We are an ISP that has two public networks as well as private addressing that sits behind our PIX. All outbound traffic from the private networks works as expected. However, no server on the public networks can be reached, and no DSL customer with a public IP can get out to the internet. A.B.C and X.Y are the two public nets. There is a 7200 series that sits inside of the PIX.
I have posted the config to see if you can find any errors.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list public_net permit ip x.y.41.0 255.255.255.0 any
access-list public_net permit ip a.b.c.0 255.255.255.0 any
access-list acl_out permit udp any host a.b.c.2 eq domain
access-list acl_out permit tcp any host a.b.c.3 eq smtp
access-list acl_out permit udp any host a.b.c.4 eq domain
access-list acl_out permit icmp any host a.b.c.72 echo-reply
access-list acl_out permit icmp any host x.y.41.254 echo-reply
access-list acl_out permit icmp any host x.y.41.182 echo-reply
access-list acl_out permit icmp any host x.y.41.195 echo-reply
access-list acl_out permit tcp any host x.y.41.3 eq www
access-list acl_out permit icmp host x.y.41.182 any echo
The PIX (or any IP device) can't have a route pointing to a network where the next hop is not on the connected interface's subnet. The next hop needs to be in the inside interface's subnet (10.100.0.0/24).
If you get to these networks through the same inside gateway as the rest of the 10 network, then change the above lines to:
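An added check, not from the thread or from Cisco, that catches exactly the misconfiguration the reply describes: it parses PIX `ip address` and `route` lines and flags every static route whose next hop is not inside the named interface's connected subnet. The config lines below are constructed for the example (the poster's own route statements were not quoted); only the 10.100.0.0/24 inside subnet comes from the reply.

```python
import ipaddress
import re

# Constructed sample PIX 6.3 config (not the original poster's lines).
# The inside subnet 10.100.0.0/24 is the one named in the reply; the
# routes are illustrative, and the last one has an off-subnet next hop.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.100.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.100.0.2 1
route inside 10.200.0.0 255.255.255.0 10.200.0.1 1
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_interfaces(config):
    """Map interface name -> connected subnet, from 'ip address' lines."""
    subnets = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            # ip_interface accepts a dotted netmask and masks host bits
            subnets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return subnets


def check_routes(config):
    """Return (route_line, reason) for each route whose next hop is not on
    the named interface's connected subnet; the PIX rejects such routes."""
    subnets = parse_interfaces(config)
    bad = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        ifname, _dest, _mask, next_hop = m.groups()[:4]
        net = subnets.get(ifname)
        if net is None:
            bad.append((line, f"interface {ifname} has no ip address line"))
        elif ipaddress.ip_address(next_hop) not in net:
            bad.append((line, f"next hop {next_hop} is not in {net} on {ifname}"))
    return bad


if __name__ == "__main__":
    for route, reason in check_routes(SAMPLE_CONFIG):
        print(f"BAD: {route}\n     {reason}")
```

Run against a real `write terminal` dump to list every route the PIX would reject before pasting the config in.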