11-18-2008 05:25 PM - edited 03-06-2019 02:33 AM
Hi--
I have two small offices and recently switched from DSL to cable internet. The two PIX 501 f/w units worked fine on DSL, but for the life of me I cannot even access the units now from the inside as I was able to do before when on the DSL signal. I know I need to change the configuration from PPPoE to DHCP, but I can't get access to do it.
Any suggestions?
I believe I have 6.2 software, but I'm not sure. The Inside address is 10.8.6.1 now.
thanks--jb
12-14-2008 08:55 PM
You should have been able to browse the internet, as access from inside to outside is permitted by default. Can you re-confirm connectivity from the PIX itself? Try pinging 151.203.0.84 as well as 151.202.0.84 from the PIX.
Also, to ping from inside to outside you need to allow ICMP/traceroute.
Configure this access list to permit ICMP outbound from inside:
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in interface outside
For an ICMP reference, have a look here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Once you make the above change, try to ping from inside to outside the DNS server IP addresses you previously configured in the laptop, for example, then try a ping by name, yahoo:
c:\ping www.yahoo.com (which is pingable).
Let us know the results.
Regards
12-15-2008 05:49 AM
Jorge--
From the Pix console, I was able to ping dns 151.203.0.84 and 151.202.0.84
From the pix console, I was able to ping the yahoo site.
I entered the access-list commands ok.
The "access-group outside_access_in interface outside" failed because the PIX told me "not enough arguments". I looked over the syntax requirements and I don't see the problem. What am I missing?
From the laptop I am still unable to ping to the outside.
For reference, here is current data:
pixMDC# show route | inc 0.0.0.0
outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static
pixMDC#
pixMDC#
pixMDC# Show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PVSASRJovmamnVkD encrypted
passwd PVSASRJovmamnVkD encrypted
hostname pixMDC
domain-name keene.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.8.6.0 255.255.255.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.8.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.8.6.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.8.6.2-10.8.6.33 inside
dhcpd dns 151.203.0.84 151.202.0.84
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server 10.8.6.0 10.0.0.0
vpnclient mode client-mode
vpnclient vpngroup fnd password ********
vpnclient username fnd password ********
vpnclient enable
terminal width 80
Cryptochecksum:abc03ad913138c14819a5314e35ce837
: end
pixMDC#
Thanks--
Jeffrey
12-15-2008 07:12 AM
Sorry, I missed the "in":
access-group outside_access_in in interface outside
Please add the above statement and try to ping the outside DNS from the laptop; make sure you have DNS servers configured in the laptop.
Try again.
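Added example, not Cisco code and not part of the thread: a small Python linter for the two PIX 6.x syntax points raised in the replies above, the ICMP return-traffic rules on the outside ACL and the access-group line that was rejected until the "in" keyword was added. The sample config is a constructed subset of the config posted in this thread (with the access-group line as first typed); the finding labels are made up for this example. Two extra checks are the editor's own and are only observations about the posted config, not findings from the thread: the default SNMP community string, and an Easy VPN server address that falls inside the firewall's own inside subnet (the question of whether Easy VPN is involved is raised, but never answered, later in the thread).

```python
"""Lint a PIX 6.x config for the points raised in this thread (added example, not Cisco code)."""
import ipaddress
import re

# PIX 6.x binds an ACL with exactly: access-group <acl> in interface <ifname>
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
# ICMP types the outside ACL must permit for pings/traceroutes started inside
# to get their replies back (PIX 6.x does not track ICMP statefully).
REPLY_TYPES = ("echo-reply", "unreachable", "time-exceeded")

# Constructed subset of the config posted in this thread, with the access-group
# line as first typed (the "in" keyword is missing).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.8.6.0 255.255.255.0 0 0
access-group outside_access_in interface outside
snmp-server community public
vpnclient server 10.8.6.0 10.0.0.0
vpnclient mode client-mode
vpnclient enable
"""


def parse_config(text):
    """Collect only the statements the lint rules look at."""
    cfg = {"acls": {}, "access_groups": [], "bad_access_groups": [],
           "inside_net": None, "snmp": [], "vpn_servers": [], "vpn_enabled": False}
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if not t or line.startswith(":"):
            continue
        if t[0] == "access-list" and len(t) >= 3:
            cfg["acls"].setdefault(t[1], []).append(" ".join(t[2:]))
        elif t[0] == "access-group":
            m = ACCESS_GROUP_RE.match(line)
            if m:
                cfg["access_groups"].append(m.groups())   # (acl, ifname)
            else:
                cfg["bad_access_groups"].append(line)     # PIX 6.x rejects this form
        elif t[:3] == ["ip", "address", "inside"] and len(t) >= 5 and t[3] != "dhcp":
            cfg["inside_net"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:2] == ["snmp-server", "community"] and len(t) >= 3:
            cfg["snmp"].append(t[2])
        elif t[:2] == ["vpnclient", "server"]:
            cfg["vpn_servers"].extend(t[2:])              # IPs in the posted config
        elif t[:2] == ["vpnclient", "enable"]:
            cfg["vpn_enabled"] = True
    return cfg


def lint(text):
    """Return one finding string per problem; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    out = []
    for line in cfg["bad_access_groups"]:
        out.append(f"access-group: PIX 6.x expects 'access-group <acl> in interface <if>', got {line!r}")
    bound = {acl for acl, _ in cfg["access_groups"]}
    for acl in cfg["acls"]:
        if acl not in bound:
            out.append(f"acl-unapplied: {acl} is defined but not bound to any interface")
    for acl, ifname in cfg["access_groups"]:
        if ifname != "outside" or acl not in cfg["acls"]:
            continue
        for icmp_type in REPLY_TYPES:
            if not any(r.startswith("permit icmp") and r.endswith(icmp_type) for r in cfg["acls"][acl]):
                out.append(f"icmp: {acl} on outside does not permit {icmp_type}; "
                           "replies to inside pings/traceroutes will be dropped")
    for community in cfg["snmp"]:
        if community in ("public", "private"):
            out.append(f"snmp: default community string {community!r} is configured")
    if cfg["vpn_enabled"] and cfg["inside_net"] is not None:
        for server in cfg["vpn_servers"]:
            if ipaddress.ip_address(server) in cfg["inside_net"]:
                out.append(f"vpnclient: Easy VPN server {server} lies in the local inside "
                           f"subnet {cfg['inside_net']}")
    return out


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

Run against the sample as posted, it reports the rejected access-group line and, as a consequence, an ACL that is defined but never bound; once the line carries the "in" keyword those two findings disappear and the ICMP check passes, leaving only the two editor's observations. Feed it the full "show run" output and it ignores everything it does not know about.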
12-15-2008 07:29 AM
Thanks Jorge--
That command was accepted.
From laptop I can ping 10.8.6.1 ok
Pinging the DNS 151.303.0.84 or 151.202.0.84 times out unsuccessfully. The yahoo ping is also unsuccessful.
Seems there must be some little thing I'm missing.
Jeffrey
12-15-2008 08:30 AM
pixMDC# show route | inc 0.0.0.0
outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static
What is the topology? Do you have another router in front of the FW and then the cable modem, or are you connecting straight from the FW to the cable modem? The FW is getting a private IP for its default route from the upstream ISP, which should be a public IP. Can you restart the cable modem and the FW as well?
12-15-2008 11:13 AM
Jorge--
I did have the PIX connected to a router, 192.168.1.1, for convenience, so I could still get internet wirelessly without having to do lots of wire unplugging and plugging.
I have since changed the topology to the Comcast modem connected directly to the PIX, which in turn connects directly to the laptop.
In this configuration, the laptop pings 10.8.6.1 OK, but the PIX has no connectivity to Comcast.
When the laptop is connected directly to the Comcast modem (i.e. PIX removed), ipconfig /all from the laptop reads the following from Comcast:
IP 71.192.7.130
mask 255.255.252.0
DG 72.192.11.1
DHCP server 68.87.71.52
DNS 68.87.71.226 and 68.87.73.242
The response to pix# show route | inc 0.0.0.0 is nothing.
For reference, here is show run
pixMDC# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PVSASRJovmamnVkD encrypted
passwd PVSASRJovmamnVkD encrypted
hostname pixMDC
domain-name keene.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.8.6.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.8.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.8.6.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.8.6.2-10.8.6.33 inside
dhcpd dns 151.203.0.84 151.202.0.84
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server 10.8.6.0 10.0.0.0
vpnclient mode client-mode
vpnclient vpngroup fnd password ********
vpnclient username fnd password ********
vpnclient enable
terminal width 80
Cryptochecksum:6ca15e834dc867c6f12b46b2bd28a4a8
: end
pixMDC#
pixMDC#
pixMDC#
pixMDC# ping 71.192.7.130
No route to host 71.192.7.130.
Usage: ping [if_name]
pixMDC#
It appears that the PIX is not seeing the Comcast DHCP signal and latching onto it.
Thanks,
Jeffrey
12-15-2008 12:56 PM
Jeffrey, the config is good on the firewall. What you need to do is this, and then try again:
1- Plug the FW outside interface back directly into the cable modem port
power down the firewall
power down the cable modem
power the cable modem back on and wait a few seconds until it is fully up
then power the firewall back on
log in to the firewall and do show route | inc 0.0.0.0 to make sure it is getting a default route.
Post results; if negative, we'll try a different approach.
Regards
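Added example, not from the thread or from Cisco: a Python classifier for the "show route | inc 0.0.0.0" check that the reply above ends with, applying the reasoning the earlier 12-15-2008 08:30 AM reply used when it spotted a private 192.168.1.1 gateway. The route lines below are constructed in the PIX 6.x "show route" format quoted in the thread; the public gateway is taken from the laptop's ipconfig output posted earlier, and the inside CONNECT line is the editor's assumption of what the full output would show. The verdict names and explanations are the editor's own. The reason the procedure powers the modem up before the firewall is, in the editor's experience, that many residential cable modems only serve a DHCP lease to the first MAC address they see after a restart; the thread does not state this.

```python
"""Classify the PIX outside default route (added example, not Cisco code)."""
import ipaddress
import re

# PIX 6.x 'show route' line: <ifname> <dest> <mask> <gateway> <metric> <source...>
ROUTE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<dest>[\d.]+)\s+(?P<mask>[\d.]+)\s+"
    r"(?P<gw>[\d.]+)\s+(?P<metric>\d+)\s+(?P<source>.+)$"
)

EXPLANATION = {
    "NO_DEFAULT_ROUTE": ("outside has no default route, so no DHCP lease was obtained; "
                         "'ping' from the PIX reports 'No route to host'. Power-cycle the "
                         "modem first, then the PIX, and check again."),
    "STATIC_DEFAULT": ("the default route is not DHCP-learned although "
                       "'ip address outside dhcp setroute' should be installing it"),
    "PRIVATE_UPSTREAM": ("the default gateway is an RFC 1918 address: another router is "
                         "NATting in front of the PIX, so the PIX is not on the ISP segment"),
    "PUBLIC_UPSTREAM": ("DHCP-learned default route via a public gateway: the outside "
                        "interface is on the ISP segment"),
}

# Constructed 'show route' outputs for the situations seen in the thread.
ROUTE_VIA_HOME_ROUTER = """\
outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static
inside 10.8.6.0 255.255.255.0 10.8.6.1 1 CONNECT static
"""
ROUTE_NO_LEASE = """\
inside 10.8.6.0 255.255.255.0 10.8.6.1 1 CONNECT static
"""
# Gateway taken from the laptop's ipconfig output posted in the thread.
ROUTE_VIA_ISP = """\
outside 0.0.0.0 0.0.0.0 72.192.11.1 1 DHCP static
inside 10.8.6.0 255.255.255.0 10.8.6.1 1 CONNECT static
"""


def parse_routes(show_route):
    """Return one dict per parseable route line; unrelated output is skipped."""
    routes = []
    for line in show_route.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(m.groupdict())
    return routes


def default_route(show_route, ifname="outside"):
    """The 0.0.0.0/0 route on the given interface, or None if there is none."""
    for r in parse_routes(show_route):
        if r["ifname"] == ifname and r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0":
            return r
    return None


def diagnose(show_route, ifname="outside"):
    """Map the default-route state to one of the EXPLANATION keys."""
    r = default_route(show_route, ifname)
    if r is None:
        return "NO_DEFAULT_ROUTE"
    if "DHCP" not in r["source"]:
        return "STATIC_DEFAULT"
    if ipaddress.ip_address(r["gw"]).is_private:
        return "PRIVATE_UPSTREAM"
    return "PUBLIC_UPSTREAM"


if __name__ == "__main__":
    for name, text in (("home router in path", ROUTE_VIA_HOME_ROUTER),
                       ("no lease", ROUTE_NO_LEASE),
                       ("direct to ISP", ROUTE_VIA_ISP)):
        verdict = diagnose(text)
        print(f"{name}: {verdict} - {EXPLANATION[verdict]}")
```

Paste the full "show route" output rather than the grep'd line so the inside CONNECT route is parsed too; the classifier only looks at the default route but a missing inside route would point at a different problem.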
01-14-2009 01:14 PM
Jorge--
I did the above.
The command show route | inc 0.0.0.0 failed to give a response from the console. When I gave the same command via the HTTPS connection I received the response "command sent to firewall" and then nothing further.
From the laptop, I can ping 10.8.6.1 but cannot ping through to the outside.
Maybe a hammer placed smartly between the lcd's would help?
Thanks,
Jeffrey
01-14-2009 02:34 PM
Jeffrey,
Post the updated FW config again so we can see what you have in the firewall.
01-15-2009 07:59 AM
Jorge--
Here is the show config data:
Result of firewall command: "show config"
: Saved
: Written by enable_15 at 10:21:08.192 UTC Mon Dec 15 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PVSASRJovmamnVkD encrypted
passwd PVSASRJovmamnVkD encrypted
hostname pixMDC
domain-name keene.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.8.6.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.8.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.8.6.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.8.6.2-10.8.6.33 inside
dhcpd dns 151.203.0.84 151.202.0.84
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server 10.8.6.0 10.0.0.0
vpnclient mode client-mode
vpnclient vpngroup fnd password ********
vpnclient username fnd password ********
vpnclient enable
terminal width 80
Cryptochecksum:6ca15e834dc867c6f12b46b2bd28a4a8
thanks,
Jeffrey
01-15-2009 08:17 AM
Jeffrey,
Assuming you connected the PIX outside interface to the cable modem, try this to force it and see what happens. You may want to power cycle the cable modem first before you try the statement below.
pix(config)#ip address outside dhcp setroute retry 10
let me know how it goes.
Regards
01-15-2009 09:10 AM
Jorge--
Laptop connected to cable modem, confirmed good DHCP signal.
PIX connected directly to cable modem, and both re-powered up; lights on the PIX on and solid.
I accessed the PIX via console and entered
pix(config)#ip address outside dhcp setroute retry 10
There was no response, i.e. the PIX just showed me the command prompt.
What can be the problem?
01-15-2009 12:46 PM
Jeffrey,
It is strange .. it should have picked up an IP. Can you test with your laptop connecting to the cable modem to see if you get DHCP from it?
One question: are you sure you are supposed to be DHCP when connecting to the cable modem, or a static public IP?
This is the longest thread I have ever done! Turning into a book :)
01-15-2009 03:21 PM
Jorge--
When I connect the laptop directly to the cable modem, and make sure the TCP/IP screens are set for "obtain address automatically", the internet comes up fine.
Then when I plug the same cable from the modem into the PIX, all the right LCDs are lit on the PIX, but it doesn't play ball. Yet from the PIX console, I can ping to the outside (yahoo). It's as if the signal doesn't navigate its way through the PIX. Could this have anything to do with EasyVPN that is turned on?
Or should we revert to factory defaults and rebuild the configuration?
Jeffrey
01-22-2009 05:19 PM
Jorge--
Any more thoughts about my PIX? I'm frustrated, as I'm sure you are, but something inside the system doesn't seem to be playing according to design.
What to do?
Thanks,
Jeffrey