Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

PIX 520 6.01 w/Cable modem & PAT: Outbound?

Hi Folks,

Quick diagram:

internet -- cable modem -- pix 520 -- unmanaged hub

I'm having trouble getting out from the inside lan with a PIX 520 connecting to a cable modem using PAT.

Here's my config:

PIX Version 6.0(1)

nameif ethernet0 outside security0

nameif ethernet1 extra1 security10

nameif ethernet2 inside security100

nameif ethernet3 intra1 security50

hostname mail

domain-name eworldes.com

fixup protocol ftp 21

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

no fixup protocol skinny 2000

no fixup protocol http 80

interface ethernet0 auto

interface ethernet1 auto shutdown

interface ethernet2 auto

interface ethernet3 auto shutdown

mtu outside 1500

mtu extra1 1500

mtu inside 1500

mtu intra1 1500

ip address outside x.x.38.76 255.255.255.240

ip address extra1 192.168.20.1 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip address intra1 192.168.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

pdm history enable

arp timeout 600

global (outside) 1 x.x.38.77 netmask 255.255.255.240

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 x.x.39.81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.1.21 255.255.255.255 inside

http 192.168.1.0 255.255.255.128 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

no floodguard enable

sysopt route dnat

ssh timeout 5

(Conduits and Access-Lists are temporary for initial implementation purposes only)

Now the symptoms:

with debug icmp trace on, I can see that when someone from the inside lan pings an outside address (say the gateway for the outside interface) the packets are sent and received, but not returned to the client on the inside lan.

outgoing port 80 (www) connections are not established.

The UDP and TCP connections are built (per syslog messages 302005 & 302001)

What I've tried so far:

-Swapping interfaces, extra1 with inside, in case there was a hardware preference for the inside interface

-Verified all ip's, default routes

-Swapping the outside address ip with the global

-Resetting the cable modem (although the ip is static)

-Removing any blocks via conduit and access-list commands

Are arp cache problems possible on a cable modem interface?

Do I need a router between my cable modem and my pix?

Any other suggestions?

Thanks in advance,

Kris

2 REPLIES
Community Member

Re: PIX 520 6.01 w/Cable modem & PAT: Outbound?

try the following -

access-list acl-inside permit tcp any any

access-group acl-inside in interface inside

global (outside) 1 interface

if that works, go back and fine-tune your access lists.

also.. 'conduit permit icmp any any' isnt really buying you anything either.

btw, that's one heck of a firewall to be paired up with a cable modem. ; )

Community Member

Re: PIX 520 6.01 w/Cable modem & PAT: Outbound?

Hi Kris,

have you checked your routing?

You're using a mask of .240, outside-ip is .76 and your default route points to .81.

With that subnet mask the available range is from .65 to .79, the .81 from the modem is in the next .240 range.

Regards

Ralf Krist

121
Views
0
Helpful
2
Replies
CreatePlease to create content