topic Re: Pix515E does not allow any additional servers/hosts to be de in Network Security

Pix515E does not allow any additional servers/hosts to be deployed

prasey — Mon, 11 Mar 2019 12:03:30 GMT

Hi,

I have a scenario.

1. We are using Pix515E with Restricted license

2. Currently we have moved 9 servers behing the pix firewall

3. Now we are planning to move additional servers, but somehow pix does not allow it

4. NAT translations are ok

5. Configs has been verified to be ok

6. ACL are allowed

7. Inside servers can ping and reach/ browse the new webserver

8. New webserver is able to ping other inside servers and gateway-pix firewall

9. Outside hosts/ Internet users are not able to reach the new server

10. Pix logs does not shows anythings suspicious

11. Capture shows the ack is just not happening

12. We have tried to reboot / reapply the configs

Can someone please help to advise, what may be wrong

Re: Pix515E does not allow any additional servers/hosts to be de

Alan Huseyin Kayahan — Fri, 15 Feb 2008 18:38:17 GMT

Hi Prasanna

Please post your running config and output of sh ver command.

"Now we are planning to move additional servers, but somehow pix does not allow it "

Can you describe this please? What error do you encounter?

Regards

Re: Pix515E does not allow any additional servers/hosts to be de

prasey — Fri, 15 Feb 2008 19:11:11 GMT

Hi,

Thanks for reply.

Heres the running config edited before posting 😉

I could see the NAT translations happening

Required traffic is allowed on the firewall

We are currently moving a server in this setup behind the pix firewall.

Existing servers in this network could access the new server

But Internet users/ from outside interface we are unable to reach this server

Even from router I am unable to ping this server, though I have tried allowing the icmp from the router.

PIX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security80

hostname pix

clock timezone utc+8

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol http 8080

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 110 permit icmp any any

access-list 110 permit tcp 200.x.x.x 255.255.255.192 any

access-list 110 permit tcp 200.x.x.x 255.255.255.192 250.x.x.x 255.255.255.192

access-list 111 permit icmp host 192.168.1.1 any

access-list 111 permit tcp any 200.x.x.x 255.255.255.192

access-list 111 permit tcp any 250.x.x.x 255.255.255.192

access-list 112 permit icmp any any

access-list 112 permit tcp 250.x.x.x 255.255.255.192 any

access-list 112 permit tcp 250.x.x.x 255.255.255.192 200.x.x.x 255.255.255.192

no pager

logging on

logging timestamp

logging standby

logging buffered warnings

logging trap warnings

logging history errors

logging device-id hostname

logging host inside 192.168.150.10

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 192.168.1.2 255.255.255.252

ip address inside 200.x.x.x 255.255.255.192

ip address intf2 250.x.x.x 255.255.255.192

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

static (intf2,outside) 250.x.x.x 250.x.x.x netmask 255.255.255.192 0 0

static (inside,outside) 200.x.x.x 200.x.x.x netmask 255.255.255.192 0 0

static (inside,intf2) 200.x.x.x 200.x.x.x netmask 255.255.255.192 0 0

access-group 111 in interface outside

access-group 110 in interface inside

access-group 112 in interface intf2

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

route inside 192.168.150.0 255.255.255.0 200.x.x.130 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http 192.168.1.0 255.255.255.0 inside

snmp-server location xxx

snmp-server contact xxx

snmp-server community xxx

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:dc9d7ae796879bf7eacbc082387f2db9

: end

Re: Pix515E does not allow any additional servers/hosts to be de

prasey — Fri, 15 Feb 2008 19:11:29 GMT

show version

Cisco PIX Firewall Version 6.3(3)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

pix up 2 hours 25 mins

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : Crypto5823 (revision 0x1)

0: ethernet0: address is 0011.2164.3c0a, irq 10

1: ethernet1: address is 0011.2164.3c0b, irq 11

2: ethernet2: address is 000d.88ee.8ec0, irq 11

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 3

Maximum Interfaces: 5

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has a Restricted (R) license.

Serial Number: 808549223 (0x302c27bb)

Running Activation Key: 0x18eaa253 0x445d4e76 0x4a743bdc 0x2ec5df9c

Heres the capture logs for the new server captured on the outside interface

00:40:48.749549 157.233.234.4.59474 > 250.x.x.207.80: S 2108858885:2108858885(0) win 65535

Re: Pix515E does not allow any additional servers/hosts to be de

Alan Huseyin Kayahan — Sat, 16 Feb 2008 00:16:46 GMT

x.x.x es makes it hard to understand. Can you attach as a file (attached files exipre in time) . What is your inside server IP? (with subnetmask) Are 200.x.x.x public IPs?

Re: Pix515E does not allow any additional servers/hosts to be de

prasey — Sat, 16 Feb 2008 01:57:21 GMT

Hi,

Thanks again!

I am attaching the configs, only deleting the object-groups. All other configs are intact.

Deleting object-group is just to shorten the cli, as we have a huge number of ip's under object-groups.

Yes, inside server ip is 203.127.218.207/26 are public ip's

Re: Pix515E does not allow any additional servers/hosts to be de

Alan Huseyin Kayahan — Sat, 16 Feb 2008 15:27:14 GMT

Thanks for your time on config posting.

Here is te issue

static (intf2,outside) 203.127.218.192 203.127.218.192 netmask 255.255.255.192 0 0

static (inside,outside) 203.127.218.128 203.127.218.128 netmask 255.255.255.192 0 0

ip address inside 203.127.218.129 255.255.255.192

According to above lines, I understand that this server was previously located at intf2 because as you see 203.127.218.207/26 does not belong to 203.127.218.128/26. You have two options

1) Change the server ip in a range of defined static above (between 203.127.218.128-203.127.218.190) (Recommended)

2) We have to make a huge change in config to be able to keep 207 in inside if it is a must not to change the IP.

Regards

Re: Pix515E does not allow any additional servers/hosts to be de

prasey — Sun, 17 Feb 2008 02:28:45 GMT

Yes, Indeed server 203.127.218.207/26 belongs to intf2 and subnet 203.127.218.192/26 and will remain there. We have tried moving to subnet 203.127.218.128/26 still the same results.

As we are using ver6.3, NAT0 alone is not sufficient, hence we are using static nat and could see the nat translations.

Config:-

ip address intf2 203.127.218.193 255.255.255.192

Re: Pix515E does not allow any additional servers/hosts to be de

Alan Huseyin Kayahan — Sun, 17 Feb 2008 17:03:10 GMT

So let me rephrase and correct me if I am wrong.

Server X WAS! located at intf2 with an IP of 203.127.128.207/26 and now you moved it to inside interface. If correct,

1) Assign this server a public IP in 203.127.128.128/26 subnet.

2) Change the gateway of this server from 203.127.218.193 to 203.127.218.129

3) Run clear xlate and clear arp command in PIX

4) Run arp -d in command line of server for 4-5 times

Now here is the issue

"Outside hosts/ Internet users are not able to reach the new server "

You have the following acl

access-list 111 permit tcp any host 203.127.218.207

Now change this acl for the new IP address that you assigned Server X

Re: Pix515E does not allow any additional servers/hosts to be de

prasey — Mon, 18 Feb 2008 09:43:09 GMT

Thanks for your efforts sir!

These has been tried before, and found to be not working.

Rephrasing the problem:-

If I add new servers either in Inside int or intf2, it does not work. Existing servers are working fine.

For testing, I brought down one of the production servers, and used its ip for the new test server. Now the new test server works. But with the new ip, say in .128 or .192 subnet, the new servers does not work.

Re: Pix515E does not allow any additional servers/hosts to be de

prasey — Wed, 20 Feb 2008 03:35:37 GMT

Big THANKS to husycisco !

I have figured out the problem now. Unfortunately all the 3 test servers we had been using to test were faulty in a way or other. either nic card, or image ....

Thanks for your effort and time sir.

Highly appreciate your help.

Re: Pix515E does not allow any additional servers/hosts to be de

Alan Huseyin Kayahan — Wed, 20 Feb 2008 04:01:39 GMT

Glad that you sorted it out 🙂

Regards