PIX525 troubles

swilk
Level 1

We have recently upgraded from a PIX515 to a PIX525 and that is when the problems began. We have 3 interfaces configured on the PIX525: Inside, Outside and Net1. We have a DS3 going into the ISP’s router, then into our Packeteer. From our Packeteer into the Outside interface on the firewall. The Inside interface is our “protected” server area consisting of 100 or so servers running Linux, Windows and SUN. The Net1 interface is traffic to the rest of the University's campus. We run a 6509 with a SUP720 as our main switch and our only router. After the upgrade, we have had several issues with the ability of traffic from off campus getting to servers.

First known issue was a SUN machine hosting a web page. Anyone from on campus could access the page but no one from off campus could access the page. We tried everything, including opening access to the server over every port. Nothing worked. Finally we changed all IP information on the server itself (IP address, Gateway ..) and then changed it back to its original settings. When we did this it worked.

Second known issue was also a SUN machine running a web page. Same problems, but this time a simple reboot of the machine solved the problem.

Third issue, Windows2000 server needing SSH access from off campus. Reboot did not work but changing all IP information did.

There have been a collection of 10 or so servers having similar issues. In all cases, traffic from on campus is able to access the servers just fine, but off campus traffic is having problems. Sometimes rebooting works, sometimes changing all IP information works.

This morning we had a Linux machine with the same problems. We tried everything, opened all ports to the world, changed IP information, rebooted. Nothing worked. We finally took that server completely off-line and set up a second box with identical IP settings and that box worked. We then took the new machine off-line and placed the original server with its original settings back on-line … it worked.

I am out of ideas … anyone ever seen anything like this? Or have any ideas on what to look at next?

6 Replies

Patrick Iseli
Level 7

Can you publish a part of the config in the forum?

- access-list

- nat and globals

- statics

- nat 0

- routes

I guess that the inside has a security level of 100 and the outside has 0. Campus might be something like 50, anyway between 100 and 0.

To access the inside from campus you need an access-list and a NONAT or a static.

Another problem might be that you try to connect with the public IP? To fix that you need to do Destination NAT or DNS doctoring, but DNAT would be better.

Please provide us with a sample config without all public IPs; use names instead.

sincerely

Patrick

Sample of our PIX config ....

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 net1 security50
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host 123.xxx.201.32 eq www
access-list acl-out permit tcp any host 123.xxx.201.32 eq https
access-list acl-out permit tcp any host 123.xxx.201.32 eq 55851
access-list net1_access_in permit tcp any host 123.xxx.201.32 eq www
access-list net1_access_in permit tcp any host 123.xxx.201.32 eq https
access-list net1_access_in permit tcp any host 123.xxx.201.32 eq 55851
ip address outside 123.xxx.254.254 255.255.255.0
ip address inside 123.xxx.201.253 255.255.255.0
ip address net1 123.xxx.200.253 255.255.255.0
static (net1,outside) 123.xxx.0.0 123.xxx.0.0 netmask 255.255.0.0 0 0
static (inside,outside) 123.xxx.201.0 123.xxx.201.0 netmask 255.255.255.0 0 0
static (inside,net1) 123.xxx.201.0 123.xxx.201.0 netmask 255.255.255.0 0 0
access-group acl-out in interface outside
access-group net1_access_in in interface net1
route outside 0.0.0.0 0.0.0.0 123.xxx.254.253 1
route net1 123.xxx.0.0 255.255.0.0 123.xxx.200.254 1

Config review:

1.) The 3 statics define that no NAT is used, right?

You have configured:

static (net1,outside) 123.xxx.0.0 123.xxx.0.0 netmask 255.255.0.0

I would change this to:

static (net1,outside) 123.xxx.200.0 123.xxx.200.0 netmask 255.255.255.0

This will use the net1 123.xxx.200.0 network to communicate with the outside world and not use other nat (net1) or global statements.

2.) Your access-list for the campus network net1 allows only traffic to 123.xxx.201.32 with www, https and 55851; all other traffic is dropped, even DNS traffic. Probably that's why nothing is working any more. After the permit entries of an access-list follows a deny any any.

3.) I do not like the route net1 123.xxx.0.0 255.255.0.0 123.xxx.200.254 because of the subnet mask. Don't forget that even your inside and outside networks are part of that network 123.xxx.0.0.

It might be good to add the routes more explicitly with 255.255.255.0 or whatever the correct network mask is.

sincerely

Patrick

Correct. We are not using any NAT.

We will try changing the static (net1, outside) as you have suggested.

The DNS is entered and correct, it was just left out of my post.

We have tried changing the mask exactly as you suggested to no avail.

Again, I will try changing the static (net1, outside) and see if that helps. Any other ideas to try?

Have you done a:

clear xlate

clear arp

after the static change?

No, right now I do not see why that would not work.

Do you have error (xlate) messages in the log?

logg on

logg buff not

I suggest you put a traffic analyzer where the traffic passes and check if there is a reply.

Use snoop for the SUN boxes, tcpdump for your Linux boxes. Cisco PIX offers the capture command.

Enables packet capture capabilities for packet sniffing and network fault isolation.

capture capture_name [access-list acl_name] [buffer bytes] [ethernet-type type] [interface name] [packet-length bytes] [circular-buffer]
no capture capture_name [access-list [acl_name]] [interface name] [circular-buffer]
clear capture capture_name
show capture [capture_name] [access-list acl_name] [detail] [dump]

Have you cleared the ARP tables on the servers? But usually after about 10 minutes they are cleared by themselves, or after a reboot!

sincerely

Patrick

The problem was found. The first 2 static entries got reversed. I wasn't aware, but order does matter in static entries.
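Editor's note: two points in this thread can be checked with a small model rather than on a live PIX. Patrick's config review (the overlapping static (net1,outside) /16 and the implicit deny at the end of net1_access_in) and the final post's finding that static order matters both come down to first-match evaluation. The Python below is an added example, not code from the thread or from Cisco. It assumes the first static whose mapped side covers the destination wins (the rule the final post points to), uses constructed 10.123.x.x addresses as stand-ins for the page's 123.xxx.x.x, trims the access-lists to a few entries, and models only the static lookup and interface ACL, not xlates, routing or the real PIX parser.

```python
"""Model of PIX 6.3 inbound handling: ordered (first-match) statics plus an
interface access-list with an implicit deny. Added example, not from the thread.
The 10.123.x.x addresses are constructed stand-ins for the page's 123.xxx.x.x."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "domain": 53}
ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass
class Static:                 # static (real_if,mapped_if) MAPPED REAL netmask M
    real_if: str
    mapped_if: str
    real_net: ipaddress.IPv4Network
    mapped_net: ipaddress.IPv4Network

@dataclass
class Ace:                    # one access-list entry; dport None = any port
    action: str
    proto: str
    dst: ipaddress.IPv4Network
    dport: Optional[int]

@dataclass
class PixConfig:
    security: dict = field(default_factory=dict)       # nameif -> security level
    statics: list = field(default_factory=list)        # kept in config order
    acls: dict = field(default_factory=dict)           # acl name -> [Ace]
    access_groups: dict = field(default_factory=dict)  # interface -> acl name

def _net(addr, mask="255.255.255.255"):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _addr_spec(tok):
    """Consume 'any' | 'host A' | 'A MASK' from an access-list line."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return _net(tok[1]), tok[2:]
    return _net(tok[0], tok[1]), tok[2:]

def parse_config(text):
    """Parse only the commands this model needs; every other line is ignored."""
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                  # nameif ethernet1 inside security100
            cfg.security[t[2]] = int(t[3][len("security"):])
        elif t[0] == "static":                # static (real,mapped) MAPPED REAL netmask M 0 0
            real_if, mapped_if = t[1].strip("()").split(",")
            mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
            cfg.statics.append(Static(real_if, mapped_if, _net(t[3], mask), _net(t[2], mask)))
        elif t[0] == "access-list":           # access-list NAME permit PROTO SRC DST [eq PORT]
            name, action, proto = t[1], t[2], t[3]
            _, rest = _addr_spec(t[4:])       # source address is not used by this model
            dst, rest = _addr_spec(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            cfg.acls.setdefault(name, []).append(Ace(action, proto, dst, dport))
        elif t[0] == "access-group":          # access-group NAME in interface IF
            cfg.access_groups[t[4]] = t[1]
    return cfg

def lookup_static(cfg, ingress_if, dst):
    """First static whose mapped side sits on ingress_if and covers dst wins."""
    for s in cfg.statics:
        if s.mapped_if == ingress_if and dst in s.mapped_net:
            return s.real_if, s.real_net.network_address + (int(dst) - int(s.mapped_net.network_address))
    return None

def acl_permits(cfg, ingress_if, proto, dst, dport):
    """First matching entry decides; no match falls through to the implicit deny."""
    name = cfg.access_groups.get(ingress_if)
    if name is None:
        return None                           # no ACL bound: security levels decide
    for ace in cfg.acls.get(name, []):
        if ace.proto in ("ip", proto) and dst in ace.dst and ace.dport in (None, dport):
            return ace.action == "permit"
    return False

def inbound_decision(cfg, ingress_if, proto, dst_ip, dport=None):
    """Where a packet arriving on ingress_if for dst_ip ends up under this model."""
    dst = ipaddress.IPv4Address(dst_ip)
    hit = lookup_static(cfg, ingress_if, dst)
    if hit is None:
        return "dropped: no static covers destination"
    egress_if, real_ip = hit
    ok = acl_permits(cfg, ingress_if, proto, dst, dport)
    if ok is None:
        ok = cfg.security[ingress_if] > cfg.security[egress_if]
    return f"forwarded to {egress_if} ({real_ip})" if ok else f"dropped: access-list on {ingress_if} denies"

# Constructed config: the posted one with stand-in addresses and trimmed access-lists.
BASE = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 net1 security50
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host 10.123.201.32 eq www
access-list acl-out permit tcp any host 10.123.201.32 eq https
access-list net1_access_in permit tcp any host 10.123.201.32 eq www
access-group acl-out in interface outside
access-group net1_access_in in interface net1
"""
S_CAMPUS = "static (net1,outside) 10.123.0.0 10.123.0.0 netmask 255.255.0.0 0 0"
S_INSIDE = "static (inside,outside) 10.123.201.0 10.123.201.0 netmask 255.255.255.0 0 0"
S_NET1 = "static (inside,net1) 10.123.201.0 10.123.201.0 netmask 255.255.255.0 0 0"
POSTED_ORDER = BASE + "\n".join([S_CAMPUS, S_INSIDE, S_NET1])   # order as in the posted config
SWAPPED_ORDER = BASE + "\n".join([S_INSIDE, S_CAMPUS, S_NET1])  # first two statics swapped

if __name__ == "__main__":
    for label, text in (("posted order", POSTED_ORDER), ("swapped order", SWAPPED_ORDER)):
        cfg = parse_config(text)
        print(label, "| www from off campus:", inbound_decision(cfg, "outside", "tcp", "10.123.201.32", 80))
        print(label, "| ssh from campus:", inbound_decision(cfg, "net1", "tcp", "10.123.201.32", 22))
```

With the statics in the posted order, the /16 static for net1 is the first one whose mapped side is on outside and covers 10.123.201.32, so a web request from off campus is steered toward net1 and the inside web server never sees it; with the first two statics swapped, the /24 static for inside matches first and the request is forwarded to inside. The SSH query shows Patrick's point 2: net1_access_in permits only the listed ports, so SSH from campus to the same host falls through to the implicit deny even though the static (inside,net1) covers it.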