Cisco Support Community
PIX 501 can't browse

Sorry for the simple question, but I am new to the PIX world and have a new 501 just out of the box.

I can't browse the Internet from behind the PIX, regardless of how much I open up the settings. The PIX seems to be performing its DHCP correctly to my ISP, but I can't browse out. Is there something I have to enable just to get started? I'm running behind a Fujitsu SpeedPort DSL modem which works fine when connected directly to the NIC.

Can anyone help?

Here's the configuration:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.0 AllInternal
access-list inside_access_in permit tcp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location AllInternal 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 AllInternal 255.255.255.255 0 0
nat (inside) 0 AllInternal 255.255.255.255 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http AllInternal 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside

5 REPLIES
Re: PIX 501 can't browse

I don't see an "ip address dhcp setroute" command to get the default route from the DHCP server.

Re: PIX 501 can't browse

Geoffry,

Thanks for the reply. I know this is pretty basic, and I appreciate the help.

Here's the new config with a setroute statement. I added some Ping access, but still I can't browse from behind the PIX, nor ping outside the PIX.

Result of PIX command: "sh config"

: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.0 AllInternal
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any unreachable
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location AllInternal 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 AllInternal 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http AllInternal 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.20-192.168.1.99 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

The outside connection is negotiating properly with my ISP; I can see the appropriate DNS and gateways. And if I do an ipconfig from my computer (I have just one client on here for testing the setup), it shows me a PIX DHCP assignment of 192.168.1.21, the gateway of 192.168.1.1 and the correct connection-specific DNS suffix from my ISP.

What am I missing here? Is there a simple setup or troubleshooting document somewhere so I wouldn't have to bother the list with this basic stuff? I've tried the help inside the PDM and the FAQs on the Cisco site, but those assume you have at least taken Step 1 :(

Thanks.

Re: PIX 501 can't browse

Can you ping from the PIX to an external address? What are the contents of "sho ip route"?

Re: PIX 501 can't browse

Geoffry,

I found the troubleshooting section on the Cisco site and I'm better now. I got it working by changing the NAT rules. It looks like I didn't have a translation rule set up properly.

I'm using the PDM to set this up, and I think the command line makes it easier to understand what is going on.

This now works. Does it make sense?

Result of PIX command: "sh config"

: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.0 AllInternal
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location AllInternal 255.255.255.255 inside
pdm location 192.168.1.20 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http AllInternal 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.20 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.20-192.168.1.99 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Thanks again,

Ovid Bailey

Re: PIX 501 can't browse

Hi,

This new config makes sense. The old one doesn't have a valid NAT. "nat (inside) 0 AllInternal 255.255.255.255 0 0" doesn't do NAT; what it tells the PIX is to not do NAT on that IP address. After changing to "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" NAT is performed by the PIX. But what it means is to allow anything on the internal interface to go out.

You may want to change it to "nat(inside) 1 Allinternal 255.255.255.0 0 0" This will allow only the subnet 192.168.1.0 to go out. Anything else will not be allowed.

Regards,

Ron
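The three NAT variants in this thread (the original nat 0 line, the working nat 1 0.0.0.0 line, and Ron's subnet-restricted version) behave differently for the same inside host, and the reason is easy to miss by eye: "name 192.168.1.0 AllInternal" combined with the mask 255.255.255.255 covers the single address 192.168.1.0, not the /24, so the DHCP client at 192.168.1.21 matched no translation rule at all. The Python below is an added example, not code from the thread or from Cisco: it parses just the name/nat/global lines of a PIX 6.x config dump and reports what happens to an outbound packet. Two things are modelling assumptions of mine and are marked as such in the code: when several nat lines match, the longest prefix wins, and a host matching no nat line is dropped (PIX 6.x requires a translation for traffic leaving a higher-security interface). The outside address 203.0.113.7 stands in for the ISP's DHCP-assigned one and is constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    iface: str                      # interface the nat line is bound to, e.g. "inside"
    nat_id: int                     # 0 = identity (no translation); N > 0 pairs with "global (...) N"
    network: ipaddress.IPv4Network  # local addresses the rule covers


def parse_pix_nat(config: str):
    """Pull 'name', 'nat <iface> <id> <addr> <mask>' and 'global' lines out of a
    PIX 6.x config dump. Fixups, ACLs, dhcpd and the rest are ignored on purpose.
    """
    names, nats, globals_ = {}, [], {}
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) == 3:
            names[parts[2]] = parts[1]                 # name <ip> <label>
        elif parts[0] == "nat" and len(parts) >= 5 and parts[3] != "access-list":
            addr = names.get(parts[3], parts[3])       # resolve labels such as AllInternal
            net = ipaddress.ip_network(f"{addr}/{parts[4]}", strict=False)
            nats.append(NatRule(parts[1].strip("()"), int(parts[2]), net))
        elif parts[0] == "global" and len(parts) >= 4:
            globals_[(parts[1].strip("()"), int(parts[2]))] = parts[3]
    return nats, globals_


def outbound_translation(config: str, src: str, outside_ip: str) -> str:
    """Decide what the PIX does with a packet from inside host `src` going to the outside.

    Assumptions (mine, not taken from Cisco documentation): among matching nat lines
    the longest prefix wins; a host that matches no nat line is dropped, which is the
    PIX 6.x "no translation group found" behaviour for higher-to-lower security traffic.
    """
    nats, globals_ = parse_pix_nat(config)
    host = ipaddress.ip_address(src)
    matches = [r for r in nats if r.iface == "inside" and host in r.network]
    if not matches:
        return "DROP: no translation group found"
    best = max(matches, key=lambda r: r.network.prefixlen)
    if best.nat_id == 0:
        return f"PASS untranslated as {src}"
    mapped = globals_.get(("outside", best.nat_id))
    if mapped is None:
        return f"DROP: nat id {best.nat_id} has no matching global"
    # "global (outside) N interface" means PAT behind the outside interface address
    return f"PAT to {outside_ip if mapped == 'interface' else mapped}"


# Constructed extracts of the three configs in the thread (NAT-relevant lines only).
CONFIG_FIRST = """\
name 192.168.1.0 AllInternal
global (outside) 1 interface
nat (inside) 0 AllInternal 255.255.255.255 0 0
"""
CONFIG_WORKING = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
CONFIG_RESTRICTED = """\
name 192.168.1.0 AllInternal
global (outside) 1 interface
nat (inside) 1 AllInternal 255.255.255.0 0 0
"""
OUTSIDE_IP = "203.0.113.7"  # constructed stand-in for the DHCP-assigned outside address

if __name__ == "__main__":
    cases = [("first", CONFIG_FIRST), ("working", CONFIG_WORKING), ("restricted", CONFIG_RESTRICTED)]
    for label, cfg in cases:
        for src in ("192.168.1.21", "192.168.1.0", "10.0.0.5"):
            print(f"{label:10} {src:14} -> {outbound_translation(cfg, src, OUTSIDE_IP)}")
```

Running it shows the DHCP client 192.168.1.21 dropped under the first config (only 192.168.1.0 itself would pass, untranslated), PAT'd under the 0.0.0.0 rule regardless of source (a host on 10.0.0.5 gets out too), and PAT'd only when it belongs to 192.168.1.0/24 under the subnet-restricted rule.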
