Problem with Cisco PIX515

Liquidkristal

Ok, so I am having a spot of bother with a Cisco PIX515. I have posted the current running config below. Now, I am no Cisco expert by any means, although I can do basic stuff with them, and I am having trouble with traffic sent from the outside to address 10.75.32.25: it just doesn't appear to be going anywhere.

Now, this firewall is deep inside a private network, with an upstream firewall that we don't manage. I have spoken to the people that look after that firewall and they say they have traffic routing to 10.75.32.21 and 10.75.32.25 and that's it (although there is a website that runs from the server 172.16.102.5 which, if my understanding is correct, gets traffic via 10.75.32.23).

Any ideas would be greatly appreciated, as to me it should all just work, but it's not (obviously, if the config is all correct then there could be a problem with the web server that we are trying to access on 10.75.32.25, although the users say that they can get to it internally (172.16.102.8), which is even more confusing).

Code:
    PIX Version 6.3(3)
    interface ethernet0 auto  
    interface ethernet1 auto  
    interface ethernet2 auto  
    nameif ethernet0 outside security0  
    nameif ethernet1 inside security100  
    nameif ethernet2 academic security50  
    fixup protocol dns maximum-length 512  
    fixup protocol ftp 21  
    fixup protocol h323 h225 1720  
    fixup protocol h323 ras 1718-1719  
    fixup protocol http 80  
    fixup protocol rsh 514  
    fixup protocol rtsp 554  
    fixup protocol sip 5060  
    fixup protocol sip udp 5060  
    fixup protocol skinny 2000  
    fixup protocol smtp 25  
    fixup protocol sqlnet 1521  
    fixup protocol tftp 69  
    names  
    name 195.157.180.168 outsideNET  
    name 195.157.180.170 globalNAT  
    name 195.157.180.174 gateway  
    name 195.157.180.173 Mail-Global  
    name 172.30.31.240 Mail-Local 
    name 10.75.32.20 outsideIF  
    name 82.219.210.17 frogman1  
    name 212.69.230.79 frogman2  
    name 78.105.118.9 frogman3  
    name 172.16.0.0 acadNET  
    name 172.16.100.254 acadIF  
    access-list acl_outside permit icmp any any echo-reply  
    access-list acl_outside permit icmp any any unreachable  
    access-list acl_outside permit icmp any any time-exceeded  
    access-list acl_outside permit tcp any host 10.75.32.22 eq smtp  
    access-list acl_outside permit tcp any host 10.75.32.22 eq 8383  
    access-list acl_outside permit tcp any host 10.75.32.22 eq 8385    
    access-list acl_outside permit tcp any host 10.75.32.22 eq 8484  
    access-list acl_outside permit tcp any host 10.75.32.22 eq 8485  
    access-list acl_outside permit ip any host 10.75.32.30  
    access-list acl_outside permit tcp any host 10.75.32.25 eq https  
    access-list acl_outside permit tcp any host 10.75.32.25 eq www  
    access-list acl_outside permit tcp any host 10.75.32.23 eq www  
    access-list acl_outside permit tcp any host 10.75.32.23 eq https  
    access-list acl_outside permit tcp host frogman1 host 10.75.32.23 eq ssh  
    access-list acl_outside permit tcp host frogman2 host 10.75.32.23 eq ssh  
    access-list acl_outside permit tcp host frogman3 host 10.75.32.23 eq ssh  
    access-list acl_outside permit tcp any host 10.75.32.23 eq 2001  
    access-list acl_outside permit tcp host frogman1 host 10.75.32.24 eq 8441  
    access-list acl_outside permit tcp host frogman2 host 10.75.32.24 eq 8441  
    access-list acl_outside permit tcp host frogman3 host 10.75.32.24 eq 8441  
    access-list acl_outside permit tcp host frogman1 host 10.75.32.24 eq 8442  
    access-list acl_outside permit tcp host frogman2 host 10.75.32.24 eq 8442  
    access-list acl_outside permit tcp host frogman3 host 10.75.32.24 eq 8442  
    access-list acl_outside permit tcp host frogman1 host 10.75.32.24 eq 8443   
    access-list acl_outside permit tcp host frogman2 host 10.75.32.24 eq 8443  
    access-list acl_outside permit tcp host frogman3 host 10.75.32.24 eq 8443  
    access-list acl_outside permit tcp any host 10.75.32.23 eq smtp  
    access-list acl_outside permit tcp any host 10.75.32.23 eq ssh  
    access-list acl_outside permit tcp any host 10.75.32.24 eq ssh  
    access-list acl_acad permit icmp any any echo-reply  
    access-list acl_acad permit icmp any any unreachable  
    access-list acl_acad permit icmp any any time-exceeded  
    access-list acl_acad permit tcp any 10.0.0.0 255.0.0.0 eq www  
    access-list acl_acad deny tcp any any eq www  
    access-list acl_acad permit tcp any 10.0.0.0 255.0.0.0 eq https  
    access-list acl_acad permit tcp any 10.0.0.0 255.0.0.0 eq 8080  
    access-list acl_acad permit tcp host 172.16.102.5 host 10.64.1.115 eq smtp  
    pager lines 24  
    logging console debugging  
    mtu outside 1500  
    mtu inside 1500  
    mtu academic 1500  
    ip address outside outsideIF 255.255.252.0  
    no ip address inside  
    ip address academic acadIF 255.255.0.0  
    ip audit info action alarm  
    ip audit attack action alarm  
    pdm history enable  
    arp timeout 14400  
    global (outside) 1 10.75.32.21  
    nat (academic) 1 acadNET 255.255.0.0 0 0  
    static (academic,outside) 10.75.32.22 Mail-Local netmask 255.255.255.255 0 0  
    static (academic,outside) 10.75.32.30 172.30.30.36 netmask 255.255.255.255 0 0  
    static (academic,outside) 10.75.32.23 172.16.102.5 netmask 255.255.255.255 0 0  
    static (academic,outside) 10.75.32.24 172.16.102.6 netmask 255.255.255.255 0 0  
    static (academic,outside) 10.75.32.25 172.16.102.8 netmask 255.255.255.255 0 0  
    access-group acl_outside in interface outside  
    access-group acl_acad in interface academic  
    route outside 0.0.0.0 0.0.0.0 10.75.32.1 1  
    timeout xlate 3:00:00  
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00  
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00  
    timeout uauth 0:05:00 absolute  
    aaa-server TACACS+ protocol tacacs+  
    aaa-server RADIUS protocol radius  
    aaa-server LOCAL protocol local  
    snmp-server host outside 172.31.10.153  
    snmp-server host outside 172.31.10.154  
    snmp-server host outside 172.31.10.155  
    no snmp-server location  
    no snmp-server contact    
    snmp-server community CPQ_HHS  
    no snmp-server enable traps  
    floodguard enable  
    telnet 172.30.31.0 255.255.255.0 academic  
    telnet timeout 5  
    ssh timeout 5  
    console timeout 0  
    terminal width 120  
    Cryptochecksum:hi2u  
    : end  
    PIX515#
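
An added example, not part of this thread and not Cisco tooling: a small Python model of the two checks a PIX 6.x applies to a new inbound connection (the inbound ACL, matched on the global address, then the static that translates it), run over a constructed excerpt of the config posted above. It treats the excerpt as the whole policy and only models the `any` / `host` address forms and the service keywords the excerpt uses, so it is a reading aid for this config rather than a general PIX parser.

```python
import ipaddress
# Constructed excerpt of the PIX 6.3(3) running config posted above (only the lines that matter here).
CONFIG = """\
name 172.30.31.240 Mail-Local
name 82.219.210.17 frogman1
access-list acl_outside permit tcp any host 10.75.32.22 eq smtp
access-list acl_outside permit tcp any host 10.75.32.25 eq www
access-list acl_outside permit tcp host frogman1 host 10.75.32.23 eq ssh
static (academic,outside) 10.75.32.22 Mail-Local netmask 255.255.255.255 0 0
static (academic,outside) 10.75.32.23 172.16.102.5 netmask 255.255.255.255 0 0
static (academic,outside) 10.75.32.25 172.16.102.8 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
"""
PORTS = {"www": 80, "https": 443, "smtp": 25, "ssh": 22}  # service keywords that appear in acl_outside

def _addr(tok, i, names):  # ACL address spec at tok[i]: 'any' or 'host <ip|name>' (all acl_outside uses)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1])), i + 2

def parse(config):
    names, statics, acls, groups = {}, {}, {}, {}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "name":                  # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "static":              # static (inner,outer) <global> <local> netmask ...
            inner, outer = t[1].strip("()").split(",")
            statics[(outer, t[2])] = (inner, names.get(t[3], t[3]))
        elif t[0] == "access-list":         # access-list <acl> permit|deny <proto> <src> <dst> [eq <port>]
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":        # access-group <acl> in interface <iface>
            groups[t[4]] = t[1]
    return names, statics, acls, groups

def inbound_check(config, src, dst, proto, port, iface="outside"):
    """Verdict for a new connection on `iface`: ('forwarded', real_ip), ('no-static', None)
    or ('denied', None). PIX 6.x checks the inbound ACL on the global (pre-NAT) 10.75.32.x address."""
    names, statics, acls, groups = parse(config)
    for r in acls.get(groups.get(iface, ""), []):          # ordered: first match wins
        s_net, i = _addr(r, 2, names)
        d_net, i = _addr(r, i, names)
        port_ok = not (i < len(r) and r[i] == "eq") or int(PORTS.get(r[i + 1], r[i + 1])) == port
        if (r[1] not in (proto, "ip") or ipaddress.ip_address(src) not in s_net
                or ipaddress.ip_address(dst) not in d_net or not port_ok):
            continue
        nat = statics.get((iface, dst))                    # (inner iface, real host) or None
        if r[0] == "deny" or nat is None:
            return ("denied" if r[0] == "deny" else "no-static"), None
        return "forwarded", nat[1]
    return "denied", None                                  # implicit deny at the end of the ACL
```

For 10.75.32.25:80 the model returns `('forwarded', '172.16.102.8')`, i.e. both the ACL permit and the static are present in the posted config; removing the static line turns that into `('no-static', None)`, which is the symptom a missing or stale translation would produce.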
 
The config looks good although it's been a few years since I've had to troubleshoot a PIX running a 6.x release.

What I would do is take a look at the xlate and connection tables to see if the NAT is working properly and the connections are getting through the firewall.

Code:
sh xlate | grep 10.75.32.25
sh conn detail | grep 10.75.32.25

If the xlate table is not correct, do a "clear xlate" to refresh the NAT mappings, since your statics appear correct, as do your ACLs.

If that's all good, set up a capture on the outside and academic interfaces and make sure the packets are actually traversing the firewall correctly.

Code:
access-list outside_in permit tcp <source> host 10.75.32.25 eq 80
exit
capture outside_in access-list outside_in interface outside
[generate traffic]
sh capture outside_in

The above will show you if the packets are getting to your firewall.

Code:
access-list acad_out permit tcp <source> host 172.16.102.8 eq 80
capture acad_out access-list acad_out interface academic
[generate more traffic]
sh capture acad_out

Hope that helps a bit. BTW, my syntax might be off a bit, since the PIX 6.x commands are a little different from the 7.x+ commands. They should be pretty close though. Time to replace that firewall. ;)
 
Yeah, the firewall is a little on the old side of things; the planned replacement is a long way off yet though.
 