New Member

PIX 515e config

Hello, my network is modem -> switch -> pix -> inside network.

See my config below. No computer from the inside network is able to browse. They receive DHCP addresses and obviously can ping the pix. Any ideas?

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit 10.204.224.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside publicIP.42 255.x.x.248
ip address inside 10.204.224.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 publicIP.44
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
routing interface outside
rip outside default version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 publicIP.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 10.204.224.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
sysopt noproxyarp inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.204.224.150-10.204.224.200 inside
dhcpd dns dnsfromISP
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Thanks

Daniel.

8 REPLIES
Green

Re: PIX 515e config

Can you ping publicIP.41 from the pix?

New Member

Re: PIX 515e config

Yes, I can ping publicIP.41 from the pix. I can even ping outside DNSs, yahoo, etc. I can ping out from the pix.

Green

Re: PIX 515e config

Add..

access-list outside_in permit icmp any any

access-group outside_in in interface outside

Can inside hosts ping out as well?

New Member

Re: PIX 515e config

I think it is your routing interface command that is wrong. Try removing that and see how you go.

New Member

Re: PIX 515e config

So the command that reads 'routing interface outside':

remove that and you should be right.

New Member

Re: PIX 515e config

Hey guys, here's the latest config. Still no way. Help!

By the way, how do I return the pix to factory default? Can one send a message from the pix to a computer/user?

D

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit tcp any any
access-list outside_in permit icmp any any
pager lines 24
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside publicIP.42 255.255.255.248
ip address inside 10.204.224.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 publicIP.44
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
access-group inside_access_in in interface inside
rip outside default version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 publicIP.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.204.224.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
sysopt noproxyarp inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.204.224.150-10.204.224.200 inside
dhcpd dns DNSISP1 DNSISP2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

New Member

Re: PIX 515e config

Hi,

So, if I understand your problem, your goal is to provide HTTP access to inside hosts?

- Check if your ACLs are correct:

Try to replace this line:

"access-list inside_access_in permit tcp any any"

by

"access-list inside_access_in permit ip any any"

- Try to replace this line:

global (outside) 1 publicIP.44

by

global (outside) 1 interface

If that solves your problem, check that the publicIP.44 address is not already used on your outside network. If it's not the case, and you still want inside hosts to be NATed to the publicIP.44 address,

add in your configuration this line:

no sysopt noproxyarp outside

Please let me know if that helps

Khay
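A small check, added here and not part of the thread or of any Cisco tooling, that reads a PIX 6.3 config excerpt like the one posted and flags the condition Khay's fix addresses (a global pool address other than the interface's own address on an interface where proxy ARP is disabled, so the upstream router cannot resolve publicIP.44), together with two exposure points visible in the same listing: management access permitted from any source on the outside interface, and the default SNMP community. The excerpt is constructed from the poster's second config; the parser and its regexes are assumptions.

```python
import re

# Constructed excerpt of the poster's second config: only the lines the check reads.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside publicIP.42 255.255.255.248
global (outside) 1 publicIP.44
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt noproxyarp outside
sysopt noproxyarp inside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""

def parse(config):
    """Collect the statements the check needs, keyed by interface name."""
    s = {"ip": {}, "global": {}, "noproxyarp": set(), "mgmt": [], "snmp": []}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+) \S+$", line):
            s["ip"][m[1]] = m[2]                      # interface -> its own address
        elif m := re.match(r"global \((\S+)\) \d+ (\S+)$", line):
            s["global"].setdefault(m[1], []).append(m[2])  # PAT address or "interface"
        elif m := re.match(r"sysopt noproxyarp (\S+)$", line):
            s["noproxyarp"].add(m[1])
        elif m := re.match(r"(http|ssh|telnet) (\S+) (\S+) (\S+)$", line):
            s["mgmt"].append((m[1], m[2], m[3], m[4]))  # proto, net, mask, interface
        elif m := re.match(r"snmp-server community (\S+)", line):
            s["snmp"].append(m[1])
    return s

def findings(config):
    s, out = parse(config), []
    # 1. The thread's bug: with proxy ARP off, the PIX never answers ARP for a
    #    mapped address that is not its interface address, so replies never return.
    for intf, addrs in s["global"].items():
        for a in addrs:
            if a != "interface" and a != s["ip"].get(intf) and intf in s["noproxyarp"]:
                out.append(f"global {a} on {intf} unreachable: proxy ARP disabled")
    # 2. Management listeners reachable from any source on the outside interface.
    for proto, net, mask, intf in s["mgmt"]:
        if intf == "outside" and net == "0.0.0.0" and mask == "0.0.0.0":
            out.append(f"{proto} management open to any source on {intf}")
    # 3. Well-known default community strings.
    for c in s["snmp"]:
        if c.lower() in ("public", "private"):
            out.append(f"snmp community '{c}' is a well-known default")
    return out
```

Either of Khay's two changes (dropping the `sysopt noproxyarp outside` line or switching the global to `interface`) clears the first finding; the other two remain until the management and SNMP lines are tightened.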

New Member

Re: PIX 515e config

Thanks a lot Khay, the "no sysopt noproxyarp outside" did the trick. Got to learn more about the sysopt command.

Thanks bro.
