Connect Internet to PIX fail

Unanswered Question
Feb 26th, 2007

Hi

I have a problem trying to put my Cisco PIX 515E firewall in front of my network.

My network configuration right now is: I have the internet connected to my Cisco 3500XL Switch over a crossover cable. All my servers are connected to that switch using straight cables.

I tried to disconnect the internet cable and inserted it into the PIX and have the other NIC connected with the Switch (I am using the PIX in transparent mode).

But it's seemed that I have connection only on the INSIDE network (I am using a straight cable). The OUTSIDE (Internet over a crossover cable) it's look like it is not connected.

I thought that it was because the cable is crossover so I asked the DC to re-patch the cable and make it as a straight one. Now on PIX I have connection to the internet (can ping) but the servers behind the firewall doesn't have the connection.

So can anybody give me an idea what is going on?

I set the access list on permit any so I don't think this is an access-list issue.

Thanks

Cristian

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
barney_best Tue, 02/20/2007 - 10:37

Hi Hoogen

This is the running-config file:

(The list it's a little bit longer (because of the object network definitions) but overall this is it)

: Saved

: Written by enable_15 at 16:50:31.149 UTC Thu Feb 22 2007

!

PIX Version 7.2(2)

!

firewall transparent

hostname xxx

domain-name xxxxx.com

enable password xxxxxx encrypted

names

!

interface Ethernet0

nameif INSIDE

security-level 100

!

interface Ethernet1

speed 100

duplex full

nameif OUTSIDE

security-level 0

!

interface Ethernet2

shutdown

no nameif

no security-level

!

passwd xxx encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name xxx.com

---------------I created here a big list with network objects and service objects and I used those into my access-list

object-group xxx

network-object host 69.x

network-object host 66.x

object-group service ports tcp

---------------------------------

access-list outside_in extended deny ip object-group denied_access any

access-list outside_in extended permit tcp any object-group slinux_ports object-group linux_ports

access-list outside_in extended permit tcp any object-group swindows object-group windows_ports

access-list outside_in extended permit tcp any object-group swindows_vps object-group windows_vps

access-list outside_in extended permit tcp any object-group slinux_vps object-group linux_vps

access-list outside_in extended permit tcp any access-list outside_in extended permit icmp any any echo

access-list outside_in extended permit tcp any host 69.x eq 8082

access-list outside_in extended permit tcp any host 66.x eq 8081

access-list outside_in extended permit tcp any object-group ssql object-group sql_ports

pager lines 24

mtu INSIDE 1500

mtu OUTSIDE 1500

ip address xxxxx

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group outside_in in interface OUTSIDE

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet x 255.255.255.0 INSIDE

telnet x 255.255.255.255 INSIDE

telnet x 255.255.255.255 OUTSIDE

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:****

: end

zubairjalal Mon, 02/26/2007 - 23:59

HI.

I could not see any nat configuration...

you must have the following

nat (inside) 0 0

global (outside)

this will do the trick

--Pls rate if it helps--

kaachary Sat, 03/03/2007 - 05:44

Actually...

It should be

nat (inside) 1 0 0

global (outside) 1 interface

HTH,

-Kanishka

hoogen_82 Mon, 02/26/2007 - 10:32

PIX to a switch is a straight cable. PIX to a router is a cross cable, similarly to PC it is again a cross.

And could you paste you config.

Cheers

Hoogen

Actions

This Discussion