
Just installed a PIX 515 with version 7.0 with a SOHO 1


sdang (MIS, US), Apr 15, 2007
Can someone please look at these configurations? I am completely lost now, since the fixup and conduit commands are unavailable on the PIX.

From the router - I can ping the outside world.
PIX - I can ping the outside world.
Computer - I can ping the firewall; when I ping the router I get a response from the NAT entry on the router, 172.16.0.7; I can ping the outside world.

ROUTER

User Access Verification

Password:
Password:
workx>en
Password:
workx#show run
Building configuration...

Current configuration : 2399 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname workx
!
logging queue-limit 100
enable secret 5 $1$gP63$VhbMiMVPvWOO8erFpvnnK1
enable password 7 09060B1F1017021F5A58557A
!
username CRWS_Ulags privilege 15 password 7 100A585D3246142A480B7B24170D2334734B5440505204090803
ip subnet-zero
ip name-server 68.6.16.30
ip name-server 172.16.0.13
ip dhcp excluded-address 172.16.0.7
ip dhcp excluded-address 172.16.0.2
ip dhcp excluded-address 172.16.0.3
ip dhcp excluded-address 172.16.0.13
!
!
!
!
!
!
!
!
!
interface Ethernet0
 ip address 172.16.0.250 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 ip address X.167.112.184 255.255.255.192
 ip nat outside
 no ip mroute-cache
 duplex auto
 no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static 172.16.0.7 interface Ethernet1
ip nat inside source static 172.16.0.13 X.167.112.183
ip nat inside source static 172.16.0.4 X.167.112.185
ip nat inside source static 172.16.0.3 X.167.112.187
ip classless
ip route 0.0.0.0 0.0.0.0 X.167.112.129
ip route 172.16.0.0 255.255.0.0 X.167.112.186
ip http server
no ip http secure-server
!
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
no cdp run
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 password 7 15584E1A0D383E2979676472
 login
 length 0
!
scheduler max-task-time 5000
!
end







FIREWALL

User Access Verification

Password:
Type help or '?' for a list of available commands.
workxresearch> en
Password: ***********
workxresearch# show config
: Saved
: Written by enable_15 at 20:11:23.901 UTC Sat Apr 14 2007
!
PIX Version 7.2(2)
!
hostname workxresearch
domain-name workxresearch.com
enable password 8fSmoHmo/c94H615 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address X.167.112.186 255.255.255.192
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.0.251 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name workxresearch.com
access-list 101 extended permit tcp host 172.16.0.13 eq smtp any
access-list 101 extended permit tcp host 172.16.0.13 eq 444 any
access-list 101 extended permit tcp host 172.16.0.13 eq pptp any
access-list 101 extended permit tcp host 172.16.0.13 eq https any
access-list 101 extended permit tcp host 172.16.0.13 eq
access-list 101 extended permit gre host 172.16.0.13 any
access-list 101 extended permit tcp host 172.16.0.8 eq
access-list 101 extended permit tcp host 172.16.0.3 eq
access-list 101 extended permit tcp host 172.16.0.13 eq 3109 any
access-list 101 extended permit tcp host 172.16.0.13 eq imap4 any
access-list 101 extended permit tcp host 172.16.0.13 eq 4125 any
access-list 101 extended permit tcp host 172.16.0.13 eq 81 any
access-list 101 extended permit tcp host 172.16.0.13 eq pop3 any
access-list 101 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 172.16.0.0 255.255.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.252.0
route outside 0.0.0.0 0.0.0.0 X.167.112.184 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_ftp
 match port tcp eq 993
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
 class class_ftp
  inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:781bdcb94192bad96cae2313c592c2f6
workxresearch#
 
Users inside our network need to use PPTP to other networks. For some reason they are unable to from their machines. Do you know what I need to open up in the PIX?
 
Add pptp to the inspection

policy-map global_policy
class inspection_default
inspect pptp


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Ok, that didn't work. The strange thing is that the NATed addresses can connect using PPTP or VPN, but the ones that don't have a NAT entry can't.

 
If I add this

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

should I remove this?

nat (inside) 1 172.16.0.0 255.255.255.0
 
Error when I enable the logging:

The PPTP server on the outside is 63.210.163.211.

The workstation I am trying to PPTP from is 172.16.0.2.



Apr 23 2007 23:15:58: %PIX-4-106023: Deny tcp src outside:63.210.163.211/11534 dst inside:70.167.112.184/25 by access-group "outside-in" [0x0, 0x0]

Apr 23 2007 23:16:04: %PIX-4-106023: Deny tcp src outside:63.210.163.211/11534 dst inside:70.167.112.184/25 by access-group "outside-in" [0x0, 0x0]

Apr 23 2007 23:16:08: %PIX-6-305011: Built dynamic TCP translation from inside:172.16.0.2/14962 to outside:70.167.112.186/1513
Apr 23 2007 23:16:08: %PIX-6-302013: Built outbound TCP connection 1467 for outside:68.210.163.211/1723 (68.210.163.211/1723) to inside:172.16.0.2/14962 (70.167.112.186/1513)
 
The first two are denying SMTP to the .184 address. The last one is the PPTP you are looking for. It says the connection was built. Was there anything else to the logs after this?



Brent
Systems Engineer / Consultant
CCNP, CCSP
 


User Access Verification

Password:
Type help or '?' for a list of available commands.
Workx> en
Password:
Invalid password
Password:
Invalid password
Password:
Invalid password
Access denied.
Workx> en
Password: ***********
Workx# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 98265 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
6-302014: Teardown TCP connection 21135 for outside:63.210.163.217/1719 to insid
e:172.16.0.7/80 duration 0:01:09 bytes 462 TCP FINs
Apr 24 2007 11:49:52: %PIX-5-304001: 63.210.163.217 Accessed URL 172.16.0.7:/
Apr 24 2007 11:49:52: %PIX-6-302014: Teardown TCP connection 21136 for outside:6
3.210.163.217/1870 to inside:172.16.0.4/80 duration 0:01:08 bytes 7104 TCP Reset
-O
Apr 24 2007 11:49:52: %PIX-7-609002: Teardown local-host inside:172.16.0.4 durat
ion 0:01:08
Apr 24 2007 11:49:52: %PIX-7-609001: Built local-host inside:172.16.0.4
Apr 24 2007 11:49:52: %PIX-6-302013: Built inbound TCP connection 21164 for outs
ide:63.210.163.217/1536 (63.210.163.217/1536) to inside:172.16.0.4/80 (70.167.11
2.185/80)
Apr 24 2007 11:49:52: %PIX-5-304001: 63.210.163.217 Accessed URL 172.16.0.4:/
Apr 24 2007 11:49:53: %PIX-7-609001: Built local-host outside:76.172.46.153
Apr 24 2007 11:49:53: %PIX-6-302015: Built outbound UDP connection 21165 for out
side:76.172.46.153/5099 (76.172.46.153/5099) to inside:172.16.0.10/45700 (70.167
.112.186/1025)
Apr 24 2007 11:49:53: %PIX-7-609001: Built local-host outside:24.187.163.72
Apr 24 2007 11:49:53: %PIX-6-302015: Built outbound UDP connection 21166 for out
side:24.187.163.72/35340 (24.187.163.72/35340) to inside:172.16.0.10/45700 (70.1
67.112.186/1025)
Apr 24 2007 11:49:55: %PIX-6-305011: Built dynamic UDP translation from inside:1
72.16.0.2/500 to outside:70.167.112.186/59
Apr 24 2007 11:49:55: %PIX-6-302015: Built outbound UDP connection 21167 for out
side:68.210.163.211/500 (68.210.163.211/500) to inside:172.16.0.2/500 (70.167.11
2.186/59)
Apr 24 2007 11:49:57: %PIX-7-710005: UDP request discarded from 10.131.40.1/67 t
o outside:255.255.255.255/68
Apr 24 2007 11:49:58: %PIX-6-305012: Teardown dynamic TCP translation from insid
e:172.16.0.23/3175 to outside:70.167.112.186/8275 duration 0:01:00
Apr 24 2007 11:50:02: %PIX-7-710005: UDP request discarded from 10.131.40.1/67 t
o outside:255.255.255.255/68
Apr 24 2007 11:50:02: %PIX-7-609001: Built local-host outside:130.117.72.81
Apr 24 2007 11:50:02: %PIX-6-305011: Built dynamic TCP translation from inside:1
72.16.0.42/1428 to outside:70.167.112.186/8280
Apr 24 2007 11:50:02: %PIX-6-302013: Built outbound TCP connection 21168 for out
side:130.117.72.81/80 (130.117.72.81/80) to inside:172.16.0.42/1428 (70.167.112.
186/8280)
Apr 24 2007 11:50:03: %PIX-5-304001: 172.16.0.42 Accessed URL 130.117.72.81:/ui/
0/3.0.0.190/en/getlatestversion?ver=3.0.0.190&uhash=1b50587148337dbcd46938dfd36a
0f265
Apr 24 2007 11:50:03: %PIX-6-302014: Teardown TCP connection 21168 for outside:1
30.117.72.81/80 to inside:172.16.0.42/1428 duration 0:00:00 bytes 483 TCP FINs
Apr 24 2007 11:50:03: %PIX-7-609002: Teardown local-host outside:130.117.72.81 d
uration 0:00:00
Apr 24 2007 11:50:03: %PIX-7-609001: Built local-host outside:18.241.5.107
Apr 24 2007 11:50:03: %PIX-6-302015: Built outbound UDP connection 21169 for out
side:18.241.5.107/40578 (18.241.5.107/40578) to inside:172.16.0.10/45700 (70.167
.112.186/1025)
Apr 24 2007 11:50:03: %PIX-6-302015: Built outbound UDP connection 21170 for out
side:70.189.247.202/37455 (70.189.247.202/37455) to inside:172.16.0.10/45700 (70
.167.112.186/1025)
Apr 24 2007 11:50:03: %PIX-7-609001: Built local-host outside:128.114.56.99
Apr 24 2007 11:50:03: %PIX-6-302015: Built outbound UDP connection 21171 for out
side:128.114.56.99/50202 (128.114.56.99/50202) to inside:172.16.0.42/56455 (70.1
67.112.186/1081)
Apr 24 2007 11:50:03: %PIX-7-609001: Built local-host outside:130.111.152.204
Apr 24 2007 11:50:03: %PIX-6-302015: Built outbound UDP connection 21172 for out
side:130.111.152.204/3137 (130.111.152.204/3137) to inside:172.16.0.42/56455 (70
.167.112.186/1081)
Apr 24 2007 11:50:03: %PIX-7-609001: Built local-host outside:88.134.141.63
Apr 24 2007 11:50:03: %PIX-6-302015: Built outbound UDP connection 21173 for out
side:88.134.141.63/58335 (88.134.141.63/58335) to inside:172.16.0.42/56455 (70.1
67.112.186/1081)
Apr 24 2007 11:50:04: %PIX-6-302014: Teardown TCP connection 21157 for outside:6
8.210.163.211/1723 to inside:172.16.0.2/17160 duration 0:00:30 bytes 0 SYN Timeo
ut
Workx# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 98464 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
own local-host inside:172.16.0.4 duration 0:01:08
Apr 24 2007 11:51:01: %PIX-7-710005: UDP request discarded from 10.131.40.1/67 t
o outside:255.255.255.255/68
Apr 24 2007 11:51:01: %PIX-7-609001: Built local-host inside:172.16.0.4
Apr 24 2007 11:51:01: %PIX-6-302013: Built inbound TCP connection 21212 for outs
ide:63.210.163.217/2045 (63.210.163.217/2045) to inside:172.16.0.4/80 (70.167.11
2.185/80)
Apr 24 2007 11:51:01: %PIX-5-304001: 63.210.163.217 Accessed URL 172.16.0.4:/
Apr 24 2007 11:51:02: %PIX-6-305012: Teardown dynamic TCP translation from insid
e:172.16.0.10/3800 to outside:70.167.112.186/8285 duration 0:00:30
Apr 24 2007 11:51:06: %PIX-6-305012: Teardown dynamic TCP translation from insid
e:172.16.0.10/3801 to outside:70.167.112.186/8286 duration 0:00:30
Apr 24 2007 11:51:06: %PIX-7-710005: UDP request discarded from 172.16.0.19/4467
6 to inside:172.16.0.255/3052
Apr 24 2007 11:51:06: %PIX-6-305012: Teardown dynamic TCP translation from insid
e:172.16.0.10/3804 to outside:70.167.112.186/8287 duration 0:00:30
Apr 24 2007 11:51:07: %PIX-7-609001: Built local-host outside:216.88.137.10
Apr 24 2007 11:51:07: %PIX-6-305011: Built dynamic TCP translation from inside:1
72.16.0.23/3238 to outside:70.167.112.186/8303
Apr 24 2007 11:51:07: %PIX-6-302013: Built outbound TCP connection 21213 for out
side:216.88.137.10/135 (216.88.137.10/135) to inside:172.16.0.23/3238 (70.167.11
2.186/8303)
Apr 24 2007 11:51:07: %PIX-6-302014: Teardown TCP connection 21213 for outside:2
16.88.137.10/135 to inside:172.16.0.23/3238 duration 0:00:00 bytes 0 TCP Reset-O
Apr 24 2007 11:51:07: %PIX-7-609002: Teardown local-host outside:216.88.137.10 d
uration 0:00:00
Apr 24 2007 11:51:07: %PIX-6-305011: Built dynamic TCP translation from inside:1
72.16.0.2/17169 to outside:70.167.112.186/8304
Apr 24 2007 11:51:07: %PIX-6-302013: Built outbound TCP connection 21214 for out
side:68.210.163.211/1723 (68.210.163.211/1723) to inside:172.16.0.2/17169 (70.16
7.112.186/8304)
Apr 24 2007 11:51:08: %PIX-7-609001: Built local-host outside:216.88.137.10
Apr 24 2007 11:51:08: %PIX-6-302013: Built outbound TCP connection 21215 for out
side:216.88.137.10/135 (216.88.137.10/135) to inside:172.16.0.23/3238 (70.167.11
2.186/8303)
Apr 24 2007 11:51:08: %PIX-6-302014: Teardown TCP connection 21215 for outside:2
16.88.137.10/135 to inside:172.16.0.23/3238 duration 0:00:00 bytes 0 TCP Reset-O
Apr 24 2007 11:51:08: %PIX-7-609002: Teardown local-host outside:216.88.137.10 d
uration 0:00:00
Apr 24 2007 11:51:09: %PIX-7-609001: Built local-host outside:216.88.137.10
Apr 24 2007 11:51:09: %PIX-6-302013: Built outbound TCP connection 21216 for out
side:216.88.137.10/135 (216.88.137.10/135) to inside:172.16.0.23/3238 (70.167.11
2.186/8303)
Apr 24 2007 11:51:09: %PIX-6-302014: Teardown TCP connection 21216 for outside:2
16.88.137.10/135 to inside:172.16.0.23/3238 duration 0:00:00 bytes 0 TCP Reset-O
Apr 24 2007 11:51:09: %PIX-7-609002: Teardown local-host outside:216.88.137.10 d
uration 0:00:00
Apr 24 2007 11:51:09: %PIX-7-609001: Built local-host outside:216.88.137.2
Apr 24 2007 11:51:09: %PIX-6-305011: Built dynamic TCP translation from inside:1
72.16.0.23/3242 to outside:70.167.112.186/8305
Apr 24 2007 11:51:09: %PIX-6-302013: Built outbound TCP connection 21217 for out
side:216.88.137.2/22 (216.88.137.2/22) to inside:172.16.0.23/3242 (70.167.112.18
6/8305)
Apr 24 2007 11:51:09: %PIX-6-302014: Teardown TCP connection 21217 for outside:2
16.88.137.2/22 to inside:172.16.0.23/3242 duration 0:00:00 bytes 0 TCP Reset-O
Apr 24 2007 11:51:09: %PIX-7-609002: Teardown local-host outside:216.88.137.2 du
ration 0:00:00
Apr 24 2007 11:51:09: %PIX-7-609001: Built local-host outside:216.88.137.2
Apr 24 2007 11:51:09: %PIX-6-302013: Built outbound TCP connection 21218 for out
side:216.88.137.2/22 (216.88.137.2/22) to inside:172.16.0.23/3242 (70.167.112.18
6/8305)
Apr 24 2007 11:51:09: %PIX-6-302014: Teardown TCP connection 21218 for outside:2
16.88.137.2/22 to inside:172.16.0.23/3242 duration 0:00:00 bytes 0 TCP Reset-O
Apr 24 2007 11:51:09: %PIX-7-609002: Teardown local-host outside:216.88.137.2 du
ration 0:00:00
Workx#
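Brent's read of the log, done programmatically: the script below (an added example, not from the thread or from Cisco) rejoins the 80-column terminal wraps in the paste, parses the %PIX-6-302013 build and %PIX-6-302014 teardown records into connection facts, and lists the connections that died by SYN Timeout with zero bytes, which is what the PPTP attempt from 172.16.0.2 to port 1723 shows above. The sample records are copied from the paste; the unwrap rule (a line without a timestamp continues the previous record) is an assumption about the paste, not a PIX feature.

```python
import re
# Sample records copied from the thread's "show logging" paste, including its
# 80-column terminal wraps (a continuation line carries no timestamp).
SAMPLE_LOG = """\
Apr 24 2007 11:50:04: %PIX-6-302014: Teardown TCP connection 21157 for outside:6
8.210.163.211/1723 to inside:172.16.0.2/17160 duration 0:00:30 bytes 0 SYN Timeo
ut
Apr 24 2007 11:51:07: %PIX-6-302013: Built outbound TCP connection 21214 for out
side:68.210.163.211/1723 (68.210.163.211/1723) to inside:172.16.0.2/17169 (70.16
7.112.186/8304)
"""

TS = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{4} \d\d:\d\d:\d\d: ")
BUILT = re.compile(r"%PIX-6-302013: Built (inbound|outbound) TCP connection (\d+) for "
                   r"(\w+):([\d.]+)/(\d+) \([\d.]+/\d+\) to (\w+):([\d.]+)/(\d+) \([\d.]+/\d+\)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (\d+) for (\w+):([\d.]+)/(\d+) "
                      r"to (\w+):([\d.]+)/(\d+) duration ([\d:]+) bytes (\d+) (.+)$")

def unwrap(text):
    """Glue timestamp-less continuation lines onto the previous record (no separator: the wrap splits mid-token)."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def tcp_connections(text):
    """Map connection id -> facts from the 302013 (build) / 302014 (teardown) pair."""
    conns = {}
    for rec in unwrap(text):
        m = BUILT.search(rec)
        if m:
            # First address pair is always the outside host: server port is the outside port for outbound, inside port for inbound.
            port = int(m.group(5) if m.group(1) == "outbound" else m.group(8))
            conns[m.group(2)] = {"dir": m.group(1), "outside": m.group(4), "inside": m.group(7),
                                 "server_port": port, "reason": "open", "bytes": None}
            continue
        m = TEARDOWN.search(rec)
        if m:
            c = conns.setdefault(m.group(1), {"dir": "?", "outside": m.group(3),
                                              "inside": m.group(6), "server_port": None})
            c.update(reason=m.group(10).strip(), bytes=int(m.group(9)))
    return conns

def unanswered(text):
    """Ids torn down by SYN Timeout with zero bytes: the handshake never completed."""
    return sorted(cid for cid, c in tcp_connections(text).items()
                  if c["reason"] == "SYN Timeout" and c["bytes"] == 0)
```

A connection that is built and then torn down this way means the SYN left the firewall but no SYN/ACK ever came back through it, so the next place to look is the return path (the router's NAT and its route for 172.16.0.0) rather than the PIX access lists.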
 