configuring pix 501 to access the internet

Feb 13th, 2008

Hi,

I need your help... I have configured my PIX 501 outside and inside IP addresses... I think everything is in place, but I still cannot access the internet. I am attaching my present configuration... Thanks



hareskhan Wed, 02/13/2008 - 10:59

I find the statement "nat (inside) 1 192.168.43.0 255.255.255.0 0 0" when you already have "nat (inside) 1 0.0.0.0 0.0.0.0 0 0". Though this should not be a problem, you don't need it. Have you tried to ping 203.131.103.177? Source your ping from the outside interface. Configuration looks correct and it looks like a connectivity problem between your PIX and ISP router.

felcaruana Wed, 02/13/2008 - 11:35

Yes, I have pinged 203.131.103.177 and it's not replying. I don't think it's the connectivity, because I can connect to the internet without the PIX in the network.

Jon Marshall Wed, 02/13/2008 - 11:46

Hi

Why do you have this statement?

static (inside,outside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0 0 0

This says not to NAT any of the 192.168.43.0 addresses as they go from inside to outside, and it takes precedence over your nat/global statements.

Remove that statement, do a "clear xlate" and try again.

Jon
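
Jon's point about an identity static shadowing the nat/global pair can be checked mechanically before touching the box. The Python below is an added example, not code from this thread or from Cisco; it reads a PIX 6.x style config (a constructed sample modelled on the lines quoted above), reports identity static entries together with the nat statements they take precedence over, and builds the matching "no" form.

```python
import re
from ipaddress import IPv4Network

# Constructed sample config, modelled on the statements quoted in the thread.
SAMPLE_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 192.168.43.0 255.255.255.0 0 0
global (outside) 1 interface
static (inside,outside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0 0 0
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")

def find_identity_statics(config):
    """Return static entries whose mapped and real addresses are identical (identity NAT)."""
    found = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(3) == m.group(4):
            src, dst, real, _, mask = m.groups()
            found.append({"src": src, "dst": dst, "line": line.strip(),
                          "net": IPv4Network(f"{real}/{mask}", strict=False)})
    return found

def shadowed_nat_rules(config):
    """Pair each identity static with every nat statement on the same interface it overrides."""
    statics = find_identity_statics(config)
    results = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        iface, _nat_id, net, mask = m.groups()
        nat_net = IPv4Network(f"{net}/{mask}", strict=False)  # 0.0.0.0/0.0.0.0 parses as /0
        for s in statics:
            if s["src"] == iface and s["net"].subnet_of(nat_net):
                results.append((s["line"], line.strip()))
    return results

def removal_command(static_line):
    """PIX 6.x 'no' form: the trailing max-conns/embryonic counters are dropped."""
    return "no " + re.sub(r"( \d+){2}$", "", static_line)

if __name__ == "__main__":
    for static, nat in shadowed_nat_rules(SAMPLE_CONFIG):
        print(f"{static!r} overrides {nat!r}")
    for s in find_identity_statics(SAMPLE_CONFIG):
        print(removal_command(s["line"]))
```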

JORGE RODRIGUEZ Wed, 02/13/2008 - 11:50

Nice catch Jon, I was looking at that too I think this is his problem.

felcaruana Wed, 02/13/2008 - 11:55

Thanks Jon... How can I delete this entry? What is the exact command?

Jon Marshall Wed, 02/13/2008 - 11:57


pix(config)# no static (inside,outside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0

Don't forget you then need to clear the xlate translations:

pix# clear xlate

Be aware that "clear xlate" will remove all existing connections through your firewall, but it sounds like this is not a problem at the moment.

Jon

felcaruana Wed, 02/13/2008 - 13:23

Hi Jon, I did everything you said but I still can't connect to the internet... I cannot ping the outside ip but I can ping the inside ip...

JORGE RODRIGUEZ Wed, 02/13/2008 - 13:45

Can you post the interface status of your outside interface? What is the outside connected to, a switch? If a switch, make sure the outside interface is in the same VLAN as the ISP router. If you have the outside interface directly connected to a router that is not manageable by you, I would recommend your outside interface be set to autodetect for transmission speed.

e.g.

show interface ethernet0

felcaruana Wed, 02/13/2008 - 14:01

Here it is... but as of now it is disconnected from the network...

AOSMANPIX(config)# show interface 0
interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 000b.5f37.bc48
IP address 203.131.103.176, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)

felcaruana Wed, 02/13/2008 - 14:06

Here it is, buddy. Thanks...

Jon Marshall Wed, 02/13/2008 - 14:14

Okay, after typing that rather long post :) Jorge has hit the nail on the head. Your outside interface is showing down. You need to check the physical connectivity as suggested by Jorge.


Jon
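
Jorge's and Jon's diagnosis rests on reading the show interface output before touching NAT or ACLs. The Python below is an added example, not code from the thread or from Cisco; it parses the output felcaruana posted (embedded here as the sample input) and maps the link state and error counters to the physical checks suggested above.

```python
import re

# Sample input: the "show interface 0" output felcaruana posted in this thread.
SAMPLE_OUTPUT = """interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 000b.5f37.bc48
IP address 203.131.103.176, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
"""

HEADER_RE = re.compile(r'interface (\S+) "(\S+)" is (up|down), line protocol is (up|down)')
COUNTERS = {"packets_in": r"(\d+) packets input", "packets_out": r"(\d+) packets output",
            "input_errors": r"(\d+) input errors", "crc": r"(\d+) CRC",
            "no_carrier": r"(\d+) no carrier"}

def parse_show_interface(text):
    """Pull admin/line-protocol state and the interesting counters out of PIX 6.x output."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no interface header found")
    info = {"hw": m.group(1), "name": m.group(2),
            "admin_up": m.group(3) == "up", "protocol_up": m.group(4) == "up"}
    for key, pattern in COUNTERS.items():
        mm = re.search(pattern, text)
        info[key] = int(mm.group(1)) if mm else None  # None when that line is absent
    return info

def triage(info):
    """Map the parsed state to the layer-1/2 checks Jorge and Jon asked for."""
    findings = []
    if not info["admin_up"]:
        findings.append("interface administratively down: it is disabled in the config")
    elif not info["protocol_up"]:
        findings.append("line protocol down: check cable, peer port and VLAN before touching NAT/ACLs")
    if info["packets_in"] == 0 and info["packets_out"] == 0:
        findings.append("zero packets both ways: nothing has reached the wire yet")
    if info["crc"] or info["input_errors"]:
        findings.append("input/CRC errors: suspect a duplex mismatch or bad cabling")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_show_interface(SAMPLE_OUTPUT)):
        print(finding)
```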

felcaruana Wed, 02/13/2008 - 14:23

Jon, is the PIX 501 a firewall and a router all in one?...

felcaruana Thu, 02/14/2008 - 06:50

Thanks... The outside is connected directly to the DSL modem.

Jon Marshall Wed, 02/13/2008 - 14:12

Hi

In addition to Jorge's suggestions, which you need to check, can you ping the ISP router IP address 203.131.103.177 from the firewall?

To test this you may need to temporarily add an extra line to the config:

pix(config)# icmp permit 203.131.103.177 255.255.255.255 outside

You will not be able to ping the pix outside interface IP address from a machine on the inside network - 192.168.43.x. So you need to check connectivity in other ways.

If you can ping the ISP router then:

1) try pinging a host on the Internet by IP address from the firewall

2) if 1) works, try pinging from an inside host - 192.168.43.x. Again you need to ping the IP address at first.

If you can't ping your ISP router then you need to start checking physical connectivity and any switch config as suggested by Jorge.

The other thing you can do with PIX v6.x is debug the packets.

So, if you can ping the ISP router address from the firewall but you cannot from an inside address, try on the firewall:

pix# debug packet inside dst 203.131.103.177
pix# debug packet inside src 203.131.103.177

This will show you the packets arriving and leaving on the inside interface destined for or coming from the ISP address.

You can also run these on the outside interface, i.e.:

pix# debug packet outside dst 203.131.103.177
pix# debug packet outside src 203.131.103.177

Be careful with debugging on a live system - you should be okay if you specify the source or destination as above.

To turn off debugging:

pix# no debug all

Jon

