Why is PIX blocking 1 IP

robert.cheek
Level 1

I have a PIX 515 running version 6.1(1) with 32 MB of RAM and a P200.

I have it configured for PAT and NAT. My configuration follows below. My problem is that one of the IPs I have will not work at all. If I make a static entry for x.x.x.245 and map it to an inside address, say 192.168.1.60, I can ping from that machine to the outside. Once I open a web browser and it translates (I can see it get translated in xslate) everything stops working. I can still access anything on the inside network (192.168.1.0) but nothing goes out. I am not limiting anything by access list and it was working 2 days ago. If I remove the static map and clear the xslate, everything starts to work again from that IP.

I have tried changing the inside IP and it still fails. If I change it to a different outside IP, it works. For example, if I change the static map from x.x.x.245 to x.x.x.251, it works like a charm.

I attached a laptop to my hub outside the firewall and gave it the x.x.x.245 address and it works fine. I can ping, surf, ftp, do anything. It only fails from inside the pix and when it’s mapped statically.

Everyone else on the inside network can get out without any problems.

I am completely stumped. Please help!!!

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ********* encrypted
hostname ********
domain-name *******.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 101 permit icmp any any
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any host x.x.x.243 eq www
access-list 101 permit tcp any host x.x.x.243 eq smtp
access-list 101 permit tcp any host x.x.x.243 eq pop3
access-list 101 permit tcp any host x.x.x.243 eq 3389
access-list 101 permit tcp any host x.x.x.243 eq 143
access-list 101 permit tcp any host x.x.x.244 eq www
access-list 101 permit tcp any host x.x.x.243 eq domain
access-list 101 permit tcp any host x.x.x.244 eq domain
access-list 101 permit udp any host x.x.x.244 eq domain
access-list 101 permit udp any host x.x.x.243 eq domain
access-list 101 permit tcp any host x.x.x.244 eq 3389
access-list 101 permit tcp any host x.x.x.243 eq ftp
access-list 101 permit tcp any host x.x.x.243 eq 4000
access-list 101 permit tcp any host x.x.x.245 eq 444
access-list 101 permit tcp any host x.x.x.245 eq 3389
access-list 101 permit tcp any host x.x.x.245 eq ftp
access-list 101 permit tcp any host x.x.x.245 eq www
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.242 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.50-192.168.2.100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.252
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.243 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.244 192.168.1.49 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.245 192.168.1.20 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authinbound protocol radius
aaa-server authinbound (inside) host 192.168.1.10 ****** timeout 10
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set **** esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ensg
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ****vpn address-pool ippool
vpngroup ****vpn wins-server 192.168.1.11 192.168.1.10
vpngroup ****vpn default-domain ******.com
vpngroup ****vpn idle-time 1800
vpngroup ****vpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local ippool
vpdn group 1 client configuration wins 192.168.1.11 192.168.1.10
vpdn group 1 client authentication aaa authinbound
vpdn group 1 pptp echo 60
vpdn enable outside
terminal width 80
Cryptochecksum:dcbf51e2032440e86aaccee97f1b2b64

4 Replies

mhussein
Level 4

Can you reproduce the problem and post the output of :

show connection local 192.168.1.x net 255.255.255.255

sho xlat loca 192.168.1.x net 255.255.255.255

Also, can you afford to disable proxy-arp on the outside interface for testing?

I just tried to recreate the failure and it's working again. If I can recreate it again, I'll post the results. I am now thinking gremlins. :)

shannong
Level 4

What do the Pix logs (logging buffered 7) say when you're trying to make connections going out? Do you see failed translations? Denies?

What does the external router show as the MAC address for .245? Is it the Pix's outside interface or something else?

Is there a switch connecting the firewall and router that may be doing broadcast suppression or ARP replies on its own?

The router, unfortunately, is not managed by us (ISP), so I can't check the MAC address for that IP on the router. I assume since I could connect outside the firewall with that IP that it was not the router.

The connection between the PIX and the router is a small hub which I rebooted, and it did not affect the original problem.

Unfortunately I cannot recreate the error again, though I could recreate it a dozen times this morning and yesterday.

If it comes back, I'll post those logs too.

Thanks for the input.
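The check shannong asks for (who answers ARP for .245 on the outside segment) can be done without access to the ISP router by capturing ARP on the hub between the PIX and the router. The following is an added example, not code from any participant in this thread: it parses tcpdump-style ARP reply lines and reports any IP that a MAC other than the PIX outside interface also claims, which is the condition that would make a statically translated address stop working as soon as the translation is built. The capture, the 203.0.113.x addresses standing in for the masked x.x.x.x range, and all MACs are constructed.

```python
import re
from collections import defaultdict

# tcpdump prints ARP replies as "ARP, Reply <ip> is-at <mac>, length N".
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})", re.I)

# Constructed sample capture (not from the thread). 203.0.113.x stands in
# for the masked public range; the MACs are made up. 00:50:56:aa:bb:01
# plays the PIX outside interface, 00:0c:29:de:ad:02 an unknown host.
SAMPLE_CAPTURE = """\
10:01:02.000100 ARP, Request who-has 203.0.113.243 tell 203.0.113.241, length 28
10:01:02.000300 ARP, Reply 203.0.113.243 is-at 00:50:56:aa:bb:01, length 28
10:01:05.120000 ARP, Request who-has 203.0.113.245 tell 203.0.113.241, length 28
10:01:05.120200 ARP, Reply 203.0.113.245 is-at 00:50:56:aa:bb:01, length 28
10:01:05.120900 ARP, Reply 203.0.113.245 is-at 00:0c:29:de:ad:02, length 28
10:01:09.000000 ARP, Reply 203.0.113.251 is-at 00:50:56:aa:bb:01, length 28
"""


def arp_claims(capture: str) -> dict:
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group("ip")].add(m.group("mac").lower())
    return dict(claims)


def conflicts(capture: str, firewall_mac: str) -> dict:
    """Return IPs answered by a MAC other than the firewall's outside interface.

    The value is the set of foreign MACs. An IP that only the firewall
    answers for (the healthy case for a static translation) is not listed.
    """
    fw = firewall_mac.lower()
    return {ip: macs - {fw} for ip, macs in arp_claims(capture).items()
            if macs - {fw}}


if __name__ == "__main__":
    for ip, macs in conflicts(SAMPLE_CAPTURE, "00:50:56:aa:bb:01").items():
        print(f"{ip}: also claimed by {', '.join(sorted(macs))}")
```

Feed it a real capture with `tcpdump -i <iface> -n arp` output redirected to a file; a second MAC on the statically mapped address points at a duplicate host or a device proxying ARP on the segment.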
