Cisco Support Community
New Member

Public networks behind Pix not working

Hi,

We are an ISP that has two public networks as well as private addressing that sit behind our Pix. All outbound from the private networks works as expected. However, any server on the public networks cannot be reached, and any DSL customer with a public IP can't get out to the internet. A.B.C and X.Y are the two public nets. There is a 7200 series that sits inside of the Pix.

I have posted the config to see if you can find any errors.

Thanks!

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname xxxxxxxxxx
domain-name xxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list public_net permit ip x.y.41.0 255.255.255.0 any
access-list public_net permit ip a.b.c.0 255.255.255.0 any
access-list acl_out permit udp any host a.b.c.2 eq domain
access-list acl_out permit tcp any host a.b.c.3 eq smtp
access-list acl_out permit udp any host a.b.c.4 eq domain
access-list acl_out permit icmp any host a.b.c.72 echo-reply
access-list acl_out permit icmp any host x.y.41.254 echo-reply
access-list acl_out permit icmp any host x.y.41.182 echo-reply
access-list acl_out permit icmp any host x.y.41.195 echo-reply
access-list acl_out permit tcp any host x.y.41.3 eq www
access-list acl_out permit icmp host x.y.41.182 any echo
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.230 255.255.255.0
ip address inside 10.100.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside x.x.x.231
failover ip address inside 10.100.0.3
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list public_net
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) a.b.c.2 a.b.c.2 netmask 255.255.255.255 0 0
static (inside,outside) a.b.c.4 a.b.c.4 netmask 255.255.255.255 0 0
static (inside,outside) a.b.c.72 a.b.c.72 netmask 255.255.255.255 0 0
static (inside,outside) x.y.41.254 x.y.41.254 netmask 255.255.255.255 0 0
static (inside,outside) x.y.41.182 x.y.41.182 netmask 255.255.255.255 0 0
static (inside,outside) x.y.41.195 x.y.41.195 netmask 255.255.255.255 0 0
static (inside,outside) x.y.41.3 x.y.41.3 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 255.255.255.255 x.x.x.1 1
route inside 10.0.0.0 255.0.0.0 10.100.0.1 1
route inside x.y.41.0 255.255.255.0 x.y.41.1 1
route inside a.b.c.0 255.255.255.0 a.b.c.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

1 REPLY
Cisco Employee

Re: Public networks behind Pix not working

These are your problems:

route inside x.y.41.0 255.255.255.0 x.y.41.1 1
route inside a.b.c.0 255.255.255.0 a.b.c.1 1

The PIX (or any IP device) can't have a route pointing to a network where the next hop is not on the connected interface subnet. The next hop needs to be in the inside interface's subnet (10.100.0.0/24).

If you get to these networks through the same inside gateway as the rest of the 10 network, then change the above lines to:

route inside x.y.41.0 255.255.255.0 10.100.0.1 1
route inside a.b.c.0 255.255.255.0 10.100.0.1 1
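The check in the reply above (a static route's next hop must lie inside the subnet of the interface the route points out of) is easy to miss by eye in a long config, so here is a small linter for it. This is an added example, not code from the thread or from Cisco: it parses the PIX 6.3 `ip address` and `route` lines, flags every route whose gateway is off-subnet, and can rewrite the offending routes to a gateway you supply (the reply's suggested fix, which assumes those networks are reached through the same inside gateway as the 10.0.0.0/8 route). The sample config is constructed to mirror the thread's layout, with documentation-range addresses standing in for the masked `x.y.41.0` and `a.b.c.0` networks.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the thread's PIX 6.3 config. 198.51.100.0/24
# and 192.0.2.0/24 stand in for the masked x.y.41.0 and a.b.c.0 public networks;
# the inside interface and the 10/8 route are as posted.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.230 255.255.255.0
ip address inside 10.100.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.100.0.1 1
route inside 198.51.100.0 255.255.255.0 198.51.100.1 1
route inside 192.0.2.0 255.255.255.0 192.0.2.1 1
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")

Route = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map interface name -> configured address/mask from 'ip address <if> <addr> <mask>'."""
    interfaces: Dict[str, ipaddress.IPv4Interface] = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            interfaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def parse_routes(config: str) -> List[Route]:
    """Collect (egress interface, destination network, gateway) from 'route' lines."""
    routes: List[Route] = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            ifname, dest, mask, gw, _metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((ifname, net, ipaddress.IPv4Address(gw)))
    return routes


def find_unreachable_next_hops(config: str) -> List[str]:
    """One finding per route whose gateway is not on the egress interface's own subnet.

    Such a route can never be used: the device has no connected path to the gateway,
    which is exactly the problem with the two 'route inside' lines in the thread.
    """
    interfaces = parse_interfaces(config)
    findings: List[str] = []
    for ifname, dest, gw in parse_routes(config):
        iface = interfaces.get(ifname)
        if iface is None:
            findings.append(f"route {ifname} {dest}: interface {ifname} has no ip address line")
        elif gw not in iface.network:
            findings.append(
                f"route {ifname} {dest} via {gw}: next hop is not in {iface.network}"
            )
    return findings


def rewrite_next_hop(config: str, ifname: str, new_gw: str) -> str:
    """Return the config with every off-subnet route on `ifname` repointed at `new_gw`.

    Assumes (as the reply does) that those networks are reached through `new_gw`,
    the same gateway already used for the interface's other routes.
    """
    interfaces = parse_interfaces(config)
    iface = interfaces[ifname]
    out: List[str] = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group(1) == ifname and ipaddress.IPv4Address(m.group(4)) not in iface.network:
            dest, mask, metric = m.group(2), m.group(3), m.group(5) or "1"
            out.append(f"route {ifname} {dest} {mask} {new_gw} {metric}")
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for finding in find_unreachable_next_hops(SAMPLE_CONFIG):
        print("PROBLEM:", finding)
    fixed = rewrite_next_hop(SAMPLE_CONFIG, "inside", "10.100.0.1")
    print("after fix:", find_unreachable_next_hops(fixed) or "no off-subnet next hops")
```

Run it against a full `write terminal` dump and it reports the two broken `route inside` lines and nothing else; after `rewrite_next_hop(..., "inside", "10.100.0.1")` the report is empty. The default route's gateway is checked the same way, so a typo in the outside gateway would be caught too.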
