Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

pix 501 with adsl

Hello

I am hoping that someone can help me a little.

I know this may be a tall order but here goes.

I have new cisco 501 pix that I bought to learn with. I want to use it with my home dsl for a while. I have dsl with a modem in bridge mode. I have accessed the cisco via the pdm software and console. I setup the cisco with pppoe and successfully obtained a wan ip on the pix unit.

I also have dhcp setup and my pcs are getting an inside address and dns from the pix unit. For some reason I still cannot ping past the pix unit. I know that some packets are getting out because when I ping a dns name it will resolve but no packets are returned.

I was hoping to get a little guidance on this.

Thanks

Building configuration...

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inbound permit icmp any any

access-list inbound permit tcp any any

access-list inbound permit udp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.0 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.1.0 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname xxx@bellsouth.net

vpdn group pppoe_group ppp authentication pap

vpdn username xxx@bellsouth.net password *********

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxx

: end

[OK]

4 REPLIES
New Member

Re: pix 501 with adsl

I am on the net!

Now I need to forward http to 192.168.1.200

I have dyndns setup so I am good on that.

Here is what I changed but it is not working

access-list inbound permit icmp any any

acess-list inbound permit tcp any any eq www

access-group inbound in interface outside

static (inside,outside) tcp interface www 192.168.1.200 www netmask 255.255.255.255

This is not working..below is current config

Building configuration...

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname pixfirewall

domain-name ciscopix.com

clock timezone CST -6

clock summer-time CDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inbound permit icmp any any

access-list inbound permit tcp any any eq www

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.0 255.255.255.255 inside

pdm location 192.168.1.200 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www 192.168.1.200 www netmask 255.255.255.255 0 0

access-group inbound in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname xx@bellsouth.net

vpdn group pppoe_group ppp authentication pap

vpdn username xxx@bellsouth.net password *********

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxx

: end

[OK]

Silver

Re: pix 501 with adsl

How are you testing the www forwarding? Have you tried it from a device outside your network (say a friend on the internet)?

I cannot spot anything wrong with your configuration.

New Member

Re: pix 501 with adsl

You were right it worked from outside the network. What I need now to complete my task is to limit access to this webserver from a specific single public ip address. Can you tell me how to do that either from a console session or the pdm.

Thanks!

BTW I am confused as to why I could access my webserver from within my network using my linksys but not this pix

Silver

Re: pix 501 with adsl

To restrict access to a single public IP modifiy your access-list as follows:

access-list inbound permit tcp host any eq www

To restrict access to a single public IP modifiy your access-list as follows:

access-list inbound permit tcp host any eq www

For your problem of not being able to access the inside webserver from your inside hosts using the fully qualified domain name, try modifying the static nat to:

static (inside,outside) tcp interface www 192.168.1.200 www netmask 255.255.255.255 dns

136
Views
0
Helpful
4
Replies