Cisco Support Community

New Member

pix 506e setup

I just set up a PIX 506e to support 50 or so internal users, giving them Internet access. I have the internal interface set up as a DHCP server and both interfaces wide open to see if I could get things up and running. Even though I can ping out through the US LEC equipment to the DNS servers, I cannot get the Internet to work from a workstation. What am I missing? The equipment the PIX will replace (a Netgear router) works fine and both are set with the same settings.

9 REPLIES
Silver

Re: pix 506e setup

Can you post your config so we can look for possible issues?

Thanks

Steve

New Member

Re: pix 506e setup

Here you go

Sub outside and DNS address with A.B.C and E.F.G

:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password AgqM4.gG7qpt16Ai encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.162 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 A.B.C.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.100 inside
dhcpd dns E.F.G.8 E.F.G.9
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:2568a91677239e71d2b41439588ea411
: end

Re: pix 506e setup

nat (x) 0 is used to disable NAT; use 1 or whatever number and the corresponding global.

Try this setup:

no nat (inside) 0 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
clear xlate
wr mem

sincerely

Patrick

New Member

Re: pix 506e setup

Now it is back to

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Still can't access the Internet. What to do?

New Member

Re: pix 506e setup

Everything is working now, thanks for your help.

Re: pix 506e setup

Is it working finally?

The nat and global number must correspond to get it working.

Example:

global (outside) 1 x.x.x.3
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 2 x.x.x.4
nat (inside) 2 192.168.100.0 255.255.255.0

In this example 192.168.1.x would use public IP x.x.x.3 and 192.168.100.x would use x.x.x.4 public IP.

And always do a < clear xlate > after changing the Address translation.

sincerely

Patrick

Click on Rate when you found this Post useful.
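Added example, not part of the original thread or any Cisco tool: a small Python check for the rule stated above, that every nat statement needs a global with the same nat_id and that nat_id 0 means no translation. The function name, the finding labels and the mismatched sample are constructed for illustration; the other two samples are the nat/global lines posted in this thread.

```python
import re
from collections import defaultdict

# Matches PIX 6.x "nat (ifc) <id> ..." and "global (ifc) <id> ..." lines.
# Lines beginning with "no " do not match and are ignored.
STMT = re.compile(r"^(nat|global)\s+\((\w+)\)\s+(\d+)\b")

def check_nat_pairing(config_text):
    """Return sorted (finding, nat_id) tuples for nat/global mismatches."""
    ids = {"nat": defaultdict(set), "global": defaultdict(set)}
    for raw in config_text.splitlines():
        m = STMT.match(raw.strip())
        if m:
            kind, ifc, nat_id = m.group(1), m.group(2), int(m.group(3))
            ids[kind][nat_id].add(ifc)
    findings = []
    for nat_id in ids["nat"]:
        if nat_id == 0:
            # nat 0 disables translation: inside hosts keep their own
            # addresses, so private 192.168.0.x sources get no replies.
            findings.append(("nat-0-no-translation", 0))
        elif nat_id not in ids["global"]:
            findings.append(("nat-without-global", nat_id))
    for nat_id in ids["global"]:
        if nat_id not in ids["nat"]:
            findings.append(("global-without-nat", nat_id))
    return sorted(findings)

# The relevant lines of the configuration as first posted in the thread.
AS_POSTED = """
ip address inside 192.168.0.1 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 A.B.C.161 1
"""

# The lines suggested in the reply: PAT on the outside interface address.
AFTER_FIX = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Constructed sample: the two statements use different nat_ids.
MISMATCHED = """
global (outside) 1 x.x.x.3
nat (inside) 2 192.168.100.0 255.255.255.0
"""

if __name__ == "__main__":
    for name, cfg in [("as posted", AS_POSTED), ("after fix", AFTER_FIX),
                      ("mismatched", MISMATCHED)]:
        print(name, check_nat_pairing(cfg))
```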

New Member

Re: pix 506e setup

Removed the original nat statement OK, but I can't seem to input a valid nat_id for the global command; tried 1, 20, 256, none would work. Is there a certain number to use? The information says any positive number would work.

Re: pix 506e setup

No, you can use any number with the exception of 0.

See command reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1032129

Given outbound traffic and the following example, for the nat command statements with a nat_id of 1, any of the hosts on the 10.1.1.0 network are translated to the range of 209.165.201.25-209.165.201.27. After all three addresses have been used, the translation rule starts using 209.165.201.30 as the PAT address. For the nat command statements with a nat_id of 3, all of the hosts on the 10.1.3.0 network are translated to the outside IP address of the FWSM using PAT.

nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.25-209.165.201.27 netmask 255.255.255.224
global (outside) 1 209.165.201.30
nat (inside) 3 10.1.3.0 255.255.255.0
global (outside) 3 209.165.201.30

The following example specifies with nat command statements that all the hosts on the 10.0.0.0 and 10.3.3.0 inside networks can start outbound connections. The global command statements create unique pools of global addresses for those hosts that cannot overlap.

nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 209.165.201.24-209.165.201.27 netmask 255.255.255.224
global (outside) 1 209.165.201.30
nat (inside) 3 10.3.3.0 255.255.255.0
global (outside) 3 209.165.201.10-209.165.201.23 netmask 255.255.255.224

sincerely

Patrick
