03-31-2003 02:11 AM - edited 02-20-2020 10:39 PM
On a PIX 515, when anybody from the outside (not the internet, another WAN site) tries to access the inside network, it can't. But if I ping from the inside network to an outside network host, it pings, and after this the outside network can access the inside network resources easily for up to 10 hours. After 10 or 12 hours the same problem happens again, and we have to ping from the inside network to the outside host if we want the outside host to access the inside network. Access-lists are being used and NAT is disabled. What could be the possible problem?
03-31-2003 04:46 AM
Are you running a VPN to establish connections to outside hosts?
03-31-2003 05:56 AM
We are also having the same issue as Haseeb. We are also using Access-lists, with NAT disabled. The communication is also between the inside and our DMZ. VPN is not involved here. PIX version is 6.2(2).
Regards,
Pradeep Majumder
03-31-2003 07:01 AM
Without seeing your or Haseeb's config it would be difficult to ascertain what the issue is.
Before you decide to post your configs on the forum, ensure you blank out or do not include the password lines from the config. I would also suggest starring out the IP addresses of your interfaces.
03-31-2003 08:11 AM
What do you mean by "nat is disabled"?
If you're using NAT 0 (or any other nat/global method) to provide connectivity to a lower security interface, then the hosts won't always be available for connectivity by the remote hosts. When you ping out, a translation is built and the hosts can connect. After a period of inactivity, the translation will time out and will no longer be available to that lower security interface. The ACL may be there, but there must be a NAT translation when accessing hosts from a lower security interface to a higher one.
This is what the static command is for: to make the NAT process always available. You can do static statements for a whole subnet that is really just NATted back to itself. For example, this command would NAT the whole inside network of 192.168.0.0/24 back to itself on the dmz interface. The translations will be "permanent" and not time out.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
-Shannon
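The difference Shannon describes, as an added PIX 6.x configuration sketch (not Shannon's, Haseeb's or Pradeep's actual config): the first block relies on a dynamic identity translation, so the inside hosts are only reachable from the dmz while an xlate built by outbound traffic still exists; the second replaces it with a static identity translation that never ages out. The interface names, the 192.168.0.0/24 inside network, the 172.16.1.10 dmz host, the ACL name and the port are constructed for illustration.

```text
! --- Form 1 (problem case): dynamic identity NAT ---
! nat 0 builds an xlate only when an inside host sends traffic outbound.
! Once the xlate idles past "timeout xlate", inbound dmz -> inside
! traffic is dropped even though the ACL permits it.
nat (inside) 0 192.168.0.0 255.255.255.0
timeout xlate 3:00:00

! --- Form 2 (fix): static identity NAT ---
! A static maps 192.168.0.0/24 to itself on the dmz side permanently,
! so no outbound packet is needed to "prime" the translation.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

! Either way the ACL on the lower-security interface is still required;
! the static only supplies the translation the ACL depends on.
access-list dmz_in permit tcp host 172.16.1.10 host 192.168.0.5 eq 80
access-group dmz_in in interface dmz
```

To confirm which situation you are in, compare the output of `show xlate` before and after pinging out from an inside host: with a static in place the entry for the inside subnet is present regardless of traffic, while with only nat 0 it appears after the ping and disappears once the xlate timeout elapses.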
03-31-2003 09:33 PM
Well, the VPN concentrator is behind the firewall (inside network), but I couldn't see any VPN config on the firewall; I didn't check the VPN concentrator. One more thing I want to tell: the border router to which the PIX is connecting has 3 serial interfaces. One is going to the internet and the other 2 go to other WAN sites (not internet). From the internet I want to access only the VPN concentrator, but from the other 2 WAN sites the whole network. Shannon also has a point. For the VPN I had used this command:
arp inside VPN-ip-address VPN-MAC-address
03-31-2003 09:35 PM
Does it have to do with the VPN concentrator config also? If yes, then what about the rest of the whole network? In the inside network I have 10.0.0.x and a 168 class B network.
03-31-2003 09:54 PM
I had checked the VPN concentrator; it is configured for VPN tunnels. The clients are able to access it from the internet, but only when you ping it from inside, and after 10 hours you have to ping again from inside to outside in order to maintain the connection. I had checked the access-lists also, but they seem fine to me. Should I use the SYSOPT CONNECTION PERMIT-IPSEC command? I will also try to use the static command.