Cisco PIX 501 Battle

Discussion in 'Cisco' started by Garrett, Sep 21, 2004.

  1. Garrett

    Garrett Guest

    We cannot seem to be able to get traffic to penetrate the PIX,
    specifically www traffic. Another weird quirk is that when you switch
    the webserver (xxx.0.0.5) to have the pix as its gateway it cannot
    communicate outside the lan but all other computers can. Any help on
    this would be greatly appreciated.

    Running Configuration:

    sh run
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    <--- More --->
    access-list dhk permit tcp any host 69.xxx.xxx.172 eq www
    access-list dhk permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 69.xxx.xxx.173 255.xxx.xxx.248
    ip address inside xxx.0.0.10 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 xxx.0.0.0 255.255.255.0 0 0
    static (inside,outside) 69.xxx.xxx.172 xxx.0.0.5 netmask 255.255.255.255 0 0
    access-group dhk in interface outside
    route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.169 1 <--This is our default gateway??
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    <--- More --->
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxx
    : end
    pixfirewall#
     
    Garrett, Sep 21, 2004
    #1
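    For inbound web traffic, a PIX 6.3 publish needs three things to line up, and the paste above has all of them: a static translation for the server, an access-list that permits the traffic to the translated (global) address rather than the inside address, and an access-group binding that list inbound on the outside interface. The script below is an added example, not code from the thread or from Cisco; it parses a config in the same shape (the sample is constructed, with RFC 5737 documentation addresses standing in for the redacted ones) and reports, for every static, whether tcp/www is actually permitted by the outside ACL, plus a couple of management settings worth a second look. A second static with no matching permit is included on purpose to show what a miss looks like.

```python
"""Lint a PIX 6.3-style running config for inbound publish consistency.

Added example for the thread, not Cisco code. Address values are
constructed (RFC 5737 ranges) and stand in for the poster's redacted ones.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the poster's config. The second static
# deliberately has no matching access-list permit.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list dhk permit tcp any host 192.0.2.172 eq www
access-list dhk permit icmp any any
ip address outside 192.0.2.173 255.255.255.248
ip address inside 10.0.0.10 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) 192.0.2.172 10.0.0.5 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.174 10.0.0.6 netmask 255.255.255.255 0 0
access-group dhk in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.169 1
http server enable
snmp-server community public
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


@dataclass
class PixPolicy:
    statics: list = field(default_factory=list)  # (global_ip, local_ip)
    acls: dict = field(default_factory=dict)     # acl name -> raw rule lines
    groups: dict = field(default_factory=dict)   # interface -> acl name
    settings: set = field(default_factory=set)   # management lines of interest


def parse_config(text):
    """Pull statics, ACL entries, access-group bindings and a few settings."""
    pol = PixPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            pol.statics.append((m.group(3), m.group(4)))
        elif m := ACL_RE.match(line):
            pol.acls.setdefault(m.group(1), []).append(line)
        elif m := GROUP_RE.match(line):
            pol.groups[m.group(2)] = m.group(1)
        elif line == "http server enable" or line.startswith("snmp-server community "):
            pol.settings.add(line)
    return pol


def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A mask'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]


def rule_covers(rule, proto, host, port=None):
    """True if a permit rule allows proto (and port) to the given global address."""
    m = ACL_RE.match(rule)
    if not m or m.group(2) != "permit" or m.group(3) not in (proto, "ip"):
        return False
    _src, rest = _addr(m.group(4).split())
    dst, rest = _addr(rest)
    if dst not in ("any", host):
        return False
    if port is None or not rest:      # no port clause means all ports
        return True
    return rest[:2] == ["eq", port]


def check_inbound_publish(pol, outside="outside"):
    """One finding per static: is tcp/www to its global address permitted?"""
    findings = []
    acl_name = pol.groups.get(outside)
    if acl_name is None:
        return [f"no access-group applied inbound on {outside}; statics are unreachable"]
    rules = pol.acls.get(acl_name, [])
    for glob, local in pol.statics:
        ok = any(rule_covers(r, "tcp", glob, "www") for r in rules)
        findings.append(f"static {glob} -> {local}: tcp/www inbound "
                        f"{'permitted' if ok else 'NOT permitted'} by {acl_name}")
    return findings


def check_management(pol):
    """Flag management settings a reviewer would question."""
    findings = []
    if "snmp-server community public" in pol.settings:
        findings.append("snmp-server community is the default string 'public'")
    if "http server enable" in pol.settings:
        findings.append("http server enable present; confirm 'http <addr> <mask> <if>' "
                        "entries limit which hosts reach PDM")
    return findings


if __name__ == "__main__":
    policy = parse_config(SAMPLE_CONFIG)
    for line in check_inbound_publish(policy) + check_management(policy):
        print(line)
```

    Run against the poster's own config (with the real addresses filled in) the publish check passes for the .172/.5 static, which is why the replies below go looking at the host and the ISP rather than at the access-list.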

  2. paul blitz

    paul blitz Guest


    > Another weird quirk is that when you switch
    > the webserver (xxx.0.0.5) to have the pix as its gateway it cannot
    > communicate outside the lan but all other computers can.


    That is 100% as expected / designed: the Pix is NOT a router, so if you use
    the pix as a default gateway, any traffic that goes via the pix will work
    fine... but *your webserver* will NOT have any connectivity via any other
    routers (despite the fact that the pix is 100% aware of the other routers).
    The pix has routing information for its own use (to route traffic going
    THROUGH the pix) but it does NOT act as a router for any other traffic.

    The correct way to configure things is to use another router on the network
    to route to the other known networks, and to define the pix as the
    default route on that router.... then point all hosts to that router as
    their default gateway.


    Paul
     
    paul blitz, Sep 21, 2004
    #2

  3. PES

    PES Guest

    "paul blitz" <> wrote in message
    news:4150566a$0$20254$...
    >
    >> Another weird quirk is that when you switch
    >> the webserver (xxx.0.0.5) to have the pix as its gateway it cannot
    >> communicate outside the lan but all other computers can.

    >
    > That is 100% as expected / designed: the Pix is NOT a router, so if you
    > use
    > the pix as a default gateway, any traffic that goes via the pix will work
    > fine... but *your webserver* will NOT have any connectivity via any other
    > routers (despite the fact that the pix is 100% aware of the other
    > routers).
    > The pix has routing information for its own use (to route traffic going
    > THROUGH the pix) but it does NOT act as a router for any other traffic.
    >
    > The correct way to configure things is to use another router on the
    > network
    > to route to the other known networks, and to define the pix as the
    > default route on that router.... then point all hosts to that router as
    > their default gateway.
    >
    >
    > Paul
    >
    >


    Paul is correct in that any packet that is sent to the pix is either going
    through it or being dropped. However, looking at your configuration, I
    disagree in the fact that this is as expected. You do not have an internal
    router judging by the pix config and you should not need one unless you have
    multiple internal networks (subnets).

    That said, if you change your default gateway to the pix and it can no
    longer communicate to the lan, you either have an issue with the addressing
    in the web server, a local routing table issue (on the web server), or the
    server is not responding to ARPs (and it was statically set in a previous
    router). The ip address should be unique and on the same network, the
    subnet should match and the gateway should be the pix and is irrelevant to
    local lan communication. You should also look at the local routing table on
    the web server by doing a "route print" from a dos or shell prompt.
     
    PES, Sep 21, 2004
    #3
  4. Garrett

    Garrett Guest

    > >
    > >

    >
    > Paul is correct in that any packet that is sent to the pix is either going
    > through it or being dropped. However, looking at your configuration, I
    > disagree in the fact that this is as expected. You do not have an internal
    > router judging by the pix config and you should not need one unless you have
    > multiple internal network (subnets).
    >
    > That said, if you change your default gateway to the pix and it can no
    > longer communicate to the lan, you either have an issue with the addressing
    > in the web server, local routing table issue (on the web server), or the
    > server is not responding to arps (and it was statically set in a previous
    > router). The ip address should be unique and on the same network, the
    > subnet should match and the gateway should be the pix and is irrelevant to
    > local lan communication. You should also look at the local routing table on
    > the web server by doing a "route print" from a dos or shell prompt.


    The webserver communicates with the lan fine after changing the
    gateway but it cannot seem to be able to communicate with the
    internet after that. I am also having problems with the access-lists
    not allowing web traffic through the PIX from the internet.
     
    Garrett, Sep 22, 2004
    #4
  5. PES

    PES Guest

    "Garrett" <> wrote in message
    news:...
    >> >
    >> >

    >>
    >> Paul is correct in that any packet that is sent to the pix is either
    >> going
    >> through it or being dropped. However, looking at your configuration, I
    >> disagree in the fact that this is as expected. You do not have an
    >> internal
    >> router judging by the pix config and you should not need one unless you
    >> have
    >> multiple internal network (subnets).
    >>
    >> That said, if you change your default gateway to the pix and it can no
    >> longer communicate to the lan, you either have an issue with the
    >> addressing
    >> in the web server, local routing table issue (on the web server), or the
    >> server is not responding to arps (and it was statically set in a previous
    >> router). The ip address should be unique and on the same network, the
    >> subnet should match and the gateway should be the pix and is irrelevant
    >> to
    >> local lan communication. You should also look at the local routing table
    >> on
    >> the web server by doing a "route print" from a dos or shell prompt.

    >
    > The webserver communicates with the lan fine after changing the
    > gateway but it can not seem to be able to communicate with the
    > internet after that. I am also having problems with the access-lists
    > not allowing web traffic through the PIX from the internet.


    Nothing jumps out at me as being wrong with your config as in the original
    post. Have you tried static'ing your internal address to any other external
    ip address? It could be that the isp is blocking that address for some
    reason. I would try a known/tested ip address. Additionally, you could
    enable syslog on the router and see if it gives us any clues.
     
    PES, Sep 23, 2004
    #5