PIX 515e and 1841 Router - need help with setup

smbtest12

Hi

We have an 1841 Router with a leased line coming through on it. We have been advised to use a firewall between the 1841 and our LAN, so we are using a 515e which we have in the office.

The scenario up until now has been, with regards to our 515e, that on the Internal port we have our entire IP range, i.e. abc.def.ghi.0/24 (not a private IP range), and on the External port we have a single public IP address of a different range.

Now we have a new public IP range, i.e. jkl.mno.pqr.0/24 (coming from the leased line through the 1841), but don't have a single public IP address for the External port.

Can we use an IP address from the jkl.mno.pqr.0/24 and single it out for the External port? Will this work? If not, then what is the workaround or solution for this, please?

Unfortunately, we don't have access to the 1841, but we do to the PIX.

We really appreciate any help on this and a million thanks in advance.

Regards,

Ali

22 Replies

Not really, since it is showing most outside attempts.

Did you remove the inside acl for troubleshooting?

Try a telnet session to a web site on port 80 and take a look at your log. Having a real-time log viewer might be helpful. This is a pretty simple setup and should work as is.

Yes we removed the inside rules.

It seems like, after trying your telnet suggestion, that there is some sort of connectivity, but the following implicit rule is blocking access:

access-list inside_access_in extended deny ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

This rule was inbuilt and does not actually appear in sh running-config, but the logs from the telnet session clearly point to this.

We had a few earlier logs pointing to this too, but we wrote a rule to override it as follows, but it doesn't seem to have any effect:

access-list inside_access_in extended permit ip 192.168.7.0 255.255.255.0 192.168.7.0 255.255.255.0 time-range Never_End

Thanks a lot

Ali

Sorry Etienne, forgot to ask you if you have any ideas about getting round this.

Thanks a lot

Ali

Sorry. Not sure, but have you tried removing that line from your configuration? Do you really need an inside ACL? If you really need an inside ACL, create a new one and apply it to the inside interface. I think that will be the best shortcut to take.

rgds,

Thanks, but it's an implicit rule which is hard-wired into the OS of the PIX. I have been trying to remove it, but in ASDM there is no option to delete, and in the command line it just doesn't appear.

Thanks

Hi Tahir,

If you really need an inside ACL, create a new ACL and apply it to the inside interface. I also don't understand that it is an implicit rule. I thought deny at the end of an ACL statement was the implicit rule.

In any case, just create a new one (with a new name :-) and apply it to the inside Interface. You can always clean up the config later.
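To show why the posted permit line does not help an outbound web connection, here is an added Python model of PIX first-match ACL evaluation with the implicit deny at the end; it is not code from the thread or from Cisco. The ACL lines are the ones posted in the thread plus a corrected variant that uses `any` as the destination (an assumption about the fix), and the hosts 192.168.7.10 and 198.51.100.80 are constructed sample addresses.

```python
import ipaddress

# ACL as posted in the thread: permits only inside-to-inside traffic.
ACL_AS_POSTED = [
    "access-list inside_access_in extended permit ip 192.168.7.0 255.255.255.0 "
    "192.168.7.0 255.255.255.0 time-range Never_End",
]
# Assumed corrected ACL: permits inside hosts to any destination.
ACL_CORRECTED = [
    "access-list inside_access_in extended permit ip 192.168.7.0 255.255.255.0 any",
]

def _take_net(tok, i):
    """Return (network, next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION ip SRC DST [...]'.
    Trailing options such as 'time-range Never_End' are ignored."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    action, proto = tok[3], tok[4]
    src, i = _take_net(tok, 5)
    dst, _ = _take_net(tok, i)
    return action, proto, src, dst

def evaluate(acl_lines, src_ip, dst_ip):
    """First matching ACE wins. If nothing matches, the PIX applies the
    implicit deny that never appears in 'show running-config'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, proto, src, dst = parse_ace(line)
        if proto == "ip" and s in src and d in dst:
            return action, line
    return "deny", "implicit deny (not shown in running-config)"

if __name__ == "__main__":
    # Outbound web connection from an inside host to a constructed public IP.
    print(evaluate(ACL_AS_POSTED, "192.168.7.10", "198.51.100.80"))   # deny
    print(evaluate(ACL_CORRECTED, "192.168.7.10", "198.51.100.80"))   # permit
```

On a real PIX an ACL only takes effect once bound with `access-group inside_access_in in interface inside`; with no inside ACL applied at all, traffic from the higher-security inside interface to the lower-security outside is allowed by default, which is why removing the inside rules also works.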

Etienne,

Sorry I couldn't get back earlier. Your idea of removing the inside rules worked a treat. They were interfering with the connection; the implicit rule needs to be left as is (as far as I could figure out).

Thank you so much for your help. I may have other queries later on today as we are soon to finalise a new setup.

I really appreciate your help. Will rate your posts just now.

Regards

Ali

Thanks much and I am happy that I was able to assist.
