) to in_SGRC1:10.30.19.1/501 (10.30.19.1/501)
302016: Teardown UDP connection 44374 for out_RTRC1:10.30.32.26/500 to in_SGRC1:10.30.19.1/500 duration 0:33:58 bytes 28996
302015: Built inbound UDP connection 44457 for out_RTRC1:10.30.32.26/500 (10.30.32.26/500) to in_SGRC1:10.30.19.1/500 (10.30.19.1/500)

The traffic is not blocked by an access rule (I think so), but I can't see any reason for this behaviour. Also, debugging on the router connected to the outside interface of the PIX didn't show these UDP packets coming in.

Normally UDP port 500 is used for the IKE protocol. Could it be that the PIX has problems when UDP pings are sent to the same dest. port?

Please find below the config of my PIX; any help is very welcome.

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full shutdown
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 in_SGRC1 security99
nameif ethernet1 in_SGRC2 security99
nameif ethernet2 out_RTRC1 security20
nameif ethernet3 out_RTRC2 security20
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxx encrypted
passwd xxx encrypted
hostname FWLC1
clock timezone GMT 1
clock summer-time GMT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit esp 10.30.32.0 255.255.224.0 10.30.19.0 255.255.255.248
access-list 100 permit esp 10.30.64.0 255.255.192.0 10.30.19.0 255.255.255.248
access-list 100 permit udp 10.30.32.0 255.255.224.0 10.30.19.0 255.255.255.248 eq isakmp
access-list 100 permit udp 10.30.64.0 255.255.192.0 10.30.19.0 255.255.255.248 eq isakmp
access-list 100 permit icmp host 10.30.22.10 host 10.30.7.50
access-list 100 permit icmp host 10.30.22.10 host 10.30.7.52
access-list 100 permit udp host 10.30.22.10 host 10.30.7.70 eq snmptrap
access-list 100 permit udp host 10.30.22.10 host 10.30.7.50 eq syslog
access-list 100 permit udp host 10.30.22.10 host 10.30.7.52 eq syslog
access-list 100 permit udp host 10.30.22.10 host 10.30.7.70 eq syslog
access-list 100 permit tcp host 10.30.22.10 host 10.30.1.210 eq 123
access-list 100 permit udp host 10.30.22.10 host 10.30.1.210 eq ntp
access-list 100 deny ip any any log
access-list all-ip-packet permit ip any any
access-list 110 permit esp 10.30.128.0 255.255.192.0 10.30.19.0 255.255.255.248
access-list 110 permit esp 10.30.192.0 255.255.240.0 10.30.19.0 255.255.255.248
access-list 110 permit udp 10.30.128.0 255.255.192.0 10.30.19.0 255.255.255.248 eq isakmp
access-list 110 permit udp 10.30.192.0 255.255.240.0 10.30.19.0 255.255.255.248 eq isakmp
access-list 110 permit icmp host 10.30.23.10 host 10.30.7.50
access-list 110 permit icmp host 10.30.23.10 host 10.30.7.52
access-list 110 permit udp host 10.30.23.10 host 10.30.7.70 eq snmptrap
access-list 110 permit udp host 10.30.23.10 host 10.30.7.50 eq syslog
access-list 110 permit udp host 10.30.23.10 host 10.30.7.52 eq syslog
access-list 110 permit udp host 10.30.23.10 host 10.30.7.70 eq syslog
access-list 110 permit tcp host 10.30.23.10 host 10.30.1.210 eq 123
access-list 110 permit udp host 10.30.23.10 host 10.30.1.210 eq ntp
access-list 110 deny ip any any log
access-list 120 permit esp 10.30.19.0 255.255.255.248 10.30.32.0 255.255.224.0
access-list 120 permit esp 10.30.19.0 255.255.255.248 10.30.64.0 255.255.192.0
access-list 120 permit esp 10.30.19.0 255.255.255.248 10.30.128.0 255.255.192.0
access-list 120 permit esp 10.30.19.0 255.255.255.248 10.30.192.0 255.255.240.0
access-list 120 permit udp 10.30.19.0 255.255.255.248 10.30.32.0 255.255.224.0 eq isakmp
access-list 120 permit udp 10.30.19.0 255.255.255.248 10.30.64.0 255.255.192.0 eq isakmp
access-list 120 permit udp 10.30.19.0 255.255.255.248 10.30.128.0 255.255.192.0 eq isakmp
access-list 120 permit udp 10.30.19.0 255.255.255.248 10.30.192.0 255.255.240.0 eq isakmp
access-list 120 permit udp host 10.30.19.1 10.30.32.0 255.255.224.0 eq isakmp
access-list 120 permit udp host 10.30.19.1 10.30.64.0 255.255.192.0 eq isakmp
access-list 120 permit udp host 10.30.19.1 10.30.128.0 255.255.192.0 eq isakmp
access-list 120 permit udp host 10.30.19.1 10.30.192.0 255.255.240.0 eq isakmp
access-list 120 permit icmp host 10.30.7.50 host 10.30.20.10
access-list 120 permit icmp host 10.30.7.52 host 10.30.20.10
access-list 120 permit icmp host 10.30.7.50 host 10.30.22.10
access-list 120 permit icmp host 10.30.7.52 host 10.30.22.10
access-list 120 permit icmp host 10.30.7.50 host 10.30.23.10
access-list 120 permit icmp host 10.30.7.52 host 10.30.23.10
access-list 120 permit udp host 10.30.7.50 host 10.30.22.10 eq snmp
access-list 120 permit udp host 10.30.7.52 host 10.30.22.10 eq snmp
access-list 120 permit udp host 10.30.7.70 host 10.30.22.10 eq snmp
access-list 120 permit udp host 10.30.7.50 host 10.30.23.10 eq snmp
access-list 120 permit udp host 10.30.7.52 host 10.30.23.10 eq snmp
access-list 120 permit udp host 10.30.7.70 host 10.30.23.10 eq snmp
access-list 120 permit tcp host 10.30.7.60 host 10.30.22.10 eq cmd
access-list 120 permit tcp host 10.30.7.62 host 10.30.22.10 eq cmd
access-list 120 permit tcp host 10.30.7.70 host 10.30.22.10 eq cmd
access-list 120 permit tcp host 10.30.7.60 host 10.30.23.10 eq cmd
access-list 120 permit tcp host 10.30.7.62 host 10.30.23.10 eq cmd
access-list 120 permit tcp host 10.30.7.70 host 10.30.23.10 eq cmd
access-list 120 permit udp host 10.30.1.210 host 10.30.22.10 eq ntp
access-list 120 permit udp host 10.30.1.210 host 10.30.23.10 eq ntp
access-list 120 deny ip any any log
pager lines 24
logging on
logging timestamp
logging buffered informational
logging trap critical
logging host in_SGRC2 10.30.7.70
mtu in_SGRC1 1500
mtu in_SGRC2 1500
mtu out_RTRC1 1500
mtu out_RTRC2 1500
mtu intf4 1500
mtu intf5 1500
ip address in_SGRC1 10.30.20.10 255.255.255.0
ip address in_SGRC2 10.30.21.10 255.255.255.0
ip address out_RTRC1 10.30.22.1 255.255.255.0
ip address out_RTRC2 10.30.23.1 255.255.255.0
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address in_SGRC1 10.30.20.11
failover ip address in_SGRC2 10.30.21.11
failover ip address out_RTRC1 10.30.22.2
failover ip address out_RTRC2 10.30.23.2
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
nat (in_SGRC1) 0 access-list all-ip-packet
nat (in_SGRC2) 0 access-list all-ip-packet
static (in_SGRC1,out_RTRC1) 10.30.7.60 10.30.7.60 netmask 255.255.255.255 0 0
:
static (in_SGRC1,out_RTRC1) 10.30.19.1 10.30.19.1 netmask 255.255.255.255 0 0
static (in_SGRC1,out_RTRC2) 10.30.19.1 10.30.19.1 netmask 255.255.255.255 0 0
static (in_SGRC1,out_RTRC1) 10.30.19.2 10.30.19.2 netmask 255.255.255.255 0 0
static (in_SGRC1,out_RTRC2) 10.30.19.2 10.30.19.2 netmask 255.255.255.255 0 0
static (in_SGRC1,out_RTRC1) 10.30.19.3 10.30.19.3 netmask 255.255.255.255 0 0
static (in_SGRC1,out_RTRC2) 10.30.19.3 10.30.19.3 netmask 255.255.255.255 0 0
static (in_SGRC1,out_RTRC1) 10.30.19.4 10.30.19.4 netmask 255.255.255.255 0 0
static (in_SGRC1,out_RTRC2) 10.30.19.4 10.30.19.4 netmask 255.255.255.255 0 0
static (in_SGRC2,out_RTRC1) 10.30.19.1 10.30.19.1 netmask 255.255.255.255 0 0
static (in_SGRC2,out_RTRC2) 10.30.19.1 10.30.19.1 netmask 255.255.255.255 0 0
static (in_SGRC2,out_RTRC1) 10.30.19.2 10.30.19.2 netmask 255.255.255.255 0 0
static (in_SGRC2,out_RTRC2) 10.30.19.2 10.30.19.2 netmask 255.255.255.255 0 0
static (in_SGRC2,out_RTRC1) 10.30.19.3 10.30.19.3 netmask 255.255.255.255 0 0
static (in_SGRC2,out_RTRC2) 10.30.19.3 10.30.19.3 netmask 255.255.255.255 0 0
static (in_SGRC2,out_RTRC1) 10.30.19.4 10.30.19.4 netmask 255.255.255.255 0 0
static (in_SGRC2,out_RTRC2) 10.30.19.4 10.30.19.4 netmask 255.255.255.255 0 0
access-group 120 in interface in_SGRC1
access-group 120 in interface in_SGRC2
access-group 100 in interface out_RTRC1
access-group 110 in interface out_RTRC2
route in_SGRC1 0.0.0.0 0.0.0.0 10.30.20.2 1
route out_RTRC1 10.30.32.0 255.255.224.0 10.30.22.10 1
route out_RTRC1 10.30.64.0 255.255.224.0 10.30.22.10 1
route out_RTRC2 10.30.128.0 255.255.224.0 10.30.23.10 1
route out_RTRC2 10.30.160.0 255.255.224.0 10.30.23.10 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
timeout xlate 0:01:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 10.30.1.210 source in_SGRC1
snmp-server host in_SGRC1 10.10.7.70
snmp-server host in_SGRC2 10.10.7.70
snmp-server host in_SGRC1 10.20.7.70
snmp-server host in_SGRC2 10.20.7.70
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps
floodguard enable
telnet 10.30.0.0 255.255.0.0 in_SGRC1
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
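The 302015/302016 messages quoted in the post are the PIX's own record of which UDP flows it accepted: a "Built" entry means the packet passed the interface ACL and got a connection slot, and the matching "Teardown" entry reports how long the slot lived and how many bytes it carried. The parser below is an added example (not code from the post or from Cisco) that correlates the two message types by connection number, so a defender can see at a glance which flows were built, which were torn down with real traffic on them, and which were built but never saw a teardown in the log window. The sample log is the four lines from the post, re-joined onto single lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four PIX 6.3 syslog entries quoted in the post.
SAMPLE_LOG = """\
302015: Built outbound UDP connection 44476 for out_RTRC1:10.30.32.6/500 (10.30.32.6/500) to in_SGRC1:10.30.19.1/501 (10.30.19.1/501)
302015: Built outbound UDP connection 44483 for out_RTRC1:10.30.32.10/500 (10.30.32.10/500) to in_SGRC1:10.30.19.1/501 (10.30.19.1/501)
302016: Teardown UDP connection 44374 for out_RTRC1:10.30.32.26/500 to in_SGRC1:10.30.19.1/500 duration 0:33:58 bytes 28996
302015: Built inbound UDP connection 44457 for out_RTRC1:10.30.32.26/500 (10.30.32.26/500) to in_SGRC1:10.30.19.1/500 (10.30.19.1/500)
"""

# One "interface:ip/port" endpoint; {p} is replaced by the group-name prefix.
ENDPOINT = r"(?P<{p}_if>\S+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)"
BUILT_RE = re.compile(  # 302015 carries both real and (mapped) endpoints
    r"302015: Built (?P<dir>inbound|outbound) UDP connection (?P<id>\d+) for "
    + ENDPOINT.format(p="for") + r" \([\d.]+/\d+\) to "
    + ENDPOINT.format(p="to") + r" \([\d.]+/\d+\)")
TEARDOWN_RE = re.compile(  # 302016 adds lifetime and byte count
    r"302016: Teardown UDP connection (?P<id>\d+) for " + ENDPOINT.format(p="for")
    + r" to " + ENDPOINT.format(p="to")
    + r" duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)")

Endpoint = Tuple[str, str, int]  # (interface, ip, port)

@dataclass
class UdpConn:
    conn_id: int
    direction: Optional[str] = None    # from 302015; None if only the teardown was seen
    for_ep: Optional[Endpoint] = None  # "for" side: the out_RTRC1 peer in these lines
    to_ep: Optional[Endpoint] = None   # "to" side: the in_SGRC1 host in these lines
    duration_s: Optional[int] = None   # filled from 302016; None means no teardown logged
    nbytes: Optional[int] = None

def parse_pix_udp_log(text: str) -> Dict[int, UdpConn]:
    """Correlate 302015/302016 lines by connection number."""
    conns: Dict[int, UdpConn] = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line) or TEARDOWN_RE.search(line)
        if not m:
            continue  # ignore lines of any other message type
        c = conns.setdefault(int(m["id"]), UdpConn(int(m["id"])))
        c.for_ep = (m["for_if"], m["for_ip"], int(m["for_port"]))
        c.to_ep = (m["to_if"], m["to_ip"], int(m["to_port"]))
        if "dir" in m.groupdict():
            c.direction = m["dir"]
        else:
            c.duration_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c.nbytes = int(m["bytes"])
    return conns

def flows_for(conns: Dict[int, UdpConn], ip: str, port: int) -> List[int]:
    """Connection numbers where either endpoint is ip/port (e.g. the 10.30.19.1/501 test pings)."""
    return sorted(c.conn_id for c in conns.values()
                  if (c.for_ep and c.for_ep[1:] == (ip, port)) or (c.to_ep and c.to_ep[1:] == (ip, port)))

def built_without_teardown(conns: Dict[int, UdpConn]) -> List[int]:
    """Slots created in this window that have not (yet) been torn down."""
    return sorted(c.conn_id for c in conns.values() if c.direction and c.duration_s is None)
```

Run against the post's own lines, the two port-501 pings show up as built connections 44476 and 44483, so the inside ACL did permit them; only the long-lived 500/500 IKE slot 44374 has a byte count, because its teardown is the only one in the excerpt.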

1 REPLY

Re: PIX515, UDP connection deleted

Starting from your basic config, I can see int e1, e4 and e5 are shutdown, so I won't comment about those. But why have you chosen to give your int e2 and e3 the same security level of 20? That defeats the whole principle behind ASA and, to my knowledge, is not a supported config.
