cisco pix 515e experts please help..


  • cisco pix 515e experts please help..

    Hey guys,

    Need some help here. I have 2 515e pix firewalls. One is in production and the other is a spare. The one in production has IOS 6.3 and the spare has IOS 7.0. I'm trying to get the spare one to work with the same configuration as the one in production, but it doesn't work. I can ping various websites from the spare pix, but when I try to access the internet from my workstation, it times out. Any idea? I have my config attached below. Any help is greatly appreciated.


    DEF.B1.515.F# sh config
    : Saved
    : Written by enable_15 at 16:22:25.661 UTC Tue May 12 2009

    PIX Version 7.0(2)
    names
    !
    interface Ethernet0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.224
    !
    interface Ethernet1
    duplex full
    nameif inside
    security-level 100
    ip address 10.16.0.10 255.255.0.0
    !
    enable password encrypted
    passwd encrypted
    hostname pix515
    domain-name rd.com
    ftp mode passive
    access-list internet extended permit tcp host 10.16.18.60 any eq www
    access-list internet extended permit tcp host 10.16.18.74 any eq www
    access-list internet extended deny tcp any any eq www
    access-list internet extended permit ip any any
    access-list internet extended permit tcp host 10.16.18.120 any eq 3101
    access-list acl-out extended permit icmp any any
    access-list acl-out extended permit tcp any any eq https
    access-list acl-out extended permit udp any any eq 443
    access-list acl-out extended permit tcp any any eq 1745
    access-list acl-out extended permit udp any any eq 1745
    access-list acl-out extended permit icmp any any unreachable
    access-list acl-out extended permit icmp any any time-exceeded
    access-list acl-out extended permit esp any any
    access-list acl-out extended permit udp any any eq isakmp
    access-list acl-out extended permit udp any eq isakmp any
    access-list acl-out extended permit tcp any any eq www
    access-list acl-out extended permit tcp any any eq 1863
    access-list acl-out extended permit tcp any host x.x.x.x5 eq pptp
    access-list acl-out extended permit tcp any host x.x.x.x eq 3389
    access-list acl-out extended permit gre any host x.x.x.x
    access-list acl-out extended permit tcp any host x.x.x.x eq ftp
    access-list acl-out extended permit tcp any host x.x.x.x eq smtp
    access-list acl-out extended permit tcp any host x.x.x.x eq www
    access-list acl-out extended permit tcp any host x.x.x.x eq https
    access-list acl-out extended permit tcp any host x.x.x.x eq https
    access-list acl-out extended permit tcp any host x.x.x.x eq imap4
    access-list acl-out extended permit tcp any host x.x.x.x eq 993
    access-list acl-out extended permit tcp any host x.x.x.x eq 3299
    access-list acl-out extended permit udp any host x.x.x.x range 3230 3247
    access-list acl-out extended permit tcp any host x.x.x.x range 3230 3235
    access-list acl-out extended permit udp any host x.x.x.x range 1718 1719
    access-list acl-out extended permit tcp any host x.x.x.x eq h323
    access-list acl-out extended permit tcp any host x.x.x.x eq 1731
    access-list acl-out extended permit tcp any host x.x.x.x eq 1503
    access-list acl-out extended permit tcp any host x.x.x.x eq ldap
    pager lines 24
    logging history notifications
    logging device-id hostname
    logging host inside 10.16.18.130
    mtu outside 1500
    mtu inside 1500
    no failover
    monitor-interface outside
    monitor-interface inside
    asdm image flash:/asdm-507.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 x.x.x.x2-x.x.x.x5 netmask 255.255.255.224
    global (outside) 1 x.x.x.x netmask 255.255.255.224
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp x.x.x.x smtp 10.16.20.60 smtp netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.x https 10.16.18.121 https netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.x www 10.16.18.121 www netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.x 993 10.16.18.121 993 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.x imap4 10.16.18.121 imap4 netmask 255.255.255.255
    static (inside,outside) tcp x.x.x.x 3299 10.16.60.107 3299 netmask 255.255.255.255
    static (inside,outside) x.x.x.x 10.16.18.16 netmask 255.255.255.255
    static (inside,outside) x.x.x.x 10.16.16.10 netmask 255.255.255.255
    static (inside,outside) x.x.x.x 10.16.62.100 netmask 255.255.255.255
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 10.16.0.0 255.255.0.0 inside
    snmp-server host inside 10.16.16.68 community Thi$!
    snmp-server location B1-NOC
    snmp-server contact Network Administrator
    snmp-server community Thi$!
    snmp-server enable traps snmp
    snmp-server enable traps syslog
    no service password-recovery
    crypto ipsec transform-set slappy esp-3des esp-md5-hmac
    crypto dynamic-map swjayster 1 set transform-set slappy
    crypto map dynmap2jay 66 ipsec-isakmp dynamic swjayster
    crypto map dynmap2jay interface outside
    isakmp identity address
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 28800
    telnet 10.16.0.0 255.255.0.0 inside
    telnet timeout 10
    ssh 70.184.203.0 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    tunnel-group 24.94.10.17 type ipsec-l2l
    tunnel-group 24.94.10.17 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect http
    !
    service-policy global_policy global
    Cryptochecksum:4841e254136d1e8f579a240b6ccb2c18
    DEF.B1.515.F#
    Last edited by sinister1; 12th May 2009, 19:17.
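As an added example (not from the thread or from Cisco), a small first-match evaluator for the "internet" access-list in the posted config. It shows which inside hosts that ACL would grant port 80 to, and that its last line (10.16.18.120 port 3101) is shadowed by the `permit ip any any` above it and can never match; note also that the config as posted contains no `access-group` line, so neither ACL is bound to an interface. Assumptions: PIX 7.x `extended` syntax, destination-port `eq` only, and the small PORT_NAMES table (other names are treated as numeric ports).

```python
import ipaddress

# Copied from the "internet" access-list lines in the posted config.
INTERNET_ACL = """
access-list internet extended permit tcp host 10.16.18.60 any eq www
access-list internet extended permit tcp host 10.16.18.74 any eq www
access-list internet extended deny tcp any any eq www
access-list internet extended permit ip any any
access-list internet extended permit tcp host 10.16.18.120 any eq 3101
"""

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ftp": 21}  # assumed subset


def _net(tokens):
    """Consume one address spec: 'any', 'host A' or 'A MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]


def parse_acl(text, name):
    """Return [(action, proto, src_net, dst_net, dport_or_None)] in config order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", name]:
            continue
        action, proto, rest = t[3], t[4], t[5:]       # skip the 'extended' keyword
        src, rest = _net(rest)
        dst, rest = _net(rest)
        port = None
        if rest and rest[0] == "eq":                   # destination port only
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """First match wins; implicit deny (None) when nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, rp, rs, rd, rport) in enumerate(rules, 1):
        if rp in ("ip", proto) and s in rs and d in rd and rport in (None, dport):
            return action, i
    return "deny", None


def shadowed(rules):
    """(rule_no, earlier_rule_no) pairs where the earlier rule fully covers the later one."""
    out = []
    for j, (_, jp, js, jd, jport) in enumerate(rules, 1):
        for i, (_, ip, isrc, idst, iport) in enumerate(rules[: j - 1], 1):
            if ip in ("ip", jp) and iport in (None, jport) \
                    and js.subnet_of(isrc) and jd.subnet_of(idst):
                out.append((j, i))
                break
    return out
```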

  • #2
    Re: cisco pix 515e experts please help..

    Is the spare connected to the internet? If so, how?



    • #3
      Re: cisco pix 515e experts please help..

      Originally posted by joeqwerty:
      Is the spare connected to the internet? If so, how?
      The spare isn't connected to the internet right now. To test and troubleshoot, I had to disconnect the pix in production and then connect the spare one off hours. Once the spare is connected, I'm able to ping Yahoo and Google from the pix.



      • #4
        Re: cisco pix 515e experts please help..

        When you plug the spare in, does it have the same ip address as the production pix? If not, you'll have to change the gateway address on your workstation.



        • #5
          Re: cisco pix 515e experts please help..

          Originally posted by joeqwerty:
          When you plug the spare in, does it have the same ip address as the production pix? If not, you'll have to change the gateway address on your workstation.
          Yes same inside and outside ip address as the production pix.



          • #6
            Re: cisco pix 515e experts please help..

            When you tested it did you flush the ARP cache on your workstation?



            • #7
              Re: cisco pix 515e experts please help..

              Originally posted by joeqwerty:
              When you tested it did you flush the ARP cache on your workstation?
              No, that's one thing I didn't do. I did fail to mention that we access the internet via a proxy server, and I did restart the proxy after swapping the pix firewalls.



              • #8
                Re: cisco pix 515e experts please help..

                Try running a tracert from the workstation to Google with the spare in place and see where it goes.

                I'm not a Cisco expert so I'm trying to give you general networking things to look at.



                • #9
                  Re: cisco pix 515e experts please help..

                  Originally posted by joeqwerty:
                  Try running a tracert from the workstation to Google with the spare in place and see where it goes.

                  I'm not a Cisco expert so I'm trying to give you general networking things to look at.

                  Here is the tracert on my production pix. I don't understand why our MX record for our front-end email server is associated with the gateway IP.


                  1 3 ms <1 ms <1 ms 10.16.0.1
                  2 1 ms 2 ms 1 ms def-mx1.remecrds.com [gateway IP]
                  3 2 ms 2 ms 2 ms wsip-98-173-150-45.sd.sd.cox.net [98.173.150.45]



                  • #10
                    Re: cisco pix 515e experts please help..

                    I'm guessing that the proxy server is also an email proxy and that's the DNS A record for the proxy server. As a next step I would put the spare in place, run tracert again, and see if it takes the same path.



                    • #11
                      Re: cisco pix 515e experts please help..

                      I'm also wondering if I should have restarted the switch it's hooked up to and the ISP router. I think they hold the current pix's MAC address info.



                      • #12
                        Re: cisco pix 515e experts please help..

                        They do, but the ARP cache should "flush" after a period of time. The only other thing I can think of is if one of the devices in the path is acting as a proxy ARP (which firewalls do) then maybe there's a static proxy arp entry that needs to be changed.



                        • #13
                          Re: cisco pix 515e experts please help..

                          Originally posted by joeqwerty:
                          They do, but the ARP cache should "flush" after a period of time. The only other thing I can think of is if one of the devices in the path is acting as a proxy ARP (which firewalls do) then maybe there's a static proxy arp entry that needs to be changed.
                          I wonder how long it takes to flush the cache. I only left the spare pix on the production line no more than 30 mins at the most.



                          • #14
                            Re: cisco pix 515e experts please help..

                            30 minutes sounds like more than enough time. Most devices will flush their ARP cache in 10 minutes or less.

                            Also, you might want to see if one of the resident Cisco gurus weighs in on your problem.



                            • #15
                              Re: cisco pix 515e experts please help..

                              No speed is set on the internal interface, so maybe it is auto-negotiating and failing?
                              cheers
                              Andy

                              Quis custodiet ipsos custodes?
