Community Member

PIX 501 Help....asap.

Ok so here is my config...

ip address outside 78.xxx.xxx.16 255.255.255.248
ip address inside 10.xxx.xxx.81 255.0.0.0
route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inbound permit icmp any any
access-list inbound permit tcp any host 78.xxx.xxx.15 eq www
access-list inbound permit tcp any host 78.xxx.xxx.15 eq 53
access-list inbound permit udp any host 78.xxx.xxx.15 eq 53
access-group inbound in interface outside
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
access-list inbound permit icmp any any
access-list inbound permit tcp any host 78.xxx.xxx.14 eq www
access-group inbound in interface outside
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.15 netmask 255.255.255.255 0 0

Basically I have 2 servers running behind my PIX with the external IP addresses of 78.xxx.xxx.15 and 78.xxx.xxx.14. I can ping the inside interfaces but I cannot ping the outside interface of the PIX, let alone the gateway, which is at 78.xxx.xxx.18. I need to have this up and running ASAP, so any suggestions would be great!

Thanks!

29 REPLIES
Gold

Re: PIX 501 Help....asap.

you can't ping the outside interface from the inside, and vice versa...

you need to add the following to permit icmp replies from the gw....

access-list inbound permit icmp any any echo-reply

or

access-list inbound permit icmp host 78.x.x.18 any echo-reply

you get the idea...

Community Member

Re: PIX 501 Help....asap.

Thanks for the reply, srue. I guess I should have elaborated a little further... I am not even able to access the internet; that is my main goal. Any advice?

Green

Re: PIX 501 Help....asap.

Can you ping the gateway from the pix?

Community Member

Re: PIX 501 Help....asap.

From what I understand of the problem, it seems like you are trying to ping the outside interface from the inside, if I am understanding correctly.

By design you will not be able to ping the outside interface, and if you are trying to ping the outside interface from the outside world then please check if it's getting denied by the ICMP command:

show ICMP

Community Member

Re: PIX 501 Help....asap.

Let us know if you are able to ping the gateway IP address, and also let me know if you are trying to access the internet from these 2 servers only. If you are trying to access it from other workstations then you need to make use of the nat and global commands:

nat (inside) 1 0 0
global (outside) 1 interface

Community Member

Re: PIX 501 Help....asap.

Please post the full config of your firewall; then we can help more easily.

Cheers,

MM

P.S. Don't forget to rate replies ;)

Community Member

Re: PIX 501 Help....asap.

Here is the running config of the pix...

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inbound permit icmp any any
access-list inbound permit tcp any host 78.xxx.xxx.15 eq www
access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain
access-list inbound permit udp any host 78.xxx.xxx.15 eq domain
access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp
access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 78.xxx.xxx.16 255.255.255.248
ip address inside 10.xxx.xxx.81 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 78.xxx.xxx.15
global (outside) 2 78.xxx.xxx.14
nat (inside) 1 10.xxx.xxx.83 255.255.255.255 0 0
nat (inside) 2 10.xxx.xxx.85 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

It is just the two servers accessing the internet, and yes, I found that I can ping the gateway. I'm still stumped with this whole thing, so keep the help coming guys...

Thanks!

Community Member

Re: PIX 501 Help....asap.

Ok, you don't do a global and then a static nat that way. All you need to define is a global for the other clients behind the gateway to the interface of your PIX, and then statics for the servers. Changes as follows:

Remove these:

global (outside) 1 78.xxx.xxx.15
global (outside) 2 78.xxx.xxx.14
nat (inside) 1 10.xxx.xxx.83 255.255.255.255 0 0
nat (inside) 2 10.xxx.xxx.85 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

Add this:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 255.0.0.0 0 0
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

Also create an access list for outbound access and put deny ip any any log at the end of both lists for monitoring purposes etc.

Cheers,

MM

Community Member

Re: PIX 501 Help....asap.

sorry that nat (inside) command should read:

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

Community Member

Re: PIX 501 Help....asap.

mightymouse2045, thanks for the quick response.

Okay so I changed the config, but now I'm beginning to think I have something wrong with the internal IP addresses. I should have been more clear about what I said before... I can ping the gateway from the PIX, but not from the server. I'm thinking it has something to do with the netmask; my internal is 255.0.0.0 and my external is 255.255.255.248. Although I thought that nat was supposed to take care of that?

Thanks!

Community Member

Re: PIX 501 Help....asap.

If this helps clarify things:

Gateway - 78.xxx.xxx.18

PIX internal - 10.xxx.xxx.81

PIX external - 78.xxx.xxx.16

Server 1 internal - 10.xxx.xxx.83

Server 2 internal - 10.xxx.xxx.85

Server 1 external - 78.xxx.xxx.15

Server 2 external - 78.xxx.xxx.14

Thanks!

Community Member

Re: PIX 501 Help....asap.

By default pings are not allowed through PIXs, so you have to enable that by adding the permit ICMP into your access lists:

So add this into your inbound\outbound access lists:

access-list name permit icmp any any

Once you've added these in, try and ping and let me know how you go. Also, to restrict the ping on the outside interface you should only really add in specific ping responses like echo-reply, time-out etc.; do a help on the command for possible responses.

Community Member

Re: PIX 501 Help....asap.

Okay I just added those access-lists and I am still not able to ping the gateway. But this time I do get a 'Request timed out' as a response...

Community Member

Re: PIX 501 Help....asap.

Ok, can you try pinging www.google.com and see if you can resolve it and ping it - if yes then you know you're working.

If not I'll have another browse through your config - can you post the updated config again too?

Community Member

Re: PIX 501 Help....asap.

Okay I can ping google's IP address (64.233.161.104) from the PIX, but not from the server. Once again here are all of the IP addresses I am using:

Gateway - 78.xxx.xxx.18

PIX internal - 10.xxx.xxx.81

PIX external - 78.xxx.xxx.16

Server 1 internal - 10.xxx.xxx.83

Server 2 internal - 10.xxx.xxx.85

Server 1 external - 78.xxx.xxx.15

Server 2 external - 78.xxx.xxx.14

These are web servers, so server 1 has to have the external IP of .15 and server 2 has to have the external IP of .14.

Thanks again for your help!

Community Member

Re: PIX 501 Help....asap.

Yep, which was achieved with the other commands I told you to add in.

Can you post your updated config as it appears now?

Community Member

Re: PIX 501 Help....asap.

Hey, I actually entered one of the commands you gave me wrong; I corrected it and am now able to ping google's IP. I am still having a DNS issue though: I cannot ping www.google.com, just the IP. Also here is my updated config... any suggestions for security?

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inbound permit icmp any any
access-list inbound permit tcp any host 78.xxx.xxx.15 eq www
access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain
access-list inbound permit udp any host 78.xxx.xxx.15 eq domain
access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp
access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp
access-list outbound permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 78.xxx.xxx.16 255.255.255.248
ip address inside 10.xxx.xxx.81 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

Thanks again 2040!

Community Member

Re: PIX 501 Help....asap.

Ok, you need to apply the outbound access list to the inside interface:

access-group outbound in interface inside

Also where are your DNS servers? Are you running DNS on your internal servers, or you have your internal clients\servers all pointing to your external DNS servers?

Let me know which one and I'll tell you the rules to add in to allow the DNS traffic. Also what access do you want internal servers\clients to have to the internet - or is it purely to allow external clients to access web services and pptp on the internal servers?

Cheers,

MM

Community Member

Re: PIX 501 Help....asap.

Okay the DNS servers are currently external, but once everything is configured I will be running them on the internal servers. As far as access is concerned, I would like everything to be as secure as possible; the internal servers must be able to access the internet, in fact I really have no need to restrict anything on them. Outside should only be able to view the web data on the servers. I have the pptp ports open to configure the servers remotely.

Thanks!

Community Member

Re: PIX 501 Help....asap.

Ok, so probably it's just best to add in:

access-list outbound permit ip 10.0.0.0 0.255.255.255 any

You already have the inbound access list setup correctly so that should be about it.

So once you add in that permit any command, try DNS resolution again - if it's not working, check you have the correct DNS servers set up and try pinging them.

If they are set up correctly and you can ping them, then add a deny ip any any log to the end of each access list, set logging to 7 and monitor the output on the console as you are doing nslookups, and see if anything is being blocked.

Cheers,

MM

P.S don't forget to rate the responses ;)

Community Member

Re: PIX 501 Help....asap.

Ok so I entered the access list, and was able to ping the DNS servers, but I am still not able to ping www.google.com or bring up a website. I set the logging monitor to 7 and tried to open a website, but when I went to view the logging it says '0 messages logged'... any idea?

Thanks!

Community Member

Re: PIX 501 Help....asap.

Sorry to be a pain, but can you post the config as it looks now :)

Community Member

Re: PIX 501 Help....asap.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inbound permit icmp any any
access-list inbound permit tcp any host 78.xxx.xxx.15 eq www
access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain
access-list inbound permit udp any host 78.xxx.xxx.15 eq domain
access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp
access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp
access-list outbound permit icmp any any
access-list outbound permit ip host 10.0.0.0 any
access-list out deny ip any any log
access-list in deny ip any any log
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 78.xxx.xxx.16 255.255.255.248
ip address inside 10.xxx.xxx.81 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0
access-group outbound in interface outside
route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

Community Member

Re: PIX 501 Help....asap.

Ok, do this:

1. Remove these lines:

access-list out deny ip any any log
access-list in deny ip any any log
access-list outbound permit ip host 10.0.0.0 any

2. Add these lines:

access-list outbound permit ip 10.0.0.0 255.0.0.0 any
access-list outbound deny ip any any log
access-list inbound deny ip any any log
access-group inbound in interface inside

3. Also, are you sure your subnet mask for the external interface is correct? Because the .16 address is the network address for the range .16 to .23, with .17 to .22 being usable.

The IP you have set up with .15 is actually the broadcast address of the subnet below .16, and .14 is the last usable in that subnet range.

Who assigned the IP addresses for you and what range and other details did they give to you?

Cheers,

MM

Community Member

Re: PIX 501 Help....asap.

Yes they are correct, I changed the external addresses because I'm posting on a public forum. The subnets are correct, just not the IPs.

I entered the updates, and I'm still getting the same thing. '0 messages logged' and I'm still at the same point with the DNS.

Here is the updated config...

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inbound permit icmp any any
access-list inbound permit tcp any host 78.xxx.xxx.15 eq www
access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain
access-list inbound permit udp any host 78.xxx.xxx.15 eq domain
access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp
access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp
access-list inbound deny ip any any log
access-list outbound permit icmp any any
access-list outbound permit ip 10.0.0.0 255.0.0.0 any
access-list outbound deny ip any any log
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 78.xxx.xxx.16 255.255.255.248
ip address inside 10.xxx.xxx.81 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0
access-group outbound in interface outside
access-group inbound in interface inside
route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

Thanks again!

Community Member

Re: PIX 501 Help....asap.

Ok, you have these around the wrong way:

access-group outbound in interface outside
access-group inbound in interface inside

Remove them and add them as:

access-group outbound in interface inside
access-group inbound in interface outside

Community Member

Re: PIX 501 Help....asap.

Okay that didn't work. Here is exactly what I'm entering into the PIX, maybe this will help:

hostname xxxxxxxxxx
ena password xxxxxxxxxxxxx
password xxxxxxxxxxxx
ip address outside 78.xxx.xxx.16 255.255.255.248
ip address inside 10.xxx.xxx.81 255.0.0.0
route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0
access-list inbound permit icmp any any
access-list outbound permit icmp any any
access-list inbound permit tcp any host 78.xxx.xxx.15 eq www
access-list inbound permit tcp any host 78.xxx.xxx.15 eq 53
access-list inbound permit udp any host 78.xxx.xxx.15 eq 53
access-list inbound permit tcp any host 78.xxx.xxx.15 eq 1723
access-list inbound permit tcp any host 78.xxx.xxx.14 eq 1723
access-group outbound in interface inside
access-group inbound in interface outside
access-list outbound permit ip 10.0.0.0 255.0.0.0 any
access-list outbound deny ip any any log
access-list inbound deny ip any any log
access-group inbound in interface inside
logging on
logging monitor 7

Thanks mightymouse !

Community Member

Re: PIX 501 Help....asap.

You've got the access-group inbound stated again down the bottom, to the wrong interface.

Save the config (wr mem) and have a look at it on the pix - does it come up with:

access-group outbound in interface inside
access-group inbound in interface outside

The best way to edit in bulk is to save the config on the device, then copy it to a tftp server (copy start tftp), edit the config file in notepad (word wrap turned off), save it, and then copy it back to the startup-config on the pix via tftp (copy tftp start) and restart the pix.

Cheers,

MM
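Added example, not from the thread or from Cisco: a small Python linter that checks a PIX 6.x config for the three mistakes MM pointed out above (the outside interface address sitting on the network address of its /29 while the static global addresses fall outside that subnet, `host 10.0.0.0` used where a network and mask were meant, and the inbound/outbound access lists bound to the wrong interfaces). The sample config is constructed to mirror the one posted in the thread; the forum's masked xxx octets are replaced by zeros purely so that the lines parse.

```python
"""Lint a PIX 6.x config for the address-plan and ACL-binding mistakes seen in this thread."""
import ipaddress

# Constructed sample mirroring the config posted in the thread. The forum masked octets
# as xxx; 78.0.0.x and 10.0.0.x stand in here purely so that the lines parse.
SAMPLE_CONFIG = """\
ip address outside 78.0.0.16 255.255.255.248
ip address inside 10.0.0.81 255.0.0.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 78.0.0.15 10.0.0.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.0.0.14 10.0.0.85 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 78.0.0.15 eq www
access-list inbound deny ip any any log
access-list outbound permit ip host 10.0.0.0 any
access-list outbound deny ip any any log
access-group outbound in interface outside
access-group inbound in interface inside
"""

def _addr(tokens):
    """Consume one ACL address spec ('any', 'host X' or 'X MASK'); return (network or None, rest)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def lint_pix_config(text):
    """Return a list of findings (strings); an empty list means all three checks passed."""
    ifaces, statics, acls, bindings, findings = {}, set(), {}, [], []
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["static"]:
            statics.add(ipaddress.ip_address(t[2]))  # the global (outside) address
        elif t[:1] == ["access-list"]:
            acls.setdefault(t[1], []).append(t[2:])  # [action, proto, src..., dst..., ...]
        elif t[:1] == ["access-group"]:
            bindings.append((t[1], t[4]))  # (acl name, interface it is applied 'in' on)
    out_net, in_net = ifaces["outside"].network, ifaces["inside"].network
    # 1. An interface address must not be the network or broadcast address of its subnet.
    for name, itf in ifaces.items():
        net = itf.network
        if net.prefixlen < 31 and itf.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name} address {itf.ip} is the network/broadcast address of {net}")
    # 2. The global address of every static must fall inside the outside interface's subnet.
    for g in sorted(statics):
        if g not in out_net:
            findings.append(f"static global {g} is not in the outside subnet {out_net}")
    # 3. ACL entries vs. the interface they are bound to, plus 'host' used on a network address.
    for acl, iface in bindings:
        for entry in acls.get(acl, []):
            src, rest = _addr(entry[2:])
            dst, _ = _addr(rest)
            for spec in (src, dst):
                if spec is not None and spec.prefixlen == 32 and spec.network_address == in_net.network_address:
                    findings.append(f"acl {acl}: 'host {spec.network_address}' names the inside network; use a mask")
            if iface == "outside" and src is not None and src.subnet_of(in_net):
                findings.append(f"acl {acl} on outside matches inside source {src}; bind it to inside")
            if iface == "inside" and dst is not None and dst.prefixlen == 32 and dst.network_address in statics:
                findings.append(f"acl {acl} on inside targets global {dst.network_address}; bind it to outside")
    return findings
```

Run `lint_pix_config(SAMPLE_CONFIG)` to see the six findings for the posted config; on a config with the interface address, statics and bindings corrected it returns an empty list.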

Community Member

Re: PIX 501 Help....asap.

Okay well I'm at a loss... I'll keep looking around to see what I can find, but I'm still in the same situation. Thanks for getting me to where I'm at!
