08-13-2010 06:04 AM - edited 03-11-2019 11:25 AM
Here is my situation. I am new to the PIX and can't get to the outside world from my workstation. I can ping through to the outside world from the PIX. I can ping the PIX from the router. I can ping the PIX from the workstation. So I think the issue is in my config. Here is my config.
Thank you in advance.
XX-PIX# sh run
: Saved
:
PIX Version 8.0(4)32
!
hostname xx-PIX
enable password
passwd
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.20.x.2 255.255.255.252
!
banner login ****** W A R N I N G ******
banner login THIS IS A PRIVATE COMPUTER SYSTEM: UNAUTHORIZED ACCESS IS FORBIDDEN
banner login AND WILL BE PROSECUTED BY LAW.
banner login By accessing this system, you agree that your actions may be monitored. This
banner login computer system, including all related equipment, network devices, specifically
banner login including Internet access, are provided only for authorized use. All computer
banner login systems may be monitored for all lawful purposes, including to ensunore that their
banner login use is authorized, to manage the system, to facilitate protection against
banner login unauthorized access, and to verify security procedures, survivability and opera-
banner login tional security. Monitoring includes active attacks by authorized personnel and
banner login their entities to test or verify the security of the system. During monitoring,
banner login information may be examined, recorded, copied and used for authorized purposes.
banner login All information including personal information, placed on or sent over this
banner login system may be monitored. Uses of this system, authorized or unauthorized,
banner login constitutes consent to monitoring of this system. Unauthorized use may subject
banner login you to criminal prosecution. Evidence of any such unauthorized use collected
banner login during monitoring may be used for administrative, criminal or other adverse
banner login action. Use of this system constitutes consent to monitoring for these purposes.
banner login ****** W A R N I N G ******
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
route inside x.x.x.x 255.255.255.0 xx.xx.xx.1 1
route inside x.x.x.x 255.255.0.0 xxx.xx.xx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-server (inside) vendor websense host x.x.x.x timeout 30 protocol TCP version 4 connections 5
filter url except 0.0.0.0 0.0.0.0 x.x.x.x 255.255.255.255
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http xxx.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet xxx.xxx.xxx.x 255.255.255.255 inside
telnet xxx.xxx.xxx.x 255.255.255.255 inside
telnet timeout 5
ssh xxx.xxx.xxx.1 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
url-block url-mempool 1500
url-block url-size 4
url-block block 128
ntp server 192.43.244.18
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:51b1e54629f0808871df4327be9321e0
: end
08-13-2010 06:11 AM
Hello,
You are missing the global NAT pool configuration. Please configure the
following line:
global (outside) 1 interface
Hope this helps.
Regards,
NT
08-13-2010 06:29 AM
This did not fix it.
08-13-2010 06:33 AM
Hello,
Did you enter "global (outside) 1 interface" command?
Regards,
NT
08-13-2010 06:11 AM
Dear Mike Snow,
I just reviewed your config. Your outside interface and your default route are the same. Where do you want to route your traffic?
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.3 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
Regards
Balajirajah P B
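The two points raised so far, a default route whose next hop is the firewall's own outside address and a nat statement with no matching global, are both things a small config lint can catch before a box goes into service. The script below is an added example for this thread, not Cisco tooling and not anything the posters ran. It parses only the few show run lines the checks need and reports both conditions. The sample configs inside it are constructed from the values in the thread (192.168.1.3, nat (inside) 1, route outside 0.0.0.0 0.0.0.0 192.168.1.3 1); the inside address 172.20.0.2 and the DSL modem address 192.168.1.1 are placeholders for the masked originals, and the "fixed" sample follows the outside-address and global change suggested later in the thread.

```python
"""Lint a PIX/ASA 8.x 'show run' excerpt for the problems raised in this thread.

Added example for the thread, not Cisco tooling. Checks:
  1. a static default route whose next hop is one of the firewall's own addresses;
  2. a static default route whose next hop is off the exit interface's subnet;
  3. a 'nat (<if>) <id>' with no 'global (...) <id>' to translate into;
  4. no default route at all, unless an interface uses 'ip address dhcp setroute'.
"""
import ipaddress
import re

INTERFACE_RE = re.compile(r"^interface\s+\S+")
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")
DHCP_RE = re.compile(r"^ip address\s+dhcp(\s+setroute)?")
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)")


def parse(config):
    """Return (interfaces, routes, nats, globals) from 'show run' text.

    interfaces: nameif -> {"ip": IPv4Interface or None, "dhcp_setroute": bool}
    routes:     list of (exit nameif, dest, mask, next hop as IPv4Address)
    nats / globals: lists of (nameif, id)
    """
    interfaces, routes, nats, globals_ = {}, [], [], []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if INTERFACE_RE.match(line):
            current = {"nameif": None, "ip": None, "dhcp_setroute": False}
        elif current is not None:
            # Inside an interface block; the block ends at the next '!' line.
            if line == "!":
                if current["nameif"]:
                    interfaces[current["nameif"]] = current
                current = None
            elif m := NAMEIF_RE.match(line):
                current["nameif"] = m.group(1)
            elif m := IPADDR_RE.match(line):
                current["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif m := DHCP_RE.match(line):
                current["dhcp_setroute"] = m.group(1) is not None
        elif m := ROUTE_RE.match(line):
            iface, dest, mask, nexthop = m.groups()
            try:
                routes.append((iface, dest, mask, ipaddress.IPv4Address(nexthop)))
            except ValueError:
                pass  # masked values such as 'x.x.x.x' cannot be checked
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), m.group(2)))
        elif m := GLOBAL_RE.match(line):
            globals_.append((m.group(1), m.group(2)))
    if current is not None and current["nameif"]:
        interfaces[current["nameif"]] = current  # block not closed by '!'
    return interfaces, routes, nats, globals_


def lint(config):
    """Return a list of findings (strings); an empty list means clean."""
    interfaces, routes, nats, globals_ = parse(config)
    findings = []
    own = {i["ip"].ip: name for name, i in interfaces.items() if i["ip"]}
    has_default = any(i["dhcp_setroute"] for i in interfaces.values())
    for iface, dest, mask, nexthop in routes:
        if (dest, mask) != ("0.0.0.0", "0.0.0.0"):
            continue
        has_default = True
        if nexthop in own:
            findings.append(f"default route next hop {nexthop} is the firewall's own "
                            f"{own[nexthop]} address; point it at the upstream router")
        elif (ip := interfaces.get(iface, {}).get("ip")) and nexthop not in ip.network:
            findings.append(f"default route next hop {nexthop} is not on the {iface} "
                            f"subnet {ip.network}")
    if not has_default:
        findings.append("no default route and no interface with 'ip address dhcp setroute'")
    global_ids = {gid for _, gid in globals_}
    for iface, nid in nats:
        if nid != "0" and nid not in global_ids:  # nat id 0 is identity/exempt NAT
            findings.append(f"nat ({iface}) {nid} has no matching global statement")
    return findings


def sample(outside_ip_line, trailer):
    """Build a minimal two-interface config; constructed for this example."""
    return (f"interface Ethernet0\n nameif outside\n {outside_ip_line}\n!\n"
            "interface Ethernet1\n nameif inside\n"
            " ip address 172.20.0.2 255.255.255.252\n!\n" + trailer)


# Values from the thread; 172.20.0.2 and 192.168.1.1 are placeholders.
BROKEN_CONFIG = sample("ip address 192.168.1.3 255.255.255.0",
                       "nat (inside) 1 0.0.0.0 0.0.0.0\n"
                       "route outside 0.0.0.0 0.0.0.0 192.168.1.3 1\n")
FIXED_CONFIG = sample("ip address 192.168.1.10 255.255.255.0",
                      "global (outside) 1 interface\nnat (inside) 1 0.0.0.0 0.0.0.0\n"
                      "route outside 0.0.0.0 0.0.0.0 192.168.1.1 1\n")
DHCP_CONFIG = sample("ip address dhcp setroute",
                     "global (outside) 1 interface\nnat (inside) 1 0.0.0.0 0.0.0.0\n")

if __name__ == "__main__":
    for name, cfg in [("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG), ("dhcp", DHCP_CONFIG)]:
        print(name, lint(cfg) or "clean")
```

Run against the broken sample it reports the self-pointing default route and the nat without a global; the corrected sample and the dhcp setroute variant come back clean, which is the state the thread ends in.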
08-13-2010 06:23 AM
The default route is set to go to the DSL router. Is that what you are asking...
Mike
08-13-2010 06:26 AM
Dear Mike,
Your firewall outside interface address and your default route are pointing to the same IP address.
Regards
Balajirajah P B
08-13-2010 06:34 AM
Here is my logical setup:
router-->PIX-->DSL router---outside world
Mike
08-13-2010 06:39 AM
Hello,
OK. Let's first work on the connectivity part. Please configure the
following:
on the PIX:
int ethernet 0
ip address 192.168.1.10 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
This should let you get basic connectivity. Once that happens, then we can
work on making other configurations.
Hope this helps.
Regards,
NT
08-13-2010 06:32 AM
Hello,
Is your DSL router configured in routed mode? Typically, DSL modems also
have a setting where they will act in bridge mode and assign the firewall
the public IP address. Can you please configure that? Or you can just set
the DSL mode such that it assigns a public IP to your firewall. Also, the
default gateway should be the DSL modem's IP (typically 192.168.1.1).
Hope this helps.
Regards,
NT
08-13-2010 06:38 AM
Currently it is in router mode. I will have to order a static IP right now. Will let you know if that works. Thanks for the fast replies...
Mike
08-13-2010 07:45 AM
Thank you all for the quick replies. I got it up and running correctly. I set the interface to: ip address outside dhcp setroute, and it started working.
Mike