PIX 501 Firewall - configuring

Discussion in 'Cisco' started by Jimmy, Oct 17, 2003.

  1. Jimmy

    Jimmy Guest

    I am trying to help out a friend with a small company with
    a PIX 501 firewall. I think it needs some (re)configuration.

    The basic problem is that the 501 seems to be stopping one
    particular system from getting to the 'net. This system used to
    work fine. All other systems still work. As a diagnostic, I
    swapped this non-working system's (fixed) IP address with a working
    system and it started working fine. So, it appears the 501 is
    blocking traffic to the 'net for this one address as part of the
    "security" configuration or perhaps there is an issue with the
    license server (they have a 10 client license but only have
    8 systems that actually need to get to the net... that does not
    mean that some of the other systems have not tried to get to the
    net and perhaps grabbed a license entry)

    I tried to access the 501 at the (fixed, locally setup) IP address
    that it is supposed to be using via a browser. No go, no
    response. I could ping it but it would not respond to a browser.
    I also could not telnet to it. I don't know if the telnet interface
    is on or off. I didn't power cycle the 501 since the business was
    using it while I was there. I'm not sure if that would do anything.

    Questions: (Windows 2K environment)

    1. Is there any way to verify the correct address (for access) to the
    501 via some network tool i.e. can I "see" it on the network and
    verify the address it is using ? (win2k)

    2. Are 501's known to hang the browser interface like this ?

    3. Is it possible that the license server is causing this problem ?
    Or does it work in some way that it could not cause this ?

    4. Is there a table of IP addresses that are allowed to access the
    'net configured into the 501 that could be the issue ?

    At this point, some general pointers on these questions would be
    welcome. I realize there is a console interface that I can hook up a
    laptop to. I'll probably try that if there is no other alternative.
    I am not a Cisco guy at all so I was hoping to use the browser
    interface to find out what was going on and correct it.

    Thanks,
     
    Jimmy, Oct 17, 2003
    #1

  2. Jimmy

    P Guest

    > 1. Is there any way to verify the correct address (for access) to the
    > 501 via some network tool i.e. can I "see" it on the network and
    > verify the address it is using ? (win2k)


    use a console cable plugged direct into the PIX

    > 2. Are 501's known to hang the browser interface like this ?
    >

    Browser management is most likely disabled.

    > 3. Is it possible that the license server is causing this problem ?
    > Or does it work in some way that it could not cause this ?
    >
    > 4. Is there a table of IP addresses that are allowed to access the
    > 'net configured into the 501 that could be the issue ?
    >

    yes

    > At this point, some general pointers on these questions would be
    > welcome. I realize there is a console interface that I can hook up a
    > laptop to. I'll probably try that if there is no other alternative.
    > I am not a Cisco guy at all so I was hoping to use the browser
    > interface to find out what was going on and correct it.


    I'm afraid that you may need to find a cisco guy to look at this for you..
     
    P, Oct 17, 2003
    #2

  3. Jimmy

    John Guest

    On Fri, 17 Oct 2003 01:47:59 +0000, Jimmy wrote:

    > I am trying to help out a friend with a small company with
    > a PIX 501 firewall. I think it needs some (re)configuration.
    >
    > The basic problem is that the 501 seems to be stopping one
    > particular system from getting to the 'net. This system used to
    > work fine. All other systems still work. As a diagnostic, I
    > swapped this non-working system's (fixed) IP address with a working
    > system and it started working fine. So, it appears the 501 is
    > blocking traffic to the 'net for this one address as part of the
    > "security" configuration or perhaps there is an issue with the
    > license server (they have a 10 client license but only have
    > 8 systems that actually need to get to the net... that does not
    > mean that some of the other systems have not tried to get to the
    > net and perhaps grabbed a license entry)
    >
    > I tried to access the 501 at the (fixed, locally setup) IP address
    > that it is supposed to be using via a browser. No go, no
    > response. I could ping it but it would not respond to a browser.
    > I also could not telnet to it. I don't know if the telnet interface
    > is on or off. I didn't power cycle the 501 since the business was
    > using it while I was there. I'm not sure if that would do anything.
    >
    > Questions: (Windows 2K environment)
    >
    > 1. Is there any way to verify the correct address (for access) to the
    > 501 via some network tool i.e. can I "see" it on the network and
    > verify the address it is using ? (win2k)
    >

    Well, the easiest way is probably to look at the gateway address
    configured on a machine that works. Normal config for a business that
    small would be to point the gateways at the PIX and then connect the PIX
    to a router. I don't know your internal network schema but the default
    inside interface address for the PIX is 192.168.1.1

    > 2. Are 501's known to hang the browser interface like this ?
    >


    No, but the PIX Display Manager can be rather picky about the java used
    by your browser. You are using https://pix-address aren't you? Most people
    seem to disable the web server on their Cisco routers and firewalls.

    > 3. Is it possible that the license server is causing this problem ?
    > Or does it work in some way that it could not cause this ?
    >

    It is possible that you are out of licensed connections but not the most
    likely issue.

    > 4. Is there a table of IP addresses that are allowed to access the
    > 'net configured into the 501 that could be the issue ?
    >

    There certainly could be an access-list configured to only allow certain
    addresses net access. Not the default setup but whoever installed it could
    have created one.

    > At this point, some general pointers on these questions would be
    > welcome. I realize there is a console interface that I can hook up a
    > laptop to. I'll probably try that if there is no other alternative.
    > I am not a Cisco guy at all so I was hoping to use the browser
    > interface to find out what was going on and correct it.
    >
    > Thanks,


    With any Cisco device your first line of approach should be to connect
    to the console port and take a look at how it is configured. You should
    definitely look at the extensive documentation on www.cisco.com before
    doing anything drastic like resetting or power-cycling.

    --
    ___________
    John Holmes
     
    John, Oct 17, 2003
    #3
  4. Jimmy

    John Guest

    O
    >
    >> 2. Are 501's known to hang the browser interface like this ?
    >>

    >
    > No, but the PIX Display Manager can be rather picky about the java used
    > by your browser. You are using https://pix-address aren't you? Most people
    > seem to disable the web server on their Cisco routers and firewalls.
    >


    PIX Device Manager I meant to type :)

    --
    ___________
    John Holmes
     
    John, Oct 17, 2003
    #4
  5. Jimmy

    Jimmy Guest

    On Fri, 17 Oct 2003 12:31:01 +0800, "P" <> wrote:


    >use a console cable plugged direct into the PIX

    OK

    >Browser management is most likely disabled.

    Makes sense.

    >> 4. Is there a table of IP addresses that are allowed to access the
    >> 'net configured into the 501 that could be the issue ?
    >>

    >yes

    I'll look at that then.

    >I'm afraid that you may need to find a cisco guy to look at this for you..


    Yeah, I know. I was hoping that I could get the browser interface
    enabled and correct it there where I might have a clue.
     
    Jimmy, Oct 17, 2003
    #5
  6. Jimmy

    Jimmy Guest

    On Fri, 17 Oct 2003 06:18:25 GMT, "John" <>
    wrote:


    > It is possible that you are out of licensed connections but not the most
    >likely issue.


    Do the licenses release after a period when DHCP is *not* in use ?
    Or can/do they get locked down to a specific IP and perhaps never
    released ?

    > There certainly could be an access-list configured to only allow certain
    >addresses net access. Not the default setup but whoever installed it could
    >have created one.


    I figured. I'll have to see if it shows up somewhere that I can
    actually read it.

    > With any Cisco device your first line of approach should be to connect
    >to the console port and take a look at how it is configured. You should
    >definitely look at the extensive documentation on www.cisco.com before
    >doing anything drastic like resetting or power-cycling.


    Will do.

    Thanks,
     
    Jimmy, Oct 17, 2003
    #6
  7. In article <>,
    Jimmy <> wrote:
    :The basic problem is that the 501 seems to be stopping one
    :particular system from getting to the 'net. This system used to
    :work fine. All other systems still work. As a diagnostic, I
    :swapped this non-working system's (fixed) IP address with a working
    :system and it started working fine. So, it appears the 501 is
    :blocking traffic to the 'net for this one address as part of the
    :"security" configuration or perhaps there is an issue with the
    :license server (they have a 10 client license but only have
    :8 systems that actually need to get to the net... that does not
    :mean that some of the other systems have not tried to get to the
    :net and perhaps grabbed a license entry)

    The license count is mostly really a count of the number of active
    translations. When hosts are only allowed to go out, that
    corresponds to the number of active hosts. "Active" in the
    sense that translations do expire (depending on the configured
    timeouts). The license count isn't -exactly- the same as translations,
    but the licenses time out shortly after the translations do; one
    minute as I recall. Provided, that is, that you aren't running an
    early software release: those failed to time out the licenses
    at all :(

    The situation becomes more complicated if outside hosts are allowed
    to form connections to the inside. If an IP address is being routed
    to the PIX, and the PIX has that address as the target of a
    'static' or 'nat 0 access-list', then the PIX will consider that
    a valid translation exists for that IP, and it will try to
    activate that translation *before* it checks the outside ACL.
    [Or at least this was true up to 6.3(1); 6.3(3) might handle this
    differently.] This means that if you have a 'static' that covers
    IP addresses that you don't actually allow access to, then the
    license count will be incremented when someone -tries- to access
    that address, even though they aren't allowed through. If you
    are being scanned by any of the worms or manually by someone, then
    it is possible that the translation won't time out until after
    the scanning stops, possibly days later.


    :I tried to access the 501 at the (fixed, locally setup) IP address
    :that it is supposed to be using via a browser. No go, no
    :response. I could ping it but it would not respond to a browser.

    https is required for the device manager.


    :1. Is there any way to verify the correct address (for access) to the
    :501 via some network tool i.e. can I "see" it on the network and
    :verify the address it is using ? (win2k)

    The PIX will only respond to ping on its interface address.
    Responding to ping might be turned off, but if you can ping it then
    you know you have the right address.

    PIX doesn't go around broadcasting its presence, though.

    Also, the address should be the same as what the other devices
    are using as their gateway address, unless they are sending to
    a local router, in which case the local router should have the
    proper address of the PIX.

    :2. Are 501's known to hang the browser interface like this ?

    Not particularly, but it is not unusual to configure a PIX to
    not respond to http or https.


    :3. Is it possible that the license server is causing this problem ?
    :Or does it work in some way that it could not cause this ?

    Possible, yes. Or it could be an access-list issue. If it were
    a license count issue then it should start working when the other
    machines are idle.


    :4. Is there a table of IP addresses that are allowed to access the
    :'net configured into the 501 that could be the issue ?

    Not inherently, but an access-list might have been configured into
    the 501.
    --
    Reviewers should be required to produce a certain number of
    negative reviews - like police given quotas for handing out
    speeding tickets. -- The Audio Anarchist
     
    Walter Roberson, Oct 17, 2003
    #7
  8. Jimmy

    Jimmy Guest

    On 17 Oct 2003 19:14:35 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    > When hosts are only allowed to go out, that
    >corresponds to the number of active hosts. "Active" in the
    >sense that translations do expire <> one minute as I recall.


    OK, then it's probably not that.

    >Provided, that is, that you aren't running an
    >early software release: those failed to time out the licenses
    >at all :(


    How early ? These folks never, ever upgrade anything. It's probably
    got the original firmware. I'll have to go dig for a date.

    >The situation becomes more complicated if outside hosts are allowed
    >to form connections to the inside.


    Not allowed. It's outbound only unless it's set up wrong.

    >license count will be incremented when someone -tries- to access
    >that address, even though they aren't allowed through.


    Could that happen from inside too ? Could someone chew up a license
    slot even if they were concurrently denied access because their IP is
    not allowed out ?

    >Also, the address should be the same as what the other devices
    >are using as their gateway address, unless they are sending to
    >a local router, in which case the local router should have the
    >proper address of the PIX.

    <>
    >Not particularly, but it is not unusual to configure a PIX to
    >not respond to http or https.


    Yep, there's a 2600 in between that splits traffic to a third party
    private network or to the Internet. The 501 is on the Internet
    side. However, the guy who runs the 2600 (remotely) gave me the
    (alleged) address. It would not respond on that address but it did
    return a ping. I have to assume then that the http interface is
    shut off.

    >Possible, yes. Or it could be an access-list issue. If it were
    >a license count issue then it should start working when the other
    >machines are idle.


    No go on the timeout, so I'm leaning towards an access list.

    >Not inherently, but an access-list might have been configured into
    >the 501.


    Will that show up if I do a "show configuration" via the console ?
     
    Jimmy, Oct 17, 2003
    #8
  9. Jimmy

    John Guest

    On Fri, 17 Oct 2003 19:52:30 +0000, Jimmy wrote:

    > On 17 Oct 2003 19:14:35 GMT, -cnrc.gc.ca (Walter
    > Roberson) wrote:
    >
    >> When hosts are only allowed to go out, that
    >>corresponds to the number of active hosts. "Active" in the
    >>sense that translations do expire <> one minute as I recall.

    >
    > OK, then it's probably not that.
    >


    Just to clarify, the default timeout for an xlate (address translation)
    is 3 hours. 1 minute is the minimum that can be configured. To view the
    licenses/connections used try using "show local-host" command. You can
    clear them with "clear local-host".

    --
    ___________
    John Holmes
     
    John, Oct 18, 2003
    #9
  10. In article <>,
    John <> wrote:
    :On Fri, 17 Oct 2003 19:52:30 +0000, Jimmy wrote:

    :> On 17 Oct 2003 19:14:35 GMT, -cnrc.gc.ca (Walter
    :> Roberson) wrote:

    :>> When hosts are only allowed to go out, that
    :>>corresponds to the number of active hosts. "Active" in the
    :>>sense that translations do expire <> one minute as I recall.

    : Just to clarify, the default timeout for an xlate (address translation)
    :is 3 hours. 1 minute is the minimum that can be configured. To view the
    :licenses/connections used try using "show local-host" command. You can
    :clear them with "clear local-host".

    To clarify the clarification: what I wrote was:

    >"Active" in the
    >sense that translations do expire (depending on the configured
    >timeouts). The license count isn't -exactly- the same as translations,
    >but the licenses time out shortly after the translations do; one
    >minute as I recall.


    That is, there is a delay between the time the last translation
    involving a host times out, and the time the container for the
    host times out. That particular delay [last xlate until container delete]
    is not configurable, and appears to be in the range of one minute
    no matter how quickly the translations themselves are set to time out.
    --
    Inevitably, someone will flame me about this .signature.
     
    Walter Roberson, Oct 18, 2003
    #10
  11. In article <>,
    Jimmy <> wrote:
    :On 17 Oct 2003 19:14:35 GMT, -cnrc.gc.ca (Walter
    :Roberson) wrote:
    :>Provided, that is, that you aren't running an
    :>early software release: those failed to time out the licenses
    :>at all :(

    :How early ? These folks never, ever upgrade anything. It's probably
    :got the original firmware. I'll have to go dig for a date.

    6.1(1), fixed in 6.1(4) or so.

    Also, there's a bare possibility (but unlikely) that they are hitting
    CSCdw81126 "PIX sourced UDP traffic to non-existing ip may use many blocks"
    and running out of memory.

    I've lost track of who was asking exactly which question; there have
    been a couple similar ones in the last few days. One of the older bugs
    (6.2(1) timeframe) was CSCdt47829 "PIX won't learn MAC addresses in
    range 0008.xxxx.xxxx". That could account for a particular machine not
    working while all the others do. If I remember correctly, in your
    situation it started to work when you traded IP addresses, so that
    wouldn't have been it for you.
    --
    Will you ask your master if he wants to join my court at Camelot?!
     
    Walter Roberson, Oct 19, 2003
    #11
  12. In article <>,
    Jimmy <> wrote:
    :On 17 Oct 2003 19:14:35 GMT, -cnrc.gc.ca (Walter
    :Roberson) wrote:

    :>Not inherently, but an access-list might have been configured into
    :>the 501.

    :Will that show up if I do a "show configuration" via the console ?

    If you show access-group and there is something marked
    against the inside interfaces, then that access-list controls what can
    go out.
    --
    Caution: A subset of the statements in this message may be
    tautologically true.
     
    Walter Roberson, Oct 20, 2003
    #12
  13. Jimmy

    Jimmy Guest

    Thanks for all the pointers.

    I plan to get up there with a laptop so that I can get into the cli
    asap. I have some basic instructions on the cli but I might need
    a couple of more pointers to commands. (I do plan to RTFM before
    I go but a pointer always helps).

    What command will enable the web browser interface ?

    Will the web browser interface be automatically restricted to systems
    that are on the private side - or can the browser interface be
    accessed from the public side as well once I enable it ?

    What command will show me a list (or if there is one) of IP addresses
    that are allowed to route to the public internet ?

    What command would add a particular fixed IP to that table of
    addresses that are allowed to go through to the public side ?

    I can understand that the answer to one or more of these
    questions might be beyond the scope of what you can tell me here
    without writing a cisco course. If so, please give me what you can
    to point me in a direction. If I can at least _identify_ the problem,
    I can help them bring in the correct person to fix it (Right now they
    are getting the vendor "point a finger" run around).

    Thanks,
     
    Jimmy, Oct 20, 2003
    #13
  14. In article <>,
    Jimmy <> wrote:
    :What command will enable the web browser interface ?

    Log on to the PIX. 'enable'. Once enabled, enter configuration
    mode via 'configure terminal'. Once in configuration mode,
    give the command 'setup' and follow the prompts.


    :What command will show me a list (or if there is one) of IP addresses
    :that are allowed to route to the public internet ?

    There isn't one. You have to deduce it by looking at the other
    outputs.


    :What command would add a particular fixed IP to that table of
    :addresses that are allowed to go through to the public side ?

    There is no table of IP addresses allowed to connect.


    :I can understand that the answer to one or more of these
    :questions might be beyond the scope of what you can tell me here
    :without writing a cisco course. If so, please give me what you can
    :to point me in a direction.

    show access-group

    Look for the one marked as being against 'inside'. The name given
    there will be that of an access-list. Use show access-list followed
    by the name of that list.

    PIX access-lists are very very similar to IOS access-lists, except
    that the bitmasks are reversed. For example:

    access-list in2out permit tcp host 192.168.1.3 168.24.39.0 255.255.255.0 eq smtp

    to permit the one IP 192.168.1.3 to SMTP to 168.24.39.* .
    The equivalent IOS access list would use 0.0.0.255 instead of 255.255.255.0


    Only the connections which are 'permit' are allowed. The list is
    evaluated from top to bottom, and stops as soon as a line matches.
    If you get to the bottom of the list and nothing matched, then
    the traffic is denied.


    For this kind of situation, you should also show nat
    and look for statements that start with nat (inside)
    Any inside IP address which is not matched by a nat (inside)
    statement will not be allowed out [unless that address matches
    a static (inside,outside) statement.]

    It is fairly common for people to use

    nat (inside) 1 0 0

    meaning that -all- internal IP addresses are allowed out (the 0 0
    being short for 0.0.0.0 0.0.0.0 which is the match of all addresses.)
    There is a possibility, though, that someone might have been more
    specific, such as

    nat (inside) 1 192.168.1.3 255.255.255.255
    nat (inside) 1 192.168.1.17 255.255.255.255

    which would only allow out 192.168.1.3 and 192.168.1.17
    unless there were other nat or static statements. Usually
    people either nat everything (0 0) or allow the entire internal
    network nat (inside) 1 192.168.1.0 255.255.255.0
    but it is -possible- to be more specific, so if the restriction
    isn't obvious from the access-group access-list then look at the
    nat's.
    --
    Tenser, said the Tensor.
    Tenser, said the Tensor.
    Tension, apprehension,
    And dissension have begun. -- Alfred Bester (tDM)
     
    Walter Roberson, Oct 20, 2003
    #14
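Added example (not from the thread and not Cisco's code): a small Python script that applies the rules Walter lays out in #14 to a constructed PIX 6.x config fragment, so you can answer "why can't host X get out?" before you touch the box. It reads the access-list bound to 'inside' top-down, first match wins, implicit deny at the end; then it checks whether a nat (inside) or static (inside,outside) line covers the source, since a host the ACL permits still goes nowhere without a translation. It also prints the IOS wildcard for a PIX mask, and deduces the "table of allowed hosts" the thread says does not exist by evaluating every host of the inside network. Assumptions: only the syntax shown in the thread (any / host A.B.C.D / A.B.C.D MASK, eq and range ports); 'nat 0 access-list' and port statics are skipped; the config text, the service-name table and the addresses 203.0.113.7 / 198.51.100.20 are made up for the example.

```python
"""Added example: evaluate 'can inside host X get out?' against a PIX 6.x
config fragment using the rules from the post above.  Only the syntax shown
in the thread is modelled (host/any/net+mask, eq/range ports); 'nat 0
access-list' and port statics are skipped.  Not Cisco's code."""
import ipaddress

# Constructed config for illustration only (not from the original thread).
SAMPLE_CONFIG = """\
nat (inside) 1 192.168.1.0 255.255.255.128
static (inside,outside) 203.0.113.7 192.168.1.200 netmask 255.255.255.255
access-list in2out deny ip host 192.168.1.50 any
access-list in2out permit tcp host 192.168.1.3 168.24.39.0 255.255.255.0 eq smtp
access-list in2out permit ip 192.168.1.0 255.255.255.0 any
access-group in2out in interface inside
"""

SERVICES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "domain": 53}  # assumed subset


def pix_mask_to_ios_wildcard(mask):
    """PIX ACLs carry a real netmask; the IOS equivalent is the inverted wildcard."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{mask}").hostmask)


def _addr_spec(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(f"{t[i + 1]}/32"), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    cfg = {"acls": {}, "groups": {}, "nat": {}, "static": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":   # access-list NAME ACTION PROTO SRC DST [eq P | range A B]
            src, i = _addr_spec(t, 4)
            dst, i = _addr_spec(t, i)
            ports = None
            if i < len(t) and t[i] == "eq":
                p = SERVICES.get(t[i + 1]) or int(t[i + 1])
                ports = (p, p)
            elif i < len(t) and t[i] == "range":
                ports = (int(t[i + 1]), int(t[i + 2]))
            cfg["acls"].setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst, "ports": ports, "text": line})
        elif t[0] == "access-group":   # access-group NAME in interface IFACE
            cfg["groups"][t[4]] = t[1]
        elif t[0] == "nat" and t[3] != "access-list":   # nat (IFACE) ID NET MASK ('0 0' = everything)
            net, mask = [("0.0.0.0" if x == "0" else x) for x in t[3:5]]
            cfg["nat"].setdefault(t[1].strip("()"), []).append(
                ipaddress.IPv4Network(f"{net}/{mask}", strict=False))
        elif t[0] == "static":   # static (inside,outside) GLOBAL LOCAL [netmask MASK]
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            cfg["static"].append(ipaddress.IPv4Network(f"{t[3]}/{mask}", strict=False))
    return cfg


def acl_verdict(cfg, iface, src, dst, proto, dport=None):
    """Walk the list bound to iface top-down; first match wins; no match is a deny."""
    name = cfg["groups"].get(iface)
    if name is None:
        return "permit", f"no access-group on {iface}: outbound not filtered"
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(cfg["acls"].get(name, []), 1):
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["ports"] and not (dport is not None and ace["ports"][0] <= dport <= ace["ports"][1]):
            continue
        return ace["action"], f"{name} line {n}: {ace['text']}"
    return "deny", f"{name}: implicit deny at end of list"


def nat_covers(cfg, iface, src):
    """A permitted host still needs a nat (iface) or static line that covers it."""
    a = ipaddress.IPv4Address(src)
    return any(a in n for n in cfg["nat"].get(iface, []) + cfg["static"])


def can_go_out(cfg, src, dst, proto="tcp", dport=None, iface="inside"):
    """Both gates must pass; returns (allowed, reason)."""
    action, why = acl_verdict(cfg, iface, src, dst, proto, dport)
    if action != "permit":
        return False, why
    if not nat_covers(cfg, iface, src):
        return False, f"no nat ({iface}) or static covers {src}"
    return True, why


def hosts_allowed_out(cfg, inside_net, dst="198.51.100.20", proto="tcp", dport=80):
    """The 'table of allowed IPs' the thread says does not exist, deduced host by host."""
    return [str(h) for h in ipaddress.IPv4Network(inside_net).hosts()
            if can_go_out(cfg, str(h), dst, proto, dport)[0]]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for host in ("192.168.1.3", "192.168.1.50", "192.168.1.130", "192.168.1.200", "10.0.0.5"):
        print(host, can_go_out(cfg, host, "168.24.39.10", "tcp", 25))
    print("IOS wildcard for 255.255.255.0:", pix_mask_to_ios_wildcard("255.255.255.0"))
    print("hosts in 192.168.1.0/24 that reach port 80:", len(hosts_allowed_out(cfg, "192.168.1.0/24")))
```

Paste the relevant lines of 'show access-group', 'show access-list', 'show nat' and 'show static' into SAMPLE_CONFIG and run it with the stuck host's address; the reason string tells you which line denied it, or that the host simply has no translation, which is the case the sample's 192.168.1.130 hits even though the ACL permits it.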
  15. Jimmy

    Jimmy Guest

    On 20 Oct 2003 05:15:37 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    <snip detailed answer>

    Thank you Walter. I will poke it tomorrow morning and see what
    I can find. (That might be a "stand by for more ignorant
    questions" warning :)
     
    Jimmy, Oct 21, 2003
    #15
