inbound PIX Traffic

Went to the DC to replace it; still cannot access any of the internal services. Outgoing works no problem, I just cannot bring up any of the websites. Here is the latest:

It was my understanding that when you nat 0 an access list, that automatically sets up all of the statics for the incoming traffic, i.e. web sites, DNS, etc.

Outbound ICMP wasn't working. Any help with this would be greatly appreciated.

Thanks

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
hostname dimepix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network REGGIE_STATIC_HOSTS
  network-object host 72.29.91.82
  network-object host 72.29.91.83
  network-object host 72.29.91.84
  network-object host 72.29.91.85
  network-object host 72.29.91.86
  network-object host 72.29.91.87
  network-object host 72.29.91.88
  network-object host 72.29.91.89
  network-object host 72.29.91.90
object-group network priv_hosts
  network-object host 72.29.91.66
  network-object host 72.29.91.67
  network-object host 72.29.91.68
  network-object host 72.29.91.69
  network-object host 72.29.91.70
  network-object host 72.29.91.71
  network-object host 72.29.91.72
  network-object host 72.29.91.73
  network-object host 72.29.91.74
  network-object host 72.29.91.76
  network-object host 72.29.91.75
  network-object host 72.29.91.77
  network-object host 72.29.91.78
object-group network net3_hosts
  network-object host 72.29.91.98
  network-object host 72.29.91.99
  network-object host 72.29.91.100
  network-object host 72.29.91.101
  network-object host 72.29.91.102
  network-object host 72.29.91.103
  network-object host 72.29.91.104
  network-object host 72.29.91.105
  network-object host 72.29.91.106
  network-object host 72.29.91.107
  network-object host 72.29.91.108
  network-object host 72.29.91.109
  network-object host 72.29.91.110
object-group network net4_hosts
  network-object host 72.29.91.114
  network-object host 72.29.91.115
  network-object host 72.29.91.116
  network-object host 72.29.91.117
  network-object host 72.29.91.118
object-group protocol webservices
  protocol-object tcp
object-group service web_service tcp
  port-object eq ftp
  port-object eq www
  port-object eq https
object-group service mail_service tcp
  description Allows mail services inbound
  port-object eq smtp
  port-object eq imap4
  port-object eq pop3
object-group network webhosts
  network-object host 72.29.91.84
  network-object host 72.29.91.82
  network-object host 72.29.91.85
  network-object host 72.29.91.83
  network-object host 72.29.91.86
  network-object host 72.29.91.87
  network-object host 72.29.91.88
  network-object host 72.29.91.89
  network-object host 72.29.91.66
  network-object host 72.29.91.67
  network-object host 72.29.91.68
  network-object host 72.29.91.69
  network-object host 72.29.91.70
  network-object host 72.29.91.71
  network-object host 72.29.91.72
  network-object host 72.29.91.73
  network-object host 72.29.91.77
  network-object host 72.29.91.78
  network-object host 72.29.91.98
  network-object host 72.29.91.99
  network-object host 72.29.91.100
  network-object host 72.29.91.101
  network-object host 72.29.91.102
  network-object host 72.29.91.103
  network-object host 72.29.91.104
  network-object host 72.29.91.105
  network-object host 72.29.91.106
  network-object host 72.29.91.107
  network-object host 72.29.91.108
  network-object host 72.29.91.109
  network-object host 72.29.91.74
object-group network mailhosts
  network-object host 72.29.91.83
  network-object host 72.29.91.66
  network-object host 72.29.91.99
  network-object host 72.29.91.114
  network-object host 72.29.91.115
object-group network rdp_hosts
  network-object host 72.29.91.84
  network-object host 72.29.91.82
  network-object host 72.29.91.83
  network-object host 72.29.91.85
  network-object host 72.29.91.66
  network-object host 72.29.91.69
  network-object host 72.29.91.107
  network-object host 72.29.91.108
  network-object host 72.29.91.109
object-group network dnshosts
  network-object host 72.29.91.82
  network-object host 72.29.91.83
  network-object host 72.29.91.73
  network-object host 72.29.91.76
  network-object host 72.29.91.98
  network-object host 72.29.91.99
  network-object host 72.29.91.114
  network-object host 72.29.91.115
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list priv_out_acl permit ip object-group priv_hosts any
access-list net3_out_acl permit ip object-group net3_hosts any
access-list net4_out_acl permit ip object-group net4_hosts any
access-list acl_in permit tcp any object-group webhosts object-group web_service
access-list acl_in permit tcp any object-group mailhosts object-group mail_service
access-list acl_in permit tcp any object-group rdp_hosts eq 3389
access-list acl_in permit tcp any object-group dnshosts eq domain
access-list acl_in permit udp any object-group dnshosts eq domain
access-list acl_in permit tcp any host 72.29.91.83 eq 7099
access-list acl_in permit tcp any host 72.29.91.82 eq 8888
access-list acl_in permit icmp any any
access-list acl_in permit tcp any host 72.29.91.66 eq 81
access-list acl_in permit tcp any host 72.29.91.66 range 7000 7500
access-list acl_in permit tcp any host 72.29.91.107 range 7000 7500
access-list acl_in permit tcp any host 72.29.91.114 eq ssh
access-list acl_in permit tcp any host 72.29.91.114 eq 993
access-list acl_in permit tcp any host 72.29.91.114 eq 995
access-list acl_in permit tcp any host 72.29.91.76 eq 9080
access-list acl_in permit tcp host 64.3.246.250 host 72.29.91.76 eq 1090
access-list acl_in permit tcp host 24.73.161.202 any eq ssh
access-list acl_in permit tcp host 24.73.161.202 any eq 3389
access-list acl_in permit tcp host 24.73.161.202 any eq 9999
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 72.29.91.125 255.255.255.248
no ip address inside
ip address intf2 10.5.250.1 255.255.0.0
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (priv) 0 access-list priv_out_acl
nat (reggie) 0 access-list reggie_out_acl
nat (net3) 0 access-list net3_out_acl
nat (net4) 0 access-list net4_out_acl
access-group priv_out_acl in interface priv
access-group reggie_out_acl in interface reggie
access-group net3_out_acl in interface net3
access-group net4_out_acl in interface net4
route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
rtartar

I narrowed it down to a very minimal config and still can't get it to work. I can ping from the firewall to the inside host, I can ping the firewall, and it shows access-list 115 receiving traffic.

dimepix1(config)# show access-list 115
access-list 115; 4 elements
access-list 115 line 1 permit icmp any any (hitcnt=66)
access-list 115 line 2 permit ip any host 72.29.91.84 (hitcnt=3)
access-list 115 line 3 permit tcp any host 72.29.91.84 (hitcnt=0)
access-list 115 line 4 permit udp any host 72.29.91.84 (hitcnt=0)

But the following config still will not work.

PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
interface ethernet2 100full
nameif ethernet0 goo security1
nameif ethernet1 inside security100
nameif ethernet2 outside security0
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dimepix1
domain-name host2max.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 109 permit ip 72.29.91.80 255.255.255.240 any
access-list 109 permit icmp any any
access-list 109 deny ip any any
access-list 110 permit ip 72.29.91.64 255.255.255.240 any
access-list 111 permit ip 72.29.91.96 255.255.255.240 any
access-list 112 permit ip 72.29.91.112 255.255.255.248 any
access-list 115 permit icmp any any
access-list 115 permit ip any host 72.29.91.84
access-list 115 permit tcp any host 72.29.91.84
access-list 115 permit udp any host 72.29.91.84
pager lines 24
mtu goo 1500
mtu inside 1500
mtu outside 1500
no ip address goo
no ip address inside
ip address outside 10.5.251.251 255.255.0.0
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address goo
no failover ip address inside
no failover ip address outside
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (priv) 0 access-list 110
nat (reggie) 0 access-list 109
nat (net3) 0 access-list 111
nat (net4) 0 access-list 112
access-group 115 in interface outside
access-group 110 in interface priv
access-group 109 in interface reggie
access-group 111 in interface net3
access-group 112 in interface net4

rtartar
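A check worth running on flattened PIX 6.3 configs like the two posted above, added here as an example and not code from the thread: parse the commands that decide inbound reachability and report access-lists that are defined but never applied, plus interfaces that carry no inbound access-group. NAT exemption (`nat 0 access-list`) does let outside-initiated connections reach the exempted hosts without statics, but only when the low-security interface also has an access-group permitting them; the first config defines acl_in without ever binding it, while the second binds 115 to outside. The excerpt below is a constructed abbreviation of the first posted config.

```python
import re

def parse_pix(config: str) -> dict:
    """Pull out the PIX 6.3 commands that decide inbound reachability:
    interfaces (nameif), ACL names, access-group bindings and nat 0 exemptions."""
    a = {"interfaces": set(), "acls": set(), "bound": {}, "nat0": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif \S+ (\S+) security\d+$", line):
            a["interfaces"].add(m.group(1))
        elif m := re.match(r"access-list (\S+) ", line):
            a["acls"].add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            a["bound"][m.group(2)] = m.group(1)       # interface -> inbound ACL
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            a["nat0"][m.group(1)] = m.group(2)        # interface -> exemption ACL
    return a

def unbound_acls(a: dict) -> set:
    """ACLs defined but used neither by access-group nor by nat 0 (dead config)."""
    return a["acls"] - set(a["bound"].values()) - set(a["nat0"].values())

def interfaces_without_acl(a: dict) -> set:
    """Interfaces carrying no inbound ACL; for a security0 'outside' this means
    no outside-initiated connection is permitted, whatever nat 0 exempts."""
    return a["interfaces"] - set(a["bound"])

# Constructed excerpt of the first config posted above (representative lines only).
FIRST_POST_EXCERPT = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan21 reggie security99
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list acl_in permit tcp any object-group webhosts object-group web_service
access-list acl_in permit icmp any any
nat (reggie) 0 access-list reggie_out_acl
access-group reggie_out_acl in interface reggie
route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
"""

if __name__ == "__main__":
    audit = parse_pix(FIRST_POST_EXCERPT)
    print("ACLs never applied:", sorted(unbound_acls(audit)))
    print("interfaces with no inbound ACL:", sorted(interfaces_without_acl(audit)))
```

Feeding the same parser the second posted config reports no unbound ACLs, since 115 is applied to outside there.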

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.