02-28-2003 04:10 PM - edited 03-09-2019 02:19 AM
I'm testing with my laptop behind the PIX and I can't browse the web or ping anything on the outside.
Outside IP of Pix is 209.78.212.62 netmask 255.255.255.224
Inside IP is 192.168.1.1 netmask 255.255.255.0
DHCP is enabled from 192.168.1.100-200
static route outside 0.0.0.0 0.0.0.0 209.78.212.33 1
Any help getting this to work is appreciated.
Jose
Attached is the configuration.
Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password PW5/XtguiShnqfUP encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname fw1
domain-name targetmediapartners.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 209.78.212.62 FW1
access-list outside_access_in deny ip any any
access-list inside_access_in permit ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside FW1 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.99 255.255.255.255 inside
pdm location FW1 255.255.255.255 outside
pdm location 209.78.212.55 255.255.255.255 outside
pdm history enable
arp timeout 14400
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 209.78.212.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 209.78.212.55 255.255.255.255 outside
http 192.168.1.99 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 209.78.212.40 209.78.212.41
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain targetmediapartners.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4665b5b51467493b354c3fe48356c61f
: end
[OK]
02-28-2003 06:07 PM
I see two problems right off.
#1. NAT: If you want to get to the Internet, you'll need to NAT your IPs to something public. Your [nat inside (0)] statement tells the Pix not to NAT traffic for the 192.168.1.0/24 network. Instead, replace it with something like
nat (inside) 1 192.168.1.0 255.255.255.0
Now add a global statement to NAT the traffic to something public. You can use the Pix's outside interface if you would like.
global (outside) 1 interface
#2. ACLs: Your two access-lists don't actually accomplish anything, as they are both the Pix's behavior by default. That is, allow all traffic on the inside interface going out and deny all traffic on the outside interface coming in. So just remove the inside interface ACL altogether and replace the outside ACL with something like this.
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachables
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in in interface outside
The Pix does not do stateful inspection of ICMP traffic. Therefore, this access-list allows responses to ping requests from hosts on the outside to hosts on the inside. It will also allow ICMP unreachables in. The time-exceeded will permit traceroute to work going out to the Internet. It should be noted that using this ACL will not allow hosts on the Internet to ping your hosts on the inside.
All other traffic started on the inside going out will automagically be let back in by the Pix due to its stateful inspection of the packets.
-Shannon
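As an added example (not part of the thread), a small Python lint that runs over constructed before/after snippets of the posted config and flags the two things the answer above fixes: a nat 0 (identity NAT) rule on a private range with no translation behind it, and an outside ACL that permits anything beyond the ICMP reply types the Pix cannot track statefully. The function and sample names are mine.

```python
import re
from ipaddress import ip_network

# Constructed samples: the relevant lines of the posted config (BEFORE) and
# of the fix suggested in the answer (AFTER); other config lines are ignored.
BEFORE = """\
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside
"""
AFTER = """\
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachables
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in in interface outside
"""

# ICMP types that are replies to traffic originated inside. PIX 6.x has no
# stateful ICMP inspection, so only these need an inbound permit; anything
# else (e.g. echo) would let outside hosts probe inside hosts.
RETURN_ICMP = {"echo-reply", "unreachables", "time-exceeded"}

def lint_pix(config: str) -> list[str]:
    """Return findings for the NAT and outside-ACL issues discussed above."""
    nat, globs, acls, outside_acl = {}, set(), {}, None
    for line in config.splitlines():
        if m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            nat[(m[1], int(m[2]))] = ip_network(f"{m[3]}/{m[4]}", strict=False)
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            globs.add(int(m[1]))
        elif m := re.match(r"access-list (\S+) permit (\S+) \S+ \S+ ?(\S*)", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"access-group (\S+) in interface outside", line):
            outside_acl = m[1]
    findings = []
    for (ifc, nid), net in nat.items():
        if nid == 0 and net.is_private:
            findings.append(f"nat ({ifc}) 0 on private {net}: untranslated, cannot reach Internet")
        elif nid and nid not in globs:
            findings.append(f"nat ({ifc}) {nid} has no matching global {nid}")
    for proto, icmp_type in acls.get(outside_acl, []):
        if proto == "icmp" and icmp_type not in RETURN_ICMP:
            findings.append(f"outside ACL permits icmp {icmp_type or 'any'} inbound")
        elif proto != "icmp":
            findings.append(f"outside ACL permits {proto} inbound (not a reply-only rule)")
    return findings
```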
02-28-2003 06:56 PM
Thanks for the help, Shannon, got it to work.
First time I ever touched a firewall. Thanks for the quick response.
Jose