Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > Cisco PIX 501 Battle

Cisco PIX 501 Battle

 
 
Garrett
09-21-2004
We cannot seem to get traffic to penetrate the PIX, specifically www
traffic. Another weird quirk is that when you switch the webserver
(xxx.0.0.5) to have the pix as its gateway it cannot communicate outside
the lan, but all other computers can. Any help on this would be greatly
appreciated.

Running Configuration:

sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
<--- More --->
access-list dhk permit tcp any host 69.xxx.xxx.172 eq www
access-list dhk permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 69.xxx.xxx.173 255.xxx.xxx.248
ip address inside xxx.0.0.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 xxx.0.0.0 255.255.255.0 0 0
static (inside,outside) 69.xxx.xxx.172 xxx.0.0.5 netmask 255.255.255.255 0 0
access-group dhk in interface outside
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.169 1 <-- This is our default gateway??
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
<--- More --->
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksumxxxxxxxxxxxxxxxxxxxxxx
: end
pixfirewall#
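As an added example (not from the thread), a small Python checker that parses the relevant lines of a PIX 6.x config like the one above and reports what a defender would look at first: whether each static has a matching outside ACL permit for tcp/www, whether that ACL is actually bound inbound on the outside interface, whether a default route exists, plus two hardening findings that are present in the posted config (the default SNMP community and the icmp any any permit). The xxx-masked addresses from the post are compared as plain strings.

```python
# Constructed excerpt of the PIX 6.3(3) config in the first post; the poster's
# xxx masking is kept, so addresses are only ever compared as plain strings.
PIX_CONFIG = """\
access-list dhk permit tcp any host 69.xxx.xxx.172 eq www
access-list dhk permit icmp any any
static (inside,outside) 69.xxx.xxx.172 xxx.0.0.5 netmask 255.255.255.255 0 0
access-group dhk in interface outside
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.169 1
snmp-server community public
"""

def _addr(tok):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    return f"{tok[0]}/{tok[1]}", tok[2:]

def audit_inbound_www(config):
    """Return a list of findings about inbound web access through a PIX 6.x config."""
    statics, acls, outside_acl, default_gw, findings = [], {}, None, None, []
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["static", "(inside,outside)"]:
            statics.append((p[2], p[3]))  # (global/translated address, local address)
        elif p[:1] == ["access-list"] and p[2] == "permit":
            src, rest = _addr(p[4:])
            dst, rest = _addr(rest)
            port = rest[1] if rest[:1] == ["eq"] else "any"
            acls.setdefault(p[1], []).append((p[3], src, dst, port))  # (proto, src, dst, port)
        elif p[:1] == ["access-group"] and p[2:5] == ["in", "interface", "outside"]:
            outside_acl = p[1]
        elif p[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            default_gw = p[4]
        elif line.strip() == "snmp-server community public":
            findings.append("SNMP community is the well-known default 'public'")
    rules = acls.get(outside_acl, [])
    if outside_acl is None:
        findings.append("no access-group bound inbound on the outside interface")
    if default_gw is None:
        findings.append("no default route on outside")
    for glob, local in statics:
        # PIX 6.x: the outside ACL must permit to the translated (global) address.
        if not any(r[0] == "tcp" and r[2] == glob and r[3] in ("www", "80") for r in rules):
            findings.append(f"static {glob}->{local} has no permit for tcp/www")
    if any(r[0] == "icmp" and r[1] == "any" and r[2] == "any" for r in rules):
        findings.append("outside ACL permits icmp any any; narrow to the types you need")
    return findings
```

Run against the posted excerpt it reports only the two hardening findings, which is consistent with the later reply that nothing in the static/ACL setup itself looks wrong.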
 
paul blitz
09-21-2004

> Another weird quirk is that when you switch
> the webserver (xxx.0.0.5) to have the pix as its gateway it cannot
> communicate outside the lan but all other computers can.


That is 100% as expected / designed: the Pix is NOT a router, so if you use
the pix as a default gateway, any traffic that goes via the pix will work
fine... but *your webserver* will NOT have any connectivity via any other
routers (despite the fact that the pix is 100% aware of the other routers).
The pix has routing information for its own use (to route traffic going
THROUGH the pix) but it does NOT act as a router for any other traffic.

The correct way to configure things is to use another router on the network
to route to the other known networks, and to define the pix as the
default route on that router... then point all hosts to that router as
their default gateway.


Paul


 
PES
09-21-2004


Paul is correct in that any packet that is sent to the pix is either going
through it or being dropped. However, looking at your configuration, I
disagree in the fact that this is as expected. You do not have an internal
router judging by the pix config, and you should not need one unless you have
multiple internal networks (subnets).

That said, if you change your default gateway to the pix and it can no
longer communicate with the lan, you either have an issue with the addressing
in the web server, a local routing table issue (on the web server), or the
server is not responding to ARPs (and it was statically set in a previous
router). The IP address should be unique and on the same network, the
subnet should match, and the gateway should be the pix and is irrelevant to
local lan communication. You should also look at the local routing table on
the web server by doing a "route print" from a DOS or shell prompt.


 
Garrett
09-22-2004
The webserver communicates with the lan fine after changing the
gateway, but it cannot seem to communicate with the
internet after that. I am also having problems with the access-lists
not allowing web traffic through the PIX from the internet.
 
PES
09-22-2004

Nothing jumps out at me as being wrong with your config as in the original
post. Have you tried static'ing your internal address to any other external
IP address? It could be that the ISP is blocking that address for some
reason. I would try a known/tested IP address. Additionally, you could
enable syslog on the router and see if it gives us any clues.


 