PIX NIX : A simple static and access-list (below) seems to have prevented ANY access through the PIX

Discussion in 'Cisco' started by J Bard, Jan 10, 2004.

  1. J Bard

    J Bard Guest

    A simple static and access-list (below) seems to have prevented ANY access
    through the PIX to the web.

    access-list out2in permit icmp any any echo-reply

    access-list out2in permit tcp any any eq www

    static (DMZ,outside) 1xx.21x.99.142 netmask 0

    I was playing with these to get a web server visible from the outside; this
    always failed; logs showed connections made, but timeouts occurring prior to
    the web page being served.

    Much more troubling is that ,twice, we lost connection to the internet via
    the PIX. Rebooting to a prior clean flash worked once; the other time I
    saved my work to flash , and had to , simply, delete these settings and
    reboot to get back on the web.

    Typical failures were :

    305006: portmap translation creation failed for udp src ins

    ide: dst outside:


    The current settings are:

    sh run

    : Saved


    PIX Version 6.3(1)

    interface ethernet0 auto

    interface ethernet1 auto

    interface ethernet1 vlan2 logical

    nameif ethernet0 outside security0

    nameif ethernet1 inside security100

    nameif vlan2 DMZ security50

    enable password RKu3p1CF3TrlG1v9 encrypted

    passwd FRou7zzj.tp5/Po3 encrypted

    hostname atcentralfw

    domain-name atcentral

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol ils 389

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol skinny 2000

    fixup protocol smtp 25

    fixup protocol sqlnet 1521


    access-list out2in permit icmp any any echo-reply

    access-list out2in permit tcp any any eq www

    access-list inside_outbound_nat0_acl permit ip any

    pager lines 24

    logging on

    logging timestamp

    logging console informational

    logging buffered informational

    logging host inside

    mtu outside 1500

    mtu inside 1500

    ip address outside

    ip address inside

    ip address DMZ

    ip audit info action alarm

    ip audit attack action alarm

    ip local pool b11111p1ort

    pdm location inside

    pdm history enable

    arp timeout 14400

    global (outside) 1 interface

    nat (inside) 0 access-list inside_outbound_nat0_acl

    nat (inside) 1 0 0

    route outside 1xx.21x.9x.141 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

    timeout uauth 0:05:00 absolute

    aaa-server TACACS+ protocol tacacs+

    aaa-server RADIUS protocol radius

    aaa-server LOCAL protocol local

    aaa authentication include http DMZ LOCAL

    http server enable

    http inside

    no snmp-server location

    no snmp-server contact

    snmp-server community public

    no snmp-server enable traps

    floodguard enable

    sysopt connection permit-pptp

    telnet inside

    telnet timeout 33

    ssh timeout 5

    console timeout 0

    vpdn group PPTP-VPDN-GROUP accept dialin pptp

    vpdn group PPTP-VPDN-GROUP ppp authentication chap

    vpdn group PPTP-VPDN-GROUP client configuration address local boxxxxxport

    vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.6x.2

    vpdn group PPTP-VPDN-GROUP pptp echo 60

    vpdn group PPTP-VPDN-GROUP client authentication local

    vpdn username xlxxx password *********

    vpdn enable outside

    username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2

    username robert password wqEpZlHyXB1vk/uT encrypted privilege 2

    terminal width 80
    J Bard, Jan 10, 2004
    1. Advertisements

  2. Have you tried applying your out2in ACL to your outside interface? this
    should permit users to access your DMZ, not sure about why your LAN does not
    have Internet access.

    Claude LeFort, Jan 10, 2004
    1. Advertisements

  3. J Bard

    J Bard Guest


    Sorry I wasn't more clear; (was very tired and got in late from the
    client) those setting were applied on the outside interface when we
    couldn't reach the web; the config below is what we were running but for the
    access list and the static command. From what I went through,twice, with
    those commands (and two variations of each ) the pix would simply not
    connect to the web. This is my first PIX and it has me worried ...am I
    missing something obvious or is this PIX a problem ? How often does one get
    a lemon ?
    J Bard, Jan 10, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.