10-17-2002 07:54 AM - edited 02-20-2020 10:18 PM
I am in the process of installing a PIX 515e to an ADSL router. I have all the IP addresses for the router etc. I am trying to connect this to a network on the internal interface of the PIX. (Please bear with me as I am new to firewalls!!)
I can ping the firewall from the network but I can not get any access to the internet. The initial setup documentation for the PIX implies that by default there is access out from the firewall but none in! I am obviously missing something here, i.e. telling the network to route internet requests through the firewall!!! ???
Sorry to be so simplistic but I am learning all the time!
Thanks for any help.
Robin
10-17-2002 09:09 AM
For your internal LAN to be able to go out, you need to enable or disable NAT.
To enable NAT (ie translate your internal IPs to a public IP):
-nat (inside) 1 0 0 (allows all your internal IPs to be NATed, Substitute 0 0 with the IPs you want to allow to be NATed)
-global (outside) 1 x.x.x.x netmask 255.255.255.0 (where x.x.x.x is the NATed public IP)
To disable NAT (ie let your internal IPs appear as they are, untranslated, on the internet):
-nat (inside) 0 0 0
This will allow your inside to go out, and for the outside to reply to your requests. This doesn't allow the outside to start connections inbound to you. For that you need static and access-list commands.
See link for config examples: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
Hope it helps.
Steve
10-18-2002 05:10 AM
Thanks for your advice Steve. I may have messed things up on the firewall though it seems. Is there a way to return the PIX to its default configuration?
Also, a very novice question here, do I need to define a router on my internal network or will it automatically route everything through the firewall??
Thanks
Robin
10-18-2002 05:43 AM
"Clear configure" will reset command parameters in the configuration to their default values.
You can have a router on the inside send packets to your PIX or you can have your PCs have the default gateway to the PIX. Depends on the size of your LAN/company. Both work, but the router model will scale better.
Steve
10-18-2002 06:15 AM
Re-read your last post (misread the first time), yes you will need a route on your router to point to the PIX as its default gateway (eg ip route 0.0.0.0 0.0.0.0 x.x.x.x - where x is your PIX internal IP).
Steve
10-18-2002 08:43 AM
Thanks again Steve.
I think you were right with your first response. I do not have a router currently on the network. I realise that if the network grows this may become a necessity but at the moment I was hoping to do without one.
I have now reconfigured the PIX from scratch, in theory allowing outbound traffic but can still not connect to the internet. Would this have anything to do with the firewall being plugged into a Cisco Switch?? I can ping the firewall, use PDM from my workstation but not get any internet connection. I am using Windows 2000 Pro on the Workstation and this is connected to a Windows 2000 Server network using active directory. This means that there is a DNS and DHCP server running on the internal network. Would this confuse the path to the internet?
I have set a gateway address of the internal interface to the firewall on the workstation but it still does not get through.
Thanks again for your help on this.
Robin.
10-18-2002 10:45 AM
You need to setup the NAT and global commands (are they correct?). You also need a route to the internet on the PIX, use the command "route outside 0.0.0.0 0.0.0.0 x.x.x.x" (where x.x.x.x is the external router outside the PIX - provided by your ISP). I assume your internal routing is working as the PIX can connect to your internal hosts. If this routing is configured and still doesn't work:
-Can the PIX ping the ISP router?
-Do you have any access-lists applied?
-Does the web page resolve to an IP (thereby eliminating DNS as an issue)
Posting your config may save time (minus public IPs, passwords etc. to protect the guilty).
Steve
10-21-2002 04:29 AM
Steve, I can't thank you enough for your help on this matter.
The following is a breakdown of our setup:
Internal network running Windows2000. IP addressing scheme that must have been made up as it is 192.168.0.0 with a sub-net mask of 255.255.0.0.
The internal interface of the PIX is 192.168.0.xx.
The external interface of the PIX is one of the addresses assigned me by our ISP. This has a mask of 255.255.255.248
If I run the 'Show Route' command on the PIX I get the following:
-outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1 OTHER static (where xx is the IP of the Router provided by our ISP.)
-outside xx.xxx.xxx.x 255.255.255.248 xx.xxx.xxx.x 1 CONNECT static (where the first xx number is one address below the external interface number. I did not give this number but it is refered to in my ISP documentation as the 'network' address. The second xx number is the external interface of the PIX)
-inside 192.168.0.0 255.255.0.0 192.168.0.xx 1 CONNECT static (where xx is the internal interface of the PIX)
I CAN ping the PIX from my workstation.
I CAN use PDM from my workstation.
I can NOT access a website from my workstation.
I can NOT resolve a website IP address from my workstation.
The PIX CAN ping the above website using its IP address.
The PIX CAN ping the ISP router.
I can NOT ping the external interface of the PIX from my workstation.
The PIX was cleared and rebuilt from scratch to achieve the above as I thought it would be the easiest way.
Thanks again for your help on this matter.
Regards,
Robin.
10-21-2002 05:11 AM
Robin,
Here is a sample of the commands you need to allow access outbound:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ......
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol smtp 25
interface ethernet0 10baset
interface ethernet1 10full
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.0.x 255.255.0.0
global (outside) 1 interface (or IP address)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.y 1
logging on
logging buffered warnings
logging timestamp
logging host inside 192.168.0.z
To let users ping through the PIX, add the "access-list 101 permit icmp any host x.x.x.x echo-reply" (where x.x.x.x is your NAT IP) command to the configuration and bind it to each interface you want to test with the access-group command (eg access-group 101 in interface outside). This lets pings go outbound and allows the reply back in. You aren't allowed to ping the PIX external IP from the inside (PIX isn't a router).
Is your DNS set-up correctly and working? Can you do nslookups? You aren't using access-lists right?
Do a show log to see what is happening when you try to open a web page.
Steve
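The NAT behaviour Steve describes above (nat/global lets an inside host out and admits the reply, ICMP echo-replies need an access-list bound to the outside interface, and an outside-initiated connection needs that permit plus a static), as an added Python model. This is not code from the thread or from Cisco; it is a toy state machine that follows Steve's rules, and all addresses in it are constructed placeholders from the RFC 5737 documentation ranges (192.0.2.2 stands in for the PIX outside address, 198.51.100.10 for a web server, 203.0.113.53 for a public DNS server).

```python
"""Toy model of how a PIX 6.x treats traffic crossing inside -> outside.

Added example, not code from the thread. It encodes the rules Steve lays out:
  * nat (inside) 1 <net>  +  global (outside) 1 interface: an inside host that
    opens a connection gets an xlate (show xlate) and, for tcp/udp, a conn
    entry (show conn); the reply is admitted because the conn exists.
  * PIX 6.1 does not track icmp as a connection, so an echo-reply from the
    outside is only admitted by an access-list bound to the outside interface.
  * A connection started from the outside needs that access-list permit AND
    a static so the public address can be untranslated.
All addresses are constructed placeholders (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Pix6:
    outside_ip: str                                   # ip address outside a.b.c.d
    nat_inside: list                                  # nets in: nat (inside) 1 ...
    statics: dict = field(default_factory=dict)       # inside ip -> public ip
    acl_outside: list = field(default_factory=list)   # (proto, dst net, port|icmp type)
    xlates: dict = field(default_factory=dict)        # inside ip -> public ip
    conns: set = field(default_factory=set)           # (proto, pub, sport, dst, dport)

    def _translate(self, src):
        """Public address an inside host appears as, or None (no translation group)."""
        if src in self.statics:
            return self.statics[src]
        if any(ip_address(src) in ip_network(n) for n in self.nat_inside):
            return self.outside_ip       # global (outside) 1 interface = PAT
        return None

    def outbound(self, proto, src, sport, dst, dport):
        pub = self._translate(src)
        if pub is None:
            return "drop: no translation group found for %s" % src
        self.xlates[src] = pub
        if proto in ("tcp", "udp"):      # icmp is not stateful in 6.1
            self.conns.add((proto, pub, sport, dst, dport))
        return "pass: %s leaves as %s" % (src, pub)

    def _acl_permits(self, proto, dst, spec):
        return any(p == proto and s == spec and ip_address(dst) in ip_network(net)
                   for p, net, s in self.acl_outside)

    def inbound(self, proto, src, sport, dst, dport):
        """dst is the public address the packet is sent to; dport a port or icmp type."""
        if (proto, dst, dport, src, sport) in self.conns:
            return "pass: reply to an existing conn"
        if not self._acl_permits(proto, dst, dport):
            return "drop: implicit deny on the outside access-group"
        inside = next((i for i, p in self.xlates.items() if p == dst), None)
        if proto == "icmp" and inside is not None:
            return "pass: icmp permitted by acl, xlate back to %s" % inside
        for i, p in self.statics.items():
            if p == dst:
                return "pass: permitted by acl, static to %s" % i
        return "drop: permitted by acl but no static for %s" % dst


def demo():
    """Walk through the thread's cases; returns the verdict strings in order."""
    pix = Pix6(outside_ip="192.0.2.2", nat_inside=["192.168.0.0/16"])
    web, dns, pub_dns = "198.51.100.10", "192.168.0.10", "203.0.113.53"
    out = [
        pix.outbound("tcp", "192.168.0.142", 40000, web, 80),      # browse out
        pix.inbound("tcp", web, 80, "192.0.2.2", 40000),            # reply back in
        pix.outbound("tcp", "10.9.9.9", 40001, web, 80),            # not in nat (inside)
        pix.outbound("icmp", "192.168.0.142", 0, web, "echo"),      # ping out
        pix.inbound("icmp", web, 0, "192.0.2.2", "echo-reply"),     # reply: no acl yet
    ]
    pix.acl_outside.append(("icmp", "192.0.2.2/32", "echo-reply"))  # access-list 101 ...
    out.append(pix.inbound("icmp", web, 0, "192.0.2.2", "echo-reply"))
    pix.acl_outside.append(("udp", "192.0.2.3/32", 53))            # permit dns inbound
    out.append(pix.inbound("udp", pub_dns, 53, "192.0.2.3", 53))    # acl alone: no static
    pix.statics[dns] = "192.0.2.3"                                  # static (inside,outside)
    out.append(pix.inbound("udp", pub_dns, 53, "192.0.2.3", 53))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the last three cases is the point: the echo-reply is dropped until the access-list exists, and an inbound DNS query is still dropped after the access-list permits it, because nothing untranslates 192.0.2.3 until the static is added. That is why Steve asks for both a static and an access-list entry for the DNS server.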
10-21-2002 06:00 AM
Steve,
All of the commands as you listed them were entered but I still can not connect to the internet.
I am now worried about DNS as you mention it. Windows 2000 Active Directory uses DNS for the internal network. Therefore our fictitious domain is non-existent on the internet and the root DNS server is completely internal. Is this what is causing my problems??
Robin.
10-21-2002 08:50 AM
After you enter the acl to permit ping, can you ping now?
Does show log reveal anything?
For DNS and testing, create a static on the PIX for your DNS server. For example "static (inside,outside) x.x.x.x 192.168.0.x netmask 255.255.255.255" where x.x.x.x is a public IP and 192.168.0.x is your dns server. Then allow dns from the outside to your DNS server - "access-list 101 permit udp/tcp host z.z.z.z host x.x.x.x eq 53" where z.z.z.z is a public dns server (or use any for testing) and x.x.x.x is your dns server's NAT'ed IP. See what happens, look at your log.
What version of PIX are you running.
Let us know.
Steve
10-22-2002 01:32 AM
Steve,
Even after entering the acl to permit ping I can NOT get past the firewall. I tried the static route for DNS also but this had no effect.
Using 'show log' revealed that logging was enabled but there were no messages.
I am beginning to think that either I am totally stupid or there is something wrong with the firewall. I have downloaded and used each and every command you have kindly sent me to no avail. I have also done this with a sample configuration from the Cisco site following every step bit by bit, again it does not work.
Even using the simple 'wizard' setup in PDM to allow all outbound traffic does not work.
The version of PIX is 6.1(4)
Thanks for all your help.
Robin.
10-22-2002 04:16 AM
I think there are 2 options left:
1) post all the config as is (minus public IPs and passwords only)
2) upgrade the OS to 6.2.
This will rule out a config issue, maybe a bug or faulty hardware. But if you post the config, we can eliminate the config as the issue. If you change the OS to 6.2 we can eliminate a bug. That would only leave a hardware issue, which you can RMA for a new one. But at this point I don't think it's HW.
Steve
10-22-2002 04:49 AM
Steve,
Here is the Config.
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password N51JqWodsWmI5V9u encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name wolverhamptoncitycouncil.gov.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 62.190.xxx.x 255.255.255.248
ip address inside 192.168.0.30 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.142 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 62.190.xxx.xxx-62.190.xxx.xxx netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 62.190.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.142 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
service resetoutside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:b132dd7fd4f5964b79a1474b97c67b19
: end
I hope this helps. I agree that Hardware is probably not the problem. Just me!!!
Robin.
10-22-2002 10:33 AM
Obvious point here but make sure the first global IP doesn't overlap with the outside interface of the PIX (which is covered by the second global command).
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password N51JqWodsWmI5V9u encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name wolverhamptoncitycouncil.gov.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit icmp any 62.190.x.x 255.255.255.248 echo-reply
access-list 101 permit icmp any host 62.190.x.x echo-reply
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging host inside x.x.x.x
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 62.190.xxx.x 255.255.255.248
ip address inside 192.168.0.30 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.142 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 62.190.xxx.xxx-62.190.xxx.xxx netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 62.190.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.142 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community xxxxx
no snmp-server enable traps
floodguard enable
no sysopt route dnat
service resetoutside
telnet timeout 5
ssh timeout 5
terminal width 80
I added a few small changes, "Wr mem" it, reload.
You should be able to ping to and through the PIX from the inside. You should be able to surf. Enable logging as above and do a show log if any fails. Show conn (eg show conn local x.x.x.x or show conn for x.x.x.x) and show xlate may help as well.
If it's a no go I would change the OS as everything should be working.
Steve
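The checks this thread turned on (a nat id with a matching global, a global pool that does not cover the outside interface address, a default route to the ISP router on the outside subnet, an access-list that is actually bound with access-group, and "logging on" so that "show log" has something to show) plus the default SNMP community visible in the posted config, as an added Python script. This is not a Cisco tool and not code from the thread. SAMPLE_CONFIG is constructed to resemble Robin's posted config with the masked 62.190.x.x addresses replaced by the 192.0.2.0/29 documentation block; the "n0tPublic" community string in FIXED_CONFIG is a placeholder.

```python
"""Sanity checks for a PIX 6.x outbound-access config, in the order the thread
worked through them. Added example, not a Cisco tool and not from the thread.
SAMPLE_CONFIG is constructed to resemble the posted config, with the masked
62.190.x.x addresses replaced by the 192.0.2.0/29 documentation block.
"""
from ipaddress import ip_address, ip_interface

SAMPLE_CONFIG = """\
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit icmp any host 192.0.2.2 echo-reply
logging buffered debugging
ip address outside 192.0.2.2 255.255.255.248
ip address inside 192.168.0.30 255.255.0.0
global (outside) 1 192.0.2.1-192.0.2.6 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
snmp-server community public
"""

# The same config with the four problems fixed: pool no longer covers .2,
# logging switched on, the acl bound to outside, default community replaced.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("192.0.2.1-192.0.2.6", "192.0.2.3-192.0.2.6")
                .replace("logging buffered", "logging on\nlogging buffered")
                .replace("community public", "community n0tPublic")
                + "access-group 101 in interface outside\n")


def parse(text):
    """Pull out only the statements the checks below need."""
    cfg = {"ip": {}, "global": {}, "nat": {}, "acl": set(), "bound": set(),
           "default_gw": None, "logging_on": False, "snmp": []}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[:2] == ["ip", "address"]:
            cfg["ip"][t[2]] = ip_interface("%s/%s" % (t[3], t[4]))
        elif len(t) >= 4 and t[0] == "global":          # global (outside) <id> <pool|interface>
            cfg["global"].setdefault(t[2], []).append(t[3])
        elif len(t) >= 3 and t[0] == "nat":             # nat (inside) <id> ...
            cfg["nat"][t[2]] = t[1].strip("()")
        elif len(t) >= 2 and t[0] == "access-list":
            cfg["acl"].add(t[1])
        elif len(t) >= 5 and t[0] == "access-group":    # access-group <acl> in interface <if>
            cfg["bound"].add(t[1])
        elif len(t) >= 5 and t[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            cfg["default_gw"] = ip_address(t[4])
        elif t[:2] == ["logging", "on"]:
            cfg["logging_on"] = True
        elif len(t) >= 3 and t[:2] == ["snmp-server", "community"]:
            cfg["snmp"].append(t[2])
    return cfg


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse(text), []
    outside = cfg["ip"].get("outside")
    if outside is None:
        findings.append("no 'ip address outside' statement")
    for nid, ifname in cfg["nat"].items():           # nat id 0 means no translation
        if nid != "0" and nid not in cfg["global"]:
            findings.append("nat (%s) %s has no matching global (outside) %s" % (ifname, nid, nid))
    for gid, specs in cfg["global"].items():         # pool must not cover the interface
        for spec in specs:
            if spec == "interface" or outside is None:
                continue
            ends = spec.split("-")                   # single address or a-b range
            if ip_address(ends[0]) <= outside.ip <= ip_address(ends[-1]):
                findings.append("global %s pool %s overlaps outside interface %s" % (gid, spec, outside.ip))
    if cfg["default_gw"] is None:
        findings.append("no 'route outside 0.0.0.0 0.0.0.0 <isp router>'")
    elif outside is not None and cfg["default_gw"] not in outside.network:
        findings.append("default gateway %s is not on the outside subnet %s" % (cfg["default_gw"], outside.network))
    for acl in sorted(cfg["acl"] - cfg["bound"]):    # written but never applied
        findings.append("access-list %s is defined but not bound with access-group" % acl)
    if not cfg["logging_on"]:
        findings.append("'logging on' is missing, so 'show log' will stay empty")
    for community in cfg["snmp"]:
        if community.lower() in ("public", "private"):
            findings.append("snmp-server community '%s' is a well-known default" % community)
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("fixed config findings:", lint(FIXED_CONFIG))
```

Run it against the output of "write terminal" with the public addresses left in (redact only before posting); the pool-overlap check is the one that needs the real outside address to be meaningful, which is why Steve could only call it an "obvious point" against a masked config.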