PIX 501 and port forwarding problems and timeouts

Hi,

We have a problem with certain software having to access our internal servers via the 501. The connections are very slow, or do not work at all.

i.e.: Team Coherence (version control software) accesses our PIX-501 on port 2000 (TCP protocol), and all traffic gets diverted to one of our internal servers (IP: 192.168.15.152). The developers using Team Coherence on the internal network have no problems at all, only users from external networks do.

At first Team Coherence couldn't access our internal server at all, but the QSC developers managed some magic to enable us to work, but they said we have a problem which causes TCP packets to time out or something, and that we need to have a look at our firewall/router setup.

I don't know much about Cisco routers and our Admin has left the company. Is there anybody that could have a look at our config file and see if there are any obvious problems they can spot?

Below is the config file for our PIX 501.

------------ cut -------------
: Saved
: Written by enable_15 at 12:20:43.279 UTC Tue Sep 28 2004
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ********* encrypted
hostname skynetpix
domain-name skynetas.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.15.152 skysql3
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 217.206.189.59 eq smtp
access-list outside_access_in permit tcp any host 217.206.189.59 eq www
access-list outside_access_in permit tcp any host 217.206.189.60 eq www
access-list outside_access_in permit tcp any host 217.206.189.58 eq https
access-list outside_access_in permit tcp any host 217.206.189.58 eq 3389
access-list outside_access_in permit tcp any host 217.206.189.58 eq www
access-list outside_access_in permit tcp any host 217.206.189.59 eq 2000
access-list outside_access_in permit tcp any host 217.206.189.59 eq 8080
access-list outside_access_in permit tcp any host 217.206.189.59 eq 8081
access-list outside_access_in permit tcp any host 217.206.189.62 eq telnet
access-list outside_access_in permit tcp any host 217.206.189.59 eq ftp
access-list acl_rkcarvill permit ip 192.168.15.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list acl_pptp permit ip 192.168.15.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list acl_pptp permit ip 192.168.15.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in deny tcp any host 195.224.49.132 eq www
access-list inside_access_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 217.206.189.62 255.255.255.248
ip address inside 192.168.15.101 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpdnpool 192.168.10.10-192.168.10.60
pdm location 192.168.15.101 255.255.255.255 inside
pdm location 192.168.15.200 255.255.255.255 inside
pdm location 192.168.15.202 255.255.255.255 inside
pdm location 172.16.0.0 255.240.0.0 outside
pdm location 192.168.10.0 255.255.255.0 outside
pdm location 192.168.15.148 255.255.255.255 inside
pdm location 195.224.49.132 255.255.255.255 outside
pdm location skysql3 255.255.255.255 inside
pdm location 212.124.245.94 255.255.255.255 outside
pdm logging informational 200
pdm history enable
arp timeout 14400
global (outside) 1 217.206.189.61
nat (inside) 0 access-list acl_pptp
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 217.206.189.60 www 192.168.15.202 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.206.189.60 https 192.168.15.202 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.206.189.59 8080 skysql3 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.206.189.59 8081 skysql3 8081 netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.206.189.59 2000 skysql3 2000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.206.189.59 ftp skysql3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.206.189.59 smtp 192.168.15.141 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.206.189.59 www 192.168.15.141 www netmask 255.255.255.255 0 0
static (inside,outside) 217.206.189.58 192.168.15.148 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 217.206.189.57 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server 192.168.15.101
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.15.200 config.txt
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set rkcarvill esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address acl_rkcarvill
crypto map newmap 10 set peer 212.124.245.68
crypto map newmap 10 set transform-set rkcarvill
crypto map newmap interface outside
isakmp enable outside
isakmp key vpn address 212.124.245.68 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
telnet 212.124.245.94 255.255.255.255 outside
telnet 192.168.15.101 255.255.255.255 inside
telnet 192.168.15.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group vpdngroup accept dialin pptp
vpdn group vpdngroup ppp authentication chap
vpdn group vpdngroup ppp authentication mschap
vpdn group vpdngroup ppp encryption mppe 40 required
vpdn group vpdngroup client configuration address local vpdnpool
vpdn group vpdngroup client configuration dns 192.168.15.141
vpdn group vpdngroup pptp echo 60
vpdn group vpdngroup client authentication local
vpdn username ******* password ********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain skynetas.com
terminal width 80
Cryptochecksum:59a268f5d3752384f998933250dbdf1b
: end

------------ end -------------

Regards, - Graeme -

Reply to
Graeme Geldenhuys

Start from this. Upgrade your Pix to 6.3(4). You can get the new version from Cisco free of charge because 6.3(3) had some problems (I don't know the exact symptoms, so I don't know if they play any role in your case, but you need an upgrade anyway).

Reply to
Jyri Korhonen

Hi,

I will try and do that ASAP. The other thing I noticed is that there is another protocol defined on port 2000.

[snip] fixup protocol skinny 2000

I did a Google search, and "skinny" is some proprietary protocol used by Cisco. Could that maybe affect Team Coherence, which also uses port 2000?

I could always change the port Team Coherence uses to their new default (9222).

Regards, - Graeme -


Reply to
Graeme Geldenhuys
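An added check, not from the thread or from Cisco, that parses the posted config for exactly the overlap the last post suspects: TCP statics whose outside port is also claimed by a fixup inspection engine. The config excerpt is constructed from lines of the thread's config, and the `expected` map is an assumption (the admin states which forwarded ports really carry the inspected protocol, so a genuine SMTP relay behind the smtp fixup is not reported).

```python
import re
# Constructed excerpt of the config posted in the thread (a subset of its lines).
SAMPLE_CONFIG = """\
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
static (inside,outside) tcp 217.206.189.59 2000 skysql3 2000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.206.189.59 8080 skysql3 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.206.189.59 smtp 192.168.15.141 smtp netmask 255.255.255.255 0 0
"""
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "https": 443}  # PIX keywords
FIXUP_RE = re.compile(r"^fixup protocol (\S+)(?: (\S+))? (\d+)(?:-(\d+))?$")
STATIC_RE = re.compile(r"^static \(\S+\) tcp (\S+) (\S+) (\S+) (\S+) netmask")

def port_number(tok):
    """Translate a PIX service keyword or numeric token to an integer port."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def tcp_fixups(cfg):
    """Map every TCP port covered by a fixup to its engine; UDP and option lines are skipped."""
    engines = {}
    for line in cfg.splitlines():
        m = FIXUP_RE.match(line.strip())
        if not m or m.group(2) in ("udp", "maximum-length"):
            continue
        name = m.group(1) + (" " + m.group(2) if m.group(2) else "")
        lo, hi = int(m.group(3)), int(m.group(4) or m.group(3))
        for port in range(lo, hi + 1):
            engines[port] = name
    return engines

def static_forwards(cfg):
    """Return (outside_ip, outside_port, inside_host, inside_port) for each TCP port static."""
    return [(m.group(1), port_number(m.group(2)), m.group(3), port_number(m.group(4)))
            for m in map(STATIC_RE.match, (l.strip() for l in cfg.splitlines())) if m]

def fixup_collisions(cfg, expected=None):
    """Forwards whose outside port is also inspected by a fixup engine.  `expected` (assumed,
    supplied by the admin) maps port -> protocol the forwarded app really speaks."""
    engines, expected = tcp_fixups(cfg), expected or {}
    return [(ip, port, host, engines[port]) for ip, port, host, _ in static_forwards(cfg)
            if port in engines and expected.get(port) != engines[port]]

if __name__ == "__main__":
    for ip, port, host, engine in fixup_collisions(SAMPLE_CONFIG, expected={25: "smtp"}):
        print(f"{ip}:{port} -> {host} is inspected by the '{engine}' fixup engine")
```

On PIX 6.3, `show fixup` lists the active engines, and an engine that is inspecting a port used by an unrelated application can be turned off with `no fixup protocol skinny 2000` when no IP phones pass through the firewall.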
