1. Home
  2. Networking Firewalls
  3. Urgent---can't ping a host inside PIX firewall please help

Urgent---can't ping a host inside PIX firewall please help

I can't ping the host 209.178.196.211. Please see the config. Because of this the mail coming through SMTP is hosed. I'd appreciate your help.

: Saved : PIX Version 6.1(1) nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 9Hxv6QfoEUwhwV2T encrypted passwd 9Hxv6QfoEUwhwV2T encrypted hostname iexpect-corp fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 1720 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sqlnet 1521 fixup protocol sip 5060 fixup protocol skinny 2000 fixup protocol smtp 25 names name 192.168.5.10 corp-smtp name 192.168.5.13 njrep1 name 192.168.5.150 trig1 name 192.168.5.151 trig2 name 192.168.5.61 brett name 192.168.5.58 sfg name 192.168.5.152 sfg2 name 192.168.5.63 pepsanchez name 192.168.5.9 corp-smtp2 access-list ipsec permit ip 192.168.5.0 255.255.255.0 10.0.255.0

255.255.255.0 access-list ipsec permit ip 192.168.11.0 255.255.255.0 10.0.255.0 255.255.255.0 access-list incoming permit tcp any host 209.178.196.211 eq smtp access-list incoming permit tcp any host 209.178.196.212 eq smtp access-list incoming permit icmp any any echo-reply access-list incoming permit icmp any any time-exceeded access-list incoming permit icmp any any unreachable access-list incoming permit tcp any host 209.178.196.211 eq 5631 access-list incoming permit tcp any host 209.178.196.211 eq 5632 access-list incoming permit udp any host 209.178.196.211 eq 5632 access-list incoming permit udp host 216.34.112.198 eq dnsix any access-list incoming permit udp host 216.33.202.54 eq dnsix any access-list incoming permit tcp any eq telnet host 216.74.138.147 access-list incoming permit tcp any host 209.178.196.212 eq telnet access-list incoming permit tcp any eq telnet host 209.178.196.212 access-list incoming permit tcp any host 209.178.196.211 eq www access-list incoming permit tcp any host 209.178.196.212 eq www access-list incoming permit tcp any host 209.178.196.212 eq ftp access-list incoming permit tcp any eq ftp host 209.178.196.212 access-list incoming permit tcp any host 209.178.196.213 eq 22 access-list incoming permit tcp any host 209.178.196.213 eq www access-list incoming permit tcp any host 209.178.196.211 eq 3389 access-list incoming permit tcp any host 209.178.196.212 eq 3389 access-list incoming permit tcp any host njrep1 eq 22 access-list incoming permit tcp any host njrep1 eq ftp access-list incoming permit tcp any host 209.178.196.215 eq 4662 access-list incoming permit udp any host 209.178.196.215 eq 4672 access-list incoming permit tcp any host 209.178.196.217 eq www access-list incoming permit tcp any host 209.178.196.213 eq 443 access-list incoming permit tcp any host 209.178.196.217 eq 22 access-list incoming permit tcp any host 209.178.196.222 eq 5900 access-list incoming permit tcp 202.138.142.224 255.255.255.224 host 209.178.196.216 eq 443 access-list incoming permit tcp any host 209.178.196.217 eq 443 access-list incoming permit tcp any host 209.178.196.222 eq www access-list incoming permit tcp any host 209.178.196.222 eq 129 access-list incoming permit tcp any host 209.178.196.222 eq 132 access-list incoming permit tcp any host 209.178.196.211 eq ftp access-list incoming permit tcp any host 209.178.196.216 access-list incoming permit icmp any host 209.178.196.222 access-list incoming permit tcp any host 209.178.196.211 access-list incoming permit icmp any host 209.178.196.211 access-list outgoing permit tcp any any access-list outgoing permit icmp any any access-list outgoing permit icmp any any echo-reply access-list outgoing permit udp any any access-list outgoing permit tcp any any eq www access-list outgoing permit tcp any host 216.239.35.101 eq www access-list outgoing permit udp any host 216.34.112.198 eq dnsix access-list outgoing permit udp any host 216.33.202.54 eq dnsix pager lines 24 logging on interface ethernet0 10baset interface ethernet1 10baset mtu outside 1500 mtu inside 1500 ip address outside 209.178.196.210 255.255.255.240 ip address inside 192.168.5.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool corp-home 192.168.99.1-192.168.99.224 pdm history enable arp timeout 60 global (outside) 1 209.178.196.220-209.178.196.221 global (outside) 1 209.178.196.219 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 alias (inside) sfg 209.178.196.216 255.255.255.255 alias (inside) sfg2 209.178.196.217 255.255.255.255 alias (inside) corp-smtp 209.178.196.211 255.255.255.255 alias (inside) 192.168.11.150 209.178.196.213 255.255.255.255 alias (inside) 192.168.5.149 209.178.196.222 255.255.255.255 static (inside,outside) 209.178.196.213 trig1 netmask 255.255.255.255 0 0 static (inside,outside) 209.178.196.214 trig2 netmask 255.255.255.255 0 0 static (inside,outside) 209.178.196.211 corp-smtp netmask 255.255.255.255 0 0 static (inside,outside) 209.178.196.215 brett netmask 255.255.255.255 0 0 static (inside,outside) 209.178.196.216 sfg netmask 255.255.255.255 0 0 static (inside,outside) 209.178.196.217 sfg2 netmask 255.255.255.255 0 0 static (inside,outside) 209.178.196.222 192.168.5.149 netmask 255.255.255.255 0 0 static (inside,outside) 209.178.196.218 pepsanchez netmask 255.255.255.255 0 0 static (inside,outside) 209.178.196.212 corp-smtp2 netmask 255.255.255.255 0 0 access-group incoming in interface outside route outside 0.0.0.0 0.0.0.0 209.178.196.209 1 route inside 192.168.11.0 255.255.255.0 192.168.5.2 1 route inside 192.168.254.0 255.255.255.0 192.168.5.2 1 timeout xlate 3:00:00 timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius http server enable http corp-smtp2 255.255.255.255 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec sysopt ipsec pl-compatible no sysopt route dnat crypto ipsec transform-set iexpect esp-des esp-md5-hmac crypto ipsec transform-set myset esp-des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map corp 1 ipsec-isakmp crypto map corp 1 match address ipsec crypto map corp 1 set peer 216.74.138.157 crypto map corp 1 set transform-set iexpect crypto map corp 10 ipsec-isakmp dynamic dynmap crypto map corp client configuration address initiate crypto map corp client configuration address respond crypto map corp interface outside isakmp enable outside isakmp key ******** address 216.74.138.157 netmask 255.255.255.255 isakmp identity address isakmp policy 1 authentication pre-share isakmp policy 1 encryption des isakmp policy 1 hash md5 isakmp policy 1 group 1 isakmp policy 1 lifetime 86400 isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 vpngroup corphome address-pool corp-home vpngroup corphome dns-server 192.168.1.6 vpngroup corphome wins-server 192.168.1.6 vpngroup corphome default-domain corp.iexpect.com vpngroup corphome idle-time 1800 vpngroup corphome password ******** telnet corp-smtp 255.255.255.255 inside telnet 192.168.5.2 255.255.255.255 inside telnet 192.168.11.0 255.255.255.0 inside telnet 192.168.5.0 255.255.255.0 inside telnet njrep1 255.255.255.255 inside telnet corp-smtp2 255.255.255.255 inside telnet timeout 5 ssh njrep1 255.255.255.255 inside ssh timeout 5 terminal width 80 Cryptochecksum:b74f20411172389725f6e85195e68c9b
Reply to
soup_or_power
Loading thread data ...

Also the firewall itself does not respond to ping! I called the ISP (Wave2Wave) and they are not at all helpful!

Reply to
soup_or_power

Also the firewall itself does not respond to ping! I called the ISP (Wave2Wave) and they are not at all helpful!

Reply to
soup_or_power

Wave2Wave has allocated the IP's 209.178.196.210 thru 209.178.196.222 I can ping only the following list:

216, 217, 220, 222 The rest don't respond to ping. Ah!
Reply to
soup_or_power

Why so old a version? Are you aware that even if you have no support contract, you are eligable for a free upgrade to much later in 6.1 ? (And some of the text is interpretable as allowing you to go from 6.1 to 6.2 for free, if I recall correctly.)

6.1 had major rewrites in how NAT worked. If you stick with 6.1(1) you are asking for NAT trouble. As they say,

"Never use a dot-zero or dot-one release on a production system. Let other people find the bugs in the new dot-zero code; and don't trust the dot-one release because it's usually rushed to fix the worst bugs in the dot-zero, which leaves a lot of smaller problems, and dot-one usually introduces brand new bugs in the rush to fix the dot-zero."

Reply to
Walter Roberson

Try to post on this group comp.dcom.sys.cisco its name tell me that you may find help there. ;) see ya luckyboy

Reply to
luckyboy

Hi Walter I inherited this piece of equipment. Can you please look into the config and tell me what's wrong with it? I have made one more change since posting the config here. I allowed icmp for all hosts.

Thanks for your help

Reply to
soup_or_power

Hi Luckyboy I've posted in CDSC but there were no replies. I desperately need help on this.

Thanks

Reply to
soup_or_power

What's wrong with the config is that you are using a dot-zero or dot-one release.

Seriously. If you check the Cisco bug tracker database, I believe there are several bugs with static translation in PIX 6.1(1).

To obtain a software upgrade free, have a look at

formatting link
"6.1.4 and earlier" fixed in 6.1.5

Then

formatting link
you to 6.1.5(104)

On paper,

formatting link
get you to 6.3(5) but I've looked at the bug summary and it might be difficult to argue Cisco into it. The vulnerability report says "all PIX releases before 6.3(5)" but the bug indicates 6.3(4) as the "first found in" version and gives no hint that earlier versions are affected.

There is also a 6.3(5) security bug that would get you up to a

6.3(5) rebuild, but it's a nuisance to track down the report.

If I remember correctly if you dig deep enough you would be able to find something against 6.1 that would allow you to get to 6.2 and from there to 6.2(4), but it would take some careful reading of the Pix Security Advisories

Reply to
Walter Roberson

So are you suggesting that upgrading his PIX will fix his problem?

Reply to
Memnoch

I will eventually upgrade. For the moment, my company is without email because the PIX is blocking the traffic to the email server.

Regards

Reply to
soup_or_power

I want to highlight the config where the mail server (209.178.196.211) appears. Kindly let me know what's wrong. What does the alias command do?

access-list incoming permit tcp any host 209.178.196.211 alias (inside) corp-smtp 209.178.196.211 255.255.255.255 static (inside,outside) 209.178.196.211 corp-smtp netmask

255.255.255.255 0 0
Reply to
soup_or_power

I never make promises that any particular proposed change will definitely fix a problem, because there are just too many possibilities and too much unknown information.

But I don't believe it to be useful to spend a lot of time investigating possible arcane causes to a problem when there are known bugs fixed in later releases.

For example, if the original poster were to try to work remotely, CSCdv53138, "Using Secure Shell client to connect to the PIX doesn't work in 6.1.1." There are documented problems in 6.1 relating ICMP and address translation.

Reply to
Walter Roberson

Even so, it will probably turn out to be a configuration issue rather than a bug.

Reply to
Memnoch

The reverse DNS servers for your IP address range are not responding -- none of the three of them (w2wnj-dns*.wave2wave.com)

That would interfere with sending systems that want to verify IP addresses and domain names, but would not interfere with attempts to contact the mail port directly.

Attempts to telnet to your smtp port time out. That indicates that the problem is not the smtp fixup and ESMTP: when the smtp fixup is active, you get a mail prompt mediate through the PIX.

If your internal DNS servers rely upon your ISP's DNS servers when attempting to resolve outside IP addresses, *and* if your Windows 2000 mail server is set to attempt to do reverse lookup of IPs before it even returns a basic 220 prompt, then possibly the PIX is passing along the packets but the mail server is not answering. A similar problem could happen if your mail server attempts to run IDENT checks on incoming connections and you have bad DNS problems. But it would be uncommon do do those checks on a windows mail server -- they are checks more likely to be found on a zealous Unix mail server.

Out of your entire subnet, the only ports that appear to be responding are a few that are on your router. You could potentially be having problems at the router level.

Reply to
Walter Roberson

pinging of the firewall is not controlled by access control lists and static and so on: it is controlled by a seperate command, 'icmp'.

icmp permit any echo outside icmp permit any unreachable outside

However, if you have no icmp statement at all then the default is to permit all icmp to the PIX itself. I did not see such a statement in your configuration, which indicates that you have a problem, possibly with your router.

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.