Cisco Support Community
New Member

506E not able to go on the Internet. Help!!

I set up this PIX last week, tested it and it worked fine. Now, when I plug it in everything on my internal network works fine. PIX is set up for DHCP, ok. When trying to access the internet, nothing.

I looked at the lights on the PIX (LINK is green, ACT is blinking on both interfaces) I am not sure what to do.

I am posting my config in case there is something I am not seeing.

:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password Kgj8H0CArY1EQe85 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX506E

domain-name XXXXXXX

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 10full

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.10 255.255.255.255 inside

pdm location 192.168.0.0 255.255.255.255 inside

pdm location 192.168.0.0 255.255.255.0 inside

pdm history enable

arp timeout 14400

global (outside) 1 216.73.XXX.XXX

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 216.39.XXX.XXX

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.0.10 255.255.255.255 inside

snmp-server location

snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 192.168.0.0 255.255.255.0 inside

telnet 192.168.0.10 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.0.11-192.168.0.254 inside

dhcpd dns 216.73.XXX.XXX 216.73.XXX.XXX

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain inside

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:9be90af8f61c9d18b9e300237be8ef24

PIX506E#

I would appreciate any help that I can get.

Thanks,

Eduardo

7 REPLIES
Cisco Employee

Re: 506E not able to go on the Internet. Help!!

How are you trying to access the internet? Are you trying to ping? According to your configuration pings won't work, you need to allow icmp echo-replies specifically. Can you try browsing?

Hope this helps,

-Nairi

New Member

Re: 506E not able to go on the Internet. Help!!

Hi Nairi,

I am just trying to browse. I don't want to ping. I tried this a few days ago and it worked just fine.

Any ideas would be greatly appreciated.

Eduardo

Re: 506E not able to go on the Internet. Help!!

As a test, can you change (i.e. remove your current global and then add the following) your global to:

global (outside) 1 interface

Then do a "clear xlate".

Does it work now?

Do a show log (as a side note add a syslog server to help you), show xlate, sh conn local/for x.x.x.x and see if anything is getting blocked and/or translated.

When the user tries to connect to a site, does DNS resolve the IP (if yes we can eliminate DNS)? Can the PIX ping any site, can the PIX ping the local hosts?

Hope it helps.

Steve

New Member

Re: 506E not able to go on the Internet. Help!!

Steve,

You are a life saver... I tried what you told me and it worked. What was wrong with what I had before?

Thanks again,

Eduardo

Re: 506E not able to go on the Internet. Help!!

Glad it works. Your global IP (216.73.x.x) was different from your outside interface's subnet (216.39.x.x - based on your default route I assume that it is 216.39). So if you sent packets out with that IP, the return packets were not being routed to you as you don't own 216.73.x.x. As a side note, I have also noticed that if you specify your outside IP in the global command it doesn't work; only using the keyword "interface" works.

Steve

New Member

Re: 506E not able to go on the Internet. Help!!

Hi Eduardo,

Just some hints:

- I don't see the internal IP address applied to ethernet1

- Your default gateway is 216.39.x.y & your global is at 216.73.x.y, which isn't in the same subnet? Generally, they are.

Ben

Re: 506E not able to go on the Internet. Help!!

Hi Eduardo,

I can't find the "ip address" commands for your internal and external interfaces. You have to provide an IP for both interfaces with the "ip address" command.

Kind Regards,

Tom
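
The checks raised in the replies above (a global address outside the outside interface's subnet, and missing "ip address" commands) can be run offline against a saved config. This is an added example, not part of the original thread; the function name `audit_pix_nat` is hypothetical and the sample config uses constructed documentation addresses rather than the poster's masked ones.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax (RFC 5737 documentation addresses).
BROKEN = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 198.51.100.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
"""
FIXED = BROKEN.replace("1 198.51.100.20", "1 interface")

def audit_pix_nat(config):
    """Return a list of addressing/translation findings for a PIX config."""
    named, nets, pools, gateways = [], {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"nameif\s+\S+\s+(\S+)\s+\S+$", line):
            named.append(m[1])
        elif m := re.match(r"ip address\s+(\S+)\s+([\d.]+)\s+([\d.]+)$", line):
            nets[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := re.match(r"ip address\s+(\S+)\s+dhcp", line):
            nets[m[1]] = None  # addressed, but subnet unknown offline
        elif m := re.match(r"global\s+\((\S+)\)\s+\d+\s+(\S+)", line):
            pools.append((m[1], m[2]))
        elif m := re.match(r"route\s+(\S+)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)", line):
            gateways.append((m[1], m[2]))
    findings = [f"{n}: no 'ip address' command" for n in named if n not in nets]
    for ifname, pool in pools:
        net = nets.get(ifname)
        if pool == "interface" or net is None:
            continue
        # A pool may be a single address or a start-end range; check its start.
        if ipaddress.ip_address(pool.split("-")[0]) not in net:
            findings.append(f"{ifname}: global {pool} is outside {net}; "
                            "replies arrive only if upstream routes it here")
    for ifname, gw in gateways:
        net = nets.get(ifname)
        if net is not None and ipaddress.ip_address(gw) not in net:
            findings.append(f"{ifname}: default gateway {gw} is not on {net}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_pix_nat(cfg))
```

A global pool outside the interface subnet is only a warning: it works when the upstream provider routes that block to the firewall, which is the condition that was not met in this thread.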
