02-12-2010 11:09 AM - edited 03-11-2019 10:08 AM
Hi all, trust you are well.
I'm a little confused over my configuration here and why it does not work and wondered if you can help me out.
I have two servers that sit behind a PIX which I cannot connect to; the services that are running are SSH, Web and Webmin. I can ping them both from the PIX, and from the LAN I can connect to all the services that are open.
If I use the command "show conn" whilst trying to make a connection to the services I get the following:
TCP out 82.25.211.122:4983 in smart1:1966 idle 0:00:05 Bytes 0 flags SaAB
TCP out 82.25.211.122:1039 in smart1:1966 idle 0:01:22 Bytes 0 flags SaAB
TCP out 82.25.211.122:1120 in smart1:22 idle 0:00:03 Bytes 0 flags SaAB
Then I issue the command "show xlate":
3 in use, 59 most used
PAT Global 92.27.117.198(1966) Local smart1(1966)
PAT Global 92.27.117.198(10101) Local smart1(10101)
PAT Global 92.27.117.198(22) Local smart1(22)
Results of "show access-list":
access-list outside_access_in line 1 permit tcp any host 92.27.117.198 eq 1966 (hitcnt=10)
access-list outside_access_in line 2 permit tcp any host 92.27.117.198 eq 10101 (hitcnt=78)
access-list outside_access_in line 3 permit tcp any host 92.27.117.198 eq 1967 (hitcnt=3)
access-list outside_access_in line 4 permit tcp any host 92.27.117.198 eq 10102 (hitcnt=2)
access-list outside_access_in line 5 permit tcp any host 92.27.117.198 eq ssh (hitcnt=149)
access-list outside_access_in line 6 permit tcp any host 92.27.117.198 eq telnet (hitcnt=0)
access-list outside_access_in line 7 permit icmp any any echo-reply (hitcnt=4)
access-list inside_access_in; 1 elements
access-list inside_access_in line 1 permit tcp any any (hitcnt=0)
Below are my two configs and network diagram... please note that the IPs are 92.27 and not 192.27 as shown on the image.
I hope you can help me out here as I have been at this for weeks now trying to do it myself.
Thanks
Martyn
Cisco 877 ADSL
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname r1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret 5 $1$SAB8$FJEXDpOo3Sv1hQwQruaEE1
!
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip host pix 192.168.3.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ips po max-events 100
no ftp-server write-enable
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
shutdown
no cdp enable
!
interface FastEthernet2
no ip address
shutdown
no cdp enable
!
interface FastEthernet3
no ip address
shutdown
no cdp enable
!
interface Vlan1
ip address 92.27.117.197 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
!
interface Dialer0
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
no ip http secure-server
!
logging trap debugging
snmp-server chassis-id Cisco 877
no cdp run
!
!
control-plane
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password w1Y.GBKFyC5NqO3M encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname f1
domain-name server.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.3.243 smart1
name 192.168.3.242 smart2
access-list outside_access_in permit tcp any host 92.127.117.198 eq 1966
access-list outside_access_in permit tcp any host 92.127.117.198 eq 10101
access-list outside_access_in permit tcp any host 92.127.117.198 eq 1967
access-list outside_access_in permit tcp any host 92.127.117.198 eq 10102
access-list 101 permit icmp any host 92.127.117.198 unreachable
access-list 101 permit icmp any host 92.127.117.198 time-exceeded
access-list 101 permit icmp any host 92.127.117.198
access-list 101 permit icmp any host 92.127.117.198 echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 92.127.117.198 255.255.255.252
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 92.168.3.3 255.255.255.255 inside
pdm location 92.168.3.248 255.255.255.255 inside
pdm location 92.168.3.247 255.255.255.255 inside
pdm location smart2 255.255.255.255 inside
pdm location smart1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 92.127.117.198 1966 smart1 1966 netmask 255.255.255.255 0 0
static (inside,outside) tcp 92.127.117.198 10101 smart1 10101 netmask 255.255.255.255 0 0
static (inside,outside) tcp 92.127.117.198 1967 smart2 1967 netmask 255.255.255.255 0 0
static (inside,outside) tcp 92.127.117.198 10102 smart2 10102 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 98.27.117.197 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:b53965e3cd504b03f309758a56569898
: end
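Decoding the "show conn" lines quoted above, as an added example that is not part of the thread: the flags column is what separates a firewall problem (ACL or static) from a return-path problem on the server. Assumed: the PIX 6.3 flag legend letters listed in the code (from the 6.3 command reference as I recall it), and the fourth sample line, which is constructed.

```python
import re

# Subset of the PIX 6.3 "show conn" flag legend (from the 6.3 command reference
# as I recall it; only the letters this decoder interprets are listed).
FLAG_LEGEND = {
    "U": "up (handshake complete)",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",
}

CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+out\s+(?P<out_host>\S+):(?P<out_port>\d+)\s+in\s+(?P<in_host>\S+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\S+)\s+Bytes\s+(?P<nbytes>\d+)\s+flags\s+(?P<flags>\w+)$"
)

# The three conn entries quoted in the thread, plus one constructed healthy one.
SAMPLE_CONNS = [
    "TCP out 82.25.211.122:4983 in smart1:1966 idle 0:00:05 Bytes 0 flags SaAB",
    "TCP out 82.25.211.122:1039 in smart1:1966 idle 0:01:22 Bytes 0 flags SaAB",
    "TCP out 82.25.211.122:1120 in smart1:22 idle 0:00:03 Bytes 0 flags SaAB",
    "TCP out 203.0.113.9:51044 in smart2:22 idle 0:00:10 Bytes 4096 flags UIO",
]

def parse_conn(line):
    """Parse one 'show conn' line into a dict (ports and byte count as ints)."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PIX conn line: {line!r}")
    d = m.groupdict()
    for k in ("out_port", "in_port", "nbytes"):
        d[k] = int(d[k])
    return d

def describe(flags):
    """Expand a flag string letter by letter; unlisted letters are kept, not guessed."""
    return [FLAG_LEGEND.get(c, f"unlisted flag {c!r}") for c in flags]

def classify(conn):
    """Name the handshake state and, for a stuck inbound SYN, where to look."""
    f = set(conn["flags"])
    if "U" in f:
        return "established"
    if "B" in f and "A" in f and conn["nbytes"] == 0:
        # The outside SYN was translated and forwarded (so ACL and static are fine),
        # but the inside host never answered: suspect its default gateway/return path.
        return "embryonic-inbound: no SYN-ACK from inside host; check its default gateway"
    return "handshake in progress"
```

Run over SAMPLE_CONNS, every line the poster quoted classifies as embryonic-inbound with zero bytes, which is exactly the symptom a wrong server default gateway produces.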
02-12-2010 11:39 AM
Can you just confirm whether the configs are cut-and-paste outputs, because you have this in your pix config -
ip address inside 92.168.3.1 255.255.255.0
whereas it should be -
ip address inside 192.168.3.1 255.255.255.0
Jon
02-12-2010 11:59 AM
Mistake on my part when I edited the pasted config; I can confirm the address is 192.168.3.1.
Thanks
Martyn
02-12-2010 12:34 PM
Martyn
Do the servers have their default-gateway set to the pix inside interface IP of 192.168.3.1 ?
Jon
02-12-2010 03:24 PM
Hi Jon, I will take a look at that next week. Apart from that, do the configs look OK to you?
Thanks
Martyn
02-26-2010 10:16 AM
Fantastic, it's now working.
How do I enable telnet to the PIX?
Thanks all
Martyn