07-15-2008 04:41 AM - edited 03-12-2019 05:57 PM
I'm at work configuring a Cisco PIX 506E, and I have a problem.
The outside interface can't reach the router which brings the local net to the internet. For now I don't want anything but to reach the internet and do some port forwarding for some local servers. I don't care about any other aspect of the PIX as a firewall because it's a spare and we want it only to replace an old router. Then we want to do IPSEC tunneling, but that's another story. For now I only want the PIX to do the same function as the old router. It could be interesting to erase everything and start from scratch. This is my configuration data on the old router:
ROUTER IP ADDRESS: 192.169.7.100 netmask 255.255.255.0 ( 192.169.7.0 is the local subnet )
INTERNET IP ADDRESS: 213.x.x.202 netmask 255.0.0.0
GATEWAY: 213.x.178.29
Ok. This is my current PIX configuration:
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name work.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 80-88
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping-acl remark allow pings on the outside
access-list ping-acl permit icmp any any
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list permit_icmp permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.x.x.202 255.0.0.0
ip address inside 192.169.7.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.169.7.0 255.255.255.0 0 0
access-group permit_icmp in interface outside
conduit permit tcp host 0.0.0.0 eq 81 host 192.169.7.2
route outside 0.0.0.0 0.0.0.0 213.229.178.29 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.169.1.0 255.255.255.0 inside
ssh 192.169.7.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
So I can reach the PIX, but I can't get out of it to the internet. I don't know why. If you can answer this one, then it would be interesting to know how to make one port forwarding from the internet to a specific server of the local subnet on a port, for example 8080. Thank you so much.
07-15-2008 09:43 AM
Are you using the interface IP or a separate public IP? Also do you have the port open in your ACL?
07-15-2008 05:29 AM
You need a NAT translation:
static (inside,outside) tcp [public IP] 8080 [private IP] 8080
Don't forget to add the port and protocol to your outside ACL too.
Hope that helps.
07-15-2008 05:35 AM
Thank you for the NAT translation hint, but I need to know why I can't access the internet with this configuration. Thanks.
07-15-2008 05:36 AM
Can you ping the ISP router? If yes, can you ping an internet address (4.2.2.2)?
07-15-2008 05:43 AM
Hello, no, I can't ping the ISP router. That's the main problem. I think I must connect the inside iface with the external iface?
OUTPUT:
pixfirewall# ping 213.229.178.29
213.229.178.29 NO response received -- 1000ms
213.229.178.29 NO response received -- 1000ms
213.229.178.29 NO response received -- 1000ms
pixfirewall# ping 4.2.2.2
4.2.2.2 NO response received -- 1000ms
4.2.2.2 NO response received -- 1000ms
4.2.2.2 NO response received -- 1000ms
Thanks !
EDIT: ( BOTH INTERFACES ARE UP )
07-15-2008 05:37 AM
Hi,
Try to access some website on the Internet and then issue this command on the PIX to see whether NAT is happening or not:
"show xlate"
Then do " clear xlate" and again try to access.
-------------------------------
Now suppose you want to forward connections on the outside IP of the PIX on port 8080 to the server inside (suppose 192.169.7.100) on 8080 from the Internet:
static (inside,outside) tcp interface 8080 192.169.7.100 8080 netmask 255.255.255.255
access-list out-in permit tcp any interface outside eq 8080
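The two replies above describe the same two-part requirement for a port forward on PIX 6.x: a port-level `static` that maps the outside address and port to the inside server, plus a `permit` for that protocol and port in the ACL bound inbound on the outside interface; without the second part the PIX drops the inbound connection. The poster's original config also shows an outside mask of 255.0.0.0. The Python script below is an added example, not code from the thread or from Cisco: it parses a constructed PIX 6.x configuration (RFC 5737 TEST-NET addresses, not the poster's) and checks that every port-level static has a matching permit in the ACL bound to its mapped interface, that the default gateway lies within the outside interface's subnet, and, as a heuristic with an assumed /16 threshold, that the outside mask is not implausibly wide. The ACL parser is a simplification (no source-port operators, no `conduit` statements); the PIX command grammar itself is as printed in the thread.

```python
import ipaddress

# Constructed sample in PIX 6.x syntax, modelled on the thread's config; the
# public addresses are RFC 5737 TEST-NET placeholders, not the poster's. It
# carries a /8 mask on the outside interface and a 443 forward whose port is
# missing from the outside ACL.
SAMPLE_CONFIG = """\
access-list out-in permit tcp any interface outside eq 8080
access-list out-in permit icmp any any
ip address outside 203.0.113.202 255.0.0.0
ip address inside 192.169.7.100 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.169.7.0 255.255.255.0 0 0
static (inside,outside) tcp interface 8080 192.169.7.2 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.169.7.3 443 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
# Same config with a /24 outside mask and a permit for the 443 forward.
CORRECTED_CONFIG = SAMPLE_CONFIG.replace("202 255.0.0.0", "202 255.255.255.0") + \
    "access-list out-in permit tcp any interface outside eq https\n"
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25}  # subset of PIX service names


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(t, i):  # one address spec at t[i]: any | host X | interface IF | NET MASK
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] in ("host", "interface"):
        return (t[i], t[i + 1]), i + 2
    return ("net", ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)), i + 2


def _parse_ace(t):  # [permit|deny, proto, SRC, DST, [eq PORT]]; source-port operators not handled
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    port = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "port": port}


def parse_pix_config(text):
    cfg = {"ifaces": {}, "statics": [], "acls": {}, "groups": {}, "routes": []}
    for t in (line.split() for line in text.splitlines()):
        if t[:2] == ["ip", "address"] and len(t) == 5:
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["static"] and t[2] in ("tcp", "udp"):  # port-level static only
            cfg["statics"].append({"mapped_if": t[1].strip("()").split(",")[1], "proto": t[2],
                                   "mapped_ip": t[3], "mapped_port": _port(t[4]),
                                   "real": f"{t[5]}:{_port(t[6])}"})
        elif t[:1] == ["access-list"] and t[2] in ("permit", "deny"):
            cfg["acls"].setdefault(t[1], []).append(_parse_ace(t[2:]))
        elif t[:1] == ["access-group"]:  # access-group NAME in interface IF
            cfg["groups"][t[4]] = t[1]
        elif t[:1] == ["route"]:  # route IF NET MASK GATEWAY [metric]
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}"), ipaddress.ip_address(t[4])))
    return cfg


def _ace_covers(ace, s, if_ip):  # does ace permit the static's protocol to its mapped address and port?
    if ace["action"] != "permit" or ace["proto"] not in ("ip", s["proto"]):
        return False
    mapped = if_ip if s["mapped_ip"] == "interface" else ipaddress.ip_address(s["mapped_ip"])
    kind, val = ace["dst"]
    if kind == "host":
        val = ipaddress.ip_address(val)
    hit = (kind == "any" or (kind == "interface" and val == s["mapped_if"] and mapped == if_ip)
           or (kind == "host" and val == mapped) or (kind == "net" and mapped in val))
    return hit and ace["port"] in (None, s["mapped_port"])


def check_port_forwards(cfg):  # each port-level static needs a permit in the ACL bound to its mapped interface
    findings = []
    for s in cfg["statics"]:
        label = f"forward {s['proto']}/{s['mapped_port']} to {s['real']}"
        acl = cfg["groups"].get(s["mapped_if"])
        if acl is None:
            findings.append(f"{label}: no access-group on {s['mapped_if']}, inbound is dropped by default")
        elif not any(_ace_covers(a, s, cfg["ifaces"][s["mapped_if"]].ip) for a in cfg["acls"].get(acl, [])):
            findings.append(f"{label}: ACL {acl} has no permit for it")
    return findings


def check_default_route(cfg):  # gateway must be on the outside subnet, and that subnet should be plausible
    findings = []
    for iface, net, gw in cfg["routes"]:
        if net.prefixlen:
            continue
        addr = cfg["ifaces"].get(iface)
        if addr is None or gw not in addr.network:
            findings.append(f"default gateway {gw} is not in the {iface} subnet")
        elif addr.network.prefixlen < 16:  # threshold assumed; ISP handoffs are rarely this wide
            findings.append(f"{iface} mask {addr.netmask} is wider than /16: the PIX will ARP for every "
                            f"address in {addr.network} instead of routing it, confirm the mask with the ISP")
    return findings


def lint(text):
    cfg = parse_pix_config(text)
    return check_port_forwards(cfg) + check_default_route(cfg)
```

Running `lint(SAMPLE_CONFIG)` reports the 443 forward with no matching permit and the /8 outside mask; `lint(CORRECTED_CONFIG)` reports nothing. The mask check matters because a host inside the interface's subnet is ARPed for directly rather than sent to the gateway, so an over-wide mask changes which destinations the PIX tries to reach at layer 2.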
07-15-2008 05:43 AM
Hi, thank you for your help! No, this is the output of show xlate:
pixfirewall# show xlate
55 in use, 177 most used
PAT Global 213.27.252.202(1576) Local 192.169.7.240(36315)
PAT Global 213.27.252.202(1577) Local 192.169.7.240(47101)
PAT Global 213.27.252.202(1578) Local 192.169.7.240(56852)
PAT Global 213.27.252.202(1579) Local 192.169.7.4(49151)
PAT Global 213.27.252.202(1580) Local 192.169.7.240(45379)
PAT Global 213.27.252.202(1581) Local 192.169.7.240(53988)
PAT Global 213.27.252.202(1582) Local 192.169.7.1(34708)
PAT Global 213.27.252.202(1583) Local 192.169.7.240(55006)
PAT Global 213.27.252.202(1568) Local 192.169.7.240(53147)
PAT Global 213.27.252.202(1569) Local 192.169.7.4(49147)
PAT Global 213.27.252.202(1570) Local 192.169.7.240(54975)
PAT Global 213.27.252.202(1571) Local 192.169.7.4(49149)
PAT Global 213.27.252.202(1572) Local 192.169.7.240(35676)
PAT Global 213.27.252.202(1573) Local 192.169.7.240(33532)
PAT Global 213.27.252.202(1574) Local 192.169.7.4(49150)
PAT Global 213.27.252.202(1575) Local 192.169.7.240(34880)
PAT Global 213.27.252.202(1592) Local 192.169.7.240(49059)
PAT Global 213.27.252.202(1593) Local 192.169.7.4(49155)
PAT Global 213.27.252.202(1594) Local 192.169.7.240(46846)
PAT Global 213.27.252.202(1595) Local 192.169.7.4(49156)
PAT Global 213.27.252.202(1584) Local 192.169.7.4(49152)
PAT Global 213.27.252.202(1585) Local 192.169.7.240(42149)
PAT Global 213.27.252.202(1586) Local 192.169.7.1(34709)
PAT Global 213.27.252.202(1587) Local 192.169.7.4(49153)
PAT Global 213.27.252.202(1588) Local 192.169.7.240(53754)
PAT Global 213.27.252.202(1589) Local 192.169.7.4(49154)
PAT Global 213.27.252.202(1590) Local 192.169.7.1(34710)
PAT Global 213.27.252.202(1591) Local 192.169.7.240(38344)
PAT Global 213.27.252.202(1544) Local 192.169.7.4(49140)
PAT Global 213.27.252.202(1545) Local 192.169.7.4(49141)
PAT Global 213.27.252.202(1546) Local 192.169.7.240(38441)
PAT Global 213.27.252.202(1547) Local 192.169.7.240(43015)
PAT Global 213.27.252.202(1548) Local 192.169.7.240(46285)
PAT Global 213.27.252.202(1549) Local 192.169.7.240(53807)
PAT Global 213.27.252.202(1550) Local 192.169.7.240(50523)
PAT Global 213.27.252.202(1551) Local 192.169.7.240(59858)
PAT Global 213.27.252.202(1543) Local 192.169.7.1(34707)
PAT Global 213.27.252.202(1560) Local 192.169.7.240(60751)
PAT Global 213.27.252.202(1561) Local 192.169.7.240(39161)
PAT Global 213.27.252.202(1562) Local 192.169.7.4(49144)
PAT Global 213.27.252.202(1563) Local 192.169.7.240(33474)
PAT Global 213.27.252.202(1564) Local 192.169.7.240(56606)
PAT Global 213.27.252.202(1565) Local 192.169.7.240(37736)
PAT Global 213.27.252.202(1566) Local 192.169.7.4(49146)
PAT Global 213.27.252.202(1567) Local 192.169.7.240(43717)
PAT Global 213.27.252.202(1552) Local 192.169.7.4(49142)
PAT Global 213.27.252.202(1553) Local 192.169.7.240(46145)
PAT Global 213.27.252.202(1554) Local 192.169.7.240(46275)
PAT Global 213.27.252.202(1555) Local 192.169.7.240(44372)
PAT Global 213.27.252.202(1556) Local 192.169.7.240(35713)
PAT Global 213.27.252.202(1557) Local 192.169.7.240(49242)
PAT Global 213.27.252.202(1558) Local 192.169.7.240(42007)
PAT Global 213.27.252.202(1559) Local 192.169.7.4(49143)
PAT Global 213.27.252.202(1085) Local 192.169.7.2(45939)
PAT Global 213.27.252.202(1086) Local 192.169.7.240(38588)
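The table above is the check the previous reply asked for: PAT entries mapping inside hosts to the outside address mean the PIX is translating outbound traffic, so the NAT step itself is working; it says nothing about whether the ISP router answers, which is what the PIX's own failed pings to the gateway concern. As an added example that is not from the thread, the script below parses `show xlate` output in the PIX 6.x format shown above and condenses it into the questions a practitioner asks of it: is NAT active, which inside hosts account for the translations, what PAT port range is in use, which entries are one-to-one statics, and whether any translated host lies outside the subnet named in the `nat (inside)` statement. The sample table and the inside subnet passed to `summarize` are constructed; the global address is an RFC 5737 TEST-NET placeholder.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the PIX 6.x 'show xlate' format; the global address is an
# RFC 5737 TEST-NET placeholder, not the poster's, and one local host (10.9.9.9)
# is deliberately outside the nat (inside) subnet used in the thread.
SAMPLE_XLATE = """\
6 in use, 177 most used
PAT Global 203.0.113.202(1576) Local 192.169.7.240(36315)
PAT Global 203.0.113.202(1577) Local 192.169.7.240(47101)
PAT Global 203.0.113.202(1579) Local 192.169.7.4(49151)
PAT Global 203.0.113.202(1582) Local 192.169.7.1(34708)
PAT Global 203.0.113.202(1590) Local 10.9.9.9(40000)
Global 203.0.113.203 Local 192.169.7.2
"""

HEADER_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
# 'PAT Global A(p) Local B(q)' for port translations, 'Global A Local B' for one-to-one entries
XLATE_RE = re.compile(r"^(?P<pat>PAT )?Global (?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
                      r" Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?$")


def parse_xlate(text):
    """Return the header counters and one dict per translation entry."""
    table = {"in_use": None, "most_used": None, "entries": []}
    for line in (ln.strip() for ln in text.splitlines()):
        h = HEADER_RE.match(line)
        if h:
            table["in_use"], table["most_used"] = int(h.group(1)), int(h.group(2))
            continue
        m = XLATE_RE.match(line)
        if m:
            table["entries"].append({
                "pat": m.group("pat") is not None,
                "global": ipaddress.ip_address(m.group("gip")),
                "gport": int(m.group("gport")) if m.group("gport") else None,
                "local": ipaddress.ip_address(m.group("lip")),
                "lport": int(m.group("lport")) if m.group("lport") else None,
            })
    return table


def summarize(table, inside_net):
    """Condense the table: is NAT happening, for whom, and is anything translated that should not be."""
    net = ipaddress.ip_network(inside_net)
    entries = table["entries"]
    pat_ports = [e["gport"] for e in entries if e["pat"]]
    return {
        "nat_active": bool(entries),
        "translations": len(entries),
        "by_local": dict(Counter(str(e["local"]) for e in entries)),
        "pat_port_range": (min(pat_ports), max(pat_ports)) if pat_ports else None,
        "static_entries": [(str(e["global"]), str(e["local"])) for e in entries if not e["pat"]],
        # locals outside the nat (inside) scope: an unexpected source being translated behind the PIX
        "outside_nat_scope": sorted(str(e["local"]) for e in entries if e["local"] not in net),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_xlate(SAMPLE_XLATE), "192.169.7.0/24").items():
        print(f"{key}: {value}")
```

Feed it the real output by pasting the `show xlate` text into `parse_xlate` and passing the subnet from your own `nat (inside)` line to `summarize`. The `outside_nat_scope` list is the security-relevant part: any host there is being translated even though it is not in the subnet you intended to NAT.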
07-15-2008 05:54 AM
What type of cable do you have connected from the port of the PIX to the ISP router? Is it crossover or straight-through?
Also, I would clean up your PIX configuration; to be honest, I would start from scratch. You can set the PIX to its factory default configuration if your box is running version 6.2 or above.
Let us know...
07-15-2008 06:07 AM
is your setup like this ?
((ISP))---z---(Internet-Router)----<
If yes, then what Jay has said could be a point: check the connectivity between the PIX and the Internet router.
07-15-2008 06:13 AM
From my side the setup is like this:
LAN-------PIX-----ISP ( a router probably )
so: Inside-> 192.169.7.100
Outside-> 213.27.252.202
Default route (ispgateway)->213.229.178.29
07-15-2008 06:10 AM
The cable is a crossover, but I changed it to a straight-through one and the results are the same.
Can you tell me how to wipe out the config?
Thanks.
07-15-2008 06:20 AM
Ok... keep the crossover cable and ask your ISP to clear the router ARP cache for you. You can reset the PIX to the factory default configuration by issuing (in config mode):
configure factory-default
After the reset, rebuild your configuration, but this time with no ACLs, just the basics: the outside IP address with the correct mask, the inside IP address with the correct mask, plus the correct default gateway to the ISP router.
We can then troubleshoot the problem further and build your PIX configuration up further.
But I am a little confused, as you mention 'router probably' in your post. Is it a router or a modem?
Speak soon...
07-15-2008 06:23 AM
Thanks for your help! I'm sure the ISP device is a router. I'm at a datacenter and I'm sure there are no modem connections for the customers. Ok, right now I'm wiping the config. I'll post again some minutes later.
Thanks.
07-15-2008 06:46 AM
Ok, I did conf term, then configure factory-default 192.169.7.100 255.255.255.0; the process goes on, but then if I do show conf the configuration remains the same. I even tried to do it and then reboot the PIX, but the configuration doesn't go away. Any comments?
EDIT: Ok, I'm sorry, I only needed to do write mem to see the changes. Now it's clear.
07-15-2008 06:51 AM
Which version is on your 506? Is it above 6.2 code? Did you issue write mem?