change ip of pix

harrisgirls
Level 1

Hello,

I want to change the internal IP of my PIX 515 firewall - I want to change it from 192.168.1.250 to 192.168.100.250 - does anyone know what simple command I would need?

I am VLANing my network, so I want to put my PIX into VLAN 100.

thank you

11 Replies

Julio Carvajal
VIP Alumni

Hello Hgaed,

Here is the config

To change the IP address:

ip address inside 192.168.100.250 255.255.255.0

Please rate helpful posts

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello - I've just done that, but as soon as I do that I get no internet and cannot ping the firewall again!

I plug it into VLAN 100, can ping the default gateway 192.168.100.254 fine, but cannot ping 192.168.100.250!

This is what I put in:

bmi-515-fw-01(config-if)# no ip address 192.168.1.250 255.255.255.0

bmi-515-fw-01(config-if)# ip address 192.168.100.250 255.255.255.0

bmi-515-fw-01(config-if)# wr mem

bmi-515-fw-01(config-if)# reload

And then I plug the inside into VLAN 100 and cannot ping the firewall anymore; I can ping the DGW though.

Hello Hgaed,

After doing that you will need to change the NAT statements and the ACLs, if you have any on the inside interface.

It would be best if you posted your configuration =)

Now let's try something:

nat (inside) 1 192.168.100.0

global (outside) 1 interface

BTW, I suppose you already have this one.

Can you ping from the default gateway to the PIX? What is the status of the PIX inside interface?

Regards,

Julio


If my machine is within the same VLAN 100 as the firewall I can ping it - but no internet. If my machine is not in the same VLAN as the firewall I cannot ping the firewall. Below is the conf:

bmi-515-fw-01(config-if)# show conf
: Saved
: Written by enable_15 at 22:30:40.534 GMT/BST Thu Dec 1 2011
!
PIX Version 8.0(4)
!
hostname bmi-515-fw-01
domain-name buildmeit.internal
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.10 BMI-XXXX description Proxy Server
name 192.168.1.11 BMI-XXXX description Mail Server
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 78.XX.XXX.XXX 255.255.240.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.250 255.255.255.0
!
banner exec BMI PIX Firewall
banner login BMI PIX Firewall
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name buildmeit.internal
dns server-group defaultdns
 name-server 208.67.222.222
 name-server 208.67.220.220
object-group service RDP tcp
 port-object eq 3389
access-list outside_in extended permit tcp any interface outside eq smtp
access-list outside_in extended permit tcp any interface outside eq https
access-list outside_in extended permit tcp any interface outside eq 3389
access-list inside_nat0_outbound extended permit ip any 192.168.1.176 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.1.168 255.255.255.248
pager lines 24
logging enable
logging asdm informational
logging from-address
logging recipient-address  level errors
logging recipient-address  level errors
mtu outside 1500
ip local pool VPN 192.168.1.180-192.168.1.190 mask 255.255.255.0
ip local pool BMI 192.168.1.170-192.168.1.175 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-61551.bin
asdm location BMI-XXXX 255.255.255.255 inside
asdm location BMI-XXXXX 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 BMI-ADC1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp BMI-MAIL1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https BMI-MAIL1 https netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 78.86.XXX.XX
route inside 192.168.0.0 255.255.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server BMI-ADC1 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 192.168.1.51 192.168.1.52
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value buildmeit.internal
username admin password IJxhdNpJDK60IvP6WnrmNA== nt-encrypted privilege 0
username admin attributes
 vpn-group-policy DefaultRAGroup_1
username ian.taylor password m2UnovoQSIZFOzt1vA2p1g== nt-encrypted privilege 0
username ian.taylor attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 address-pool BMI
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.1.53
prompt hostname context
Cryptochecksum:5123a077b9eea8126de766e889f11b1a

My core is 192.168.1.254

Hello,

Please remove this:

nat (inside) 1 192.168.100.0

Hmm, you should be able to go out with the configuration you have. Can you provide me the following output:

packet-tracer input inside tcp 192.168.100.5 1025 4.2.2.2 80

Then

packet-tracer input inside tcp 192.168.0.5 1025 4.2.2.2 80

Regards,

Julio


Result of the command: "packet-tracer input inside tcp 192.168.100.5 1025 4.2.2.2 80"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 192.168.100.0 255.255.255.0
  match ip inside 192.168.100.0 255.255.255.0 outside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 11, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Result of the command: "packet-tracer input inside tcp 192.168.0.5 1025 4.2.2.2 80"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 101 (78.86.187.142 [Interface PAT])
    translate_hits = 3106, untranslate_hits = 277
Additional Information:
Dynamic translate 192.168.0.5/1025 to 78.86.187.142/9091 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 101 (78.86.187.142 [Interface PAT])
    translate_hits = 3106, untranslate_hits = 277
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3892, packet dispatched to next module

Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 78.86.176.1 using egress ifc outside
adjacency Active
next-hop mac address 0090.d063.ff1a hits 35694

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
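The two packet-tracer runs above, read against the posted configuration, point at two things a practitioner would want to check mechanically after re-addressing a PIX interface: a dynamic `nat (inside) 1` with no `global (outside) 1` partner (the "No matching global" drop), and a static route whose next hop is no longer on a connected subnet (`route inside 192.168.0.0 255.255.0.0 192.168.1.254` once the inside interface is 192.168.100.250/24, which would explain why hosts in other VLANs cannot reach the firewall while hosts in VLAN 100 can). The script below is an added example written for this page; it is not code from Cisco or from anyone in the thread. The sample config is a constructed excerpt modelled on the `show conf` output, with RFC 5737 documentation addresses standing in for the redacted public ones, and 192.168.100.254 is assumed to be the core's VLAN 100 address because the original poster lists it as that VLAN's gateway.

```python
import ipaddress

# Constructed excerpt modelled on the 'show conf' posted in the thread, with
# the inside interface already changed to 192.168.100.250.  203.0.113.x is an
# RFC 5737 documentation range standing in for the redacted outside address.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.250 255.255.255.0
!
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 192.168.0.0 255.255.0.0 192.168.1.254 1
"""


def _quad(token):
    """PIX accepts '0' as shorthand for 0.0.0.0 in nat statements."""
    return "0.0.0.0" if token == "0" else token


def parse_config(text):
    """Extract interfaces, nat/global statements and static routes from a
    PIX/ASA 8.x configuration.  Every other line is ignored."""
    cfg = {"interfaces": {}, "nats": [], "globals": set(), "routes": []}
    current = None  # the 'interface' block currently being read
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue
        if parts[0] == "interface":
            current = {"nameif": None, "addr": None}
        elif parts[0] == "nameif" and current is not None:
            current["nameif"] = parts[1]
        elif parts[:2] == ["ip", "address"] and current is not None:
            current["addr"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        elif parts[0] == "nat":
            ifc, nat_id = parts[1].strip("()"), int(parts[2])
            # 'nat (ifc) 0 access-list ...' is NAT exemption: no global needed
            source = None if parts[3] == "access-list" else ipaddress.IPv4Network(
                f"{_quad(parts[3])}/{_quad(parts[4])}", strict=False)
            cfg["nats"].append((ifc, nat_id, source))
        elif parts[0] == "global":
            cfg["globals"].add((parts[1].strip("()"), int(parts[2])))
        elif parts[0] == "route":
            dest = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
            cfg["routes"].append((parts[1], dest, ipaddress.IPv4Address(parts[4])))
        if current and current["nameif"] and current["addr"]:
            cfg["interfaces"][current["nameif"]] = current["addr"]
    return cfg


def nat_without_global(cfg, egress="outside"):
    """Dynamic nat ids with no matching 'global' on the egress interface.
    Flows matching such a nat are dropped with 'No matching global'.
    id 0 is exemption/identity NAT and never needs one."""
    return sorted({nat_id for _, nat_id, _ in cfg["nats"]
                   if nat_id != 0 and (egress, nat_id) not in cfg["globals"]})


def unreachable_routes(cfg):
    """Static routes whose next hop is not within the connected subnet of the
    named interface, so the firewall has no link on which to resolve it."""
    bad = []
    for ifc, dest, next_hop in cfg["routes"]:
        connected = cfg["interfaces"].get(ifc)
        if connected is None or next_hop not in connected.network:
            bad.append((ifc, str(dest), str(next_hop)))
    return bad


def replacement_route(ifc, dest, new_gateway):
    """Render the 'route' line pointing dest at a gateway on the new subnet."""
    net = ipaddress.IPv4Network(dest)
    return f"route {ifc} {net.network_address} {net.netmask} {new_gateway} 1"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for nat_id in nat_without_global(cfg):
        print(f"nat id {nat_id} has no 'global (outside) {nat_id}': "
              "matching flows are dropped (No matching global)")
    for ifc, dest, nh in unreachable_routes(cfg):
        print(f"route {ifc} {dest} via {nh}: next hop not on "
              f"{cfg['interfaces'].get(ifc, 'any connected subnet')}")
        # Assumption: 192.168.100.254 is the core's address in VLAN 100, as
        # listed by the original poster.
        print("  suggested:", replacement_route(ifc, dest, "192.168.100.254"))
```

Run it against a full `show running-config` dump rather than the excerpt: the parser skips everything it does not recognise, so the prompt line, `names`, ACLs and crypto configuration do no harm. Re-run after applying the fixes (`no nat (inside) 1 ...` and a corrected `route inside`) and both lists should come back empty.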

Hello,

Please add the following:

no nat (inside) 1 192.168.100.0 255.255.255.0

Hmmm, everything should work.

Can you save the configuration and reload the PIX, or just clear the xlate and connection table:

clear xlate

clear conn

clear local-host

Regards,

Julio


Hey Guys,

Please see the attached. I've tried all of the above and still can't get this working; I thought it would be a good idea to post a screenshot of the traffic - it might give an indication of what is going on!

I cannot PING 192.168.100.254 when I am in a different VLAN!!!!!!!!!!!

Help

Hello,

Hmm, so you cannot ping 192.168.100.254 from a user behind the same interface. By default, traffic on the same interface is not allowed.

Add the following commands:

fixup protocol icmp

same-security-traffic permit intra-interface

You are still not able to access the internet; OK, here is what you need to have on your PIX in order to have connectivity to the outside, so please confirm you ONLY HAVE THIS in your configuration:

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0 0

global (outside) 1 interface

static (inside,outside) tcp interface 3389 BMI-ADC1 3389 netmask 255.255.255.255

static (inside,outside) tcp interface smtp BMI-MAIL1 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https BMI-MAIL1 https netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 78.86.XXX.XX

route inside 192.168.0.0 255.255.0.0 192.168.1.254 1

Please confirm that you ONLY have these NAT statements in your configuration; these are the only ones you need. Do a clear local-host and a clear xlate.

Also, I do not know if you are using your own private DNS; can you use a public one (4.2.2.2) and test the internet connectivity?

Regards,

Please rate helpful posts.

Julio!!!!


Thanks - I'll try soon. In the meantime, this is the NAT screen I see:

VLAN Info:

VLAN 1 - 192.168.1.254

VLAN 2 - 192.168.2.254

VLAN 3 - 192.168.3.254

VLAN 4 - 192.168.4.254

VLAN 5 - 192.168.5.254

VLAN 6 - 192.168.6.254

VLAN 7 - 192.168.7.254

VLAN 100 - 192.168.100.254

All VLANs can ping each gateway fine!!

I've just checked the config and I have:

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

global (outside) 101 interface

route outside 0.0.0.0 0.0.0.0 78.xx.xxx.x 1

route inside 192.168.0.0 255.255.0.0 192.168.1.254 1

Hello,

The NAT is fine. I want you to access the CLI, create a capture and let me know the result.

From an inside user (in my capture it will be 192.168.100.15) I want you to go to the xxxxx website (you will need to have the IP address of the site; in my example let's use the www.CCIEtalk.com IP address: 174.37.27.184).

access-list capin permit ip host 192.168.100.15 host 174.37.27.184

access-list capin permit ip host 174.37.27.184 host 192.168.100.15

capture capin access-list capin interface inside

access-list capout permit ip host xxxxx (outside interface ip) host 174.37.27.184

access-list capout permit ip host 174.37.27.184 host xxxx (outside interface ip)

capture capout access-list capout interface outside

capture capout access-list capout interface outside

Then try to start the connection and share the following outputs:

sh capture capin

sh capture capout

Please rate helpful posts

Julio!!!
