Tracert fails from inside a PIX firewall: misconfiguration? - Network


  1. Tracert fails from inside a PIX firewall: misconfiguration?

    Hi,

    We have a problem reaching the web server of one of our business partners.
    The server can be reached from PCs located outside our Cisco PIX firewall,
    but cannot be reached from computers inside the firewall. It is not the
    case that we are blocking outbound connections. In fact we are doing that, but it
    also occurs for non-blocked IPs. I tested tracert from both inside and
    outside PCs. The results are shown below. I also attached the PIX
    configuration.
    It looks like the problem began after the PIX software was updated to a new
    version, 6.3(5). Before we had the 4.x.x version.
    What can be wrong?

    Any hint is welcome.
    Thanks in advance
    Sammy

    P.S.: I wonder whether we started to detect the problem after the PIX was upgraded just
    because a virtual private network was configured to an IP
    (200.57.135.113) that is 'near' the last hop that responds to the trace
    (200.57.144.11).
    P.P.S.: A similar problem arises when tracing to www.telmex.com

    Successful TRACERT from outside firewall:
    tracert www.porcelanite.com
    1 <1 ms <1 ms <1 ms host6.mydomain [xxx.xxx.xxx.xxx]
    2 6 ms 6 ms 6 ms inet-ver-lerdo-1-s1-1-3-12.uninet.net.mx [148.223.214.30]
    3 36 ms 47 ms 36 ms inet-ver-lerdo-6-g0-0.uninet.net.mx [148.233.191.169]
    4 36 ms 36 ms 36 ms bb-pue-fuertes-5-pos4-1.uninet.net.mx [200.38.132.166]
    5 37 ms 37 ms 37 ms bup-mex-vallejo-11-pos2-0.uninet.net.mx [200.38.132.102]
    6 37 ms 37 ms 37 ms bb-mex-vallejo-21-g0-0.uninet.net.mx [200.38.132.241]
    7 35 ms 35 ms 35 ms bb-nvl-revolucion-pos-10-0.uninet.net.mx [200.38.150.189]
    8 33 ms 33 ms 33 ms inet-nvl-triara-2-pos13-0.uninet.net.mx [200.38.132.225]
    9 33 ms 33 ms 32 ms apnetrrev-triara-g6-0-0.uninet-ide.com.mx [201.134.32.88]
    10 33 ms 33 ms 33 ms cust-200-57-144-11.triara.com [200.57.144.11]
    11 * * * Request timed out.
    12 * * * Request timed out.
    13 35 ms 34 ms 33 ms cust-200-57-146-146.triara.com [200.57.146.147]

    Unsuccessful TRACERT from inside the firewall:
    1 1 ms 1 ms 1 ms host6.mydomain [xxx.xxx.xxx.xxx]
    2 8 ms 8 ms 7 ms inet-ver-lerdo-1-s1-1-3-12.uninet.net.mx [148.223.214.30]
    3 39 ms 38 ms 39 ms inet-ver-lerdo-6-g0-0.uninet.net.mx [148.233.191.169]
    4 39 ms 38 ms 38 ms bb-pue-fuertes-5-pos3-0.uninet.net.mx [200.38.209.126]
    5 38 ms 37 ms 38 ms bup-mex-vallejo-11-pos2-0.uninet.net.mx [200.38.132.102]
    6 39 ms 38 ms 38 ms bb-mex-vallejo-21-g0-0.uninet.net.mx [200.38.132.241]
    7 178 ms 275 ms 437 ms bb-nvl-revolucion-pos-10-0.uninet.net.mx [200.38.150.189]
    8 34 ms 41 ms 34 ms inet-nvl-triara-2-pos13-0.uninet.net.mx [200.38.132.225]
    9 34 ms 34 ms 34 ms apnetrrev-triara-g6-0-0.uninet-ide.com.mx [201.134.32.88]
    10 45 ms 34 ms 34 ms cust-200-57-144-11.triara.com [200.57.144.11]
    11 * * * Request timed out.
    12 * * * Request timed out.
    13 * * * Request timed out.
    14 * * * Request timed out.
    15 * * * Request timed out.
    16 * * * Request timed out.
    17 * * * Request timed out.
    18 * * * Request timed out.
    19 * * * Request timed out.
    20 * * * Request timed out.
    21 * * * Request timed out.
    22 * * * Request timed out.
    23 * * * Request timed out.
    24 * * * Request timed out.
    25 * * * Request timed out.
    26 * * * Request timed out.
    27 * * * Request timed out.
    28 * * * Request timed out.
    29 * * * Request timed out.
    30 * * * Request timed out.

    After reaching the 10th hop it fails.
    The configuration of the pix firewall is the following:

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password nqfWSn3UNobR6H2P encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    pager lines 20
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.xxx 255.255.255.240
    ip address inside 10.10.10.178 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx netmask 255.255.255.240
    global (outside) 1 xxx.xxx.xxx.xxx netmask 255.255.255.240
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) xxx.xxx.xxx.xxx 10.10.10.2 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.xxx 10.10.10.4 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.xxx 10.10.10.77 netmask 255.255.255.255 0 0
    conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    conduit permit icmp any any
    conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq ftp any
    conduit permit tcp host xxx.xxx.xxx.xxx eq ftp-data any
    conduit permit udp host xxx.xxx.xxx.xxx eq 20 any
    conduit permit udp host xxx.xxx.xxx.xxx eq 21 any
    conduit permit tcp host xxx.xxx.xxx.xxx eq www any
    conduit permit tcp host xxx.xxx.xxx.xxx eq telnet any
    conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host xxx.xxx.xxx.xxx
    conduit permit tcp host xxx.xxx.xxx.xxx eq 1432 host xxx.xxx.xxx.xxx
    outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
    outbound 1 deny 0.0.0.0 0.0.0.0 0 udp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 110 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 25 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 80 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 443 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 3389 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.255 110 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.255 25 tcp
    outbound 1 except 148.233.250.132 255.255.255.255 1-65535 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 53 udp
    outbound 1 except 65.77.208.229 255.255.255.255 1-65535 tcp
    outbound 1 except 65.77.209.226 255.255.255.255 1-65535 tcp
    outbound 1 except 200.57.136.14 255.255.255.255 1-65535 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.255 1-65535 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.255 1-65535 udp
    outbound 1 except 216.66.18.0 255.255.255.0 1-65535 tcp
    outbound 1 except 200.57.136.14 255.255.255.255 80 tcp
    outbound 1 except 200.57.136.29 255.255.255.255 80 tcp
    outbound 1 except 64.94.110.0 255.255.255.0 80 tcp
    outbound 1 except 12.158.80.0 255.255.255.0 80 tcp
    outbound 1 except 216.104.208.0 255.255.240.0 80 tcp
    outbound 1 except 204.157.9.184 255.255.255.255 1-65535 tcp
    outbound 1 except 67.43.1.165 255.255.255.255 1-65535 tcp
    outbound 1 except 207.58.165.0 255.255.255.0 1-65535 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 20 tcp
    outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 21 tcp
    outbound 1 except 65.98.0.0 255.255.128.0 1-65535 tcp
    outbound 1 except 200.57.135.113 255.255.255.255 1-65535 tcp
    outbound 2 permit 10.10.10.1 255.255.255.255 1-65535 tcp
    outbound 2 permit 10.10.10.1 255.255.255.255 1-65535 udp
    outbound 2 permit 10.10.10.4 255.255.255.255 1-65535 tcp
    outbound 2 permit 10.10.10.4 255.255.255.255 1-65535 udp
    outbound 2 permit 10.10.10.152 255.255.255.255 1-65535 tcp
    outbound 2 permit 10.10.10.152 255.255.255.255 1-65535 udp
    outbound 2 permit 10.10.102.230 255.255.255.255 1-65535 tcp
    outbound 2 permit 10.10.102.230 255.255.255.255 1-65535 udp
    apply (inside) 1 outgoing_src
    apply (inside) 2 outgoing_src
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    route inside 10.0.0.0 255.0.0.0 10.10.10.254 1
    route inside 10.10.102.0 255.255.255.0 10.10.10.143 1
    route inside 10.10.119.0 255.255.255.0 10.10.10.210 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    service resetinbound
    crypto ipsec transform-set aptset esp-des esp-md5-hmac
    crypto map ozmap 10 ipsec-isakmp
    crypto map ozmap 10 match address encrypt-acl
    crypto map ozmap 10 set peer 200.57.128.41
    crypto map ozmap 10 set transform-set aptset
    crypto map ozmap interface outside
    isakmp enable outside
    isakmp key ******** address 200.57.128.41 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet 10.10.10.254 255.255.255.255 inside
    telnet timeout 60
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx




  2. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    > Successful TRACERT from outside firewall:
    > Unsuccessful TRACERT from inside the firewall:


    What are the traceroute client platforms? More specifically, are they
    both using the same traceroute protocol?

    > The configuration of the pix firewall is the following:


    > fixup protocol dns maximum-length 512


    This breaks EDNS0.
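
    Post 2 asks which traceroute client each side ran and whether both use the same probe type. The output format already answers that: the Spanish "Tiempo de espera agotado para esta solicitud." (Windows "Request timed out.") and the `name [ip]` layout are Windows tracert, which probes with ICMP echo requests, whereas Unix traceroute prints `name (ip)` and by default sends UDP to high ports. The script below is an added example, not code from this thread or from Cisco: it recognises both formats (including hop lines wrapped by the news client, as in post 1), then compares the two traces from post 1 (trimmed to a few hops; hop 1 is masked as in the post, and the Unix-style sample with 192.0.2.1 is constructed) and reports the last hop both runs reached and the first hop where one run gets replies and the other does not.

```python
import re

# Line shapes the parser understands (assumed from the two tools' usual output):
#   Windows tracert:  "10    33 ms    33 ms    33 ms  cust-200-57-144-11.triara.com [200.57.144.11]"
#   Unix traceroute:  "10  cust-200-57-144-11.triara.com (200.57.144.11)  33.1 ms  33.0 ms  33.2 ms"
#   no reply (both):  "11     *        *        *     Request timed out."  or  "11  * * *"
WIN_HOP = re.compile(r"^\s*(\d+)\s+.*?(\S+)\s+\[([^\]]+)\]\s*$")
UNIX_HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)")
TIMEOUT = re.compile(r"^\s*(\d+)\s+\*\s+\*\s+\*")   # text after the stars may be localised

# Default probe each client sends; firewalls and end hosts often treat the two differently.
PROBE = {"windows-tracert": "ICMP echo request", "unix-traceroute": "UDP to ports 33434 and up"}


def unwrap(text):
    """Re-join hop lines that a mail or news client wrapped before the trailing "[ip]"
    or the tail of the timeout message, as happened to the traces in the original post."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if lines and not re.match(r"\d+\s", line):   # no leading hop number: continuation
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse_trace(text):
    """Return (client, hops); hops maps hop number -> responding address, or None when lost."""
    client, hops = None, {}
    for line in unwrap(text):
        for name, pattern in (("windows-tracert", WIN_HOP), ("unix-traceroute", UNIX_HOP)):
            m = pattern.match(line)
            if m:
                client = client or name
                hops[int(m.group(1))] = m.group(3)
                break
        else:
            m = TIMEOUT.match(line)
            if m:
                hops[int(m.group(1))] = None
    return client, hops


def compare(outside_text, inside_text):
    """Where do two traces to the same target part ways?  A hop answering from a different
    address in the two runs (another interface of the same router) is not a divergence;
    a hop that answers in one run and stays silent in the other is."""
    oc, o = parse_trace(outside_text)
    ic, i = parse_trace(inside_text)
    answered = lambda h: [n for n in sorted(h) if h[n]]
    both = [n for n in answered(o) if i.get(n)]
    gap = next((n for n in sorted(set(o) | set(i)) if bool(o.get(n)) != bool(i.get(n))), None)
    return {
        "clients": (oc, ic),
        "same_probe_type": PROBE.get(oc) == PROBE.get(ic),
        "last_common_hop": both[-1] if both else None,
        "address_differs_at": [n for n in both if o[n] != i[n]],
        "first_reply_gap": gap,
        "outside_last_answer": (answered(o) or [None])[-1],
        "inside_last_answer": (answered(i) or [None])[-1],
    }


# Trimmed from the thread's two runs, wrapped exactly as the news client wrapped them.
OUTSIDE = """\
tracert www.porcelanite.com
1 <1 ms <1 ms <1 ms host6.mydomain [xxx.xxx.xxx.xxx]
4 36 ms 36 ms 36 ms bb-pue-fuertes-5-pos4-1.uninet.net.mx
[200.38.132.166]
10 33 ms 33 ms 33 ms cust-200-57-144-11.triara.com
[200.57.144.11]
11 * * * Tiempo de espera agotado para esta
solicitud.
12 * * * Tiempo de espera agotado para esta
solicitud.
13 35 ms 34 ms 33 ms cust-200-57-146-146.triara.com
[200.57.146.147]
"""
INSIDE = """\
1 1 ms 1 ms 1 ms host6.mydomain [xxx.xxx.xxx.xxx]
4 39 ms 38 ms 38 ms bb-pue-fuertes-5-pos3-0.uninet.net.mx
[200.38.209.126]
10 45 ms 34 ms 34 ms cust-200-57-144-11.triara.com
[200.57.144.11]
11 * * * Tiempo de espera agotado para esta
solicitud.
12 * * * Tiempo de espera agotado para esta
solicitud.
13 * * * Tiempo de espera agotado para esta
solicitud.
"""
# Constructed Unix-style run for contrast (192.0.2.1 is documentation space, not the poster's address).
UNIX_SAMPLE = """\
 1  host6.mydomain (192.0.2.1)  0.412 ms  0.390 ms  0.371 ms
 2  inet-ver-lerdo-1-s1-1-3-12.uninet.net.mx (148.223.214.30)  6.1 ms  6.0 ms  6.2 ms
 3  * * *
"""

if __name__ == "__main__":
    print(compare(OUTSIDE, INSIDE))
```

    On the posted traces it reports both clients as Windows tracert (so the same ICMP probe type on both sides), hops 11 and 12 silent in both runs, hop 13 answering only from outside, and hop 4 flagged only as an address difference (pos4-1 versus pos3-0 in the hostnames, two interfaces of the same router), which is the information post 7 asks to have stated rather than pasted.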

  3. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    In article <43a9d488$0$37350$892e7fe2@authen.yellow.readfreenews.net>,
    Dom wrote:

    >> The configuration of the pix firewall is the following:


    >> fixup protocol dns maximum-length 512


    >This breaks EDNS0.


    No it doesn't. RFC 2671 section 4.5.1 specifically allows for this
    behaviour:

    4.5.1. Note that a 512-octet UDP payload requires a 576-octet IP
    reassembly buffer. Choosing 1280 on an Ethernet connected
    requestor would be reasonable. The consequence of choosing too
    large a value may be an ICMP message from an intermediate
    gateway, or even a silent drop of the response message.

    Thus as far as RFC 2671 is concerned, if you advertise that you
    can receive more than 512 bytes of payload and you cannot really
    do so because of something in between (e.g., your PIX configuration),
    then the fault is yours for having advertised that larger payload.

    You are free to use EDNS0 with an advertisement of 512 bytes as
    your maximum size, thus gaining whatever other benefits there are
    to EDNS0 but retaining compatibility with traditional DNS length
    restrictions.

    --
    All is vanity. -- Ecclesiastes

  4. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    >>>fixup protocol dns maximum-length 512
    >
    >>This breaks EDNS0.


    Allow me to qualify my statement, then. This is a common cause of
    resolution failure due to the blocking of edns0 traffic. It will most
    likely break edns0 in any default edns0 implementation.

  5. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    > Thus as far as RFC 2671 is concerned, if you advertise that you
    > can receive more than 512 bytes of payload and you cannot really
    > do so because of something inbetween (e.g., your PIX configuration),
    > then the fault is yours for having advertised that larger payload.


    Not necessarily true. The sender may be unaware of a need for edns0
    compatibility and block outgoing responses larger than 512.

  6. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    In article <43a9f368$0$93403$892e7fe2@authen.yellow.readfreenews.net>,
    Dom wrote:
    >> Thus as far as RFC 2671 is concerned, if you advertise that you
    >> can receive more than 512 bytes of payload and you cannot really
    >> do so because of something inbetween (e.g., your PIX configuration),
    >> then the fault is yours for having advertised that larger payload.


    >Not necessarily true. The sender may be unaware of a need for edns0
    >compatibility and block outgoing responses larger than 512.


    If the sender is unaware of the need for edns0 compatibility, then
    the packets sent back will not be in edns0 format and hence will not
    be larger than 512 bytes.

    It is true, though, that it is possible for a DNS server to be
    configured for EDNS0 without the DNS admins or network admins realizing
    it is there, so the outgoing firewall could end up blocking longer
    packets without humans knowing what is going on.

    Blocked large DNS packets are noted in the PIX logs (as one of the IDS
    signatures), but it is unfortunately common for people not to pay
    attention to their firewall logs until some substantial problem comes
    to their attention... if they thought to turn on logging in the first
    place...

    --
    Programming is what happens while you're busy making other plans.
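
    Posts 2 to 6 disagree about what `fixup protocol dns maximum-length 512` does to EDNS0. The Python model below is an added example, not code from the thread or from Cisco. It builds an A query with and without an EDNS0 OPT record (RFC 2671: root name, TYPE 41, the CLASS field carrying the advertised UDP payload size), a constructed response (www.porcelanite.com from the thread, with made-up 203.0.113.x addresses), a compliant server that sends the full reply only when it fits the advertised size and otherwise answers header-plus-question with TC=1 so the client retries over TCP, and the fixup reduced to a plain length check. Two simplifications are assumed: the real fixup does more than measure length, and the truncated reply here omits the OPT record. The model reproduces the case both sides describe: a resolver advertising 4096 draws a 677-byte reply that the 512-byte limit discards, while the same resolver advertising 512, or classic DNS, gets a truncated reply that passes.

```python
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_TC = 0x8000, 0x0200
CLASSIC_LIMIT = 512          # RFC 1035 UDP payload limit when no OPT RR is present


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(pkt, off):
    """Return the offset just past the name (or compression pointer) that starts at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # two-byte compression pointer
            return off + 2
        off += 1 + length


def build_query(qname, qid=0x1234, edns_udp_size=None):
    """A/IN query for qname; with edns_udp_size it carries an EDNS0 OPT RR whose
    CLASS field advertises the UDP payload size the sender says it can receive."""
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)    # RD=1, one question
    pkt += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return pkt


def advertised_udp_size(query):
    """Payload size the client claims it can take: the OPT RR CLASS, else the classic 512."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return CLASSIC_LIMIT


def build_response(query, addresses):
    """Constructed full answer: the query's question plus one A record per address,
    each owner name compressed to a pointer at the question (offset 12)."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    pkt = struct.pack("!HHHHHH", qid, FLAG_QR, 1, len(addresses), 0, 0) + question
    for a in addresses:
        rdata = bytes(int(x) for x in a.split("."))
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return pkt


def server_send(query, full_response):
    """What a compliant server puts on the wire: the full message if it fits the advertised
    size, otherwise header + question with TC=1 so the client retries over TCP."""
    if len(full_response) <= advertised_udp_size(query):
        return full_response
    qid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", full_response[:12])
    question = full_response[12:skip_name(full_response, 12) + 4]
    return struct.pack("!HHHHHH", qid, flags | FLAG_TC, qd, 0, 0, 0) + question


def pix_dns_fixup(pkt, maximum_length=512):
    """Simplified model (assumption) of `fixup protocol dns maximum-length N`:
    a UDP DNS message longer than N bytes does not pass; anything else is untouched."""
    return pkt if len(pkt) <= maximum_length else None


def outcome(edns_udp_size, n_records, fixup_max=512):
    """One lookup through server and firewall: 'delivered', 'truncated' or 'dropped'."""
    query = build_query("www.porcelanite.com", edns_udp_size=edns_udp_size)
    full = build_response(query, ["203.0.113.%d" % (i % 250 + 1) for i in range(n_records)])
    passed = pix_dns_fixup(server_send(query, full), fixup_max)
    if passed is None:
        return "dropped"
    tc = struct.unpack("!H", passed[2:4])[0] & FLAG_TC
    return "truncated" if tc else "delivered"


if __name__ == "__main__":
    for adv, n, fw in [(None, 40, 512), (4096, 40, 512), (512, 40, 512), (4096, 40, 1280)]:
        print("advertised=%s records=%d fixup_max=%d -> %s" % (adv, n, fw, outcome(adv, n, fw)))
```

    The "dropped" row is the silent failure post 6 describes: nothing reaches the resolver, so the only trace is the firewall's own log of the oversized packet; the "truncated" rows are the RFC 2671 position in post 3, where advertising 512 keeps the UDP path working at the cost of a TCP retry for large answers. Raising the fixup limit to 1280, the figure the quoted RFC text calls reasonable on Ethernet, turns the dropped case into "delivered".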

  7. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    The PIX has no effect on anything after the first hop. It is the way
    routing works: each device along the way only determines what the "next
    hop" is, and that is all. If a hop is failing, then it is caused by
    the last router it passed through trying to send the packet to another
    "gateway" that cannot, or will not, receive the connection.

    You need to explain the situation better. Pasting tracerts into the
    message probably isn't going to do anything other than make the post
    impossible to read.

    How does the VPN "fit in" to the picture? How does it (or even does it)
    relate to the target website?

    Are there any situations where the internal AD domain name is the same as the
    external public domain name?

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/IS...cessRules.html

    Microsoft Internet Security & Acceleration Server: Guidance
    http://www.microsoft.com/isaserver/t...dance/2004.asp
    http://www.microsoft.com/isaserver/t...dance/2000.asp

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Deployment Guidelines for ISA Server 2004 Enterprise Edition
    http://www.microsoft.com/technet/pro...isaserver.mspx
    -----------------------------------------------------




    "SammyBar" wrote in message
    news:43a98ad4$0$84682$892e7fe2@authen.yellow.readfreenews.net...
    > Hi,
    >
    > We have a problem reaching the web server of one of our business partners.
    > The server can be reached from PCs located outside our Cisco PIX firewall,
    > but cannot be reached from computers inside the firewall. It is not the
    > case that we are blocking outbound connections. In fact we are doing that, but it
    > also occurs for non-blocked IPs. I tested tracert from both inside and
    > outside PCs. The results are shown below. I also attached the PIX
    > configuration.
    > It looks like the problem began after the PIX software was updated to a

    new
    > version 6.3(5). Before we had the 4.x.x version.
    > What can be wrong?
    >
    > Any hint is welcomed.
    > Thanks in advance
    > Sammy
    >
    > PD: I wonder we started to detect problem after the PIX was upgraded just
    > because it was configured a virtual private network to an IP
    > (200.57.135.113) that is 'near' the last hop that responds to the trace
    > (200.57.144.11)
    > PPD: A similar problem arises from tracing to www.telmex.com
    >
    > Successful TRACERT from outside firewall:
    > tracert www.porcelanite.com
    > 1 <1 ms <1 ms <1 ms host6.mydomain [xxx.xxx.xxx.xxx]
    > 2 6 ms 6 ms 6 ms inet-ver-lerdo-1-s1-1-3-12.uninet.net.mx
    > [148.223.214.30]
    > 3 36 ms 47 ms 36 ms inet-ver-lerdo-6-g0-0.uninet.net.mx
    > [148.233.191.169]
    > 4 36 ms 36 ms 36 ms bb-pue-fuertes-5-pos4-1.uninet.net.mx
    > [200.38.132.166]
    > 5 37 ms 37 ms 37 ms bup-mex-vallejo-11-pos2-0.uninet.net.mx
    > [200.38.132.102]
    > 6 37 ms 37 ms 37 ms bb-mex-vallejo-21-g0-0.uninet.net.mx
    > [200.38.132.241]
    > 7 35 ms 35 ms 35 ms bb-nvl-revolucion-pos-10-0.uninet.net.mx
    > [200.38.150.189]
    > 8 33 ms 33 ms 33 ms inet-nvl-triara-2-pos13-0.uninet.net.mx
    > [200.38.132.225]
    > 9 33 ms 33 ms 32 ms apnetrrev-triara-g6-0-0.uninet-ide.com.mx
    > [201.134.32.88]
    > 10 33 ms 33 ms 33 ms cust-200-57-144-11.triara.com
    > [200.57.144.11]
    > 11 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 12 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 13 35 ms 34 ms 33 ms cust-200-57-146-146.triara.com
    > [200.57.146.147]
    >
    > Unsuccessful TRACERT from inside the firewall:
    > 1 1 ms 1 ms 1 ms host6.mydomain [xxx.xxx.xxx.xxx]
    > 2 8 ms 8 ms 7 ms inet-ver-lerdo-1-s1-1-3-12.uninet.net.mx
    > [148.223.214.30]
    > 3 39 ms 38 ms 39 ms inet-ver-lerdo-6-g0-0.uninet.net.mx
    > [148.233.191.169]
    > 4 39 ms 38 ms 38 ms bb-pue-fuertes-5-pos3-0.uninet.net.mx
    > [200.38.209.126]
    > 5 38 ms 37 ms 38 ms bup-mex-vallejo-11-pos2-0.uninet.net.mx
    > [200.38.132.102]
    > 6 39 ms 38 ms 38 ms bb-mex-vallejo-21-g0-0.uninet.net.mx
    > [200.38.132.241]
    > 7 178 ms 275 ms 437 ms bb-nvl-revolucion-pos-10-0.uninet.net.mx
    > [200.38.150.189]
    > 8 34 ms 41 ms 34 ms inet-nvl-triara-2-pos13-0.uninet.net.mx
    > [200.38.132.225]
    > 9 34 ms 34 ms 34 ms apnetrrev-triara-g6-0-0.uninet-ide.com.mx
    > [201.134.32.88]
    > 10 45 ms 34 ms 34 ms cust-200-57-144-11.triara.com
    > [200.57.144.11]
    > 11 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 12 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 13 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 14 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 15 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 16 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 17 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 18 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 19 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 20 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 21 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 22 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 23 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 24 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 25 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 26 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 27 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 28 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 29 * * * Tiempo de espera agotado para esta
    > solicitud.
    > 30 * * * Tiempo de espera agotado para esta
    > solicitud.
    >
    > After reaching the 10th hop it fails.
    > The configuration of the pix firewall is the following:
    >
    > PIX Version 6.3(5)
    > interface ethernet0 auto
    > interface ethernet1 auto
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password nqfWSn3UNobR6H2P encrypted
    > passwd 2KFQnbNIdI.2KYOU encrypted
    > hostname pixfirewall
    > fixup protocol dns maximum-length 512
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > names
    > access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    > access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    > access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    > access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    > pager lines 20
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside xxx.xxx.xxx.xxx 255.255.255.240
    > ip address inside 10.10.10.178 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx netmask 255.255.255.240
    > global (outside) 1 xxx.xxx.xxx.xxx netmask 255.255.255.240
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) xxx.xxx.xxx.xxx 10.10.10.2 netmask 255.255.255.255

    0
    > 0
    > static (inside,outside) xxx.xxx.xxx.xxx 10.10.10.4 netmask 255.255.255.255

    0
    > 0
    > static (inside,outside) xxx.xxx.xxx.xxx 10.10.10.77 netmask

    255.255.255.255
    > 0 0
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    > conduit permit icmp any any
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq ftp any
    > conduit permit tcp host xxx.xxx.xxx.xxx eq ftp-data any
    > conduit permit udp host xxx.xxx.xxx.xxx eq 20 any
    > conduit permit udp host xxx.xxx.xxx.xxx eq 21 any
    > conduit permit tcp host xxx.xxx.xxx.xxx eq www any
    > conduit permit tcp host xxx.xxx.xxx.xxx eq telnet any
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 1433 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx eq 135 host xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit udp host xxx.xxx.xxx.xxx range 5000 5020 host

    xxx.xxx.xxx.xxx
    > conduit permit tcp host xxx.xxx.xxx.xxx eq 1432 host xxx.xxx.xxx.xxx
    > outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
    > outbound 1 deny 0.0.0.0 0.0.0.0 0 udp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 110 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 25 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 80 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 443 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 3389 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.255 110 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.255 25 tcp
    > outbound 1 except 148.233.250.132 255.255.255.255 1-65535 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 53 udp
    > outbound 1 except 65.77.208.229 255.255.255.255 1-65535 tcp
    > outbound 1 except 65.77.209.226 255.255.255.255 1-65535 tcp
    > outbound 1 except 200.57.136.14 255.255.255.255 1-65535 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.255 1-65535 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.255 1-65535 udp
    > outbound 1 except 216.66.18.0 255.255.255.0 1-65535 tcp
    > outbound 1 except 200.57.136.14 255.255.255.255 80 tcp
    > outbound 1 except 200.57.136.29 255.255.255.255 80 tcp
    > outbound 1 except 64.94.110.0 255.255.255.0 80 tcp
    > outbound 1 except 12.158.80.0 255.255.255.0 80 tcp
    > outbound 1 except 216.104.208.0 255.255.240.0 80 tcp
    > outbound 1 except 204.157.9.184 255.255.255.255 1-65535 tcp
    > outbound 1 except 67.43.1.165 255.255.255.255 1-65535 tcp
    > outbound 1 except 207.58.165.0 255.255.255.0 1-65535 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 20 tcp
    > outbound 1 except xxx.xxx.xxx.xxx 255.255.255.240 21 tcp
    > outbound 1 except 65.98.0.0 255.255.128.0 1-65535 tcp
    > outbound 1 except 200.57.135.113 255.255.255.255 1-65535 tcp
    > outbound 2 permit 10.10.10.1 255.255.255.255 1-65535 tcp
    > outbound 2 permit 10.10.10.1 255.255.255.255 1-65535 udp
    > outbound 2 permit 10.10.10.4 255.255.255.255 1-65535 tcp
    > outbound 2 permit 10.10.10.4 255.255.255.255 1-65535 udp
    > outbound 2 permit 10.10.10.152 255.255.255.255 1-65535 tcp
    > outbound 2 permit 10.10.10.152 255.255.255.255 1-65535 udp
    > outbound 2 permit 10.10.102.230 255.255.255.255 1-65535 tcp
    > outbound 2 permit 10.10.102.230 255.255.255.255 1-65535 udp
    > apply (inside) 1 outgoing_src
    > apply (inside) 2 outgoing_src
    > route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    > route inside 10.0.0.0 255.0.0.0 10.10.10.254 1
    > route inside 10.10.102.0 255.255.255.0 10.10.10.143 1
    > route inside 10.10.119.0 255.255.255.0 10.10.10.210 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server TACACS+ max-failed-attempts 3
    > aaa-server TACACS+ deadtime 10
    > aaa-server RADIUS protocol radius
    > aaa-server RADIUS max-failed-attempts 3
    > aaa-server RADIUS deadtime 10
    > aaa-server LOCAL protocol local
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > service resetinbound
    > crypto ipsec transform-set aptset esp-des esp-md5-hmac
    > crypto map ozmap 10 ipsec-isakmp
    > crypto map ozmap 10 match address encrypt-acl
    > crypto map ozmap 10 set peer 200.57.128.41
    > crypto map ozmap 10 set transform-set aptset
    > crypto map ozmap interface outside
    > isakmp enable outside
    > isakmp key ******** address 200.57.128.41 netmask 255.255.255.255
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption des
    > isakmp policy 10 hash md5
    > isakmp policy 10 group 1
    > isakmp policy 10 lifetime 86400
    > telnet 10.10.10.254 255.255.255.255 inside
    > telnet timeout 60
    > ssh timeout 5
    > console timeout 0
    > terminal width 80
    > Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx



  8. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    In article <43a98ad4$0$84682$892e7fe2@authen.yellow.readfreenews.net>,
    SammyBar wrote:
    >We have a problem reaching the web server of one of our business partners.
    >The server can be reached from PCs located outside our Cisco PIX firewall,
    >but can not be reached from computers inside the firewall.


    >It looks like the problem began after the PIX software was updated to a new
    >version 6.3(5). Before we had the 4.x.x version.


    That was a pretty big version jump!

    >PIX Version 6.3(5)


    >access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    >access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    >access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113
    >access-list encrypt-acl permit ip host xxx.xxx.xxx.xxx host 200.57.135.113


    >ip address outside xxx.xxx.xxx.xxx 255.255.255.240
    >ip address inside 10.10.10.178 255.255.255.0


    >global (outside) 1 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx netmask 255.255.255.240
    >global (outside) 1 xxx.xxx.xxx.xxx netmask 255.255.255.240


    In this statement, is xxx.xxx.xxx.xxx the same as the IP of your
    outside interface? If so, then replace the IP address with the
    word "interface", as in

    global (outside) 1 interface

    >nat (inside) 1 0.0.0.0 0.0.0.0 0 0


    >static (inside,outside) xxx.xxx.xxx.xxx 10.10.10.2 netmask 255.255.255.255 0 0
    >static (inside,outside) xxx.xxx.xxx.xxx 10.10.10.4 netmask 255.255.255.255 0 0
    >static (inside,outside) xxx.xxx.xxx.xxx 10.10.10.77 netmask 255.255.255.255 0 0


    >route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    >route inside 10.0.0.0 255.0.0.0 10.10.10.254 1


    What is the purpose of that route statement?

    You are not going to be getting any 10/8 destinations converted from
    outside traffic, as none of your 'static' statements map to anything
    other than 10.10.10/24.

    You are not going to be getting any 10/8 traffic from the VPN tunnel,
    as your encrypt-acl does not permit 10/8 and you do not have any
    "reverse nat" statements that might nat the 200.57.135.113 traffic into
    10/8 IPs.

    You are not going to be getting any 10/8 traffic from inside that will
    be routed back to the inside interface, as PIX before 7.0 always
    discards traffic that comes in on an interface and is destined for the
    same interface.

    Therefore, no traffic can flow that would be routed by that statement
    that would not already be routed by the 10.10.10/24 routing that the
    PIX is going to add automatically as the "connected" route based on the
    "ip address inside" statement.

    >route inside 10.10.102.0 255.255.255.0 10.10.10.143 1
    >route inside 10.10.119.0 255.255.255.0 10.10.10.210 1


    The same reasoning is true for those two route statements.

    >crypto map ozmap 10 ipsec-isakmp
    >crypto map ozmap 10 match address encrypt-acl
    >crypto map ozmap 10 set peer 200.57.128.41
    >crypto map ozmap 10 set transform-set aptset
    >crypto map ozmap interface outside



    There might be a few other subtle IP address problems, but in order
    to tell, I would need to see the configuration with unique munging of
    each IP address: as you have used xxx.xxx.xxx.xxx to represent
    several different IP addresses, I cannot tell whether there are
    conflicts.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
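To make the reasoning above about the `route inside` statements checkable rather than argued by hand, here is an added Python audit; it is not code from the thread or from Cisco. It assumes the munged xxx.xxx.xxx.xxx addresses are 192.0.2.x documentation addresses, the sample configuration is constructed from the quoted one, and it encodes only the two PIX behaviours the reply relies on: the connected route the PIX adds from `ip address`, and the pre-7.0 rule that traffic entering and leaving on the same interface is discarded. A route is reported as used only when some static real address or crypto-ACL local host falls inside its prefix but outside the interface's connected network.

```python
"""Added example: audit 'route' statements in a PIX 6.x configuration."""
import ipaddress
import re


def parse_pix(config_text):
    """Pull interfaces, statics, crypto-ACL local hosts and routes out of a
    (possibly '>'-quoted) PIX 6.x configuration."""
    ifaces, statics, acls, routes = {}, [], {}, []
    crypto_acl, crypto_iface = None, None
    for raw in config_text.splitlines():
        parts = raw.strip().lstrip("> ").split()
        if not parts:
            continue
        if parts[:2] == ["ip", "address"] and len(parts) >= 5:
            # ip address <iface> <addr> <mask>: the PIX adds a connected route for this net
            ifaces[parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif parts[0] == "static" and len(parts) >= 4:
            # static (<real_if>,<mapped_if>) <mapped> <real> ...: real address lives on <real_if>
            m = re.fullmatch(r"\((\w+),(\w+)\)", parts[1])
            if m:
                statics.append((m.group(1), ipaddress.ip_address(parts[3])))
        elif (parts[0] == "access-list" and len(parts) >= 8
              and parts[2] == "permit" and parts[4] == "host"):
            # access-list <name> permit <proto> host <local> host <remote> (host form only)
            acls.setdefault(parts[1], []).append(ipaddress.ip_address(parts[5]))
        elif parts[:2] == ["crypto", "map"] and len(parts) >= 5:
            if parts[3] == "interface":            # crypto map <name> interface <iface>
                crypto_iface = parts[4]
            elif "match" in parts and "address" in parts:
                crypto_acl = parts[-1]              # crypto map <name> <seq> match address <acl>
        elif parts[0] == "route" and len(parts) >= 5:
            # route <iface> <net> <mask> <gateway> [metric]
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((parts[1], net, parts[4]))
    return ifaces, statics, acls.get(crypto_acl, []), crypto_iface, routes


def audit_routes(config_text):
    """Return (iface, prefix, verdict, reason) for every route statement."""
    ifaces, statics, crypto_locals, crypto_iface, routes = parse_pix(config_text)
    findings = []
    for iface, net, _gw in routes:
        if net.prefixlen == 0:
            findings.append((iface, str(net), "default", "default route, not analysed"))
            continue
        connected = ifaces[iface].network if iface in ifaces else None
        # Traffic that could need this route must enter on another interface:
        # statics whose real side is on iface, plus decrypted tunnel traffic
        # (addressed to the crypto-ACL local hosts) arriving on crypto_iface.
        candidates = [real for real_if, real in statics if real_if == iface]
        if crypto_iface and crypto_iface != iface:
            candidates += crypto_locals
        live = sorted({str(c) for c in candidates
                       if c in net and not (connected and c in connected)})
        if live:
            findings.append((iface, str(net), "used",
                             "transit destinations " + ", ".join(live)))
        else:
            findings.append((iface, str(net), "redundant",
                             f"no static or crypto-ACL host in {net} outside connected "
                             f"{connected}; same-interface traffic is dropped on PIX before 7.0"))
    return findings


# Constructed sample: the quoted config with xxx.xxx.xxx.xxx replaced by 192.0.2.x (assumption).
SAMPLE_CONFIG = """\
> ip address outside 192.0.2.2 255.255.255.240
> ip address inside 10.10.10.178 255.255.255.0
> access-list encrypt-acl permit ip host 192.0.2.5 host 200.57.135.113
> static (inside,outside) 192.0.2.3 10.10.10.2 netmask 255.255.255.255 0 0
> static (inside,outside) 192.0.2.4 10.10.10.4 netmask 255.255.255.255 0 0
> static (inside,outside) 192.0.2.5 10.10.10.77 netmask 255.255.255.255 0 0
> crypto map ozmap 10 ipsec-isakmp
> crypto map ozmap 10 match address encrypt-acl
> crypto map ozmap interface outside
> route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
> route inside 10.0.0.0 255.0.0.0 10.10.10.254 1
> route inside 10.10.102.0 255.255.255.0 10.10.10.143 1
> route inside 10.10.119.0 255.255.255.0 10.10.10.210 1
"""

if __name__ == "__main__":
    for finding in audit_routes(SAMPLE_CONFIG):
        print(*finding)
```

Running it on the sample reports the three `route inside` statements as redundant, which is the reply's conclusion; adding a static whose real address sits in 10.10.102.0/24 turns both the 10/8 and the 10.10.102.0/24 routes into "used", which is exactly the kind of mapping the reply says the configuration lacks.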

  9. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    > What are the traceroute client platforms? More specifically, are they
    > both using the same traceroute protocol?

    Yes, both are tracert command for Windows XP SP2



  10. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    >>> Thus as far as RFC 2671 is concerned, if you advertise that you
    >>> can receive more than 512 bytes of payload and you cannot really
    >>> do so because of something in between (e.g., your PIX configuration),
    >>> then the fault is yours for having advertised that larger payload.

    >
    >>Not necessarily true. The sender may be unaware of a need for edns0
    >>compatibility and block outgoing responses larger than 512.

    >
    > If the sender is unaware of the need for edns0 compatibility, then
    > the packets sent back will not be in edns0 format and hence will not
    > be larger than 512 bytes.
    >
    > It is true, though, that it is possible for a DNS server to be
    > configured for EDNS0 without the DNS admins or network admins realizing
    > it is there, so the outgoing firewall could end up blocking longer
    > packets without humans knowing what is going on.
    >
    > Blocked large DNS packets are noted in the PIX logs (as one of the IDS
    > signatures), but it is unfortunately common for people not to pay
    > attention to their firewall logs until some substantial problem comes
    > to their attention... if they thought to turn on logging in the first
    > place...


    OK, maybe it is a coincidence, but since Tuesday I have had trouble with the
    DNS server. It stopped resolving names. The DNS server is located outside the
    firewall. I have another DNS server inside the firewall for the Windows 2000
    domain, but it is configured to forward all requests to the outside
    server. But it was impossible to resolve names from both the inside and outside
    networks. I had to configure the outside server to forward the requests to
    another DNS server administered by my ISP.
    Do you think I should delete the line "fixup protocol dns maximum-length
    512" from the PIX configuration?

    Thanks for your hints
    Sammy
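The EDNS0 point in the quoted exchange, as an added Python example that is not code from the thread: it builds a constructed DNS query carrying an OPT record (RFC 2671), reads back the UDP payload size the client advertises, and compares it with the 512-byte limit that `fixup protocol dns maximum-length 512` enforces. The query name, transaction id and payload sizes are constructed sample values.

```python
"""Added example: detect the EDNS0 / 512-byte DNS fixup mismatch."""
import struct


def _encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns_payload=None):
    """Constructed DNS query; with edns_payload set it carries an OPT RR."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    msg = header + _encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL=extended rcode/version/flags (0), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a possibly compressed name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_payload(msg):
    """UDP payload size advertised by the OPT RR, or 512 (RFC 1035 default) if none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                          # OPT: CLASS field is the payload size
            return rclass
        off += 10 + rdlen
    return 512


def fixup_would_drop(msg, max_length=512):
    """'fixup protocol dns maximum-length N' discards DNS/UDP messages longer than N bytes."""
    return len(msg) > max_length


def edns_exceeds_fixup(query, max_length=512):
    """True when the client advertises a payload size the firewall will never pass,
    the situation the quoted reply describes as the sender's fault."""
    return advertised_payload(query) > max_length


if __name__ == "__main__":
    q = build_query("www.porcelanite.com", edns_payload=4096)   # constructed sample
    print("advertised:", advertised_payload(q), "mismatch:", edns_exceeds_fixup(q))
```

A resolver that advertises 4096 bytes behind a 512-byte fixup is exactly the case described in the quoted exchange: the replies it invites can exceed the limit and are dropped at the firewall, while a plain query without an OPT record never triggers the problem. Checking the advertised size of queries leaving the network is a cheaper first step than removing the fixup line outright.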



  11. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    > How does the VPN "fit in" to the picture? How does it (or even does it)
    > relate to the target website?

    Well, maybe it is a coincidence, but the remote node of the VPN, both
    unreachable web sites and the last hop that answers the traceroute
    command are all on the same subnet, 200.57.128/19.

    > Are then any situations where the Internal AD Domain Name is the same as
    > the
    > External Public Domain Name?

    Pre-Windows 2000 domain names are the same for the internal and external
    domains. Let's name it "mydomain". The full internal domain name is
    mydomain.net. The full external public domain is mydomain.com.mx. But the
    short domain name is mydomain for both. It has been working in this configuration
    for 3+ years without any problems.

    Thanks
    Sammy



  12. Re: Tracert fails from inside a PIX firewall: misconfiguration?

    "SammyBar" wrote in message
    news:43ac9495$0$43709$892e7fe2@authen.yellow.readfreenews.net...
    > Pre-Windows 2000 domain names are the same for the internal and external
    > domains. Let's name it "mydomain". The full internal domain name is
    > mydomain.net. The full external public domain is mydomain.com.mx. But the
    > short domain name is mydomain for both.


    Then they aren't the same. There is technically no such thing as a "short
    name". What you really have is the DNS-based name (long) and the NetBIOS
    name (short), and they live in two different worlds. The NetBIOS names
    (short) do not "exist" on the external side because the external side is purely
    DNS, which is based on the FQDN (long), and since one ends with ".net" and
    the other ".com.mx", they are therefore different.

    >It has been working in this configuration for 3+ years without any problems.


    But it isn't now.

    I think your problem is that hosts on the internal side are using a
    different DNS than the hosts on the external side are using (that part is
    normal), and your internal DNS arrangement is not resolving the site to the
    proper IP# that can be properly reached by the LAN's routing setup. Your
    VPN may or may not be involved, because there are just *way* too many things
    about your LAN that have not been clearly explained. Remember that I have no
    background knowledge of your LAN and I cannot "see" it in person for myself.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/IS...cessRules.html

    Microsoft Internet Security & Acceleration Server: Guidance
    http://www.microsoft.com/isaserver/t...dance/2004.asp
    http://www.microsoft.com/isaserver/t...dance/2000.asp

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Deployment Guidelines for ISA Server 2004 Enterprise Edition
    http://www.microsoft.com/technet/pro...isaserver.mspx
    -----------------------------------------------------





