10-27-2001 07:27 AM - edited 03-08-2019 08:58 PM
PIX 520 with a 4 port and 2 single port ethernet cards running 5.1(4).
Access lists from inside to outside and dial-up networks, and the return, work fine but only ICMP traffic passes onto the perimeter network.
All the configured interfaces are on the 4 port card and the perimeter network is configured to allow ip any any both on the outbound and return.
No NAT is being used.
Anyone any ideas?
cheers,
russ
10-27-2001 05:36 PM
hi russ,
how much is a car? As always, it depends ...
please try to be a bit more specific:
what kind of traffic are you trying to get through the pix?
what is the pix's response (syslog)?
change ip and post the config.
btw: 5.1(4) is not really up to date (even in the deferred 5.1-train)
thanks
ralf krist
10-28-2001 01:55 AM
Outbound traffic we know is failing is HTTP and Telnet. We can't even telnet to the 3640 on the other side of the perimeter interface (via a FastHub).
Inbound traffic we know is failing is some IP mainframe printing which I think is initiated on port 512.
Don't have access to the logs at the moment, but from memory the outbound connection gets set up, then gets reset, and the return inbound then isn't allowed due to there being no matching outbound connection.
We are not seeing syslogs saying denied due to access-list xyz.
cheers,
Russ
10-28-2001 03:47 AM
Edited config here:
Note, I know the way 10.128.3.0 has been subnetted is messy and not ideal but is temporary waiting for another change. Remember that we can ping & traceroute and so I don't think this is the cause (?).
nameif ethernet0 external_services security0
nameif ethernet1 inside security100
nameif ethernet2 uk_wan security20
nameif ethernet3 dial_services security50
nameif ethernet4 eth4 security40
nameif ethernet5 eth5 security10
hostname NFW10
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inbound permit
.... 44 rules here, all permits no denys ....
access-list inbound permit
access-list no-nat permit ip any any
access-list outbound permit icmp any any
..... 205 rules, all permits, no denys, including....
access-list outbound permit ip 10.128.16.0 255.255.248.0 any
access-list outbound permit ip 10.128.14.0 255.255.254.0 any
access-list outbound permit tcp host 10.128.9.nn1 any eq 17
access-list outbound permit tcp host 10.128.9.nn2 any eq 17
access-list outbound permit udp host 10.128.9.nn1 any eq dnsix
access-list outbound permit udp host 10.128.9.nn2 any eq dnsix
access-list outbound permit udp host 10.128.9.nn1 any eq 17
access-list outbound permit udp host 10.128.9.nn2 any eq 17
access-list dialup permit
.... 15 rules here, all permits, no denys....
access-list dialup permit
access-list ukwan permit ip any 10.128.16.0 255.255.248.0
access-list ukwan permit ip any 10.128.14.0 255.255.254.0
access-list ukwan permit ip any 10.42.0.0 255.255.0.0
access-list ukwan permit ip any 10.10.115.0 255.255.255.0
access-list ukwan permit ip any 10.128.9.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging standby
no logging console
no logging monitor
logging buffered debugging
logging trap informational
logging history informational
logging facility 23
logging queue 512
logging host inside 10.128.9.220
logging host inside 10.128.14.237
interface ethernet0 100basetx
interface ethernet1 100full
interface ethernet2 10baset
interface ethernet3 10baset
interface ethernet4 10baset
interface ethernet5 100basetx
mtu external_services 1500
mtu inside 1500
mtu uk_wan 1500
mtu dial_services 1500
mtu eth4 1500
mtu eth5 1500
ip address external_services 10.128.2.254 255.255.255.0
ip address inside 10.128.9.248 255.255.255.0
ip address uk_wan 10.128.3.206 255.255.255.248
ip address dial_services 10.128.3.254 255.255.255.0
ip address eth4 127.0.0.4 255.255.255.255
ip address eth5 127.0.0.1 255.255.255.255
no failover
failover timeout 0:00:00
failover ip address external_services 10.128.2.253
failover ip address inside 10.128.9.247
failover ip address uk_wan 10.128.3.205
failover ip address dial_services 10.128.3.205
failover ip address eth4 0.0.0.0
failover ip address eth5 0.0.0.0
arp timeout 14400
nat (external_services) 0 access-list no-nat
nat (inside) 0 access-list no-nat
nat (uk_wan) 0 access-list no-nat
nat (dial_services) 0 access-list no-nat
access-group inbound in interface external_services
access-group outbound in interface inside
access-group ukwan in interface uk_wan
access-group dialup in interface dial_services
route uk_wan 0.0.0.0 0.0.0.0 10.128.3.201 1
route inside 10.10.115.0 255.255.255.0 10.128.9.254 1
route inside 10.128.14.0 255.255.254.0 10.128.9.254 1
route inside 10.128.16.0 255.255.248.0 10.128.9.254 1
route external_services
.... 10 of these ....
route external_services
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
floodguard enable
isakmp identity hostname
telnet timeout 60
terminal width 132
10-28-2001 09:31 AM
Problem fixed.
Turns out the perimeter network was returning traffic via a router at the DR site, hence the connections being reset on the PIX.
Managed services providers, huh!
cheers
russ
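The root cause in this thread (replies coming back via another router, so the PIX sees TCP segments with no matching connection and tears the session down) shows up in syslog long before anyone traces the path. Below is an added example, not from the thread or from Cisco, that checks for that pattern: it pairs "Built outbound TCP connection" messages with "Deny TCP (no connection)" messages and flags replies that arrive on an interface other than the one the connection was built toward. It assumes the PIX/ASA 302013 and 106015 message shapes; the log lines are constructed for illustration.

```python
import re

# Constructed sample lines in the shape of PIX/ASA messages 302013 and 106015.
# The first two connections are built toward external_services but their
# SYN/ACK replies show up on uk_wan: the classic asymmetric-return signature.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for external_services:10.128.2.10/23 (10.128.2.10/23) to inside:10.128.9.50/3345 (10.128.9.50/3345)
%PIX-6-106015: Deny TCP (no connection) from 10.128.2.10/23 to 10.128.9.50/3345 flags SYN ACK on interface uk_wan
%PIX-6-302013: Built outbound TCP connection 1002 for external_services:10.128.2.10/80 (10.128.2.10/80) to inside:10.128.9.51/4000 (10.128.9.51/4000)
%PIX-6-106015: Deny TCP (no connection) from 10.128.2.10/80 to 10.128.9.51/4000 flags SYN ACK on interface uk_wan
%PIX-6-106015: Deny TCP (no connection) from 192.0.2.7/80 to 10.128.9.52/4100 flags ACK on interface external_services
"""

BUILT_RE = re.compile(
    r"302013: Built outbound TCP connection (\d+) for "
    r"(\w+):([\d.]+)/(\d+) \([\d.]+/\d+\) to (\w+):([\d.]+)/(\d+)")
NOCONN_RE = re.compile(
    r"106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) "
    r"flags ([A-Z ]+?) on interface (\w+)")

def find_asymmetric_returns(log_text):
    """Return (server, client, built_if, seen_if) tuples for reply segments
    that arrived on a different interface than the one the PIX built the
    connection toward. Each hit points at a return path that bypasses the
    firewall, which is why the session is reset rather than ACL-denied."""
    built_on = {}   # (server ip/port, client ip/port) -> interface of the conn
    findings = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            _, srv_if, srv_ip, srv_port, _, cli_ip, cli_port = m.groups()
            built_on[(f"{srv_ip}/{srv_port}", f"{cli_ip}/{cli_port}")] = srv_if
            continue
        m = NOCONN_RE.search(line)
        if m:
            src_ip, src_port, dst_ip, dst_port, _flags, seen_if = m.groups()
            key = (f"{src_ip}/{src_port}", f"{dst_ip}/{dst_port}")
            # A no-connection deny for a flow we never built is just noise here;
            # one for a flow we did build, on the wrong interface, is the finding.
            if key in built_on and built_on[key] != seen_if:
                findings.append((key[0], key[1], built_on[key], seen_if))
    return findings

if __name__ == "__main__":
    for server, client, built_if, seen_if in find_asymmetric_returns(SAMPLE_LOG):
        print(f"{server} -> {client}: built via {built_if}, reply seen on {seen_if}")
```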