While I was out of town (in other words, nothing changed) we can no longer
ping any address, yet the name resolves. I am thinking the issue is the Pix.
Running 6.3(4) and PDM 3.0(2).
Here is our configuration:
Windows 2003 Native DCs
Windows 2003 Member Servers
Windows XP SP2 clients running Office 2003
Cisco Pix 501 firewall
If you drop to a command line and try to tracert or ping any domain or IP,
it resolves (DNS is fine) but we cannot ping anything off our network. As a
result, we can get to the internet sites, but mail (sending mail out via
POP3 to our ISP) no longer works. We can get mail, but not send mail.
I have brought in a machine imaged from a different company than ours, same
thing, not able to ping. You cannot ping from any DC, member server or
desktop. If I log in to the firewall, I can ping out.
I know this sounds like a firewall issue, but nothing has changed in the PIX
config in over 6 months. Also, there is a rule allowing for outbound icmp.
The Pix config is below. We have been without mail
now for 2 days (sending mail out that is.)
Help
Thanks in advance,
Todd
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blahblahblah encrypted
passwd blahblahblah encrypted
hostname pixfirewall
domain-name domain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service ms_terminal_services tcp
description Microsoft Terminal Services
port-object range 3389 3389
object-group service ftp tcp
port-object eq ftp
access-list inbound permit tcp any any eq 3389
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.1 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.14 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.0.14 3389 netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 128.138.140.44 source outside
ntp server 192.5.41.209 source outside prefer
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname blahblahblah
vpdn group pppoe_group ppp authentication pap
vpdn username blahblahblah password blahblahblah
dhcpd lease 300
dhcpd ping_timeout 100
terminal width 80
Cryptochecksum:5d823bb026fc9f5792000d3568123ef3
: end
"Michael Williams" <mwilliams@advantexmail.net> wrote in message
news:10nl72vkllpgq01@corp.supernews.com...
You cannot send mail via POP3, it requires SMTP. SMTP is not dependent on
ICMP. Therefore, just because you cannot ping something doesn't mean that
SMTP will not work. Your PIX is not configured to permit echo replies,
therefore pings to the outside will not work and should have never worked
(and I would bet this is the case). My assumption would be that your PIX is
forwarding traffic properly (DNS, POP3 and HTTP are working). You need to
troubleshoot the SMTP connection. Are you not even getting a three-way
handshake at the TCP level? Or are you getting something like a 550 error
or something? Are you talking to a mail server at your ISP, or somewhere
else? If the latter, I'll bet the ISP is filtering port 25. In either
case, I would contact the ISP.
I think that your email has broken or been broken by something. As a
result, you attempted the ping and found it failed. Then you began
troubleshooting the problem assuming that you had a firewall issue.
However, based on your description SMTP is the only issue.
<-----snip------>
I don't think this is an issue with the PIX, but there is at least one item
in the config that doesn't make sense.
If you want to permit all ICMP you would need to add the line below. This
would not be recommended on one-to-one NAT, but since you only have PAT, it
shouldn't create too much risk.
access-list inbound permit icmp any any
If you only wanted pings originating from the inside to work you could
instead use something like
access-list inbound permit icmp any any echo-reply
I have no idea what the "global (inside) 2 interface" line is all about. I'm
willing to bet it was a mistake. I would remove it.
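The reply's point is to test the SMTP path itself (TCP handshake, then the server greeting) instead of inferring from ping. The script below is an added example written for this thread, not code from either poster: it connects to a mail server and reports whether the three-way handshake completed and what reply code the banner carried, which separates "ISP filtering port 25" (timeout) from "server refusing us" (a 5xx greeting). The mock SMTP server and the host name mail.isp.example are constructed for offline use.

```python
import socket
import socketserver
import threading

def check_smtp(host, port=25, timeout=5.0):
    """Connect to an SMTP server and read its greeting.

    Returns a dict with:
      connected - True if the TCP three-way handshake completed
      banner    - first line the server sent ("" if it sent nothing)
      code      - numeric SMTP reply code parsed from the banner, or None
      error     - description of the failure, or None
    """
    result = {"connected": False, "banner": "", "code": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["connected"] = True          # SYN / SYN-ACK / ACK succeeded
            s.settimeout(timeout)
            line = s.makefile("rb").readline().decode("ascii", "replace").strip()
            result["banner"] = line
            if line[:3].isdigit():              # e.g. "220 mail.isp.example ESMTP"
                result["code"] = int(line[:3])
            s.sendall(b"QUIT\r\n")
    except socket.timeout:
        # No SYN-ACK, or a handshake with no banner: what port-25 filtering looks like
        result["error"] = "timeout"
    except OSError as exc:                      # e.g. connection refused
        result["error"] = f"connect failed: {exc}"
    return result

class _MockSMTPHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for the ISP's mail server: greets, then waits for QUIT."""
    def handle(self):
        self.request.sendall(self.server.banner)
        self.request.recv(64)

def start_mock_smtp(banner=b"220 mail.isp.example ESMTP (constructed)\r\n"):
    """Start a local mock SMTP server on a free port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockSMTPHandler)
    srv.daemon_threads = True
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def unused_port():
    """Pick a port nothing is listening on, to simulate a refused connection."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against the real ISP server, run check_smtp("mail.isp.example") from an inside host: a timeout with "connected" still False points upstream of the PIX, while a 5xx banner means the TCP path is fine and the mail server itself is rejecting the session.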