Cisco Support Community
PIX 501 with DSL MODEM for internet connection

Hi

This is the first time that I configured a PIX! Pls help me.

I configured a PIX 501. All the PCs in the network cannot access the internet (gateway is the outside IP address of the PIX).

Here's the config:

KAJIMA# sh conf
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname KAJIMA
domain-name KAJIMA.com.ph
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list devping permit icmp any any
access-list devping permit ip host 192.168.1.1 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 210.23.197.162 255.255.255.0
ip address inside 192.168.1.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.0 210.23.197.0 netmask 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:1543c58ffdaacc5b7a33a8569b6b3c6d

I'll accept any additional parameters for my initial configuration.

Thanks in advance

Mhel

3 REPLIES

Re: PIX 501 with DSL MODEM for internet connection

The default gateway on the PC must be on the same subnet, i.e. if the PC is 192.168.1.x, the default gateway on the PCs should be 192.168.1.10.

Re: PIX 501 with DSL MODEM for internet connection

Hi,

The default gateway of the PCs should point to the INSIDE IP address of the PIX (not the outside address).

Also, the PIX needs a default gateway. You should use the 'route' command to do this:

route outside 0.0.0.0 0.0.0.0 ip_address_of_default_gateway

I also ran the config through the Cisco Output Interpreter tool and got these results:

--------------------------------------------------------------------------------
DISCLAIMER: This tool is provided as is and no guarantees are provided. The tool may make suggestions to improve the security/performance of the PIX Firewall. Any proposed changes to the configuration should be researched thoroughly and tested in a lab environment if possible, and should be consistent with any security policy you have in place. If you are still having problems, you should contact a Cisco TAC engineer.
-------------------------------------------------------------------------------

WARNING: The enable password has not been set.
TRY THIS: Set the enable password with the 'enable password' configuration command.

WARNING: A User level password (for TELNET access etc.) has not been set.
TRY THIS: Set the User level password with the 'passwd' configuration command.

WARNING: Make sure that you do NOT use 'cisco' as a password for access or enable passwords.
TRY THIS: Set the regular password with the 'passwd' configuration command. Set the enable password with the 'enable password' configuration command.

WARNING: The following 'static' statements do not appear to have a corresponding 'conduit' or 'access-list/access-group' pair:
static (inside,outside) 192.168.1.0 210.23.197.0 netmask 255.255.255.0 0 0
TRY THIS: Check that you require these static statements, and if so, consider configuring an access-list/access-group pair (or conduit) for these statics.

WARNING: You have access-lists defined that are not applied in the configuration with an 'access-group', 'crypto map', 'crypto dynamic-map', 'vpngroup {name} split-tunnel' 'nat 0', 'aaa accounting match', 'aaa authentication match', or 'aaa authorization match' command:
access-list devping permit icmp any any
access-list devping permit ip host 192.168.1.1 any
TRY THIS: Make sure that these access-lists are required in your configuration. (e.g. used for RADIUS authorization)

INFO: The following static statements reference an IP address that do not belong to the same subnet as the referenced interface:
'static (inside, outside) 192.168.1.0 210.23.197.0 netmask 255.255.255.0' references 'outside'
TRY THIS: If there is a router connected to the reference interface, it will require static routes to the PIX for any non-connected subnet addresses.

INFO: Your 'Xlate' timeout is greater than 1 hour. The xlate timeout determines the idle time until a translation slot is freed. You may increase system performance by setting this timer to 1 hour with the configuration command, 'timeout xlate 1:00:00'.

Kind Regards,

Tom
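The checks in Tom's reply (missing default route, a static with no access-group/conduit, an access-list that is never applied, the long xlate timeout) can be automated against a saved PIX config. The script below is an added example written for this thread, not part of the original posts or of Cisco's Output Interpreter; the config lines it inspects are a constructed excerpt of the posted config, and it also flags the default 'public' SNMP community, which the interpreter output above does not mention.

```python
import re

# Constructed sample: the lines of the posted PIX 6.1 config that the checks below inspect.
SAMPLE_CONFIG = """\
access-list devping permit icmp any any
access-list devping permit ip host 192.168.1.1 any
ip address outside 210.23.197.162 255.255.255.0
ip address inside 192.168.1.10 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.0 210.23.197.0 netmask 255.255.255.0 0 0
timeout xlate 3:00:00
snmp-server community public
"""

# Commands that bind an access-list by name on PIX 6.x (access-group, crypto map, nat 0).
BIND_RE = re.compile(r"(?:access-group|crypto map \S+ \d+ match address|nat \(\S+\) 0 access-list) (\S+)")

def check_pix_config(text):
    """Return one finding string per issue, in a fixed order, for a PIX 6.x config."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    # 1. Default route: the omission both replies point at.
    if not any(re.match(r"route \S+ (?:0\.0\.0\.0|0) (?:0\.0\.0\.0|0) \S+", ln) for ln in lines):
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <gateway>'")
    # 2. Access-lists that are defined but never bound anywhere.
    defined = {m.group(1) for ln in lines if (m := re.match(r"access-list (\S+) ", ln))}
    applied = {m.group(1) for ln in lines if (m := BIND_RE.match(ln))}
    for name in sorted(defined - applied):
        findings.append(f"access-list '{name}' is defined but not applied")
    # 3. A static with no access-group or conduit: nothing permits inbound connections to it.
    if any(ln.startswith("static (") for ln in lines) and not any(
            ln.startswith(("access-group ", "conduit ")) for ln in lines):
        findings.append("static statement has no access-group or conduit pair")
    # 4. xlate idle timeout above one hour, as the interpreter's INFO message notes.
    for ln in lines:
        m = re.match(r"timeout xlate (\d+):(\d+):(\d+)", ln)
        if m and int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3)) > 3600:
            findings.append(f"xlate timeout {m.group(0).split()[-1]} exceeds 1:00:00")
    # 5. The well-known default SNMP community (not flagged by the interpreter, but worth catching).
    if "snmp-server community public" in lines:
        findings.append("snmp-server community is the default 'public' string")
    return findings

if __name__ == "__main__":
    for finding in check_pix_config(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Feed it the full 'sh conf' output instead of the sample and the same five findings come back; adding the route, an access-group and a 1:00:00 xlate timeout clears all but the SNMP one.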


Re: PIX 501 with DSL MODEM for internet connection

Hi, I didn't see a "route outside 0.0.0.0 0.0.0.0 x.x.x.x" statement in your config. Could that be the problem? x.x.x.x is the address of your default destination, presumably your outside router's IP address.

Bruce MacDougall
