Connect Internet to PIX fail

barney_best
Level 1

Hi

I have a problem trying to put my Cisco PIX 515E firewall in front of my network.

My network configuration right now is: I have the internet connected to my Cisco 3500XL Switch over a crossover cable. All my servers are connected to that switch using straight cables.

I tried to disconnect the internet cable and inserted it into the PIX and have the other NIC connected with the Switch (I am using the PIX in transparent mode).

But it seemed that I had a connection only on the INSIDE network (I am using a straight cable). The OUTSIDE (Internet over a crossover cable) looks like it is not connected.

I thought that it was because the cable is a crossover, so I asked the DC to re-patch the cable and make it a straight one. Now on the PIX I have a connection to the internet (I can ping), but the servers behind the firewall don't have a connection.

So can anybody give me an idea what is going on?

I set the access list to permit any, so I don't think this is an access-list issue.

Thanks

Cristian

4 Replies

barney_best
Level 1

Hi Hoogen

This is the running-config file:

(The list is a little longer, because of the object network definitions, but overall this is it.)

: Saved
: Written by enable_15 at 16:50:31.149 UTC Thu Feb 22 2007
!
PIX Version 7.2(2)
!
firewall transparent
hostname xxx
domain-name xxxxx.com
enable password xxxxxx encrypted
names
!
interface Ethernet0
 nameif INSIDE
 security-level 100
!
interface Ethernet1
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
!
passwd xxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.com
---------------I created here a big list with network objects and service objects and I used those in my access-list
object-group xxx
 network-object host 69.x
 network-object host 66.x
object-group service ports tcp
---------------------------------
access-list outside_in extended deny ip object-group denied_access any
access-list outside_in extended permit tcp any object-group slinux_ports object-group linux_ports
access-list outside_in extended permit tcp any object-group swindows object-group windows_ports
access-list outside_in extended permit tcp any object-group swindows_vps object-group windows_vps
access-list outside_in extended permit tcp any object-group slinux_vps object-group linux_vps
access-list outside_in extended permit tcp any
access-list outside_in extended permit icmp any any echo
access-list outside_in extended permit tcp any host 69.x eq 8082
access-list outside_in extended permit tcp any host 66.x eq 8081
access-list outside_in extended permit tcp any object-group ssql object-group sql_ports
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
ip address xxxxx
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_in in interface OUTSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet x 255.255.255.0 INSIDE
telnet x 255.255.255.255 INSIDE
telnet x 255.255.255.255 OUTSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:****
: end

Hi.

I could not see any NAT configuration...

You must have the following:

nat (inside) 0 0

global (outside)

This will do the trick.

--Pls rate if it helps--

Actually...

It should be:

nat (inside) 1 0 0

global (outside) 1 interface

HTH,

-Kanishka
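Before blaming the cabling, it helps to check the posted running-config for the items these replies ask about (whether the ACL named in access-group actually exists, whether a nat/global pair is complete) and for management access granted on the lowest-security interface. This is an added example, not code from the thread or from Cisco; the sample config, its addresses and the check names are constructed for illustration.

```python
import re

# Constructed sample shaped like the PIX 7.2 running-config posted above
# (addresses replaced with documentation ranges; not the poster's real config).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif INSIDE
 security-level 100
interface Ethernet1
 nameif OUTSIDE
 security-level 0
access-list outside_in extended permit icmp any any echo
access-list outside_in extended permit tcp any host 192.0.2.10 eq 8082
access-group outside_in in interface OUTSIDE
telnet 203.0.113.5 255.255.255.255 OUTSIDE
"""

def parse_pix_config(text):
    # Collect only the stanzas the replies in this thread ask about.
    cfg = {"levels": {}, "acls": {}, "bindings": {}, "nat_global": set(), "telnet": set()}
    nameif = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface "):
            nameif = None                        # a new interface stanza starts
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            cfg["levels"][nameif] = int(line.split()[1])
        elif (m := re.match(r"access-list (\S+) extended (permit|deny) (.*)", line)):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3]))
        elif (m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line)):
            cfg["bindings"][m[3]] = (m[1], m[2])   # interface -> (acl, direction)
        elif line.startswith(("nat (", "global (")):
            cfg["nat_global"].add(line.split()[0])  # records "nat" and/or "global"
        elif (m := re.match(r"telnet \S+ \S+ (\S+)", line)):
            cfg["telnet"].add(m[1])                 # interface telnet is allowed on
    return cfg

def findings(cfg):
    # Config mismatches to rule out before blaming the cabling.
    out = []
    for acl, _ in cfg["bindings"].values():
        if acl not in cfg["acls"]:
            out.append(f"access-group binds undefined ACL {acl}")
    if len(cfg["nat_global"]) == 1:
        out.append("nat/global pair incomplete")
    lowest = min(cfg["levels"], key=cfg["levels"].get, default=None)
    if lowest in cfg["telnet"]:
        out.append(f"telnet allowed on lowest-security interface {lowest}")
    return out
```

Run `findings(parse_pix_config(open("running-config.txt").read()))` against a saved `show running-config` to get the list of mismatches.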

hoogen_82
Level 4

PIX to a switch is a straight cable. PIX to a router is a crossover cable; similarly, to a PC it is again a crossover.

And could you paste your config?

Cheers

Hoogen