PIX issue after replacing new public IP addresses

Discussion in 'Cisco' started by jesk, Mar 14, 2005.

  1. jesk

    jesk Guest

    We use Windows 2000 Server IAS as the RADIUS server in a PIX setup to authenticate
    outbound HTTP access. After changing to the new public addresses in
    the following PIX configuration, we no longer get the "HTTP authentication"
    windows to access the Internet. Attached below is the configuration
    information. Please advise if I missed something.

    Assuming these are the new public IP addresses:
    ip: 1.2.3.4 ~ 8
    gateway: 1.2.3.1
    dns: 106.10.24.10, 206.13.29.12

    I changed the following three lines to reflect the new ip addresses:
    ip address outside ...
    global (outside) ...
    route outside ...

    PIX configuration -

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    names
    access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
    access-list 110 deny tcp host 192.168.10.199 any eq smtp
    access-list 110 permit ip host 192.168.10.199 any
    access-list 110 deny udp host 192.168.10.11 any eq domain
    access-list 110 permit ip host 192.168.10.11 any
    access-list 110 deny udp host 192.168.10.12 any eq domain
    access-list 110 permit ip host 192.168.10.12 any
    access-list 110 permit ip host 192.168.10.13 any
    access-list 110 permit ip host 192.168.10.27 any
    access-list 110 permit ip host 192.168.10.16 any
    access-list 110 permit ip host 192.168.10.17 any
    access-list 110 permit ip host 192.168.10.200 any
    access-list 110 permit ip host 192.168.10.201 any
    access-list 110 deny udp any host 106.10.24.10 eq domain
    access-list 110 deny udp any host 206.13.29.12 eq domain
    access-list 111 permit tcp any any eq www
    access-list 111 permit tcp any any eq https
    access-list 111 permit udp any host 106.10.24.10 eq domain
    access-list 111 permit udp any host 206.13.29.12 eq domain
    access-list 112 permit tcp any any eq www
    access-list 112 permit tcp any any eq https
    access-list 112 permit udp any any eq 554
    access-list 112 permit tcp any any eq 7070
    access-list 112 permit tcp any any eq 8080
    access-list 112 permit udp any any eq 1755
    access-list 112 permit tcp any any eq 1755
    access-list 112 permit tcp any any eq ssh
    access-list 112 permit udp any any eq pcanywhere-status
    access-list 112 permit tcp any any eq pcanywhere-data
    access-list 112 permit udp any any eq 1720
    access-list 112 permit tcp any any eq 554
    access-list 112 permit udp any host 106.10.24.10 eq domain
    access-list 112 permit udp any host 206.13.29.12 eq domain
    access-list 113 permit ip any any
    pager lines 24
    logging on
    logging timestamp
    logging monitor informational
    logging buffered informational
    mtu outside 1500
    mtu inside 1500
    ip address outside 1.2.3.4 255.255.255.248
    ip address inside 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.11.1-192.168.11.254
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    arp timeout 14400
    global (outside) 1 1.2.3.5
    nat (inside) 0 access-list 101
    nat (inside) 1 192.168.10.11 255.255.255.255 0 0
    nat (inside) 1 192.168.10.12 255.255.255.255 0 0
    nat (inside) 1 192.168.10.13 255.255.255.255 0 0
    nat (inside) 1 192.168.10.14 255.255.255.255 0 0
    nat (inside) 1 192.168.10.17 255.255.255.255 0 0
    nat (inside) 1 192.168.10.27 255.255.255.255 0 0
    nat (inside) 1 192.168.10.199 255.255.255.255 0 0
    nat (inside) 1 192.168.10.200 255.255.255.255 0 0
    nat (inside) 1 192.168.10.201 255.255.255.255 0 0
    route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
    timeout xlate 12:00:01
    timeout conn 12:00:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 12:00:00 absolute uauth 4:00:00 inactivity
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server AuthOutbound protocol radius
    aaa-server AuthOutbound (inside) host 192.168.10.12 xyzAuth timeout 3
    aaa-server AuthOutbound (inside) host 192.168.10.11 xyzAuth timeout 3
    aaa authentication match 110 inside AuthOutbound
    http server enable
    http 192.168.10.200 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    virtual http 192.168.100.1
    floodguard enable
    sysopt connection permit-ipsec
    service resetinbound
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    console timeout 0
    terminal width 80
    : end
    jesk, Mar 14, 2005
    #1
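    As an added example (not from the thread, and not a Cisco tool), a small Python checker that parses the three renumbered lines (ip address outside, global (outside), route outside) together with the aaa-server hosts, confirms they agree with each other, and flags any line still carrying an address from the old public range. The old range 203.0.113.0/29 and the extra static line in the sample are constructed for the demonstration; everything else is taken from the posted config.

```python
# Added example, not from the thread: cross-check the lines a PIX 6.3
# renumbering touches and flag leftovers from the old public range.
import ipaddress
import re

# Constructed excerpt of the poster's config. The 'static' line is made up
# here to show what a missed reference to the old public range looks like.
SAMPLE_CONFIG = """\
ip address outside 1.2.3.4 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
global (outside) 1 1.2.3.5
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
aaa-server AuthOutbound (inside) host 192.168.10.12 xyzAuth timeout 3
static (inside,outside) 203.0.113.6 192.168.10.200 netmask 255.255.255.255 0 0
"""
OLD_PUBLIC_RANGE = ipaddress.ip_network("203.0.113.0/29")  # assumed old range

def parse_pix(text):
    """Collect the address-bearing lines a renumbering must keep consistent."""
    cfg = {"interfaces": {}, "globals": [], "routes": [], "aaa_hosts": []}
    for line in text.splitlines():
        if m := re.match(r"ip address (\S+) (\S+) (\S+)", line):
            cfg["interfaces"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"global \((\S+)\) \d+ (\S+)", line):
            cfg["globals"].append((m[1], ipaddress.ip_address(m[2])))
        elif m := re.match(r"route (\S+) \S+ \S+ (\S+)", line):
            cfg["routes"].append((m[1], ipaddress.ip_address(m[2])))
        elif m := re.match(r"aaa-server \S+ \((\S+)\) host (\S+)", line):
            cfg["aaa_hosts"].append((m[1], ipaddress.ip_address(m[2])))
    return cfg

def check_renumbering(text, old_range):
    """Return a list of findings; empty means the touched lines agree."""
    cfg, findings = parse_pix(text), []
    # The PAT address and the default gateway must both lie in the subnet
    # configured on the outside interface, or no xlate can ever be built.
    for ifname, addr in cfg["globals"] + cfg["routes"]:
        iface = cfg["interfaces"].get(ifname)
        if iface is None:
            findings.append(f"no 'ip address {ifname}' line")
        elif addr not in iface.network:
            findings.append(f"{addr} not in {ifname} subnet {iface.network}")
    # aaa-server hosts are bound to an interface and must sit on its subnet.
    for ifname, host in cfg["aaa_hosts"]:
        iface = cfg["interfaces"].get(ifname)
        if iface is not None and host not in iface.network:
            findings.append(f"aaa-server host {host} not on {ifname}")
    # Any line still naming the old range was missed during the renumbering.
    for line in text.splitlines():
        for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", line):
            if ipaddress.ip_address(ip) in old_range:
                findings.append(f"stale address {ip}: {line}")
                break
    return findings
```

    Calling check_renumbering(SAMPLE_CONFIG, OLD_PUBLIC_RANGE) reports only the constructed static line; the global, route and aaa-server entries pass, which narrows the search to state such as the stale xlates discussed below.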

  2. jesk

    mcaissie Guest

    Probably not the cause of your problem but did you do a

    clear xlate

    after changing the IPs , to delete the existing and no more valid PAT
    entries.


    "jesk" <> wrote in message
    news:...
    > We use windows 2000 server IAS as RADIUS in PIX setup to authenticate
    > outbound HTTP access. After changing to the new public addresses in
    > the following PIX configuration, we no longer get "HTTP authentication"
    > windows to access the Internet. Attached below is the configuration
    > information. Please advise if I missed something.
    mcaissie, Mar 14, 2005
    #2

  3. jesk

    jesk Guest

    Thanks for the prompt reply. I did not do clear xlate and I'll try
    that. -jesk

    mcaissie wrote:
    > Probably not the cause of your problem but did you do a
    >
    > clear xlate
    >
    > after changing the IPs , to delete the existing and no more valid PAT
    > entries.
    jesk, Mar 14, 2005
    #3
