Cisco PIX 515e basic configuration

Answered Question
Jan 4th, 2008

Was wondering if anyone might know why I can't establish basic connectivity from LAN to WAN interface on this machine? I've been trying very hard to get it and I guess it's beyond me, very frustrating. Here is a post of the configuration:


Result of PIX command: "show config"

: Saved
: Written by admin at 09:58:27.057 UTC Fri Jan 4 2008
PIX Version 6.2(1)
nameif ethernet0 t1 security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxxx encrypted
passwd xxxxxxx encrypted
hostname xxxxxxxx
domain-name xxxxxxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
logging trap informational
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any echo-reply t1
icmp permit any echo t1
icmp permit any echo-reply inside
icmp permit any echo inside
mtu t1 1500
mtu inside 1500
mtu intf2 1500
ip address t1 x.x.x.124 255.255.255.248
ip address inside 172.20.206.254 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.248 inside
pdm location 172.20.206.254 255.255.255.255 inside
pdm location x.x.x.124 255.255.255.255 t1
pdm location 172.20.206.0 255.255.255.248 inside
pdm history enable
arp timeout 14400
global (t1) 4 x.x.x.125-x.x.x.127 netmask 255.255.255.248
global (t1) 1 interface
global (t1) 2 x.x.x.124
global (t1) 3 x.x.x.122
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route t1 x.x.x.124 255.255.255.255 x.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 172.20.206.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet 172.20.206.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn enable inside
username xxxxx password xxxxxxxx encrypted privilege 2
username xxxxxx password xxxxxxxxxxx privilege 2
terminal width 80
Cryptochecksum:xxxxxxxxxx



It would be a relief if my company didn't have to scrap our nice Cisco stuff because we just can't figure it out. Any help would be appreciated!!! Thanks

Correct Answer
adam.sellhorn Fri, 01/04/2008 - 14:55

First off, I would get rid of the unused global PAT entries:

no global (t1) 4 x.x.x.125-x.x.x.127 netmask 255.255.255.248
no global (t1) 2 x.x.x.124
no global (t1) 3 x.x.x.122

Then your route statement seems to be wrong:

no route t1 x.x.x.124 255.255.255.255 x.x.x.121 1

Use:

route t1 0.0.0.0 0.0.0.0 x.x.x.121
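As an added example (not code from this thread or from Cisco), the following Python script parses a PIX 6.x "show config" dump and flags the two things this answer corrects: a /32 route pointing at the outside interface's own address where a default route is needed, and global pools whose ID no nat statement references. The two embedded configs are constructed from the relevant lines of the posted configuration, with the poster's x.x.x.x placeholders replaced by the documentation range 192.0.2.0/24 (an assumption); the interface name t1 is taken from the post.

```python
"""Lint a Cisco PIX 6.x 'show config' dump for a missing default route, a host
route to the outside interface's own address, and unreferenced global pools.
Added example; the sample configs below are constructed, with 192.0.2.0/24
standing in for the poster's x.x.x.x addresses."""
from dataclasses import dataclass, field


@dataclass
class PixConfig:
    interfaces: dict = field(default_factory=dict)  # ifname -> IP address
    globals_: list = field(default_factory=list)    # (ifname, pool_id, line)
    nat_pools: set = field(default_factory=set)     # pool IDs used by nat
    routes: list = field(default_factory=list)      # (ifname, net, mask, gw, line)


def parse_pix(text: str) -> PixConfig:
    """Pull the interface, global, nat and route lines out of a config dump."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):  # skip blanks and ': Saved' banners
            continue
        p = line.split()
        if p[:2] == ["ip", "address"] and len(p) >= 4:
            cfg.interfaces[p[2]] = p[3]
        elif p[0] == "global" and len(p) >= 3:
            cfg.globals_.append((p[1].strip("()"), int(p[2]), line))
        elif p[0] == "nat" and len(p) >= 3:
            # nat id 0 is identity/no-NAT and never pairs with a global pool
            if int(p[2]) != 0:
                cfg.nat_pools.add(int(p[2]))
        elif p[0] == "route" and len(p) >= 5:
            cfg.routes.append((p[1], p[2], p[3], p[4], line))
    return cfg


def lint(cfg: PixConfig, outside: str = "t1") -> list:
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    # 1. a default route out of the outside interface must exist
    if not any(r[0] == outside and r[1] == "0.0.0.0" and r[2] == "0.0.0.0"
               for r in cfg.routes):
        findings.append(f"no default route on {outside}: add "
                        f"'route {outside} 0.0.0.0 0.0.0.0 <gateway>'")
    # 2. a /32 route to the interface's own address forwards nothing useful
    own = cfg.interfaces.get(outside)
    for ifname, net, mask, gw, line in cfg.routes:
        if ifname == outside and net == own and mask == "255.255.255.255":
            findings.append(f"host route to {outside}'s own address via {gw}: "
                            f"'no {line}'")
    # 3. every global pool should be referenced by some nat statement
    for ifname, pool, line in cfg.globals_:
        if pool not in cfg.nat_pools:
            findings.append(f"unused global pool {pool} on {ifname}: 'no {line}'")
    return findings


def lint_text(text: str, outside: str = "t1") -> list:
    return lint(parse_pix(text), outside)


# Constructed 'before' config: the posted NAT/route lines with sample addresses.
BEFORE = """\
PIX Version 6.2(1)
nameif ethernet0 t1 security0
nameif ethernet1 inside security100
ip address t1 192.0.2.124 255.255.255.248
ip address inside 172.20.206.254 255.255.255.0
global (t1) 4 192.0.2.125-192.0.2.127 netmask 255.255.255.248
global (t1) 1 interface
global (t1) 2 192.0.2.124
global (t1) 3 192.0.2.122
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route t1 192.0.2.124 255.255.255.255 192.0.2.121 1
"""

# Constructed 'after' config: the same box with the answer's changes applied.
AFTER = """\
PIX Version 6.2(1)
nameif ethernet0 t1 security0
nameif ethernet1 inside security100
ip address t1 192.0.2.124 255.255.255.248
ip address inside 172.20.206.254 255.255.255.0
global (t1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route t1 0.0.0.0 0.0.0.0 192.0.2.121
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for finding in lint_text(text) or ["ok"]:
            print(" ", finding)
```

The pool-ID check deliberately ignores which interface a global is on, because a nat statement on inside with ID 1 pairs with a global of ID 1 on any other interface; only the ID has to match. Run against the "before" config the script reports five findings (missing default route, the host route, and the three unused pools 4, 2 and 3), and against the "after" config it reports none.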


attrib7575 Mon, 01/07/2008 - 09:09

Wow, that worked!! Thank you so much! I think I was getting caught up in trying to change the interface IP addresses too much. Possibly that's where the incorrect global NATs were accumulating. I was confused on what IP address to assign the WAN interface. Apparently you give it one of your static addresses; it's not the same address as your WAN gateway (in this case, the CSU/DSU to the T1). Also, the global route is a confusing syntax. I'll have to look at that more. Whatever I typed in seems to work now. Thanks again!!!!

tkuzma1022 Mon, 01/07/2008 - 13:28

Try changing your route t1 x.x.x.124 255.255.255.255 x.x.x.121 1 to

route t1 0.0.0.0 0.0.0.0 x.x.x.121 1


To me it appears you are only trying to route x.x.x.124 to the outside (t1) interface.

attrib7575 Tue, 01/08/2008 - 09:56

That may be possible. But since this configuration works and I've spent so long trying to figure it out, I'm not going to change a thing if I don't absolutely have to. Does anyone know how to permit an incoming Microsoft PPTP client? I have set access rules to permit PPTP and GRE, as well as static NAT to the VPN server on the LAN. It isn't working, however. I can VPN to the server from inside the LAN, so I know that it's set up correctly. It's something to do with the firewall.

mark.j.hodge Wed, 01/09/2008 - 08:53

You need to set up a static mapping from an unused IP address in your CIDR range to your VPN server. Then allow the appropriate traffic inbound to the mapped address on your t1 interface.


** please rate posts if helpful **

attrib7575 Wed, 01/09/2008 - 11:42

Yeah, thanks. As I mentioned above, the connection works, as well as RDP now. I have taken up the VPN in another topic. Thanks everyone!
