01-20-2003 12:03 AM - edited 02-20-2020 10:30 PM
Hi
This is the first time that I have configured a PIX! Please help me.
I configured a PIX 501. All the PCs in the network cannot access the internet (the gateway is the outside IP address of the PIX).
Here's the config:
KAJIMA# sh conf
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname KAJIMA
domain-name KAJIMA.com.ph
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list devping permit icmp any any
access-list devping permit ip host 192.168.1.1 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 210.23.197.162 255.255.255.0
ip address inside 192.168.1.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.0 210.23.197.0 netmask 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:1543c58ffdaacc5b7a33a8569b6b3c6d
I'll accept any additional parameters for my initial configuration.
Thanks in advance,
Mhel
01-20-2003 06:21 AM
The default gateway on the PC must be on the same subnet, i.e. if the PC is 192.168.1.x, the default gateway on the PCs should be 192.168.1.10.
01-20-2003 03:23 PM
Hi,
The default gateway of the PCs should point to the INSIDE IP address of the PIX (not the outside address).
Also, the PIX needs a default gateway. You should use the 'route' command to do this:
route outside 0.0.0.0 0.0.0.0 ip_address_of_default_gateway
I also ran the config through the Cisco Output Interpreter tool and got these results:
--------------------------------------------------------------------------------
DISCLAIMER: This tool is provided as is and no guarantees are provided. The tool
may make suggestions to improve the security/performance of the PIX Firewall.
Any proposed changes to the configuration should be researched thoroughly and
tested in a lab environment if possible, and should be consistent with any
security policy you have in place. If you are still having problems, you should
contact a Cisco TAC engineer.
-------------------------------------------------------------------------------
WARNING: The enable password has not been set.
TRY THIS: Set the enable password with the 'enable password' configuration
command.
WARNING: A User level password (for TELNET access etc.) has not been set.
TRY THIS: Set the User level password with the 'passwd' configuration command.
WARNING: Make sure that you do NOT use 'cisco' as a password for access or
enable passwords.
TRY THIS: Set the regular password with the 'passwd' configuration command. Set
the enable password with the 'enable password' configuration command.
WARNING: The following 'static' statements do not appear to have a corresponding
'conduit' or 'access-list/access-group' pair:
static (inside,outside) 192.168.1.0 210.23.197.0 netmask 255.255.255.0 0 0
TRY THIS: Check that you require these static statements, and if so, consider
configuring an access-list/access-group pair (or conduit) for these statics.
WARNING: You have access-lists defined that are not applied in the configuration
with an 'access-group', 'crypto map', 'crypto dynamic-map', 'vpngroup {name}
split-tunnel' 'nat 0', 'aaa accounting match', 'aaa authentication match', or
'aaa authorization match' command:
access-list devping permit icmp any any
access-list devping permit ip host 192.168.1.1 any
TRY THIS: Make sure that these access-lists are required in your configuration.
(e.g. used for RADIUS authorization)
INFO: The following static statements reference an IP address that do not belong
to the same subnet as the referenced interface:
'static (inside, outside) 192.168.1.0 210.23.197.0 netmask 255.255.255.0'
references 'outside'
TRY THIS: If there is a router connected to the reference interface, it will
require static routes to the PIX for any non-connected subnet addresses.
INFO: Your 'Xlate' timeout is greater than 1 hour. The xlate timeout determines
the idle time until a translation slot is freed. You may increase system
performance by setting this timer to 1 hour with the configuration command,
'timeout xlate 1:00:00'.
Kind Regards,
Tom
02-04-2003 05:36 PM
Hi, I didn't see a "route outside 0.0.0.0 0.0.0.0 x.x.x.x" statement in your config. Could that be the problem? x.x.x.x is the address of your default destination, presumably your outside router's IP address.
Bruce MacDougall
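The three replies and the Output Interpreter output together amount to a short checklist for this config: the PCs' gateway has to be the PIX inside address in their own subnet, the PIX needs a default route, and an access-list or static that is not bound with access-group does nothing useful. The script below is an added example written for this thread, not code from the original posters or from Cisco; it runs those checks over a constructed copy of the relevant lines of the posted config. The regular expressions, the finding texts and the function names are my own assumptions about how to express the checks, and they target the PIX 6.x command syntax shown on the page only.

```python
import ipaddress
import re

# Constructed sample input: the lines of the PIX 6.1 config posted in the
# thread that the checks need (interfaces, ACLs, NAT/static). The missing
# default route is exactly the defect the replies point out.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list devping permit icmp any any
access-list devping permit ip host 192.168.1.1 any
ip address outside 210.23.197.162 255.255.255.0
ip address inside 192.168.1.10 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.0 210.23.197.0 netmask 255.255.255.0 0 0
"""


def parse_interfaces(config):
    """Map interface name -> IPv4Interface from 'ip address <if> <ip> <mask>' lines."""
    ifaces = {}
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)\s*$", config, re.M):
        ifaces[m.group(1)] = ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}")
    return ifaces


def lint_pix_config(config):
    """Return a list of human-readable findings for the checks raised in the thread."""
    findings = []

    # 1. Without a default route the PIX has nowhere to send internet-bound
    #    traffic, whatever gateway the PCs use (Tom's and Bruce's point).
    if not re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append(
            "no default route: add 'route outside 0.0.0.0 0.0.0.0 <next-hop-ip>'"
        )

    # 2. An access-list that is never bound with access-group has no effect
    #    (the Output Interpreter warning about 'devping').
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    bound = re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)
    applied_names = {name for name, _ in bound}
    applied_ifaces = {iface for _, iface in bound}
    for name in sorted(defined - applied_names):
        findings.append(
            f"access-list '{name}' is defined but never applied with access-group"
        )

    # 3. A static translation only becomes reachable from the global interface
    #    once an access-group (or, on old code, a conduit) admits traffic there.
    has_conduit = re.search(r"^conduit ", config, re.M) is not None
    for local_if, global_if, local, glob in re.findall(
        r"^static \((\S+),(\S+)\) (\S+) (\S+)", config, re.M
    ):
        if global_if not in applied_ifaces and not has_conduit:
            findings.append(
                f"static {local}->{glob} on '{global_if}' has no "
                f"access-group/conduit on that interface"
            )
    return findings


def gateway_check(pc_ip, pc_mask, gateway, ifaces):
    """First reply's rule: the PC gateway must lie in the PC subnet and be the
    PIX inside address, not the outside one."""
    pc = ipaddress.IPv4Interface(f"{pc_ip}/{pc_mask}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in pc.network:
        return "gateway is not in the PC subnet"
    if gw != ifaces["inside"].ip:
        return "gateway is not the PIX inside address"
    return "ok"


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    # The original poster pointed the PCs at the outside address.
    print(gateway_check("192.168.1.1", "255.255.255.0", "210.23.197.162", ifaces))
    print(gateway_check("192.168.1.1", "255.255.255.0", "192.168.1.10", ifaces))
```

Run as-is it reports the missing default route, the unapplied 'devping' list and the static with no access-group, then shows the outside-address gateway failing the subnet test while the inside address passes. Appending a route line to the sample clears the first finding only; the ACL and static findings are policy decisions the thread leaves to the poster.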