PIX Nat Problem.. Need Ur Help

siddhartha_sarma — Mon, 11 Mar 2019 19:41:41 GMT

Problem with the PIX 525e while "NATTING " .

Reference Topology :

ISP (172.16.21.1)

Ethernet0 (172.16.21.34 /24)

--------------

PIX 525e

--------------

Giga0/0 (10.177.182.1 /24)

LAN Users

DNS provided by ISP : 172.16.0.1

Static IP addresses are assigned to LAN users with DNS : 172.16.0.1

PIX Details:

Hardware:
      PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
     Flash E28F128J3 @ 0xfff00000, 16MB
     BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Timeouts :

     timeout xlate 3:00:00

     timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
     timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
     timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
     timeout uauth 0:05:00 absolute

     Cisco PIX Security Appliance Software Version 7.0(2) Firewall mode: Router

Configuration Details :

1) PIX’s Eth0 and Gi0/0 are set to :

Permit IP any any (Inbound / Outbound)

Permit ICMP any any (Inbound / Outbound)

2) Default route is set towards 172.16.21.1

3) NAT : 10.177.182.0 /24 >>>> PAT>>>>> 172.16.21.1

---------NAT seems to be working fine because LAN users can ping the ISP Gateway of 172.16.21.1--------

Problem:

LAN users fail to open Web pages with high graphic content.

Example: Google.com can be opened from LAN, but yahoo.com is “stuck in loading” after loading some text content. Also some other Web-Sites with High Graphical content are also “stuck in loading”

....But if we run a bit torrent application we get good download speeds. Problems only comes while accessing certain web pages.

... Again If NAT is not working ..... Nothing would open.. be it Google.com or Torrent

Trouble-Shooting :

To see whether the issue is with ISP, I connected a PC Directly to ISP’s Link and Assigned IP 172.16.21.34 and gateway 172.16.21.and DNS 172.16.0.1. Everything seems to be working fine. So its not an ISP issue and the Issue is with the Firewall.

If I replace the firewall with a Router (Cisco 1841) and configure the Router to work in place of PIX then NAT works perfectly.

So I beleive that the Problem is with PIX, But i cant figure out where

Pls Help...... Any Sggesstions are highly Welcome , Thanks in Advance

Re: PIX Nat Problem.. Need Ur Help

Kureli Sankar — Sat, 29 Jan 2011 13:18:30 GMT

Hello Siddharth,

Pls. refer this link: https://supportforums.cisco.com/docs/DOC-8982

Remove http inspection if enabled.

policy-map global_policy
class inspection_default
inspect ftp
.

.
inspect http -----------------------> remove this

Let us know.

-KS

Re: PIX Nat Problem.. Need Ur Help

siddhartha_sarma — Wed, 02 Feb 2011 17:39:41 GMT

Dear Madam,

Http Inspection was disabled already, I even removed Service Policy totally.. but the problem still persists.

I also capture some packets from both the inside and the outside interfaces.. there was no "Oversized MSS"

Re: PIX Nat Problem.. Need Ur Help

siddhartha_sarma — Fri, 29 Apr 2011 08:01:33 GMT

Dear Madam,

I got the logs from pix, traffic captured on the outside interface

This is when the firewall is bypassed : Client IP 10.177.182.130, Server IP 180.151.249.174, notice that the pix is allowing the traffic

6|Apr 07 2011 17:11:38|302014: Teardown TCP connection 1390030 for outside:180.151.249.174/80 to LAN_ZONE:10.177.182.130/1176 duration 0:00:27 bytes 289053 TCP FINs

6|Apr 07 2011 17:11:38|302014: Teardown TCP connection 1390032 for outside:180.151.249.174/80 to LAN_ZONE:10.177.182.130/1178 duration 0:00:27 bytes 18077 TCP FINs

6|Apr 07 2011 17:11:38|302014: Teardown TCP connection 1390037 for outside:180.151.249.174/80 to LAN_ZONE:10.177.182.130/1179 duration 0:00:24 bytes 769 TCP FINs

6|Apr 07 2011 17:11:38|302014: Teardown TCP connection 1390028 for outside:180.151.249.174/80 to LAN_ZONE:10.177.182.130/1174 duration 0:00:27 bytes 38800 TCP FINs

6|Apr 07 2011 17:11:38|302014: Teardown TCP connection 1390031 for outside:180.151.249.174/80 to LAN_ZONE:10.177.182.130/1177 duration 0:00:27 bytes 6582 TCP FINs

6|Apr 07 2011 17:11:38|302014: Teardown TCP connection 1390029 for outside:180.151.249.174/80 to LAN_ZONE:10.177.182.130/1175 duration 0:00:27 bytes 77719 TCP FINs

6|Apr 07 2011 17:11:38|302014: Teardown TCP connection 1389139 for outside:209.85.153.154/80 to LAN_ZONE:10.177.182.130/1151 duration 0:04:10 bytes 7883 TCP FINs

6|Apr 07 2011 17:11:38|302014: Teardown TCP connection 1389140 for outside:209.85.153.154/80 to LAN_ZONE:10.177.182.130/1152 duration 0:04:10 bytes 7296 TCP FINs

6|Apr 07 2011 17:11:28|302014: Teardown TCP connection 1389026 for outside:209.85.175.102/80 to LAN_ZONE:10.177.182.130/1131 duration 0:04:27 bytes 68873 TCP FINs

6|Apr 07 2011 17:11:28|302014: Teardown TCP connection 1389019 for outside:209.85.175.102/80 to LAN_ZONE:10.177.182.130/1127 duration 0:04:28 bytes 145609 TCP FINs

6|Apr 07 2011 17:11:28|302014: Teardown TCP connection 1389025 for outside:209.85.153.154/80 to LAN_ZONE:10.177.182.130/1130 duration 0:04:27 bytes 7427 TCP FINs

6|Apr 07 2011 17:11:13|302013: Built outbound TCP connection 1390037 for outside:180.151.249.174/80 (180.151.249.174/80) toLAN_ZONE:10.177.182.130/1179(10.177.182.130/1179)

6|Apr 07 2011 17:11:10|302013: Built outbound TCP connection 1390032 for outside:180.151.249.174/80 (180.151.249.174/80) to LAN_ZONE:10.177.182.130/1178(10.177.182.130/1178)

6|Apr 07 2011 17:11:10|302013: Built outbound TCP connection 1390031 for outside:180.151.249.174/80 (180.151.249.174/80) to LAN_ZONE:10.177.182.130/1177(10.177.182.130/1177)

6|Apr 07 2011 17:11:10|302013: Built outbound TCP connection 1390030 for outside:180.151.249.174/80 (180.151.249.174/80) to LAN_ZONE:10.177.182.130/1176(10.177.182.130/1176)

6|Apr 07 2011 17:11:10|302013: Built outbound TCP connection 1390029 for outside:180.151.249.174/80 (180.151.249.174/80) to LAN_ZONE:10.177.182.130/1175(10.177.182.130/1175)

6|Apr 07 2011 17:11:10|302014: Teardown TCP connection 1390027 for outside:180.151.249.174/80 to LAN_ZONE:10.177.182.130/1173 duration 0:00:00 bytes 1406 TCP FINs

6|Apr 07 2011 17:11:10|302013: Built outbound TCP connection 1390028 for outside:180.151.249.174/80 (180.151.249.174/80) to LAN_ZONE:10.177.182.130/1174(10.177.182.130/1174)

6|Apr 07 2011 17:11:10|302013: Built outbound TCP connection 1390027 for outside:180.151.249.174/80 (180.151.249.174/80) to LAN_ZONE:10.177.182.130/1173(10.177.182.130/1173)

6|Apr 07 2011 17:11:08|302014: Teardown TCP connection 1389035 for outside:74.125.95.113/80 to LAN_ZONE:10.177.182.130/1138 duration 0:04:05 bytes 1194 TCP FINs

6|Apr 07 2011 17:11:08|302014: Teardown TCP connection 1388835 for outside:80.150.142.17/80 to LAN_ZONE:10.177.182.130/1109 duration 0:05:04 bytes 9197 TCP FINs

6|Apr 07 2011 17:11:08|302014: Teardown TCP connection 1389030 for outside:209.85.175.102/80 to LAN_ZONE:10.177.182.130/1135 duration 0:04:07 bytes 2307 TCP FINs

6|Apr 07 2011 17:11:08|302014: Teardown TCP connection 1389028 for outside:209.85.175.100/80 to LAN_ZONE:10.177.182.130/1133 duration 0:04:07 bytes 5345 TCP FINs

6|Apr 07 2011 17:11:08|302014: Teardown TCP connection 1389023 for outside:209.85.175.100/80 to LAN_ZONE:10.177.182.130/1129 duration 0:04:07 bytes 5009 TCP FINs

6|Apr 07 2011 17:11:08|302014: Teardown TCP connection 1389020 for outside:209.85.175.102/80 to LAN_ZONE:10.177.182.130/1128 duration 0:04:08 bytes 50638 TCP FINs

6|Apr 07 2011 17:11:08|302014: Teardown TCP connection 1389031 for outside:209.85.175.102/80 to LAN_ZONE:10.177.182.130/1136 duration 0:04:07 bytes 51902 TCP FINs

6|Apr 07 2011 17:11:08|302014: Teardown TCP connection 1389029 for outside:209.85.175.102/80 to LAN_ZONE:10.177.182.130/1134 duration 0:04:07 bytes 4319 TCP FINs

6|Apr 07 2011 17:11:08|302014: Teardown TCP connection 1389027 for outside:209.85.175.100/80 to LAN_ZONE:10.177.182.130/1132 duration 0:04:07 bytes 4644 TCP FINs

6|Apr 07 2011 17:11:04|302013: Built outbound TCP connection 1390014 for outside:209.85.175.101/80 (209.85.175.101/80) to LAN_ZONE:10.177.182.130/1172 (10.177.182.130/1172)

6|Apr 07 2011 17:11:04|302016: Teardown UDP connection 1390013 for outside:172.16.0.1/53 to LAN_ZONE:10.177.182.130/55470 duration 0:00:00 bytes 344

6|Apr 07 2011 17:11:04|302015: Built outbound UDP connection 1390013 for outside:172.16.0.1/53 (172.16.0.1/53) to LAN_ZONE:10.177.182.130/55470 (10.177.182.130/55470)

6|Apr 07 2011 17:11:04|302016: Teardown UDP connection 1390012 for outside:172.16.0.1/53 to LAN_ZONE:10.177.182.130/59078 duration 0:00:00 bytes 155

6|Apr 07 2011 17:11:04|302015: Built outbound UDP connection 1390012 for outside:172.16.0.1/53 (172.16.0.1/53) to LAN_ZONE:10.177.182.130/59078 (10.177.182.130/59078)

This is when the traffic is passed through the firewall : no thice that the pix is dropping the traffic , reason : IP options: "Stream ID

6|Apr 07 2011 17:04:27|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:04:26|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:04:26|106012: Deny IP from 202.86.6.175 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:04:26|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:04:26|106012: Deny IP from 202.86.6.175 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:04:26|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:04:26|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:04:22|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387926 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1061 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387925 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1060 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387923 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1058 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387924 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1059 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387930 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1065 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387927 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1062 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387929 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1064 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387922 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1057 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387919 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1055 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387920 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1056 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387918 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1054 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:18|302014: Teardown TCP connection 1387928 for outside:202.86.6.175/80 to LAN_ZONE:10.177.182.130/1063 duration 0:01:05 bytes 0 TCP FINs

6|Apr 07 2011 17:04:11|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:04:03|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:58|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:57|106012: Deny IP from 202.86.6.175 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:57|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:57|106012: Deny IP from 202.86.6.175 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:57|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:57|106012: Deny IP from 202.86.6.175 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:53|302014: Teardown TCP connection 1382520 for LAN_ZONE:10.177.182.130/4804 to NP Identity Ifc:10.177.182.1/23 duration 0:17:29 bytes 21329 TCP FINs

6|Apr 07 2011 17:03:50|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:48|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:48|106012: Deny IP from 202.86.6.175 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:48|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:48|106012: Deny IP from 202.86.6.175 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:48|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:48|106012: Deny IP from 202.86.6.175 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:48|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:48|106012: Deny IP from 202.86.6.175 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:46|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:43|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:41|106012: Deny IP from 203.84.220.39 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:40|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:38|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:37|106012: Deny IP from 180.151.249.174 to 10.177.182.130, IP options: "Stream ID"

6|Apr 07 2011 17:03:36|302013: Built outbound TCP connection 1388081 for outside:180.151.249.174/80 0.1/53) to LAN_ZONE:10.177.182.130/50209 (10.177.182.130/50209)

6|Apr 07 2011 17:03:28|302015: Built outbound UDP connection 1388049 for outside:172.16.0.1/53 (172.16.0.1/53) to LAN_ZONE:10.177.182.130/56402 (10.177.182.130/56402)

However Only Http traffic is being denied, all other traffic eg Torrent etc is allowed without any problem.

The ISP says its not its problem as the traffic is dropped only when passed through the firewall

Also, the ISP is passign the traffic through a Squid proxy.

Could you kindly suggest any solution to this problem

topic Re: PIX Nat Problem.. Need Ur Help in Network Security

PIX Nat Problem.. Need Ur Help

Re: PIX Nat Problem.. Need Ur Help

Re: PIX Nat Problem.. Need Ur Help

Re: PIX Nat Problem.. Need Ur Help