New Member

Cisco PIX 515e basic configuration

Was wondering if anyone might know why I can't establish basic connectivity from LAN to WAN interface on this machine? I've been trying very hard to get it and I guess it's beyond me, very frustrating. Here is a post of the configuration:

Result of PIX command: "show config"

: Saved
: Written by admin at 09:58:27.057 UTC Fri Jan 4 2008
PIX Version 6.2(1)
nameif ethernet0 t1 security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxxx encrypted
passwd xxxxxxx encrypted
hostname xxxxxxxx
domain-name xxxxxxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
logging trap informational
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any echo-reply t1
icmp permit any echo t1
icmp permit any echo-reply inside
icmp permit any echo inside
mtu t1 1500
mtu inside 1500
mtu intf2 1500
ip address t1 x.x.x.124 255.255.255.248
ip address inside 172.20.206.254 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.248 inside
pdm location 172.20.206.254 255.255.255.255 inside
pdm location x.x.x.124 255.255.255.255 t1
pdm location 172.20.206.0 255.255.255.248 inside
pdm history enable
arp timeout 14400
global (t1) 4 x.x.x.125-x.x.x.127 netmask 255.255.255.248
global (t1) 1 interface
global (t1) 2 x.x.x.124
global (t1) 3 x.x.x.122
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route t1 x.x.x.124 255.255.255.255 x.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 172.20.206.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet 172.20.206.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn enable inside
username xxxxx password xxxxxxxx encrypted privilege 2
username xxxxxx password xxxxxxxxxxx privilege 2
terminal width 80
Cryptochecksum:xxxxxxxxxx

It would be a relief if my company didn't have to scrap our nice Cisco stuff because we just can't figure it out. Any help would be appreciated!!! Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Cisco PIX 515e basic configuration

First off, I would get rid of the unused global PAT entries:

no global (t1) 4 x.x.x.125-x.x.x.127 netmask 255.255.255.248

no global (t1) 2 x.x.x.124

no global (t1) 3 x.x.x.122

Then your route statement seems to be wrong:

no route t1 x.x.x.124 255.255.255.255 x.x.x.121 1

Use:

route t1 0.0.0.0 0.0.0.0 x.x.x.121
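An added example, not code from the thread: a small Python config checker for the two mistakes the accepted answer corrects (global pools that no nat statement references, and a host route to the firewall's own t1 address instead of a default route), plus the default SNMP community string visible in the posted config. It assumes the PIX 6.x line syntax shown in the post; the poster's redacted x.x.x.N addresses are replaced by constructed 203.0.113.N values.

```python
# Constructed excerpt of the poster's config; the thread redacts the public
# addresses as x.x.x.N, so 203.0.113.N (documentation range) stands in here.
PIX_CONFIG = """\
nameif ethernet0 t1 security0
nameif ethernet1 inside security100
ip address t1 203.0.113.124 255.255.255.248
ip address inside 172.20.206.254 255.255.255.0
global (t1) 4 203.0.113.125-203.0.113.127 netmask 255.255.255.248
global (t1) 1 interface
global (t1) 2 203.0.113.124
global (t1) 3 203.0.113.122
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route t1 203.0.113.124 255.255.255.255 203.0.113.121 1
snmp-server community public
"""

def audit(config):
    """Return findings for the NAT/routing mistakes the thread discusses."""
    iface_addr, nat_ids, globals_, routes, findings = {}, set(), [], [], []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            iface_addr[t[2]] = t[3]            # interface name -> its own IP
        elif t[0] == "nat":
            nat_ids.add(t[2])                 # nat (inside) <id> ...
        elif t[0] == "global":
            globals_.append((t[1].strip("()"), t[2], t[3]))   # (iface, id, pool)
        elif t[0] == "route":
            routes.append((t[1], t[2], t[3], t[4]))   # (iface, dest, mask, gw)
        elif t[:2] == ["snmp-server", "community"] and t[2] in ("public", "private"):
            findings.append(f"snmp-server community uses default string '{t[2]}'")
    # A global pool is only used when a nat statement carries the same id;
    # the others are dead config that confuses later troubleshooting.
    for iface, nid, pool in globals_:
        if nid not in nat_ids:
            findings.append(f"global ({iface}) {nid} {pool}: no 'nat ... {nid}' references it")
    # The poster's route pointed at the firewall's own t1 address instead of
    # being a default route via the upstream gateway.
    for iface, dest, mask, gw in routes:
        if dest == iface_addr.get(iface):
            findings.append(f"route {iface} {dest} {mask} {gw}: destination is {iface}'s own address")
    if not any(dest == "0.0.0.0" and mask == "0.0.0.0" for _, dest, mask, _ in routes):
        findings.append("no default route (route <outside> 0.0.0.0 0.0.0.0 <gateway>)")
    return findings

if __name__ == "__main__":
    for finding in audit(PIX_CONFIG):
        print("FINDING:", finding)
```

Re-running audit() on the config after applying the accepted answer's four changes leaves only the SNMP community finding.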

7 REPLIES
New Member

Re: Cisco PIX 515e basic configuration

Ok thanks, I'll try that

New Member

Re: Cisco PIX 515e basic configuration

Wow, that worked!! Thank you so much! I think I was getting caught up in trying to change the interface IP addresses too much. Possibly that's where the incorrect global NATs were accumulating. I was confused on what IP address to assign the WAN interface. Apparently you give it one of your static addresses; it's not the same address as your WAN gateway (in this case, the CSU/DSU to the T1). Also, the global route is a confusing syntax. I'll have to look at that more. Whatever I typed in seems to work now. Thanks again!!!!

New Member

Re: Cisco PIX 515e basic configuration

Try changing your route t1 x.x.x.124 255.255.255.255 x.x.x.121 1 to

route t1 0.0.0.0 0.0.0.0 x.x.x.121 1

To me it appears you are only trying to route x.x.x.124 to the outside (t1) interface.

New Member

Re: Cisco PIX 515e basic configuration

That may be possible. But since this configuration works and I've spent so long trying to figure it out, I'm not going to change a thing if I don't absolutely have to. Does anyone know how to permit an incoming Microsoft PPTP client? I have set access rules to permit PPTP and GRE, as well as static NAT to the VPN server on the LAN. It isn't working, however. I can VPN to the server from inside the LAN, so I know that it's set up correctly. It's something to do with the firewall.

Re: Cisco PIX 515e basic configuration

You need to set up a static mapping from an unused IP address in your CIDR range to your VPN server. Then allow the appropriate traffic inbound to the mapped address on your t1 interface.

** please rate posts if helpful **

New Member

Re: Cisco PIX 515e basic configuration

Yeah, thanks. As I mentioned above, the connection works, as well as RDP now. I have taken up the VPN in another topic. Thanks everyone!
