03-20-2007 05:59 PM - edited 03-11-2019 02:49 AM
I can ping from machine 192.168.40.8 to the PIX and vice versa. I cannot ping from either the machine or the PIX to the outside Internet.
Can someone look at my config and see what I am missing? Also, I am prohibiting machine 192.168.40.10 from browsing the internet.
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname lab
domain-name LAB
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outthere permit icmp any any echo-reply
access-list outthere permit icmp any any unreachable
access-list outthere permit icmp any any time-exceeded
access-list inthere permit icmp any any
access-list inthere deny tcp host 192.168.40.10 any eq www
access-list inthere permit tcp any any eq www
access-list inthere permit tcp any any eq https
access-list inthere permit ip any any
access-list inthere permit tcp any any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 37.x.x.10 255.255.255.248
ip address inside 192.168.40.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 37.139.239.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Thanks in advance.
JT
03-20-2007 06:06 PM
Please apply the following commands:
access-group outthere in interface outside
access-group inthere in interface inside
You had access-lists created, but they are not effective unless tied to an interface. Now things should work.
Hope that helps.
Regards,
Vibhor.
03-21-2007 08:49 AM
I could have sworn I had those lines in there. I think when I cleared my access-list, it must have wiped those lines out. I'll give that a try to see what happens. Thanks.
03-21-2007 09:28 AM
I added the access-group lines, but I still cannot get to the internet. I'm not sure what is wrong. I am attaching the config again along with some other outputs.
PIX Version 6.3(1)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname lab
domain-name LAB
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outthere permit icmp any any echo-reply
access-list outthere permit icmp any any unreachable
access-list outthere permit icmp any any time-exceeded
access-list inthere permit icmp any any
access-list inthere deny tcp host 192.168.40.10 any eq www
access-list inthere permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 37.x.x.10 255.255.255.248
ip address inside 192.168.40.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outthere in interface outside
access-group inthere in interface inside
route outside 0.0.0.0 0.0.0.0 37.139.239.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
lab# sh int
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000d.bdc8.9868
IP address 37.x.x.10 , subnet mask 255.255.255.248
MTU 1500 bytes, BW 10000 Kbit full duplex
84 packets input, 5040 bytes, 0 no buffer
Received 84 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
91 packets output, 5460 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000d.bdc8.9869
IP address 192.168.40.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
77 packets input, 5867 bytes, 0 no buffer
Received 11 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 306 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)
lab# sh access-group
access-group outthere in interface outside
access-group inthere in interface inside
03-20-2007 06:30 PM
Off the subject, but you could get rid of three lines in your ACL...
access-list inthere permit tcp any any eq www
access-list inthere permit tcp any any eq https
access-list inthere permit tcp any any eq domain
as you have...
access-list inthere permit ip any any
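The two ACL problems raised in this thread (access-lists that were never bound with access-group, and rules listed after a 'permit ip any any' that can never match) can be caught by a small lint pass over the config text. This is an added example, not code from the thread; the config snippet is constructed in the same PIX 6.x syntax as the configs posted above, and the regexes assume that syntax.

```python
"""Lint a PIX 6.x style config for unbound ACLs and shadowed ACL rules."""
import re

# Constructed sample in the style of the configs posted in this thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outthere permit icmp any any echo-reply
access-list inthere permit icmp any any
access-list inthere deny tcp host 192.168.40.10 any eq www
access-list inthere permit ip any any
access-list inthere permit tcp any any eq domain
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse(config):
    """Return ({acl name: [(action, fields), ...]}, {acl name: interface})."""
    acls, bindings = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
    return acls, bindings


def unbound_acls(acls, bindings):
    """ACLs never tied to an interface with access-group: they filter nothing."""
    return sorted(name for name in acls if name not in bindings)


def shadowed_rules(acls):
    """Rules placed after 'permit ip any any' in the same ACL are never evaluated.
    A deny placed before it (as in the posted config) is fine and is not reported."""
    findings = []
    for name, rules in acls.items():
        for i, (action, fields) in enumerate(rules):
            if action == "permit" and fields[:3] == ["ip", "any", "any"]:
                for later_action, later_fields in rules[i + 1:]:
                    findings.append((name, f"{later_action} {' '.join(later_fields)}"))
                break
    return findings
```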
03-21-2007 08:48 AM
Thanks. I didn't know that. But it makes sense.
03-21-2007 09:56 AM
Add a 'deny any any log' to the end of your ACLs, and set up a syslog server (Kiwi Syslogd) on the inside machine. Then set up your firewall to use that machine as the syslog server. (Another option is to view debug inside the firewall.) This way you can see what traffic is actually getting denied.
Also is your outside route correct? Can you ping your next hop on the outside?
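Once denies are logged to a syslog server, the useful step is separating the denies the policy intends (host 192.168.40.10 to www) from the ones that explain the outage. This added example, not from the thread, parses constructed log lines modelled on the PIX 106023 "Deny ... by access-group" message; the exact line format and the 203.0.113.0/24 and 198.51.100.0/24 addresses are assumptions.

```python
"""Summarise ACL deny messages from a PIX syslog feed."""
import re
from collections import Counter

# Constructed sample lines modelled on PIX message 106023 (assumed format).
SAMPLE_LOG = """\
Mar 21 09:30:01 lab %PIX-4-106023: Deny tcp src inside:192.168.40.10/3021 dst outside:198.51.100.20/80 by access-group "inthere"
Mar 21 09:30:02 lab %PIX-4-106023: Deny tcp src inside:192.168.40.10/3022 dst outside:198.51.100.20/80 by access-group "inthere"
Mar 21 09:30:05 lab %PIX-4-106023: Deny udp src inside:192.168.40.8/1500 dst outside:198.51.100.53/53 by access-group "inthere"
Mar 21 09:30:07 lab %PIX-4-106023: Deny icmp src outside:203.0.113.5 dst inside:192.168.40.1 (type 8, code 0) by access-group "outthere"
Mar 21 09:30:09 lab %PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:192.168.40.8/1501 (203.0.113.10/1025)
"""

DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'.*?by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log):
    """Extract one dict per 106023 deny line; other messages are skipped."""
    return [m.groupdict() for m in (DENY_RE.search(l) for l in log.splitlines()) if m]


def summarize(denies):
    """Count denied flows per (acl, proto, src, dst, dport) so repeats stand out."""
    return Counter((d["acl"], d["proto"], d["src"], d["dst"], d["dport"]) for d in denies)


def split_by_policy(denies, blocked_host="192.168.40.10", blocked_port="80"):
    """Denies matching the intended www block for one host are expected;
    everything else is a candidate cause of the outage and worth a look."""
    intended, unexpected = [], []
    for d in denies:
        (intended if d["src"] == blocked_host and d["dport"] == blocked_port
         else unexpected).append(d)
    return intended, unexpected
```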
03-21-2007 10:41 AM
I can't ping anything on the outside of the PIX.
03-21-2007 11:03 AM
Try auto-negotiating the OUTSIDE speed/duplex instead of setting 10full.
03-21-2007 11:10 AM
Autonegotiate for some reason does not work, and my connection outside is 10BaseT. This is why I manually configured it.
03-21-2007 11:12 AM
What are the errors you get when you autonegotiate? Try 10 half duplex.
03-21-2007 11:10 AM
Is the route outside 37.139.239.6 one of your devices or the ISP's? Can you ping your PIX from 37.139.239.6? If it's not yours, call your ISP and have them reprovision the circuit.
03-21-2007 11:47 AM
The route outside to 37.139.239.6 is my gateway. This is a DSL line. I'll try to ping from the internet to my PIX to see what I get.
03-21-2007 11:50 AM
You won't be able to ping outside of the PIX with your current config; just ping from the PIX to the gateway.
03-21-2007 12:17 PM
If I can't ping anything on the internet, I won't be able to ping anything outside the PIX. Thanks. I just rebooted the modem, firewall, and PC and still nothing.
When the PIX came up, it came up in monitor> mode. I reloaded again and it came up with the normal prompt. Not sure what happened there.