Cisco Support Community
New Member

DHCP clients can't get out to internet

Hi All,

I'm new to the PIX 506. In my network I have a cable modem, a PIX 506, a W2003 server and PCs. The PIX internal address is 192.168.1.1. The server address is 192.168.1.2 and the PCs get DHCP from the PIX, 192.168.1.100-192.168.1.150. I have a couple of ports forwarded from the PIX to the server. This outside access works fine. My server 192.168.1.2 can go on the internet (through Internet Explorer) without a problem. The problem is my client PCs can't get on the internet. Any help would be greatly appreciated. Thanks, Erik

Building configuration...

: Saved

:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inbound permit icmp any any

access-list inbound permit tcp any host 24.xx.xx.138 eq pcanywhere-data

access-list inbound permit tcp any host 24.xx.xx.138 eq 3389

access-list inbound permit udp any host 24.xx.xx.138 eq 3389

access-list inbound permit udp any host 24.xx.xx.138 eq pcanywhere-status

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 24.xx.xx.138 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.2 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 24.xx.xx.138 192.168.1.2 netmask 255.255.255.255 0 0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 24.xx.xx.137 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.100-192.168.1.150 inside

dhcpd dns 24.x.x.3 24.25.161.1

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain maine.rr.com

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxx

: end

[OK]

8 REPLIES
Green

Re: DHCP clients can't get out to internet

I believe you need to set the default-gateway parameter in your DHCP config. The DHCP service is not providing a default gateway to the client.

Good Luck

Scott

New Member

Re: DHCP clients can't get out to internet

Scott... Thanks for your response.

What would I type on the pix? I did try manually setting a static on the pc 192.168.1.30 with gateway 192.168.1.1 and dns servers and it still doesn't let the client out to the internet. Also, with dhcp on the client it does show the gateway with ipconfig /all

Silver

Re: DHCP clients can't get out to internet

The PIX doesn't offer the option to configure a "default-router" the way IOS does. It always uses itself as the default gateway. Also, I don't see why you need the "nat (inside) 1 192.168.1.0 255.255.255.0 0 0" statement. The next statement does it all.

I do not readily see any problems in the config that would prevent the inside hosts from getting out, but do verify the ipconfig of the hosts. You might run "debug packet inside" and do "term mon" to see if any traffic is hitting the inside interface of the PIX from the inside hosts.

New Member

Re: DHCP clients can't get out to internet

Your static statement "static (inside,outside) 24.xx.xx.138 192.168.1.2 netmask 255.255.255.255 0 0" only allows for 192.168.1.2 to translate to the outside. You need to change it to "static (inside,outside) 24.xx.xx.138 192.168.1.0 netmask 255.255.255.0 0 0". This will allow all devices assigned to the 192.168.1.0/24 subnet to access the outside.

New Member

Re: DHCP clients can't get out to internet

Hi,

- Please check that in the IP configuration of your client, the default gateway is "192.168.1.1"

- There is no access-list bound to the inside interface. Maybe you can try to add the following lines:

access-list outbound permit ip any any

access-group outbound in interface inside

- If it doesn't work, the problem stems from your NAT configuration, I think:

The problem occurs in this line:

static (inside,outside) 24.xx.xx.138 192.168.1.2 netmask 255.255.255.255 0 0

If you have another IP available on the network 24.xx.xx.138/29, use it, for example:

static (inside,outside) 24.xx.xx.139 192.168.1.2 netmask 255.255.255.255 0 0

It should work...

Otherwise, if you have only the address 24.xx.xx.138, replace your static line with

static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0

It should also work but then check that you can access your server from the outside as before.

If not, add the same line with the port "pcanywhere-data" and "pcanywhere-status" instead of 3389

Let me know if it's better :)

Re: DHCP clients can't get out to internet

Hi .. the NAT on your config seems OK; however, you don't need nat (inside) 1 192.168.1.0 255.255.255.0 as you already have nat (inside) 1 0 0

Two things you need to check ..

1.- I suggest removing the dhcpd auto_config outside command, as you are already providing domain name and DNS statically to your clients. This might be conflicting.

I hope it helps .. please rate it if it does !!!

New Member

Re: DHCP clients can't get out to internet

Hi,

You have configured the same public IP address 24.xx.xx.138 for:

- the server address 192.168.1.2

- the outside interface

- the IP address used to NAT all the internal hosts

ip address outside 24.xx.xx.138 255.255.255.248

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 24.xx.xx.138 192.168.1.2 netmask 255.255.255.255 0 0

Try to utilize another IP of your public IP range (not the .137, not the .138, maybe the .139 to the .142) for the internal server

no static (inside,outside) 24.xx.xx.138 192.168.1.2 netmask 255.255.255.255 0 0

static (inside,outside) 24.xx.xx.??? 192.168.1.2 netmask 255.255.255.255 0 0

no access-list inbound permit tcp any host 24.xx.xx.138 eq pcanywhere-data

no access-list inbound permit tcp any host 24.xx.xx.138 eq 3389

no access-list inbound permit udp any host 24.xx.xx.138 eq 3389

no access-list inbound permit udp any host 24.xx.xx.138 eq pcanywhere-status

access-list inbound permit tcp any host 24.xx.xx.??? eq pcanywhere-data

access-list inbound permit tcp any host 24.xx.xx.??? eq 3389

access-list inbound permit udp any host 24.xx.xx.??? eq 3389 (the terminal server needs only TCP protocol ????)

access-list inbound permit udp any host 24.xx.xx.??? eq pcanywhere-status

mx
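The address overlap described in the reply above can be checked mechanically over a saved PIX 6.3 configuration. This is an added example, not part of the original thread or any Cisco tool; the function name `find_static_conflicts` and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: the NAT-relevant lines from the config posted in this thread.
SAMPLE = """\
ip address outside 24.xx.xx.138 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.xx.xx.138 192.168.1.2 netmask 255.255.255.255 0 0
"""

IFACE_IP = re.compile(r"^ip address (\S+) (\S+) \S+")
GLOBAL_IF = re.compile(r"^global \((\S+)\) \d+ interface")
# static (real_if,mapped_if) [tcp|udp] mapped_addr ...
STATIC = re.compile(r"^static \((\S+),(\S+)\) (?:(tcp|udp) )?(\S+)")


def find_static_conflicts(config):
    """Return one-to-one static lines whose mapped address is also the
    interface address that 'global (<if>) N interface' uses for PAT."""
    iface_ip, pat_ifaces, statics = {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_IP.match(line):
            iface_ip[m.group(1)] = m.group(2)
        elif m := GLOBAL_IF.match(line):
            pat_ifaces.add(m.group(1))
        elif m := STATIC.match(line):
            statics.append((line, m.group(2), m.group(3), m.group(4)))

    findings = []
    for line, mapped_if, proto, mapped in statics:
        if proto:
            # Port redirection (static ... tcp/udp ...) only claims one port,
            # so it can share the interface address with PAT.
            continue
        if mapped_if in pat_ifaces and mapped in ("interface", iface_ip.get(mapped_if)):
            findings.append(line)
    return findings


if __name__ == "__main__":
    for hit in find_static_conflicts(SAMPLE):
        print("one-to-one static reuses the PAT/interface address:", hit)
```

Both alternatives suggested in the replies (a different public address for the server, or a per-port `static ... tcp interface` redirect) pass this check.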
New Member

Re: DHCP clients can't get out to internet

Don't forget to do a clear xlate on your edge router. If it's a Cisco, it won't age out ARP entries, so you need to reboot it or clear xlate.
