can't get a PIX 515 to forward TCP traffic

Discussion in 'Cisco' started by B Squared, May 23, 2005.

  1. B Squared

    B Squared Guest

    All,

    Last Friday I posted a simple configuration file for a PIX 515
    and noted I couldn't get tcp traffic to cross the firewall. It
    was pointed out I had a faulty access-list. I was pretty sure
    there was an additional problem beyond that, but obviously I
    wanted to correct the access-list problem. Having done that, I
    did some more testing and still have the original problem.
    Here is the posting, with the access-list now added.

    I hate to be the whiner, but I haven't been able to get any
    traffic of any kind to cross between the inside and outside
    interfaces of my PIX 515. From inside the PIX I can ping out to
    hosts beyond both interfaces. And from hosts on either side, I
    can ping the respective interface. But I can't get tcp, or any
    other traffic, to cross the firewall. I've included the entire
    configuration, which from what I can tell, is totally vanilla
    and straight from the Cisco website tutorials. I've been fighting
    this for two days, so I'm sort of losing my religion on this.

    Any suggestions are much appreciated.

    --------------------------------------------

    PIX Version 6.3(4)

    interface ethernet0 auto
    interface ethernet1 auto

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    hostname pixfirewall

    domain-name xxxxxx.xxx

    ! the standard fixup protocols
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69

    names
    pager lines 24

    mtu outside 1500
    mtu inside 1500

    ip address outside xxx.xxx.50.14 255.255.255.0
    ip address inside xxx.xxx.65.193 255.255.255.224 !! a small subnet

    ip audit info action alarm
    ip audit attack action alarm

    pdm history enable

    arp timeout 14400

    ! not using NAT
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    ! I've also attempted a static route here, but to no avail

    !default route
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.50.4 1

    ! use the default timeouts
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00 !! the newsgroup editor wraps this line
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute

    ! again, the defaults
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local

    ! allow icmp for some short term debugging
    access-list ping_ok permit icmp any any
    access-list ping_ok permit ip any any !! ** added this line
    access-group ping_ok in interface inside

    ! the pdm/web interface
    http server enable
    http 192.168.1.0 255.255.255.0 inside

    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps

    floodguard enable

    telnet timeout 5
    ssh timeout 5
    console timeout 0

    terminal width 80

    ------------------------------

    Like I said, this seems totally vanilla to me.

    Thanks in advance for any help.

    B Squared
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "We've all heard that a million monkeys banging on a million typewriters
    will eventually reproduce the entire works of Shakespeare. Now, thanks
    to the Internet, we know this is not true."
    --Professor Robert Silensky of California University
     
    B Squared, May 23, 2005
    #1

  2. Memnoch

    Memnoch Guest

    On Mon, 23 May 2005 15:37:15 -0700, "B Squared" wrote:

    >! allow icmp for some short term debugging
    >access-list ping_ok permit icmp any any
    >access-list ping_ok permit ip any any !! ** added this line
    >access-group ping_ok in interface inside


    If memory serves you need to define static(s) if you want to allow traffic to
    flow from a low security interface to a high security interface.
     
    Memnoch, May 24, 2005
    #2

  3. In article <>, <"B Squared"> wrote:
    :I haven't been able to get any
    :traffic of any kind to cross between the inside and outside
    :interfaces of my PIX 515. From inside the PIX I can ping out to
    :hosts beyond both interfaces. And from hosts on either side, I
    :can ping the respective interface. But I can't get tcp, or any
    :other traffic, to cross the firewall.

    What have you tried for that purpose?

    Since you have nat turned off, in order to get traffic
    back, your network would have to support proxy arp, or else your
    routers would have to be configured to route the inside address
    range to the PIX outside IP.

    Have you tried 'debug packet' against the outside interface?
    Have you tried using 'capture' to see what's getting there and
    what isn't?
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
     
    Walter Roberson, May 24, 2005
    #3
  4. Even if you are NATless, you still have to make a "static" command to punch
    a conduit through.

    You are still doing NAT, you are just NATing to the same address.

    The PIX essentially rebuilds the connection, even if it keeps the original
    address.

    http://www.cisco.com/warp/public/707/28.html

    is a good reference. Look at "Disabling NAT."

    nat (inside) is the pool of internal addresses you want to punch through.
    You need to list the internal addresses you want to let out, there. Then,
    add an access-list to bypass the actual address translation part of NAT.

    In your example, I think:

    nat (inside) 0 0.0.0.0 0.0.0.0 0 0

    Should be

    nat (inside) 0 x.x.65.192 255.255.255.224

    access-list 105 permit ip x.x.65.192 255.255.255.224 any
    nat (inside) 0 access-list 103

    Which should disable NAT for that network.
     
    Phillip Remaker, May 24, 2005
    #4
  5. S. Gione

    S. Gione Guest

    B;

    Couple of things:

    I noticed you're using nat 0 for inside. This means you are attempting to
    use the inside network addresses on the outside, with no translation. From
    the http statements, it appears you're using the 192.168.1.0 network on the
    inside. Is this really what you are attempting to do?

    If not, you might want to use nat 1 (or other nat id) and perform nat or pat
    translation to the outside network. To complete this, you would need a
    global statement ... which would bring the inside nat (id) to the outside
    network using either nat or pat.


     
    S. Gione, May 24, 2005
    #5
  6. B Squared

    B Squared Guest

    S. Gione wrote:
    > B;
    >
    > Couple of things:
    >
    > I noticed you're using nat 0 for inside. This means you are attempting to
    > use the inside network addresses on the outside, with no translation. From
    > the http statements, it appears you're using the 192.168.1.0 network on the
    > inside. Is this really what you are attempting to do?


    I think this is a red herring. The two http statements:

    >>http server enable
    >>http 192.168.1.0 255.255.255.0 inside


    enable the web interface on the PIX (establish it as an http server) and
    create an address to point the browser to. However, it's worth removing
    them until I get the problem fixed. Or at least that's my understanding.
    I'm going to test all the suggestions tomorrow.

    > If not, you might want to use nat 1 (or other nat id) and perform nat or pat
    > translation to the outside network. To complete this, you would need a
    > global statement ... which would bring the inside nat (id) to the outside
    > network using either nat or pat.


    B Squared
     
    B Squared, May 24, 2005
    #6
  7. In article <1116890976.969290@sj-nntpcache-3>,
    Phillip Remaker <> wrote:
    :Even if you are NATless, you still have to make a "static" command to punch
    :a conduit through.

    Only if you want to be able to initiate connections from outside
    to inside.

    If I read the OP's posting correctly, the OP is apparently not
    getting traffic in either direction.
     
    Walter Roberson, May 24, 2005
    #7
  8. In article <>, <"B Squared"> wrote:
    :I think this is a red herring. The two http statements:

    : >>http server enable
    : >>http 192.168.1.0 255.255.255.0 inside

    :enable the web interface on the PIX (establish it as an http server) and
    :create an address to point the browser to.

    Not quite, or at least not as written. That statement allows
    inside addresses in 192.168.1/24 to use pdm.

    The user's inside addresses are in a different subnet and there is no
    'route' statement pointing 192.168.1 towards the inside, so
    effectively the user will not be able to use pdm until this is
    adjusted. However, this won't affect any other traffic.
     
    Walter Roberson, May 24, 2005
    #8
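An added example, not code from the thread: a small Python lint over a constructed copy of the posted config (the masked octets replaced with a 10.0.x.x placeholder) that flags the three points raised in replies #4 and #8: a `nat (inside) 0` pool of 0.0.0.0/0 rather than the real inside subnet, a `nat 0 access-list` line that references an access-list the config never defines, and an `http` statement whose subnet is not on the inside interface.

```python
# Added lint example (not from the thread). Checks a PIX 6.3 style config for
# the issues the replies point at; the sample config below is constructed.
import ipaddress
import re

# Constructed sample: relevant lines of the OP's config, masked octets -> 10.0.x.x
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.0.50.14 255.255.255.0
ip address inside 10.0.65.193 255.255.255.224
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-list ping_ok permit icmp any any
access-list ping_ok permit ip any any
access-group ping_ok in interface inside
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

# Constructed sample in the shape of reply #4, with the ACL number mismatched
# (105 defined, 103 referenced) so the undefined-ACL check has something to find.
MISMATCHED_NAT0_CONFIG = """
ip address inside 10.0.65.193 255.255.255.224
access-list 105 permit ip 10.0.65.192 255.255.255.224 any
nat (inside) 0 access-list 103
"""

def lint_pix(config):
    """Return a list of findings (strings) for the given PIX config text."""
    findings = []
    ifaces = {}  # interface name -> ip_network configured on it
    acls = set()
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for line in lines:  # first pass: collect interfaces and defined ACL names
        m = re.match(r"ip address (\S+) (\S+) (\S+)", line)
        if m:
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        m = re.match(r"access-list (\S+) ", line)
        if m:
            acls.add(m[1])
    for line in lines:  # second pass: the checks
        m = re.match(r"nat \((\S+)\) 0 0\.0\.0\.0 0\.0\.0\.0", line)
        if m:  # identity NAT for every address instead of the real inside subnet
            findings.append(f"nat 0 on {m[1]} covers 0.0.0.0/0; list the real inside subnet instead")
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m and m[2] not in acls:  # NAT exemption pointing at a missing ACL
            findings.append(f"nat 0 on {m[1]} references undefined access-list {m[2]}")
        m = re.match(r"http (\d+\.\d+\.\d+\.\d+) (\S+) (\S+)", line)
        if m and m[3] in ifaces:  # PDM allowed from a subnet not on that interface
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            if not net.subnet_of(ifaces[m[3]]):
                findings.append(f"http {net} on {m[3]} is outside that interface's subnet {ifaces[m[3]]}")
    return findings
```

Running `lint_pix(SAMPLE_CONFIG)` reports the wildcard nat 0 and the off-subnet http statement; the access-list that only permits ip any any is not itself flagged, matching reply #8's point that it does not affect other traffic.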
