04-01-2003 09:29 AM - edited 02-20-2020 10:39 PM
I have a PIX 515 running version 6.1(1) with 32 MB of RAM and a P200.
I have it configured for PAT and NAT. My configuration follows below. My problem is that one of the IPs I have will not work at all. If I make a static entry for x.x.x.245 and map it to an inside address, say 192.168.1.60, I can ping from that machine to the outside. Once I open a web browser and it translates (I can see it get translated in xlate) everything stops working. I can still access anything on the inside network (192.168.1.0) but nothing goes out. I am not limiting anything by access list and it was working 2 days ago. If I remove the static map and clear the xlate, everything starts to work again from that IP.
I have tried changing the inside IP and it still fails. If I change it to a different outside IP, it works. For example, if I change the static map from x.x.x.245 to x.x.x.251, it works like a charm.
I attached a laptop to my hub outside the firewall and gave it the x.x.x.245 address and it works fine. I can ping, surf, ftp, do anything. It only fails from inside the pix and when it's mapped statically.
Everyone else on the inside network can get out without any problems.
I am completely stumped. Please help!!!
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ********* encrypted
hostname ********
domain-name *******.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 101 permit icmp any any
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any host x.x.x.243 eq www
access-list 101 permit tcp any host x.x.x.243 eq smtp
access-list 101 permit tcp any host x.x.x.243 eq pop3
access-list 101 permit tcp any host x.x.x.243 eq 3389
access-list 101 permit tcp any host x.x.x.243 eq 143
access-list 101 permit tcp any host x.x.x.244 eq www
access-list 101 permit tcp any host x.x.x.243 eq domain
access-list 101 permit tcp any host x.x.x.244 eq domain
access-list 101 permit udp any host x.x.x.244 eq domain
access-list 101 permit udp any host x.x.x.243 eq domain
access-list 101 permit tcp any host x.x.x.244 eq 3389
access-list 101 permit tcp any host x.x.x.243 eq ftp
access-list 101 permit tcp any host x.x.x.243 eq 4000
access-list 101 permit tcp any host x.x.x.245 eq 444
access-list 101 permit tcp any host x.x.x.245 eq 3389
access-list 101 permit tcp any host x.x.x.245 eq ftp
access-list 101 permit tcp any host x.x.x.245 eq www
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.242 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.50-192.168.2.100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.252
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.243 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.244 192.168.1.49 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.245 192.168.1.20 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authinbound protocol radius
aaa-server authinbound (inside) host 192.168.1.10 ****** timeout 10
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set **** esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ensg
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ****vpn address-pool ippool
vpngroup ****vpn wins-server 192.168.1.11 192.168.1.10
vpngroup ****vpn default-domain ******.com
vpngroup ****vpn idle-time 1800
vpngroup ****vpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local ippool
vpdn group 1 client configuration wins 192.168.1.11 192.168.1.10
vpdn group 1 client authentication aaa authinbound
vpdn group 1 pptp echo 60
vpdn enable outside
terminal width 80
Cryptochecksum:dcbf51e2032440e86aaccee97f1b2b64
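A small audit of the static/ACL relationship in a config like the one above, added here as an example and not part of the thread: for each static on the outside interface it lists which inbound protocol/port pairs the ACL bound to outside permit to reach it, and flags an outside address that is also used as a global PAT address. The config excerpt is constructed from the posted one; the x.x.x.252 static is an assumption added only to exercise the overlap check.

```python
from collections import defaultdict

# Constructed excerpt of the posted PIX 6.1 config (outside addresses masked x.x.x.N as posted);
# the x.x.x.252 static is added only to exercise the overlap check and is not in the original.
SAMPLE_CONFIG = """\
global (outside) 1 x.x.x.252
static (inside,outside) x.x.x.243 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.245 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.252 192.168.1.77 netmask 255.255.255.255 0 0
access-list 101 permit icmp any any
access-list 101 permit tcp any host x.x.x.243 eq www
access-list 101 permit tcp any host x.x.x.245 eq 444
access-list 101 permit tcp any host x.x.x.245 eq www
access-group 101 in interface outside
"""

def parse_endpoint(tokens, i):  # one ACL endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2

def audit_statics(config):
    """For each static on outside, list what the inbound ACL on outside lets reach it."""
    statics, globals_, outside_acl, acls = {}, set(), None, defaultdict(list)
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["static"] and t[1].endswith(",outside)"):
            statics[t[2]] = t[3]                    # outside ip -> inside ip
        elif t[:2] == ["global", "(outside)"]:
            globals_.add(t[3])                      # PAT/NAT pool address
        elif t[:1] == ["access-list"] and t[2] == "permit":
            _, i = parse_endpoint(t, 4)             # source is not needed for this view
            dst, i = parse_endpoint(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else "any"
            acls[t[1]].append((t[3], dst, port))    # (protocol, destination, port)
        elif t[:1] == ["access-group"] and t[2:] == ["in", "interface", "outside"]:
            outside_acl = t[1]
    rules = acls.get(outside_acl, [])
    report = {}
    for out_ip, in_ip in statics.items():
        exposed = sorted({f"{p}/{port}" for p, dst, port in rules if dst in ("any", out_ip)})
        notes = [msg for hit, msg in (
            (out_ip in globals_, "overlaps a global PAT/NAT address"),
            (not any(d == out_ip for _, d, _ in rules), "only wildcard rules reach this static"),
        ) if hit]
        report[out_ip] = {"inside": in_ip, "exposed": exposed, "notes": notes}
    return report
```

Run `audit_statics(SAMPLE_CONFIG)` to get a per-static dictionary; a static whose notes are non-empty is worth a second look before assuming the ACL is the only thing controlling it.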
04-01-2003 10:11 AM
Can you reproduce the problem and post the output of :
show connection local 192.168.1.x net 255.255.255.255
sho xlat loca 192.168.1.x net 255.255.255.255
Also, can you afford to disable proxy-arp on the outside interface for testing?
04-01-2003 11:36 AM
I just tried to recreate the failure and it's working again. If I can recreate it again, I'll post the results. I am now thinking gremlins. :)
04-01-2003 11:29 AM
What do the Pix logs (logging buffered 7) say when you're trying to make connections going out? Do you see failed translations? Denies?
What does the external router show as the MAC address for .245? Is it the Pix's outside interface or something else?
Is there a switch connecting the firewall and router that may be doing broadcast suppression or ARP replies on its own?
04-01-2003 11:42 AM
The router, unfortunately, is not managed by us (ISP), so I can't check the MAC address for that IP on the router. I assume since I could connect outside the firewall with that IP that it was not the router.
The connection between the PIX and the router is a small hub which I rebooted and it did not affect the original problem.
Unfortunately I cannot recreate the error again, though I could recreate it a dozen times this morning and yesterday.
If it comes back, I'll post those logs too.
Thanks for the input.