Pix 515e no packets passed to the web

mscottmikayla
Level 1

What's wrong with my config?

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname TheWall
domain-name XXXXXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.100.2 DC
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list frominisde permit tcp any any eq www
access-list frominisde permit tcp any any eq smtp
access-list inside permit ip any any
access-list inside permit tcp any any
access-list inside permit udp any any
access-list frominside permit tcp any any eq www
pager lines 24
logging on
logging host inside 192.168.100.14
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 68.XX.XX.XX 255.255.255.248
ip address inside 192.168.100.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location DC 255.255.255.255 inside
pdm location 192.168.100.14 255.255.255.255 inside
pdm location 192.168.100.252 255.255.255.255 inside
pdm location 192.168.200.0 255.255.255.255 inside
pdm location 192.168.100.0 255.255.255.255 inside
pdm location 68.XX.XX.XX 255.255.255.255 outside
pdm location 192.168.100.250 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 68.157.126.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.100.14 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.252 255.255.255.255 inside
http 192.168.200.0 255.255.255.255 inside
http 192.168.100.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
vpngroup remote idle-time 1800
telnet 192.168.100.252 255.255.255.255 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
TheWall(config)#


3 Replies

tvanginneken
Level 4

Remove this line and it should work:

nat (inside) 0 192.168.100.0 255.255.255.0 0 0

This line tells the PIX not to translate (nat 0) the source address of packets passing through the PIX originating from the 192.168.100.0 network. You should only use the nat 0 command in VPN configs.

Kind Regards,

Tom

Thanks....

I can now browse the web but cannot receive e-mail from outside.

To receive email, if your SMTP/POP3 server is inside, you need to create a static translation and leave the SMTP traffic coming in (access-list) to your server.

If your POP3 server is outside, you need to leave POP3 traffic going out.

Ben
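The two replies above describe the same class of problem: a NAT rule that does not do what the poster expects, and an inbound service that needs both a translation and an access-list entry. As an added example (not code from this thread or from Cisco), the script below parses a PIX 6.x-style config and encodes Tom's and Ben's findings as checks: it flags a `nat (iface) 0` line for an RFC1918 network on an interface that also has a dynamic nat/global pair, and it reports what is missing for inbound SMTP to a given inside server. The sample configs are constructed; `68.0.0.0/29` stands in for the poster's masked `68.XX.XX.XX` block, and `parse_pix`, `identity_nat_findings` and `inbound_smtp_gaps` are hypothetical names.

```python
# Added example, not from the thread: a small checker for PIX 6.x-style configs.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]  # token after "eq", if any

@dataclass
class PixConfig:
    names: dict = field(default_factory=dict)          # alias -> ip string ("name" command)
    nats: list = field(default_factory=list)           # (iface, id, network | None for access-list form)
    globals_: list = field(default_factory=list)       # (iface, id)
    statics: list = field(default_factory=list)        # (real_if, mapped_if, mapped_ip, real_ip)
    acls: dict = field(default_factory=dict)           # name -> [AclEntry]
    access_groups: dict = field(default_factory=dict)  # iface -> inbound ACL name

def _addr_spec(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_pix(text):
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"name (\S+) (\S+)$", line):
            cfg.names[m[2]] = m[1]
            continue
        line = " ".join(cfg.names.get(t, t) for t in line.split())  # expand name aliases
        if m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            net = None if m[3] == "access-list" else ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            cfg.nats.append((m[1], int(m[2]), net))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            cfg.globals_.append((m[1], int(m[2])))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            cfg.statics.append((m[1], m[2], ipaddress.ip_address(m[3]), ipaddress.ip_address(m[4])))
        elif m := re.match(r"access-list (\S+) (permit|deny) (\S+) (.*)", line):
            rest = m[4].split()
            src, rest = _addr_spec(rest)
            dst, rest = _addr_spec(rest)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
            cfg.acls.setdefault(m[1], []).append(AclEntry(m[2], m[3], src, dst, port))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg.access_groups[m[2]] = m[1]
    return cfg

def identity_nat_findings(cfg):
    """Tom's point: 'nat (iface) 0 NET MASK' sends NET out untranslated. Flag it when NET is
    RFC1918 and the same interface also has a dynamic nat/global pair (Internet NAT, not VPN)."""
    dynamic_ifaces = {iface for iface, nid, _ in cfg.nats
                      if nid != 0 and any(gid == nid for _, gid in cfg.globals_)}
    findings = []
    for iface, nid, net in cfg.nats:
        if nid == 0 and net is not None and iface in dynamic_ifaces \
                and any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"nat ({iface}) 0 {net.network_address} {net.netmask}: hosts in {net} "
                            f"leave {iface} with private source addresses; remove unless this is a VPN exemption")
    return findings

def inbound_smtp_gaps(cfg, mail_server_ip, outside="outside"):
    """Ben's point: inbound mail needs a static for the server plus an inbound ACL on the
    outside interface permitting tcp/25 to the mapped address. Returns the missing pieces."""
    real = ipaddress.ip_address(mail_server_ip)
    mapped = [s[2] for s in cfg.statics if s[3] == real and s[1] == outside]
    if not mapped:
        return [f"no static translation for {real} on {outside}"]
    acl = cfg.acls.get(cfg.access_groups.get(outside), [])
    permitted = any(e.action == "permit" and e.proto in ("tcp", "ip") and e.port in (None, "smtp", "25")
                    and any(m in e.dst for m in mapped) for e in acl)
    if not permitted:
        return [f"no access-list on {outside} permits tcp/25 to {', '.join(map(str, mapped))}"]
    return []

# Constructed sample: the poster's NAT lines, before Tom's fix and before Ben's additions.
BROKEN_CFG = """\
name 192.168.100.2 DC
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
global (outside) 1 interface
nat (inside) 0 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
"""

# Constructed sample: nat 0 removed, static for the mail server plus an inbound SMTP permit added.
FIXED_CFG = """\
name 192.168.100.2 DC
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 68.0.0.2 eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 68.0.0.2 DC netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        cfg = parse_pix(text)
        print(label, identity_nat_findings(cfg), inbound_smtp_gaps(cfg, "192.168.100.2"))
```

The checker resolves `name` aliases before matching, so the static can reference `DC` just as the poster's config does. The nat 0 check is deliberately narrow: it ignores the `nat (inside) 0 access-list` form, which is the VPN exemption Tom refers to, and only fires when the same interface also carries a dynamic nat/global pair.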
