08-19-2002 04:48 PM - edited 02-20-2020 10:12 PM
We recently threw up a 525 w/failover. The problem is that our Kronos Timeclocks are not talking to the outside (the County). My guess is that these devices, for some reason, do not handle translation very well (or at all?). The correct UDP ports are opened in the PIX as well as the arp entries and a translated IP address. Has anyone here any experience with Kronos Timekeeper or similar time clock systems? We can't wait for the company to sort it out and are at a loss on what to do. Thoughts? Questions?
Thanks for the help.
--Josh--
08-20-2002 01:02 AM
Could you paste the config (minus passwords of course) so I can take a look?
08-20-2002 12:02 PM
Which part of the config?
08-23-2002 04:09 PM
Here is what we have to date. It WILL be locked down :)
My guess is that the arp traffic won't translate between the inside network and net1? Thanks for the help. So IP's changed.
--Josh--
-----------------------------------------------------------
Building configuration...
: Saved
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 net1 security40
nameif ethernet4 net2s security45
nameif ethernet5 open security95
nameif ethernet6 intf6 security30
hostname hostname
domain-name domain-name.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sqlnet 66
no fixup protocol smtp 25
names
access-list acl_in permit tcp any any
access-list acl_in permit icmp any any
access-list acl_in deny udp any host 192.168.128.211
access-list acl_in deny udp any host 192.168.128.212
access-list acl_in deny udp any host 192.168.128.17
access-list acl_in deny udp any host 192.168.128.210
access-list acl_in deny udp any host 192.168.156.48
access-list acl_in permit udp any any
access-list acl_out permit tcp any host 192.168.131.115 eq 22
access-list acl_out permit tcp any host 192.168.131.116 eq 22
access-list acl_out permit tcp any host 192.168.131.114 eq www
access-list acl_out permit tcp any host 192.168.131.114 eq 443
access-list acl_out permit tcp any host 192.168.131.114 eq 22
access-list acl_out permit udp any host 192.168.131.116 eq domain
access-list acl_out permit udp any host 192.168.131.115 eq domain
access-list acl_out permit tcp any host 192.168.131.114 eq smtp
access-list acl_out permit udp any host 192.168.131.116 eq nameserver
access-list acl_out permit udp any host 192.168.131.115 eq nameserver
access-list acl_dmz permit udp any any
access-list acl_dmz permit tcp any any
access-list acl_dmz permit icmp any any
access-list acl_net2 permit icmp any any
access-list acl_net2 permit tcp any any
access-list acl_net2 deny udp any host 192.168.156.48
access-list acl_net2 permit udp any any
access-list acl_net1 permit icmp any any
access-list acl_net1 permit tcp any host 192.168.122.6
access-list acl_net1 deny udp any host 192.168.156.48
access-list acl_net1 permit udp any any
pager lines 24
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 100full
interface ethernet6 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu net1 1500
mtu net2s 1500
mtu open 1500
mtu intf6 1500
ip address outside 192.168.131.125 255.255.255.240
ip address inside 10.63.32.22 255.255.254.0
ip address dmz 10.143.57.2 255.255.255.224
ip address net1 192.168.122.101 255.255.255.0
ip address net2 192.168.103.101 255.255.255.0
ip address open 10.198.226.1 255.255.255.224
ip address intf6 10.198.226.33 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 192.168.131.126
failover ip address inside 10.63.32.23
failover ip address dmz 10.143.57.5
failover ip address net1 192.168.122.102
failover ip address net2s 192.168.103.102
failover ip address open 10.198.226.2
failover ip address intf6 10.198.226.34
failover link intf6
pdm history enable
arp inside 10.63.38.13 0040.5801.dc20 alias
arp inside 10.63.38.12 0040.5801.dc01 alias
arp net1 192.168.122.53 0040.5801.dc20 alias
arp net1 192.168.122.52 0040.5801.dc01 alias
arp timeout 14400
global (outside) 1 192.168.131.124 netmask 255.255.255.240
global (dmz) 1 10.143.57.15 netmask 255.255.255.224
global (net1) 1 192.168.122.1 netmask 255.255.255.0
global (net2s) 1 192.168.103.5 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (net1) 1 0.0.0.0 0.0.0.0 0 0
nat (net2s) 1 0.0.0.0 0.0.0.0 0 0
nat (open) 1 0.0.0.0 0.0.0.0 0 0
nat (intf6) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 192.168.131.116 10.143.57.4 netmask 255.255.255.255 0 0
static (dmz,outside) 192.168.131.115 10.143.57.3 netmask 255.255.255.255 0 0
static (dmz,outside) 192.168.131.114 10.143.57.1 netmask 255.255.255.255 0 0
static (inside,dmz) 10.143.57.6 10.63.32.2 netmask 255.255.255.255 0 0
static (dmz,outside) 192.168.131.117 10.143.57.6 netmask 255.255.255.255 0 0
static (inside,net2s) 192.168.103.6 10.63.32.1 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.6 10.63.32.1 netmask 255.255.255.255 0 0
static (inside,dmz) 10.143.57.10 10.63.32.7 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.52 10.63.38.12 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.53 10.63.38.13 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.51 10.63.32.10 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.150 10.63.32.150 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.151 10.63.32.151 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.152 10.63.32.152 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.154 10.63.32.154 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.155 10.63.32.155 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.153 10.63.38.20 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.156 10.63.38.21 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.157 10.63.38.22 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.158 10.63.38.23 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.159 10.63.40.68 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.160 10.63.32.153 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.161 10.63.32.156 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.162 10.63.32.157 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.163 10.63.32.158 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.164 10.63.32.159 netmask 255.255.255.255 0 0
static (inside,net1) 192.168.122.165 10.63.32.160 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
access-group acl_net1 in interface net1
access-group acl_net2 in interface net2s
route outside 0.0.0.0 0.0.0.0 192.168.131.113 1
route inside 10.63.38.0 255.255.255.128 10.63.32.22 2
route inside 10.63.38.0 255.255.254.0 10.63.32.22 3
route inside 10.63.40.64 255.255.255.224 10.63.32.50 2
route net1 192.168.101.0 255.255.255.0 192.168.122.3 1
route net2s 192.168.104.0 255.255.255.0 192.168.103.12 1
route net1 192.168.150.0 255.255.255.0 192.168.122.3 3
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.63.32.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp inside
no sysopt route dnat
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 7200
telnet timeout 5
ssh 10.63.32.48 255.255.255.255 inside
ssh 10.63.32.49 255.255.255.255 inside
ssh timeout 60
terminal width 80
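A consistency check over a few lines of the configuration posted above, as an added example that is not part of the original post or any Cisco tool. It flags three things for review: an `ip address` line naming an interface that no `nameif` declares, a `route` whose next hop is the firewall's own interface address or lies off the connected subnet, and an ACL entry that permits any source to any destination. The `audit` function and `SAMPLE` excerpt are names made up for this example.

```python
import ipaddress
import re

# Excerpt copied from the configuration posted above (addresses as posted).
SAMPLE = """\
nameif ethernet1 inside security100
nameif ethernet3 net1 security40
nameif ethernet4 net2s security45
access-list acl_net1 permit udp any any
ip address inside 10.63.32.22 255.255.254.0
ip address net1 192.168.122.101 255.255.255.0
ip address net2 192.168.103.101 255.255.255.0
route inside 10.63.38.0 255.255.255.128 10.63.32.22 2
route inside 10.63.40.64 255.255.255.224 10.63.32.50 2
route net1 192.168.101.0 255.255.255.0 192.168.122.3 1
"""

def audit(config):
    """Return (line, finding) pairs for a PIX 6.x style configuration."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    declared = {t[2] for t in lines if t[0] == "nameif" and len(t) >= 3}
    own = {}  # interface name -> the firewall's own address and subnet
    for t in lines:
        if t[:2] == ["ip", "address"] and len(t) == 5:
            own[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
    findings = []
    for t in lines:
        text = " ".join(t)
        if t[:2] == ["ip", "address"] and len(t) == 5:
            if t[2] not in declared:
                findings.append((text, f"interface '{t[2]}' has no nameif"))
        elif t[0] == "route" and len(t) >= 5:
            ifc, gw = t[1], ipaddress.ip_address(t[4])
            if ifc not in own:
                findings.append((text, f"interface '{ifc}' has no address"))
            elif gw == own[ifc].ip:
                findings.append((text, "next hop is the firewall's own address"))
            elif gw not in own[ifc].network:
                findings.append((text, "next hop is not on the connected subnet"))
        elif t[0] == "access-list" and re.fullmatch(
                r"permit \S+ any any", " ".join(t[2:])):
            findings.append((text, "permits any source to any destination"))
    return findings

if __name__ == "__main__":
    for line, finding in audit(SAMPLE):
        print(f"{finding}: {line}")
```

Because the posted addresses were altered before posting, a finding here is a prompt to compare against the running configuration, not proof of a fault.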
08-26-2002 07:05 AM
Josh
Kronos clock is very time sensitive, but the timing is adjustable. Your problem may not be in the config. Your config looks fine to me. To adjust the timeout, the file is under \program files\kronos\wfc\dcm, file name is krdcm. Under [data collection manager] and [comm channel name], there are timeout statics you may change. You may need to contact Kronos to find out what will be the best timeout timing for you. They would like to see 70ms, but that's very hard to meet for WAN; we have changed to over 2min. Hope this will help. We are using the Kronos 400 terminal clock.