Velocity Reviews - Computer Hardware Reviews

Strange PIX static and holes for ports issue...

dmgeller@gmail.com
01-16-2006
Greetings,

I am installing a PIX 515e in a datacenter (in D.C.) and for some
reason it is just not behaving. I have another 515e in the home office
(in L.A.) and it works like a charm. The configs are pretty much the
same minus the IPs and the one in DC needs more ports open.

So the strangeness is that none of the static mapped ports are passing
traffic from "out to in" or from "in to out". However, the DHCP
assigned computers are surfing around just fine. Additionally, the
servers that are statically mapped with open ports cannot pass traffic
through the PIX. They can get to it but not through it!

I have been comparing line by line a few of my working config files but
just cannot come up with what may be going on. If anyone of you can
shed some light, it would be very much appreciated, and drinks are on me
in SF, LA, or DC!!!

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 vpn security10
enable password xxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxx encrypted
hostname VIRPIX01
domain-name politicalsystems.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.0 LA_internal
name 192.168.11.0 WLA_internal
name 192.168.12.0 VIR_Internal
name 192.168.13.0 DC_Internal
name 192.168.222.0 VIR_VPN_Pool
name 192.168.12.3 VIRMAIL01
name 192.168.12.4 VIRDB01
name 192.168.12.5 VIRCRUNCH
name 192.168.12.6 VIRMAIL02
name 192.168.12.9 VIRWWW01
name 192.168.12.51 VIRMAIL03-IRON
access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 DC_Internal 255.255.255.0
access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 VIR_VPN_Pool 255.255.255.0
access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 WLA_internal 255.255.255.0
access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 LA_internal 255.255.255.0
access-list outside_cryptomap_20 permit ip VIR_Internal 255.255.255.0 LA_internal 255.255.255.0
access-list outside_cryptomap_40 permit ip VIR_Internal 255.255.255.0 DC_Internal 255.255.255.0
access-list outside_cryptomap_60 permit ip VIR_Internal 255.255.255.0 WLA_internal 255.255.255.0
access-list open_port permit udp any host x.x.x.84 eq domain
access-list open_port permit tcp any host x.x.x.84 eq www
access-list open_port permit tcp any host x.x.x.84 eq https
access-list open_port permit tcp any host x.x.x.85 eq ftp
access-list open_port permit tcp any host x.x.x.85 eq smtp
access-list open_port permit udp any host x.x.x.85 eq domain
access-list open_port permit tcp any host x.x.x.88 eq www
access-list open_port permit tcp any host x.x.x.88 eq https
access-list open_port permit tcp any host x.x.x.89 eq smtp
access-list open_port permit tcp any host x.x.x.90 eq www
access-list open_port permit tcp any host x.x.x.90 eq https
access-list open_port permit tcp any host x.x.x.91 eq smtp
access-list open_port permit tcp any host x.x.x.92 eq smtp
access-list open_port permit tcp any host x.x.x.94 eq ftp
access-list open_port permit tcp any host x.x.x.94 eq smtp
access-list open_port permit udp any host x.x.x.87 eq domain
access-list open_port permit tcp any host x.x.x.87 eq www
access-list open_port permit tcp any host x.x.x.87 eq https
access-list open_port permit icmp any any
pager lines 24
icmp permit any outside
icmp permit any inside
icmp permit any vpn
mtu outside 1500
mtu inside 1500
mtu vpn 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.12.1 255.255.255.0
ip address vpn 192.168.112.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VIR_VPN_Clients 192.168.112.100-192.168.112.199 mask 255.255.255.0
pdm location LA_internal 255.255.255.0 outside
pdm location DC_Internal 255.255.255.0 outside
pdm location WLA_internal 255.255.255.0 outside
pdm location VIRMAIL01 255.255.255.255 inside
pdm location VIRDB01 255.255.255.255 inside
pdm location VIRMAIL02 255.255.255.255 inside
pdm location VIRWWW01 255.255.255.255 inside
pdm location 192.168.12.10 255.255.255.255 inside
pdm location 192.168.12.11 255.255.255.255 inside
pdm location 192.168.12.12 255.255.255.255 inside
pdm location 192.168.12.13 255.255.255.255 inside
pdm location VIRMAIL03-IRON 255.255.255.255 inside
pdm location LA_internal 255.255.255.0 vpn
pdm location WLA_internal 255.255.255.0 vpn
pdm location DC_Internal 255.255.255.0 vpn
pdm location 192.168.12.41 255.255.255.255 inside
pdm location VIR_VPN_Pool 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface netmask 255.255.255.255
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.90 VIRWWW01 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.87 192.168.12.10 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.84 192.168.12.11 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.88 192.168.12.12 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.85 VIRMAIL01 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.89 192.168.12.13 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.83 VIRDB01 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.91 VIRMAIL02 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.94 VIRMAIL03-IRON netmask 255.255.255.255 0 0
static (vpn,outside) x.x.x.93 192.168.112.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.92 192.168.12.41 netmask 255.255.255.255 0 0
access-group open_port in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http VIR_Internal 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer x.x.x.x
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer x.x.x.x
crypto map outside_map 60 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp enable vpn
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
telnet VIR_Internal 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh VIR_Internal 255.255.255.0 inside
ssh timeout 15
console timeout 0
vpdn group VIR_Clients accept dialin pptp
vpdn group VIR_Clients ppp authentication mschap
vpdn group VIR_Clients ppp encryption mppe 40
vpdn group VIR_Clients client configuration address local VIR_VPN_Clients
vpdn group VIR_Clients pptp echo 60
vpdn group VIR_Clients client authentication local
vpdn enable vpn
dhcpd address 192.168.12.200-192.168.12.220 inside
dhcpd dns VIRMAIL01 208.57.0.11
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain politicalsystems.local
dhcpd enable inside
.........

dmgeller@gmail.com
01-18-2006
Found the problem. It was the outside subnet mask...such an idiot. I
treated myself to a Guinness...

 
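The follow-up pins the failure on the outside interface's subnet mask: the outside interface is configured as a /29, yet statics are mapped to public addresses from .83 through .94, which a /29 cannot cover. As an added example (not code from the original thread), the Python below parses the `ip address` and `static` lines of a PIX 6.3 config and lists every static whose mapped address is not a usable host in the interface's configured subnet. The page masks the public octets as x.x.x.N, so the constructed sample uses the documentation range 203.0.113.N with an assumed interface address of .82 and the /29 mask from the post.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config. The page masks the
# public octets as x.x.x.N, so the documentation range 203.0.113.0/24 stands
# in for them; the interface address .82 is an assumption, the /29 is the post's.
PIX_CONFIG = """
ip address outside 203.0.113.82 255.255.255.248
static (inside,outside) 203.0.113.90 192.168.12.9 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.87 192.168.12.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.84 192.168.12.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.88 192.168.12.12 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.85 192.168.12.3 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.89 192.168.12.13 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.83 192.168.12.4 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.91 192.168.12.6 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.94 192.168.12.51 netmask 255.255.255.255 0 0
static (vpn,outside) 203.0.113.93 192.168.112.1 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.92 192.168.12.41 netmask 255.255.255.255 0 0
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)", re.M)
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask", re.M)

def interface_subnet(config, ifname):
    """Subnet of the named interface, taken from its 'ip address' line."""
    for name, addr, mask in IP_RE.findall(config):
        if name == ifname:
            return ipaddress.ip_interface(f"{addr}/{mask}").network
    raise ValueError(f"no 'ip address {ifname}' line in config")

def statics_off_subnet(config, ifname="outside"):
    """Mapped (public) addresses of statics on ifname that are not usable
    host addresses inside that interface's configured subnet. A too-narrow
    mask, the cause found in this thread, shows up as the list of statics
    the interface subnet no longer covers (network/broadcast count as unusable)."""
    net = interface_subnet(config, ifname)
    bad = []
    for _real_if, mapped_if, mapped, _real in STATIC_RE.findall(config):
        addr = ipaddress.ip_address(mapped)
        usable = addr in net and addr not in (net.network_address, net.broadcast_address)
        if mapped_if == ifname and not usable:
            bad.append(str(addr))
    return sorted(bad, key=ipaddress.ip_address)

if __name__ == "__main__":
    print("statics not covered by the outside subnet:", statics_off_subnet(PIX_CONFIG))
```

With the /29 the statics from .87 upward are reported (.87 is that subnet's broadcast address); widening the mask to 255.255.255.224 clears the list.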