New Member

No Internet From Inside

Hello - I have just had to replace a dead (finally) PIX 520. Until my company can afford it, I am using a PIX 501. The outside interface is connected to a Verizon DSL router, and the inside through a 2950 and an old 1600 series router. Problem is ever since I went to the 501, no one behind the firewall can get to the internet. I can ping internet sites from the 501 itself, but nothing from behind it. I know it must be something simple, but I can't figure it out. I am attaching the configs for the router and firewall.

7 REPLIES
New Member

Re: No Internet From Inside

Hey,

I would start by doing a traceroute from a machine that's not able to access the internet and see where that gets stuck. That will hopefully tell you which device has the problem and narrow things down.

I'm not sure off the top of my head what happens with that version if you have no access-list associated with the inside interface of your PIX. It might allow everything through, but I can't remember and if it were me I'd just allow everything through using the access-list/access-group commands as per what you have for the outside -- just as a test.

HTH

Anthony

New Member

Re: No Internet From Inside

Hi Anthony - that's the weird part, I can ping the inside interface of the firewall from any client, but a trace to any internet IP from that same client goes nowhere, doesn't even know what its first hop is.

New Member

Re: No Internet From Inside

If I do a sho xlate while I am tracing from the workstation, I see this:

PAT Global xx.xx.xx.11(2) Local 192.168.100.35 ICMP id 512

So it is reaching the firewall...it must be something on the DSL modem?

New Member

Re: No Internet From Inside

But you said that from the FW itself you could get to external addresses no? If that's the case the routing from the FW to the DSL and out would seem to be working ok.

You have the statics and outside addresses blanked out (understandably!) - I'm presuming you have one address for the outside interface, another two that you're using in the statics and then another that you have for your global? Is that right?

Also, what do you see in the logs, anything? Look for any denies on either side, non-translations etc that might give some clue. Probably best to turn the logging to warning or debugging and watch while you try from one of those machines.

Re: No Internet From Inside

Try this configuration.

no global (outside) 1 XX.XX.XX.XX netmask 255.255.255.255

global (outside) 1 interface

If your xx.xx.xx.xx in the global configuration is the outside interface address then you should use the keyword interface for PAT instead of address.

HTH

Sundar

New Member

Re: No Internet From Inside

That did it. Why would that work and not the global statement I had in there before? Thanks!!

Re: No Internet From Inside

Glad it works now. Thanks for the rating!

It's one of those things - where the OS doesn't like the address to be used when that address is assigned to the interface (outside). Instead, it expects the word 'interface' to be used in the global command for that address to be used.

HTH

Sundar
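
The check below is an added example, not part of the original thread or any Cisco tool: it scans a PIX 6.x style configuration for the condition described above, a `global` statement that names the same address already assigned to that interface, and returns the two replacement commands from the accepted answer. The sample configuration is constructed, uses documentation addresses, and the function name is hypothetical.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax; 192.0.2.0/24 is a documentation range.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.11 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0
global (outside) 1 192.0.2.11 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

IP_ADDR = re.compile(r"^ip address (\S+) (\S+)")
GLOBAL = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def find_global_conflicts(config):
    """Return (line_no, original_line, fix_commands) for each global statement
    whose single PAT address equals the address of the interface it is bound to."""
    lines = [line.strip() for line in config.splitlines()]
    iface_ip = {}
    for line in lines:
        m = IP_ADDR.match(line)
        if m:
            try:
                iface_ip[m.group(1)] = ipaddress.IPv4Address(m.group(2))
            except ValueError:
                pass  # e.g. "dhcp" or "pppoe": no static address in the config
    findings = []
    for no, line in enumerate(lines, 1):
        m = GLOBAL.match(line)
        if not m:
            continue
        iface, nat_id, pool = m.groups()
        if pool == "interface" or iface not in iface_ip:
            continue  # already uses the keyword, or nothing to compare against
        try:
            addr = ipaddress.IPv4Address(pool)
        except ValueError:
            continue  # address ranges (a-b) are not evaluated by this check
        if addr == iface_ip[iface]:
            fix = ["no " + line, f"global ({iface}) {nat_id} interface"]
            findings.append((no, line, fix))
    return findings


if __name__ == "__main__":
    for no, line, fix in find_global_conflicts(SAMPLE_CONFIG):
        print(f"line {no}: {line}\n  replace with: " + "; ".join(fix))
```
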
