Not able to access the internet Help please

Mark Bracking
Level 1

I am installing PIX 515e through the PDM.

Looks like I have entered all the required information correctly but still not able to access the internet.

: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password XJX9T/MNG54uoaTm encrypted
passwd XJX9T/MNG54uoaTm encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside dhcp setroute
ip address inside 10.0.1.2 255.255.255.0
ip address dmz 172.16.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.100.100
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.100-10.0.1.108 inside
dhcpd dns 205.171.3.25 192.168.100.1
dhcpd wins 209.165.201.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain sbssrv.com
dhcpd enable inside
terminal width 80
banner login Enter your password to log in

With all the configurations done I am still not able to browse the internet.

What rules do I need to set on the firewall box?

Could someone help me?

Regards

Mark


Nagaraja Thanthry
Cisco Employee

Hello,

Please remove the following line from your configuration:

global (outside) 1 192.168.100.100

Also, I do not see a route to 192.168.100.0 network on the firewall. Please include a route.

route inside 192.168.100.0 255.255.255.0 "next hop IP"

That should fix the issue.

Regards,

NT
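
An added example, not part of the original thread or any poster's code: a Python check (function and variable names are hypothetical) run over the relevant lines of the posted configuration, embedded as a constructed sample. It reports nat source networks and route next hops that are not reachable on the interface they name, which is the kind of mismatch the missing-route observation above points at.

```python
import ipaddress

# Constructed sample: the relevant lines from the configuration posted in this thread.
SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address inside 10.0.1.2 255.255.255.0
ip address dmz 172.16.2.1 255.255.255.0
global (outside) 1 192.168.100.100
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1
"""

def audit_pix_routing(config):
    """Return findings for nat sources and route next hops the PIX cannot reach."""
    connected, nats, routes = {}, [], []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "address"] and len(tok) == 5 and tok[3] != "dhcp":
            # Statically addressed interface: remember its connected subnet.
            connected[tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}").network
        elif tok[:1] == ["route"] and len(tok) >= 5:
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
            routes.append((tok[1], net, ipaddress.ip_address(tok[4])))
        elif tok[:1] == ["nat"] and len(tok) >= 5:
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}")
            nats.append((tok[1].strip("()"), net))
    findings = []
    for ifc, net in nats:
        if net.prefixlen == 0:
            continue  # catch-all nat matches whatever arrives on the interface
        reachable = [connected.get(ifc)] + [n for i, n, _ in routes if i == ifc]
        if not any(r is not None and net.subnet_of(r) for r in reachable):
            findings.append(
                f"nat ({ifc}) source {net} has no connected or static route on {ifc}")
    for ifc, net, hop in routes:
        # A next hop must sit on the subnet directly connected to that interface.
        if ifc in connected and hop not in connected[ifc]:
            findings.append(
                f"route {ifc} {net} next hop {hop} is outside {connected[ifc]}")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_routing(SAMPLE_CONFIG):
        print(finding)
```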

I tried adding this route inside 192.168.100.0 255.255.255.0 174.21.215.27 but received a message that the route already exists.

Problem not resolved

thanks for the help

Hello,

Can you post the output of "show route" command?

Regards,

NT

Here is the show route and the show ip output

PIX(config)# sho route
        outside 0.0.0.0 0.0.0.0 192.168.100.1 1 DHCP static
        inside 10.0.1.0 255.255.255.0 10.0.1.2 1 CONNECT static
        dmz 172.16.2.0 255.255.255.0 172.16.2.1 1 CONNECT static
        dmz 192.168.42.0 255.255.255.0 192.168.1.5 1 OTHER static
        outside 192.168.100.0 255.255.255.0 192.168.100.4 1 CONNECT static

PIX(config)# sho ip
System IP Addresses:
        ip address outside 192.168.100.4 255.255.255.0
        ip address inside 10.0.1.2 255.255.255.0
        ip address dmz 172.16.2.1 255.255.255.0
Current IP Addresses:
        ip address outside 192.168.100.4 255.255.255.0
        ip address inside 10.0.1.2 255.255.255.0
        ip address dmz 172.16.2.1 255.255.255.0

thank you for your help

Hello,

Thanks for the outputs. Do you have another device that is doing NAT from private address to public address? The firewall configuration looks correct. Can you please tell us what is the next hop device?

Regards,

NT

Do you have another device that is doing NAT from private address to public address?

No, I don't have NAT on the DMZ. I thought I would fix the DMZ once I fix this problem.

Can you please tell us what is the next hop device?

The next hop device is a Qwest Actiontec DSL modem with an IP of 174.21.215.27

thanks

Mark

Hello,

Is the DSL modem in the routed mode? Is it providing the DHCP address to your firewall? Can you configure the DSL modem such that it passes on the public IP it got on the DSL side to the ASA?

Regards,

NT

Is the DSL modem in the routed mode? Yes, it is in routed mode; the gateway IP address is 63.210.10.242.

Is it providing the DHCP address to your firewall? Yes, it is providing DHCP to the firewall, IP address 192.168.100.4.

Can you configure the DSL modem such that it passes on the public IP it got on the DSL side to the ASA? No, I don't think so.

Hello,

Can you ping the 192.168.100.1 from your internal clients? Please put the following two lines in the configuration and see if it makes any difference:

access-list outside_access_in permit icmp any any echo-reply

access-group outside_access_in in interface outside

Once you put the above lines in the configuration and removed the line I had suggested earlier, try pinging 192.168.100.1 from your inside LAN (10.x.x.x). If the ping is successful, then the issue could be at your DSL modem configuration. If you are not able to ping the 192.168.100.1 from inside LAN, then try to ping that IP from the firewall itself. That should tell us what is going on.

Regards,

NT

NT, adding the two lines you just gave me made the firewall work, so this half of the problem is fixed.

I will start a new post for the DMZ problem.

thank you for all your help

Mark
