02-09-2009 03:27 PM - edited 03-11-2019 07:47 AM
I am able to get some websites to come up, but only after a long time loading. Here is my config. What am I missing? I am able to RDP inside to the server named xxx-SQL01 and use ASDM and telnet to manage the firewall. The connection stays up fine, and I can ping anywhere from the outside interface of the PIX, but web traffic does not go outbound; if it does, it takes several minutes for google.com to pop up (this is outbound web traffic). Any help would be appreciated.
xxx-pix> en
Password: ********
xxx-pix# sh run
: Saved
:
PIX Version 7.2(1)
!
hostname pix
domain-name domain.com
enable password xxxxxxxxxxxxxx encrypted
names
name 999.999.999.122 xxx-APP01-Ext description Outside
name 10.0.0.101 xxx-APP01-Int description Inside
name 999.999.999.123 xxx-SQL01-Ext description Outside
name 10.0.0.51 xxx-SQL01-Int description Inside
!
interface Ethernet0
speed 100
duplex full
nameif Outside
security-level 0
ip address 999.999.999.121 255.255.255.248
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet2
description Management and Backup
nameif Management
security-level 100
ip address 10.100.100.241 255.255.255.0
!
passwd xxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Outside_access_in extended permit tcp any host xxx-APP01-Ext eq 3389
access-list Outside_access_in extended permit tcp any host xxx-SQL01-Ext eq 3389
pager lines 24
mtu Outside 1500
mtu inside 1500
mtu Management 1500
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
static (inside,Outside) xxx-APP01-Ext xxx-APP01-Int netmask 255.255.255.255
static (inside,Outside) xxx-SQL01-Ext xxx-SQL01-Int netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 999.999.999.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02
timeout uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
: end
Thanks!!
02-09-2009 07:19 PM
Hi there,
I think you'll need a NAT statement, i.e.
nat (inside) 1 0.0.0.0 0.0.0.0
assuming you want to allow all hosts on the inside to access the Internet through the Outside interface.
If you want the management network to be able to access the networks on the Outside interface you can use:
nat (Management) 1 0.0.0.0 0.0.0.0
I hope that helps!
Brad
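Applying the suggestion above to the posted config, and checking that it took effect, as an added example that is not part of Brad's reply or the original thread. The destination address 203.0.113.10 is a placeholder, and the observation that the two static entries already translate xxx-APP01-Int and xxx-SQL01-Int outbound comes from how `static` works on PIX 7.x (a static is bidirectional), not from anything the thread confirms on this box.

```cisco
! Added example, not from the original thread. 203.0.113.10 is a placeholder
! web server, not a host from the thread.
!
! 1. Outbound PAT for every inside host, paired with the existing
!    "global (Outside) 1 interface". The two static (inside,Outside) entries
!    already give xxx-APP01-Int and xxx-SQL01-Int an outbound translation
!    (a static is bidirectional), so this line matters for any other inside
!    host that "nat-control" would otherwise refuse to pass.
pix(config)# nat (inside) 1 0.0.0.0 0.0.0.0
!
! 2. Walk a simulated outbound HTTP packet from xxx-SQL01-Int through the PIX.
!    packet-tracer (available from 7.2(1)) reports each phase (ACL, NAT,
!    inspection) and ends with "Action: allow" or "Action: drop" plus the phase
!    responsible, so a NAT problem shows up here without touching the server.
pix# packet-tracer input inside tcp 10.0.0.51 1025 203.0.113.10 80
!
! 3. After a browser attempt from xxx-SQL01, the translation and the connection
!    should be visible. No xlate means NAT never happened; a conn entry that
!    never reaches the U (up) flag means the SYN left but no reply came back,
!    which points past NAT at routing, the upstream, or name resolution.
pix# show xlate
pix# show conn address 10.0.0.51
```

Run step 2 before and after adding the `nat` line: for the two static hosts the result should already be "allow", which is what the follow-up post below describes, so if it is, the missing piece is somewhere other than NAT.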
02-09-2009 07:37 PM
Sorry, let me expand on my question. Currently there are only the two hosts (internal) listed in the PIX config. Both of them have static NATs and a security policy that allows inbound RDP. I can RDP to these hosts fine, but I cannot surf the web from the hosts. I hope that clears it up. Thanks again for all your help in advance.
02-11-2009 06:46 AM
I would be inclined to look at the DNS for the hosts on the network. It could be that the DNS server they are resolving from has been retired and they are waiting for timeouts before loading cached pages (google) but not getting any new sites.
Andy.
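A way to test the DNS theory from the PIX itself, as an added example that is not part of Andy's reply or the original post. Besides a dead resolver, the posted config has one DNS-specific setting worth checking: `preset_dns_map` enforces `message-length maximum 512`, and DNS inspection drops any message over that limit, so large (EDNS) replies never reach the host and the resolver waits out its timeout before retrying, which fits "eventually loads". 198.51.100.53 stands in for whatever DNS server the two hosts are actually configured with, and 4096 is an example value, not a recommendation from the thread.

```cisco
! Added example, not part of Andy's reply or the original config.
! 198.51.100.53 is a placeholder for the DNS server the hosts use.
!
! 1. Simulate a lookup from xxx-SQL01-Int to its DNS server. A "drop" in the
!    NAT or ACL phase means the DNS path itself is broken, independent of
!    whether the server is alive.
pix# packet-tracer input inside udp 10.0.0.51 1025 198.51.100.53 53
!
! 2. From xxx-SQL01, run a lookup (nslookup www.google.com) while watching the
!    DNS inspection counters. A climbing drop count here, with the packet-tracer
!    result above showing "allow", means replies are arriving but being thrown
!    away by the inspection, and the 512-byte limit is the first suspect.
pix# show service-policy inspect dns
!
! 3. If the drops line up with lookups, raise the limit and re-test. The
!    value is an example; pick one that covers the replies the resolver sends.
pix(config)# policy-map type inspect dns preset_dns_map
pix(config-pmap)# parameters
pix(config-pmap-p)# message-length maximum 4096
```

If the counters stay at zero and the lookup still takes seconds or returns "DNS request timed out", the PIX is passing what it receives and the problem is the server the hosts are pointed at, which is the retired-resolver case Andy describes.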