topic Re: PIX OS version 6.3(1) bug? in Network Security

PIX OS version 6.3(1) bug?

admin_2 — Fri, 21 Feb 2020 07:15:28 GMT

I have been looking for a definite answer to whether there is a bug that will not allow my PIX 501 with 6.3(1) to use dynamic and static PAT at the same time. The problem I have is this: I'm setting up a PIX on a PPPoE dsl connection with a web server behind it. I can get dynamic PAT to work to allow all inside hosts to access the internet. I can get static PAT to allow outside access to the web server. I cannot get both to work at the same time. I am a MCSE but am new to Cisco/PIX.

In reading some posts, I saw a reference to a bug that affects this. I have seen other posts that seem to indicate I should be able to do this sucessfully. When I had it set up, I could access the web server from the outside, but only the web server could access the internet. Any suggestions? I have been using the quick start instructions that came with the PIX.

Re: PIX OS version 6.3(1) bug?

gfullage — Mon, 23 Feb 2004 05:52:20 GMT

Should work fine, you should have the following:

nat (inside) 1 0.0.0.0

global (outside) 1 interface

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255

access-list inbound permit tcp any interface outside eq www

access-group inbound in interface outside

Re: PIX OS version 6.3(1) bug?

shane — Tue, 24 Feb 2004 22:06:53 GMT

I have the exact commands in my pix and I have the exact problem. My Mail Server can recieve port 25 coming inbound but cannot get outbound at all.

Re: PIX OS version 6.3(1) bug?

scoclayton — Wed, 25 Feb 2004 14:32:02 GMT

Sounds to me like a common config issue seen when doing port redirection. Can you share your config with us for review? Remember to change public IP addresses (to something consistent please) and blank your passwords.

Scott

Re: PIX OS version 6.3(1) bug?

shane — Wed, 25 Feb 2004 15:11:01 GMT

Here is the config I was testing with. Basically the 10.0.0.2 Mail server is the one that cannot get out to the internet in this config but all other machines can.

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXX encrypted

passwd XXX encrypted

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inbound permit icmp any any

access-list inbound permit tcp any interface outside eq smtp

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside X.X.X.X 255.255.255.252

ip address inside 10.0.0.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0

access-group inbound in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Re: PIX OS version 6.3(1) bug?

jmia — Wed, 25 Feb 2004 15:51:45 GMT

Hi,

Have you got any syslog messages that you can post to us please. If haven't then do the following (in config mode):

logging on

logging buffer debug

sh log

Please post the results, thanks.

Jay

Re: PIX OS version 6.3(1) bug?

shane — Wed, 25 Feb 2004 16:49:33 GMT

Well the wierd thing is I was booting all my test gear up to get the logs and it looks like everything is working now. Not sure if it needed a good reboot or clear xlate but I am able to access the internet from the mail server as well as recieve inbound ports......hmmmm

Re: PIX OS version 6.3(1) bug?

scoclayton — Wed, 25 Feb 2004 18:28:27 GMT

Cool. I was out of the office for a while but I did look at the config and you should be fine. Most people don't realize that a port static only works for packets *sourced* from that port. So, when trying to open a web browser on the mail server where you have a port static configured will not work becuase the packets from the mail server (in this case) are not *sourced* from port 25. You need to have a corresponding nat and global statement for the web browsing to work. Not sure how clear this is but your config is fine. I am guessing you may have been running into a known issue regarding statics and arp in the 6.3 code. Glad you got it fixed.

Scott