05-16-2003 04:20 AM - edited 02-20-2020 10:44 PM
I have upgraded from version 6.0(2) to 6.22 and then to 6.31, only to find that the PIX stops passing my X-windows traffic in the later versions of software. My configuration remains unchanged and the upgrade process went fine. I have opened a couple of cases and had no luck, other than to downgrade back to 6.0(2), which is unacceptable. Has anyone else run across anything similar?
05-16-2003 10:29 AM
Hi. Can you give us a few more details about the setup?
Are you trying to connect inbound or outbound with the X-windows data? Do you have any ACLs or static maps in place? Do any errors get generated when the traffic is stopped? Etc.
Regards,
-Joshua
05-16-2003 12:31 PM
The traffic is inbound and the appropriate ACLs are applied. I do not receive any errors. In my syslogs it appears the PIX denies the traffic and I see a TCP reset. My config is the same as it was while I was running 6.0(2) and X-windows was working fine. Thanks.
05-20-2003 04:21 AM
Hi. Can you post your ACL configurations as well as your static maps and any errors that get logged to syslog?
Thanks.
05-20-2003 04:55 AM
access-list 100 permit tcp host 165.166.240.2 host 165.166.242.35
access-list 100 permit tcp host 165.166.240.3 host 165.166.242.35
access-list 100 permit tcp host 165.166.240.4 host 165.166.242.35
access-list 100 permit tcp host 165.166.240.7 host 165.166.242.35
access-list 100 permit tcp host 165.166.240.8 host 165.166.242.35
There are no statics since we are routing this class C internally for now.
Syslog:
May 16 2003 14:35:34: %PIX-6-302013: Built inbound TCP connection 5788701 for outside:165.166.240.3/40641 (165.166.240.3/40641) to inside:165.166.242.35/6000 (165.166.242.35/6000)
May 16 2003 14:35:40: %PIX-6-302014: Teardown TCP connection 5788784 for outside:165.166.240.2/0 to inside:165.166.242.35/6000 duration 0:00:00 bytes 0 Deny
May 16 2003 14:35:54: %PIX-6-302014: Teardown TCP connection 5788701 for outside:165.166.240.3/40641 to inside:165.166.242.35/6000 duration 0:00:20 bytes 22220 TCP Reset-I
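As an added example (not from this thread or from Cisco), a small Python parser for the %PIX-6-302014 teardown lines quoted above. It flags X11 connections (destination port 6000-6063) that the PIX closed with a Deny before any data moved, or that ended in a reset, so the two failure modes visible in the syslog can be told apart in bulk. The sample lines are constructed to mirror the ones posted above; the classification labels are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the PIX 6.x syslog excerpt posted in the thread.
SAMPLE_LOG = """\
May 16 2003 14:35:34: %PIX-6-302013: Built inbound TCP connection 5788701 for outside:165.166.240.3/40641 (165.166.240.3/40641) to inside:165.166.242.35/6000 (165.166.242.35/6000)
May 16 2003 14:35:40: %PIX-6-302014: Teardown TCP connection 5788784 for outside:165.166.240.2/0 to inside:165.166.242.35/6000 duration 0:00:00 bytes 0 Deny
May 16 2003 14:35:54: %PIX-6-302014: Teardown TCP connection 5788701 for outside:165.166.240.3/40641 to inside:165.166.242.35/6000 duration 0:00:20 bytes 22220 TCP Reset-I
"""

# Interface names on the PIX may contain hyphens (e.g. DMZ-1), hence [\w-].
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w[\w-]*):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w[\w-]*):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<nbytes>\d+)(?: (?P<reason>.+))?$"
)

@dataclass
class Teardown:
    conn: int
    src: str       # "iface:ip/port" as logged
    dst: str
    dst_port: int
    duration: str
    nbytes: int
    reason: str    # trailing teardown reason, "" if absent

def parse_teardowns(log_text):
    """Return one Teardown per %PIX-6-302014 line; other message IDs are ignored."""
    found = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        found.append(Teardown(
            int(m["conn"]),
            f'{m["src_if"]}:{m["src_ip"]}/{m["src_port"]}',
            f'{m["dst_if"]}:{m["dst_ip"]}/{m["dst_port"]}',
            int(m["dst_port"]), m["duration"], int(m["nbytes"]), m["reason"] or ""))
    return found

def classify_x11(t):
    """Label an X11 teardown (X display ports 6000-6063); None for non-X11 traffic."""
    if not 6000 <= t.dst_port <= 6063:
        return None
    if t.reason == "Deny" and t.nbytes == 0:
        return "denied-before-data"   # policy dropped it, nothing was exchanged
    if t.reason.startswith("TCP Reset"):
        return "reset"                # -I: RST from the inside host, -O: from outside
    return "normal"

def x11_findings(log_text):
    """(connection id, label) for every X11 teardown that did not end normally."""
    return [(t.conn, classify_x11(t)) for t in parse_teardowns(log_text)
            if classify_x11(t) not in (None, "normal")]
```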
05-20-2003 10:05 AM
Maybe I'm missing something here, but you say you're not using any static maps? How are you passing the traffic from the outside interface to your internal server?
If you can post your entire configuration, I can attempt to reproduce what you're doing and find out where the problem is.
Regards,
-Joshua
05-20-2003 11:35 AM
Inside client is 165.166.242.35 running Hummingbird Exceed.
Outside servers are 165.166.240.2,3,4,7, and 8. I have allowed all TCP traffic from 165.166.240.2-8 to 165.166.242.35 so statics are not required. Keep in mind this config works great on 6.0(2).
:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet4 100full
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 FAILOVER security10
nameif ethernet3 DMZ-3 security15
nameif ethernet4 DMZ-2 security20
nameif ethernet5 DMZ-1 security25
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit ip host 207.144.131.35 host 165.166.242.15
access-list 100 permit ip host 207.144.131.35 host 165.166.242.16
access-list 100 permit ip any host 165.166.200.2
access-list 100 permit tcp host 165.166.240.2 host 165.166.242.35
access-list 100 permit tcp host 165.166.240.3 host 165.166.242.35
access-list 100 permit tcp host 165.166.240.4 host 165.166.242.35
access-list 100 permit tcp any host 165.166.200.5 eq ftp
access-list 100 permit esp any host 165.166.200.6
access-list 100 permit udp any host 165.166.200.6
access-list 100 permit ip any host 165.166.242.51
access-list 100 permit tcp any host 165.166.242.51 eq 5900
access-list 100 permit tcp any host 165.166.200.6 eq 6000
access-list 100 permit tcp any host 165.166.200.6 eq 6001
access-list 100 permit tcp any host 165.166.200.6 eq 6002
access-list 100 permit tcp any host 165.166.200.6 eq 6003
access-list 100 permit tcp any host 165.166.200.6 eq 6004
access-list 100 permit udp any host 165.166.200.6 eq 10001
access-list 100 permit tcp any host 165.166.200.6 eq login
access-list 100 permit tcp host 165.166.240.7 host 165.166.242.35
access-list 100 permit tcp host 165.166.240.8 host 165.166.242.35
access-list 100 permit tcp any host 165.166.200.7 eq ftp
access-list 100 permit tcp any host 165.166.200.7 eq www
access-list 100 permit udp any host 165.166.200.7 eq snmp
access-list 100 permit udp any host 165.166.200.7 eq snmptrap
access-list 100 permit udp any host 165.166.200.5 eq 21
access-list 100 permit tcp any host 165.166.200.7 eq 8081
access-list 100 permit udp any host 10.100.26.33 eq 2076
access-list 100 permit udp any host 10.100.26.33 eq 2077
access-list 100 permit udp any host 10.100.26.33 eq 2078
access-list 100 permit udp any host 165.166.175.250 eq 2076
access-list 100 permit udp any host 165.166.175.250 eq 2077
access-list 100 permit tcp any host 165.166.242.51 eq 5800
access-list 100 permit tcp any host 165.166.200.7 eq pop3
access-list 100 permit udp any host 165.166.200.7 eq tftp
access-list 100 permit udp any host 10.100.26.34 eq 59156
access-list 100 permit tcp any host 165.166.175.250 eq 2078
access-list 100 permit udp host 209.193.244.50 host 165.166.200.10 eq snmp
access-list 100 permit udp host 209.193.244.50 host 165.166.200.10 eq snmptrap
access-list 100 permit udp host 209.193.244.50 host 165.166.200.10 eq 24
access-list 100 permit udp host 209.193.244.50 host 165.166.200.10 eq 27
access-list 100 permit udp host 209.193.244.50 host 165.166.200.10 eq 1301
access-list 100 permit tcp any host 165.166.175.250 eq smtp
access-list 100 permit tcp any host 165.166.200.7 eq smtp
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 165.166.175.250 eq www
access-list 100 permit ip host 165.166.240.6 host 165.166.242.35
access-list 100 permit tcp host 165.166.240.6 host 165.166.242.35
access-list 100 permit udp host 165.166.240.6 host 165.166.242.35
access-list 100 permit icmp host 165.166.240.6 host 165.166.242.35
access-list 100 permit tcp any host 165.166.200.7 eq ssh
access-list 100 permit tcp any host 10.100.13.32 eq https
access-list 100 permit tcp any host 10.100.13.32 eq www
access-list 100 permit tcp any host 165.166.175.250 eq https
access-list 100 permit tcp any host 165.166.200.6 eq https
access-list 100 permit tcp any host 165.166.200.7 eq domain
access-list 100 permit udp any host 165.166.200.7 eq domain
access-list 100 permit tcp any host 165.166.200.17 eq ssh
access-list 100 permit udp any host 165.166.200.17 eq snmp
access-list 100 permit udp any host 165.166.200.17 eq snmptrap
access-list 100 permit udp any host 165.166.200.17 eq 22
access-list 100 permit udp any host 165.166.200.7
access-list 100 permit tcp any host 165.166.200.13 eq 10032
access-list 100 permit tcp any host 165.166.200.13 eq h323
access-list 100 permit tcp any host 165.166.200.13 eq 49152
access-list 100 permit tcp any host 165.166.200.13 eq 49153
access-list 100 permit tcp any host 165.166.200.13 eq 49154
access-list 100 permit tcp any host 165.166.200.13 eq 49155
access-list 100 permit tcp any host 165.166.200.13 eq 49156
access-list 100 permit tcp any host 165.166.200.13 eq 49157
access-list 100 permit tcp any host 165.166.200.13 eq 49158
access-list 100 permit tcp any host 165.166.200.13 eq 49159
access-list 100 permit udp any host 165.166.200.13 eq 49153
access-list 100 permit udp any host 165.166.200.13 eq 49154
access-list 100 permit udp any host 165.166.200.13 eq 49156
access-list 100 permit udp any host 165.166.200.13 eq 49157
access-list 100 permit udp any host 165.166.200.13 eq 49158
access-list 100 permit udp any host 165.166.200.13 eq 49159
access-list 100 permit tcp any host 165.166.200.12 eq smtp
access-list 100 permit tcp host 204.116.80.28 host 165.166.242.18 eq 397
access-list 100 permit tcp host 204.116.80.28 host 165.166.242.15 eq 397
access-list 100 permit udp host 204.116.80.28 host 165.166.242.15 eq 397
access-list 100 permit udp host 204.116.80.28 host 165.166.242.18 eq 397
access-list 100 permit udp 165.166.175.0 255.255.255.0 host 165.166.200.44 eq radius
access-list 100 permit udp 165.166.175.0 255.255.255.0 host 165.166.200.44 eq radius-acct
access-list 100 permit udp 165.166.175.0 255.255.255.0 host 165.166.200.44 eq 1812
access-list 100 permit udp 165.166.175.0 255.255.255.0 host 165.166.200.44 eq 1813
access-list 100 permit tcp any host 165.166.200.13 eq 10025
access-list 100 permit tcp any host 165.166.200.13 eq 10026
access-list 100 permit tcp any host 165.166.200.13 eq 10027
access-list 100 permit tcp any host 165.166.200.12 eq 10028
access-list 101 permit icmp 165.166.200.0 255.255.255.224 host 165.166.200.1 echo-reply
access-list 101 permit tcp host 165.166.200.12 host 165.166.200.1 eq smtp
access-list 101 permit tcp host 165.166.200.12 host 165.166.200.1 eq 3389
access-list 101 permit icmp host 165.166.200.6 any
access-list 101 permit icmp host 165.166.200.6 any echo-reply
access-list 101 permit tcp host 165.166.200.7 any eq 8081
access-list 101 permit tcp host 165.166.200.7 any eq telnet
access-list 101 permit udp host 165.166.200.7 any eq snmp
access-list 101 permit udp host 165.166.200.7 any eq snmptrap
access-list 101 permit icmp host 165.166.200.7 any
access-list 101 permit icmp host 165.166.200.7 any echo-reply
access-list 101 permit tcp host 165.166.200.6 any
access-list 101 permit ip host 165.166.200.6 any
access-list 101 permit udp host 165.166.200.6 any
access-list 101 permit tcp host 165.166.200.5 any eq ftp
access-list 101 permit esp host 165.166.200.6 any
access-list 101 permit tcp host 165.166.200.12 any eq smtp
ip address outside 165.166.175.250 255.255.255.0
ip address inside 10.100.10.4 255.255.255.0
ip address FAILOVER 192.168.1.1 255.255.255.0
ip address DMZ-3 127.0.0.1 255.255.255.255
ip address DMZ-2 165.166.200.33 255.255.255.224
ip address DMZ-1 165.166.200.1 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
global (DMZ-2) 1 interface
global (DMZ-1) 1 interface
nat (inside) 0 access-list 200
nat (inside) 0 165.166.0.0 255.255.0.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) udp 165.166.175.250 2076 10.100.26.33 2076 netmask 255.255.255.255 0 0
static (inside,outside) udp 165.166.175.250 2077 10.100.26.33 2077 netmask 255.255.255.255 0 0
static (inside,outside) tcp 165.166.175.250 2078 10.100.26.33 2078 netmask 255.255.255.255 0 0
static (inside,outside) tcp 165.166.175.250 www 10.100.13.32 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 165.166.175.250 pptp 10.104.10.37 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 165.166.175.250 https 10.100.13.32 https netmask 255.255.255.255 0 0
static (inside,DMZ-1) tcp 165.166.200.1 smtp 10.100.13.32 smtp netmask 255.255.255.255 0 0
static (DMZ-1,outside) 165.166.200.5 165.166.200.5 netmask 255.255.255.255 0 0
static (DMZ-1,outside) 165.166.200.6 165.166.200.6 netmask 255.255.255.255 0 0
static (DMZ-1,outside) 165.166.200.7 165.166.200.7 netmask 255.255.255.255 0 0
static (inside,outside) 165.166.200.10 10.100.26.34 netmask 255.255.255.255 0 0
static (DMZ-1,outside) 165.166.200.14 165.166.200.14 netmask 255.255.255.255 0 0
static (DMZ-1,outside) 165.166.200.17 165.166.200.17 netmask 255.255.255.255 0 0
static (inside,outside) 165.166.200.13 10.100.26.40 netmask 255.255.255.255 0 0
static (inside,outside) 165.166.200.44 10.101.10.44 netmask 255.255.255.255 0 0
static (DMZ-1,outside) 165.166.200.12 165.166.200.12 netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group 101 in interface DMZ-1
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 165.166.175.1 1
route inside 10.0.0.0 255.0.0.0 10.100.10.1 1
route DMZ-2 64.53.30.0 255.255.255.0 165.166.200.40 1
05-20-2003 12:31 PM
The established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535 command solved my problem.