10-26-2005 01:00 PM - edited 02-21-2020 12:29 AM
I am only a CCNA student, so please be gentle...
I am trying to configure a Cisco PIX firewall version 5.3.
Here is my current setup:
PC <-- x-over cable --> firewall <--- router ----> Internet
The inside interface has an IP of 10.27.164.254, and the outside interface has an IP on the same subnet as my router. From the console, I can ping other hosts on the WAN. I can also ping the PC connected directly to the inside interface.
The pc cannot get on the net. What am I missing here? Thank you.
10-26-2005 01:48 PM
Do you have a cable between firewall <> Router <> Internet? What kind? Lights on the outside interface of the PIX? Is it blinking/passing traffic?
Can you ping a public IP from the PIX via console? Like 4.2.2.2?
I am sure the PC does not get a reply from pinging 4.2.2.2?
If all of these are true, you may need a route on the pix to route traffic to the gateway (router).
10-26-2005 02:07 PM
Thanks for the reply.
I have a straight through cable from the outside interface, into a hub. There is another cable from the hub to the router (straight thru). I can ping public IPs from the console of the firewall. I can also ping the PC on the inside interface from the firewall console, but the PC (on the inside) cannot ping public IPs.
10-26-2005 05:29 PM
It's possible that you are missing a route from your inside network to the outside. It looks like you are not passing network traffic to the gateway of the PIX. For example,
ip route inside_network network_mask gateway_ip
for example routing 192.168.1.0 network to the gateway of the internet
i.e. IP ROUTE 192.168.1.0 255.255.255.0 55.35.4.1
I hope this makes sense.
10-26-2005 05:52 PM
Might be good to post your config; guessing without a config or error message is very difficult.
example config:
ip address outside YOUR-PUB-IP-X 255.255.255.xxx
ip address inside 10.27.164.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 RouterIP 1
Questions:
1.) Do you have access-lists, please post it ?
2.) Where are you doing the NAT on the PIX or on the Router ?
3.) Can you telnet to the outside router.
Note: If you want to ping to the Router from the PC you need to add an access-list.
Ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list. If you want to ping the same interface that you are physically connected to, you need to configure the "icmp" command.
example:
See: Handling ICMP Pings with the PIX Firewall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
The PIX and the traceroute Command
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
examples:
Traceroute
Microsoft:
access-group outside in interface outside
access-list outside permit icmp any host YourPublicIP unreachable
access-list outside permit icmp any host YourPublicIP time-exceeded
access-list outside permit icmp any host YourPublicIP echo-reply
And finally, after changing the NAT statement you need to reset the translation table, otherwise this will not work.
clear xlate
Take also a look on this whitepaper:
Establishing Connectivity
sincerely
Patrick
10-27-2005 05:33 AM
Thanks for the replies. I do not have a route from the inside to the outside. I will apply that route to the gateway. If that doesn't work, I am going to assume that I need an access list.
I will post my progress here. Thanks.
10-27-2005 12:04 PM
I set up those ACLs exactly as they were posted, with both outside and inside interfaces as parameters with no luck. How can I view the running-config so I can post it here?
10-27-2005 12:36 PM
Connect the blue console cable and use a terminal emulation software to connect to the Cisco PIX console.
Set 9600/8/N/1
When you have the prompt type:
enable
write terminal => Display current configuration on the terminal.
sincerely
Patrick
10-27-2005 01:06 PM
My running-config:
PIX Version 5.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list outside permit icmp any host MY.PUBLIC.IP unreachable
access-list outside permit icmp any host MY.PUBLIC.IP time-exceeded
access-list outside permit icmp any host MY.PUBLIC.IP echo-reply
access-list inside permit icmp any host MY.PUBLIC.IP echo-reply
access-list inside permit icmp any host MY.PUBLIC.IP time-exceeded
access-list inside permit icmp any host MY.PUBLIC.IP unreachable
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside IP.OF.OUTSIDE.INT 255.255.255.248
ip address inside 10.27.164.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 MY.PUBLIC.IP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:1822fe6c04d66d7d676575872736e2c4
: end
[OK]
10-27-2005 07:45 PM
1. The current ACL on inside is going to block all outbound traffic. Since you've got the identical ACL applied on the outside interface, there is no need to apply another one on the inside interface.
2. No nat/global. PIX v6.x (or earlier) will not forward any traffic without a nat/global statement.
e.g.
global (outside) 1 interface
nat (inside) 1 0 0
With the sample above, the PIX will PAT all outbound traffic using the PIX outside interface IP.
In case you don't want the PIX to perform NAT/PAT, then:
nat (inside) 0 0 0
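As an added check that is not part of any post in this thread: a small Python audit that reads a PIX 5.x/6.x config and flags the three problems raised above (no nat/global pair, an inbound ACL on the inside interface that only permits ICMP, and no default route). The sample config is constructed from the one posted earlier, with the same placeholder addresses.

```python
import re

# Constructed sample modelled on the running-config posted earlier in this thread
# (placeholder addresses, not real ones); it is not the poster's full config.
SAMPLE_PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside permit icmp any host MY.PUBLIC.IP echo-reply
access-list inside permit icmp any host MY.PUBLIC.IP echo-reply
ip address outside IP.OF.OUTSIDE.INT 255.255.255.248
ip address inside 10.27.164.254 255.255.255.0
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 MY.PUBLIC.IP 1
"""


def audit_pix_config(config):
    """Return findings for the three problems discussed in the thread: no nat/global
    pair, an inbound ACL on 'inside' that only permits ICMP, and no default route."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # 1. PIX 6.x and earlier forwards nothing between interfaces without a
    #    nat statement; every nat id except 0 (no translation) needs a global.
    nat_ids = {m.group(1) for l in lines if (m := re.match(r"nat \(inside\) (\d+) ", l))}
    global_ids = {m.group(1) for l in lines if (m := re.match(r"global \(outside\) (\d+) ", l))}
    if not nat_ids:
        findings.append("no 'nat (inside)' statement: inside hosts are not forwarded at all")
    for nat_id in sorted(nat_ids - {"0"} - global_ids):
        findings.append(f"'nat (inside) {nat_id}' has no matching 'global (outside) {nat_id}'")

    # 2. An ACL applied 'in' on the inside interface ends with an implicit deny,
    #    so an ICMP-only ACL there blocks every outbound TCP/UDP session.
    permitted = {}
    for l in lines:
        m = re.match(r"access-list (\S+) permit (\S+) ", l)
        if m:
            permitted.setdefault(m.group(1), set()).add(m.group(2))
    for l in lines:
        m = re.match(r"access-group (\S+) in interface inside", l)
        if m and not permitted.get(m.group(1), set()) & {"ip", "tcp", "udp"}:
            findings.append(f"ACL '{m.group(1)}' on inside permits only "
                            f"{sorted(permitted.get(m.group(1), set()))}; implicit deny drops other outbound traffic")

    # 3. Without a default route the PIX has nowhere to send Internet-bound packets.
    if not any(l.startswith("route outside 0.0.0.0 0.0.0.0 ") for l in lines):
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <router-ip> 1'")
    return findings
```

Run `audit_pix_config(open("pix.cfg").read())` against a saved `write terminal` dump; an empty list means none of the three issues is present.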
10-28-2005 09:39 AM
I exhausted all of your suggestions and I am still having trouble with the firewall.
I want to reset it to factory defaults and start again. What is the procedure? On a 2500 router it would be:
Set configure reg. to 0x2142
reboot
copy run start
set conf. reg to 0x2102
reboot.
What is the PIX equivalent? Thanks.
10-28-2005 11:37 AM
Just go in enable mode and:
write erase
reload
sincerely
Patrick
10-28-2005 06:27 PM
Let's start from the beginning with a step by step procedure. Firstly, your setup below is incorrect.
"Here is my current setup:
PC <-- x-over cable --> firewall <--- router ----> Internet"
MAKE IT TO
1. Connect Straight cable from PC into PIX 1 port
2. Connect X over cable from Modem into PIX 0 port
3. Don't forget to plug the PSTN line into the modem.
4. Plug console cable into pix and pc to configure pix.
=====================================================
Now its time to configure your PIX
=====================================================
Erase your current configuration by typing
wr erase (press enter)
Reload (press enter)
=====================================================
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX
domain-name mattpociask.com
ip address outside pppoe setroute
ip address inside 192.168.2.2 255.255.255.0
pdm history enable
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.2.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
vpdn group Internet request dialout pppoe
vpdn group Internet localname (isp username)
vpdn group Internet ppp authentication chap
vpdn username (isp username) password (ISP Password)
PIX#
=====================================================
Please note: Use the above config if your ISP require PPPOE Authentication otherwise use the below config
=====================================================
vpdn group VPN accept dialin pptp
vpdn group VPN ppp authentication mschap
vpdn group VPN ppp encryption mppe 40
vpdn group VPN client configuration address local VPNPool
vpdn group VPN pptp echo 60
vpdn group VPN client authentication local
vpdn username vpn password (ISP Password)
vpdn enable outside
=====================================================
10-29-2005 05:08 AM
I very much appreciate your post! It is indeed well thought out and structured information; however, I need my connection to come from a router (T1 line), not a modem.