PIX 501 problem seeing other computers on inside/subnet?

Discussion in 'Cisco' started by Jay, Nov 8, 2004.

  1. Jay

    Jay Guest

    Hi I am wondering if someone can help me with this project (and
    quickly if possible). I am not a cisco expert and inherited this
    beast from someone with no instructs... Basically there are two
    computers behind the pix and those two computers can not see each
    other nor any other computers that are in our host's data center
    (example exchange cannot resolve the IP of the
    nor can I ping ourhost.com) They seem to think it is something to do
    with the subnet at the PIX. The pix takes the .232 address and also
    gives .232 and .233 to the two computers. I can not ping .233 from
    .232 but can ping the internal (192.168.1.5) ok. Also I use
    192.168.1.5 as the DNS which only works about 75% of the time
    (related?) They share an active directory which of course I can't
    see but can log on to the windows domain (strange...) I cannot see
    shared directories from .233 on .232 but can see shared directories
    from .233 on .232... Again not sure if this is all related but the
    ipconfig shows them both on the 255.255.255.0 subnet.

    Here is the config from pix

    ---

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ******** encrypted
    passwd ******** encrypted
    hostname hostpix
    domain-name ********
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 81
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 192.168.1.7 comp2
    name 192.168.1.5 comp1
    access-list 101 permit tcp any host comp1 eq www
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any unreachable
    access-list 100 permit tcp any host xxx.xxx.xxx.232 eq www
    access-list 100 permit tcp any host xxx.xxx.xxx.232 eq smtp
    access-list 100 permit tcp any host xxx.xxx.xxx.232 eq ftp
    access-list 100 permit tcp any host xxx.xxx.xxx.232 eq pop2
    access-list 100 permit tcp any host xxx.xxx.xxx.232 eq pop3
    access-list 100 permit tcp any host xxx.xxx.xxx.233 eq www
    access-list 100 permit tcp any host xxx.xxx.xxx.233 eq 3389
    access-list 100 permit tcp any host xxx.xxx.xxx.232 eq 3389
    access-list 100 permit ip 192.168.1.0 255.255.255.0 xxx.xxx.xxx.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 100 permit tcp any host xxx.xxx.xxx.232 eq 2401
    access-list 100 permit tcp any host xxx.xxx.xxx.232 eq ssh
    access-list 100 permit tcp any host xxx.xxx.xxx.233 eq ftp
    access-list 100 permit tcp any host xxx.xxx.xxx.233 eq 1306
    access-list 100 permit tcp any host xxx.xxx.xxx.233 eq smtp
    access-list 100 permit tcp any host xxx.xxx.xxx.233 eq https
    access-list inside_outbound_nat0_acl permit ip host comp1 192.168.1.16 255.255.255.240
    access-list inside_outbound_nat0_acl permit ip host comp2 192.168.1.16 255.255.255.240
    pager lines 24
    logging on
    logging buffered informational
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.232 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn 192.168.1.20-192.168.1.25
    ip local pool vpnpool 10.10.10.1-10.10.10.254
    pdm location comp1 255.255.255.255 inside
    pdm location comp2 255.255.255.255 inside
    pdm location 192.168.1.16 255.255.255.240 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.233 comp2 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.232 comp1 netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh xxx.xxx.xxx.232 255.255.255.255 outside
    ssh yyy.yyy.yyy.0 255.255.255.0 outside
    ssh xxx.xxx.xxx.232 255.255.255.255 inside
    ssh yyy.yyy.yyy.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 client configuration address local vpn
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username ******** password *********
    vpdn enable outside
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username ***** password ***** encrypted privilege 15
    terminal width 80
    Cryptochecksum:93f022ec3170597a7c8c301e23e02e88
    : end
    [OK]
    hostpix#


    ---

    Any help would be MUCH appreciated!

    Thanks
     
    Jay, Nov 8, 2004
    #1

  2. In article <>,
    Jay <> wrote:
    :Hi I am wondering if someone can help me with this project (and
    :quickly if possible). I am not a cisco expert and inherited this
    :beast from someone with no instructs... Basically there are two
    :computers behind the pix and those two computers can not see each
    :other

    That part is a local problem. Make sure that both systems are on
    the same subnet internally, and that you have not somehow put in
    a static route on them that overrides the default route to 192.168.1.x
    through their interfaces.

    Note: if they were on different subnets [which doesn't appear to
    be the case from your configuration] then you would need an inside
    router: you cannot use the PIX as the gateway to route between different
    machines on different subnets feeding into the same PIX [logical]
    interface.

    :nor any other computers that are in our hosts data center

    :Here is the config from pix

    :PIX Version 6.3(1)

    That version should be upgraded, as it has bugs and security problems.
    You are entitled to a free upgrade to PIX 6.3(4) even if you do
    not have a support contract. For more information, search cisco.com
    for PIX security advisory 6.3(3). You won't find 6.3(4) explicitly
    mentioned but you will find 6.3(3)118 or some such number mentioned,
    and they'd rather give you 6.3(4) than that intermediate engineering
    build.



    :access-list 100 permit icmp any any echo-reply
    :access-list 100 permit icmp any any time-exceeded
    :access-list 100 permit icmp any any unreachable

    You aren't permitting icmp echo in this ACL that you are applying in
    your crypto map, so the lines above do not allow your internal 192.168
    hosts to ping anything at xxx.xxx.xxx/24

    :access-list 100 permit ip 192.168.1.0 255.255.255.0 xxx.xxx.xxx.0 255.255.255.0

    On the other hand, 'ip' includes icmp so that line would permit echo
    and everything else to the xxx.xxx.xxx/24 network. But xxx.xxx.xxx/24
    you have indicated as the outside network of your PIX, not as the
    public IP range of your host's network (unless those are the same),
    so the above line is permitting access to local
    devices that are sitting outside your PIX, such as your WAN router.

    :access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

    You didn't mention anything about 10.10.10.0? Is that the private IP
    space used within HQ, with xxx.xxx.xxx/24 being their public IP space?
    If it is the private IP space then because 'ip' includes 'icmp', echo
    would be allowed out and echo-reply would be allowed back.

    On the other hand, I see you have no 'crypto map', so you aren't doing
    IPSec to any HQ, so I'm more confused now about what 10.10.10/24 is for?

    :access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

    That line is not useful. That would be to permit internal 10.10.10/24
    packets to go over the VPN to HQ if HQ had 192.168.1/24 IPs.

    :access-list inside_outbound_nat0_acl permit ip host comp1 192.168.1.16 255.255.255.240
    :access-list inside_outbound_nat0_acl permit ip host comp2 192.168.1.16 255.255.255.240

    What does that ACL get used for? Get rid of it if you aren't using it.

    :ip address outside xxx.xxx.xxx.232 255.255.255.0
    :ip address inside 192.168.1.1 255.255.255.0

    :global (outside) 1 interface
    :nat (inside) 0 access-list 100
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    :static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 0 0

    I'm not sure why you have that line.

    :static (inside,outside) xxx.xxx.xxx.233 comp2 netmask 255.255.255.255 0 0
    :static (inside,outside) xxx.xxx.xxx.232 comp1 netmask 255.255.255.255 0 0

    :access-group 100 in interface outside

    Mistake!! You cannot use the same ACL for a nat 0 access-list and
    an access-group command! When it's access-group'd then the ACL will
    be internally modified by the PIX adaptive security to put in pinholes
    to allow traffic in or out according to valid connections made. If you
    have another use of that ACL, then that alternative functionality gets
    affected as well!
    --
    If a troll and a half can hook a reader and a half in a posting and a half,
    how many readers can six trolls hook in six postings?
     
    Walter Roberson, Nov 8, 2004
    #2
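As an added example (not code from the thread or from Cisco), a small Python check that applies Walter's last point mechanically: it reads a PIX 6.x running-config and reports any ACL that is named both in a `nat (...) 0 access-list` and in an `access-group`, ACLs that nothing references at all (his question about inside_outbound_nat0_acl), and two management-exposure settings that are visible in Jay's config but not discussed in the thread (SSH permitted from any source address, and the default SNMP community). The config it runs on is a constructed subset of the posted one; the check names are my own.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted in the thread (a subset, not the whole file).
SAMPLE_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host comp1 192.168.1.16 255.255.255.240
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""

# Lines that consume an ACL by name; 'split-tunnel' and 'match address' cover vpngroup/crypto-map uses.
ACL_REF = re.compile(r"\b(?:access-list|access-group|split-tunnel|match address) (\S+)")

def audit_pix_config(text):
    """Return a list of (check, detail) findings for a PIX 6.x running-config."""
    defined, referenced, nat0, applied = set(), set(), set(), set()
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"access-list (\S+) ", line)
        if m:                                   # an ACE: defines/extends an ACL
            defined.add(m.group(1))
            continue
        m = ACL_REF.search(line)
        if m:                                   # something uses the ACL by name
            referenced.add(m.group(1))
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", line)
        if m:                                   # ACL used as the nat 0 exemption list
            nat0.add(m.group(1))
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:                                   # ACL applied as an interface filter
            applied.add(m.group(1))
        m = re.match(r"ssh 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m:                                   # SSH management reachable from any source address
            findings.append(("ssh-from-any", m.group(1)))
        if re.match(r"snmp-server community (public|private)$", line):
            findings.append(("snmp-default-community", line))
    # Walter's point: one ACL cannot serve both as nat 0 exemption and as interface filter.
    for acl in sorted(nat0 & applied):
        findings.append(("acl-shared-nat0-and-access-group", acl))
    for acl in sorted(defined - referenced):  # defined but never used anywhere
        findings.append(("acl-unreferenced", acl))
    return findings
```

Run against the full posted config, it reports ACL 100 as shared, inside_outbound_nat0_acl as unused, and the `ssh 0.0.0.0 0.0.0.0 outside` line as management open to the whole outside.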
