Cisco Support Community
New Member

Help with config - can not access internet

I can ping from machine 192.168.40.8 to the PIX and vice versa. I cannot ping from either the machine or the PIX to the outside Internet.

Can someone look at my config and see what I am missing? Also, I am prohibiting machine 192.168.40.10 from browsing the Internet.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname lab
domain-name LAB
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outthere permit icmp any any echo-reply
access-list outthere permit icmp any any unreachable
access-list outthere permit icmp any any time-exceeded
access-list inthere permit icmp any any
access-list inthere deny tcp host 192.168.40.10 any eq www
access-list inthere permit tcp any any eq www
access-list inthere permit tcp any any eq https
access-list inthere permit ip any any
access-list inthere permit tcp any any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 37.x.x.10 255.255.255.248
ip address inside 192.168.40.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 37.139.239.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80

Thanks in advance.

JT

21 REPLIES
Silver

Re: Help with config - can not access internet

Please apply the following commands:

access-group outthere in interface outside
access-group inthere in interface inside

You had access-lists created, but they are not effective unless tied to an interface. Now things should work.

Hope that helps.

Regards,

Vibhor.

New Member

Re: Help with config - can not access internet

I could have sworn I had those lines in there. I think when I cleared my access-list, it must have wiped those lines out. I'll give that a try to see what happens. Thanks.

New Member

Re: Help with config - can not access internet

I added the access-group lines, but I still cannot get to the Internet. I'm not sure what is wrong. I am attaching the config again along with some other outputs.

PIX Version 6.3(1)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname lab
domain-name LAB
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outthere permit icmp any any echo-reply
access-list outthere permit icmp any any unreachable
access-list outthere permit icmp any any time-exceeded
access-list inthere permit icmp any any
access-list inthere deny tcp host 192.168.40.10 any eq www
access-list inthere permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 37.x.x.10 255.255.255.248
ip address inside 192.168.40.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outthere in interface outside
access-group inthere in interface inside
route outside 0.0.0.0 0.0.0.0 37.139.239.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end

lab# sh int
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000d.bdc8.9868
  IP address 37.x.x.10 , subnet mask 255.255.255.248
  MTU 1500 bytes, BW 10000 Kbit full duplex
    84 packets input, 5040 bytes, 0 no buffer
    Received 84 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    91 packets output, 5460 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/1)
    output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000d.bdc8.9869
  IP address 192.168.40.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
    77 packets input, 5867 bytes, 0 no buffer
    Received 11 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    5 packets output, 306 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/1)
    output queue (curr/max blocks): hardware (0/1) software (0/1)

lab# sh access-group
access-group outthere in interface outside
access-group inthere in interface inside

Green

Re: Help with config - can not access internet

Off the subject, but you could get rid of three lines in your ACL...

access-list inthere permit tcp any any eq www
access-list inthere permit tcp any any eq https
access-list inthere permit tcp any any eq domain

...as you have:

access-list inthere permit ip any any
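As an added check written for this page (not code from the thread or from Cisco), a small Python linter over a constructed excerpt of the posted config: it reports access-lists that have no access-group binding, which is what the first reply fixed, and the permit entries that the catch-all permit ip any any already covers, which is the point of the reply above.

```python
import re

# Constructed excerpt in the shape of the config posted in this thread
# (same ACL names and addresses); sample input, not the full config.
SAMPLE_CONFIG = """
access-list outthere permit icmp any any echo-reply
access-list inthere permit icmp any any
access-list inthere deny tcp host 192.168.40.10 any eq www
access-list inthere permit tcp any any eq www
access-list inthere permit tcp any any eq https
access-list inthere permit ip any any
access-list inthere permit tcp any any eq domain
access-group inthere in interface inside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

def parse(config):
    """Return ({acl: [(action, fields), ...]}, {acl: interface}) from config text."""
    acls, bound = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)
    return acls, bound

def unbound_acls(config):
    """ACLs that are defined but never applied with access-group, so they filter nothing."""
    acls, bound = parse(config)
    return [name for name in acls if name not in bound]

def redundant_entries(config):
    """Permits that a later 'permit ip any any' in the same ACL already covers (with no
    deny in between), plus every entry after that catch-all, which can never match."""
    acls, _ = parse(config)
    findings = []
    for name, aces in acls.items():
        catch = [i for i, (a, f) in enumerate(aces) if a == "permit" and f[:3] == ["ip", "any", "any"]]
        if not catch:
            continue
        c = catch[0]
        for i, (action, fields) in enumerate(aces):
            deny_between = any(a == "deny" for a, _ in aces[i + 1:c])
            if i > c or (i < c and action == "permit" and not deny_between):
                findings.append(f"{name}: {action} {' '.join(fields)}")
    return findings
```

A permit that sits before a deny is deliberately left alone, since removing it could change which traffic reaches that deny.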

New Member

Re: Help with config - can not access internet

Thanks. I didn't know that. But it makes sense.

New Member

Re: Help with config - can not access internet

Add a 'deny any any log' to the end of your ACLs, and set up a syslog server (Kiwi Syslogd) on the inside machine. Then set up your firewall to use that machine as the syslog server. (Another option is to view debug inside the firewall.) This way you can see what traffic is actually getting denied.

Also, is your outside route correct? Can you ping your next hop on the outside?

New Member

Re: Help with config - can not access internet

I can't ping anything on the outside of the PIX.

New Member

Re: Help with config - can not access internet

Try to auto-negotiate the OUTSIDE speed/duplex instead of setting 10full.

New Member

Re: Help with config - can not access internet

For some reason, autonegotiate does not work. And my connection outside is 10BASE-T. This is why I manually configured it.

New Member

Re: Help with config - can not access internet

What are the errors you get when you autonegotiate? Try 10 half duplex.

New Member

Re: Help with config - can not access internet

Is the route outside 37.139.239.6 one of your devices or the ISP's? Can you ping your PIX from 37.139.239.6? If it's not yours, call your ISP and have them reprovision the circuit.

New Member

Re: Help with config - can not access internet

The route outside to 37.139.239.6 is my gateway. This is a DSL line. I'll try to ping from the Internet to my PIX to see what I get.

Green

Re: Help with config - can not access internet

You won't be able to ping the outside of the PIX with your current config; just ping from the PIX to the gateway.

New Member

Re: Help with config - can not access internet

If I can't ping anything on the Internet, I won't be able to ping anything outside the PIX. Thanks. I just rebooted the modem, firewall, and PC and still nothing.

When the PIX came up, it came up in monitor> mode. I reloaded again and it came up with the normal prompt. Not sure what happened there.

Green

Re: Help with config - can not access internet

What I said was that you will not be able to ping the outside interface of the PIX (37.139.239.10). I did not mean you won't be able to ping out from the PIX; sorry you misunderstood.

The logical test would be to ping your ISP gateway from the PIX; this would prove your Internet connection was there and that the problem is something on your inside clients or the PIX, not your connection.

New Member

Re: Help with config - can not access internet

I think where the PIX boots from depends on your config register setting.

New Member

Re: Help with config - can not access internet

So is this a DSL modem with the .6 IP? What is the device before the PIX? A router? A DSL modem?

If so, then change the PIX outside IP to .6 (same as the DSL modem), and then the route outside on the PIX will have to be an IP address that you can get from your ISP.

Green

Re: Help with config - can not access internet

DSL modems don't typically have IP addresses. DSL routers do.

New Member

Re: Help with config - can not access internet

I ended up doing a write erase and started from scratch. I redid the config, and now it works. I checked the config and it looks the same to me as it did before... oh well, it works, and that is all that matters.

Thanks for your help.

New Member

Re: Help with config - can not access internet

Weird!

New Member

Re: Help with config - can not access internet

Set to 10Mb auto.
