Internet Access

darren.wilson · ‎03-24-2004

I ave a PIX 515E that I am trying to pass all of my LAN traffic to the Internet through. On the Outside of the PIX, I have 2 routers configured with HSRP and can ping with the PIX. On the inside of the PIX, I have 2 routers configured with HSRP, can ping withthe PIX, the PIX see's everything. Here lies my problem, I cannot see anything past the inside PIX addreess with my inside router, or any other peice of gear on the inside.

Here is my PIX config

: Saved

: Written by enable_15 at 23:27:22.897 UTC Wed Mar 24 2004

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 auto

interface ethernet2 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

hostname KCFire01

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

name A.B.C.0 OutsideClassC

name A.B.C.2 OutsideRouter2

name A.B.C.13 HSRPGateway

name A.B.C.1 OutsideRouter1

access-list outside_cryptomap_20 remark Southport, CT Remote VPN Connection

access-list outside_cryptomap_20 permit ip interface outside host Southport

access-list inside_access_in permit ip 192.168.5.0 255.255.255.0 any

access-list inside_access_in permit ip any any

pager lines 24

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside A.B.C.3 255.255.255.240

ip address inside 192.168.5.247 255.255.255.0

no ip address intf2

ip audit info action alarm

ip audit attack action alarm

ip local pool vpn_client 192.168.3.201-192.168.3.230

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.3.0 255.255.255.0 0 0

nat (inside) 10 192.168.5.0 255.255.255.0 0 0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 A.B.C.3 1

route inside 192.168.0.0 255.255.0.0 192.168.5.247 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.3.20 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

vpngroup AKDest address-pool vpn_client

vpngroup AKDest dns-server 192.168.3.2

vpngroup AKDest default-domain clink-clonk.com

vpngroup AKDest idle-time 1800

vpngroup AKDest password private

telnet 192.168.3.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

management-access inside

console timeout 0

dhcprelay enable inside

dhcprelay setroute inside

terminal width 80

Cryptochecksum:ff2de0e5b7cc836f7f5bff9635dd216b

: end

nkhawaja · ‎03-24-2004

What happens if you are not using HSRP? is there any way you can bypass it?

SYSLOG may give more idea on what is wrong!

Config seems to be fine.

BTW ping is not allowd through access-list from outside, so cant test using ICMP.

Did you test with HTTP? Do you see any translations buildup?

Thanks

Nadeem

l.mourits · ‎03-26-2004

ICMP is not statefully inspected on the PIX, so ICMP response traffic is not allowed untill you allow this on the access-list bound to your outside interface.

Kind regards,

Leo