
Problem Browsing from a remote network

matthew.long

I have the following config running on a 515 UR:

Internet
|
|
Pix -- Wan DMZ -- Router --- ATM Cloud --- Router -- Remote Net
|
|
Internal

The problem I have is that my remote net can ping the internet but cannot browse.

This suggested to me either a NAT issue or Access lists.

I have put a sniffer on the outside network and I can see translated pings and web traffic exiting the network and responses coming back from the internet server but they just don't seem to reach the host on the remote network.

Any ideas?

Here are the lines of the config relating to the WAN:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 WAN security40
access-list WAN_ACCESS_IN permit icmp any any
access-list WAN_ACCESS_IN permit ip any any
access-list NO_NAT_WAN permit ip object-group NO-NAT-LIST 192.168.1.0 255.255.255.0
ip address outside EXT-FW 255.255.255.240
ip address inside INT-FW 255.255.240.0
ip address WAN 172.16.16.250 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT_INSIDE
nat (inside) 1 172.16.0.0 255.255.240.0 0 0
nat (WAN) 0 access-list NO_NAT_WAN
nat (WAN) 1 172.16.16.0 255.255.255.0 0 0 - Wan DMZ
nat (WAN) 1 172.16.21.0 255.255.255.0 0 0 - Remote Net
nat (WAN) 1 172.16.22.0 255.255.255.0 0 0 - Remote Net
static (inside,WAN) 172.16.0.0 172.16.0.0 netmask 255.255.240.0 0 0
access-group OUTSIDE_ACCESS_IN in interface outside
access-group WAN_ACCESS_IN in interface WAN
route outside 0.0.0.0 0.0.0.0 EXT-ROUTER 1
route WAN 172.16.21.0 255.255.255.0 WAN-ROUTER 1
route WAN 172.16.22.0 255.255.255.0 WAN-ROUTER 1
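An added example, not part of the original post and not a Cisco tool: a small Python check over the WAN-related lines of the posted config. It verifies that each dynamic nat rule on the WAN interface has a global with the same id, and that its source network is either connected or routed via that interface, so return traffic has a path. The function names and the reduced config string are assumptions for illustration; name aliases such as EXT-FW are left unresolved and skipped.

```python
import ipaddress
import re

# Reduced copy of the posted lines (WAN nat rules only); aliases kept as posted.
CONFIG = """\
ip address outside EXT-FW 255.255.255.240
ip address WAN 172.16.16.250 255.255.255.0
global (outside) 1 interface
nat (WAN) 0 access-list NO_NAT_WAN
nat (WAN) 1 172.16.16.0 255.255.255.0 0 0
nat (WAN) 1 172.16.21.0 255.255.255.0 0 0
nat (WAN) 1 172.16.22.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 EXT-ROUTER 1
route WAN 172.16.21.0 255.255.255.0 WAN-ROUTER 1
route WAN 172.16.22.0 255.255.255.0 WAN-ROUTER 1
"""

def net(addr, mask):
    """Return an IPv4Network, or None when addr is a name alias (e.g. EXT-FW)."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None

def audit(config):
    """Check each dynamic nat rule for a matching global id and a return path."""
    global_ids, reach, nats, findings = set(), {}, [], []
    for line in config.splitlines():
        if m := re.match(r"global \((\S+)\) (\d+) ", line):
            global_ids.add(m.group(2))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\d\S+) (\S+)", line):
            nats.append((m.group(1), m.group(2), net(m.group(3), m.group(4))))
        elif m := re.match(r"(?:ip address|route) (\S+) (\S+) (\S+)", line):
            if (n := net(m.group(2), m.group(3))) is not None:
                reach.setdefault(m.group(1), []).append(n)
    for ifc, nat_id, src in nats:
        if nat_id == "0" or src is None:
            continue  # nat 0 is an exemption; unparsable sources are skipped
        if nat_id not in global_ids:
            findings.append(f"nat ({ifc}) {nat_id} {src}: no global with id {nat_id}")
        if not any(src.subnet_of(r) for r in reach.get(ifc, [])):
            findings.append(f"nat ({ifc}) {nat_id} {src}: no connected net or route on {ifc}")
    return findings

if __name__ == "__main__":
    print(audit(CONFIG) or "nat ids and return paths are consistent")
```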


jmia

Hello Matthew,

Can you configure one of your inside PC's default-gateway as the inside interface IP address of the PIX and see if you can browse the internet?

Thanks --

Sorry, I don't understand how this would help.

The remote host has ip connectivity to the internet and I can ping and traceroute successfully.

Also, if I set the remote host's DG to the PIX, how will the traffic know to go through the remote site's router?

Hi -

Sorry, misread your question, so you cannot browse from the remote end. As you say you can traceroute and ping, can you then traceroute by IP and by name to www sites, i.e. http://www.yahoo.com?

And also, has your remote router got gateway of last resort set to point to the PIX, i.e.

> Gateway of last resort is to network 0.0.0.0 ?? And can you also post your full PIX config + router config (remote end) please, but remember to edit IPs and passwords.

Thanks --

jboyer

Routing is obviously not an issue if you can ping. Have you verified DNS resolution by pinging a name instead of a number? Are there any access-lists on the two routers? Also, try browsing and do a "show xlate" on the PIX to verify the workstation's address appears correctly in the xlate table. If the issue still is not resolved, post back the version of code you are running on the PIX; it may be a bug.
