New Member

I need help quickly- PIX 515e ver. 6.3 (5)

I'm new to this Cisco product and I'm in a jam. I've got to get this product up and running by tomorrow morning.

(Problem:) I've got communications running on the inside of the firewall, and with an access-list I can ping the outside world successfully; however, while inside, behind the firewall, I can't see anything through a web browser. It's like the traffic is not getting through. Please help, what do I need to do?

Below is a copy of the current configuration:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group service Internet tcp-udp
  description Group for Internet access
  port-object eq echo
  port-object eq www
  port-object eq domain
access-list inside_access_in permit icmp interface inside interface outside echo-reply
access-list inside_access_in permit icmp interface inside interface outside time-exceeded
access-list inside_access_in permit icmp interface inside interface outside unreachable
access-list inside_access_in permit tcp any object-group Internet any object-group Internet log
access-list inside_access_in permit tcp any object-group Internet host 208.50.85.161 object-group Internet log
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 208.x.x.x.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 208.50.x.x.x.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 192.168.1.3-192.168.1.254 netmask 255.255.255.0
global (inside) 1 192.168.1.3-192.168.1.254
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
routing interface outside
  ospf authentication null
routing interface inside
  ospf authentication null
route outside 0.0.0.0 0.0.0.0 208.50.85.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa proxy-limit disable
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server contact
snmp-server community
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 206.165.6.11 209.130.136.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end

4 REPLIES
New Member

Re: I need help quickly- PIX 515e ver. 6.3 (5)

access-list inside_access_in permit ip any any

That's my guess.

I'm a GUI guy, never use the CLI. Good luck.

Gold

Re: I need help quickly- PIX 515e ver. 6.3 (5)

global (outside) 10 192.168.1.3-192.168.1.254 netmask 255.255.255.0

This statement should have a public IP (or a range of public IPs), such as 208.50.85.x.

Further, I was just wondering what the purpose of the outbound ACL is. The PIX will (by default) forward packets from a higher security level (i.e. inside) to a lower security level (i.e. outside), providing nat/global/static is configured properly.
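As an added example (not code from the thread), here is a small Python linter for a PIX 6.x config excerpt that checks the two points raised in this thread: a global (outside) pool drawn from private address space, and an outbound ACL whose service group is applied on the source side as well as the destination, so it only matches connections whose source port is echo/www/domain rather than the ephemeral port a browser uses. The sample config is constructed from lines in the thread plus one corrected ACL line; the nat/global id consistency check is my own addition.

```python
import ipaddress
import re

# Constructed sample: the original private-space pool, the posted outbound ACL entry,
# a corrected ACL entry (mine), and the public pool from the follow-up post.
SAMPLE_CONFIG = """\
object-group service Internet tcp-udp
 port-object eq echo
 port-object eq www
 port-object eq domain
access-list inside_access_in permit tcp any object-group Internet any object-group Internet log
access-list inside_access_in permit tcp any host 208.50.85.161 eq www
global (outside) 10 192.168.1.3-192.168.1.254 netmask 255.255.255.0
global (outside) 100 208.50.85.165-208.50.85.175 netmask 255.255.255.224
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
"""

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}

def _addr_width(tok):
    """Tokens used by a PIX 6.x address: 'any' | 'host A' | 'A MASK' | 'object-group G'."""
    return 1 if tok == "any" else 2

def check_acls(config):
    """Flag tcp/udp permit entries that put a port qualifier on the source address.
    Clients pick ephemeral source ports, so such an entry does not match browser traffic."""
    service_groups = set(re.findall(r"^object-group service (\S+)", config, re.M))
    findings = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "permit" or t[3] not in ("tcp", "udp"):
            continue
        i = 4 + _addr_width(t[4])  # index of the first token after the source address
        if i < len(t) and (t[i] in PORT_OPS or
                           (t[i] == "object-group" and i + 1 < len(t) and t[i + 1] in service_groups)):
            findings.append(f"{t[1]}: source-port match '{' '.join(t[i:i + 2])}' blocks ephemeral-port clients")
    return findings

def check_globals(config):
    """Flag global pools that start in private (unroutable) space or have no nat statement with the same id."""
    nat_ids = set(re.findall(r"^nat \(\w+\) (\d+) ", config, re.M))
    findings = []
    for iface, pool_id, first in re.findall(r"^global \((\w+)\) (\d+) (\S+)", config, re.M):
        start = first.split("-")[0]
        if first != "interface" and ipaddress.ip_address(start).is_private:
            findings.append(f"global ({iface}) {pool_id}: pool starts at private address {start}")
        if pool_id not in nat_ids:
            findings.append(f"global ({iface}) {pool_id}: no nat statement uses id {pool_id}")
    return findings

if __name__ == "__main__":
    for finding in check_acls(SAMPLE_CONFIG) + check_globals(SAMPLE_CONFIG):
        print(finding)
```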

New Member

Re: I need help quickly- PIX 515e ver. 6.3 (5)

To Trinityfruit & Jackko:

Guys, thanks for your help. I got the system up and running. All the bells and whistles came on-line when I entered:

access-list inside_access_in permit ip any any

through the CLI, saved to config, then to flash, and BAM, I was seeing the outside world. You rock Trinity!!

Jackko made a good point on the global (outside) IP address; to clean things up, this was also changed to reflect an outside routable IP (pool). The network traffic in and out is fast. It now reads:

global (outside) 100 208.50.85.165-208.50.85.175 netmask 255.255.255.224 (100 being the ID I assigned to the pool)

Jackko, your question about the outbound ACL: this may have been added for the VPN connection to a host company. I had to cut back a section of the coding because I exceeded the 4000-character limit for the post. (Good eye.)

Thanks again for all your help.

New Member

Re: I need help quickly- PIX 515e ver. 6.3 (5)

jc,

If you go to post a config in the future, be sure to remove:

1) Your passwords:

enable password xxxx

passwd xxxx

2) Your public IP address:

ip address outside 208.50.x.x.x.255.224

With that amount of information, an UNSCRUPULOUS person could hack into your PIX and make changes, getting into your protected network. If you haven't already, I would change your passwords . . .
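As an added example (not from the thread), a short Python sanitizer for a PIX 6.x running-config that does what the reply above recommends before posting: it blanks the password and key lines and masks public IPv4 addresses while leaving private addresses, netmasks and 0.0.0.0 readable so the config is still useful for troubleshooting. It goes further than the reply by masking every public address, not only the outside interface address; the secret-line patterns cover the common PIX 6.x forms and the sample excerpt is constructed.

```python
import ipaddress
import re

# PIX 6.x lines that carry a secret in clear or reversible form: keep the keyword, drop the token.
SECRET_PATTERNS = [
    re.compile(r"^(enable password |passwd )(\S+)", re.M),
    re.compile(r"^(snmp-server community )(\S+)", re.M),
    re.compile(r"^(isakmp key )(\S+)", re.M),
    re.compile(r"^(vpngroup \S+ password )(\S+)", re.M),
    re.compile(r"^(aaa-server \S+ \(\S+\) host \S+ )(\S+)", re.M),
]
IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")

def _mask_ip(m):
    """Keep private/reserved addresses (RFC 1918, netmasks, 0.0.0.0); mask public ones to a.b.x.x."""
    try:
        addr = ipaddress.ip_address(m.group(0))
    except ValueError:          # not a valid dotted quad (e.g. an octet above 255)
        return m.group(0)
    if addr.is_private or addr.is_reserved or addr.is_multicast or addr.is_loopback:
        return m.group(0)
    return f"{m.group(1)}.{m.group(2)}.x.x"   # same style as the thread's own 208.50.x.x

def sanitize(config):
    """Return a copy of the config with secrets removed and public addresses masked."""
    for pat in SECRET_PATTERNS:
        config = pat.sub(lambda m: m.group(1) + "<removed>", config)
    return IPV4.sub(_mask_ip, config)

# Constructed excerpt in PIX 6.3 syntax (the password tokens are placeholders, not real hashes).
SAMPLE = """\
enable password abcdEXAMPLE encrypted
passwd wxyzEXAMPLE encrypted
hostname pixfirewall
ip address outside 208.50.85.162 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 208.50.85.161 1
snmp-server community public
isakmp key supersecret address 0.0.0.0 netmask 0.0.0.0
"""

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```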
