12-16-2002 10:53 AM - edited 03-09-2019 01:24 AM
I feel like a n00b here, but I'm having trouble with something that should be basic, so note the following question as one asked with a sheepish grin...
Problem: I have a 515e set up to authenticate to a DSL modem that supplies me with one public IP over the ethernet0 of the 515e. From the 515e I can ping the outside world.
I have ethernet1 seeing an internal network 192.168.50.0, pingable from the 515e as well.
Computers on the inside of the 515e cannot see through to the outside, ping, or anything.
I am assuming I have set up my nat or global wrong, but from the documentation I've been reading, they all assume you have more than one outside IP address to work with. I just need to take all the users on the inside and get them using the one IP on the outside interface. I am also going to be setting up several VPNs over that interface; is it unwise to use only one for everything?
Here's my config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password ********** encrypted
passwd ************ encrypted
hostname YRPCI
domain-name yearroundpool.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.x.x Bluff_Outside
access-list acl_out permit tcp 192.168.50.0 255.255.255.0 any
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_in permit icmp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
access-list outside_cryptomap_9 permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.50.0 255.255.255.255 inside
pdm location Bluff_Outside 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (inside) 100 192.168.50.8-192.168.50.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 9 ipsec-isakmp
crypto map outside_map 9 match address outside_cryptomap_9
crypto map outside_map 9 set peer 64.53.71.8
crypto map outside_map 9 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname ************
vpdn group pppoex ppp authentication pap
vpdn username *********** password *********
Thank you for your time in advance.
Dave
12-16-2002 12:32 PM
Hi,
indeed there is something wrong with your nat/global config:
remove those lines:
global (outside) 200 interface
global (inside) 100 192.168.50.8-192.168.50.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
and replace with those lines:
global (outside) 200 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 0.0.0.0 0.0.0.0 0 0
The "nat (inside) 0" is part of the VPN configuration.
What is important now are the "nat (outside) 200" and "global (outside) 200" commands.
You should always have a nat/global pair with the same id (=200 in this case). All addresses on the inside (0.0.0.0 0.0.0.0) will be translated to the IP address of the outside PIX interface.
This will allow all outside access initiated from inside addresses (except icmp!).
If you want all internal hosts to have full access to the outside, you may remove the "acl_out" access-list.
Kind Regards,
Tom
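The mismatch Tom points out (nat entries with id 0 only, global pools with ids that no nat statement uses) is easy to catch mechanically. The following is an added example, not code from the thread or from Cisco: a small Python linter over the PIX 6.x nat/global and access-group lines. The two sample configs embedded in it are constructed from the question and the answer above; note that the "broken" sample also reproduces the posted access-group lines, which reference acl_inbound/acl_outbound while the access-lists are named acl_in/acl_out.

```python
import re

# Constructed sample: the relevant lines of the posted PIX 6.2 config (before the fix).
BROKEN_CONFIG = """\
access-list acl_out permit ip any any
access-list acl_in permit icmp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
global (outside) 200 interface
global (inside) 100 192.168.50.8-192.168.50.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
"""

# Constructed sample: the same section with the nat/global pair from the answer
# and the access-group lines pointing at the ACL names that actually exist.
FIXED_CONFIG = """\
access-list acl_out permit ip any any
access-list acl_in permit icmp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
global (outside) 200 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface outside
access-group acl_out in interface inside
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def lint_pix_config(text):
    """Return human-readable findings for nat/global pairing and ACL binding errors."""
    nat_ids, global_ids, acls, groups, findings = set(), set(), set(), [], []
    for line in text.splitlines():
        if m := NAT_RE.match(line):
            nat_ids.add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m.group(2)))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            groups.append((m.group(1), m.group(2)))
    # An access-group bound to a name with no access-list entries filters nothing as intended.
    for acl, iface in groups:
        if acl not in acls:
            findings.append(f"access-group references undefined ACL {acl} on {iface}")
    # nat id 0 is identity/exempt NAT (used for the VPN traffic here) and needs no global;
    # every other nat id must have a global with the same id, and vice versa.
    for nid in sorted(nat_ids - {0}):
        if nid not in global_ids:
            findings.append(f"nat id {nid} has no matching global")
    for gid in sorted(global_ids):
        if gid not in nat_ids:
            findings.append(f"global id {gid} has no matching nat (unused pool)")
    if nat_ids <= {0}:
        findings.append("no nat id other than 0: inside hosts have no translation to the outside")
    return findings
```

Running lint_pix_config(BROKEN_CONFIG) reports the two dangling access-group bindings, both unused global pools and the absence of any real nat id; the fixed config produces no findings.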
12-16-2002 01:33 PM
Ah, well that makes sense... thank you. I will try the config soon and respond again if I have any trouble, again, thank you for your help.
:)
Dave