topic Re: PIX building connections on wrong interface in Network Security

PIX building connections on wrong interface

bluesteel — Mon, 11 Mar 2019 19:07:14 GMT

I have a PIX-515 which is building connections between 2 host in the same subnet (172.16.8.0 /21), the PIX interface to this network is named 'inside' and has an IP of 172.16.8.254 /21. The pix also has a connection to a test network (172.30.8.0 /21), the pix interface for this network is named 'testlan' and has an IP of 172.30.8.250 /21. The problem is that the logs are showing a connection being built from 'inside' to 'testlan' for communications between hosts on the 172.16.8.0 /21 network?

Am I hitting a bug? The two host reside in the same network on the 'inside' interface but the connections are built to the 'testlan' interface on a different subnet!!. I believe this may be an issue with the logs being wrong as the services are up and running and none of the hosts reside in 'testlan'

LOGS:

Oct 28 22:34:49 Oct 28 2031 21:35:32 TESTPIX : %PIX-6-302015: Built outbound UDP connection 43661517 for testlan:172.16.15.246/5394 (172.16.15.246/5394) to inside:172.16.15.32/389 (172.16.15.32/389)
Oct 28 22:37:00 Oct 28 2031 21:37:43 TESTPIX : %PIX-6-302016: Teardown UDP connection 43661517 for testlan:172.16.15.246/5394 to inside:172.16.15.32/389 duration 0:02:11 bytes 504

Oct 28 22:38:31 Oct 28 2031 21:39:14 TESTPIX : %PIX-6-302015: Built outbound UDP connection 43671234 for testlan:172.16.9.15/137 (172.16.9.15/137) to inside:172.16.15.32/137 (172.16.15.32/137)
Oct 28 22:40:32 Oct 28 2031 21:41:15 TESTPIX : %PIX-6-302016: Teardown UDP connection 43671234 for testlan:172.16.9.15/137 to inside:172.16.15.32/137 duration 0:02:01 bytes 76

Oct 28 09:23:43 Oct 28 2031 08:24:26 TESTPIX : %PIX-6-302013: Built outbound TCP connection 41013159 for testlan:172.16.15.32/1026 (172.16.15.32/1026) to inside:172.16.15.31/4297 (172.16.15.31/4297)
Oct 28 09:25:44 Oct 28 2031 08:26:27 TESTPIX : %PIX-6-302014: Teardown TCP connection 41013159 for testlan:172.16.15.32/1026 to inside:172.16.15.31/4297 duration 0:02:01 bytes 0 SYN Timeout

Oct 28 09:29:20 Oct 28 2031 08:30:03 TESTPIX : %PIX-6-302015: Built outbound UDP connection 41026172 for testlan:172.16.15.32/137 (172.16.15.32/137) to inside:192.168.0.100/137 (172.30.8.250/337)
Oct 28 09:32:01 Oct 28 2031 08:32:44 TESTPIX : %PIX-6-302016: Teardown UDP connection 41026172 for testlan:172.16.15.32/137 to inside:192.168.0.100/137 duration 0:02:41 bytes 2070

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(3)

Compiled on Fri 02-Jul-04 00:07 by morlee

TESTPIX up 126 days 4 hours

Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.6bf7.4e20, irq 11
1: ethernet1: address is 0003.6bf7.4e21, irq 10
2: ethernet2: address is 00e0.b601.d185, irq 9
3: ethernet3: address is 00e0.b601.d184, irq 9
4: ethernet4: address is 00e0.b601.d183, irq 9
5: ethernet5: address is 00e0.b601.d182, irq 9
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 406042612 (0x1833b7f4)
Running Activation Key: 0xb8a9f990 0xc0d952fd 0x2a2de635 0x729a7248
Configuration last modified by enable_1 at 12:02:46.599 GMT/BST Mon Nov 10 2031

nat (inside) 0 access-list acl_nonat_traffic
nat (inside) 1 172.16.0.0 255.255.248.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (testlan) 1 interface
global (testlan) 1 172.30.8.245
global (testlan) 1 172.30.8.246
global (testlan) 1 172.30.8.247
global (testlan) 1 172.30.8.248
global (testlan) 1 172.30.8.249

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 testlan security90
nameif ethernet3 WebDMZ security50
nameif ethernet4 EPOS security40
nameif ethernet5 externaldmz security10

access-group acl_outside in interface outside
access-group testlan in interface testlan
access-group acl_WebDMZ in interface WebDMZ
access-group acl_EPOS in interface EPOS
access-group acl_externaldmz in interface externaldmz

testlan 172.30.8.0 255.255.248.0 172.30.8.250 1 CONNECT static
inside 172.16.8.0 255.255.248.0 172.16.8.254 1 CONNECT static

System IP Addresses:
        ip address outside totevpn 255.255.255.248
        ip address inside 172.16.8.254 255.255.248.0
        ip address testlan 172.30.8.250 255.255.248.0
        ip address WebDMZ 172.30.240.250 255.255.255.0
        ip address EPOS 172.20.1.246 255.255.255.0
        ip address externaldmz 192.168.20.250 255.255.255.0
Current IP Addresses:
        ip address outside totevpn 255.255.255.248
        ip address inside 172.16.8.254 255.255.248.0
        ip address testlan 172.30.8.250 255.255.248.0
        ip address WebDMZ 172.30.240.250 255.255.255.0
        ip address EPOS 172.20.1.246 255.255.255.0
        ip address externaldmz 192.168.20.250 255.255.255.0

static (inside,testlan) 172.16.15.40 172.16.15.40 netmask 255.255.255.255 0 0
static (inside,testlan) 172.16.8.40 172.16.8.40 netmask 255.255.255.255 0 0
static (inside,testlan) 172.16.8.30 172.16.8.30 netmask 255.255.255.255 0 0
static (inside,testlan) 172.16.8.50 172.16.8.50 netmask 255.255.255.255 0 0
static (inside,testlan) 172.16.15.2 172.16.15.2 netmask 255.255.255.255 0 0
static (inside,testlan) 172.16.8.33 172.16.8.33 netmask 255.255.255.255 0 0
static (inside,testlan) 172.16.15.5 172.16.15.5 netmask 255.255.255.255 0 0
static (inside,testlan) Live_PostCode Live_PostCode netmask 255.255.255.255 0 0
static (inside,testlan) 172.16.8.0 172.16.8.0 netmask 255.255.248.0 0 0
static (inside,testlan) BCSDC1 BCSDC1 netmask 255.255.255.255 0 0
static (inside,testlan) BCSTXCLUSTER BCSTXCLUSTER netmask 255.255.255.255 0 0
static (inside,testlan) 172.25.15.111 172.25.15.111 netmask 255.255.255.255 0 0
static (inside,testlan) 172.25.8.0 172.25.8.0 netmask 255.255.248.0 0 0
static (inside,testlan) 10.224.32.0 10.224.32.0 netmask 255.255.255.0 0 0
static (inside,testlan) 172.16.15.140 172.16.15.140 netmask 255.255.255.255 0 0
static (inside,testlan) 192.168.50.40 192.168.50.40 netmask 255.255.255.255 0 0
static (inside,testlan) 192.168.50.30 192.168.50.30 netmask 255.255.255.255 0 0
static (inside,testlan) 172.16.10.78 172.16.10.78 netmask 255.255.255.255 0 0
static (inside,testlan) DevServerNew DevServerNew netmask 255.255.255.255 0 0
static (inside,testlan) TOGSMA01 TOGSMA01 netmask 255.255.255.255 0 0
static (inside,testlan) 192.168.112.9 192.168.112.9 netmask 255.255.255.255 0 0
static (inside,testlan) 192.168.112.10 192.168.112.10 netmask 255.255.255.255 0 0
static (inside,testlan) 192.168.112.0 192.168.112.0 netmask 255.255.254.0 0 0
static (inside,testlan) 172.30.8.32 172.30.8.32 netmask 255.255.255.255 0 0
static (inside,testlan) 10.4.0.0 10.4.0.0 netmask 255.255.0.0 0 0
static (inside,testlan) 10.8.56.0 10.8.56.0 netmask 255.255.255.0 0 0

Re: PIX building connections on wrong interface

praprama — Wed, 10 Nov 2010 15:57:12 GMT

Hi,

Please post the output of "show static" from the PIX. Also, please apply captures on the testlan interface and check if you actually see packets going out on that interface.

https://supportforums.cisco.com/docs/DOC-1222

Regards,

Prapanch

Re: PIX building connections on wrong interface

bluesteel — Thu, 11 Nov 2010 13:06:48 GMT

Hi Prapanch,

I ran packet capture and no packets captured exiting the testlan interface. I think I'm hitting a bug as I can see in the logs that the pix is moving the host from LAN to LAN????? As you can see 172.16.15.32 is on inside: in the first log entry but moves to testlan: in the second log entry...WRONG!!!

Regards

Daniel

Re: PIX building connections on wrong interface

praprama — Thu, 11 Nov 2010 14:58:17 GMT

Hi Daniel,

It's weird that you do not see any apckets captured!! Could you post the capture configuration here just for confirmation? Also, try adding the command"ip verify reverse-path interface testlan" and "ip verify reverse-path interface inside" and see if the logs stop popping up then.

Thanks and Regards,

Prapanch

Re: PIX building connections on wrong interface

bluesteel — Thu, 11 Nov 2010 17:29:09 GMT

Hi Prapanch,

I did see traffic hitting the inside interface (in-cap) but none exiting the testlan interface (out-cap).

Kind Regards

Daniel

Re: PIX building connections on wrong interface

bluesteel — Thu, 11 Nov 2010 17:33:29 GMT

Hi Prapanch,

the packet capture config, note access-list does not need mirroring !!!!

access-list cap-list permit tcp 172.16.8.0 255.255.248.0 172.16.8.0 255.255.248.0

capture in-cap interface inside access-list cap-list buffer 1000000 packet 1522
capture out-cap interface testlan access-list cap-list buffer 1000000 packet 1522

Re: PIX building connections on wrong interface

praprama — Fri, 12 Nov 2010 15:26:35 GMT

Hi Daniel,

The captures seem alright. Did you try adding that command i mentioned and see if it helped? I owuld suggest opening up a TAC case to investigate further.

Regards,

Prapanch