Can't access PIX 501 after switch from dsl to cable

jblomstedt
Level 1

Hi--

I have two small offices and recently switched from DSL to cable internet. The two PIX 501 f/w units worked fine on DSL, but for the life of me I cannot even access the units now from the inside as I was able to do before when on the DSL signal. I know I need to change the configuration from PPPoE to DHCP, but I can't get access to do it.

Any suggestions?

I believe I have 6.2 software, but I'm not sure. The Inside address is 10.8.6.1 now.

thanks--jb

30 Replies

You should have been able to browse the internet, as access from inside to outside is permitted by default. Can you re-confirm connectivity from the PIX itself? Try ping from the PIX to 151.203.0.84 as well as 151.202.0.84.

Also, to ping from inside to outside you need to allow icmp/traceroute.

Configure this access list to permit ICMP outbound from inside.

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

access-group outside_access_in interface outside

ICMP reference, have a look here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Once you make the above change, try ping from inside to outside to the DNS servers' IP addresses you previously configured in the laptop, for example, then try ping by name (yahoo).

c:\ping www.yahoo.com, which is pingable.

Let us know the results.

Regards

Jorge Rodriguez

Jorge--

From the Pix console, I was able to ping dns 151.203.0.84 and 151.202.0.84

From the pix console, I was able to ping the yahoo site.

I entered the access-list commands ok.

The "access-group outside_access_in interface outside" failed because the PIX told me "not enough arguments". I looked over the syntax requirements and I don't see the problem. What am I missing?

From the laptop I am still unable to ping to the outside.

For reference, here is current data:

pixMDC# show route | inc 0.0.0.0

outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static

pixMDC#

pixMDC#

pixMDC# Show run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password PVSASRJovmamnVkD encrypted

passwd PVSASRJovmamnVkD encrypted

hostname pixMDC

domain-name keene.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.8.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.0 255.0.0.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.8.6.0 255.255.255.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.0.0.0 255.0.0.0 inside

http 10.8.6.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.8.6.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.8.6.2-10.8.6.33 inside

dhcpd dns 151.203.0.84 151.202.0.84

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

vpnclient server 10.8.6.0 10.0.0.0

vpnclient mode client-mode

vpnclient vpngroup fnd password ********

vpnclient username fnd password ********

vpnclient enable

terminal width 80

Cryptochecksum:abc03ad913138c14819a5314e35ce837

: end

pixMDC#

Thanks--

Jeffrey

Sorry, I missed ( in )

access-group outside_access_in in interface outside

Please add the above statement and try to ping the outside DNS from the laptop; make sure the laptop has DNS servers configured.

Try again.

Jorge Rodriguez

Thanks Jorge--

That command was accepted.

From laptop I can ping 10.8.6.1 ok

Pinging the DNS 151.303.0.84 or 151.202.0.84 times out unsuccessfully. Yahoo ping also unsuccessful.

Seems there must be some little thing I'm missing.

Jeffrey

pixMDC# show route | inc 0.0.0.0

outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static

What is the topology? Do you have another router in front of the fw, then the cable modem, or are you connecting straight from the fw to the cable modem? The fw is getting a private IP for its default route from the upstream ISP, which should be a public IP. Can you restart the cable modem and the fw as well?

Jorge Rodriguez
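Two things Jorge checks in this thread can be verified mechanically from the pasted output: an access-list that exists in "show run" but is never bound with an "access-group ... in interface ..." line (the "not enough arguments" mistake above), and a DHCP-learned default route whose next hop is private space, which means the PIX outside interface is behind another NAT router rather than on the cable modem. The following Python script is an added example, not code from the thread or from Cisco; the configuration and route lines it parses are constructed samples modelled on the posted output.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's "show run" / "show route" output
# (not a real device): the ACL exists but nothing binds it, and the outside
# default route learned over DHCP points at an RFC1918 next hop.
SAMPLE_CONFIG = """\
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.8.6.0 255.255.255.0 0 0
"""
SAMPLE_ROUTE = "outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static"

ACL_RE = re.compile(r"^access-list\s+(\S+)\s")
# PIX 6.x syntax: access-group <name> in interface <if_name>
BIND_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+\S+$")


def unbound_access_lists(config):
    """Names of access-lists defined in the config but never applied with an
    access-group line, so their permit entries have no effect on traffic."""
    defined, bound = set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            defined.add(m.group(1))
        elif m := BIND_RE.match(line):
            bound.add(m.group(1))
    return sorted(defined - bound)


def default_gateway(show_route_output):
    """Next hop of the 0.0.0.0/0 entry in 'show route' output, or None when
    the PIX has no default route at all (the 'nothing' case in the thread)."""
    for line in show_route_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1:3] == ["0.0.0.0", "0.0.0.0"]:
            return ipaddress.ip_address(fields[3])
    return None


def gateway_is_private(show_route_output):
    """True when the default gateway is RFC1918 space, i.e. the PIX outside
    interface sits behind another NAT router instead of the cable modem."""
    gw = default_gateway(show_route_output)
    return gw is not None and gw.is_private
```

Run it against your own pasted "show run" and "show route | inc 0.0.0.0" text; an empty list from unbound_access_lists and a public gateway are what you want to see before troubleshooting anything else.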

Jorge--

I did have the PIX connected to the router, 192.168.1.1, for convenience, so I could still get internet wirelessly without having to do lots of wire unplugging and plugging.

I have since changed the topology to Comcast modem connected directly to the PIX, which in turn connects directly to the laptop.

In this configuration, laptop pings 10.8.6.1 ok, but pix has no connectivity to comcast.

When the laptop is connected directly to the Comcast modem (i.e. PIX removed), the ipconfig /all from the laptop reads the following from Comcast:

ip 71.192.7.130

mask 255.255.252.0

DG 72.192.11.1

DHCP server 68.87.71.52

DNS 68.87.71.226 and 68.87.73.242

Response to pix# show route | inc 0.0.0.0 is nothing.

For reference, here is show run:

pixMDC# show run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password PVSASRJovmamnVkD encrypted

passwd PVSASRJovmamnVkD encrypted

hostname pixMDC

domain-name keene.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.8.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.0 255.0.0.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.8.6.0 255.255.255.0 0 0

access-group outside_access_in in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.0.0.0 255.0.0.0 inside

http 10.8.6.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.8.6.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.8.6.2-10.8.6.33 inside

dhcpd dns 151.203.0.84 151.202.0.84

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

vpnclient server 10.8.6.0 10.0.0.0

vpnclient mode client-mode

vpnclient vpngroup fnd password ********

vpnclient username fnd password ********

vpnclient enable

terminal width 80

Cryptochecksum:6ca15e834dc867c6f12b46b2bd28a4a8

: end

pixMDC#

pixMDC#

pixMDC#

pixMDC# ping 71.192.7.130

No route to host 71.192.7.130.

Usage: ping [if_name]

pixMDC#

It appears that the PIX is not seeing the Comcast DHCP signal and latching onto it.

Thanks,

Jeffrey

Jeffrey, the config is good on the firewall. What you need to do is this, then try again.

1- Plug the fw outside interface back directly into the cable modem port

Power down the firewall

Power down the cable modem

Power the cable modem back on and wait a few seconds until it is fully up

Then power the firewall back on

Log in to the firewall and do show route | inc 0.0.0.0 to make sure it is getting a default route.

Post results; if negative, we'll try a different approach.

Regards

Jorge Rodriguez

Jorge--

I did the above.

The command show route | inc 0.0.0.0 failed to give a response from the console. When I gave the same command via the https connection I received the response "command sent to firewall" and then nothing further.

From the laptop, I can ping 10.8.6.1 but cannot ping through to the outside.

Maybe a hammer placed smartly between the lcd's would help?

Thanks,

Jeffrey

Jeffrey,

Post updated fw config again to see what you have in firewall.

Jorge Rodriguez

Jorge--

Here is the show config data:

Result of firewall command: "show config"

: Saved

: Written by enable_15 at 10:21:08.192 UTC Mon Dec 15 2008

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password PVSASRJovmamnVkD encrypted

passwd PVSASRJovmamnVkD encrypted

hostname pixMDC

domain-name keene.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.8.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.0 255.0.0.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.8.6.0 255.255.255.0 0 0

access-group outside_access_in in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.0.0.0 255.0.0.0 inside

http 10.8.6.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.8.6.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.8.6.2-10.8.6.33 inside

dhcpd dns 151.203.0.84 151.202.0.84

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

vpnclient server 10.8.6.0 10.0.0.0

vpnclient mode client-mode

vpnclient vpngroup fnd password ********

vpnclient username fnd password ********

vpnclient enable

terminal width 80

Cryptochecksum:6ca15e834dc867c6f12b46b2bd28a4a8

thanks,

Jeffrey

Jeffrey,

Assuming you connected the PIX outside interface to the cable modem, try this to force it and see what happens; you may want to power cycle the cable modem first before you try the below statement.

pix(config)#ip address outside dhcp setroute retry 10

Let me know how it goes.

Regards

Jorge Rodriguez

Jorge--

Laptop connected to cable modem, confirmed good DHCP signal.

PIX connected directly to cable modem, and both re-powered up; lights on PIX on and solid.

I accessed the pix via console and entered in

pix(config)#ip address outside dhcp setroute retry 10

There was no response, i.e. the PIX just showed me the command prompt.

What can be the problem?

Jeffrey,

It is strange... it should have picked up an IP. Can you test with your laptop connecting to the cable modem to see if you get DHCP from it?

One question: are you sure you are supposed to be DHCP when connecting to the cable modem, or a static public IP?

This is the longest thread I have ever done! Turning into a book :)

Jorge Rodriguez

Jorge--

When I connect the laptop directly to the cable modem, and make sure the TCP/IP screens are set for "obtain address automatically", the internet comes up fine.

Then when I plug the same cable from the modem into the PIX, all the right LEDs are lit on the PIX, but it doesn't play ball. Yet from the PIX console, I can ping to the outside (yahoo). It's as if the signal doesn't navigate its way through the PIX. Could this have anything to do with EasyVPN that is turned on?

Or should we revert to factory defaults and rebuild the configuration?

Jeffrey

Jorge--

Any more thoughts about my PIX? I'm frustrated as I'm sure you are, but something inside the system doesn't seem to be playing according to design.

What to do?

Thanks,

Jeffrey
