Why is pcAnywhere traffic not coming in?

earancibia
Level 1

I set up my PIX to let pcAnywhere come in to a certain machine, but it is not working. The following is my config:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **moderator edit** encrypted
passwd **moderator edit** encrypted
hostname **moderator edit**
domain-name inside.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 115 permit tcp any host 216.XXX..XXX.123 eq 5631
access-list 115 permit udp any host 216.XXX.XXX.123 eq 5632
access-list 115 permit icmp any any echo-reply
access-list 115 permit icmp any any time-exceeded
access-list 115 permit icmp any any unreachable
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 216.XXX.XXX.2 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.10 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.XXX..XXX.123 123 192.168.0.2 netmask 255.255.255.255 0 0
access-group 115 in interface outside
route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.10 255.255.255.255 inside
snmp-server location
snmp-server contact
snmp-server community **moderator edit**
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.0.10 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.0.11-192.168.0.254 inside
dhcpd dns 216.XXX.XXX.XXX 216.XXX.XXX.XXX
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain inside
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:**moderator edit**

Any help would be appreciated.

Thanks.

9 Replies

travis-dennis_2
Level 7

I can't help on the config, but are you sure that the default ports that pcAnywhere is using have not been changed? This is possible with the recent versions.

tvanginneken
Level 4

Hi

Your outside interface is subnetted, with 32 hosts per subnet:

ip address outside 216.XXX.XXX.2 255.255.255.224

so the range of IP addresses you can use is 216.XXX.XXX.1 -> 216.XXX.XXX.30

(with 216.XXX.XXX.0 as network address and 216.XXX.XXX.31 as broadcast address)

You configured your static translation:

static (inside,outside) 216.XXX..XXX.123 123 192.168.0.2 netmask 255.255.255.255 0 0

216.XXX.XXX.123 is not an address in the same subnet as the outside interface of your PIX. You should use an address between 216.XXX.XXX.0 and 216.XXX.XXX.31.

Kind Regards,

Tom

Tom,

Actually my outside IP is 216.xxx.xxx.234.... and the IP I am trying to use for pcAnywhere is 216.xxx.xxx.235. I entered the wrong numbers when editing my config.

But, I am still having this problem.

Are the above IP's okay to use in my config or should I be looking to get a different range of IPs?

Thanks,

Eduardo

Eduardo,

The two addresses you mention are in the same subnet. So that should not be a problem.

I don't have much time right now, but I'll try to have a look at it later today.

But could you try the 'debug packet' command to see whether there are actually pcAnywhere packets arriving on the outside interface?

debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]] [rx | tx | both]

'debug packet outside your_source_ip_address' should do it.

!!!! Be careful, because debugging really slows down your PIX !!!!

After the test, use the same command with 'no' in front of it to turn off debugging.

Regards,

Tom

My config now looks like this. I am able to get pcAnywhere to work on two machines, but there is one that cannot even go out on the internet anymore (216.73.164.234 --> 192.168.0.2); the only way I can get it to work is by removing the static entry or giving the machine a different IP.

Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **moderator edit** encrypted
passwd **moderator edit** encrypted
hostname **moderator edit**
domain-name xxx.xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 115 permit icmp any any echo-reply
access-list 115 permit icmp any any time-exceeded
access-list 115 permit icmp any any unreachable
access-list 115 permit tcp any host 216.xxx.xxx.236 eq 5631
access-list 115 permit udp any host 216.xxx.xxx.236 eq 5632
access-list 115 permit tcp any host 216.xxx.xxx.235 eq 5631
access-list 115 permit udp any host 216.xxx.xxx.235 eq 5632
access-list 115 permit tcp any host 216.xxx.xxx.234 eq ftp
access-list 115 permit tcp any host 216.xxx.xxx.234 eq 5631
access-list 115 permit udp any host 216.xxx.xxx.234 eq 5632
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 216.xxx.xxx.69 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.10 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.3 255.255.255.255 inside
pdm location 192.168.0.4 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.xxx.xxx.235 192.168.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 216.xxx.xxx.236 192.168.0.4 netmask 255.255.255.255 0 0
static (inside,outside) 216.xxx.xxx.234 192.168.0.2 netmask 255.255.255.255 0 0
access-group 115 in interface outside
route outside 0.0.0.0 0.0.0.0 216.39.237.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.10 255.255.255.255 inside
snmp-server location
snmp-server contact
snmp-server community **moderator edit**
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.0.10 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.0.11-192.168.0.254 inside
dhcpd dns 216.xxx.xxx.2 216.xxx.xxx.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain inside
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:**moderator edit**
: end
[OK]

If anyone has any idea why this machine cannot go on the internet after this entry, please let me know (FYI, this worked last night and this morning stopped working).

Thanks,

Eduardo
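The subnet check Tom walks through earlier in the thread (is the static's global address inside the outside interface's subnet?) and the pairing of each static with tcp/5631 and udp/5632 permits in the ACL applied inbound on outside can be checked mechanically before touching the box. The script below is an added example, not code from the thread: it parses the relevant PIX 6.x lines (ip address, access-list, static, access-group) and reports any static whose global address is off-subnet, any static lacking the pcAnywhere permits, and any global address used by more than one static (the "look for duplicate IPs" suggestion). The embedded config is constructed, modelled on the posted one, with 203.0.113.0/24 and 198.51.100.123 standing in for the redacted 216.xxx.xxx.x addresses; the port list and finding wording are this example's own choices.

```python
"""Sanity-check inbound static NAT + ACL pairing in a PIX 6.x config."""
import ipaddress
import re
from collections import Counter, defaultdict

# pcAnywhere defaults (pcAnywhere 10/11): TCP 5631 data, UDP 5632 status.
PCANYWHERE_PORTS = (("tcp", "5631"), ("udp", "5632"))

# Constructed sample, modelled on the thread's second config. 203.0.113.0/24
# stands in for the redacted 216.xxx.xxx.x block; 198.51.100.123 is an
# off-subnet global address like the ".123" in the first config.
SAMPLE_CONFIG = """
ip address outside 203.0.113.69 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
access-list 115 permit tcp any host 203.0.113.236 eq 5631
access-list 115 permit udp any host 203.0.113.236 eq 5632
access-list 115 permit tcp any host 203.0.113.235 eq 5631
access-list 115 permit tcp any host 203.0.113.234 eq ftp
access-list 115 permit tcp any host 203.0.113.234 eq 5631
access-list 115 permit udp any host 203.0.113.234 eq 5632
static (inside,outside) 203.0.113.235 192.168.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.236 192.168.0.4 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.234 192.168.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.123 192.168.0.5 netmask 255.255.255.255 0 0
access-group 115 in interface outside
"""

RE_IPADDR = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
RE_ACL = re.compile(r"^access-list (\S+) permit (tcp|udp) (\S+) host (\S+) eq (\S+)$")
RE_STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
RE_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_config(text):
    """Pull interfaces, ACL host/port permits, one-to-one statics and access-groups."""
    cfg = {"interfaces": {}, "acls": defaultdict(set), "statics": [], "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_IPADDR.match(line):
            name, ip, mask = m.groups()
            # ip_interface accepts a dotted netmask, as PIX prints it
            cfg["interfaces"][name] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif m := RE_ACL.match(line):
            acl, proto, _src, dst, port = m.groups()
            cfg["acls"][acl].add((proto, dst, port))
        elif m := RE_STATIC.match(line):
            inside_if, outside_if, glob, local, _mask = m.groups()
            cfg["statics"].append((inside_if, outside_if, glob, local))
        elif m := RE_GROUP.match(line):
            acl, iface = m.groups()
            cfg["groups"][iface] = acl
    return cfg


def check_config(text, outside="outside", ports=PCANYWHERE_PORTS):
    """Return a list of human-readable findings; an empty list means no issues found."""
    cfg = parse_config(text)
    findings = []
    net = cfg["interfaces"][outside].network
    acl = cfg["groups"].get(outside)
    if acl is None:
        findings.append(f"no access-group applied inbound on {outside}")
    for _inside_if, outside_if, glob, local in cfg["statics"]:
        if outside_if != outside:
            continue
        try:
            gaddr = ipaddress.ip_address(glob)
        except ValueError:  # e.g. a mistyped address such as 216.XXX..XXX.123
            findings.append(f"static {glob}->{local}: global address is not a valid IP address")
            continue
        if gaddr not in net:
            findings.append(f"static {glob}->{local}: global address not in {outside} subnet {net}")
        for proto, port in ports:
            if acl is None or (proto, glob, port) not in cfg["acls"][acl]:
                findings.append(f"static {glob}->{local}: ACL {acl} has no permit for {proto}/{port}")
    counts = Counter(g for _i, o, g, _l in cfg["statics"] if o == outside)
    for glob, n in counts.items():
        if n > 1:
            findings.append(f"global {glob} is used by {n} statics")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the 203.0.113.235 static as missing its udp/5632 permit and the 198.51.100.123 static as both off-subnet and without any pcAnywhere permits; the 234 and 236 statics pass. The matcher only understands the numeric port form the thread's config uses (`eq 5631`), not PIX port-name literals, and only one-to-one statics, so a port-redirection static (the `static (inside,outside) tcp ...` form) is ignored rather than checked.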

Eduardo,

I know this is not really an answer to your question, but could you please upgrade to the latest PIX OS (6.2) first (if it is possible)? Maybe your problems are related to a bug, because the config looks fine.

Kind Regards,

Tom

Hi,

you could try:

- clear xlate

- look for duplicate IPs

I've tried "clear xlate", but it does not do anything.

Last night I changed the config; I am now using one IP for the 3 connections (port redirection). It worked for me last night just fine, I tried it a few times, then this morning my boss called me saying that he was not able to get in. When I tried it from home, same thing, not able to get in.

Besides "clear xlate", is there another table that I have to clear?

Thanks for your help

Eduardo

Have you checked that you have enough licences to cover all your inside connections?

show local-host will list the number of active inside hosts.