help,there is a strange thing of pix!

jeff.lee — Fri, 21 Feb 2020 06:40:17 GMT

the diagram please see www.ciscofan.com/smbc.jpg

now,the ebs router has a NM-1CE1U&NM-30DM,then remote clients can dial in the network,the pboc router has a wic-2t module,connect to remote side via DDN.the ebs interface's ip address of pix is x.x.45.2,the ebs router's ethernet ip address is x.x.45.1,and the ip address the remote client can get(the ip address pool) is from x.x.45.110-x.x.45.140.the ip address of pix515E 's inside interface is x.x.44.1.I use nat 0 0 0 to avoid any nat(image the pix as a router)then the strange thing happens,after configuration,in ebs router,can't ping any address who is like x.x.44.x,after server1 ping x.x.45.1,then both the dialer clients and the ebs router can ping server1,but can't ping server2,after server2 ping x.x.45.1(ebs router),both dialer clinets and ebs router can ping server2,etc.that means the inside computers must ping the outside computers first,then the outside computers can access(include ping) the inside server.and the even stanger thing is ,if there is no any traffic between ebs and the remote client(or the ebs router) in some time(maybe some hours,but I am not sure),the remote dialer clients or the ebs router can't ping(access) inside

servers.for instance,after one night,in the morning,the remote dialer clients or the ebs router can't ping x.x.44.x.It seems there is a time-out configuration,but how can I setup it?

the following is the pix(515e)'s configuration:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

nameif ethernet3 intf3 security15

nameif ethernet4 ebs security20

nameif ethernet5 pboc security25

enable password n5vL encrypted

passwd 2KFQnencrypted

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 auto shutdown

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto

interface ethernet5 auto

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu ebs 1500

mtu pboc 1500

ip address outside 127.0.0.1 255.0.0.0

ip address inside x.x.44.1 255.255.255.0

ip address intf2 129.0.0.1 255.255.255.0

ip address intf3 127.0.0.1 255.255.255.255

ip address ebs x.x..45.2 255.255.255.0

ip address pboc x.x.46.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address intf3 0.0.0.0

failover ip address ebs 0.0.0.0

failover ip address pboc 0.0.0.0

pdm history enable

arp timeout 14400

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

conduit permit ip any any

route pboc 10.24.15.0 255.255.255.0 x.x.46.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

Re: help,there is a strange thing of pix!

mostiguy — Mon, 07 Apr 2003 12:18:54 GMT

You don't have any static commands to create static translation slots. Thus, you need outbound traffic to create temporary translation slots, but as these are not permanent, you will have problems.

static (inside, outside) x.x.44.0 x.x.44.0 netmask 255.255.255.0

should bring you happiness

Re: help,there is a strange thing of pix!

jeff.lee — Tue, 15 Apr 2003 00:10:45 GMT

yes,it works,but could u tell me what is the function of "static (inside, outside) x.x.44.0 x.x.44.0 netmask 255.255.255.0 "?thanks

Re: help,there is a strange thing of pix!

mostiguy — Tue, 15 Apr 2003 12:21:44 GMT

Static commands make a permanent translation slot for traffic. In an environment with no nat (nat 0...), you use a netstatic (a static command for an entire block of IP addresses). This makes all of those hosts *potentially* accessible through the pix - you still need to open up the ports via a ACL or conduit.

Similar thing applies for natted environments, but there you typically have one static command per one server you want accessible. In PAT, you use statics to forward unique ports.

But why static? If you only use nat 0 - only *temporary* translation slots are created - so that if host A is sending outbound traffic to the internet, then host B (provided there is a access list/conduit that permits this behaviour) can make a connection to A. But if A stops sending any outbound traffic, eventually the temporary translation slot times out, and no external hosts can initiate connections to A. Hence the need for a mechanism through which permanent translation slots can be made.

Matt

topic Re: help,there is a strange thing of pix! in Network Security

help,there is a strange thing of pix!

Re: help,there is a strange thing of pix!

Re: help,there is a strange thing of pix!

Re: help,there is a strange thing of pix!