PIX Config. problem

cabell911
Level 1

Does anyone see anything wrong with this config? I just recently had to switch ISPs and got only one IP from my new one. Since then, internet access has been sporadic at best and I can't seem to figure it out. Simple config for the most part, other than port redirection to a single internal host for smtp, pop3, and www. Thanks for any help.

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *********** encrypted
passwd ********** encrypted
hostname test
domain-name test.com
fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 108 permit ip 192.168.0.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.4.1.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside **.**.253.118 255.255.255.252
ip address inside 192.168.0.99 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 911 172.16.1.1-172.16.1.3
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 108
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp **.**.253.118 smtp 192.168.0.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp **.**.253.118 pop3 192.168.0.3 pop3 netmask 255.255.255.255 0 0
conduit permit tcp host **.**.253.118 eq www any
conduit permit tcp host **.**.253.118 eq smtp any
conduit permit tcp host **.**.253.118 eq pop3 any
established tcp 0 0 permitto tcp 0 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 **.**.253.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set wayne esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set wayne
crypto map wc 1 ipsec-isakmp
crypto map wc 1 match address 102
crypto map wc 1 set peer **.***.169.250
crypto map wc 1 set transform-set wayne
crypto map wc 10 ipsec-isakmp dynamic dynmap
crypto map wc interface outside
isakmp enable outside
isakmp key ******** address **.***.169.250 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 idle-time 1800
vpngroup vpdn3000 idle-time 1800
vpngroup group idle-time 1800
vpngroup pool idle-time 1800
vpngroup test address-pool 911
vpngroup test dns-server 192.168.0.3
vpngroup test wins-server 192.168.0.2
vpngroup test default-domain 911
vpngroup test idle-time 1800
vpngroup test password ********
telnet 192.168.0.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxx
: end

4 Replies

tohuang
Level 1

Hi,

Does it help if you remove the VPN?

Do you want to try to configure split tunnelling for your internet traffic, if possible?

Tony

No. Everything is the same as it has been for a couple of years. The only thing that has changed is that I changed ISPs and only got one external IP to use. So, I changed the outside interface IP, changed the static translations, and changed the conduits to point to my internal server that hosts smtp, pop3, and www. That is when my problems started.

I would suggest that you convert your conduits to access-lists first and check if this sorts out your problem. Mixing conduits and ACLs is not recommended, as the ACLs will always be executed first.

Also, clear translations with the command clear xlate after the change and save with write memory.

Also, here's a good document on converting conduits to ACLs by Bill Donaldson of the GIAC Organisation.

http://www.giac.org/practical/GSEC/Bill_Donaldson_GSEC.pdf

Hope this helps and let me know how you get on.

Jay.
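A worked version of the conversion Jay suggests, as an added example that is not part of the thread or of any Cisco tool. A conduit names the global (translated) address first and the foreign address second; an access-list entry lists source then destination, so the two addresses swap places, and on PIX 6.3 the ACL on the outside interface still references the global address, exactly as the conduit did. The script parses the three conduit lines from the posted config (the masked IP is replaced with a documentation address), emits the equivalent access-list entries, binds them with access-group, removes the old conduits so the two mechanisms are not mixed, and finishes with the clear xlate / write memory steps from the reply. The ACL name outside_in, the helper names, and the restriction to single-port operators (eq/lt/gt/neq) are this example's own assumptions.

```python
import re
from typing import List

# Constructed sample: the three conduit lines from the posted PIX 6.3 config.
# The real global IP is masked in the post, so a documentation address stands in.
SAMPLE_CONDUITS = """\
conduit permit tcp host 203.0.113.118 eq www any
conduit permit tcp host 203.0.113.118 eq smtp any
conduit permit tcp host 203.0.113.118 eq pop3 any
"""

# conduit <action> <proto> <global addr> [op port] <foreign addr> [op port]
# The global (translated) address is the destination and the foreign address
# the source; an access-list states them the other way round. Only the
# single-port operators are handled here (assumption); anything else is rejected.
_ADDR = r"host\s+\S+|any|\S+\s+\S+"
_PORT = r"(?:\s+(?P<{n}op>eq|lt|gt|neq)\s+(?P<{n}port>\S+))?"
CONDUIT_RE = re.compile(
    r"^conduit\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    rf"(?P<gaddr>{_ADDR}){_PORT.format(n='g')}\s+"
    rf"(?P<faddr>{_ADDR}){_PORT.format(n='f')}\s*$"
)


def _squash(s: str) -> str:
    """Collapse runs of whitespace so emitted commands are single-spaced."""
    return " ".join(s.split())


def conduit_to_acl(line: str, acl_name: str) -> str:
    """Rewrite one conduit line as the equivalent access-list entry."""
    m = CONDUIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported conduit syntax: {line.strip()!r}")
    # access-list <name> <action> <proto> <source> [op port] <destination> [op port]
    parts = ["access-list", acl_name, m["action"], m["proto"], _squash(m["faddr"])]
    if m["fop"]:
        parts += [m["fop"], m["fport"]]
    parts.append(_squash(m["gaddr"]))
    if m["gop"]:
        parts += [m["gop"], m["gport"]]
    return " ".join(parts)


def migration_commands(config_text: str, acl_name: str = "outside_in",
                       interface: str = "outside") -> List[str]:
    """Ordered command list: build the ACL, bind it to the interface, remove the
    conduits so the two are not mixed, then clear translations and save."""
    conduits = [_squash(l) for l in config_text.splitlines()
                if l.strip().startswith("conduit ")]
    if not conduits:
        return []
    cmds = [conduit_to_acl(c, acl_name) for c in conduits]
    cmds.append(f"access-group {acl_name} in interface {interface}")
    cmds += [f"no {c}" for c in conduits]
    cmds += ["clear xlate", "write memory"]
    return cmds


if __name__ == "__main__":
    print("\n".join(migration_commands(SAMPLE_CONDUITS)))
```

Running it prints the access-list lines, the access-group binding, the three "no conduit" lines and the two finishing commands in the order they would be pasted into the PIX; review the output against the static translations before applying it, since each ACL entry must match the global address and port of the static it is meant to expose.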

The access-lists are only applied at the crypto map.

Shouldn't have any bearing on my conduits.
