topic Re: Replacing PIX 515Ewith a new one in Network Security

Replacing PIX 515Ewith a new one

albertobrivio42 — Mon, 11 Mar 2019 09:00:00 GMT

Dear ALL,

I'm going to replace a PIX 515E running 6.1 with a new Unresticted PIX515E running 6.3, so I can

work offline with the old one to run all update tasks.

Configurations are exactly the same, but when I replace PIX , the new one does not run properly:

natted clients seem browsing internet correctly

clients mapped with static don't run

web server are not browseable from outside

Please, anyone of you could give me any ideas ?

Regards

Alberto Brivio

P.S. Failover is stopped

Re: Replacing PIX 515Ewith a new one

a.kiprawih — Fri, 24 Nov 2006 10:55:19 GMT

Can you share the configuration, or at least the one with static and access-list (specifically the one applied on Outside interface).

1. natted clients seem browsing internet correctly

- nat/global pair works.

2. clients mapped with static don't run

- could be anything, i.e wrong ip mapping.

3. web server are not browseable from outside

- could be static map problem, or ACL on outside interface.

HTH

Re: Replacing PIX 515Ewith a new one

albertobrivio42 — Fri, 24 Nov 2006 11:18:01 GMT

Hi,

below you can find conf.: I've replaced public class of addresses with

10.10.1.0 and 10.10.2.0

Thanks

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

interface ethernet4 auto

interface ethernet5 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz1 security10

nameif ethernet3 dmz2 security20

nameif ethernet4 dmz3 security30

nameif ethernet5 failover security40

hostname mypix

domain-name mypix.com

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl-inbound permit icmp any any

access-list acl-inbound permit ip any any

access-list acl-outbound permit icmp any any

access-list acl-outbound permit ip any any

pager lines 24

icmp permit any outside

icmp permit any inside

icmp permit any dmz1

icmp permit any dmz2

icmp permit any dmz3

icmp permit any failover

mtu outside 1500

mtu inside 1500

mtu dmz1 1500

mtu dmz2 1500

mtu dmz3 1500

mtu failover 1500

ip address outside 10.10.1.99 255.255.255.224

ip address inside 192.168.0.1 255.255.255.0

no ip address dmz1

no ip address dmz2

no ip address dmz3

no ip address failover

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

no failover ip address outside

no failover ip address inside

no failover ip address dmz1

no failover ip address dmz2

no failover ip address dmz3

no failover ip address failover

pdm location 192.168.0.18 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 10.10.2.128-10.10.2.254 netmask 255.255.255.128

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

alias (inside) 192.168.0.15 10.10.1.105 255.255.255.255

alias (inside) 192.168.0.230 10.10.1.98 255.255.255.255

alias (inside) 192.168.0.85 10.10.1.115 255.255.255.255

alias (inside) 192.168.0.84 10.10.1.113 255.255.255.255

alias (inside) 192.168.0.244 10.10.1.102 255.255.255.255

static (inside,outside) 10.10.1.103 192.168.0.28 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.105 192.168.0.15 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.125 192.168.0.97 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.110 192.168.0.24 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.98 192.168.0.230 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.111 192.168.0.56 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.113 192.168.0.84 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.109 192.168.0.18 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.112 192.168.0.57 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.115 192.168.0.85 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.114 192.168.1.53 netmask 255.255.255.255 0

static (inside,outside) 10.10.1.104 192.168.0.86 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.106 192.168.0.26 netmask 255.255.255.255 0 0

static (inside,outside) 10.10.1.102 192.168.0.251 netmask 255.255.255.255 0 0

access-group acl-inbound in interface outside

access-group acl-outbound in interface inside

route outside 0.0.0.0 0.0.0.0 10.10.1.97 1

route outside 10.10.2.128 255.255.255.128 10.10.1.99 1

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

sysopt noproxyarp outside

sysopt noproxyarp inside

sysopt noproxyarp dmz1

sysopt noproxyarp dmz2

sysopt noproxyarp dmz3

sysopt noproxyarp failover

console timeout 0

terminal width 80

Re: Replacing PIX 515Ewith a new one

a.kiprawih — Fri, 24 Nov 2006 14:44:47 GMT

I noticed 2 static route with same admin distance value exist.

route outside 0.0.0.0 0.0.0.0 10.10.1.97 1

route outside 10.10.2.128 255.255.255.128 10.10.1.99 1

When accessing the internet, which gateway is used, and for outsider to access your servers mapped to Public IPs, which incoming gateway is used?

- The alias command+static+noproxyarp looks ok.

- The ACL and interface bind looks ok. But I believed you should put specific destination servers and service ports for "acl-inbound" acl, i.e:

access-list acl-inbound permit tcp any host 10.10.1.103 eq www

access-list acl-inbound permit tcp any host 10.10.1.105 eq 23

Re: Replacing PIX 515Ewith a new one

albertobrivio42 — Fri, 24 Nov 2006 16:00:22 GMT

Hi,

just for information:

outside 10.10.1.96 255.255.255.224 10.10.1.99 1 CONNECT static

this one is network that outside card belong to, this network is used

for server publishing and static statements

outside 10.10.2.128 255.255.255.128 10.10.2.99 1 OTHER static

this one is another network added in order to permit client natting

But thing I can't understand, is that configuration is up and running on

old PIX 515E (6.1)

Thanks anyway

Re: Replacing PIX 515Ewith a new one

a.kiprawih — Fri, 24 Nov 2006 16:36:30 GMT

The config is fine, it will not working if it is for routing to inside segment.

Can you identify which server(s) you map statically with public IPs but not able to access out or access by users from internet?

Re: Replacing PIX 515Ewith a new one

albertobrivio42 — Fri, 24 Nov 2006 16:53:21 GMT

For example:

(10.10.1.98 in real config ia a public address !)

static (inside,outside) 10.10.1.98 192.168.0.230 netmask 255.255.255.255

The inside server 192.168.0.230 can't access to and it's not reachable

from internet

But any client who is natting by global specified in configuration can access

internet without problems.

Re: Replacing PIX 515Ewith a new one

a.kiprawih — Sat, 25 Nov 2006 23:46:39 GMT

Outside interface IP is running 10.10.1.99, while route to 10.10.2.128 (see route outside line 2) also pointing to 10.10.1.99.

This should be replaced with outside/internet router Faste interface facing PIX, not PIX own interface.

As for route statement (2 x route outside), it's best to put specific (longest match) first before the general route, as general route will take everything into it (PIX not smart in routing):

route outside 10.10.2.128 255.255.255.128 10.10.1.xx ---> change this to other internet router intf IP

route outside 0.0.0.0 0.0.0.0 10.10.1.97

HTH

Re: Replacing PIX 515Ewith a new one

a.kiprawih — Mon, 27 Nov 2006 00:57:01 GMT

Test with only "route outside 0.0.0.0 0.0.0.0 10.10.1.97" statement and physical connection works fine, i.e

in/out access for 192.168.0.230 via "static (inside,outside) 10.10.1.98 192.168.0.230 netmask 255.255.255.255" was ok.

2nd test with outside interface IP change to .100 did not go well. The change was to suit 2nd route statement that point to PIX own interface.

It may not related to the routing, but try to remove the "sysopt noproxyarp outside" line t isolate this issue (not tested-limited time).

It'll be good to put in the config one by one, and see/test where the choking point started.

HTH

Re: Replacing PIX 515Ewith a new one

albertobrivio42 — Mon, 04 Dec 2006 08:56:13 GMT

Hi,

I didn't forget this conversation.

Finally, I got solution by two steps:

first one, the most important, was to power down / power up switch where outside zone is attached to: without this action

nothing was running.

Second one, in order to avoid random nat problem, I had to permit proxyarp on outside segment.

Regards

Alberto Brivio