PIX 515E Not Allowing Access To The Internet

jhaurey
Level 1

Hi,

I'm reconfiguring my PIX 515E from scratch and am unable to get out to the internet.  I can ping around my internal network.  I can also ping the outside interface (x.x.148.213 - provided by my ISP) as well as my ISP's next hop (x.x.148.214).  It's been years since I had originally configured the PIX, so stating that I'm "rusty" is an understatement.  Any help would be appreciated.  Thanks in advance.

: Saved
:
PIX Version 6.2(2)117
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXX encrypted
hostname MuniFW
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
name X.X.148.213 MUNI-PIX
access-list outbound permit ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside MUNI-PIX 255.0.0.0
ip address inside 192.168.1.250 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.148.214 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet 192.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:6b7ef7ad954c7f1ac65d8f2d1ee8a77b

: end

MuniFW(config)# show route
        outside 0.0.0.0 0.0.0.0 75.150.148.214 0 OTHER static
        outside 75.0.0.0 255.0.0.0 MUNI-PIX 1 CONNECT static
        inside 192.168.1.0 255.255.255.0 192.168.1.250 1 CONNECT static
MuniFW(config)#
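An added checker, not from the thread or from Cisco, that reads the PIX 6.x lines posted above, resolves the `name` alias, and reports whether the default route's next hop sits inside the outside interface's connected subnet and whether any interface mask is unusually wide; the posted `show route` already shows the 255.0.0.0 mask installing a connected /8 on the outside interface, which is more specific than the default route for every destination inside it. The masked ISP octets are replaced here by the 203.0.113.0/24 documentation range, and the real ISP mask is not given in the thread.

```python
import ipaddress

# Constructed stand-in for the posted config: the octets the poster masked as
# x.x are replaced with the 203.0.113.0/24 documentation range. The real ISP
# subnet mask is not given in the thread; 255.0.0.0 is what the post shows.
SAMPLE_CONFIG = """\
name 203.0.113.213 MUNI-PIX
ip address outside MUNI-PIX 255.0.0.0
ip address inside 192.168.1.250 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.214 0
"""


def parse_pix(config):
    """Collect name aliases, interface addresses and static routes from PIX 6.x text."""
    names, ifaces, routes = {}, {}, []
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name" and len(p) == 3:                  # name <ip> <alias>
            names[p[2]] = p[1]
        elif p[:2] == ["ip", "address"] and len(p) == 5:    # ip address <if> <ip> <mask>
            ip = names.get(p[3], p[3])                      # alias may stand in for the IP
            ifaces[p[2]] = ipaddress.ip_interface(f"{ip}/{p[4]}")
        elif p[0] == "route" and len(p) >= 5:               # route <if> <net> <mask> <gw> [metric]
            gw = names.get(p[4], p[4])
            routes.append((p[1], ipaddress.ip_network(f"{p[2]}/{p[3]}"),
                           ipaddress.ip_address(gw)))
    return names, ifaces, routes


def audit(config, widest_ok=16):
    """Return findings: is each next hop on-link, and is any mask wider than /widest_ok."""
    _, ifaces, routes = parse_pix(config)
    findings = []
    for ifname, net, gw in routes:
        iface = ifaces.get(ifname)
        if iface is None:
            findings.append(f"{ifname}: route {net} names an interface with no ip address")
            continue
        # A static route is only usable when its gateway is inside the connected subnet.
        state = "on-link" if gw in iface.network else "NOT on-link"
        findings.append(f"{ifname}: next hop {gw} for {net} is {state} in {iface.network}")
    for ifname, iface in ifaces.items():
        # A very wide mask installs a connected route that beats the default route
        # for every destination inside it, so those hosts are ARPed for, not routed.
        if iface.network.prefixlen < widest_ok:
            findings.append(f"{ifname}: mask /{iface.network.prefixlen} makes all of "
                            f"{iface.network} look directly connected")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns two findings for the posted config; with a /29 mask (a constructed value, not the ISP's) only the on-link line remains.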


Hi,

From the PIX itself, can you PING 4.2.2.2 for example?

From the inside network, do you see the translations being built when passing traffic ("sh xlate")?

Federico.

Hi Federico,

Thanks for the quick reply.  I get no response when pinging 4.2.2.2 from the PIX (outside interface).  Following is the result of the "show xlate" command:

MuniFW(config)# show xlate
0 in use, 106 most used
MuniFW(config)#

Thanks again,

Jim

Sorry Federico,

The PIX 515e I'm having trouble setting up is going to replace my existing 515e.  Forgot to point an existing PC's gateway to the 515e in question. Here's the result of the "show xlate" command after pinging around the network (and still no response from 4.2.2.2):

MuniFW(config)# show xlate
12 in use, 106 most used
PAT Global MUNI-PIX(1162) Local 192.168.1.252(1069)
PAT Global MUNI-PIX(1066) Local 192.168.1.252(16400)
PAT Global MUNI-PIX(1067) Local 192.168.1.252(63968)
PAT Global MUNI-PIX(1070) Local 192.168.1.252(37495)
PAT Global MUNI-PIX(1071) Local 192.168.1.252(49312)
PAT Global MUNI-PIX(1068) Local 192.168.1.252(56017)
PAT Global MUNI-PIX(1069) Local 192.168.1.252(22507)
PAT Global MUNI-PIX(1074) Local 192.168.1.252(10290)
PAT Global MUNI-PIX(1075) Local 192.168.1.252(8171)
PAT Global MUNI-PIX(1072) Local 192.168.1.252(26748)
PAT Global MUNI-PIX(1073) Local 192.168.1.252(53511)
PAT Global MUNI-PIX(0) Local 192.168.1.252 ICMP id 512
MuniFW(config)#

Thanks again,

Jim

Try adding

fixup protocol icmp

And see if pings start working.

Make sure you can ping your default gateway from the PIX.

PK

Adding "fixup protocol icmp" results with the following:

MuniFW(config)# fixup protocol icmp
Not enough arguments.
Usage:  [no] fixup protocol [] [-]
MuniFW(config)#

I may be wrong, but I was under the impression ICMP didn't utilize a well-known port?

As for part two of the last suggestion, from within the PIX, I can ping the outside interface (X.X.148.213) as well as the gateway (X.X.148.213).  Both static ip (.213) and gateway (.214) are provided by our ISP.

Thanks,

Jim

James,

If from behind the PIX you can PING outside the PIX, then ICMP is flowing fine through the PIX.

The fixup is to allow PING across the PIX.

So, when you PING 4.2.2.2 or even better a traceroute 4.2.2.2 where does the packet die?

Federico.

Federico,

For all intents and purposes, any pings to the outside world from a PC on the network time out immediately.  From the PC, I can ping the PIX.  From within the PIX, I can't ping the outside world except for the two IP addresses provided by my ISP and listed above previously. I feel like it's something very simple I'm overlooking to allow Internet access.

Thanks again in advance,

Jim

Ok try the following on the PIX:

access-list outside permit icmp any any echo-reply

access-group outside in interface outside

Then try to PING across the PIX (from inside to outside ISP).

If you can PING from behind the PIX to the ISP site, then the PIX is fine and you need to check with your ISP why you cannot PING pass their IP addresses.

Federico.

Federico,

Same result from the ping after adding the access-list/group statements--I can only ping the two IP addresses provided by my ISP.

I don't believe it's an ISP trouble because the PIX 515e I'm trying to configure is to replace an existing PIX 515e currently in my network that is up and running fine with access to the Internet (I can ping 4.2.2.2 OK from the existing pix).  The reason I'm replacing the existing PIX is to troubleshoot a strange problem where we can't access a specific website (http://www.ecode360.com/) that we previously were able to access.  The vendor changed the coding (and server?) that hosts the "new & improved" site and since then we can no longer access the site.  I can access the website from any other network outside of my work network (home, library, etc.).

Disconnecting my work network from my ISP's gateway device and connecting a laptop directly to the ISP's gateway device allows the laptop to access the http://www.ecode360.com/ website OK, hence leading me to believe there's something configured in the existing PIX that doesn't like/agree with the ecode360 website.

My plan was to configure the second PIX bare bones enough to access the internet to test access to the ecode360 site and then, once I verify access to the website, continue to configure the second PIX one at a time with the existing access-lists/groups to see if a list and/or group was causing us to no longer access the ecode360 site.

So, I don't know if this all makes sense, or if I should just wipe the second pix out again and try from scratch?

Thanks again for the help and/or any additional thoughts/concerns you may provide.  I guess I'll keep scouring the net for help too.

Jim

Ok, please post your current configuration to see if there's anything else wrong with the PIX.

Federico.

: Saved
:
PIX Version 6.2(2)117
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
hostname MuniFW
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
name xxx.xxx.148.213 MUNI-PIX
access-list outbound permit ip any any
access-list outside permit icmp any any echo-reply
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside MUNI-PIX 255.0.0.0
ip address inside 192.168.1.250 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.148.214 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet 192.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:74ace9427080324da4e224441391e5e0
: end

Thanks,

Jim

Tests:

1. From the PIX, PING the default gateway xxx.xxx.148.214
   (the IP showing here: route outside 0.0.0.0 0.0.0.0 xxx.xxx.148.214 0)

2. From the PIX traceroute 4.2.2.2 and check the path to see where the packet dies

3. From behind the PIX (192.168.1.x) try to PING the PIX's default gateway xxx.xxx.148.214

Let me know the results of the above tests please.

Federico.

1. Pings OK -- response received

2. No traceroute command on either PIX -- tried 'traceroute', 'tracert' and 'trace'

    Ran tracert xxx.xxx.148.214 from a PC behind the PIX (WIN XP PRO) -- ran OK over 1 hop ( <1 ms )

3. Was able to ping to PIX's default gateway (xxx.xxx.148.214) OK from PC behind the PIX

Jim

The fact that you're able to PING the default gateway of the PIX from a computer behind the PIX, means traffic is flowing fine.

The PIX only needs a default gateway in terms of routing if the PC is directly connected to the PIX.

There's nothing else to do on the PIX and nothing is blocking traffic.

Can you do a test?

On the port that connects the PIX outside interface, can you connect the computer directly (with the IP of the PIX outside interface) and see if you get internet from there?

Federico.
