weird issue with Pix 501

Discussion in 'Cisco' started by Michael Williams, Oct 23, 2004.

  1. While I was out of town (in other words, nothing changed) we can no longer
    ping any address, yet the name resolves. I am thinking the issue is the Pix.

    Running 6.3(4) and PDm 3.0(2).

    Here is our configuration:

    Windows 2003 Native DC's
    Windows 2003 Member Servers
    Windows XP SP2 clients running Office 2003
    Cisco Pix 501 firewall

    If you drop to a command line and try to tracert or ping any domain or IP,
    it resolves (DNS is fine) but we can not ping anything off our network. As a
    result, we can get to the internet sites, but mail (sending mail out via
    POP3 to our ISP) no longer works. We can get mail, but not send mail.

    I have brought in a machine imaged from a different company than ours, same
    thing, not able to ping. You can not ping from any DC, member server or
    desktop. If I log in to the firewall, I can ping out.

    I know this sounds like a firewall issue, but nothing has changed in the PIX
    config in over 6 months. Also, there is a rule allowing for outbound icmp.

    The Pix config is below. We have been without mail
    now for 2 days (sending mail out that is.)

    Help

    Thanks in advance,

    Todd


    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password blahblahblah encrypted
    passwd blahblahblah encrypted
    hostname pixfirewall
    domain-name domain.com
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    object-group service ms_terminal_services tcp
    description Microsoft Terminal Services
    port-object range 3389 3389
    object-group service ftp tcp
    port-object eq ftp
    access-list inbound permit tcp any any eq 3389
    pager lines 24
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.0.1 255.255.255.0
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.0.0 255.255.255.255 inside
    pdm location 192.168.0.14 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (inside) 2 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 192.168.0.14 3389 netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 128.138.140.44 source outside
    ntp server 192.5.41.209 source outside prefer
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.0.0 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname blahblahblah
    vpdn group pppoe_group ppp authentication pap
    vpdn username blahblahblah password blahblahblah
    dhcpd lease 300
    dhcpd ping_timeout 100
    terminal width 80
    Cryptochecksum:5d823bb026fc9f5792000d3568123ef3
    : end
     
    Michael Williams, Oct 23, 2004
    #1

  2. Michael Williams

    PES Guest

    "Michael Williams" <> wrote in message
    news:...
    > While I was out of town (in other words, nothing changed) we can no longer
    > ping any address, yet the name resolves. I am thinking the issue is the
    > Pix.
    >
    > Running 6.3(4) and PDm 3.0(2).
    >
    > Here is our configuration:
    >
    > Windows 2003 Native DC's
    > Windows 2003 Member Servers
    > Windows XP SP2 clients running Office 2003
    > Cisco Pix 501 firewall
    >
    > If you drop to a command line and try to tracert or ping any domain or IP,
    > it resolves (DNS is fine) but we can not ping anything off our network. As a
    > result, we can get to the internet sites, but mail (sending mail out via
    > POP3 to our ISP) no longer works. We can get mail, but not send mail.


    You cannot send mail via POP3, it requires SMTP. SMTP is not dependent on
    ICMP. Therefore, just because you cannot ping something doesn't mean that
    SMTP will not work. Your pix is not configured to permit echo replies,
    therefore pings to the outside will not work and should have never worked
    (and I would bet this is the case). My assumption would be that your pix is
    forwarding traffic properly (DNS, POP3 and HTTP are working). You need to
    troubleshoot the SMTP connection. Are you not even getting a three-way
    handshake at the TCP level? Or are you getting something like a 550 error
    or something? Are you talking to a mail server at your ISP, or somewhere
    else? If the latter, I'll bet the ISP is filtering port 25. In either
    case, I would contact the ISP.

    I think that your email has broken or been broken by something. As a
    result, you attempted the ping and found it failed. Then you began
    troubleshooting the problem assuming that you had a firewall issue.
    However, based on your description SMTP is the only issue.

    >


    <-----snip------>

    >
    > I know this sounds like a firewall issue, but nothing has changed in the
    > PIX
    > config in over 6 months. Also, there is a rule allowing for outbound icmp.


    I don't think this is an issue with the pix, but there is at least one item
    in the config that doesn't make sense.

    >
    > The Pix config is below. We have been without mail
    > now for 2 days (sending mail out that is.)
    >
    > Help
    >
    > Thanks in advance,
    >
    > Todd
    >
    >
    > PIX Version 6.3(4)
    > interface ethernet0 auto
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password blahblahblah encrypted
    > passwd blahblahblah encrypted
    > hostname pixfirewall
    > domain-name domain.com
    > clock timezone CST -6
    > clock summer-time CDT recurring
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol ils 389
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > names
    > object-group service ms_terminal_services tcp
    > description Microsoft Terminal Services
    > port-object range 3389 3389
    > object-group service ftp tcp
    > port-object eq ftp
    > access-list inbound permit tcp any any eq 3389


    If you want to permit all ICMP you would need to add the line below. This
    would not be recommended on one-to-one NAT, but since you only have PAT, it
    shouldn't create too much risk.

    access-list inbound permit icmp any any

    If you only wanted pings originating from the inside to work you could
    instead use something like

    access-list inbound permit icmp any any echo-reply

    > pager lines 24
    > icmp permit any inside
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside pppoe setroute
    > ip address inside 192.168.0.1 255.255.255.0
    > ip verify reverse-path interface inside
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm location 192.168.0.0 255.255.255.255 inside
    > pdm location 192.168.0.14 255.255.255.255 inside
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > global (inside) 2 interface


    I have no idea what the global (inside) 2 interface line is all about. I'm
    willing to bet it was a mistake. I would remove it.

    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) tcp interface 3389 192.168.0.14 3389 netmask 255.255.255.255 0 0
    > access-group inbound in interface outside
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > ntp server 128.138.140.44 source outside
    > ntp server 192.5.41.209 source outside prefer
    > http server enable
    > http 192.168.0.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > telnet 192.168.0.0 255.255.255.255 inside
    > telnet timeout 5
    > ssh timeout 5
    > console timeout 0
    > vpdn group pppoe_group request dialout pppoe
    > vpdn group pppoe_group localname blahblahblah
    > vpdn group pppoe_group ppp authentication pap
    > vpdn username blahblahblah password blahblahblah
    > dhcpd lease 300
    > dhcpd ping_timeout 100
    > terminal width 80
    > Cryptochecksum:5d823bb026fc9f5792000d3568123ef3
    > : end
    >
     
    PES, Oct 23, 2004
    #2
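The reply separates two questions that ping cannot answer: does the TCP three-way handshake to port 25 complete at all, and, if it does, what does the relay say in its greeting? The probe below is an added example, not code from the thread; the fake relay on 127.0.0.1 and its banners are constructed so the check runs offline, and the outcome labels are my own.

```python
import socket
import threading

OK, NOT_READY, NO_HANDSHAKE, REFUSED, NO_BANNER = (
    "ok", "not-ready", "no-handshake", "refused", "no-banner")


def probe_smtp(host, port=25, timeout=5.0):
    """Connect to host:port and read the SMTP greeting; ICMP plays no part."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return NO_HANDSHAKE, ""        # SYN unanswered: port 25 dropped on the path
    except ConnectionRefusedError:
        return REFUSED, ""             # RST: host is up, nothing listening
    with sock:                         # create_connection already applied the timeout
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except socket.timeout:
            banner = ""
        if banner:
            sock.sendall(b"QUIT\r\n")  # close the session cleanly
    if not banner:
        return NO_BANNER, ""
    return (OK if banner.startswith("220") else NOT_READY), banner


def next_step(outcome):
    """Troubleshooting action implied by a probe outcome."""
    return {
        OK: "transport is fine; look at the SMTP reply codes the client gets",
        NOT_READY: "relay answered but is not accepting sessions; read its reply",
        NO_HANDSHAKE: "no three-way handshake: port 25 is filtered on the path or by the ISP",
        REFUSED: "host reachable, but no SMTP listener on that port",
        NO_BANNER: "handshake completed but no greeting arrived within the timeout",
    }[outcome]


def fake_relay(banner):
    """Constructed stand-in for an ISP relay on 127.0.0.1; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            conn.recv(64)              # wait for the client's QUIT (or its close)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe_smtp` against the ISP's relay name from an inside host: a NO_HANDSHAKE result is the port-25 filtering the reply suspects, while an OK result moves the search to the mail client's own SMTP error.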