Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Need Help Configuring Pix515E

I'm testing with my laptop behind the pix and I can't browse the web or ping anything in the outside.

Outside IP of Pix is 209.78.212.62 netmask 255.255.255.224

Inside IP is 192.168.1.1 netmask 255.255.255.0

DHCP is enabled from 192.168.1.100-200

static route outside 0.0.0.0 0.0.0.0 209.78.212.33 1

Any help getting this to work is appreciated.

Jose

Attached the Configuration

Building configuration...

: Saved

:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password PW5/XtguiShnqfUP encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname fw1

domain-name targetmediapartners.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name 209.78.212.62 FW1

access-list outside_access_in deny ip any any

access-list inside_access_in permit ip any any

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside FW1 255.255.255.224

ip address inside 192.168.1.1 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.99 255.255.255.255 inside

pdm location FW1 255.255.255.255 outside

pdm location 209.78.212.55 255.255.255.255 outside

pdm history enable

arp timeout 14400

nat (inside) 0 192.168.1.0 255.255.255.0 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 209.78.212.33 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 209.78.212.55 255.255.255.255 outside

http 192.168.1.99 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.100-192.168.1.200 inside

dhcpd dns 209.78.212.40 209.78.212.41

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain targetmediapartners.com

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:4665b5b51467493b354c3fe48356c61f

: end

[OK]

2 REPLIES
Silver

Re: Need Help Configuring Pix515E

I see two problems right off.

#1. NAT: If you want to get to the Internet, you'll need to NAT your IPs to something public. Your [nat inside (0)] statement tells the Pix not to NAT traffic for the 192.168.1.0/24 network. Instead, replace it with something like

nat (inside) 1 192.168.1.0 255.255.255.0

Now add a global statement to NAT the traffic to something public. You can use the Pix's outside interface if you would like.

global (outside) 1 interface

#2. ACLs: Your two access-lists don't actually accomplish anything as they are both the Pix's behavior by default. That is, allow all traffic on the inside interface going out and deny all traffic on the outside interface coming in. So just remove the inside interface ACL all together and replace the outside ACL with something like this.

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any unreachables

access-list outside_access_in permit icmp any any time-exceeded

access-group outside_access_in in interface outside

The pix does not do stateful inspection of ICMP traffic. Therefore, this access-list allow responses to ping requests from hosts on the outside to hosts on the inside. It will also allow ICMP unreachables in. The time-exceeded will permit traceroute to work going out to the internet. It should be noted that using this ACL will not allow hosts on the Internet to ping your hosts on the inside.

All other traffic started on the inside going out will automagically be let back in by the Pix due to its stateful inspection of the packets.

-Shannon

New Member

Re: Need Help Configuring Pix515E

Thanks for the help Shannon, got it to work.

First time I ever touched a Firewall, Thanks for the quick response.

Jose

94
Views
0
Helpful
2
Replies
CreatePlease login to create content