PIX501 OUTSIDE HOST PROBLEM

Last response: in Networking
August 4, 2006 3:59:36 PM

Hi everyone, I got a weird problem.

Here's how it goes.

I have made a static map in my PIX.

static (inside,outside) 205.236.116.161 192.168.2.161 netmask 255.255.255.255 0 0

When I try to ping the host from a remote location, it is unreachable.
When I try to ping the internal host from the PIX, it works. I know the PIX is able to communicate with the internal host.

I did a pathping on the IP 205.236.116.161 and it looks like it stops at my ISP's router.

0 xxx [192.168.xxx.90]
1 192.168.xxx.1
2 10.72.64.1
3 24.200.245.22
4 10.154.0.34
5 ia-piex-bb04-pc-1.vtl.net [207.96.146.17]
6 ia-cnnu-gw01-ge1-2.vtl.net [207.96.210.157]
7 peer-telus.vtl.net [216.113.37.10]
8 qubcpqajdr01.bb.telus.com [154.11.7.107]
9 142.169.161.203
10 207.134.58.146
11 * * *

I have checked everything in the PIX and it all looks good.

Here is my config; as you will see, I have opened ICMP for outside hosts, so I'm sure it's not an access-list issue.

: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password r16txiuATYiqieNB encrypted
passwd r16txiuATYiqieNB encrypted
hostname *********
domain-name *********
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.100.0 Montreal-iWeb
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list pptp-nonat permit ip 192.168.2.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list acl_outside permit icmp any any
access-list acl_outside permit udp 192.168.101.0 255.255.255.0 any eq pcanywhere-status
access-list acl_outside permit icmp 192.168.101.0 255.255.255.0 any
access-list acl_outside permit tcp 192.168.101.0 255.255.255.0 any eq pcanywhere-data
access-list acl_outside permit tcp 192.168.101.0 255.255.255.0 any eq www
access-list acl_outside permit tcp 192.168.101.0 255.255.255.0 any eq 3389
access-list acl_outside permit tcp any interface outside eq 4662
access-list acl_outside permit udp any interface outside eq 4762
access-list acl_outside permit tcp any interface outside eq 3154
access-list crypto-nonat permit ip 192.168.2.0 255.255.255.0 Montreal-iWeb 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 205.236.116.231 255.255.255.0
ip address inside 192.168.2.231 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-local 192.168.101.2-192.168.101.20
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pptp-nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 4662 192.168.2.240 4662 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4762 192.168.2.240 4762 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3154 192.168.2.188 3154 netmask 255.255.255.255 0 0
static (inside,outside) 205.236.116.161 192.168.2.161 netmask 255.255.255.255 0 0
static (inside,outside) 205.236.116.162 192.168.2.162 netmask 255.255.255.255 0 0
static (inside,outside) 205.236.116.163 192.168.2.163 netmask 255.255.255.255 0 0
static (inside,outside) 205.236.116.164 192.168.2.164 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 205.236.116.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http ********* 255.255.255.255 outside
http ********* 255.255.255.255 outside
http ********* 255.255.255.255 outside
http ********* 255.255.255.255 outside
http ********* 255.255.255.255 outside
http 192.168.2.0 255.255.255.0 inside
http ********* 255.255.255.255 inside
snmp-server location Beauce
snmp-server contact Francois Collerette
snmp-server community franpublic
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address crypto-nonat
crypto map outside_map 20 set peer *********
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh ********* 255.255.255.255 outside
ssh 192.168.101.0 255.255.255.0 outside
ssh ********* 255.255.255.255 outside
ssh ********* 255.255.255.255 outside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40 required
vpdn group 1 client configuration address local pptp-local
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username **************** password *********
vpdn username ***** password *********
vpdn username ***** password *********
vpdn enable outside
terminal width 80

Does anyone have any idea? It's the first time I've had this problem. At first I thought it was an ARP issue, but my ISP told me that he refreshed the ARP cache of the router and was still not able to ping the host 205.236.116.161.

So I guess it's something in my config after all.

Thanks a lot for your help!

Francois


August 8, 2006 11:33:40 PM

I haven't used the PIX firewall, but I assume that this is a Cisco Enterprise Firewall device. If Cisco, does Cisco have a forum or newsgroup pertaining to your query? Sorry I can't help.
August 9, 2006 1:31:22 PM

Hi everyone,
I've done a complete rewrite of the config and noticed something.

sysopt noproxyarp outside

I disabled that command and rebooted the PIX.

Looks like everything is going well.
August 10, 2006 3:14:18 AM

I'm happy all is working well for you now. I was thinking the problem was related to your outside access-list permitting inbound access. You didn't permit any connections to that host you statically mapped. There should be an ACL statement on your outside access-list that looks something like this:

access-list acl_outside permit icmp any 205.236.116.161
August 10, 2006 2:10:27 PM

Yeah, you are right... there should be an access-list that applies to that computer, but since this is for production servers I have an ACL that permits ICMP to any host.

access-list acl_outside permit icmp any any

Easier for troubleshooting connectivity problems.

Thanks for the pointer!

Francois
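The two causes discussed in this thread for an unreachable static (proxy ARP disabled on the interface that holds the mapped address, and no permit toward the mapped address in the inbound ACL) can be checked mechanically. The checker below is an added example, not the poster's or Cisco's code: it reads a constructed excerpt of the posted PIX 6.3(4) config, assumes the `static`, `access-list`, `access-group` and `sysopt noproxyarp` syntax exactly as shown above, and only understands ACE destinations written as `any`, `host X`, `interface X` or `X MASK`.

```python
import ipaddress
import re
# Constructed excerpt of the PIX 6.3(4) config posted above (only the lines these checks read).
PIX_CONFIG = """\
ip address outside 205.236.116.231 255.255.255.0
access-list acl_outside permit icmp any any
access-list acl_outside permit tcp any interface outside eq 4662
static (inside,outside) tcp interface 4662 192.168.2.240 4662 netmask 255.255.255.255 0 0
static (inside,outside) 205.236.116.161 192.168.2.161 netmask 255.255.255.255 0 0
static (inside,outside) 205.236.116.162 192.168.2.162 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
sysopt noproxyarp outside
"""
STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) (?:(?:tcp|udp) )?(\S+)(?: \d+)? (\S+)")

def ace_permits_dst(ace, ip):
    """True if a PIX ACE ('permit proto src dst ...') permits traffic to `ip`."""
    t = ace.split()
    if t[0] != "permit":
        return False
    dst = t[3:] if t[2] == "any" else t[4:]   # source is 'any' or two tokens (host X / net mask)
    if dst[0] == "any" or dst[:2] == ["host", ip]:
        return True
    if dst[0] in ("host", "interface"):
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{dst[0]}/{dst[1]}", strict=False)

def check_statics(config):
    """Return (global_ip, problem) findings for statics that a remote host could not reach."""
    nets, statics, acls, groups, noproxy, findings = {}, [], {}, {}, set(), []
    for line in config.splitlines():
        if m := re.match(r"^ip address (\w+) (\S+) (\S+)", line):
            nets[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := STATIC_RE.match(line):
            statics.append((m[1], m[2]))   # (interface the global address lives on, global IP)
        elif m := re.match(r"^access-list (\S+) (.*)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"^access-group (\S+) in interface (\w+)", line):
            groups[m[2]] = m[1]
        elif m := re.match(r"^sysopt noproxyarp (\w+)", line):
            noproxy.add(m[1])
    for iface, glob in statics:
        if glob == "interface":   # port forward on the PIX's own address: it already answers ARP
            continue
        # ISP router ARPs for the mapped address; with proxy ARP off the PIX stays silent ('* * *' above).
        if iface in noproxy and ipaddress.ip_address(glob) in nets.get(iface, ()):
            findings.append((glob, f"proxy ARP disabled on {iface}"))
        if not any(ace_permits_dst(a, glob) for a in acls.get(groups.get(iface), [])):
            findings.append((glob, f"no permit toward {glob} in inbound ACL on {iface}"))
    return findings
```

Running `check_statics(PIX_CONFIG)` reports both 205.236.116.16x statics as unreachable because of `sysopt noproxyarp outside`; removing that line from the excerpt clears the findings, matching what the poster observed after the reboot.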
August 10, 2006 2:12:48 PM

Ah I apologize I didn't see that when looking at the configuration.