10-01-2004 05:40 AM - edited 02-20-2020 11:39 PM
I installed a PIX 506E last week and got it configured and it was working excellently. I had some issues with a new client connecting to our location in PA from here in NC through Citrix. To narrow down what the issue was, one night I replaced our PIX with our old router to see if maybe the PIX was causing the issue. Course, it was not and so I placed the PIX right back on. Now, our Exchange server will not get to the internet. It was fine before and I have not changed anything. I have reset the router over and over and reconfigured it and still get the same results. It does fine until you bind the static IP to the inside address. Here is the configuration I have. Do you see anything that could be causing this? Thanks.
ip address outside 24.xx.xx.221 255.255.255.0
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.4
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 24.172.94.220 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.xx.xx.211 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 24.xx.xx.210 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 24.xx.xx.212 192.168.1.4 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 24.xx.xx.211 eq 3389 any
conduit permit udp host 24.xx.xx.211 eq 3389
conduit permit tcp host 24.xx.xx.210 eq smtp any
conduit permit tcp host 24.xx.xx.210 eq pop3 any
conduit permit tcp host 24.xx.xx.210 eq www any
conduit permit tcp host 24.xx.xx.212 eq 3389 any
conduit permit udp host 24.172.94.212 eq 3389 any
route outside 0.0.0.0 0.0.0.0 24.xx.xx.209 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.253-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
10-01-2004 07:08 AM
Config looks good. Did you issue a clear xlate or reboot the PIX after making the changes to the static/nat/global statements? A clear xlate can be necessary to reinitialize the translate table after making changes to NATing.
10-01-2004 07:34 AM
You might have an ARP issue!! Check your outbound router.
By the way, conduits are replaced by access-lists now and are no longer supported.
sincerely
Patrick
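Added example (not part of any post in this thread): a small converter that rewrites the `conduit` lines from the posted configuration as `access-list` entries, following the note above that conduits have been replaced by access-lists. The ACL name `outside_in` is a hypothetical choice, addresses are treated as opaque tokens, and only the `eq` port operator is handled.

```python
# Added example: rewrite PIX "conduit" lines as "access-list" lines.
# ACL_NAME is a hypothetical name; addresses are kept as opaque tokens.
ACL_NAME = "outside_in"

def take_addr(tokens):
    """Consume one address spec: 'any', 'host <ip>' or '<ip> <mask>'."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return [tokens.pop(0)]
    if len(tokens) < 2:
        raise ValueError("incomplete address")
    return [tokens.pop(0), tokens.pop(0)]

def take_port(tokens):
    """Consume an optional 'eq <port>' qualifier (other operators not handled)."""
    if tokens and tokens[0] == "eq":
        if len(tokens) < 2:
            raise ValueError("missing port")
        return [tokens.pop(0), tokens.pop(0)]
    return []

def conduit_to_acl(line):
    """A conduit names the translated (global) host first; an ACL names the source first."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "conduit":
        raise ValueError("not a conduit line")
    action, proto, rest = tokens[1], tokens[2], tokens[3:]
    dst, dst_port = take_addr(rest), take_port(rest)
    src, src_port = take_addr(rest), take_port(rest)
    if rest:
        raise ValueError("unexpected trailing tokens")
    return " ".join(["access-list", ACL_NAME, action, proto,
                     *src, *src_port, *dst, *dst_port])

def convert(config_text):
    """Return (new config lines, rejected conduit lines with the reason)."""
    out, rejected = [], []
    for line in config_text.splitlines():
        if line.startswith("conduit"):
            try:
                out.append(conduit_to_acl(line))
            except ValueError as err:
                rejected.append((line, str(err)))
    out.append(f"access-group {ACL_NAME} in interface outside")
    return out, rejected

# Three conduit lines copied from the configuration posted in this thread.
SAMPLE = """conduit permit icmp any any
conduit permit tcp host 24.xx.xx.210 eq smtp any
conduit permit udp host 24.xx.xx.211 eq 3389"""
```

Calling `convert(SAMPLE)` returns the translated lines plus the `access-group` binding, and rejects the `udp` line because it has no foreign (source) address after the port.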
10-05-2004 07:23 AM
We have our cable modem in bridge mode and this firewall working as our router.
What gets me is that it was working perfectly until I just unplugged it for about 3 minutes and plugged it straight back in.
I don't even get to the access-list part of configuring it. Just when I put the "static (inside,outside)" for the 192.168.1.3 to the 24.xx.xx.210, I no longer have internet or anything on this server (email). I tried for the past couple days again with the same results with clear xlate, clear arp, resetting it 2 more times to defaults and trying again. Weird. Any more suggestions? I appreciate the help.
10-05-2004 09:11 AM
The ARP issue is probably on the outside router; try a clear arp, but usually after about 10 minutes these entries are cleared.