Cisco Support Community
New Member

problems connecting outside

We recently got a PIX which I was setting up in a testing lab.

In the lab everything was working fine, but once it was moved to the production network nothing works.

I have it set up like this:

LAN------7513----PIX----router----internet

The LAN uses 10.0.0.0 addresses. The 7513 has 2 IP addresses, primary and secondary, on the LAN-side FastEthernet (one 10.0.0.0 and another 170.15.x.x).

On the WAN-side FastEthernet I have 170.x.x.x; I can ping this address from my LAN.

The PIX inside interface is 170.16.x.x and I can ping it from all hosts in 10.0.0.0, and I can see all my users when I use sh xlate.

From inside I can ping the inside interface of the PIX.

When I use sh xlate I can see my global address mapped to the internal address, but I cannot go out to the Internet and I cannot ping the external interface on the PIX; from my 7513 I can ping only the external interface on the PIX.

This is my PIX config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 ISP2 security60
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
nameif ethernet6 intf6 security30
nameif ethernet7 failover security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-1
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list dmz_coming_in permit icmp any any
access-list dmz_coming_in permit tcp host 206.X.X.X host any eq smtp
access-list dmz_coming_in permit tcp host 206.X.X.X host any eq www
access-list dmz_coming_in permit tcp host 206.X.X.X host any eq smtp
access-list dmz_coming_in permit tcp host 206.X.X.X host any eq www
access-list dmz_coming_in permit udp host 206.X.X.X host any eq domain
access-list dmz_coming_in permit udp host 206.X.X.X host any eq domain
access-list 101 permit ip 170.x.x.0 255.255.255.0 206.x.x.128 255.255.255.128
pager lines 24
logging on
logging monitor errors
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
interface ethernet7 100full
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu ISP2 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu failover 1500
ip address outside 206.X.X.X 255.255.255.128
ip address inside 170.X.X.X 255.255.255.0
ip address DMZ 206.X.X.252 255.255.255.128
ip address ISP2 171.X.X.21 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip address intf6 127.0.0.1 255.255.255.255
ip address failover 7.7.7.7 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 206.X.X.X
failover ip address inside 170.X.X.3
failover ip address DMZ 206.X.X.253
failover ip address ISP2 171.X.X.21
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
failover ip address intf6 0.0.0.0
failover ip address failover 7.7.7.8
failover link failover
pdm location 169.x.x.155 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 206.X.X.90-206.X.X.120 netmask 255.255.255.128
global (outside) 1 206.X.X.X
global (DMZ) 1 206.X.X.X-206.X.X.X
nat (inside) 0 access-list 101
nat (inside) 1 1 170.X.X.X 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (DMZ) 0 206.x.x.128 255.255.255.128 0 0
static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0
static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_coming_in in interface DMZ
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 206.X.X.X
route inside 10.0.0.0 255.0.0.0 170.X.X. 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (DMZ) vendor n2h2 host 206.X.X.X port 4005 timeout 5 protocol TCP
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3d41e9f201f32c7fbe9ac8dbafaf863e
: end
[OK]

2 REPLIES
Cisco Employee

Re: problems connecting outside

First of all, forget about trying to ping the outside PIX interface from anything on the inside, you won't be able to do that. The PIX doesn't allow you to ping/telnet/whatever to an interface address from another interface.

Now, if you're seeing your inside users get an xlate then it looks like the PIX is doing the right thing. Everyone on the inside will get mapped to 206.X.X.90-206.X.X.120 and then a PAT address of 206.X.X.X, so you need to make sure they're valid and your ISP has actually mapped those to you. Can you ping Internet addresses from the PIX itself? It's possible ICMPs are being filtered somewhere and so your ping tests are all being blocked. Can you ping from the outside router? Can you ping the global addresses listed above from the outside router?
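The reply's checklist (every nat id needs a matching global, the global pool and PAT address must actually be routed back to the PIX by the ISP, and a route's next hop must sit on the named interface's subnet) can be mechanised over a saved PIX 6.x config. The following is an added example, not code from the thread or from Cisco; it runs over a constructed config modelled on the post, with documentation-range addresses in place of the poster's masked ones.

```python
import ipaddress
import re
# Constructed sample modelled on the PIX 6.2 config in the post; addresses are
# documentation-range placeholders, not the poster's real ones.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.128
ip address inside 172.16.1.2 255.255.255.0
global (outside) 1 203.0.113.90-203.0.113.120 netmask 255.255.255.128
global (outside) 1 198.51.100.7
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (inside) 2 172.16.1.0 255.255.255.0 0 0
route inside 10.0.0.0 255.0.0.0 192.168.5.1 1
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
ROUTE_RE = re.compile(r"^route (\S+) \S+ \S+ (\S+)")

def audit_nat(cfg):
    """Return findings about nat/global pairing and next-hop reachability."""
    ifaces, pools, nats, routes, findings = {}, {}, [], [], []
    for line in cfg.splitlines():
        if m := IP_RE.match(line):
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := GLOBAL_RE.match(line):
            lo, _, hi = m[3].partition("-")  # "a-b" is a pool, "a" alone is PAT
            pools.setdefault(m[2], []).append((m[1], lo, hi or lo))
        elif m := NAT_RE.match(line):
            nats.append((m[1], m[2]))
        elif m := ROUTE_RE.match(line):
            routes.append((m[1], m[2]))
    # Every nat id except identity id 0 needs a global, or hosts get no xlate.
    for iface, nat_id in nats:
        if nat_id != "0" and nat_id not in pools:
            findings.append(f"nat ({iface}) {nat_id} has no matching global")
    # A global off the egress subnet only works if the upstream routes it back.
    for nat_id, entries in pools.items():
        for iface, lo, hi in entries:
            for addr in {lo, hi}:
                if ipaddress.ip_address(addr) not in ifaces[iface]:
                    findings.append(f"global {addr} (id {nat_id}) not in {iface} "
                                    f"subnet {ifaces[iface]}; ISP must route it")
    # A next hop must sit on the subnet of the interface the route names.
    for iface, gw in routes:
        if ipaddress.ip_address(gw) not in ifaces[iface]:
            findings.append(f"route {iface} next hop {gw} not on {ifaces[iface]}")
    return findings
```

On the sample it reports the unpaired nat id 2, the PAT address outside the outside subnet, and the inside route whose next hop is not on the inside segment; a clean config returns an empty list.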

Bronze

Re: problems connecting outside

Hi, if I may ask a follow-up question about trying to ping the PIX's outside interface: you mean, TOTALLY, whatever configuration I use, it is NOT possible to ping the PIX outside interface from any hosts inside? It was mentioned in one of the PIX tech notes that the command below permits pings from the network immediately outside the PIX:

icmp permit 200.1.1.0 255.255.255.0 echo outside

So it means I can ping any IP address on that network EXCEPT the PIX interface?

Thanks.
