11-01-2009 02:15 AM - edited 03-04-2019 06:34 AM
Hello.
I have:
ISP
|
Global IP
PIX 501
Local IP (192.168.1.1)
|
XP Workstation
In PIX config
with "sh route" I have:
pixfw(config)# sh route
outside "the network name IP" 255.255.252.0 "My Global IP" 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
I still have no Internet on XP Workstation - is it routing issue?
Thank you in advance.
Mr. Brooks
11-01-2009 02:29 AM
Dear Mr.Brooks
It's not only a route issue; for Internet connectivity you must have NAT configured.
Please send me your NAT config.
Otherwise I can give you some instructions for NAT.
Rate if it helps.
11-01-2009 03:29 AM
Ok,
pixfw(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfw
domain-name MYDOMAIN
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network LAN
description Allow this inside networks acess to theinternet
network-object 192.168.1.0 255.255.255.0
access-list WWW remark Regulate access to Internet
access-list WWW permit ip object-group LAN any
access-list outside-in permit icmp any any
access-list outside-in permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside MY_GLOBAL_IP 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 access-list WWW 0 0
access-group outside-in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.248.21
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain MYDOMAIN
dhcpd enable inside
terminal width 80
Cryptochecksum:a4443b7af4e53ba2467850e8a8a3bfb2
: end
11-01-2009 07:14 PM
Mr. Brooks
The config that you have posted does show that NAT (or more accurately PAT) is configured. So this is not the problem.
The problem is that your PIX has no default route (and no other routes to any Internet destination) configured. You would need to configure a default route pointing to the next hop address on the Internet connection to get this PIX to work.
HTH
Rick
11-02-2009 12:02 AM
You mean
traffic from inside translate to gateway of my ISP?
11-02-2009 04:14 AM
What Rick means is that the PIX does not know where to route Internet-bound traffic because it does not have a default route. So on your PIX:
pix(config)# route outside 0.0.0.0 0.0.0.0
The next-hop address will be the ISP Internet address that is on the same subnet as the outside interface on the PIX, i.e.
ip address outside MY_GLOBAL_IP 255.255.252.0
The next-hop address needs to be from the same subnet as above.
Jon
11-02-2009 11:39 AM
Ok, done.
But with no effect:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfw
domain-name mydomain
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network LAN
description Allow this inside networks acess to theinternet
network-object 192.168.1.0 255.255.255.0
access-list WWW remark Regulate access to Internet
access-list WWW permit ip object-group LAN any
access-list outside-in permit icmp any any
access-list outside-in permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.208.149.44 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.208.148.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.248.21
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain
dhcpd enable inside
terminal width 80
Cryptochecksum:f36c86efac4137bcdc490669102579e7
: end
sh route says:
pixfw(config)# sh route
outside 0.0.0.0 0.0.0.0 10.208.148.1 1 OTHER static
outside 10.208.148.0 255.255.252.0 10.208.149.44 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
And it still does not work...
Any ideas?
PS. (something suspicious about 10.208.148.0 - is this correct subnet?)
11-03-2009 03:57 AM
10.208.148.0 255.255.252.0 will cover both your IP address on the outside interface of your PIX, i.e. 10.208.149.44, and the default gateway, 10.208.148.1.
However, these addresses are not routable on the Internet, so I'm assuming your ISP is NATting your traffic - can you confirm this is the case?
Jon
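Jon's rule (the next hop must lie in the same subnet as the outside interface) and the PS question about whether 10.208.148.0/22 is the right subnet, as an added Python example that is not part of this thread: it parses PIX 6.3 "sh route" output, confirms that the default route's next hop falls inside a connected subnet on that interface, and flags a private next hop, which only works when the upstream is NATting as the ISP does here. The route tables below are constructed from the values posted in the thread; the table with next hop 10.208.152.1 is an invented failure case.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample tables in PIX 6.3 "sh route" format, built from the
# addresses posted in the thread (not captured from a live device).
SH_ROUTE_NO_DEFAULT = """\
outside 10.208.148.0 255.255.252.0 10.208.149.44 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
"""

SH_ROUTE_WITH_DEFAULT = """\
outside 0.0.0.0 0.0.0.0 10.208.148.1 1 OTHER static
outside 10.208.148.0 255.255.252.0 10.208.149.44 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
"""

# Constructed failure case: next hop 10.208.152.1 is outside the connected /22
# (10.208.148.0 - 10.208.151.255), so the PIX could never ARP for it.
SH_ROUTE_BAD_HOP = """\
outside 0.0.0.0 0.0.0.0 10.208.152.1 1 OTHER static
outside 10.208.148.0 255.255.252.0 10.208.149.44 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
"""


@dataclass
class Route:
    interface: str
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address   # for CONNECT routes this is the interface's own address
    metric: int
    kind: str                          # CONNECT or OTHER
    source: str                        # static, rip, ...


def parse_sh_route(text: str) -> List[Route]:
    """Parse 'interface network mask next-hop metric kind source' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # prompt line or blank line
        iface, net, mask, hop, metric, kind = parts[:6]
        source = parts[6] if len(parts) > 6 else ""
        # ipaddress accepts a dotted netmask after the slash, so 0.0.0.0/0.0.0.0 -> 0.0.0.0/0
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        routes.append(Route(iface, network, ipaddress.IPv4Address(hop), int(metric), kind, source))
    return routes


def default_route(routes: List[Route]) -> Optional[Route]:
    """The /0 entry, if any."""
    return next((r for r in routes if r.network.prefixlen == 0), None)


def check_default_route(routes: List[Route]) -> List[str]:
    """Return findings; an empty list means the default route looks usable as written."""
    findings = []
    dflt = default_route(routes)
    if dflt is None:
        findings.append("no default route: Internet-bound traffic has nowhere to go")
        return findings
    # The next hop must sit inside a CONNECT subnet on the same interface,
    # otherwise the firewall cannot resolve it with ARP.
    connected = [r for r in routes if r.kind == "CONNECT" and r.interface == dflt.interface]
    if not any(dflt.next_hop in r.network for r in connected):
        findings.append(f"next hop {dflt.next_hop} is not in any connected subnet on {dflt.interface}")
    # An RFC 1918 next hop is only usable when the upstream translates the traffic.
    if dflt.next_hop.is_private:
        findings.append(f"next hop {dflt.next_hop} is private: upstream must NAT this traffic")
    return findings


if __name__ == "__main__":
    for name, table in [("no default", SH_ROUTE_NO_DEFAULT),
                        ("with default", SH_ROUTE_WITH_DEFAULT),
                        ("bad hop", SH_ROUTE_BAD_HOP)]:
        print(name, check_default_route(parse_sh_route(table)) or ["ok"])
```

On the table posted above the script reports only the private-next-hop finding, which matches the thread: the route itself is consistent, and whether traffic reaches the Internet depends on the ISP's translation and on the gateway answering at all.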
11-03-2009 07:44 AM
That's right - my ISP gives me 10.208.149.44
and then translates it to a real external IP which is actually routable. I guess it is PAT.
But it does not play any role in this case.
11-03-2009 04:21 AM
Are you sure that you have entered a valid DNS server:
dhcpd dns 192.168.248.21 ?
11-03-2009 11:43 AM
Yes, that's the DNS my ISP gave me.
11-03-2009 11:49 AM
What are you using to test the connection from the XP workstation, i.e. ping or a web browser?
Can you try accessing a web site using an IP address rather than the URL?
Jon
11-03-2009 12:27 PM
Great question.
I use ping on the XP machine, but more often I ping the outside IP address on the PIX.
BTW, the PIX cannot ping the gateway - 10.208.148.1