Strange PIX static and holes for ports issue...

Discussion in 'Cisco' started by dmgeller@gmail.com, Jan 16, 2006.

  1. Guest

    Greetings,

    I am installing a PIX 515e in a datacenter (in D.C.) and for some
    reason it is just not behaving. I have another 515e in the home office
    (in L.A) and it works like a charm. The configs are pretty much the
    same minus the IPs and the one in DC needs more ports open.

    So the strangeness is that none of the static mapped ports are passing
    traffic from "out to in" or from "in to out". However, the DHCP
    assigned computers are surfing around just fine. Additionally, the
    servers that are statically mapped with open ports cannot pass traffic
    through the PIX. They can get to it but not through it!

    I have been comparing line by line a few of my working config files but
    just cannot come up with what may be going on. If any one of you can
    shed some light, it would be very much appreciated, and drinks are on me
    in SF, LA, or DC!!!

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 vpn security10
    enable password xxxxxxxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxxxxxxxxx encrypted
    hostname VIRPIX01
    domain-name politicalsystems.local
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.10.0 LA_internal
    name 192.168.11.0 WLA_internal
    name 192.168.12.0 VIR_Internal
    name 192.168.13.0 DC_Internal
    name 192.168.222.0 VIR_VPN_Pool
    name 192.168.12.3 VIRMAIL01
    name 192.168.12.4 VIRDB01
    name 192.168.12.5 VIRCRUNCH
    name 192.168.12.6 VIRMAIL02
    name 192.168.12.9 VIRWWW01
    name 192.168.12.51 VIRMAIL03-IRON
    access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 DC_Internal 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 VIR_VPN_Pool 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 WLA_internal 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 LA_internal 255.255.255.0
    access-list outside_cryptomap_20 permit ip VIR_Internal 255.255.255.0 LA_internal 255.255.255.0
    access-list outside_cryptomap_40 permit ip VIR_Internal 255.255.255.0 DC_Internal 255.255.255.0
    access-list outside_cryptomap_60 permit ip VIR_Internal 255.255.255.0 WLA_internal 255.255.255.0
    access-list open_port permit udp any host x.x.x.84 eq domain
    access-list open_port permit tcp any host x.x.x.84 eq www
    access-list open_port permit tcp any host x.x.x.84 eq https
    access-list open_port permit tcp any host x.x.x.85 eq ftp
    access-list open_port permit tcp any host x.x.x.85 eq smtp
    access-list open_port permit udp any host x.x.x.85 eq domain
    access-list open_port permit tcp any host x.x.x.88 eq www
    access-list open_port permit tcp any host x.x.x.88 eq https
    access-list open_port permit tcp any host x.x.x.89 eq smtp
    access-list open_port permit tcp any host x.x.x.90 eq www
    access-list open_port permit tcp any host x.x.x.90 eq https
    access-list open_port permit tcp any host x.x.x.91 eq smtp
    access-list open_port permit tcp any host x.x.x.92 eq smtp
    access-list open_port permit tcp any host x.x.x.94 eq ftp
    access-list open_port permit tcp any host x.x.x.94 eq smtp
    access-list open_port permit udp any host x.x.x.87 eq domain
    access-list open_port permit tcp any host x.x.x.87 eq www
    access-list open_port permit tcp any host x.x.x.87 eq https
    access-list open_port permit icmp any any
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    icmp permit any vpn
    mtu outside 1500
    mtu inside 1500
    mtu vpn 1500
    ip address outside x.x.x.x 255.255.255.248
    ip address inside 192.168.12.1 255.255.255.0
    ip address vpn 192.168.112.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VIR_VPN_Clients 192.168.112.100-192.168.112.199 mask 255.255.255.0
    pdm location LA_internal 255.255.255.0 outside
    pdm location DC_Internal 255.255.255.0 outside
    pdm location WLA_internal 255.255.255.0 outside
    pdm location VIRMAIL01 255.255.255.255 inside
    pdm location VIRDB01 255.255.255.255 inside
    pdm location VIRMAIL02 255.255.255.255 inside
    pdm location VIRWWW01 255.255.255.255 inside
    pdm location 192.168.12.10 255.255.255.255 inside
    pdm location 192.168.12.11 255.255.255.255 inside
    pdm location 192.168.12.12 255.255.255.255 inside
    pdm location 192.168.12.13 255.255.255.255 inside
    pdm location VIRMAIL03-IRON 255.255.255.255 inside
    pdm location LA_internal 255.255.255.0 vpn
    pdm location WLA_internal 255.255.255.0 vpn
    pdm location DC_Internal 255.255.255.0 vpn
    pdm location 192.168.12.41 255.255.255.255 inside
    pdm location VIR_VPN_Pool 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface netmask 255.255.255.255
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) x.x.x.90 VIRWWW01 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.87 192.168.12.10 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.84 192.168.12.11 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.88 192.168.12.12 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.85 VIRMAIL01 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.89 192.168.12.13 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.83 VIRDB01 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.91 VIRMAIL02 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.94 VIRMAIL03-IRON netmask 255.255.255.255 0 0
    static (vpn,outside) x.x.x.93 192.168.112.1 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.92 192.168.12.41 netmask 255.255.255.255 0 0

    access-group open_port in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http VIR_Internal 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer x.x.x.x
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer x.x.x.x
    crypto map outside_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address outside_cryptomap_60
    crypto map outside_map 60 set peer x.x.x.x
    crypto map outside_map 60 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp enable vpn
    isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 28800
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 28800
    telnet VIR_Internal 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh VIR_Internal 255.255.255.0 inside
    ssh timeout 15
    console timeout 0
    vpdn group VIR_Clients accept dialin pptp
    vpdn group VIR_Clients ppp authentication mschap
    vpdn group VIR_Clients ppp encryption mppe 40
    vpdn group VIR_Clients client configuration address local VIR_VPN_Clients
    vpdn group VIR_Clients pptp echo 60
    vpdn group VIR_Clients client authentication local
    vpdn enable vpn
    dhcpd address 192.168.12.200-192.168.12.220 inside
    dhcpd dns VIRMAIL01 208.57.0.11
    dhcpd lease 86400
    dhcpd ping_timeout 750
    dhcpd domain politicalsystems.local
    dhcpd enable inside
    .........
     
    , Jan 16, 2006
    #1

  2. Guest

    Found the problem. It was the outside subnet mask...such an idiot. I
    treated myself to a Guinness...
     
    , Jan 18, 2006
    #2
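    A consistency check suggested by the fix in #2, added here as an illustration and not taken from the thread: the posted outside mask is a /29 (8 addresses), yet the statics span x.x.x.83 through x.x.x.94, so some global addresses necessarily fall outside the outside interface's subnet. The script below parses PIX-style `ip address` and `static` lines and flags statics whose global address is not inside the subnet of the interface it is advertised on; the config is a constructed stand-in (203.0.113.x in place of the poster's x.x.x.x).

```python
import ipaddress
import re

# Constructed stand-in for the posted config: the outside IP and the static
# global addresses are made up (TEST-NET-3), the /29 mask is the one from the
# thread. 203.0.113.80/29 spans .80-.87, so .88 and above lie outside it.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.82 255.255.255.248
ip address inside 192.168.12.1 255.255.255.0
static (inside,outside) 203.0.113.90 VIRWWW01 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.87 192.168.12.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.84 192.168.12.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.88 192.168.12.12 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.85 VIRMAIL01 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.83 VIRDB01 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.94 VIRMAIL03-IRON netmask 255.255.255.255 0 0
static (vpn,outside) 203.0.113.93 192.168.112.1 netmask 255.255.255.255 0 0
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\d+\.\d+\.\d+\.\d+) (\S+)")


def interface_networks(config):
    """Map interface name -> network derived from each 'ip address' line."""
    nets = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            # ip_interface accepts dotted-quad masks, e.g. "a.b.c.d/255.255.255.248"
            nets[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}").network
    return nets


def statics_outside_subnet(config):
    """Return (global_ip, real_host) for every static whose global address
    is not inside the subnet configured on its global-side interface."""
    nets = interface_networks(config)
    flagged = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        _real_if, global_if, global_ip, real_host = m.groups()
        net = nets.get(global_if)
        if net is not None and ipaddress.ip_address(global_ip) not in net:
            flagged.append((global_ip, real_host))
    return flagged


if __name__ == "__main__":
    for global_ip, real_host in statics_outside_subnet(SAMPLE_CONFIG):
        print(f"static {global_ip} -> {real_host} is outside the interface subnet")
```

    Re-running the check with a wider outside mask (a /27 in the constructed case) returns an empty list, which is the quick way to confirm a mask change before applying it on the box.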
