05-21-2006 09:05 AM - edited 03-09-2019 02:59 PM
Hi,
I am upgrading our hardware from a PIX 506E to a 515E (6.3(5)). I have a range of external IP addresses I use for services on the internal network. I had them working fine on the 506E. Once I moved to the 515E I cannot access anything from outside. I have had the ISP clear all ARP to make sure that would not cause a problem. I have looked over the configuration over and over with no success. I am sure the configuration is correct. Anyone have any advice or run into a similar problem?
Thanks
ds
05-26-2006 05:37 AM
Can you connect from inside to outside? If you are unable to connect from outside to inside, check your access-list that is applied to the outside interface. Also you will need static translations to connect to inside resources from outside.
05-26-2006 06:52 AM
Yes, I can connect from inside to outside. I can change the access-list and static translation to the outside interface's IP, and it connects fine. But once I change the static external IP back to what I need, it stops connecting. Logs do not show a connection was ever attempted. Just for a better example I have posted the outside and statics that I have.
ip address outside xxx.xxx.xxx.2 255.255.255.192
ip address inside 10.xxx.xxx.2 255.255.255.0
#
#
#
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.3 37377 10.xxx.xxx.51 37377 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.3 37363 10.xxx.xxx.52 37363 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.3 6666 10.xxx.xxx.53 6666 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.4 10.xxx.xxx.54 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.5 10.xxx.xxx.72 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.6 10.xxx.xxx.71 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.7 10.xxx.xxx.71 netmask 255.255.255.255 0 0
Thanks,
ds
05-26-2006 05:33 PM
Hi Dustin,
Your config looks fine (port redirection, other static nat).
You mentioned you can connect from inside to outside, but not from outside to inside. Is it for a specific host or all of them?
Quick check - what does your route statement look like? Do you have something like 'route outside 0.0.0.0 0.0.0.0'?
Rgds,
AK
05-28-2006 05:24 PM
AK,
Thanks for your response. I have attached my full config. I do have my default gateway set.
: Saved
: Written by enable_15 at 14:31:28.795 UTC Wed May 24 2006
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password **************** encrypted
passwd *************** encrypted
hostname chapix01
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 101 permit tcp any host xxx.xxx.xxx.4 range 0 65535
access-list 101 permit udp any host xxx.xxx.xxx.4 range 0 65535
access-list 101 permit tcp any host xxx.xxx.xxx.5 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.5 eq https
access-list 101 permit tcp any host xxx.xxx.xxx.6 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.6 eq https
access-list 101 permit tcp any host xxx.xxx.xxx.7 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.3 eq 37377
access-list 101 permit tcp any host xxx.xxx.xxx.3 eq 37363
access-list 101 permit tcp any host xxx.xxx.xxx.3 eq 6666
pager lines 48
logging on
icmp permit any outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxx.xxx.xxx.2 255.255.255.192
ip address inside 10.xxx.xxx.2 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.3 37377 10.xxx.xxx.51 37377 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.3 37363 10.xxx.xxx.52 37363 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.3 6666 10.xxx.xxx.53 6666 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.4 10.xxx.xxx.54 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.5 10.xxx.xxx.72 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.6 10.xxx.xxx.71 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.7 10.xxx.xxx.71 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
route inside 10.xxx.xxx.0 255.255.0.0 10.xxx.xxx.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.xxx.xxx.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 5
terminal width 80
Thanks in advance for any suggestions!
ds
05-28-2006 05:54 PM
Hi Dustin,
Looking at your existing ACL, I don't think you need to use the same ACL for both the inside and outside interfaces. The outside ACL is meant to control incoming/inbound traffic into your network, while the inside ACL is meant to control what traffic can go out from your internal/inside network.
The 1st statement 'permit ip any any' will override the other statements. It will permit access to your xx.3 - xx.7 hosts if internet users know the public IP (which can easily be scanned) without being restricted to the specified ports.
For the inside ACL, use a different name/ID and specify permit ip any any and icmp any any for testing purposes, e.g.:
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-group 100 in interface inside
For ACL 101, remove the 1st 'permit ip any any' statement and re-add it so it sits at the very end of the ACL. This will allow you to see the ACL statistics for hits on your opened ports like 80 & 443 when you issue the 'show access-list 101' command.
Then test, for example, access to xx.xx.xx.5 via WWW & HTTPS from outside, as well as pinging its public IP. Use the following commands to check the sessions:
sh access-list 101 -> look for any hitcount
sh conn | i 80 -> check incoming access to port 80 (www)
sh conn | i 443 -> check incoming access to port 443 (https)
If inbound access is still failing, check the log for that server.
Other than that, looks ok.
Rgds,
AK
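The ACL-ordering point AK makes above (a leading 'permit ip any any' hides every later line and its hit counts) can be checked offline. The following is an added example, not code from the thread or from Cisco: it parses a subset of PIX 6.3 access-list syntax (source 'any', destination 'any' or 'host', optional 'eq'/'range'), evaluates packets first-match the way the PIX does, and flags ACEs that an earlier, broader ACE makes unreachable. The addresses 203.0.113.x are constructed placeholders for the thread's xxx.xxx.xxx.x, and the named-port table is an assumption covering only the names used here.

```python
"""First-match evaluation and shadow detection for PIX 6.3 style ACL lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: small subset of the port names the PIX accepts in ACLs.
NAMED_PORTS = {"www": 80, "https": 443, "ftp": 21, "smtp": 25, "ssh": 22}

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+any\s+(?:any|host\s+(?P<host>\S+))"
    r"(?:\s+eq\s+(?P<eq>\S+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)

@dataclass
class Ace:
    action: str
    proto: str                        # ip, tcp, udp or icmp
    dst: Optional[str]                # None means 'any'
    ports: Optional[Tuple[int, int]]  # None means all ports
    text: str
    hitcnt: int = 0                   # mirrors the hitcnt shown by 'show access-list'

def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Group recognised access-list lines by ACL id, keeping their order."""
    acls: Dict[str, List[Ace]] = {}
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        ports = None
        if m.group("eq"):
            p = _port(m.group("eq"))
            ports = (p, p)
        elif m.group("lo"):
            ports = (int(m.group("lo")), int(m.group("hi")))
        ace = Ace(m.group("action"), m.group("proto"), m.group("host"), ports, raw.strip())
        acls.setdefault(m.group("acl"), []).append(ace)
    return acls

def _covers(a: Ace, proto: str, dst: str, port: Optional[int]) -> bool:
    if a.proto != "ip" and a.proto != proto:
        return False
    if a.dst is not None and a.dst != dst:
        return False
    if a.ports is not None and (port is None or not a.ports[0] <= port <= a.ports[1]):
        return False
    return True

def evaluate(acl: List[Ace], proto: str, dst: str, port: Optional[int] = None) -> Tuple[str, int]:
    """First match wins; anything unmatched hits the implicit deny (index -1)."""
    for i, ace in enumerate(acl):
        if _covers(ace, proto, dst, port):
            ace.hitcnt += 1
            return ace.action, i
    return "deny", -1

def _within(inner: Ace, outer: Ace) -> bool:
    """True when every packet matching `inner` would already match `outer`."""
    if outer.proto != "ip" and outer.proto != inner.proto:
        return False
    if outer.dst is not None and outer.dst != inner.dst:
        return False
    if outer.ports is not None:
        return inner.ports is not None and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return True

def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of ACEs that can never be hit because an earlier ACE covers them."""
    return [i for i, ace in enumerate(acl) if any(_within(ace, e) for e in acl[:i])]

def move_to_end(acl: List[Ace], index: int) -> List[Ace]:
    acl = list(acl)
    acl.append(acl.pop(index))
    return acl

# Constructed sample modelled on the thread's ACL 101, catch-all first.
SAMPLE_ACL = """\
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 101 permit tcp any host 203.0.113.4 range 0 65535
access-list 101 permit udp any host 203.0.113.4 range 0 65535
access-list 101 permit tcp any host 203.0.113.5 eq www
access-list 101 permit tcp any host 203.0.113.5 eq https
access-list 101 permit tcp any host 203.0.113.3 eq 6666
"""

def demo() -> dict:
    acl = parse_acls(SAMPLE_ACL)["101"]
    result = {"shadowed_as_posted": shadowed(acl)}          # every line after the first
    result["hit_before"] = evaluate(acl, "tcp", "203.0.113.5", 443)   # lands on 'permit ip any any'
    fixed = move_to_end(acl, 0)                              # AK's suggestion
    result["shadowed_after_move"] = shadowed(fixed)          # nothing hidden any more
    result["hit_after"] = evaluate(fixed, "tcp", "203.0.113.5", 443)  # lands on the https ACE
    result["catch_all"] = evaluate(fixed, "tcp", "203.0.113.5", 3389) # still permitted by the trailing line
    result["dropped"] = evaluate(fixed[:-1], "tcp", "203.0.113.5", 3389)  # implicit deny once it is removed
    return result

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the last two evaluations show: moving 'permit ip any any' to the bottom makes the per-port hit counts visible, but every port on every static is still reachable until that line is removed and the implicit deny takes over.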
05-30-2006 07:40 PM
AK,
Thank you for the advice. As soon as I get back to my office I will give this a shot and let you know the outcome.
Dustin