pix 515E help needed bad

martentransport
Level 1

Here is my situation. I am new to the PIX and can't get to the outside world from my workstation. I can ping through to the outside world from the PIX. I can ping the PIX from the router. I can ping the PIX from the workstation. So I think the issue is in my config. Here is my config.

thank you in advance

XX-PIX# sh run
: Saved
:
PIX Version 8.0(4)32
!
hostname xx-PIX
enable password
passwd
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.20.x.2 255.255.255.252
!
banner login                          ****** W A R N I N G ******
banner login      THIS IS A PRIVATE COMPUTER SYSTEM: UNAUTHORIZED ACCESS IS FORBIDDEN
banner login                          AND WILL BE PROSECUTED BY LAW.
banner login   By accessing this system, you agree that your actions may be monitored. This
banner login computer system, including all related equipment, network devices, specifically
banner login including Internet access, are provided only for authorized use.  All computer
banner login systems may be monitored for all lawful purposes, including to ensure that their
banner login use is authorized, to manage the system, to facilitate protection against
banner login unauthorized access, and to verify security procedures, survivability and opera-
banner login tional security. Monitoring includes active attacks by authorized personnel and
banner login their entities to test or verify the security of the system. During monitoring,
banner login information may be examined, recorded, copied and used for authorized purposes.
banner login    All information including personal information, placed on or sent over this
banner login system may be monitored. Uses of this system, authorized or unauthorized,
banner login constitutes consent to monitoring of this system. Unauthorized use may subject
banner login you to criminal prosecution. Evidence of any such unauthorized use collected
banner login during monitoring may be used for administrative, criminal or other adverse
banner login action. Use of this system constitutes consent to monitoring for these purposes.
banner login                          ****** W A R N I N G ******
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
route inside x.x.x.x 255.255.255.0 xx.xx.xx.1 1
route inside x.x.x.x 255.255.0.0 xxx.xx.xx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-server (inside) vendor websense host x.x.x.x timeout 30 protocol TCP version 4 connections 5
filter url except 0.0.0.0 0.0.0.0 x.x.x.x 255.255.255.255
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http xxx.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet xxx.xxx.xxx.x 255.255.255.255 inside
telnet xxx.xxx.xxx.x 255.255.255.255 inside
telnet timeout 5
ssh xxx.xxx.xxx.1 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
url-block url-mempool 1500
url-block url-size 4
url-block block 128
ntp server 192.43.244.18
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:51b1e54629f0808871df4327be9321e0
: end


12 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

You are missing the global NAT pool configuration. Please configure the following line:

global (outside) 1 interface

Hope this helps.

Regards,

NT

This did not fix it.

Hello,

Did you enter "global (outside) 1 interface" command?

Regards,

NT

balajirajahpb
Level 1

Dear Mike Snow,

I just reviewed your config. Your outside interface and your default route are the same. Where do you want to route your traffic?

interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.3 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

Regards

Balajirajah P B

The default route is set to go to the DSL router. Is that what you are asking?

Mike

Dear Mike,

Your firewall outside interface address and your default route are pointing to the same IP address.

Regards

Balajirajah P B

Here is my logical setup....

router --> PIX --> DSL router --- outside world

Mike

Hello,

OK. Let's first work on the connectivity part. Please configure the following on the PIX:

int ethernet 0
ip address 192.168.1.10 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

This should let you get basic connectivity. Once that happens, then we can work on making other configurations.

Hope this helps.

Regards,

NT

Hello,

Is your DSL router configured in routed mode? Typically, DSL modems also have a setting where they will act in bridge mode and assign the firewall the public IP address. Can you please configure that? Or you can just set the DSL modem such that it assigns a public IP to your firewall. Also, the default gateway should be the DSL modem's IP (typically 192.168.1.1).

Hope this helps.

Regards,

NT

Currently it is in router mode. I will have to order a static IP right now. Will let you know if that works. Thanks for the fast replies.

Mike

Hello,

You do not need a static IP. It can still forward the IP it got from the ISP to the firewall. If you look at the configuration page I have attached, it has an option to assign the public IP to the inside device. You can configure similarly.

Hope this helps.

Regards,

NT

martentransport
Level 1

Thank you all for the quick replies. I got it up and running correctly. I set the interface to `ip address outside dhcp setroute` and it started working.

Mike
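The two faults the replies above identify (NT: `nat (inside) 1` with no matching `global (outside) 1`; Balajirajah: a default route whose next hop is the PIX's own outside address) are both mechanical enough to catch before anything is pushed to the box. The script below is an added example, not code from the thread or from Cisco: it parses pre-8.3 PIX/ASA `show run` text and flags a `nat` id with no `global` pool on another interface, a static route whose gateway is one of the firewall's own interface addresses or is off the egress subnet, and the absence of any default route (static or via `ip address dhcp setroute`). The sample configs are constructed: `BROKEN` reproduces the original post with the masked inside octet filled in as `172.20.0.2` (an assumption), `FIXED_STATIC` follows NT's recipe with 192.168.1.1 as the DSL router (NT's "typical" value), and `FIXED_DHCP` follows Mike's final `dhcp setroute` fix.

```python
"""Static sanity checks for a pre-8.3 PIX/ASA running config (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str                      # physical name, e.g. Ethernet0
    nameif: str = ""               # logical name, e.g. outside
    ip: Optional[ipaddress.IPv4Interface] = None
    dhcp_setroute: bool = False    # 'ip address dhcp setroute' installs a default route


def _addr(text: str) -> Optional[ipaddress.IPv4Address]:
    """Parse an IPv4 address; None for masked values such as 'x.x.x.x'."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def parse_pix(text: str):
    """Pull interfaces, nat/global statements and static routes out of 'show run' text."""
    ifaces: List[Interface] = []
    nats: List[Tuple[str, str]] = []            # (nameif, pool id)
    globals_: List[Tuple[str, str]] = []        # (nameif, pool id)
    routes: List[Tuple[str, str, str, str]] = []  # (nameif, dest, mask, gateway)
    cur: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):
            continue
        if line.startswith("!"):               # '!' closes an interface block
            cur = None
            continue
        p = line.split()
        if p[0] == "interface" and len(p) > 1:
            cur = Interface(name=p[1])
            ifaces.append(cur)
        elif cur is not None and p[0] == "nameif" and len(p) > 1:
            cur.nameif = p[1]
        elif cur is not None and p[:2] == ["ip", "address"] and len(p) > 2:
            if p[2] == "dhcp":
                cur.dhcp_setroute = "setroute" in p
            elif len(p) > 3 and _addr(p[2]) and _addr(p[3]):
                cur.ip = ipaddress.IPv4Interface(f"{p[2]}/{p[3]}")
        elif p[0] in ("nat", "global"):
            m = re.match(r"(nat|global)\s+\((\S+)\)\s+(\d+)", line)
            if m:
                (nats if m.group(1) == "nat" else globals_).append((m.group(2), m.group(3)))
        elif p[0] == "route" and len(p) >= 5:
            routes.append((p[1], p[2], p[3], p[4]))
    return {i.nameif: i for i in ifaces if i.nameif}, nats, globals_, routes


def check_pix_config(text: str) -> List[str]:
    """Return a list of human-readable findings; empty list means the checks passed."""
    ifaces, nats, globals_, routes = parse_pix(text)
    findings: List[str] = []

    # 1. 'nat (X) N' (N != 0) needs a 'global (Y) N' on another interface, or inside
    #    hosts have nothing to be translated to on the way out. nat 0 is exempt NAT.
    for n_if, nid in nats:
        if nid != "0" and not any(gid == nid and g_if != n_if for g_if, gid in globals_):
            findings.append(f"nat ({n_if}) {nid} has no matching 'global (<egress-if>) {nid}'")

    # 2. A next hop must be another device on the egress segment, never the PIX itself.
    own: Dict[str, str] = {str(i.ip.ip): i.nameif for i in ifaces.values() if i.ip}
    for egress, dest, mask, gw in routes:
        gw_addr = _addr(gw)
        if gw in own:
            findings.append(f"route {egress} {dest} {mask} {gw}: next hop is the firewall's own "
                            f"{own[gw]} address")
        elif (gw_addr and egress in ifaces and ifaces[egress].ip
              and gw_addr not in ifaces[egress].ip.network):
            findings.append(f"route {egress} {dest} {mask} {gw}: next hop is not on the "
                            f"{egress} subnet {ifaces[egress].ip.network}")

    # 3. Some default route must exist: a static 0.0.0.0/0 or DHCP 'setroute'.
    has_default = any(d == "0.0.0.0" and m == "0.0.0.0" for _, d, m, _ in routes) \
        or any(i.dhcp_setroute for i in ifaces.values())
    if not has_default:
        findings.append("no default route (static 0.0.0.0 0.0.0.0 or 'ip address dhcp setroute')")
    return findings


# Constructed sample: the thread's original config, reduced to the relevant lines.
# The inside address octet is an assumption (the post masks it as 172.20.x.2).
BROKEN = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.3 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.20.0.2 255.255.255.252
!
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
"""

# NT's recipe: a free outside address, a global pool on outside, default route to the
# DSL router (192.168.1.1 is NT's 'typical' value, assumed here).
FIXED_STATIC = BROKEN.replace("192.168.1.3 255.255.255.0", "192.168.1.10 255.255.255.0") \
    .replace("route outside 0.0.0.0 0.0.0.0 192.168.1.3 1",
             "global (outside) 1 interface\nroute outside 0.0.0.0 0.0.0.0 192.168.1.1 1")

# Mike's final fix: outside address and default route come from the DSL router via DHCP.
FIXED_DHCP = BROKEN.replace("ip address 192.168.1.3 255.255.255.0", "ip address dhcp setroute") \
    .replace("route outside 0.0.0.0 0.0.0.0 192.168.1.3 1", "global (outside) 1 interface")

if __name__ == "__main__":
    for label, cfg in (("original", BROKEN), ("static fix", FIXED_STATIC), ("dhcp fix", FIXED_DHCP)):
        print(f"{label}: {check_pix_config(cfg) or ['ok']}")
```

Run against the original config this reports exactly the two findings the thread converged on; both corrected variants come back clean. The subnet check on the route gateway is there because the same symptom (PIX pings out, clients do not) also appears when the default route points at an address that is simply not on the outside segment.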
