Just Internet

cscisco_admin
Level 1

Hi!

Can anybody give me a link where I can find how to configure a new PIX 515E just for internet access for my internal network clients?

Thanks!

18 Replies

Hi! Thanks for your help. I followed the first link, but the internet did not work on my PC. Here is the PIX config:

pixfirewall(config)# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password encrypted
passwd encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skin
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside (my public ip)
ip address inside 10.1.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 (public ip range-public ip range) netmask (net mask)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 public ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Am I missing something, like allowing HTTP traffic, or something else?

Thanks!

No, when going from higher security level (inside) to outside, the only thing you need in PIX 6.x is NAT.

What are you seeing in the firewall's log?

logging console 7

or

If telnet:

logging monitor 7

terminal monitor

Regards

Farrukh

When I try to access any website:

710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns

710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns

710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns

710005: UDP request discarded from

That message has nothing to do with internet access; those are just NetBIOS broadcasts.

Regards

Farrukh

I know, but then that means the HTTP request is not even reaching the PIX. What is missing?

Thanks!

I would check the routing and the computer's default gateway: can it ping the PIX inside interface?

Do you have DNS properly configured on the end-user machines?

Regards

Farrukh

1. access-list outbound permit udp [Inside-LAN-Network] [Inside-Subnet] any eq 53

2. access-group outbound in interface inside

After trying the above, internet started working, but is it required? I did not find this anywhere on the internet or on the Cisco website.

Thanks!

Are you sure that is the only line you have in your ACL?

There is an implicit deny at the end of every ACL.

Regards

Farrukh
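An added example (not code from this thread or from Cisco) that models the PIX 6.x access-list behaviour Farrukh describes, using a constructed ACL patterned on the two lines posted above: with no access-group bound to inside, outbound traffic passes and only NAT is needed; once an ACL permitting only udp/53 is bound, the implicit deny at its end drops everything else, including tcp/80. Interface, address and port values are constructed for illustration.

```python
import ipaddress
# Constructed PIX 6.3-style lines mirroring the fix posted in the thread;
# an added illustration, not the poster's actual running config.
ACL_ONLY_DNS = """
access-list outbound permit udp 10.1.1.0 255.255.255.0 any eq 53
access-group outbound in interface inside
"""
PORT_NAMES = {"domain": 53, "www": 80, "http": 80, "https": 443}

def _endpoint(t, i):
    """Parse a PIX 6.x address spec: 'any', 'host A', or 'A MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):
    """Parse an optional 'eq PORT' (number or name); None means any port."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_config(text):
    """Collect access-list entries (in order) and access-group bindings."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and len(t) > 3 and t[2] in ("permit", "deny"):
            src, i = _endpoint(t, 4)
            _, i = _port(t, i)  # source-port qualifier: parsed but not matched
            dst, i = _endpoint(t, i)
            dport, _ = _port(t, i)
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, dport))
        elif t[:1] == ["access-group"] and "interface" in t:
            bindings[t[t.index("interface") + 1]] = t[1]
    return acls, bindings

def permitted(cfg, iface, proto, src_ip, dst_ip, dport):
    """Would a flow entering 'iface' pass? With no access-group bound the PIX
    lets higher-to-lower security traffic through (only NAT is needed); once
    one is bound, first match wins and the list ends in an implicit deny."""
    acls, bindings = parse_config(cfg)
    name = bindings.get(iface)
    if name is None:
        return True
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, snet, dnet, dp in acls.get(name, []):
        if p in ("ip", proto) and s in snet and d in dnet and dp in (None, dport):
            return action == "permit"
    return False  # implicit deny, e.g. tcp/80 when only udp/53 is permitted
```

Appending a second entry such as `access-list outbound permit tcp 10.1.1.0 255.255.255.0 any eq www` to the same config makes `permitted` return True for the web flow again, which is the check to run before assuming the PIX needs DNS settings of its own.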

I deleted the deny rule. I think there must be some DNS configuration on the PIX outside or inside interface where I should enter my ISP DNS server address. Don't you think so?

Thanks!

No, the PIX does not need the DNS information. It just 'relays' the DNS packets/requests (after performing the configured security checks) from the users towards the DNS server on the internet, just like a router.

Regards

Farrukh

Hi!

I have set aside configuring the PIX for Internet access. The only thing I need is to use the PIX to protect my Terminal Server by allowing only Remote Desktop access to it, so that my users can use this server. Does the PIX provide maximum security with its default config, and how can I configure RDP access from the internet to my Terminal Server through the PIX?

Thanks!

Technically speaking, RDP is not a secure protocol; on Windows you can tunnel it inside 'HTTPS' (check the advanced options of the Terminal Services client), but it needs some extra configuration. Simple RDP can be opened like this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml

Please rate helpful posts.

Farrukh

What can be the other option, since I don't have a fixed IP in one of our branches and they are connecting through a wireless internet connection that can't have a fixed IP?

Thanks!
