New Member

configuring pix 501 to access the internet

Hi,

I need your help.. I have configured my pix501 outside and inside ip address... I think everything is in place but I still cannot access the internet. I am attaching my present configuration.. Thanks

15 REPLIES
New Member

Re: configuring pix 501 to access the internet

I find the statement "nat (inside) 1 192.168.43.0 255.255.255.0 0 0" when you already have "nat (inside) 1 0.0.0.0 0.0.0.0 0 0". Though this should not be a problem, you don't need it. Have you tried to ping 203.131.103.177? Source your ping from the outside interface. Configuration looks correct and it looks like a connectivity problem between your PIX and ISP router.

New Member

Re: configuring pix 501 to access the internet

Yes, I have pinged 203.131.103.177 and it's not replying. I don't think it's the connectivity because I can connect to the internet without the pix in the network.

Hall of Fame Super Blue

Re: configuring pix 501 to access the internet

Hi

Why do you have this statement?

static (inside,outside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0 0 0

This says not to NAT any of the 192.168.43.0 addresses as they go from inside to outside and takes precedence over your nat/global statements.

Remove that statement, do a "clear xlate" and try again.

Jon
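
The check described in the reply above, as an added example that is not part of the original thread: a Python script that scans PIX 6.x style configuration text for an identity static overlapping a nat source range, and for nat statements already covered by a broader one with the same NAT ID. The sample config is constructed from the statements quoted in the replies; the global line is an assumption (the attached config is not shown), and `audit` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample: the nat/static statements quoted in the thread, plus a
# global line that is an assumption (the poster's attached config is not shown).
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 192.168.43.0 255.255.255.0 0 0
static (inside,outside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0 0 0
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def audit(config):
    """Return (kind, line) findings for identity statics and redundant nats."""
    nats, statics, findings = [], [], []
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            nats.append((m[1], m[2], net, line))
        elif m := STATIC_RE.match(line):
            mapped = ipaddress.ip_network(f"{m[3]}/{m[5]}", strict=False)
            real = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            statics.append((m[1], mapped, real, line))
    # Identity static (mapped == real) on a range that a nat statement on the
    # same interface also covers: those hosts leave untranslated.
    for iface, mapped, real, line in statics:
        covered = any(n[0] == iface and n[2].overlaps(real) for n in nats)
        if mapped == real and covered:
            findings.append(("identity-static", line))
    # A nat whose source range sits inside a broader nat with the same
    # interface and NAT ID adds nothing.
    for iface, nat_id, net, line in nats:
        for o_iface, o_id, o_net, _ in nats:
            same_pool = (iface, nat_id) == (o_iface, o_id)
            if same_pool and net != o_net and net.subnet_of(o_net):
                findings.append(("redundant-nat", line))
                break
    return findings


if __name__ == "__main__":
    for kind, line in audit(SAMPLE_CONFIG):
        print(f"{kind}: {line}")
```
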

Re: configuring pix 501 to access the internet

Nice catch Jon, I was looking at that too. I think this is his problem.

New Member

Re: configuring pix 501 to access the internet

Thanks Jon.. How can I delete this entry? What is the exact command?

Hall of Fame Super Blue

Re: configuring pix 501 to access the internet

pix(config)# no static (inside,outside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0

Don't forget you then need to clear the xlate translations

pix# clear xlate

Be aware that the "clear xlate" will remove all existing connections through your firewall but it sounds like this is not a problem at the moment.

Jon

New Member

Re: configuring pix 501 to access the internet

Hi Jon, I did everything you said but I still can't connect to the internet... I cannot ping the outside ip but I can ping the inside ip...

Re: configuring pix 501 to access the internet

Can you post the interface status of your outside interface? What is the outside connected to, a switch? If a switch, make sure the outside interface is in the same VLAN as the ISP router. If you have the outside interface directly connected to a router that is not manageable by you, I would recommend your outside interface be autodetect for speed transmission.

e.g

show interface ethernet0

New Member

Re: configuring pix 501 to access the internet

Here it is.. but as of now it is disconnected from the network ..

AOSMANPIX(config)# show interface 0

interface ethernet0 "outside" is up, line protocol is down

Hardware is i82559 ethernet, address is 000b.5f37.bc48

IP address 203.131.103.176, subnet mask 255.255.255.0

MTU 1500 bytes, BW 10000 Kbit half duplex

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/0)

output queue (curr/max blocks): hardware (0/0) software (0/0)

New Member

Re: configuring pix 501 to access the internet

Here it is, buddy. Thanks..

AOSMANPIX(config)# show interface 0

interface ethernet0 "outside" is up, line protocol is down

Hardware is i82559 ethernet, address is 000b.5f37.bc48

IP address 203.131.103.176, subnet mask 255.255.255.0

MTU 1500 bytes, BW 10000 Kbit half duplex

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/0)

output queue (curr/max blocks): hardware (0/0) software (0/0)

Hall of Fame Super Blue

Re: configuring pix 501 to access the internet

Okay, after typing that rather long post :) Jorge has hit the nail on the head. Your outside interface is showing down. You need to check the physical connectivity as suggested by Jorge.

Jon
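
A triage of the `show interface` output posted above, as an added example that is not part of the original thread: it parses the interface header and counters and reports the lowest layer that needs checking before any NAT debugging. The result labels and the function names `parse_interfaces` and `triage` are assumptions made for this example.

```python
import re

# The outside-interface output as posted in the thread, with blank lines
# removed and trimmed to the fields the triage reads.
POSTED_OUTPUT = """\
interface ethernet0 "outside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 000b.5f37.bc48
  IP address 203.131.103.176, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
  0 packets input, 0 bytes, 0 no buffer
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 lost carrier, 0 no carrier
"""

HEAD_RE = re.compile(
    r'^interface (\S+) "([^"]+)" is (.+?), line protocol is (\w+)', re.M)
COUNTER_RE = re.compile(
    r"(\d+) (packets input|packets output|input errors|CRC|collisions)")


def parse_interfaces(text):
    """Split show-interface output into one dict per interface."""
    heads = list(HEAD_RE.finditer(text))
    result = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end]
        counters = {name: int(n) for n, name in COUNTER_RE.findall(body)}
        result.append({"hw": m[1], "name": m[2], "admin": m[3], "line": m[4],
                       "half_duplex": "half duplex" in body, **counters})
    return result


def triage(intf):
    """Return the first thing to check, lowest layer first."""
    if intf["admin"] != "up":
        return "admin-down"          # interface shut in the configuration
    if intf["line"] != "up":
        return "no-link"             # cabling, peer port, speed/duplex setting
    if intf.get("packets input", 0) == 0:
        return "link-up-no-traffic"  # e.g. wrong VLAN on the switch port
    if intf.get("CRC", 0) or intf.get("collisions", 0):
        return "link-errors"         # check duplex settings on both ends
    return "link-ok"                 # only now look at NAT, routes and ICMP
```
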

New Member

Re: configuring pix 501 to access the internet

Jon, is pix 501 a firewall and a router all in one?...

New Member

Re: configuring pix 501 to access the internet

Thanks... The outside is connected directly to the dsl modem

New Member

Re: configuring pix 501 to access the internet

Hi Jon, I did everything you said but I still can't connect to the internet... I cannot ping the outside ip but I can ping the inside ip...

Hall of Fame Super Blue

Re: configuring pix 501 to access the internet

Hi

In addition to Jorge's suggestions, which you need to check, can you ping the ISP router IP address 203.131.103.177 from the firewall?

To test this you may need to temporarily add an extra line to the config

pix(config)# icmp permit 203.131.103.177 255.255.255.255 outside

You will not be able to ping the pix outside interface IP address from a machine on the inside network - 192.168.43.x. So you need to check connectivity in other ways.

If you can ping the ISP router then

1) try pinging a host on the Internet by IP address from the firewall

2) If 1) works try pinging from an inside host - 192.168.43.x. Again you need to ping the IP address at first.

If you can't ping your ISP router then you need to start checking physical connectivity and any switch config as suggested by Jorge.

The other thing you can do with pix v6.x is debugging the packets.

So

If you can ping the ISP router address from the firewall but you cannot from an inside address try on the firewall

pix# debug packet inside dst 203.131.103.177

pix# debug packet inside src 203.131.103.177

This will show you the packets arriving and leaving on the inside interface destined or coming from the ISP address.

You can also run these on the outside interface ie.

pix# debug packet outside dst 203.131.103.177

pix# debug packet outside src 203.131.103.177

Be careful with debugging on a live system - you should be okay if you specify the source or destination as above.

To turn off debugging

pix# no debug all

Jon
