Issue Accessing specific URL from PIX 525 Firewall

Waqas Butt
Level 1

Dear All,

Router facing Internet >>> Switch >>> (Outside Interface) CISCO PIX 525 (Inside Interface) >>> Core Access Switch

I am facing an issue accessing a URL from behind the PIX firewall; NATing did not work at all, and I am even unable to traceroute to the IP of the URL from the firewall console itself.

But the URL can be accessed by connecting the network directly to the switch, using a public IP address on the switch interface.

I have also cleared xlate and refreshed all the rules.

Can someone advise (expert advice is required)? I'll share the config if required.

 

Regards,

Waqas

15 Replies

nkarthikeyan
Level 7

Hi Waqas,

Either the problem is with the access-list or with NAT. Could you please share your configuration so that I can try to help you out?

 

Regards

Karthik

 

Hi nkarthikeyan,

Here we go... and the traceroute is also attached.

I want to access the URL http://208.109.106.204 from the inside network, but it is not even pingable from the firewall itself.

Hi Waqas,

You have the right ACL set for the destination.

access-list acl_inside extended permit ip 10.1.40.0 255.255.254.0 208.109.0.0 255.255.0.0 log

But if you look at the NAT ACL for no-NAT, you have included the subnet 208.109.0.0. Give the command mentioned below and check; internet should go:

no access-list inside_nat0_outbound extended permit ip 10.1.40.0 255.255.254.0 208.109.0.0 255.255.0.0

So any traffic from 10.1.40.0 will be exempted from NATing, so you won't get internet access.

 

So remove the no-NAT statement as I said above and try.

 

Regards

Karthik
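An added example, not configuration from the thread, modelling the NAT-exemption behaviour Karthik describes in the reply above. It is a simplified model of PIX 7.x outbound NAT selection: the nat 0 access-list (NAT exemption) is evaluated first and wins, otherwise the lowest dynamic nat ID whose inside network matches the source is used with its global address. Class and function names are hypothetical, the interface address is the 85.194.97.34 mentioned later in the thread, and it assumes nat-control is off so an unmatched flow leaves untranslated.

```python
"""Simplified model of PIX 7.x outbound NAT selection, added here to show why the
nat 0 (NAT exemption) ACE discussed above breaks access to 208.109.0.0/16.
Added example, not configuration from the thread; class and function names are
hypothetical. Order modelled: the NAT-exemption ACL (nat (inside) 0 access-list)
is checked first and wins; otherwise the lowest dynamic nat ID whose inside
network matches the source is used with its global address. Assumes nat-control
is off, so a flow matching nothing leaves untranslated."""
import ipaddress
from dataclasses import dataclass, field

IPv4Net = ipaddress.IPv4Network


def net(addr: str, mask: str) -> IPv4Net:
    """Build a network from the 'address netmask' pair used in PIX ACLs."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class ExemptAce:
    """One 'access-list inside_nat0_outbound extended permit ip SRC DST' line."""
    src: IPv4Net
    dst: IPv4Net


@dataclass
class PixNat:
    outside_ip: str                                  # outside interface address
    exempt: list = field(default_factory=list)       # nat (inside) 0 access-list
    dynamic: dict = field(default_factory=dict)      # nat id -> [inside networks]
    globals_: dict = field(default_factory=dict)     # nat id -> global addr or "interface"

    def translate(self, src: str, dst: str) -> tuple:
        """Return (kind, source address as seen on the outside interface)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.exempt:                       # exemption is evaluated first
            if s in ace.src and d in ace.dst:
                return ("exempt", src)                # identity: private source leaves unchanged
        for nat_id in sorted(self.dynamic):           # then dynamic NAT/PAT
            if any(s in n for n in self.dynamic[nat_id]):
                g = self.globals_[nat_id]
                return ("pat", self.outside_ip if g == "interface" else g)
        return ("untranslated", src)


def thread_config(with_nat0_ace: bool) -> PixNat:
    """Rules from the thread: nat (inside) 1 10.1.40.0/23, global (outside) 1 interface,
    plus (optionally) the nat 0 ACE for 208.109.0.0/16 that the reply says to remove."""
    pix = PixNat(outside_ip="85.194.97.34")
    pix.dynamic[1] = [net("10.1.40.0", "255.255.254.0")]
    pix.globals_[1] = "interface"
    if with_nat0_ace:
        pix.exempt.append(ExemptAce(net("10.1.40.0", "255.255.254.0"),
                                    net("208.109.0.0", "255.255.0.0")))
    return pix


def routable_on_internet(addr: str) -> bool:
    """An RFC 1918 source address is not globally routable, so replies never come back."""
    return ipaddress.ip_address(addr).is_global


if __name__ == "__main__":
    for label, cfg in (("with nat0 ACE", thread_config(True)),
                       ("without nat0 ACE", thread_config(False))):
        kind, seen = cfg.translate("10.1.41.2", "208.109.106.204")
        print(f"{label}: 10.1.41.2 -> 208.109.106.204 is {kind}, "
              f"source on wire {seen}, routable={routable_on_internet(seen)}")
```

With the nat 0 ACE present, a packet from 10.1.41.2 to 208.109.106.204 leaves the outside interface with its private source intact, so the upstream router either drops it or has nowhere to send the reply; to any other destination the same host is PATed to the interface address and works, which matches the symptom of a single subnet failing while everything else is reachable.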

Hi,

Sure, I did this...

and i have only the following in place:

access-list acl_inside extended permit ip 10.1.40.0 255.255.254.0 208.109.0.0 255.255.0.0 log

But still I am unable to reach 208.109.106.204 from the inside network. Moreover, this was working fine earlier without an ACL, but just 4 days ago it stopped, and I have tried a lot using ACL rules and exemptions to allow the access. The PIX appliance just won't ping this subnet and also won't let traffic pass through.

Any other workaround?

Cheers,

Waqas

 

Hi,

 

Does that happen only with that specific site, or with all internet sites?

 

Can you try to ping 4.2.2.2 or some other generic public IP, like google/yahoo/cisco.com IPs?

 

Regards

Karthik

hi

We are able to access everything outside. It is only an issue with this site and the subnet 208.109.0.0/16.

Cheers,

Waqas

Hi Waqas,

 

I doubt whether they have blocked the specific IP address somewhere in the path.

 

We can try one more thing: instead of using the interface as the PAT address, can you try using some other IP address in the public block?

 

85.194.97.34 is your interface IP and .33 is your gateway. Can you use 87.194.97.35 for your PAT, if available?
no global (outside) 1 interface
global (outside) 1 87.194.97.35
nat (inside) 1 10.1.40.0 255.255.254.0

Also make sure that you have the return route in the internet router pointing back to the firewall outside interface:

ip route 87.194.97.32 255.255.255.240 87.194.97.34 in your internet router.

 

Regards

Karthik

Hi Karthik,

Similar thoughts. Sure, I will try this and let you know. Yes, my public block is free. Currently I am at a remote location; I will do this config and check if it's working.

Appreciate your support.

 

Regards,

Waqas

 

Hi Waqas,

 

Yes, please try it that way. You said you are able to access that from the internet switch by assigning the public IP directly, right? Use that same IP in the PAT and try.

 

Regards

Karthik

Hi Karthik,

I have changed the settings as we planned, but no luck.

Please also see the xlate output below (PAT flags).

global (outside) 1 87.194.97.36
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.40.0 255.255.254.0
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 85.194.97.33 1

 

 

show xlate detail
2798 in use, 2798 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
UDP PAT from inside:10.1.41.2/50463 to outside:87.194.97.36/55437 flags ri
UDP PAT from inside:10.1.41.2/54118 to outside:87.194.97.36/18430 flags ri
UDP PAT from inside:10.1.41.2/64373 to outside:87.194.97.36/56176 flags ri
TCP PAT from inside:10.1.41.2/56688 to outside:87.194.97.36/16751 flags ri
UDP PAT from inside:10.1.41.2/63329 to outside:87.194.97.36/19333 flags ri
UDP PAT from inside:10.1.41.2/58098 to outside:87.194.97.36/49344 flags ri
UDP PAT from inside:10.1.41.2/53935 to outside:87.194.97.36/51044 flags ri
UDP PAT from inside:10.1.41.2/59574 to outside:87.194.97.36/11391 flags ri
UDP PAT from inside:10.1.41.2/57735 to outside:87.194.97.36/24946 flags ri
TCP PAT from inside:10.1.41.27/63618 to outside:87.194.97.36/15983 flags ri
TCP PAT from inside:10.1.41.79/2184 to outside:87.194.97.36/16503 flags ri
UDP PAT from inside:10.1.41.111/58608 to outside:87.194.97.36/17021 flags ri
UDP PAT from inside:10.1.41.111/64360 to outside:87.194.97.36/23578 flags ri

 

 

Inside we have two networks accessing the outside world:

10.1.40.0 - 255.255.254.0  - All Servers using this network 

10.1.41.0 - 255.255.254.0 - All Client Computers using this network

 

Hi Waqas,

 

It is normal in the case of dynamic PAT.

Your sh xlate detail output has

UDP PAT from inside:10.1.41.2/50463 to outside:87.194.97.36/55437 flags ri

At the same time, if you check the existing connection in the conn table:

sh conn | in 50463

<you can see the established connection>

 

Can you get me remote access to that firewall so that I can check it? It seems to be okay.

Also, did you check the routes on the internet router?

Regards

Karthik
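An added example, not from the thread, that does the xlate-to-conn check Karthik describes above in code: it parses the "show xlate detail" lines in the format Waqas posted, pulls the entry for an inside host/port, decodes its flags with the legend printed in that output, and looks for the matching "show conn" line (what "sh conn | in 50463" does at the CLI). Function names are hypothetical, and XLATE_SAMPLE and CONN_SAMPLE are constructed excerpts, not captures from the firewall.

```python
"""Parser for PIX/ASA 'show xlate detail' output, added to do the check described
above: pull the PAT entry for an inside host/port, decode its flags, and look for
the matching line in 'show conn' output (what 'sh conn | in 50463' does at the
CLI). Added example, not from the thread; function names are hypothetical, and
XLATE_SAMPLE / CONN_SAMPLE are constructed excerpts, not captures."""
import re
from collections import Counter

# Flag legend printed by 'show xlate detail' (as in the output above).
FLAG_LEGEND = {"D": "DNS", "d": "dump", "I": "identity", "i": "dynamic",
               "n": "no random", "r": "portmap", "s": "static"}

XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT from (?P<iif>\w+):(?P<iip>[\d.]+)/(?P<iport>\d+)"
    r" to (?P<oif>\w+):(?P<oip>[\d.]+)/(?P<oport>\d+) flags (?P<flags>\w+)$")

XLATE_SAMPLE = """\
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
UDP PAT from inside:10.1.41.2/50463 to outside:87.194.97.36/55437 flags ri
TCP PAT from inside:10.1.41.2/56688 to outside:87.194.97.36/16751 flags ri
TCP PAT from inside:10.1.41.27/63618 to outside:87.194.97.36/15983 flags ri
"""

# Constructed 'show conn' lines in the PIX 7.x layout; only the 56688 and 63618
# flows have a conn entry, the UDP 50463 xlate has none.
CONN_SAMPLE = """\
TCP out 208.109.106.204:80 in 10.1.41.2:56688 idle 0:00:03 bytes 1420 flags UIO
TCP out 72.14.207.99:80 in 10.1.41.27:63618 idle 0:00:10 bytes 5610 flags UIO
"""


def parse_xlates(text: str) -> list:
    """Return one dict per PAT line; header and unknown lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["iport"], row["oport"] = int(row["iport"]), int(row["oport"])
            rows.append(row)
    return rows


def decode_flags(flags: str) -> list:
    """Expand the flag letters using the legend from the command output."""
    return [FLAG_LEGEND.get(c, f"unknown({c})") for c in flags]


def find_by_local_port(rows: list, port: int) -> list:
    """The xlate(s) for an inside source port, e.g. 50463 in the reply above."""
    return [r for r in rows if r["iport"] == port]


def conn_for_xlate(conn_text: str, row: dict) -> list:
    """Lines of 'show conn' that carry this xlate's inside host:port."""
    needle = f"{row['iip']}:{row['iport']}"
    return [l for l in conn_text.splitlines() if needle in l]


def count_per_host(rows: list) -> Counter:
    """How many translations each inside host currently holds."""
    return Counter(r["iip"] for r in rows)


def off_global(rows: list, expected_global: str) -> list:
    """Entries not using the configured global address (should be empty after the change)."""
    return [r for r in rows if r["oip"] != expected_global]


if __name__ == "__main__":
    rows = parse_xlates(XLATE_SAMPLE)
    for r in rows:
        conns = conn_for_xlate(CONN_SAMPLE, r)
        print(f"{r['proto']} {r['iip']}/{r['iport']} -> {r['oip']}/{r['oport']} "
              f"{decode_flags(r['flags'])} conns={len(conns)}")
```

An xlate with no matching conn line is not by itself a fault: a UDP PAT entry lingers for its timeout after the last packet. What the check tells you is whether the firewall built a translation and a connection for the flow at all; if both exist and the traffic still fails, the problem is past the outside interface (the return route or filtering on the path), which is why the next question in the thread is about the routes on the internet router.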

Hi Karthik,

Can you send me an email at: waqas_buttg@hotmail.com

I will reply to you with the access details.

Regards,

Waqas

 

Hi,

 

Sent email - from nkartheekeyan@hotmail.com

 

Regards

Karthik