PIX 501 problem seeing other computers on inside/subnet?

Jay
11-08-2004
Hi, I am wondering if someone can help me with this project (and
quickly if possible). I am not a Cisco expert and inherited this
beast from someone with no instructs... Basically there are two
computers behind the PIX and those two computers cannot see each
other nor any other computers that are in our host's data center
(example: Exchange cannot resolve the IP of the (E-Mail Removed),
nor can I ping ourhost.com). They seem to think it is something to do
with the subnet at the PIX. The PIX takes the .232 address and also
gives .232 and .233 to the two computers. I cannot ping .233 from
.232 but can ping the internal (192.168.1.5) OK. Also I use
192.168.1.5 as the DNS, which only works about 75% of the time
(related?). They share an Active Directory which of course I can't
see, but I can log on to the Windows domain (strange...). I cannot see
shared directories from .233 on .232 but can see shared directories
from .233 on .232... Again, not sure if this is all related, but
ipconfig shows them both on the 255.255.255.0 subnet.

Here is the config from pix

---

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname hostpix
domain-name ********
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 81
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.7 comp2
name 192.168.1.5 comp1
access-list 101 permit tcp any host comp1 eq www
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxx.xxx.xxx.232 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.232 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.232 eq ftp
access-list 100 permit tcp any host xxx.xxx.xxx.232 eq pop2
access-list 100 permit tcp any host xxx.xxx.xxx.232 eq pop3
access-list 100 permit tcp any host xxx.xxx.xxx.233 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.233 eq 3389
access-list 100 permit tcp any host xxx.xxx.xxx.232 eq 3389
access-list 100 permit ip 192.168.1.0 255.255.255.0 xxx.xxx.xxx.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit tcp any host xxx.xxx.xxx.232 eq 2401
access-list 100 permit tcp any host xxx.xxx.xxx.232 eq ssh
access-list 100 permit tcp any host xxx.xxx.xxx.233 eq ftp
access-list 100 permit tcp any host xxx.xxx.xxx.233 eq 1306
access-list 100 permit tcp any host xxx.xxx.xxx.233 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.233 eq https
access-list inside_outbound_nat0_acl permit ip host comp1 192.168.1.16 255.255.255.240
access-list inside_outbound_nat0_acl permit ip host comp2 192.168.1.16 255.255.255.240
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.232 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.1.20-192.168.1.25
ip local pool vpnpool 10.10.10.1-10.10.10.254
pdm location comp1 255.255.255.255 inside
pdm location comp2 255.255.255.255 inside
pdm location 192.168.1.16 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.233 comp2 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.232 comp1 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh xxx.xxx.xxx.232 255.255.255.255 outside
ssh yyy.yyy.yyy.0 255.255.255.0 outside
ssh xxx.xxx.xxx.232 255.255.255.255 inside
ssh yyy.yyy.yyy.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpn
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username ******** password *********
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username ***** password ***** encrypted privilege 15
terminal width 80
Cryptochecksum:93f022ec3170597a7c8c301e23e02e88
: end
[OK]
hostpix#


---

Any help would be MUCH appreciated!

Thanks
 

Walter Roberson
11-08-2004
In article <(E-Mail Removed) >,
Jay <(E-Mail Removed)> wrote:
:Hi I am wondering if someone can help me with this project (and
:quickly if possible). I am not a cisco expert and inherited this
:beast from someone with no instructs... Basically there are two
:computers behind the pix and those two computers can not see each
:other

That part is a local problem. Make sure that both systems are on
the same subnet internally, and that you have not somehow put in
a static route on them that overrides the default route to 192.168.1.x
through their interfaces.

Note: if they were on different subnets [which doesn't appear to
be the case from your configuration] then you would need an inside
router: you cannot use the PIX as the gateway to route between different
machines on different subnets feeding in to the same PIX [logical]
interface

:nor any other computers that are in our hosts data center

:Here is the config from pix

:PIX Version 6.3(1)

That version should be upgraded, as it has bugs and security problems.
You are entitled to a free upgrade to PIX 6.3(4) even if you do
not have a support contract. For more information, search cisco.com
for PIX security advisory 6.3(3). You won't find 6.3(4) explicitly
mentioned, but you will find 6.3(3)118 or some such number mentioned,
and they'd rather give you 6.3(4) than that intermediate engineering
build.



:access-list 100 permit icmp any any echo-reply
:access-list 100 permit icmp any any time-exceeded
:access-list 100 permit icmp any any unreachable

You aren't permitting icmp echo in this ACL that you are applying in
your crypto map, so the lines above do not allow your internal 192.168
hosts to ping anything at xxx.xxx.xxx/24.

:access-list 100 permit ip 192.168.1.0 255.255.255.0 xxx.xxx.xxx.0 255.255.255.0

On the other hand, 'ip' includes icmp so that line would permit echo
and everything else to the xxx.xxx.xxx/24 network. But xxx.xxx.xxx/24
you have indicated as the outside network of your PIX, not as the
public IP range of your host's network (unless those are the same),
so the above line is permitting access to local
devices that are sitting outside your PIX, such as your WAN router.

:access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

You didn't mention anything about 10.10.10.0? Is that the private IP
space used within HQ, with xxx.xxx.xxx/24 being their public IP space?
If it is the private IP space then because 'ip' includes 'icmp', echo
would be allowed out and echo-reply would be allowed back.

On the other hand, I see you have no 'crypto map', so you aren't doing
IPSec to any HQ, so I'm more confused now about what 10.10.10/24 is for?

:access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

That line is not useful. That would be to permit internal 10.10.10/24
packets to go over the VPN to HQ if HQ had 192.168.1/24 IPs.

:access-list inside_outbound_nat0_acl permit ip host comp1 192.168.1.16 255.255.255.240
:access-list inside_outbound_nat0_acl permit ip host comp2 192.168.1.16 255.255.255.240

What does that ACL get used for? Get rid of it if you aren't using it.

:ip address outside xxx.xxx.xxx.232 255.255.255.0
:ip address inside 192.168.1.1 255.255.255.0

:global (outside) 1 interface
:nat (inside) 0 access-list 100
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0

:static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 0 0

I'm not sure why you have that line.

:static (inside,outside) xxx.xxx.xxx.233 comp2 netmask 255.255.255.255 0 0
:static (inside,outside) xxx.xxx.xxx.232 comp1 netmask 255.255.255.255 0 0

:access-group 100 in interface outside

Mistake!! You cannot use the same ACL for a nat 0 access-list and
an access-group command! When it's access-group'd then the ACL will
be internally modified by the PIX adaptive security to put in pinholes
to allow traffic in or out according to valid connections made. If you
have another use of that ACL, then that alternative functionality gets
affected as well!
--
If a troll and a half can hook a reader and a half in a posting and a half,
how many readers can six trolls hook in six postings?
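The "same ACL in nat 0 and access-group" mistake and the unreferenced ACL that Walter points out are both mechanical to check for. The following linter is an added example, not code from the thread or from Cisco; it runs over a constructed, trimmed copy of the posted config and reports ACLs that are referenced by both a `nat (...) 0 access-list` and an `access-group` line, plus ACLs that are defined but never applied anywhere.

```python
import re

# Constructed sample: a trimmed version of the PIX 6.3 config from the post
# (hostnames kept, public addresses masked exactly as the poster did).
SAMPLE_CONFIG = """
access-list 101 permit tcp any host comp1 eq www
access-list 100 permit icmp any any echo-reply
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host comp1 192.168.1.16 255.255.255.240
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
"""

ACL_DEF = re.compile(r"access-list (\S+) ")
NAT0_REF = re.compile(r"nat \(\S+\) 0 access-list (\S+)")
GROUP_REF = re.compile(r"access-group (\S+) in interface")


def lint_pix_acls(config):
    """Return a list of findings (strings) about access-list usage."""
    defined, nat0, grouped = set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        for pattern, bucket in ((ACL_DEF, defined), (NAT0_REF, nat0), (GROUP_REF, grouped)):
            m = pattern.match(line)
            if m:
                bucket.add(m.group(1))
    findings = []
    # An ACL cannot serve as both the nat 0 (identity NAT) list and an
    # interface access-group: the PIX modifies the access-group'd ACL.
    for acl in sorted(nat0 & grouped):
        findings.append(f"{acl}: used by both 'nat 0 access-list' and "
                        f"'access-group'; split it into two separate ACLs")
    # Defined but never applied: dead config that should be removed.
    for acl in sorted(defined - nat0 - grouped):
        findings.append(f"{acl}: defined but never referenced; remove or apply it")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_acls(SAMPLE_CONFIG):
        print(finding)
```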