Pix 501 - No internet access (HELP!)

admin_2 · ‎03-12-2004

I've had this problem once before, but I'm unsure of what's happening exactly. All I know is that I cannot access the internet. Though oddly enough it seems my site to site vpn is working (Tho I cannnot ping) Another thing I should add is that the 123.44.67.0 network is not an internet network. It's the local network here. (I didn't set up the scheme, I just know it's impossible to change in the near future)

Please help me out here. I'm so confused and I'm sure all I'm doing is confusing matters more.

Here's a copy of my config

names

name 123.44.67.0 Toledo

name 123.44.67.206 misys

access-list outside_access_in permit icmp any any

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Toledo 255.255.255.0

access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Toledo 255.255.255.0

access-list acl_out permit icmp any any

access-list nonat_vpn permit ip any 192.168.1.0 255.255.255.0

access-list nonat_vpn permit ip host misys host 192.168.1.2

access-list nonat_vpn permit ip host misys host 192.168.1.32

access-list nonat_vpn permit ip host misys host 192.168.1.3

pager lines 24

icmp permit any outside

icmp permit any inside

icmp permit any echo-reply inside

icmp permit any traceroute inside

mtu outside 1500

mtu inside 1500

ip address outside 69.3.45.* 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location Toledo 255.255.255.0 outside

pdm location misys 255.255.255.255 outside

pdm location 192.168.1.0 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 69.3.45.*

nat (inside) 0 access-list nonat_vpn

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

rip inside passive version 1

rip inside default version 1

route outside 0.0.0.0 0.0.0.0 69.3.45.* 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 68.76.6.185

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 68.76.6.* netmask 255.255.255.255 no-xauth no-config-mode

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 64.105.179.138 64.105.189.26

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

mvoight · ‎03-12-2004

There isn't really enough information to determine the problem. If you get a sniffer trace outside the PIX, are packets from the inside going outbound? Does the router on the outside of the PIX show the correct arp entry for the global address and the PIX outside interface address?