
Just installed a PIX 515 with version 7.0 with a SOHO 1


sdang (MIS), Apr 15, 2007
Can someone please look at these configurations? I am completely lost now, since the fixup and conduit commands are unavailable on this PIX.

From the router: I can ping the outside world.
PIX: I can ping the outside world.
Computer: I can ping the firewall; when I ping the router I get a response from the NAT entry on the router, 172.16.0.7. I can ping the outside world.

ROUTER

workx#show run
Building configuration...

Current configuration : 2399 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname workx
!
logging queue-limit 100
enable secret 5 $1$gP63$VhbMiMVPvWOO8erFpvnnK1
enable password 7 09060B1F1017021F5A58557A
!
username CRWS_Ulags privilege 15 password 7 100A585D3246142A480B7B24170D2334734B5440505204090803
ip subnet-zero
ip name-server 68.6.16.30
ip name-server 172.16.0.13
ip dhcp excluded-address 172.16.0.7
ip dhcp excluded-address 172.16.0.2
ip dhcp excluded-address 172.16.0.3
ip dhcp excluded-address 172.16.0.13
!
interface Ethernet0
ip address 172.16.0.250 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address X.167.112.184 255.255.255.192
ip nat outside
no ip mroute-cache
duplex auto
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static 172.16.0.7 interface Ethernet1
ip nat inside source static 172.16.0.13 X.167.112.183
ip nat inside source static 172.16.0.4 X.167.112.185
ip nat inside source static 172.16.0.3 X.167.112.187
ip classless
ip route 0.0.0.0 0.0.0.0 X.167.112.129
ip route 172.16.0.0 255.255.0.0 X.167.112.186
ip http server
no ip http secure-server
!
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
password 7 15584E1A0D383E2979676472
login
length 0
!
scheduler max-task-time 5000
!
end

FIREWALL

workxresearch# show config
: Saved
: Written by enable_15 at 20:11:23.901 UTC Sat Apr 14 2007
!
PIX Version 7.2(2)
!
hostname workxresearch
domain-name workxresearch.com
enable password 8fSmoHmo/c94H615 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address X.167.112.186 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.251 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name workxresearch.com
access-list 101 extended permit tcp host 172.16.0.13 eq smtp any
access-list 101 extended permit tcp host 172.16.0.13 eq 444 any
access-list 101 extended permit tcp host 172.16.0.13 eq pptp any
access-list 101 extended permit tcp host 172.16.0.13 eq https any
access-list 101 extended permit tcp host 172.16.0.13 eq
access-list 101 extended permit gre host 172.16.0.13 any
access-list 101 extended permit tcp host 172.16.0.8 eq
access-list 101 extended permit tcp host 172.16.0.3 eq
access-list 101 extended permit tcp host 172.16.0.13 eq 3109 any
access-list 101 extended permit tcp host 172.16.0.13 eq imap4 any
access-list 101 extended permit tcp host 172.16.0.13 eq 4125 any
access-list 101 extended permit tcp host 172.16.0.13 eq 81 any
access-list 101 extended permit tcp host 172.16.0.13 eq pop3 any
access-list 101 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 172.16.0.0 255.255.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.252.0
route outside 0.0.0.0 0.0.0.0 X.167.112.184 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_ftp
match port tcp eq 993
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class class_ftp
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:781bdcb94192bad96cae2313c592c2f6
workxresearch#
 
So just to confirm -
1. outbound traffic works fine
2. email works fine (sending and receiving?)

Is the pix in there now?
I can ping the .186 and .184 and the .184 website comes up in Firefox but not the others. It appears your DNS entries are not right. Your DNS MX record points to the .187 address not the .183 and the .183 and .184 do not have anything listed.

Did you save the config and reload or clear conn and xlates?
Post the whole config again.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Yes, outbound traffic works fine.
2. Mail was working fine, sending and receiving, with the PIX in place.

Could get a response back from .186, .184, .187, .183 when the PIX was in place.

The router is currently in place.

I have the PIX right now doing nothing. The DNS records were changed back to the original.

I did save the config and reload. Are you sure I don't have the IPs backwards?

interface Ethernet0
nameif outside
security-level 0
ip address 70.167.112.186 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.251 255.255.255.0
!
passwd 8fSmoHmo/c94H615 encrypted
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
domain-name workxresearch.com
access-list outbound extended permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list outbound extended permit tcp 172.16.0.0 255.255.255.0 any eq ftp-data
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit tcp any host 70.167.112.183 eq smtp
access-list outside-in extended permit tcp any host 70.167.112.183 eq 444
access-list outside-in extended permit tcp any host 70.167.112.183 eq pptp
access-list outside-in extended permit tcp any host 70.167.112.183 eq https
access-list outside-in extended permit tcp any host 70.167.112.183 eq www
access-list outside-in extended permit gre any host 70.167.112.183
access-list outside-in extended permit tcp any host 70.167.112.183 eq 3109
access-list outside-in extended permit tcp any host 70.167.112.183 eq imap4
access-list outside-in extended permit tcp any host 70.167.112.183 eq 4125
access-list outside-in extended permit tcp any host 70.167.112.183 eq 81
access-list outside-in extended permit tcp any host 70.167.112.183 eq pop3
access-list outside-in extended permit tcp any host 70.167.112.187 eq www
access-list outside-in extended permit tcp any host 70.167.112.184 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
static (inside,outside) 70.167.112.183 172.16.0.13 netmask 255.255.255.255
static (inside,outside) 70.167.112.184 172.16.0.8 netmask 255.255.255.255
static (inside,outside) 70.167.112.185 172.16.0.3 netmask 255.255.255.255
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 70.167.112.184 1
route outside 0.0.0.0 0.0.0.0 70.167.112.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.0.250 255.255.255.255 inside
ssh timeout 5
ssh version 2
console timeout 0
!
class-map class_ftp
match port tcp eq 993
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class class_ftp
inspect ftp


 
I meant to say I could not get a response back from .186, .184, .187, .183 when the PIX was in place.
 
Yes, outbound traffic works fine.
2. Mail was working fine, sending and receiving, with the PIX in place.

Could not get a reply back from .186, .184, .187, .183 when the PIX was in place.

The router is currently in place; the PIX is not.

I have the PIX right now doing nothing. The DNS records were changed back to the original.

I did save the config and reload. Are you sure I don't have the IPs backwards?

 
Which one of these is correct
route outside 0.0.0.0 0.0.0.0 70.167.112.184 1
route outside 0.0.0.0 0.0.0.0 70.167.112.129 1
delete the other one. Also, remove this for the time being
icmp unreachable rate-limit 1 burst-size 1

Everything else looks as it should.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 

OK,

I had issues again when I hooked up the PIX by itself. I still was not able to ping the NATted external addresses. I was able to ping the PIX fine from the outside. I really appreciate your help.

interface Ethernet0
nameif outside
security-level 0
ip address 70.167.112.186 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.250 255.255.255.0
!
passwd 8fSmoHmo/c94H615 encrypted
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
domain-name workxresearch.com
access-list outbound extended permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list outbound extended permit tcp 172.16.0.0 255.255.255.0 any eq ftp-data
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit tcp any host 70.167.112.183 eq smtp
access-list outside-in extended permit tcp any host 70.167.112.183 eq 444
access-list outside-in extended permit tcp any host 70.167.112.183 eq pptp
access-list outside-in extended permit tcp any host 70.167.112.183 eq https
access-list outside-in extended permit tcp any host 70.167.112.183 eq www
access-list outside-in extended permit gre any host 70.167.112.183
access-list outside-in extended permit tcp any host 70.167.112.183 eq 3109
access-list outside-in extended permit tcp any host 70.167.112.183 eq imap4
access-list outside-in extended permit tcp any host 70.167.112.183 eq 4125
access-list outside-in extended permit tcp any host 70.167.112.183 eq 81
access-list outside-in extended permit tcp any host 70.167.112.183 eq pop3
access-list outside-in extended permit tcp any host 70.167.112.187 eq www
access-list outside-in extended permit tcp any host 70.167.112.184 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
static (inside,outside) 70.167.112.183 172.16.0.13 netmask 255.255.255.255
static (inside,outside) 70.167.112.184 172.16.0.8 netmask 255.255.255.255
static (inside,outside) 70.167.112.185 172.16.0.3 netmask 255.255.255.255
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 70.167.112.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.0.250 255.255.255.255 inside
ssh timeout 5
ssh version 2
console timeout 0
!
class-map class_ftp
match port tcp eq 993
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class class_ftp
inspect ftp
 
The config looks good. At this point, what is not working?
Next time, reboot the modem/csu/dsu device after you connect the pix.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Well, when I hook up the PIX by itself (the PIX is not hooked up right now),
I cannot ping these external addresses:
70.167.112.183, 70.167.112.184, 70.167.112.185

but I can ping the PIX, .186,

or access them by the web using IPs .183 or .184.


 
I rebooted the modem, put the PIX in place, and still could not ping the external addresses

70.167.112.183, 70.167.112.184, 70.167.112.185

but I can ping the PIX, .186,

or access them by the web using IPs .183 or .184.


 
This might be a case for a TAC. I don't see anything wrong with the config. Sorry I can't be of more help.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
What would a basic configuration look like so I can let everything in? Then I can start securing it one by one. Thanks again for all your help.

 
Turn on logging and see what's in the logs after you try to connect.
logging enable
logging timestamp
logging buffered debugging

try the connections
then

show logging
let me know what is happening.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
OK, I enabled logging.


Here are the pings I did:
C:\Documents and Settings\steve.TELANETIX>ping 70.167.112.183

Pinging 70.167.112.183 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 70.167.112.183:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\steve.TELANETIX>ping 70.167.112.184

Pinging 70.167.112.184 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 70.167.112.184:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\steve.TELANETIX>

C:\Documents and Settings\steve.TELANETIX>ping 70.167.112.187

Pinging 70.167.112.187 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 70.167.112.187:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\steve.TELANETIX>ping 70.167.112.186

Pinging 70.167.112.186 with 32 bytes of data:

Reply from 70.167.112.186: bytes=32 time=47ms TTL=243
Reply from 70.167.112.186: bytes=32 time=49ms TTL=244
Reply from 70.167.112.186: bytes=32 time=51ms TTL=244
Reply from 70.167.112.186: bytes=32 time=47ms TTL=243

Ping statistics for 70.167.112.186:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 47ms, Maximum = 51ms, Average = 48ms

C:\Documents and Settings\steve.TELANETIX>



LOGGING Below

Workx# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 1958 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
57:35: %PIX-6-305012: Teardown dynamic TCP translation from inside:172.16.0.10/4235 to outside:70.167.112.186/1157 duration 0:01:30
Apr 20 2007 15:57:39: %PIX-6-305012: Teardown dynamic TCP translation from inside:172.16.0.10/4215 to outside:70.167.112.186/1137 duration 0:02:00
Apr 20 2007 15:57:42: %PIX-6-302016: Teardown UDP connection 628 for outside:18.241.5.107/40578 to inside:172.16.0.10/45700 duration 0:02:02 bytes 147
Apr 20 2007 15:57:42: %PIX-7-609002: Teardown local-host outside:18.241.5.107 duration 0:02:02
Apr 20 2007 15:57:42: %PIX-6-302016: Teardown UDP connection 629 for outside:70.189.247.202/37455 to inside:172.16.0.10/45700 duration 0:02:02 bytes 133
Apr 20 2007 15:57:42: %PIX-7-609002: Teardown local-host outside:70.189.247.202 duration 0:02:02
Apr 20 2007 15:57:45: %PIX-6-302014: Teardown TCP connection 672 for outside:209.85.147.83/80 to inside:172.16.0.10/4238 duration 0:01:05 bytes 1032 TCP Reset-I
Apr 20 2007 15:57:46: %PIX-7-710005: UDP request discarded from 172.16.0.19/44676 to inside:172.16.0.255/3052
Apr 20 2007 15:57:47: %PIX-6-302016: Teardown UDP connection 630 for outside:89.78.204.12/50916 to inside:172.16.0.42/56455 duration 0:02:04 bytes 138
Apr 20 2007 15:57:47: %PIX-7-609002: Teardown local-host outside:89.78.204.12 duration 0:02:04
Apr 20 2007 15:57:49: %PIX-6-302015: Built outbound UDP connection 694 for outside:207.6.80.76/33597 (207.6.80.76/33597) to inside:172.16.0.42/56455 (70.167.112.186/1025)
Apr 20 2007 15:57:51: %PIX-6-302016: Teardown UDP connection 639 for outside:59.147.70.22/62923 to inside:172.16.0.42/56455 duration 0:02:03 bytes 51
Apr 20 2007 15:57:51: %PIX-7-609002: Teardown local-host outside:59.147.70.22 duration 0:02:03
Apr 20 2007 15:57:56: %PIX-7-609001: Built local-host outside:74.135.228.51
Apr 20 2007 15:57:56: %PIX-6-302015: Built outbound UDP connection 695 for outside:74.135.228.51/57930 (74.135.228.51/57930) to inside:172.16.0.42/56455 (70.167.112.186/1025)
Apr 20 2007 15:57:56: %PIX-7-609001: Built local-host outside:129.215.103.31
Apr 20 2007 15:57:56: %PIX-6-302015: Built outbound UDP connection 696 for outside:129.215.103.31/47347 (129.215.103.31/47347) to inside:172.16.0.42/56455 (70.167.112.186/1025)
Apr 20 2007 15:58:00: %PIX-6-305012: Teardown dynamic TCP translation from inside:172.16.0.10/4250 to outside:70.167.112.186/1170 duration 0:00:30
Apr 20 2007 15:58:02: %PIX-6-302020: Built ICMP connection for faddr 209.223.155.6/512 gaddr 70.167.112.186/0 laddr 70.167.112.186/0
Apr 20 2007 15:58:02: %PIX-6-302021: Teardown ICMP connection for faddr 209.223.155.6/512 gaddr 70.167.112.186/0 laddr 70.167.112.186/0
Apr 20 2007 15:58:03: %PIX-6-302020: Built ICMP connection for faddr 209.223.155.6/512 gaddr 70.167.112.186/0 laddr 70.167.112.186/0
Apr 20 2007 15:58:03: %PIX-6-302021: Teardown ICMP connection for faddr 209.223.155.6/512 gaddr 70.167.112.186/0 laddr 70.167.112.186/0
Apr 20 2007 15:58:04: %PIX-6-302020: Built ICMP connection for faddr 209.223.155.6/512 gaddr 70.167.112.186/0 laddr 70.167.112.186/0
Apr 20 2007 15:58:04: %PIX-6-302021: Teardown ICMP connection for faddr 209.223.155.6/512 gaddr 70.167.112.186/0 laddr 70.167.112.186/0
Apr 20 2007 15:58:04: %PIX-6-302016: Teardown UDP connection 655 for outside:69.70.123.227/14976 to inside:172.16.0.10/45700 duration 0:02:03 bytes 502
Apr 20 2007 15:58:04: %PIX-7-609002: Teardown local-host outside:69.70.123.227 duration 0:02:03
Apr 20 2007 15:58:04: %PIX-6-302014: Teardown TCP connection 685 for outside:66.102.7.104/80 to inside:172.16.0.10/4247 duration 0:01:04 bytes 1296 TCP Reset-I
Apr 20 2007 15:58:05: %PIX-6-302020: Built ICMP connection for faddr 209.223.155.6/512 gaddr 70.167.112.186/0 laddr 70.167.112.186/0
Apr 20 2007 15:58:05: %PIX-6-302021: Teardown ICMP connection for faddr 209.223.155.6/512 gaddr 70.167.112.186/0 laddr 70.167.112.186/0
Apr 20 2007 15:58:06: %PIX-6-302016: Teardown UDP connection 656 for outside:130.243.133.141/56279 to inside:172.16.0.10/45700 duration 0:02:06 bytes 333
Apr 20 2007 15:58:06: %PIX-7-609002: Teardown local-host outside:130.243.133.141 duration 0:02:06


 
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 2858 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
.0.42/56455 (70.167.112.186/1025)
Apr 20 2007 16:05:20: %PIX-7-111009: User 'enable_15' executed cmd: show logging
Apr 20 2007 16:05:20: %PIX-7-710005: UDP request discarded from 172.16.0.19/44676 to inside:172.16.0.255/3052
Apr 20 2007 16:05:23: %PIX-6-302016: Teardown UDP connection 816 for outside:66.212.219.134/33365 to inside:172.16.0.10/45700 duration 0:02:02 bytes 129
Apr 20 2007 16:05:23: %PIX-7-609002: Teardown local-host outside:66.212.219.134 duration 0:02:02
Apr 20 2007 16:05:25: %PIX-7-609001: Built local-host outside:89.139.182.162
Apr 20 2007 16:05:25: %PIX-6-302015: Built outbound UDP connection 860 for outside:89.139.182.162/35428 (89.139.182.162/35428) to inside:172.16.0.42/56455 (70.167.112.186/1025)
Apr 20 2007 16:05:25: %PIX-7-609001: Built local-host outside:89.2.70.31
Apr 20 2007 16:05:25: %PIX-6-302015: Built outbound UDP connection 861 for outside:89.2.70.31/19641 (89.2.70.31/19641) to inside:172.16.0.42/56455 (70.167.112.186/1025)
Apr 20 2007 16:05:27: %PIX-7-609001: Built local-host outside:70.66.187.240
Apr 20 2007 16:05:27: %PIX-6-302015: Built outbound UDP connection 862 for outside:70.66.187.240/16167 (70.66.187.240/16167) to inside:172.16.0.10/45700 (70.167.112.186/1026)
Apr 20 2007 16:05:27: %PIX-7-609001: Built local-host outside:84.73.64.80
An TCP connection 873 for outside:216.115.218.62/443 to inside:172.16.0.10/4338 duration 0:00:00 bytes 209 TCP FINs
Apr 20 2007 16:05:46: %PIX-7-609002: Teardown local-host outside:216.115.218.62 duration 0:00:00
Apr 20 2007 16:05:46: %PIX-6-302014: Teardown TCP connection 872 for outside:212.118.246.77/443 to inside:172.16.0.10/4337 duration 0:00:00 bytes 209 TCP FINs
Apr 20 2007 16:05:46: %PIX-7-609002: Teardown local-host outside:212.118.246.77 duration 0:00:00
Apr 20 2007 16:05:46: %PIX-7-710005: UDP request discarded from 172.16.0.19/44676 to inside:172.16.0.255/3052
Apr 20 2007 16:05:47: %PIX-7-609001: Built local-host outside:66.235.3.90
Apr 20 2007 16:05:47: %PIX-6-302015: Built outbound UDP connection 875 for outside:66.235.3.90/56627 (66.235.3.90/56627) to inside:172.16.0.42/56455 (70.167.112.186/1025)
Apr 20 2007 16:05:48: %PIX-7-609001: Built local-host outside:216.115.218.62
Apr 20 2007 16:05:48: %PIX-6-305011: Built dynamic TCP translation from inside:172.16.0.10/4339 to outside:70.167.112.186/1258
Apr 20 2007 16:05:48: %PIX-6-302013: Built outbound TCP connection 876 for outside:216.115.218.62/443 (216.115.218.62/443) to inside:172.16.0.10/4339 (70.167.112.186/1258)
Apr 20 2007 16:05:48: %PIX-7-609001: Built local-host outside:212.118.246.77
Apr 20 2007 16:05:48: %PIX-6-305011: Built dynamic TCP translation from inside:172.16.0.10/4340 to outside:70.167.112.186/1259
Apr 20 2007 16:05:48: %PIX-6-302013: Built outbound TCP connection 877 for outside:212.118.246.77/443 (212.118.246.77/443) to inside:172.16.0.10/4340 (70.167.112.186/1259)
de:170.140.209.36/64550 (170.140.209.36/64550) to inside:172.16.0.10/45700 (70.167.112.186/1026)
Apr 20 2007 16:05:31: %PIX-7-609001: Built local-host outside:217.162.118.32
Apr 20 2007 16:05:31: %PIX-6-302015: Built outbound UDP connection 870 for outside:217.162.118.32/30475 (217.162.118.32/30475) to inside:172.16.0.10/45700 (70.167.112.186/1026)
Apr 20 2007 16:05:32: %PIX-6-302014: Teardown TCP connection 623 for outside:63.210.163.220/443 to inside:172.16.0.10/4213 duration 0:10:04 bytes 1337 FIN Timeout
Apr 20 2007 16:05:32: %PIX-7-609002: Teardown local-host outside:63.210.163.220 duration 0:10:04
Apr 20 2007 16:05:32: %PIX-6-302016: Teardown UDP connection 817 for outside:152.23.204.88/15902 to inside:172.16.0.42/56455 duration 0:02:06 bytes 357
Apr 20 2007 16:05:32: %PIX-7-609002: Teardown local-host outside:152.23.204.88 duration 0:02:06
Apr 20 2007 16:05:33: %PIX-7-111009: User 'enable_15' executed cmd: show logging
Apr 20 2007 16:05:36: %PIX-7-710005: UDP request discarded from 10.131.40.1/67 to outside:255.255.255.255/68
Apr 20 2007 16:05:41: %PIX-6-302015: Built outbound UDP connection 871 for outside:89.152.220.71/63844 (89.152.220.71/63844) to inside:172.16.0.10/45700 (70.167.112.186/1026)
 
I don't see any traffic for the other IPs. You can bring up the ASDM and watch it live.

You might also try this
make - global (outside) 1 interface
global (outside) 1 70.167.112.186 netmask 255.255.255.192
(sometimes it works, sometimes it doesn't)


Brent
Systems Engineer / Consultant
CCNP, CCSP
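
Brent's "I don't see any traffic for the other IPs" is the key observation in the buffer above: every Built/Teardown line carries the PIX's own outside address, .186, and nothing ever mentions .183, .184 or .185. The script below is an added example, not part of this thread and not Cisco's tooling, that makes that check mechanical. It parses the 302013/302015 (TCP/UDP connection built) and 302020 (ICMP connection built) messages, plus 106023 (ACL deny), counts hits per public address and lists the statics that never show up at all. SAMPLE_LOG reuses lines from the posted buffer and adds one constructed 106023 line in the standard PIX format (the posted buffer contained no deny messages); STATIC_PUBLIC_IPS and the function names are my own.

```python
"""Summarise PIX syslog 'Built' and ACL 'Deny' messages per public address, to see
which static NAT addresses are actually receiving traffic.  Added example, not from
the thread.  SAMPLE_LOG mixes lines taken from the posted buffer with one
constructed 106023 deny line."""
import re
from collections import Counter

SAMPLE_LOG = """\
Apr 20 2007 15:57:49: %PIX-6-302015: Built outbound UDP connection 694 for outside:207.6.80.76/33597 (207.6.80.76/33597) to inside:172.16.0.42/56455 (70.167.112.186/1025)
Apr 20 2007 15:58:02: %PIX-6-302020: Built ICMP connection for faddr 209.223.155.6/512 gaddr 70.167.112.186/0 laddr 70.167.112.186/0
Apr 20 2007 16:05:36: %PIX-7-710005: UDP request discarded from 10.131.40.1/67 to outside:255.255.255.255/68
Apr 20 2007 16:05:48: %PIX-6-302013: Built outbound TCP connection 876 for outside:216.115.218.62/443 (216.115.218.62/443) to inside:172.16.0.10/4339 (70.167.112.186/1258)
Apr 20 2007 16:06:10: %PIX-4-106023: Deny icmp src outside:209.223.155.6 dst inside:70.167.112.183 (type 8, code 0) by access-group "outside-in" [0x0, 0x0]
"""

# Mapped addresses of the three statics in the posted config (assumed list).
STATIC_PUBLIC_IPS = ["70.167.112.183", "70.167.112.184", "70.167.112.185"]

CONN_RE = re.compile(
    r"%PIX-\d-30201[35]: Built (inbound|outbound) (TCP|UDP) connection \d+ for "
    r"(\w+):([\d.]+)/\d+ \(([\d.]+)/\d+\) to (\w+):([\d.]+)/\d+ \(([\d.]+)/\d+\)")
ICMP_RE = re.compile(
    r"%PIX-\d-302020: Built ICMP connection for faddr ([\d.]+)/\d+ "
    r"gaddr ([\d.]+)/\d+ laddr ([\d.]+)/\d+")
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (\w+) src (\w+):([\d.]+)(?:/\d+)? dst (\w+):([\d.]+)(?:/\d+)?'
    r'.*by access-group "([^"]+)"')


def parse_line(line):
    """Return a record for connection-built and ACL-deny messages, else None."""
    if m := CONN_RE.search(line):
        direction, proto, if1, real1, map1, if2, real2, map2 = m.groups()
        # The protected host is the one not on "outside"; its parenthesised
        # address is the public (translated) address the rest of the world sees.
        real, public = (real2, map2) if if1 == "outside" else (real1, map1)
        return {"kind": "built", "proto": proto, "direction": direction,
                "real": real, "public": public}
    if m := ICMP_RE.search(line):
        faddr, gaddr, laddr = m.groups()
        return {"kind": "built", "proto": "ICMP", "direction": "inbound",
                "real": laddr, "public": gaddr}
    if m := DENY_RE.search(line):
        proto, src_if, src, dst_if, dst, acl = m.groups()
        return {"kind": "deny", "proto": proto.upper(),
                "direction": "inbound" if src_if == "outside" else "outbound",
                "real": None, "public": dst, "acl": acl}
    return None


def summarize(log_text):
    """Counters of built connections and ACL denies keyed by public address."""
    built, denied = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            (built if rec["kind"] == "built" else denied)[rec["public"]] += 1
    return built, denied


def silent_addresses(log_text, expected):
    """Addresses in `expected` with neither a built connection nor a deny.
    With buffered logging at debugging level a policy deny would have been
    recorded, so silence means the traffic never reached the firewall's policy
    and the path upstream (routing, ARP) deserves a look before the ACL does."""
    built, denied = summarize(log_text)
    return [ip for ip in expected if ip not in built and ip not in denied]


if __name__ == "__main__":
    built, denied = summarize(SAMPLE_LOG)
    print("built per public address:", dict(built))
    print("denied per public address:", dict(denied))
    print("statics never seen:", silent_addresses(SAMPLE_LOG, STATIC_PUBLIC_IPS))
```

Run against a real buffer, paste the `show logging` output into SAMPLE_LOG (or read it from a file) and put your own statics' mapped addresses in STATIC_PUBLIC_IPS; an address that is denied is an ACL problem, an address that is silent is not.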
 

The first command already existed.

The second one gave me an error:

Error: 70.167.112.186-70.167.112.186 overlaps with outside interface address

Any other ideas? would be appreciated.




 
OK, I got it to work. I went into the ASDM and noticed this rule was there:

18 any any ip Deny [Implicit rule]

I left the rule but added



access-list outside-in extended permit icmp any host X.167.112.183
access-list outside-in extended permit icmp any host X.167.112.184
access-list outside-in extended permit icmp any host X.167.112.185
access-list outside-in extended permit icmp any host X.167.112.187


Thanks for all your help.
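
The resolution above is the PIX 7 answer to the original question about the missing conduit and fixup commands: inbound traffic to a static-NAT'd host is allowed only by an explicit permit in the access-list bound to the outside interface, and the implicit deny at the end of that list catches everything else, inbound ICMP echo included. The script below is an added example, not from this thread and not Cisco's code, that catches this before the box is cabled in: it parses PIX 7.x-style `static`, `access-list` and `access-group` lines, evaluates the outside ACL first-match for each static's mapped address, and reports the statics that have no inbound permit for a given protocol. It also flags the management-plane lines in the posted config that a reviewer would query (`snmp-server community public`, `ssh 0.0.0.0 0.0.0.0 outside`, telnet on the inside). PIX_CONFIG is a constructed excerpt of the config posted earlier, ICMP_FIX is the line that made inbound pings to .183 work, and the function names are my own.

```python
"""Cross-check PIX 7.x static NAT entries against the inbound ACL and flag
weak management-plane settings.  Added example; not from the original thread.
PIX_CONFIG is a constructed excerpt of the configuration posted in the thread."""
import ipaddress
import re

PIX_CONFIG = """\
interface Ethernet0
nameif outside
security-level 0
ip address 70.167.112.186 255.255.255.192
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit tcp any host 70.167.112.183 eq smtp
access-list outside-in extended permit tcp any host 70.167.112.183 eq https
access-list outside-in extended permit tcp any host 70.167.112.184 eq www
access-list outside-in extended permit tcp any host 70.167.112.187 eq www
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
static (inside,outside) 70.167.112.183 172.16.0.13 netmask 255.255.255.255
static (inside,outside) 70.167.112.184 172.16.0.8 netmask 255.255.255.255
static (inside,outside) 70.167.112.185 172.16.0.3 netmask 255.255.255.255
access-group outside-in in interface outside
snmp-server community public
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.0.250 255.255.255.255 inside
"""

# The line added in the thread that made inbound pings to .183 work.
ICMP_FIX = "access-list outside-in extended permit icmp any host 70.167.112.183\n"

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_config(text):
    """Collect statics, named ACLs (entries kept in order) and ACL-to-interface bindings."""
    cfg = {"statics": [], "acls": {}, "groups": {}, "lines": []}
    for raw in text.splitlines():
        line = raw.strip()
        cfg["lines"].append(line)
        if m := STATIC_RE.match(line):
            cfg["statics"].append({"from": m[1], "to": m[2], "mapped": m[3], "real": m[4]})
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append({"action": m[2], "proto": m[3], "rest": m[4]})
        elif m := GROUP_RE.match(line):
            cfg["groups"][m[2]] = m[1]
    return cfg


def _addr(tokens, i):
    """Parse one ACE address spec (any | host A | net mask); return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        return (lambda ip, h=tokens[i + 1]: ip == h), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return (lambda ip, n=net: ipaddress.ip_address(ip) in n), i + 2


def inbound_action(cfg, iface, proto, host):
    """First-match evaluation of the ACL bound inbound on `iface` for `proto` from
    anywhere to `host`.  ICMP is evaluated as an echo request, so an ACE limited to
    another type (e.g. echo-reply) does not match.  Falls through to the implicit deny."""
    for ace in cfg["acls"].get(cfg["groups"].get(iface), []):
        if ace["proto"] not in (proto, "ip"):
            continue
        tokens = ace["rest"].split()
        _, i = _addr(tokens, 0)          # source spec; we model "from anywhere"
        dst, i = _addr(tokens, i)
        if not dst(host):
            continue
        if proto == "icmp" and tokens[i:] and tokens[i] != "echo":
            continue
        return ace["action"]
    return "deny"


def statics_without_inbound(cfg, proto="icmp"):
    """Mapped addresses that have a static but are denied `proto` from the outside."""
    return [s["mapped"] for s in cfg["statics"]
            if inbound_action(cfg, s["to"], proto, s["mapped"]) != "permit"]


def management_findings(cfg):
    """Management-plane lines worth a second look."""
    out = []
    for line in cfg["lines"]:
        if line.startswith("snmp-server community") and line.split()[-1] in ("public", "private"):
            out.append(f"default SNMP community string: {line}")
        elif line.startswith(("ssh 0.0.0.0 0.0.0.0", "http 0.0.0.0 0.0.0.0", "telnet 0.0.0.0 0.0.0.0")):
            out.append(f"management reachable from any address: {line}")
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            out.append(f"cleartext telnet management enabled: {line}")
    return out


if __name__ == "__main__":
    before = parse_config(PIX_CONFIG)
    after = parse_config(PIX_CONFIG + ICMP_FIX)
    print("no inbound ICMP permit:", statics_without_inbound(before))
    print("after the fix:         ", statics_without_inbound(after))
    print("no inbound TCP permit: ", statics_without_inbound(before, "tcp"))
    for finding in management_findings(before):
        print("review:", finding)
```

The ICMP check deliberately treats `permit icmp any any echo-reply` as not matching an inbound echo request; that ACE lets replies to the inside's own pings back in, which is exactly why the poster could ping out while nobody could ping the statics. The management findings are the lines to revisit once the box is working: a default SNMP community, SSH open to the whole Internet on the outside, and cleartext telnet on the inside.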


 
That didn't show in the config????? Weird.
Glad you got it working.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks again. I notice you have your CCNP and CCSP. Could you recommend some good Cisco resources? What route did you take, and are you working on your CCIE?
 
Cisco Press books, working equipment and someone leaning over my back asking when it will work. No better teacher than when you need to get it done. The SP was easy (I work mostly on PIX/ASA); the NP was significantly harder and I am not quite as good at that yet.
CCVP right now. Need the VoIP for work. Maybe CCIE security next year, but only for fun.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 