Strange PIX static and holes for ports issue...

Greetings,

I am installing a PIX 515e in a datacenter (in D.C.) and for some reason it is just not behaving. I have another 515e in the home office (in L.A.) and it works like a charm. The configs are pretty much the same minus the IPs, and the one in D.C. needs more ports open.

So the strangeness is that none of the static mapped ports are passing traffic from "out to in" or from "in to out". However, the DHCP assigned computers are surfing around just fine. Additionally, the servers that are statically mapped with open ports cannot pass traffic through the PIX. They can get to it but not through it!

I have been comparing line by line a few of my working config files but just cannot come up with what may be going on. If any of you can shed some light, it would be very much appreciated, and drinks are on me in SF, LA, or DC!!!

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 vpn security10
enable password xxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxx encrypted
hostname VIRPIX01
domain-name politicalsystems.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.0 LA_internal
name 192.168.11.0 WLA_internal
name 192.168.12.0 VIR_Internal
name 192.168.13.0 DC_Internal
name 192.168.222.0 VIR_VPN_Pool
name 192.168.12.3 VIRMAIL01
name 192.168.12.4 VIRDB01
name 192.168.12.5 VIRCRUNCH
name 192.168.12.6 VIRMAIL02
name 192.168.12.9 VIRWWW01
name 192.168.12.51 VIRMAIL03-IRON
access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 DC_Internal 255.255.255.0
access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 VIR_VPN_Pool 255.255.255.0
access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 WLA_internal 255.255.255.0
access-list inside_outbound_nat0_acl permit ip VIR_Internal 255.255.255.0 LA_internal 255.255.255.0
access-list outside_cryptomap_20 permit ip VIR_Internal 255.255.255.0 LA_internal 255.255.255.0
access-list outside_cryptomap_40 permit ip VIR_Internal 255.255.255.0 DC_Internal 255.255.255.0
access-list outside_cryptomap_60 permit ip VIR_Internal 255.255.255.0 WLA_internal 255.255.255.0
access-list open_port permit udp any host x.x.x.84 eq domain
access-list open_port permit tcp any host x.x.x.84 eq www
access-list open_port permit tcp any host x.x.x.84 eq https
access-list open_port permit tcp any host x.x.x.85 eq ftp
access-list open_port permit tcp any host x.x.x.85 eq smtp
access-list open_port permit udp any host x.x.x.85 eq domain
access-list open_port permit tcp any host x.x.x.88 eq www
access-list open_port permit tcp any host x.x.x.88 eq https
access-list open_port permit tcp any host x.x.x.89 eq smtp
access-list open_port permit tcp any host x.x.x.90 eq www
access-list open_port permit tcp any host x.x.x.90 eq https
access-list open_port permit tcp any host x.x.x.91 eq smtp
access-list open_port permit tcp any host x.x.x.92 eq smtp
access-list open_port permit tcp any host x.x.x.94 eq ftp
access-list open_port permit tcp any host x.x.x.94 eq smtp
access-list open_port permit udp any host x.x.x.87 eq domain
access-list open_port permit tcp any host x.x.x.87 eq www
access-list open_port permit tcp any host x.x.x.87 eq https
access-list open_port permit icmp any any
pager lines 24
icmp permit any outside
icmp permit any inside
icmp permit any vpn
mtu outside 1500
mtu inside 1500
mtu vpn 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.12.1 255.255.255.0
ip address vpn 192.168.112.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VIR_VPN_Clients 192.168.112.100-192.168.112.199 mask 255.255.255.0
pdm location LA_internal 255.255.255.0 outside
pdm location DC_Internal 255.255.255.0 outside
pdm location WLA_internal 255.255.255.0 outside
pdm location VIRMAIL01 255.255.255.255 inside
pdm location VIRDB01 255.255.255.255 inside
pdm location VIRMAIL02 255.255.255.255 inside
pdm location VIRWWW01 255.255.255.255 inside
pdm location 192.168.12.10 255.255.255.255 inside
pdm location 192.168.12.11 255.255.255.255 inside
pdm location 192.168.12.12 255.255.255.255 inside
pdm location 192.168.12.13 255.255.255.255 inside
pdm location VIRMAIL03-IRON 255.255.255.255 inside
pdm location LA_internal 255.255.255.0 vpn
pdm location WLA_internal 255.255.255.0 vpn
pdm location DC_Internal 255.255.255.0 vpn
pdm location 192.168.12.41 255.255.255.255 inside
pdm location VIR_VPN_Pool 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface netmask 255.255.255.255
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.90 VIRWWW01 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.87 192.168.12.10 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.84 192.168.12.11 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.88 192.168.12.12 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.85 VIRMAIL01 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.89 192.168.12.13 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.83 VIRDB01 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.91 VIRMAIL02 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.94 VIRMAIL03-IRON netmask 255.255.255.255 0 0
static (vpn,outside) x.x.x.93 192.168.112.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.92 192.168.12.41 netmask 255.255.255.255 0 0
access-group open_port in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http VIR_Internal 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer x.x.x.x
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer x.x.x.x
crypto map outside_map 60 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp enable vpn
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
telnet VIR_Internal 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh VIR_Internal 255.255.255.0 inside
ssh timeout 15
console timeout 0
vpdn group VIR_Clients accept dialin pptp
vpdn group VIR_Clients ppp authentication mschap
vpdn group VIR_Clients ppp encryption mppe 40
vpdn group VIR_Clients client configuration address local VIR_VPN_Clients
vpdn group VIR_Clients pptp echo 60
vpdn group VIR_Clients client authentication local
vpdn enable vpn
dhcpd address 192.168.12.200-192.168.12.220 inside
dhcpd dns VIRMAIL01 208.57.0.11
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain politicalsystems.local
dhcpd enable inside
........
dmgeller

Found the problem. It was the outside subnet mask...such an idiot. I treated myself to a Guinness...

dmgeller
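The fix dmgeller reports is worth checking mechanically: the posted config gives the outside interface a 255.255.255.248 mask (eight addresses), while the static entries use globals from x.x.x.83 through x.x.x.94, which cannot all sit in one /29. The script below is an added example, not code from the thread or from Cisco; it parses PIX 6.3-style `name`, `ip address` and `static` lines, flags every static whose global address falls outside the mapped interface's subnet, and reports the shortest prefix that would cover them all. The 203.0.113.x addresses are constructed stand-ins for the masked x.x.x.N values in the post.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's PIX 6.3 config; the post masked its
# public addresses as x.x.x.N, so 203.0.113.0/24 (documentation space) stands in here.
SAMPLE_CONFIG = """\
name 192.168.12.9 VIRWWW01
ip address outside 203.0.113.81 255.255.255.248
static (inside,outside) 203.0.113.90 VIRWWW01 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.84 192.168.12.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.85 192.168.12.3 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.94 192.168.12.51 netmask 255.255.255.255 0 0
"""
NAME_RE = re.compile(r"^name (\S+) (\S+)$")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")

def parse(config):
    """Collect name aliases, per-interface networks and static NAT entries."""
    names, ifaces, statics = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)          # alias -> address
        elif m := IPADDR_RE.match(line):
            ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())              # (real_if, mapped_if, global, local)
    return names, ifaces, statics

def statics_outside_interface_subnet(config):
    """(global, local, interface subnet) for every static whose global lies off-subnet."""
    names, ifaces, statics = parse(config)
    problems = []
    for _real_if, mapped_if, global_addr, local_addr in statics:
        net = ifaces[mapped_if].network             # subnet the PIX believes is on that wire
        g = ipaddress.ip_address(names.get(global_addr, global_addr))
        if g not in net:
            problems.append((str(g), names.get(local_addr, local_addr), str(net)))
    return problems

def smallest_covering_network(config, mapped_if="outside"):
    """Shortest prefix on mapped_if that holds its own address and every static global."""
    names, ifaces, statics = parse(config)
    addrs = [ifaces[mapped_if].ip] + [ipaddress.ip_address(names.get(g, g))
                                       for _r, m, g, _l in statics if m == mapped_if]
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{addrs[0]}/{prefix}", strict=False)
        if all(a in net for a in addrs):
            return str(net)
```

Run against a real `show run`, the first function names the statics that will never be reachable with the configured mask, and the second gives the mask to confirm with the provider before changing it.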

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.