Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > PIX problems

Reply
Thread Tools

PIX problems

 
 
Brian Bergin
Guest
Posts: n/a
 
      06-21-2004
Can anyone help me out with this config:

PIX Version 6.3(3)132
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXXXXXXXXx
passwd XXXXXXXXXXXXXXXXXXXXXXXX encrypted
hostname pix501
domain-name prime.terabyte.net
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_acl permit tcp any host 1.2.3.15 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.5 255.255.254.0
ip address inside 10.0.0.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.35 255.255.255.255 inside
pdm location 10.0.0.11 255.255.255.255 inside
pdm location 10.0.0.15 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.15 10.0.0.15 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.41 source outside prefer
ntp server 192.5.41.40 source outside prefer
http server enable
http 10.0.0.5 255.255.255.255 inside
http 10.0.0.35 255.255.255.255 inside
http 10.0.0.11 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXXXXXXXXXXX
no snmp-server enable traps
floodguard enable
telnet 10.0.0.35 255.255.255.255 inside
telnet 10.0.0.11 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 5
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
[OK]

The server behind the PIX on 10.0.0.15 cannot route out to the Internet and
connections to its public IP on 3389 are not being sent to 10.0.0.15. What am I
missing? I'm betting it's something very simple, but I just can't see it.

Thanks...
Brian Bergin

I can be reached via e-mail at
cisco_dot_news_at_comcept_dot_net.

Please post replies to the group so all may benefit.
 
Reply With Quote
 
 
 
 
Walter Roberson
Guest
Posts: n/a
 
      06-21-2004
In article <(E-Mail Removed)>,
Brian Bergin <(E-Mail Removed)> wrote:
:Can anyone help me out with this config:

:The server behind the PIX on 10.0.0.15 cannot route out to the Internet and
:connections to its public IP on 3389 are not being sent to 10.0.0.15.

IX Version 6.3(3)132

>access-list outside_acl permit tcp any host 1.2.3.15 eq 3389


:ip address outside 1.2.3.5 255.255.254.0

A quick check: is that really a 254 there rather than a 255? A bad netmask
on the outside could cause the symptoms you see.

:ip address inside 10.0.0.5 255.255.255.0

:global (outside) 1 interface
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:static (inside,outside) 1.2.3.15 10.0.0.15 netmask 255.255.255.255 0 0
:access-group outside_acl in interface outside
:route outside 0.0.0.0 0.0.0.0 1.2.3.1 1

Those all look okay, so I would suggest the traditional clear xlate
Also, you might need to clear local-host .
--
"WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
 
Reply With Quote
 
 
 
 
Brian Bergin
Guest
Posts: n/a
 
      06-21-2004
http://www.velocityreviews.com/forums/(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote:

|In article <(E-Mail Removed)>,
|Brian Bergin <(E-Mail Removed)> wrote:
|:Can anyone help me out with this config:
|
|:The server behind the PIX on 10.0.0.15 cannot route out to the Internet and
|:connections to its public IP on 3389 are not being sent to 10.0.0.15.
|
|IX Version 6.3(3)132
|
|>access-list outside_acl permit tcp any host 1.2.3.15 eq 3389
|
|:ip address outside 1.2.3.5 255.255.254.0

Yep, that's right, 254... Actually, found the problem. The switch was config'd
for 100Full and the PIX for 10Full. Duh! Sorry to bother everyone. Quick
change of the PIX outside interface and, Bingo! it was up! Thanks again...

BSB

|
|A quick check: is that really a 254 there rather than a 255? A bad netmask
|on the outside could cause the symptoms you see.
|
|:ip address inside 10.0.0.5 255.255.255.0
|
|:global (outside) 1 interface
|:nat (inside) 1 0.0.0.0 0.0.0.0 0 0
|:static (inside,outside) 1.2.3.15 10.0.0.15 netmask 255.255.255.255 0 0
|:access-group outside_acl in interface outside
|:route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
|
|Those all look okay, so I would suggest the traditional clear xlate
|Also, you might need to clear local-host .


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Pix-to-Pix and Client-to-Pix VPN AlanP Cisco 3 04-07-2004 05:06 AM
PIX to PIX VPN and VPN Client to PIX Config Example? GVB Cisco 1 02-06-2004 07:44 PM
vpnclient access to remote pix via pix-pix tunnel Bill F Cisco 1 11-25-2003 06:03 AM
[pix] desperatly need help with PIX-to-PIX config Remco Bressers Cisco 1 11-21-2003 08:58 PM
PIX to PIX to PIX meshed VPN Richard Cisco 1 11-15-2003 07:41 AM



Advertisments