From: Asim Khan (asimmegawatt@xxxxxxxxx)
Date: Wed Aug 22 2001 - 22:16:35 GMT-3
I have a similar problem. My TEST web server, which is on the internal LAN,
can't be accessed by the outside world unless I reboot the PIX. This happens
every four or five hours, and every time I have to reboot the PIX. I am using
two PIX firewalls in active/standby configuration. In the configuration below
I have not connected any machine in the DMZ_WEB, which is why it is under
shutdown. The IP address of the web server is 10.10.2.5, which is statically
translated to 209.208.188.161. The interesting point is that even though I
have allowed everything on this machine (for testing purposes), you can't ping
the server during that period of inaccessibility. Any suggestions????
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ_VPN security10
nameif ethernet3 DMZ_WEB security20
nameif ethernet4 pix/intf4 security20
nameif ethernet5 failover security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
mtu outside 1500
mtu inside 1500
mtu DMZ_VPN 1500
mtu DMZ_WEB 1500
mtu pix/intf4 1500
mtu failover 1500
ip address outside 209.208.188.2 255.255.255.0
ip address inside 10.10.0.1 255.255.252.0
ip address DMZ_VPN 192.168.1.1 255.255.255.0
ip address DMZ_WEB 172.16.1.1 255.255.255.0
ip address pix/intf4 127.0.0.1 255.255.255.255
ip address failover 10.10.10.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 209.208.188.5
failover ip address inside 10.10.0.5
failover ip address DMZ_VPN 192.168.1.5
failover ip address DMZ_WEB 172.16.1.5
failover ip address pix/intf4 0.0.0.0
failover ip address failover 10.10.10.9
failover link failover
global (outside) 1 209.208.188.10-209.208.188.149
global (outside) 1 209.208.188.150
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ_VPN,outside) 209.208.188.3 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 209.208.188.161 10.10.2.5 netmask 255.255.255.255 0 0
conduit permit ip host 209.208.188.3 any
conduit permit ip host 209.208.188.161 any
route outside 0.0.0.0 0.0.0.0 209.208.188.1 1
--- "Scott M. Trieste" <strieste@hotmail.com> wrote:
> Bravo,
>
> It looks like your global NAT (21.23.219.x /24) interferes with your static
> 21.23.219.2. Try using your outside interface as your outside NAT. You'll
> save a ton of addresses.
>
> Good Luck,
>
> -Scott
>
> ----- Original Message -----
> From: "bravo" <bravojun@hanmail.net>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, August 22, 2001 7:44 AM
> Subject: OT: PIX 515 configuration problem !! Help ME!
>
>
> > --------------PIX-----Router----Internet---Adsl User
> > | 515 1720 VPN
> > Webserver
> >
> > Hello, I have a PIX problem, version 6(0).1.
> > When remote ADSL users want to connect to the intra-webserver, they cannot
> > connect to the web server and ICMP does not work either...
> > Is the configuration wrong?
> > HELP ME!!
> >
> > Here is the configuration:
> > =================================================
> > access-list 100 permit icmp any any echo-reply
> > access-list 100 permit icmp any any time-exceeded
> > access-list 100 permit icmp any any unreachable
> > access-list 100 permit tcp any host 21.23.219.2 eq www
> > ---> is this NAT sufficient to accept internet users to our web server???
> > ---> I think this is the key, don't you think so?
> >
> > ip address outside 21.23.219.5 255.255.255.0
> > ip address inside 10.10.10.1 255.255.255.0
> >
> > global (outside) 1 21.23.219.1-21.23.219.254
> > ---> internet IP pool
> >
> > static (inside,outside) 21.23.219.2 10.10.10.20 netmask 255.255.255.255 0 0
> > ----> web server NAT mapping
> >
> > access-group 100 in interface outside
> > route outside 0.0.0.0 0.0.0.0 21.23.219.1 1
> > ----> PIX default route to router's ethernet interface
> >
> > Thanks in Advance!!
> > Have a Good Day
> > Network Specialist
> > CCNP, CCNA, CCNP-Voice
> >
>
> **Please read: http://www.groupstudy.com/list/posting.html
>
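Scott's diagnosis above (a global pool that spans the whole outside /24 also covers the static, the PIX's own outside address and the router it routes to) can be checked mechanically. The following Python is an added example, not from this thread or from Cisco; it runs over copies of both configurations quoted in this message, constructed inline with the mail-wrapped lines re-joined, and reports every reserved outside address that a `global (outside)` pool would also hand out.

```python
import ipaddress
import re

# Constructed from the two PIX configurations quoted in this thread (bravo's,
# then Asim's); only lines the check reads are kept, with wrapped lines re-joined.
BRAVO_CONFIG = """
ip address outside 21.23.219.5 255.255.255.0
global (outside) 1 21.23.219.1-21.23.219.254
static (inside,outside) 21.23.219.2 10.10.10.20 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 21.23.219.1 1
"""

ASIM_CONFIG = """
ip address outside 209.208.188.2 255.255.255.0
failover ip address outside 209.208.188.5
global (outside) 1 209.208.188.10-209.208.188.149
global (outside) 1 209.208.188.150
static (DMZ_VPN,outside) 209.208.188.3 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 209.208.188.161 10.10.2.5 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 209.208.188.1 1
"""

def global_pools(cfg):
    """(first, last) address of each global (outside) line; a PAT line is a one-address pool."""
    pools = []
    for m in re.finditer(r"^global \(outside\) \d+ (\S+)$", cfg, re.M):
        lo, _, hi = m.group(1).partition("-")
        pools.append((ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)))
    return pools

def reserved_outside_addresses(cfg):
    """Outside-segment addresses a dynamic NAT pool must never hand out, keyed to their role."""
    reserved = {}
    for m in re.finditer(r"^(?:failover )?ip address outside (\S+)", cfg, re.M):
        reserved[ipaddress.IPv4Address(m.group(1))] = "outside interface"
    for m in re.finditer(r"^static \(\S+,outside\) (\S+) (\S+)", cfg, re.M):
        reserved[ipaddress.IPv4Address(m.group(1))] = "static for " + m.group(2)
    for m in re.finditer(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        reserved[ipaddress.IPv4Address(m.group(1))] = "default gateway"
    return reserved

def pool_conflicts(cfg):
    """Sorted (address, role) pairs for every reserved address that a global pool would reuse."""
    pools = global_pools(cfg)
    return sorted(
        (str(addr), role)
        for addr, role in reserved_outside_addresses(cfg).items()
        if any(lo <= addr <= hi for lo, hi in pools)
    )
```

For bravo's config the check flags the gateway, the static and the outside interface; for Asim's, whose pools stop at .150, it reports nothing, so his outage has to be looked for elsewhere.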
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:56 GMT-3