01-09-2003 12:12 AM - edited 02-20-2020 10:28 PM
Hi, I have 2 problems with a PIX 501.
First I need to go back to the default configuration, but the command "configure factory-default" doesn't work, so how can I do it?
Second, I have a default route on the inside interface like route inside 0.0.0.0 0.0.0.0 192.6.2.9 1 but it doesn't work either.
I don't know why, because I suppose that I can go anywhere from the inside interface without going through the PIX, can't I?
Thanks in advance
01-09-2003 07:04 AM
Hi,
to reset your pix to the factory default (=no config present) you have to use these commands:
write erase
reload
Using these commands, your config is entirely erased. If you need your current config afterwards, please make a backup first.
Is the default gateway of the pix located on the inside interface of the pix?
Kind Regards,
Tom
01-09-2003 08:09 AM
Thanks for your answer.
I erased the configuration and configured it again, but I still have the same problem: I can't get to the exterior from the inside.
I have a dsl router with ethernet 0 192.168.200.251, I have an FTP server with the IP 192.168.200.126, and this is the configuration of the PIX:
pixfirewall# sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list devping permit icmp any any
access-list devping permit ip host 192.168.2.123 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.253 255.255.255.0
ip address inside 192.168.200.125 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.6.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.2.200 192.168.200.126 netmask 255.255.255.255 0 0
access-group devping in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.200.251 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.200.14 255.255.255.255 inside
telnet timeout 20
ssh timeout 5
terminal width 80
From the PIX I can ping 198.133.219.25 (www.cisco.com), but from any PC (192.168.200.14 for example) I can't.
Can you help me?
Another thing: can you tell me how a PC on the outside LAN (192.168.2.123 for example) could reach anywhere on the inside LAN?
Because I used the command static (inside,outside) 192.168.2.200 192.168.200.126 netmask 255.255.255.255 0 0, but with this I can only reach the FTP server, and I want to reach everything.
Thanks in advance
01-10-2003 12:14 AM
Hi,
what is the default gateway of the inside PCs? If it is the inside IP address of the pix, then it won't work, because when a packet (going to the internet) from an inside PC arrives at the pix's inside interface, it has to go out of the pix on the same interface. The pix does not allow this.
Can I ask you why the internet connection (dsl router) is located at the inside? This way the pix will not be able to protect your inside network.
Kind Regards,
Tom
01-10-2003 01:13 AM
I use this PIX to separate two networks. The PCs on the inside interface can go to the internet and also to PCs on the outside interface.
However, the PCs on the outside interface can't go to the PCs on the inside (well, only one PC can).
I tried to put a router in the hub where the PCs of the outside interface are, with ethernet 0: 192.168.2.254 and serial 1: 10.10.10.2, and in the PIX I added route outside 10.10.10.0 255.255.255.0 192.168.2.254.
Then from the PIX I can reach 10.10.10.2, but I can't from a PC.
If a packet arrives at one of the pix's interfaces, can't it come out of the pix on the same interface?
Then what are static routes for?
Thanks in advance
01-10-2003 03:22 AM
Hi,
is it possible to give a brief overview of the setup you are trying to achieve?
If all hosts on the outside (insecure) network have to be able to access the inside (secure) network, what's the point then of using a pix? Or am I mistaken?
The pix has limited routing functionalities, it just doesn't allow packets to go out on the same interface. The static routes are there for packets that go through the pix.
Kind Regards,
Tom
01-11-2003 01:56 AM
Thanks for your answer, I didn't know that the static routes are only for packets that go through the pix.
Then for the PCs on the inside interface I must set their gateway to the ethernet0 of the dsl router, and in this router put a static route to the network of the PCs on the outside interface, mustn't I?
This PIX will be used to separate two networks, the 192.168.2.0 (on the outside) and the 192.168.200.0 (on the inside).
The PCs on the inside can go to the PCs on the outside and can also go to the internet (going to the dsl router).
Obviously the PCs on the outside interface can't go to the PCs on the inside interface (except one PC of one administrator). Because of this I think that I have to put this:
static (inside,outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.255 0 0
access-list devping permit ip host 192.168.2.X any
access-group devping in interface outside
haven't I?
Can you tell me if it is correct?
Many thanks, I have to install this PIX on Monday, I hope that it all works.
01-11-2003 04:15 AM
Hi,
thanks for explaining your setup. It's a lot clearer to me right now :-)
There is an error in the static command you provided. Since you are statically translating an entire subnet, you have to use a different subnet mask. It should be like this:
static (inside,outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0
But I still find it a somewhat strange setup. The dsl router to the internet is on the inside, so you trust the internet, but you don't trust the users on the 192.168.2.0 network. Or am I mistaken here? Isn't it more logical to put the dsl router at the outside interface?
Kind Regards,
Tom
01-11-2003 10:52 AM
Yes, it's strange, but that is what the client has told me about their network.
Maybe the dsl router is for a point-to-point connection with another office, I don't know yet, but I have done the configuration of the PIX as if the router will be used for the Internet.
Anyway, now I'm home and I'm trying out the PIX with the help of my desktop and my laptop.
I put this command: static (inside,outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0 and I think that it all works well. (As at home I don't have any router, I don't know if I could go to the internet from a PC on the outside interface, but you told me that the static routes are valid only for the traffic that goes through the PIX, so I suppose that in the client's network it will work, I hope.)
I think that this command (static (inside,outside) ......) does the same as:
global (outside) 1 interface
nat (inside) 1 0 0
doesn't it?
Best regards
01-11-2003 05:08 PM
Hi,
static (inside,outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0
is not the same as:
global (outside) 1 interface
nat (inside) 1 0 0
With the global/nat commands in place, your inside network is hidden behind the ip address of the outside interface of the pix. The source addresses of packets going from the inside to the outside are replaced with the ip address of the outside interface of the pix. This is what we call PAT = port address translation.
Kind Regards,
Tom
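To make the difference Tom describes concrete, here is a small model of the PIX's outbound translation, added for this thread and not PIX code or anything from the original posts: it runs the same inside packet through an identity static, through the host-mask version of that static, and through global/nat PAT, and returns what the outside network would see as the source. Addresses are the ones from the configuration posted in the thread; the port counter is a constructed stand-in for the PIX's own PAT port allocation, and the ordering (statics before the nat/global pool) is the precedence the PIX applies.

```python
"""What the outside network sees for an inside-originated packet under
(a) an identity static and (b) global/nat PAT.  Added example written for this
thread, not PIX code: a simplified model of the PIX's outbound translation.
Addresses come from the configuration posted in the thread; the port counter
is a constructed stand-in for the PIX's own PAT port allocation."""
import ipaddress
from itertools import count


def prefix_len(dotted_mask):
    """255.255.255.0 -> 24; 255.255.255.255 -> 32."""
    return sum(bin(int(octet)).count("1") for octet in dotted_mask.split("."))


def parse_static(line):
    """'static (inside,outside) MAPPED REAL netmask MASK ...' -> (real_net, mapped_net).
    strict=False lets a host mask (255.255.255.255) be applied to a network address,
    which is exactly the mistake discussed in the thread: it then matches one host."""
    parts = line.split()
    mapped, real, mask = parts[2], parts[3], parts[5]
    real_net = ipaddress.ip_network(f"{real}/{prefix_len(mask)}", strict=False)
    mapped_net = ipaddress.ip_network(f"{mapped}/{prefix_len(mask)}", strict=False)
    return real_net, mapped_net


class OutboundTranslator:
    """Statics are consulted first; the global/nat PAT pool is the fallback."""

    def __init__(self, statics=(), pat_outside_ip=None):
        self.statics = [parse_static(s) for s in statics]
        self.pat_ip = pat_outside_ip   # 'global (outside) 1 interface' -> outside address
        self.next_port = count(1024)   # constructed port allocator for the PAT model

    def translate(self, src_ip, src_port):
        """Return (address, port) as seen on the outside, or None if no rule applies."""
        src = ipaddress.ip_address(src_ip)
        for real_net, mapped_net in self.statics:
            if src in real_net:
                # one-to-one mapping: keep the host's offset inside the subnet
                offset = int(src) - int(real_net.network_address)
                return str(mapped_net.network_address + offset), src_port
        if self.pat_ip is not None:    # 'nat (inside) 1 0 0': every inside source
            return self.pat_ip, next(self.next_port)
        return None


# (a) identity static for the whole /24 (the corrected netmask from the thread)
IDENTITY_STATIC = "static (inside,outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0"
# the version with the host mask, which only covers the single address 192.168.200.0
HOST_MASK_STATIC = "static (inside,outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.255 0 0"
OUTSIDE_IF = "192.168.2.253"           # 'ip address outside' from the posted config


def compare(src_ip="192.168.200.14", src_port=40000):
    """Same inside packet through each rule set; returns what the outside sees."""
    return {
        "identity_static": OutboundTranslator([IDENTITY_STATIC]).translate(src_ip, src_port),
        "host_mask_static": OutboundTranslator([HOST_MASK_STATIC]).translate(src_ip, src_port),
        "pat": OutboundTranslator(pat_outside_ip=OUTSIDE_IF).translate(src_ip, src_port),
    }


if __name__ == "__main__":
    for name, seen in compare().items():
        print(f"{name:17} -> {seen}")
```

With the identity static the outside host sees the real inside address 192.168.200.14 (the inside network is exposed, not hidden); with the host-mask static no rule matches 192.168.200.14 at all, so nothing is forwarded; with global/nat PAT every inside host appears as 192.168.2.253 with a distinct port.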
01-12-2003 03:02 AM
Thanks for your help, now I understand.
This was the first time that I had seen a PIX and I had to configure it in a couple of days.
Anyway, then I could go to the internet from a PC on the outside interface (administrator PC), because you told me that the static routes are valid only for the traffic that goes through the PIX, didn't you?
And the PCs on the inside interface must have as gateway the IP of the router in order to go to the Internet, mustn't they?
Many thanks
01-12-2003 03:35 AM
Hi,
you are right. Since the pix does not allow/route traffic coming out of the same interface it came in, you will have to define the ip address of the router as the default gateway for your inside pc's.
Kind Regards,
Tom
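The routing behaviour Tom explains in this thread (the PIX does not send a packet back out the interface it arrived on) can be checked against a configuration before it is deployed. The script below is an added example written for this thread, not PIX code or anything the participants posted: it reads only the `ip address` and `route` lines of a configuration, does a longest-prefix match for the source and destination of a flow, and flags flows whose ingress and egress interface coincide. The posted configuration is compared with a hypothetical alternative in which the default route points out the outside interface via 192.168.2.254 (the router address mentioned in the thread); the ingress interface is taken from the connected subnet the source belongs to, which is a simplification of what the PIX sees on the wire.

```python
"""Does a flow arriving on one PIX interface need to leave on the same interface?
Added example written for this thread, not PIX code.  It reads only the
'ip address' and 'route' lines of a configuration and applies longest-prefix
matching; the PIX 6.x behaviour it checks against is the one described in the
thread (traffic is not sent back out the interface it arrived on)."""
import ipaddress

# 'ip address' and 'route' lines from the configuration posted in the thread
POSTED_CONFIG = """
ip address outside 192.168.2.253 255.255.255.0
ip address inside 192.168.200.125 255.255.255.0
route inside 0.0.0.0 0.0.0.0 192.168.200.251 1
"""

# hypothetical alternative: the dsl router sits on the outside hub at 192.168.2.254
# (the address the thread uses for the router's ethernet 0)
ROUTER_ON_OUTSIDE = """
ip address outside 192.168.2.253 255.255.255.0
ip address inside 192.168.200.125 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
"""


def prefix_len(dotted_mask):
    """255.255.255.0 -> 24; 0.0.0.0 -> 0."""
    return sum(bin(int(octet)).count("1") for octet in dotted_mask.split("."))


def parse_routes(config):
    """(interface, network) pairs: connected subnets from 'ip address' lines
    plus static routes from 'route' lines.  Other lines are ignored."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "address"] and len(parts) >= 5:
            iface, ip, mask = parts[2:5]
            routes.append((iface, ipaddress.ip_network(f"{ip}/{prefix_len(mask)}", strict=False)))
        elif parts[:1] == ["route"] and len(parts) >= 5:
            iface, net, mask = parts[1:4]
            routes.append((iface, ipaddress.ip_network(f"{net}/{prefix_len(mask)}", strict=False)))
    return routes


def interface_for(routes, address):
    """Longest-prefix match: the interface the PIX associates with this address."""
    addr = ipaddress.ip_address(address)
    best = None
    for iface, net in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def check_flow(config, src, dst):
    """Describe where a src->dst packet enters and would leave the PIX.
    'hairpin' is True when both are the same interface, which the PIX refuses;
    the ingress interface is inferred from the subnet the source belongs to."""
    routes = parse_routes(config)
    ingress = interface_for(routes, src)
    egress = interface_for(routes, dst)
    return {"ingress": ingress, "egress": egress,
            "hairpin": ingress is not None and ingress == egress}


if __name__ == "__main__":
    # the thread's test: an inside PC pinging www.cisco.com
    print(check_flow(POSTED_CONFIG, "192.168.200.14", "198.133.219.25"))
    print(check_flow(ROUTER_ON_OUTSIDE, "192.168.200.14", "198.133.219.25"))
    # the admin PC on the outside reaching the FTP server on the inside
    print(check_flow(POSTED_CONFIG, "192.168.2.123", "192.168.200.126"))
```

For the posted configuration, an inside PC reaching 198.133.219.25 enters on inside and would have to leave on inside, which is the case the PIX drops; the same flow with the default route on the outside interface, or an outside PC reaching the inside FTP server, crosses the PIX and is routed.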