PIX NIX : A simple static and access-list (below) seems to have prevented ANY access through the PIX

A simple static and access-list (below) seems to have prevented ANY access
through the PIX to the web.



access-list out2in permit icmp any any echo-reply

access-list out2in permit tcp any any eq www



static (DMZ,outside) 1xx.21x.99.142 192.168.2.33 netmask 255.255.255.255 0
0



I was playing with these to get a web server visible from the outside; this
always failed; logs showed connections made, but timeouts occurring prior to
the web page being served.

Much more troubling is that ,twice, we lost connection to the internet via
the PIX. Rebooting to a prior clean flash worked once; the other time I
saved my work to flash , and had to , simply, delete these settings and
reboot to get back on the web.

Typical failures were :

305006: portmap translation creation failed for udp src ins

ide:192.168.0.41/1569 dst outside:198.6.1.122/53





HELP!!!

The current settings are:



sh run

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet1 vlan2 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan2 DMZ security50

enable password RKu3p1CF3TrlG1v9 encrypted

passwd FRou7zzj.tp5/Po3 encrypted

hostname atcentralfw

domain-name atcentral

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list out2in permit icmp any any echo-reply

access-list out2in permit tcp any any eq www

access-list inside_outbound_nat0_acl permit ip any 192.168.0.192
255.255.255.192



pager lines 24

logging on

logging timestamp

logging console informational

logging buffered informational

logging host inside 192.168.0.33

mtu outside 1500

mtu inside 1500

ip address outside 111.111.111.11255.255.255.252

ip address inside 192.168.0.2 255.255.255.0

ip address DMZ 192.168.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool b11111p1ort 192.168.0.200-192.168.0.230

pdm location 192.168.0.31 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 1xx.21x.9x.141 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication include http DMZ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

http server enable

http 192.168.0.31 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-pptp

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 33

ssh timeout 5

console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP client configuration address local boxxxxxport

vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.6x.2
2x6.4x.101.15

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username xlxxx password *********

vpdn enable outside

username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2

username robert password wqEpZlHyXB1vk/uT encrypted privilege 2

terminal width 80

 

Have you tried applying your out2in ACL to your outside interface? this
should permit users to access your DMZ, not sure about why your LAN does not
have Internet access.

Claude

"J Bard" <> wrote in message
news:...
>
>
>
> A simple static and access-list (below) seems to have prevented ANY access
> through the PIX to the web.
>
>
>
> access-list out2in permit icmp any any echo-reply
>
> access-list out2in permit tcp any any eq www
>
>
>
> static (DMZ,outside) 1xx.21x.99.142 192.168.2.33 netmask 255.255.255.255
0
> 0
>
>
>
> I was playing with these to get a web server visible from the outside;
this
> always failed; logs showed connections made, but timeouts occurring prior
to
> the web page being served.
>
> Much more troubling is that ,twice, we lost connection to the internet
via
> the PIX. Rebooting to a prior clean flash worked once; the other time I
> saved my work to flash , and had to , simply, delete these settings and
> reboot to get back on the web.
>
> Typical failures were :
>
> 305006: portmap translation creation failed for udp src ins
>
> ide:192.168.0.41/1569 dst outside:198.6.1.122/53
>
>
>
>
>
> HELP!!!
>
> The current settings are:
>
>
>
> sh run
>
> : Saved
>
> :
>
> PIX Version 6.3(1)
>
> interface ethernet0 auto
>
> interface ethernet1 auto
>
> interface ethernet1 vlan2 logical
>
> nameif ethernet0 outside security0
>
> nameif ethernet1 inside security100
>
> nameif vlan2 DMZ security50
>
> enable password RKu3p1CF3TrlG1v9 encrypted
>
> passwd FRou7zzj.tp5/Po3 encrypted
>
> hostname atcentralfw
>
> domain-name atcentral
>
> fixup protocol ftp 21
>
> fixup protocol h323 h225 1720
>
> fixup protocol h323 ras 1718-1719
>
> fixup protocol http 80
>
> fixup protocol ils 389
>
> fixup protocol rsh 514
>
> fixup protocol rtsp 554
>
> fixup protocol sip 5060
>
> fixup protocol sip udp 5060
>
> fixup protocol skinny 2000
>
> fixup protocol smtp 25
>
> fixup protocol sqlnet 1521
>
> names
>
> access-list out2in permit icmp any any echo-reply
>
> access-list out2in permit tcp any any eq www
>
> access-list inside_outbound_nat0_acl permit ip any 192.168.0.192
> 255.255.255.192
>
>
>
> pager lines 24
>
> logging on
>
> logging timestamp
>
> logging console informational
>
> logging buffered informational
>
> logging host inside 192.168.0.33
>
> mtu outside 1500
>
> mtu inside 1500
>
> ip address outside 111.111.111.11255.255.255.252
>
> ip address inside 192.168.0.2 255.255.255.0
>
> ip address DMZ 192.168.2.1 255.255.255.0
>
> ip audit info action alarm
>
> ip audit attack action alarm
>
> ip local pool b11111p1ort 192.168.0.200-192.168.0.230
>
> pdm location 192.168.0.31 255.255.255.255 inside
>
> pdm history enable
>
> arp timeout 14400
>
> global (outside) 1 interface
>
> nat (inside) 0 access-list inside_outbound_nat0_acl
>
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>
> route outside 0.0.0.0 0.0.0.0 1xx.21x.9x.141 1
>
> timeout xlate 3:00:00
>
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
> 1:00:00
>
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
>
> timeout uauth 0:05:00 absolute
>
> aaa-server TACACS+ protocol tacacs+
>
> aaa-server RADIUS protocol radius
>
> aaa-server LOCAL protocol local
>
> aaa authentication include http DMZ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
>
> http server enable
>
> http 192.168.0.31 255.255.255.255 inside
>
> no snmp-server location
>
> no snmp-server contact
>
> snmp-server community public
>
> no snmp-server enable traps
>
> floodguard enable
>
> sysopt connection permit-pptp
>
> telnet 0.0.0.0 0.0.0.0 inside
>
> telnet timeout 33
>
> ssh timeout 5
>
> console timeout 0
>
> vpdn group PPTP-VPDN-GROUP accept dialin pptp
>
> vpdn group PPTP-VPDN-GROUP ppp authentication chap
>
> vpdn group PPTP-VPDN-GROUP client configuration address local boxxxxxport
>
> vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.6x.2
> 2x6.4x.101.15
>
> vpdn group PPTP-VPDN-GROUP pptp echo 60
>
> vpdn group PPTP-VPDN-GROUP client authentication local
>
> vpdn username xlxxx password *********
>
> vpdn enable outside
>
> username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2
>
> username robert password wqEpZlHyXB1vk/uT encrypted privilege 2
>
> terminal width 80
>
>
>
>
>

 

Claude:

Sorry I wasn't more clear; (was very tired and got in late from the
client) those setting were applied on the outside interface when we
couldn't reach the web; the config below is what we were running but for the
access list and the static command. From what I went through,twice, with
those commands (and two variations of each ) the pix would simply not
connect to the web. This is my first PIX and it has me worried ...am I
missing something obvious or is this PIX a problem ? How often does one get
a lemon ?



"Claude LeFort" <> wrote in message
news:BPSLb.56173$...
> Have you tried applying your out2in ACL to your outside interface? this
> should permit users to access your DMZ, not sure about why your LAN does
not
> have Internet access.
>
> Claude
>
> "J Bard" <> wrote in message
> news:...
> >
> >
> >
> > A simple static and access-list (below) seems to have prevented ANY
access
> > through the PIX to the web.
> >
> >
> >
> > access-list out2in permit icmp any any echo-reply
> >
> > access-list out2in permit tcp any any eq www
> >
> >
> >
> > static (DMZ,outside) 1xx.21x.99.142 192.168.2.33 netmask
255.255.255.255
> 0
> > 0
> >
> >
> >
> > I was playing with these to get a web server visible from the outside;
> this
> > always failed; logs showed connections made, but timeouts occurring
prior
> to
> > the web page being served.
> >
> > Much more troubling is that ,twice, we lost connection to the internet
> via
> > the PIX. Rebooting to a prior clean flash worked once; the other time I
> > saved my work to flash , and had to , simply, delete these settings and
> > reboot to get back on the web.
> >
> > Typical failures were :
> >
> > 305006: portmap translation creation failed for udp src ins
> >
> > ide:192.168.0.41/1569 dst outside:198.6.1.122/53
> >
> >
> >
> >
> >
> > HELP!!!
> >
> > The current settings are:
> >
> >
> >
> > sh run
> >
> > : Saved
> >
> > :
> >
> > PIX Version 6.3(1)
> >
> > interface ethernet0 auto
> >
> > interface ethernet1 auto
> >
> > interface ethernet1 vlan2 logical
> >
> > nameif ethernet0 outside security0
> >
> > nameif ethernet1 inside security100
> >
> > nameif vlan2 DMZ security50
> >
> > enable password RKu3p1CF3TrlG1v9 encrypted
> >
> > passwd FRou7zzj.tp5/Po3 encrypted
> >
> > hostname atcentralfw
> >
> > domain-name atcentral
> >
> > fixup protocol ftp 21
> >
> > fixup protocol h323 h225 1720
> >
> > fixup protocol h323 ras 1718-1719
> >
> > fixup protocol http 80
> >
> > fixup protocol ils 389
> >
> > fixup protocol rsh 514
> >
> > fixup protocol rtsp 554
> >
> > fixup protocol sip 5060
> >
> > fixup protocol sip udp 5060
> >
> > fixup protocol skinny 2000
> >
> > fixup protocol smtp 25
> >
> > fixup protocol sqlnet 1521
> >
> > names
> >
> > access-list out2in permit icmp any any echo-reply
> >
> > access-list out2in permit tcp any any eq www
> >
> > access-list inside_outbound_nat0_acl permit ip any 192.168.0.192
> > 255.255.255.192
> >
> >
> >
> > pager lines 24
> >
> > logging on
> >
> > logging timestamp
> >
> > logging console informational
> >
> > logging buffered informational
> >
> > logging host inside 192.168.0.33
> >
> > mtu outside 1500
> >
> > mtu inside 1500
> >
> > ip address outside 111.111.111.11255.255.255.252
> >
> > ip address inside 192.168.0.2 255.255.255.0
> >
> > ip address DMZ 192.168.2.1 255.255.255.0
> >
> > ip audit info action alarm
> >
> > ip audit attack action alarm
> >
> > ip local pool b11111p1ort 192.168.0.200-192.168.0.230
> >
> > pdm location 192.168.0.31 255.255.255.255 inside
> >
> > pdm history enable
> >
> > arp timeout 14400
> >
> > global (outside) 1 interface
> >
> > nat (inside) 0 access-list inside_outbound_nat0_acl
> >
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> >
> > route outside 0.0.0.0 0.0.0.0 1xx.21x.9x.141 1
> >
> > timeout xlate 3:00:00
> >
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
> > 1:00:00
> >
> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> >
> > timeout uauth 0:05:00 absolute
> >
> > aaa-server TACACS+ protocol tacacs+
> >
> > aaa-server RADIUS protocol radius
> >
> > aaa-server LOCAL protocol local
> >
> > aaa authentication include http DMZ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
LOCAL
> >
> > http server enable
> >
> > http 192.168.0.31 255.255.255.255 inside
> >
> > no snmp-server location
> >
> > no snmp-server contact
> >
> > snmp-server community public
> >
> > no snmp-server enable traps
> >
> > floodguard enable
> >
> > sysopt connection permit-pptp
> >
> > telnet 0.0.0.0 0.0.0.0 inside
> >
> > telnet timeout 33
> >
> > ssh timeout 5
> >
> > console timeout 0
> >
> > vpdn group PPTP-VPDN-GROUP accept dialin pptp
> >
> > vpdn group PPTP-VPDN-GROUP ppp authentication chap
> >
> > vpdn group PPTP-VPDN-GROUP client configuration address local
boxxxxxport
> >
> > vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.6x.2
> > 2x6.4x.101.15
> >
> > vpdn group PPTP-VPDN-GROUP pptp echo 60
> >
> > vpdn group PPTP-VPDN-GROUP client authentication local
> >
> > vpdn username xlxxx password *********
> >
> > vpdn enable outside
> >
> > username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2
> >
> > username robert password wqEpZlHyXB1vk/uT encrypted privilege 2
> >
> > terminal width 80
> >
> >
> >
> >
> >
>
>