02-20-2007 10:37 AM
Hi
I have a problem trying to put my Cisco PIX 515E firewall in front of my network.
My network configuration right now is: I have the internet connected to my Cisco 3500XL switch over a crossover cable. All my servers are connected to that switch using straight cables.
I tried to disconnect the internet cable and insert it into the PIX, with the other NIC connected to the switch (I am using the PIX in transparent mode).
But it seems that I have a connection only on the INSIDE network (I am using a straight cable). The OUTSIDE (internet over a crossover cable) looks like it is not connected.
I thought that it was because the cable is a crossover, so I asked the DC to re-patch the cable and make it a straight one. Now on the PIX I have a connection to the internet (can ping), but the servers behind the firewall don't have a connection.
So can anybody give me an idea what is going on?
I set the access list to permit any, so I don't think this is an access-list issue.
Thanks
Cristian
02-20-2007 10:37 AM
Hi Hoogen
This is the running-config file:
(The list is a little bit longer (because of the object network definitions), but overall this is it.)
: Saved
: Written by enable_15 at 16:50:31.149 UTC Thu Feb 22 2007
!
PIX Version 7.2(2)
!
firewall transparent
hostname xxx
domain-name xxxxx.com
enable password xxxxxx encrypted
names
!
interface Ethernet0
nameif INSIDE
security-level 100
!
interface Ethernet1
speed 100
duplex full
nameif OUTSIDE
security-level 0
!
interface Ethernet2
shutdown
no nameif
no security-level
!
passwd xxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.com
---------------I created here a big list with network objects and service objects and I used those in my access-list
object-group xxx
network-object host 69.x
network-object host 66.x
object-group service ports tcp
---------------------------------
access-list outside_in extended deny ip object-group denied_access any
access-list outside_in extended permit tcp any object-group slinux_ports object-group linux_ports
access-list outside_in extended permit tcp any object-group swindows object-group windows_ports
access-list outside_in extended permit tcp any object-group swindows_vps object-group windows_vps
access-list outside_in extended permit tcp any object-group slinux_vps object-group linux_vps
access-list outside_in extended permit tcp any
access-list outside_in extended permit icmp any any echo
access-list outside_in extended permit tcp any host 69.x eq 8082
access-list outside_in extended permit tcp any host 66.x eq 8081
access-list outside_in extended permit tcp any object-group ssql object-group sql_ports
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
ip address xxxxx
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_in in interface OUTSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet x 255.255.255.0 INSIDE
telnet x 255.255.255.255 INSIDE
telnet x 255.255.255.255 OUTSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:****
: end
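A quick way to sanity-check a posted config like the one above is to lint the access-list section mechanically. The script below is an added example, not code from the thread or from Cisco: it parses a constructed running-config fragment modelled on the post (documentation addresses, placeholder group names) and reports object-groups that an ACE references but the config never defines, ACLs that no access-group binds to an interface, ACEs too short to carry both a source and a destination (like the fused line in the post), and "permit ip any any" entries that make the ACL wide open.

```python
"""Lint a Cisco PIX/ASA running-config for access-list problems.

Added example (not from the thread): flags object-groups that an ACE
references but the config never defines, ACLs that no access-group
binds to an interface, ACEs too short to carry source and destination,
and "permit ip any any" entries.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the config posted above; the addresses are
# documentation ranges and the group names mirror the post's placeholders.
SAMPLE_CONFIG = """\
firewall transparent
object-group network denied_access
 network-object host 203.0.113.10
object-group service linux_ports tcp
 port-object eq 22
access-list outside_in extended deny ip object-group denied_access any
access-list outside_in extended permit tcp any object-group slinux_ports object-group linux_ports
access-list outside_in extended permit tcp any
access-list outside_in extended permit icmp any any echo
access-list outside_in extended permit tcp any host 203.0.113.20 eq 8082
access-list unused_acl extended permit ip any any
access-group outside_in in interface OUTSIDE
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s*(.*)$")
GROUP_RE = re.compile(r"^object-group\s+(network|service|icmp-type|protocol)\s+(\S+)")
BIND_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")


def lint_config(text):
    """Return a dict of findings for the given running-config text."""
    defined = set()
    referenced = defaultdict(set)  # acl name -> object-groups its ACEs use
    acls = set()
    bound = set()
    malformed, wide_open = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            defined.add(m.group(2))
            continue
        m = BIND_RE.match(line)
        if m:
            bound.add(m.group(1))
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        acls.add(name)
        referenced[name].update(re.findall(r"object-group\s+(\S+)", rest))
        fields = rest.split()
        # An ACE needs at least a source and a destination after the protocol;
        # "permit tcp any" alone is truncated, like the fused line in the post.
        if len(fields) < 2:
            malformed.append(line)
        elif action == "permit" and proto == "ip" and fields[:2] == ["any", "any"]:
            wide_open.append(line)
    undefined = {
        acl: sorted(groups - defined)
        for acl, groups in referenced.items()
        if groups - defined
    }
    return {
        "undefined_groups": undefined,
        "unbound_acls": sorted(acls - bound),
        "malformed": malformed,
        "wide_open": wide_open,
    }


if __name__ == "__main__":
    for key, value in lint_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against a real "show running-config" capture, the same checks tell you whether the ACL bound to OUTSIDE actually says what you think it says before you start swapping cables.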
02-26-2007 11:59 PM
Hi.
I could not see any NAT configuration...
You must have the following:
nat (inside) 0 0
global (outside)
this will do the trick
--Pls rate if it helps--
03-03-2007 05:44 AM
Actually...
It should be
nat (inside) 1 0 0
global (outside) 1 interface
HTH,
-Kanishka
02-26-2007 10:32 AM
PIX to a switch is a straight cable. PIX to a router is a crossover cable; similarly, to a PC it is again a crossover.
And could you paste your config?
Cheers
Hoogen