Cisco PIX 501 Firewall

Discussion in 'Cisco' started by Tim Zoetebier, Sep 3, 2006.

  1. Question:

    I've a small home network
    => 2 PCs, a PS2 and a Pinnacle Showcenter 200, and I use my Cisco PIX 501 as
    a "smart switch" and I've configured my network with DHCP.
    Now I need 1 PC (server) to communicate with the Showcenter (client).
    OKAY, I've got them communicating, BUT it's not working all that well
    (connection seems slow / to stall from time to time).
    Everything else in my network works really great (and fast; 100mbps) so it
    seems a problem in the communication between the (Server) PC and the
    (Client) Pinnacle Showcenter 200, and I know almost for sure that the
    problem is a misconfiguration at the Cisco PIX 501 Firewall.

    I use these rules to allow ALL??? INSIDE (to outside) network traffic:
    ACCESS RULE:
    Source - inside:any
    Destination - outside:any
    Interface - inside (outbound)
    Service - IP
    TRANSLATION RULE:
    (original) Interface - inside
    (original) Address - inside:any/0.0.0.0
    (translated) Interface - outside
    (translated) Address - interface PAT
    (options) DNS Rewrite - NO
    (options) Maximum Connections - unlimited
    (options) Embryonic Limit - unlimited
    (options) Random Sequence Number - yes

    Pinnacle Showcenter 200 needs these next 2 ports to communicate with the
    (server) PC:
    => 8000 (TCP) and 1900 (UDP), and these are used only for internal network
    communication (not for outside (connect to internet) connections).

    Do I need to open these in my configuration? Because I thought the Cisco PIX
    501 allowed all internal traffic by default? Or am I wrong?
    If I do need to open these ports for the internal communication, how should
    I do this???


    with Kind Regards,
    Tim
    Tim Zoetebier, Sep 3, 2006
    #1

  2. Tim Zoetebier

    mak Guest

    Tim Zoetebier wrote:
    > Do I need to open these in my configuration? Because I thought the Cisco PIX
    > 501 allowed all internal traffic by default? Or am I wrong?
    > If I do need to open these ports for the internal communication, how should
    > I do this???

    That's right,
    PIX allows traffic from lower sec level to higher by default.
    >I use my Cisco PIX 501 as
    > a "smart switch"


    What do you mean by that? How are the devices physically connected?


    If you say
    > OKAY I've got them communicating, BUT it's not working all that well
    > (connection seems slow / to stall from time to time)

    I doubt it's a PIX issue; either it allows traffic or not.
    You can do some debugging with debug icmp trace, logging or capture.


    mak
    mak, Sep 4, 2006
    #2

  3. Tim Zoetebier

    Tim Guest

    "mak" <> wrote in message news:edgilr$5ft$...

    [quote mak:]
    > what do you mean by that? how are the devices physically connected?

    [/quote]

    internet <=> PIX 501 Firewall (does all the routing) <=> PC's / PS2 /
    ShowCenter
    Tim, Sep 6, 2006
    #3
  4. Tim Zoetebier

    James Guest

    If you mean that the Show Centre and the PC both connect to the
    501's 4 port Switch then there is nothing to configure to enable
    communication between the two.

    You might want to check the Speed / Duplex settings of all devices - a
    mismatch could be causing the quality issue. Manually set the Speed
    and Duplex of the PIX interfaces and all other devices. With the 501's
    switch port you can't manually set the speed / duplex of each
    individual interface so be sure to set all devices to the lowest common
    denominator.

    If you see increasing CRC errors on the PIX's ethernet 1 interface
    (show interface ethernet1) then there probably is a speed duplex
    mismatch.

    James


    James, Sep 7, 2006
    #4
  5. Tim Zoetebier

    Tim Guest

    "James" <> wrote in message
    news:...
    > If the you mean that the Show Centre and the PC both connect to the
    > 501's 4 port Switch then there is nothing to configure to enable
    > communication between the two.


    ***
    YES! You've got the picture, that's exactly what I mean.
    I thought that that was how it works, so nothing to configure; thanks for
    verifying that...
    ***

    >
    > You might want to check the Speed / Duplex settings of all devices - a
    > mismatch could be causing the quality issue. Manually set the Speed
    > and Duplex of the PIX interfaces and all other devices. With the 501's
    > switch port you can't manually set the speed / duplex of each
    > individual interface so be sure to set all devices to the lowest common
    > denominator.


    ***
    It was set to 10 half duplex because of my ISP restrictions, but it's now set
    to auto.
    This option didn't work before because then my internet connection dropped
    near dead, but nowadays it doesn't give that problem anymore so I (can) use
    the auto option now.

    Configuration-Interfaces-Inside-security level:100-Hardware:
    ethernet1-Speed&Duplex: 100FULL-MTU:1500

    Configuration-Interfaces-Outside-security level:0-Hardware:
    ethernet0-Speed&Duplex: auto-MTU:1500
    ***

    >
    > If you see increasing CRC errors on the PIX's ethernet 1 interface
    > (show interface ethernet1) then there probably is a speed duplex
    > mismatch.


    ***
    Not sure what you mean
    ***

    Tim, Sep 8, 2006
    #5
  6. Tim Zoetebier

    James Guest

    > ***
    > It was set to 10 half duplex because of my ISP restrictions, but it's now set
    > to auto.
    > This option didn't work before because then my internet connection dropped
    > near dead, but nowadays it doesn't give that problem anymore so I (can) use
    > the auto option now.


    Auto is bad, bad, bad.....

    If possible always manually set the speed and duplex, this is the point
    I was trying to make. However, I think your problem may be with the
    inside interface so we can ignore the outside interface.

    >
    > Configuration-Interfaces-Inside-security level:100-Hardware:
    > ethernet1-Speed&Duplex: 100FULL-MTU:1500
    >
    > Configuration-Interfaces-Outside-security level:0-Hardware:
    > ethernet0-Speed&Duplex: auto-MTU:1500
    > ***
    >
    > >
    > > If you see increasing CRC errors on the PIX's ethernet 1 interface
    > > (show interface ethernet1) then there probably is a speed duplex
    > > mismatch.

    >
    > ***
    > Not sure what you mean
    > ***


    Run the command - show interface ethernet1:-

    interface ethernet1 "inside" is up, line protocol is up
    Hardware is i82559 ethernet, address is 0016.c835.d8e9
    IP address 192.168.1.1, subnet mask 255.255.255.0
    MTU 1500 bytes, BW 100000 Kbit full duplex
    4652226 packets input, 953253916 bytes, 0 no buffer
    Received 4877 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    5766066 packets output, 663874418 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/27)
    output queue (curr/max blocks): hardware (1/82) software (0/1)

    Do you see any Input, CRC or Frame errors?

    What speed and duplex are the PC and the Show Centre machine set to?
    Make sure they are all set to 100 Full Duplex and not Auto Negotiate.

    James
    James, Sep 11, 2006
    #6
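James's check above (run show interface ethernet1 twice and see whether the input, CRC or frame error counters are climbing) is easy to automate when the output is pasted or pulled from the device. The script below is an added example written for this thread; it is not code from the posters or from Cisco. It parses two constructed snapshots in the PIX 6.x show interface format James pasted (the counters and MAC address in the samples are made up), extracts the negotiated speed/duplex and the error counters, and reports which counters moved between the two samples. The function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: two "show interface ethernet1" snapshots taken some time
# apart. The MAC and counters are invented; the second snapshot shows the
# input/CRC/frame counters rising, which James flags as a duplex-mismatch sign.
SNAPSHOT_1 = """\
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0000.0000.0001
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        4652226 packets input, 953253916 bytes, 0 no buffer
        Received 4877 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        5766066 packets output, 663874418 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
"""

SNAPSHOT_2 = SNAPSHOT_1.replace(
    "0 input errors, 0 CRC, 0 frame", "49 input errors, 37 CRC, 12 frame"
).replace("4652226 packets input", "4701002 packets input")


@dataclass
class InterfaceStats:
    name: str
    status: str          # "<admin>/<line protocol>", e.g. "up/up"
    bw_kbit: int
    duplex: str          # "full" or "half"
    input_errors: int
    crc: int
    frame: int
    collisions: int
    late_collisions: int

    @property
    def speed_mbps(self) -> int:
        return self.bw_kbit // 1000


def parse_show_interface(text: str) -> InterfaceStats:
    """Pull link state, speed/duplex and error counters out of PIX 6.x
    'show interface' output (the layout shown in James's post)."""
    def grab(pattern: str) -> re.Match:
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found in output: {pattern}")
        return m

    head = grab(r'interface (\S+) "[^"]*" is (\w+), line protocol is (\w+)')
    link = grab(r"BW (\d+) Kbit (full|half) duplex")
    errs = grab(r"(\d+) input errors, (\d+) CRC, (\d+) frame")
    coll = grab(r"(\d+) collisions,")          # plain collisions (output line)
    late = grab(r"(\d+) late collisions")
    return InterfaceStats(
        name=head.group(1),
        status=f"{head.group(2)}/{head.group(3)}",
        bw_kbit=int(link.group(1)),
        duplex=link.group(2),
        input_errors=int(errs.group(1)),
        crc=int(errs.group(2)),
        frame=int(errs.group(3)),
        collisions=int(coll.group(1)),
        late_collisions=int(late.group(1)),
    )


def diagnose(before: InterfaceStats, after: InterfaceStats) -> list[str]:
    """Compare two snapshots of the same interface and list what changed in a
    way that suggests a speed/duplex problem. Returns [] when nothing moved."""
    findings = []
    if after.status != "up/up":
        findings.append(f"{after.name} is {after.status}, not up/up")
    d_in = after.input_errors - before.input_errors
    d_crc = after.crc - before.crc
    d_frame = after.frame - before.frame
    if d_in > 0 or d_crc > 0 or d_frame > 0:
        findings.append(
            f"{after.name}: input errors rose by {d_in} (CRC +{d_crc}, "
            f"frame +{d_frame}) between samples; with the port forced to "
            f"{after.speed_mbps}/{after.duplex}, check that every attached "
            f"device is set to the same speed and duplex"
        )
    d_late = after.late_collisions - before.late_collisions
    if d_late > 0:
        findings.append(f"{after.name}: late collisions rose by {d_late}")
    if after.duplex == "half":
        findings.append(f"{after.name} is running half duplex")
    return findings


if __name__ == "__main__":
    first, second = parse_show_interface(SNAPSHOT_1), parse_show_interface(SNAPSHOT_2)
    print(f"{first.name}: {first.speed_mbps} Mbit {first.duplex} duplex, {first.status}")
    for line in diagnose(first, second) or ["no error counters moved between samples"]:
        print(" -", line)
```

A single snapshot with non-zero CRC counters only tells you that errors happened at some point since the counters were last cleared; the comparison between two samples is what shows the problem is still live, which is why the script asks for two.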
