Question : Veritas Backup Exec & PIX 515

We are running a PIX 515E firewall, OS version 7.0(2). This has been up and running for many months now. Recently I started trying to configure Veritas Backup Exec version 9.1 rev. 4691 to back up all our servers in the LAN and in the DMZ. I have opened ports on the firewall per documentation found online, but I am still unable to push the Remote Agent from the Backup Exec Media server (which is in the LAN) to any server in the DMZ. From the Backup Exec Media server, I can however see DMZ servers by way of \\IP.ADDRESS\SHARE.NAME from Run. But when I try to manually push the Remote Agent, I receive the error message that the user name / password are not correct. Suggestions, save the user name / password actually being incorrect? All servers in question are Windows 2000 or 2003 Server. Below is my redacted PIX config. Thanks.

: Saved
:
PIX Version 7.0(2)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.248.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name default.domain.invalid
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup outside
dns name-server XXX.XXX.XXX.XXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DMZ_ALL
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_HTTP
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_HTTPS
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_ORACLE
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_ORACLEFAC
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_POP3
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_SMTP
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_SSH
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_MACADMIN
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255
object-group network DMZ_HTTP_real
 network-object 10.0.0.131 255.255.255.255
 network-object 10.0.0.132 255.255.255.255
 network-object 10.0.0.133 255.255.255.255
 network-object 10.0.0.134 255.255.255.255
 network-object 10.0.0.135 255.255.255.255
 network-object 10.0.0.136 255.255.255.255
 network-object 10.0.0.137 255.255.255.255
 network-object 10.0.0.138 255.255.255.255
 network-object 10.0.0.139 255.255.255.255
 network-object 10.0.0.141 255.255.255.255
 network-object 10.0.0.142 255.255.255.255
 network-object 10.0.0.143 255.255.255.255
 network-object 10.0.0.144 255.255.255.255
 network-object 10.0.0.145 255.255.255.255
 network-object 10.0.0.147 255.255.255.255
 network-object 10.0.0.149 255.255.255.255
 network-object 10.0.0.150 255.255.255.255
 network-object 10.0.0.151 255.255.255.255
object-group network DMZ_HTTPS_real
 network-object 10.0.0.131 255.255.255.255
 network-object 10.0.0.132 255.255.255.255
 network-object 10.0.0.133 255.255.255.255
 network-object 10.0.0.134 255.255.255.255
 network-object 10.0.0.135 255.255.255.255
 network-object 10.0.0.136 255.255.255.255
 network-object 10.0.0.137 255.255.255.255
 network-object 10.0.0.138 255.255.255.255
 network-object 10.0.0.139 255.255.255.255
 network-object 10.0.0.141 255.255.255.255
 network-object 10.0.0.142 255.255.255.255
 network-object 10.0.0.144 255.255.255.255
 network-object 10.0.0.145 255.255.255.255
 network-object 10.0.0.147 255.255.255.255
 network-object 10.0.0.149 255.255.255.255
 network-object 10.0.0.150 255.255.255.255
 network-object 10.0.0.151 255.255.255.255
object-group network DMZ_ORACLE_real
 network-object 10.0.0.137 255.255.255.255
 network-object 10.0.0.138 255.255.255.255
 network-object 10.0.0.139 255.255.255.255
object-group network DMZ_ORACLEFAC_real
 network-object 10.0.0.141 255.255.255.255
 network-object 10.0.0.142 255.255.255.255
object-group network DMZ_POP3_real
 network-object 10.0.0.132 255.255.255.255
object-group network DMZ_SSH_real
 network-object 10.0.0.137 255.255.255.255
 network-object 10.0.0.138 255.255.255.255
 network-object 10.0.0.139 255.255.255.255
 network-object 10.0.0.141 255.255.255.255
 network-object 10.0.0.142 255.255.255.255
 network-object 10.0.0.143 255.255.255.255
 network-object 10.0.0.131 255.255.255.255
 network-object 10.0.0.144 255.255.255.255
 network-object 10.0.0.145 255.255.255.255
 network-object 10.0.0.149 255.255.255.255
object-group network DMZ_MACADMIN_real
 network-object 10.0.0.131 255.255.255.255
 network-object 10.0.0.141 255.255.255.255
 network-object 10.0.0.142 255.255.255.255
object-group service FileShareTCP tcp
 port-object eq netbios-ssn
 port-object eq 445
object-group service FileShareUDP udp
 port-object eq netbios-ns
 port-object eq netbios-dgm
 port-object eq 445
object-group network InsideLan
 network-object 192.168.1.0 255.255.255.0
access-list ToDmz extended permit tcp any object-group DMZ_HTTP eq www
access-list ToDmz extended permit tcp any object-group DMZ_HTTPS eq https
access-list ToDmz extended permit tcp any object-group DMZ_ORACLE eq 8432
access-list ToDmz extended permit tcp any object-group DMZ_ORACLEFAC eq 5464
access-list ToDmz extended permit tcp any object-group DMZ_POP3 eq pop3
access-list ToDmz extended permit tcp any object-group DMZ_SMTP eq smtp
access-list ToDmz extended permit udp any object-group DMZ_SMTP eq 25
access-list ToDmz extended permit tcp any object-group DMZ_SSH eq ssh
access-list ToDmz extended permit icmp any any
access-list ToDmz extended permit tcp any object-group DMZ_MACADMIN eq 311
access-list ToDmz extended permit tcp any object-group DMZ_MACADMIN eq 625
access-list ToDmz extended permit tcp any object-group DMZ_MACADMIN eq 5900
access-list ToDmz extended permit tcp any object-group DMZ_MACADMIN eq 5988
access-list ToDmz extended permit udp any object-group DMZ_MACADMIN eq 3283
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list FromDmzToLan extended permit icmp any any
access-list InsideToDmz extended permit udp object-group InsideLan object-group DMZ_ALL object-group FileShareUDP
access-list DmzToInside extended permit tcp object-group DMZ_ALL object-group InsideLan range 10051 10075
access-list DmzToInside extended permit tcp object-group DMZ_ALL object-group InsideLan eq 10000
access-list DmzToInside extended permit udp object-group DMZ_ALL object-group InsideLan range 10051 10075
access-list DmzToInside extended permit udp object-group DMZ_ALL object-group InsideLan eq 10000
pager lines 20
logging trap debugging
logging asdm informational
logging host inside 192.168.1.XXX
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool stlvpn-pool 192.168.1.120-192.168.1.140
monitor-interface outside
monitor-interface inside
monitor-interface dmz
icmp permit any outside
icmp permit any inside
icmp permit any dmz
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.131 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.132 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.133 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.134 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.135 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.136 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.137 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.138 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.139 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.141 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.142 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.143 netmask 255.255.255.255
static (dmz,inside) XXX.XXX.XXX.XXX 10.0.0.141 netmask 255.255.255.255
static (dmz,inside) XXX.XXX.XXX.XXX 10.0.0.142 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.144 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.145 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.147 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.149 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.150 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.151 netmask 255.255.255.255
access-group ToDmz in interface outside
access-group DmzToInside out interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpntest protocol nt
aaa-server vpntest host 192.168.1.5
 nt-auth-domain-controller XXXXXX
group-policy vpnPolicy internal
group-policy vpnPolicy attributes
 dns-server value 192.168.1.5
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ra-tunnel
 default-domain value XXX.XXX.XXX.XXX
 split-dns value XXX.XXX.XXX.XXX
username xxxxxx password /xxxxxxxxxxxxx encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set stl-ra-set esp-3des esp-md5-hmac
crypto dynamic-map stl1-ra-map 15 set transform-set stl-ra-set
crypto map pix1map 99 ipsec-isakmp dynamic stl1-ra-map
crypto map pix1map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp nat-traversal  20
telnet 192.168.1.XXX 255.255.255.255 inside
telnet 192.168.1.XXX 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.150-192.168.1.254 inside
dhcpd dns XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
tunnel-group stl-remote type ipsec-ra
tunnel-group stl-remote general-attributes
 address-pool stlvpn-pool
 authentication-server-group vpntest
 default-group-policy vpnPolicy
tunnel-group stl-remote ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxx
: end

Answer : Veritas Backup Exec & PIX 515


So, it appears you already have a syslog destination configured. Now just enable logging and look in the logs for "106023" - that should point you to the blocked ports.
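
One way to do the log search suggested above, as an added example that is not part of the original answer: it pulls the 106023 deny messages out of the syslog text and groups them by destination and port, so repeated attempts from changing source ports collapse into one entry. The log lines are constructed, and the message layout, the host 192.168.1.20 and the ports shown are assumptions.

```python
import re
from collections import Counter

# Layout assumed from the documented 106023 message:
#   Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] [(type N, code N)] by access-group "<acl>"
DENY_RE = re.compile(
    r'%(?:PIX|ASA)-\d-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?'
    r'(?: \(type \d+, code \d+\))?'
    r'(?: by access-group "(?P<acl>[^"]+)")?'
)

def parse_deny(line):
    """Return the fields of one 106023 deny line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("src_port", "dst_port"):
        d[key] = int(d[key]) if d[key] else None  # ICMP denies carry no port
    return d

def blocked_flows(lines):
    """Count denies per (proto, src_if, dst_if, dst_ip, dst_port, acl), most frequent first."""
    counts = Counter()
    for line in lines:
        d = parse_deny(line)
        if d:
            counts[(d["proto"], d["src_if"], d["dst_if"],
                    d["dst_ip"], d["dst_port"], d["acl"])] += 1
    return counts.most_common()

# Constructed sample lines (not from the poster's firewall); 192.168.1.20 and the
# ports are made up for illustration and are not a diagnosis of the config above.
SAMPLE_LOG = [
    'Mar 01 10:15:01 pixfirewall %PIX-4-106023: Deny tcp src dmz:10.0.0.131/1045 dst inside:192.168.1.20/6101 by access-group "DmzToInside"',
    'Mar 01 10:15:04 pixfirewall %PIX-4-106023: Deny tcp src dmz:10.0.0.131/1046 dst inside:192.168.1.20/6101 by access-group "DmzToInside"',
    'Mar 01 10:15:09 pixfirewall %PIX-4-106023: Deny udp src dmz:10.0.0.132/137 dst inside:192.168.1.20/137 by access-group "DmzToInside"',
    'Mar 01 10:15:10 pixfirewall %PIX-6-302013: Built outbound TCP connection 101 for dmz:10.0.0.131/445 (10.0.0.131/445) to inside:192.168.1.20/1050 (192.168.1.20/1050)',
    'Mar 01 10:15:12 pixfirewall %PIX-4-106023: Deny icmp src dmz:10.0.0.131 dst inside:192.168.1.20 (type 8, code 0) by access-group "DmzToInside"',
]

if __name__ == "__main__":
    for (proto, s_if, d_if, ip, port, acl), n in blocked_flows(SAMPLE_LOG):
        print(f"{n:3d}x {proto} {s_if} -> {d_if}:{ip} port {port} (acl {acl})")
```

Feed it the lines from the syslog host's log file instead of SAMPLE_LOG; each entry names the access-group that dropped the traffic, which is where a permit would have to be added.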