PIX 515E

Mar 3rd, 2009

I'm having some trouble setting up a new firewall (I'm new to firewalls). I've got the unit up with configured IP addresses on inside and outside. I downloaded and installed the ASDM software. I can't seem to get it to pass traffic.

The unit is being used to secure one network from the rest of our company network.

Inside interface is 10.50.241.1/24

The PIX will be the gateway on this network.

Outside interface is 10.48.16.2/20

Gateway on the outside network is a Cisco 6500 MSFC 10.48.16.10 which connects to the rest of the company.

Thanks, Dave

I have included a show run:

PIX Version 7.2(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 10.48.0.0 GAC
name 10.48.16.0 Plant
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.48.16.2 255.255.240.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.50.241.1 255.255.255.0
!
interface Ethernet2
shutdown
nameif intf2
security-level 4
no ip address
!
passwd 0aywtm/YUv1U3jNB encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list ping_acl extended permit icmp Plant 255.255.240.0 any
access-list outside_access_in extended permit icmp Plant 255.255.240.0 10.50.241.0 255.255.255.0
access-list outside_access_in extended permit icmp GAC 255.255.240.0 10.50.241.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 10.50.241.0 255.255.255.0
access-group ping_acl in interface outside
route outside 0.0.0.0 0.0.0.0 10.48.16.10 1
!
router rip
network 10.0.0.0
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.50.241.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet Plant 255.255.240.0 outside
telnet GAC 255.255.240.0 outside
telnet 10.50.241.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
dhcpd dns 10.50.1.46 171.74.105.58
dhcpd wins 171.74.162.21 171.74.105.58
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 10.50.241.101-10.50.241.199 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d8ad1ad3a52aec150a71ccd959a2681a
: end
asdm image flash:/asdm-524.bin
asdm location GAC 255.255.240.0 inside
asdm history enable

isagonza Tue, 03/03/2009 - 09:39

Hello,

Try changing your PAT:

Enter these commands:

no global (outside) 1 interface
no nat (inside) 0 10.50.241.0 255.255.255.0
nat (inside) 1 10.50.241.0 255.255.255.0
global (outside) 1 interface
clear xlate

About ACLs:

access-list outside_access_in extended permit icmp Plant 255.255.240.0 10.50.241.0 255.255.255.0
access-list outside_access_in extended permit icmp GAC 255.255.240.0 10.50.241.0 255.255.255.0

You are trying to ping your hosts on the inside from Plant and GAC (located on the outside). You will not be able to do this since you are USING PAT, hence hiding your inside network, so whenever you try to ping any host in 10.50.241.0 you will not reach it from the outside.

Try entering

access-list outside_access_in extended permit icmp any any

so you can test pinging from any host on the inside to anything on the outside, but you won't be able to ping from the outside to the inside.

And one last observation:

telnet Plant 255.255.240.0 outside
telnet GAC 255.255.240.0 outside

You will not be able to telnet to the outside interface unless you use IPSec; this is because telnet sends everything in clear text, and doing this on the outside interface would be insane!!
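The PAT change from the reply above, written out as one fragment together with the management-plane tightening the reply recommends; this is an added example for readers of this thread, not the poster's final configuration. Two points a practitioner would check against the posted show run are folded in: outside_access_in is defined but never bound (only ping_acl is applied with access-group), and global_policy has no inspect icmp, so echo replies to inside hosts depend on ACL holes instead of state. The SSH source network reuses the existing inside subnet; whether an RSA key already exists is an assumption.

```text
! --- Translation: replace identity NAT with dynamic PAT to the outside interface ---
no global (outside) 1 interface
no nat (inside) 0 10.50.241.0 255.255.255.0
nat (inside) 1 10.50.241.0 255.255.255.0
global (outside) 1 interface
clear xlate
!
! --- Inbound policy: bind the ACL the config already defines and drop ping_acl,
!     whose "permit icmp Plant ... any" is the only rule currently applied ---
no access-group ping_acl in interface outside
no access-list ping_acl extended permit icmp Plant 255.255.240.0 any
access-group outside_access_in in interface outside
!
! --- ICMP through the box: let inspection match echo replies to the inside
!     host's own outbound request instead of opening ICMP inbound in the ACL ---
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Management plane: no clear-text Telnet reachable on the outside interface;
!     management over SSH v2 from the inside subnet only ---
no telnet Plant 255.255.240.0 outside
no telnet GAC 255.255.240.0 outside
! assumption: no RSA key has been generated yet on this unit
crypto key generate rsa modulus 1024
ssh version 2
ssh 10.50.241.0 255.255.255.0 inside
```

After applying, `show xlate` should show PAT entries for inside hosts and `show access-list` should show hit counts on outside_access_in rather than on ping_acl.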

dklewe Tue, 03/03/2009 - 15:09

Thanks for the advice.

I found a routing issue as well. Things were getting out and not able to come back.

It's up and working now.

Thanks again, Dave
