Cisco PIX 515E Config issue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Cisco PIX 515E Config issue

    I need help troubleshooting a problem I am having with my current running config on my PIX 515E. I am receiving "No connection could be made because the target machine actively refused it 199.xxx.xx3.20:8092" from the page I am trying to access on the web. The current app server is working just fine, with ports 8090, 8091, 8095, 8096 (TCP & UDP) permitted from 10.10.1.10 (DMZ, ftp, web server) to 192.168.6.6 in ACL Manager. We bought a new app server and its IP is on a public IP (we own two class Cs, 199.xxx.xx3.xxx and 199.xxx.xx4.xxx). In ACL Manager I added this statement: permit ports 8092, 8097 (tcp & udp) & ICMP/ECHO from Source: 10.10.1.10 Destination: SLTCOMMPLUS (199.xxx.xx3.20).

    The config should be attached to this.
    Last edited by adellaripa; 10th November 2008, 20:56.

  • #2
    Re: Cisco PIX 515E Config issue

    I will try and have a look at this tomorrow but could you post a quick diagram as to what you want to achieve with the different interfaces?
    I assume you have the firewall turned off on the new server and can access that port when plugged into the same network?
    cheers
    Andy

    Quis custodiet ipsos custodes?


    • #3
      Re: Cisco PIX 515E Config issue

      The firewall is disabled on the server (sltcommplus). You can access the server from any IP within the LAN as well.


      • #4
        Re: Cisco PIX 515E Config issue

        Any chances on the diagram?
        cheers
        Andy



        • #5
          Re: Cisco PIX 515E Config issue

          Here is a crude design


          • #6
            Re: Cisco PIX 515E Config issue

            Sorry for the delay in this, the good lady has decided I spend too much time on this forum.....

            Thanks for the pic, I'm not sure my diagram matches yours though? Let me know if I have the interfaces confused.

            This may be a little beyond me but, in short, is this problem between 10.10.1.10 inbound to SLTCOMMPLUS?

            You state you have public class c ranges however they are seen as internal to this PIX, it makes me think the issue is more to do with routing rather than the PIX. What does the 3640 know about the 10.10.1.10 to 199 network routing?

            Anyone else have any thoughts too please?
            cheers
            Andy



            • #7
              Re: Cisco PIX 515E Config issue

              I can ping via ip and name just fine to sltcommplus from 10.10.1.10 and vice-versa.

              Cisco 3640

              Code:
              show ip protocols

              Automatic network summarization is not in effe
              Maximum path: 4
              Routing for Networks:
              192.168.0.0
              192.168.5.0
              192.168.7.0
              192.168.9.0
              192.168.11.0
              192.168.100.0
              192.168.101.0
              199.xxx.xx3.0
              Routing Information Sources:
              Gateway Distance Last Update
              192.168.100.1 120 00:00:18
              192.168.100.3 120 00:00:11
              192.168.11.2 120 00:00:14
              192.168.9.2 120 00:00:10
              192.168.9.6 120 00:00:22
              192.168.7.2 120 00:00:11
              192.168.5.2 120 00:00:19
              Distance: (default is 120)

              Code:
              show ip route
              N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
              E1 - OSPF external type 1, E2 - OSPF external type 2
              i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS lev
              ia - IS-IS inter area, * - candidate default, U - per-user static
              o - ODR, P - periodic downloaded static route

              Gateway of last resort is 192.168.100.1 to network 0.0.0.0
              R 192.168.12.0/24 [120/2] via 192.168.11.2, 00:00:07, Serial0/0
              192.168.13.0/30 is subnetted, 1 subnets
              R 192.168.13.0 [120/1] via 192.168.11.2, 00:00:07, Serial0/0
              R 192.168.14.0/24 [120/2] via 192.168.11.2, 00:00:07, Serial0/0
              R 192.168.30.0/24 [120/2] via 192.168.9.6, 00:00:14, Serial2/0
              [120/2] via 192.168.9.2, 00:00:00, Serial2/1
              192.168.15.0/30 is subnetted, 1 subnets
              R 192.168.15.0 [120/1] via 192.168.11.2, 00:00:07, Serial0/0
              R 192.168.8.0/24 [120/1] via 192.168.9.6, 00:00:14, Serial2/0
              [120/1] via 192.168.9.2, 00:00:00, Serial2/1
              R 192.168.43.0/24 [120/2] via 192.168.9.6, 00:00:14, Serial2/0
              [120/2] via 192.168.9.2, 00:00:00, Serial2/1
              192.168.9.0/24 is variably subnetted, 4 subnets, 2 masks
              C 192.168.9.0/30 is directly connected, Serial2/1
              C 192.168.9.2/32 is directly connected, Serial2/1
              C 192.168.9.4/30 is directly connected, Serial2/0
              C 192.168.9.6/32 is directly connected, Serial2/0
              207.xxx.xxx.0/32 is subnetted, 1 subnets
              R 207.xxx.xxx.26 [120/1] via 192.168.100.1, 00:00:11, Ethernet2/0
              R 192.168.10.0/24 [120/1] via 192.168.11.2, 00:00:07, Serial0/0
              66.0.0.0/30 is subnetted, 1 subnets
              R 66.xxx.xxx.88 [120/2] via 192.168.9.6, 00:00:14, Serial2/0
              [120/2] via 192.168.9.2, 00:00:00, Serial2/1
              S 199.xxx.xx3.0/24 [1/0] via 192.168.101.1
              C 192.168.11.0/24 is directly connected, Serial0/0
              R 192.168.41.0/24 [120/2] via 192.168.9.6, 00:00:14, Serial2/0
              [120/2] via 192.168.9.2, 00:00:00, Serial2/1
              209.xxx.xxx.0/30 is subnetted, 1 subnets
              R 209.xxx.xxx.60 [120/1] via 192.168.100.1, 00:00:11, Ethernet2/0
              R 192.168.4.0/24 [120/1] via 192.168.5.2, 00:00:06, Serial1/1
              C 192.168.5.0/24 is directly connected, Serial1/1
              10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
              R 10.10.1.0/24 [120/1] via 192.168.100.1, 00:00:11, Ethernet2/0
              R 10.1.1.2/32 [120/1] via 192.168.100.3, 00:00:29, Ethernet2/0
              R 10.1.1.0/24 [120/1] via 192.168.100.3, 00:00:29, Ethernet2/0
              R 192.168.6.0/24 [120/1] via 192.168.7.2, 00:00:28, Serial1/2
              C 192.168.7.0/24 is directly connected, Serial1/2
              166.xxx.xxx.0/27 is subnetted, 1 subnets
              R 166.xxx.xxx.32 [120/2] via 192.168.100.3, 00:00:29, Ethernet2/0
              R 166.xxx.xxx.0/16 [120/2] via 192.168.100.3, 00:00:29, Ethernet2/0
              R 167.xxx.xxx.0/16 [120/1] via 192.168.100.1, 00:00:11, Ethernet2/0
              R 192.168.1.0/24 [120/2] via 192.168.100.3, 00:00:29, Ethernet2/0
              C 192.168.100.0/24 is directly connected, Ethernet2/0
              R 192.168.18.0/24 [120/2] via 192.168.100.3, 00:00:29, Ethernet2/0
              C 192.168.101.0/24 is directly connected, FastEthernet0/0
              S* 0.0.0.0/0 [1/0] via 192.168.100.1



              • #8
                Re: Cisco PIX 515E Config issue

                Originally posted by AndyJG247:
                Sorry for the delay in this, the good lady has decided I spend too much time on this forum.....
                And people wonder why I'm single
                Gareth Howells

                BSc (Hons), MBCS, MCP, MCDST, ICCE

                Any advice is given in good faith and without warranty.

                Please give reputation points if somebody has helped you.

                "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



                • #9
                  Re: Cisco PIX 515E Config issue

                  Can a 192. host access this port on the 199 host?
                  cheers
                  Andy



                  • #10
                    Re: Cisco PIX 515E Config issue

                    Well the current production server (192) can access the 10.10.1.10. Plus the 192 can access a 199. Could one of the implicit rules be blocking this port?



                    • #11
                      Re: Cisco PIX 515E Config issue

                      192. to 10. should be fine as the pix allows more to less secure (assuming there is a route).
                      10. to 199 is less secure to more secure so needs acls etc. I realise you know this by the way.

                      You have

                      Code:
                      static (DMZ,OutsideATT) 199.xxx.xx4.10 10.10.1.10 netmask 255.255.255.255
                      but the diagrams imply this should be

                      Code:
                      static (DMZ,Inside) 199.xxx.xx4.10 10.10.1.10 netmask 255.255.255.255
                      ?
                      cheers
                      Andy



                      • #12
                        Re: Cisco PIX 515E Config issue

                        I changed the port that the app is using to 8098 so I can display the log.

                        Code:
                        Deny tcp src DMZ:10.10.1.10/2404 dst inside:SLTCOMMPLUS/8098 by access-group "DMZ_access_in" [0x0, 0x0]

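An added example (not from this thread or from Cisco) that parses the PIX access-group deny line quoted in post #12 and applies the security-level rule Andy gives in post #11 (lower-to-higher needs an explicit permit, higher-to-lower passes by default) to say whether the drop is expected or an ACL mistake. The interface security levels and the intended-flow list are assumptions; the second sample log line is constructed.

```python
import re

# Interface security levels are ASSUMED (the thread never posts them); PIX convention is inside=100, outside=0.
SECURITY_LEVELS = {"inside": 100, "DMZ": 50, "OutsideATT": 0}

# Matches the PIX "Deny ... by access-group" syslog line quoted in post #12.
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\w.-]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\w.-]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[\w-]+)"'
)

def parse_deny(line):
    """Return the fields of a PIX access-group deny line, or None if the line is not one."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def needs_acl(src_if, dst_if, levels=SECURITY_LEVELS):
    """Lower -> higher security needs an explicit permit; higher -> lower passes by default."""
    return levels[src_if] < levels[dst_if]

def diagnose(line, intended_flows):
    """Classify a deny line against the flows the admin meant to permit (src, dst, proto, dst_port)."""
    d = parse_deny(line)
    if d is None:
        return "not an access-group deny: look at routing, the host firewall or the listening service"
    flow = (d["src"], d["dst"], d["proto"], d["dport"])
    if not needs_acl(d["src_if"], d["dst_if"]):
        return f"{d['src_if']}->{d['dst_if']} is higher-to-lower security, so {d['acl']} holds an explicit deny"
    if flow in set(intended_flows):
        return (f"intended flow {flow} dropped by {d['acl']}: the permit is missing, ordered after "
                f"a deny, or its object-group lacks port {d['dport']}")
    return f"flow {flow} is not in the intended policy: the deny is expected"

# Constructed sample: the line from post #12 plus one the ACL is supposed to block.
SAMPLE_LOG = [
    'Deny tcp src DMZ:10.10.1.10/2404 dst inside:SLTCOMMPLUS/8098 by access-group "DMZ_access_in" [0x0, 0x0]',
    'Deny tcp src DMZ:10.10.1.10/2405 dst inside:SLTCOMMPLUS/23 by access-group "DMZ_access_in" [0x0, 0x0]',
]
INTENDED = [("10.10.1.10", "SLTCOMMPLUS", "tcp", 8098), ("10.10.1.10", "SLTCOMMPLUS", "udp", 8098)]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(diagnose(line, INTENDED))
```

A deny that names the access-group is a firewall decision; a TCP reset seen in a capture on the far side, as in post #14, is the host itself refusing, which the ACL cannot fix.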


                        • #13
                          Re: Cisco PIX 515E Config issue

                          I got the static wrong, I think. Shouldn't it be
                          Code:
                          static (inside,dmz) 10.10.1.10 199.xxx.xx4.10
                          ?
                          because the 199 hosts are on the inside network

                          You can move rules around by deleting them and using the line number as part of the command, so, if you want to make sure, you can remove and re-add the
                          Code:
                          access-list DMZ_access_in extended permit tcp host 10.10.1.10 any object-group DM_INLINE_TCP_3
                          line and add it earlier.

                          I'm not sure what else to suggest.
                          cheers
                          Andy



                          • #14
                            Re: Cisco PIX 515E Config issue

                            I had a Cisco firewall tech look at the config and, after setting up a packet capture, he determined that the packets are making it to sltcommplus, but when they reach their destination the server resets the link and loses the connection. So now the problem might be pointing to the Cisco 3640 router, which resides on the same VLAN as the PIX.



                            • #15
                              Re: Cisco PIX 515E Config issue

                              Ok. I'm still confused with the static but if it works then great. Please let us know how you get on.
                              cheers
                              Andy
