Route for a small network.

Unanswered Question
Nov 1st, 2009

Hello.

I have:

ISP
|
Global IP
PIX 501
Local IP (192.168.1.1)
|
XP Workstation

In the PIX config, with "sh route" I have:

pixfw(config)# sh route
outside "the network name IP" 255.255.252.0 "My Global IP" 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

I still have no Internet on the XP Workstation - is it a routing issue?

Thank you in advance.

Mr. Brooks

hani-molani Sun, 11/01/2009 - 02:29

Dear Mr. Brooks,

It's not only a route issue; for Internet connectivity you must have NAT configured.

Please send me your NAT config.

Otherwise I can give you some instructions for NAT.

Rate if it helps.

MUXAHMUXAH2 Sun, 11/01/2009 - 03:29

Ok,

pixfw(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfw
domain-name MYDOMAIN
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network LAN
description Allow this inside networks acess to theinternet
network-object 192.168.1.0 255.255.255.0
access-list WWW remark Regulate access to Internet
access-list WWW permit ip object-group LAN any
access-list outside-in permit icmp any any
access-list outside-in permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside MY_GLOBAL_IP 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 access-list WWW 0 0
access-group outside-in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.248.21
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain MYDOMAIN
dhcpd enable inside
terminal width 80
Cryptochecksum:a4443b7af4e53ba2467850e8a8a3bfb2
: end

Richard Burts Sun, 11/01/2009 - 19:14

Mr. Brooks

The config that you have posted does show that NAT (or more accurately PAT) is configured. So this is not the problem.

The problem is that your PIX has no default route (and no other routes to any Internet destination) configured. You would need to configure a default route pointing to the next hop address on the Internet connection to get this PIX to work.

HTH

Rick

Jon Marshall Mon, 11/02/2009 - 04:14

What Rick means is that the pix does not know where to route Internet-bound traffic because it does not have a default route. So on your pix:

pix(config)# route outside 0.0.0.0 0.0.0.0 <next-hop address>

The next-hop address will be the ISP Internet address that is on the same subnet as your outside interface on the pix, i.e.

ip address outside MY_GLOBAL_IP 255.255.252.0

The next-hop address needs to be from the same subnet as above.

Jon

MUXAHMUXAH2 Mon, 11/02/2009 - 11:39

Ok, done.

But with no effect:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfw
domain-name mydomain
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network LAN
description Allow this inside networks acess to theinternet
network-object 192.168.1.0 255.255.255.0
access-list WWW remark Regulate access to Internet
access-list WWW permit ip object-group LAN any
access-list outside-in permit icmp any any
access-list outside-in permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.208.149.44 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.208.148.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.248.21
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain
dhcpd enable inside
terminal width 80
Cryptochecksum:f36c86efac4137bcdc490669102579e7
: end

sh route says:

pixfw(config)# sh route
outside 0.0.0.0 0.0.0.0 10.208.148.1 1 OTHER static
outside 10.208.148.0 255.255.252.0 10.208.149.44 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

And it still does not work...

Any ideas?

PS. (something suspicious about 10.208.148.0 - is this correct subnet?)

Jon Marshall Tue, 11/03/2009 - 03:57

10.208.148.0 255.255.252.0 will cover both your IP address on the outside interface of your pix, i.e. 10.208.149.44, and the default gateway, 10.208.148.1.

However, these addresses are not routable on the Internet, so I'm assuming your ISP is NATting your traffic - can you confirm this is the case?

Jon
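A small route-table checker for the two diagnoses above (Rick: no default route; Jon: the next hop has to sit in the connected subnet of the outside interface). This is an added Python example, not code from the thread or from Cisco; it parses the PIX 6.3 `sh route` output posted above and two constructed variants, and the public test address 198.51.100.10 is a constructed placeholder.

```python
import ipaddress

# "sh route" output as posted later in the thread, after the default route was added.
SH_ROUTE_WITH_DEFAULT = """\
outside 0.0.0.0 0.0.0.0 10.208.148.1 1 OTHER static
outside 10.208.148.0 255.255.252.0 10.208.149.44 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
"""
# Constructed: the same box before "route outside ..." was entered (only CONNECT routes).
SH_ROUTE_NO_DEFAULT = "\n".join(SH_ROUTE_WITH_DEFAULT.splitlines()[1:])
# Constructed: a default route whose next hop lies outside the /22 on the outside interface.
SH_ROUTE_BAD_NEXT_HOP = SH_ROUTE_WITH_DEFAULT.replace("10.208.148.1", "10.208.152.1")

def parse_sh_route(text):
    """Parse PIX 6.3 'sh route' lines: iface net mask gateway metric type source."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # prompt line or blank
        iface, net, mask, gw, metric, kind, _src = parts[:7]
        routes.append({"iface": iface,
                       "net": ipaddress.ip_network(f"{net}/{mask}", strict=False),
                       "gw": ipaddress.ip_address(gw),
                       "metric": int(metric),
                       "connected": kind == "CONNECT"})
    return routes

def lookup(routes, dst):
    """Longest-prefix match; the 0.0.0.0/0 default wins only when nothing else matches."""
    matches = [r for r in routes if ipaddress.ip_address(dst) in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None

def next_hop_on_link(routes, route):
    """A static route is usable only if its gateway lies in a CONNECT subnet on its interface."""
    if route["connected"]:
        return True
    return any(r["connected"] and r["iface"] == route["iface"] and route["gw"] in r["net"]
               for r in routes)

def diagnose(text, dst="198.51.100.10"):
    """Explain how the PIX would forward to dst (default: a constructed public address)."""
    routes = parse_sh_route(text)
    route = lookup(routes, dst)
    if route is None:
        return "no route: add a default route (route outside 0.0.0.0 0.0.0.0 <next hop>)"
    if route["connected"]:
        return f"directly connected on {route['iface']}"
    if not next_hop_on_link(routes, route):
        return f"next hop {route['gw']} is not in a connected subnet on {route['iface']}"
    return f"via {route['gw']} on {route['iface']}"
```

Running `diagnose` over the three tables reproduces the thread: no route at all before the `route outside` line, a usable default via 10.208.148.1 after it, and a rejected next hop when the gateway is not inside 10.208.148.0/22.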

MUXAHMUXAH2 Tue, 11/03/2009 - 07:44

That's right - my ISP gives me 10.208.149.44 and then translates it to a real external IP which is actually routable. I guess it is PAT.

But it does not play any role in this case.

reichenb Tue, 11/03/2009 - 04:21

Are you sure that you have entered a valid DNS server:

dhcpd dns 192.168.248.21 ?

Jon Marshall Tue, 11/03/2009 - 11:49

What are you using to test the connection from the XP workstation, i.e. ping or a web browser?

Can you try accessing a web site using an IP address rather than the URL?

Jon

MUXAHMUXAH2 Tue, 11/03/2009 - 12:27

Great question.

I use ping on the XP machine, but more often I ping an outside IP address from the PIX.

BTW, the PIX cannot ping the gateway - 10.208.148.1.
