08-11-2004 01:43 PM - edited 02-20-2020 11:33 PM
Any help would be appreciated.
I have configured many 501's in the past, but recently I ran into a problem that has me confused. Perhaps I am not configuring them the correct way or something. Anyway, here is my question:
ISP gave a block of 8 IP addresses (all usable because of the way their DSL is set up, according to them).
I configured the PIX with the first usable and assigned NAT/PAT the others to local devices (servers).
What is weird is that only some of the 8 usables work when NAT'd.
Below are parts of the cfg.
**********************
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list in_out permit tcp any host X.X.X.175 eq www
access-list in_out permit tcp any host X.X.X.175 eq smtp
access-list in_out permit tcp any host x.x.x.175 eq pop3
access-list in_out permit tcp any host x.x.x.175 eq 3389
access-list in_out permit tcp any host x.x.x.176 eq 3389
access-list in_out permit icmp any any echo-reply
access-list in_out permit icmp any any unreachable
access-list in_out permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.174 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.175 www 10.0.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.175 smtp 10.0.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.175 pop3 10.0.0.1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.175 3389 10.0.0.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.176 3389 10.0.0.2 3389 netmask 255.255.255.255 0 0
access-group in_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
********************
In this cfg the .175 NAT would not work. But if I changed it to .177, it worked just fine.
Since I was under time constraints, I slapped a 3Com firewall in with the same original IPs being NAT'd (.175) and it worked just fine. So I know there is nothing wrong with the IPs that the ISP gave me.
Any clue?
08-12-2004 04:56 AM
Something seems weird - are you sure you should be using a 255.255.255.0 subnet mask on the outside? Still, even if the mask is off, I cannot think of a permutation in which .175 would be unusable, except if you were assigned x.x.x.168/29, where .168 would be the network number and .175 would be the broadcast address. If that were the case, though, you are using the wrong IP pool. So I am fairly mystified, but I find it strange that you got 8 IP addresses but are using a /24 mask (255.255.255.0).
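The subnet arithmetic in the reply above, as an added example that is not part of the original thread: it reads the outside address and the static mappings from a PIX-style config and reports where each mapped address falls in the /29 block that contains it. The 192.0.2 prefix is a constructed stand-in for the masked x.x.x octets, and the /29 length is the reply's hypothesis, not something the ISP confirmed.

```python
import ipaddress
import re

# Constructed sample: 192.0.2 replaces the x.x.x octets masked in the thread.
SAMPLE_CONFIG = """\
ip address outside 192.0.2.174 255.255.255.0
static (inside,outside) tcp 192.0.2.175 www 10.0.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.175 smtp 10.0.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.176 3389 10.0.0.2 3389 netmask 255.255.255.255 0 0
"""

STATIC_RE = re.compile(
    r"^static \(inside,outside\) (?:tcp |udp )?(\d+\.\d+\.\d+\.\d+)", re.M)
OUTSIDE_RE = re.compile(r"^ip address outside (\S+) (\S+)", re.M)

def classify(addr, prefixlen):
    """Return (block, role) for addr inside the prefixlen-sized block holding it."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    ip = ipaddress.ip_address(addr)
    if ip == net.network_address:
        return net, "network"
    if ip == net.broadcast_address:
        return net, "broadcast"
    return net, "host"

def audit(config, isp_prefixlen=29):
    """Check every static mapping against the assumed ISP block size."""
    outside_ip, mask = OUTSIDE_RE.search(config).groups()
    configured = ipaddress.ip_network(f"{outside_ip}/{mask}", strict=False)
    outside_block, _ = classify(outside_ip, isp_prefixlen)
    findings = []
    mapped_addrs = sorted(set(STATIC_RE.findall(config)), key=ipaddress.ip_address)
    for mapped in mapped_addrs:
        block, role = classify(mapped, isp_prefixlen)
        findings.append({
            "address": mapped,
            "block": str(block),
            "role": role,  # network/broadcast addresses are not usable hosts
            "same_block_as_outside": block == outside_block,
            "inside_configured_mask": ipaddress.ip_address(mapped) in configured,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Under the /29 assumption, .175 is the broadcast address of the block that holds the outside interface (.174), while .176 starts the next block; with the configured /24 mask both look like ordinary hosts.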
08-12-2004 08:02 PM
Yeah, that is weird, but that is what the ISP said. I even advised them that I have never seen that before. They said 'That is the way they do DSL'.
Regardless the 3Com firewall worked just fine with it.
08-12-2004 08:19 PM
Was just advised by a friend to lower the image back to 6.1.
Currently I have 6.3.4 on the beast.
08-23-2004 11:59 AM
Downgraded to 6.22 and this did not resolve the problem.
Any help would be appreciated!