Cisco Support Community

New Member

cannot access outside with PIX

We recently got a PIX; I was setting it up in a testing lab.

In the lab everything was working fine, but once moved to production nothing works.

I have set it up like this:

LAN------7513----PIX----router----internet

LAN as 10.0.0.0 address; the 7513 has 2 IP addresses, primary and secondary, on the LAN side FastEthernet (one 10.0.0.0 and another 170.15.x.x).

WAN side FastEthernet I have 170.x.x.x; I can ping this address from my LAN.

PIX inside interface 170.16.x.x, and I can ping it from all hosts in 10.0.0.0, and I can see all my users when I use sh xlate.

From inside I can ping the inside interface of the PIX.

When I use sh xlate I can see my global address mapped to the internal address, but I cannot go out to the internet and I cannot ping my external interface on the PIX, but from my 7513

I can ping only the external interface on the PIX.

This is my PIX config:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

nameif ethernet3 ISP2 security60

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

nameif ethernet6 intf6 security30

nameif ethernet7 failover security15

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pix-1

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list outside_access_in permit tcp any host 206.X.X.X eq smtp

access-list outside_access_in permit tcp any host 206.X.X.X eq smtp

access-list outside_access_in permit udp any host 206.X.X.X eq domain

access-list outside_access_in permit udp any host 206.X.X.X eq domain

access-list outside_access_in permit icmp any any

access-list outside_access_in deny ip any any

access-list dmz_coming_in permit icmp any any

access-list dmz_coming_in permit tcp host 206.X.X.X host any eq smtp

access-list dmz_coming_in permit tcp host 206.X.X.X host any eq www

access-list dmz_coming_in permit tcp host 206.X.X.X host any eq smtp

access-list dmz_coming_in permit tcp host 206.X.X.X host any eq www

access-list dmz_coming_in permit udp host 206.X.X.X host any eq domain

access-list dmz_coming_in permit udp host 206.X.X.X host any eq domain

access-list 101 permit ip 170.x.x.0 255.255.255.0 206.x.x.128 255.255.255.128

pager lines 24

logging on

logging monitor errors

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet3 100full

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

interface ethernet6 auto shutdown

interface ethernet7 100full

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu ISP2 1500

mtu intf4 1500

mtu intf5 1500

mtu intf6 1500

mtu failover 1500

ip address outside 206.X.X.X 255.255.255.128

ip address inside 170.X.X.X 255.255.255.0

ip address DMZ 206.X.X.252 255.255.255.128

ip address ISP2 171.X.X.21 255.255.255.0

ip address intf4 127.0.0.1 255.255.255.255

ip address intf5 127.0.0.1 255.255.255.255

ip address intf6 127.0.0.1 255.255.255.255

ip address failover 7.7.7.7 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 206.X.X.X

failover ip address inside 170.X.X.3

failover ip address DMZ 206.X.X.253

failover ip address ISP2 171.X.X.21

failover ip address intf4 0.0.0.0

failover ip address intf5 0.0.0.0

failover ip address intf6 0.0.0.0

failover ip address failover 7.7.7.8

failover link failover

pdm location 169.x.x.155 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 206.X.X.90-206.X.X.120 netmask 255.255.255.128

global (outside) 1 206.X.X.X

global (DMZ) 1 206.X.X.X-206.X.X.X

nat (inside) 0 access-list 101

nat (inside) 1 1 170.X.X.X 255.255.255.0

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

nat (DMZ) 0 206.x.x.128 255.255.255.128 0 0

static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0

static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group dmz_coming_in in interface DMZ

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 206.X.X.X

route inside 10.0.0.0 255.0.0.0 170.X.X. 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

url-server (DMZ) vendor n2h2 host 206.X.X.X port 4005 timeout 5 protocol TCP

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-pptp

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:3d41e9f201f32c7fbe9ac8dbafaf863e

: end

[OK]

2 REPLIES
Silver

Re: cannot access outside with PIX

nat (inside) 1 1 170.X.X.X 255.255.255.0

Is that line a typo? It should read:

nat (inside) 1 170.X.X.X 255.255.255.0 0 0

With your configuration, from 10/8 and 170.x.x/24 you should be able to ping the external interface of the PIX. If you cannot ping that from a client on those networks, but can from the 7513, then there is probably a routing problem on the 7513.

From the pix, can you ping the router to the internet? The ip you should be trying to ping from the pix is the ip in the route outside command statement.

Silver

Re: cannot access outside with PIX

1. Conduits and ACLs should not be used concurrently. Not that I think this is your problem. You should replace your conduit for ICMP with ACLs.

2. You CANNOT ping a Pix's interface except from the same attached interface. In other words, you'll never be able to ping the Pix's outside interface from inside, or ping the Pix's inside interface from outside. You can only ping the inside interface from inside, etc. This is normal and not a symptom of your problem.

Since you can ping the Pix's internal interface from your 10.x.x.x clients, can you ping the inside interface of your external router? If not, this is where the problem lies.

I can't tell the subnets we're dealing with here due to the doctoring of the IPs, but make sure that your external router knows that it needs to route the traffic of your NAT pool to the Pix. This should only be necessary, however, if the NAT pools are not on the same subnet as the Pix's outside interface. This test would tell more if you temporarily removed the NAT 0 statement or used a [static] that mapped one of your internal clients to an IP in the same subnet as your NAT pool.
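The three checks the two replies suggest, as an added example that is not code from this thread or from Cisco: a small Python linter over a constructed PIX 6.x-style config that flags a nat line with an extra token before the address, conduit and access-group statements used together, and global pool addresses that fall outside the outside interface's subnet (the case where the upstream router needs a route pointing at the PIX). All addresses in SAMPLE_CONFIG are made up.

```python
import ipaddress

# Constructed sample modelled on the poster's config; addresses are invented.
SAMPLE_CONFIG = """\
ip address outside 206.0.0.1 255.255.255.128
ip address inside 170.16.0.1 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 1 170.16.0.0 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 206.0.0.90-206.0.0.120 netmask 255.255.255.128
global (outside) 1 206.0.1.5
access-group outside_access_in in interface outside
conduit permit icmp any any
"""

def _is_ip(tok):
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False

def lint_pix(config):
    """Return a list of findings, in config order, with the conduit/ACL
    mixing finding appended last."""
    findings = []
    nets = {}                       # interface name -> its connected subnet
    has_conduit = has_acl = False
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "address"] and len(tok) == 5:
            nets[tok[2]] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[0] == "nat":
            # nat (ifc) id {address mask [max_conns [emb_limit]] | access-list name}
            rest = tok[3:]
            if not rest or (rest[0] != "access-list" and not _is_ip(rest[0])):
                findings.append(f"malformed nat (extra token before address): {line}")
        elif tok[0] == "global":
            ifc = tok[1].strip("()")
            first, _, last = tok[3].partition("-")   # single address or a-b range
            net = nets.get(ifc)
            if net and any(ipaddress.ip_address(a) not in net for a in (first, last or first)):
                findings.append(f"global pool {tok[3]} not in {ifc} subnet {net}; "
                                "upstream router needs a route for it to the PIX")
        elif tok[0] == "conduit":
            has_conduit = True
        elif tok[0] == "access-group":
            has_acl = True
    if has_conduit and has_acl:
        findings.append("conduit and access-group both present; migrate conduits to ACLs")
    return findings
```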
