11-08-2003 04:24 PM - edited 03-09-2019 05:27 AM
hey all,
I am at a lost. got a 501 out of the box 6.3.3. assign it an public ip address XXX.XX.XX.13 and its private ip 10.1.25.254
the public interface is connected to a 2600, eth0 ip address is one of my public ip addresses XXX.XX.XX.254 and se0 is 172.XX.XXX.157, which is provided by my ISP. On the inside I have a Cat4006, IP 10.1.254.254. Here is where I get confused. Before I got the 501 i could tracert ip address on se0 (icmp was enabled). From the 501 I can ping et0 of the 2600, but I can't get any traffic to go outside. I tried http, dns, ftp. I have left ACL's as is, which to my understanding is all traffic outbound is allowed.
before I started I tracert some ip address and could follow to se0
now when I tracert it stops at the cat4006, it timesout there.
I am getting confused on my routing statements
on the cat4006 i define an "ip route 0.0.0.0 0.0.0.0 10.1.25.254" so that all packets no for my network to go to the private ip of the pix. (is that correct)
I then tried to set a route in the pix for the inside interface to route 0.0.0.0 0.0.0.0 to XXX.XX.XX.254 (is that right) I don't think that it is. I can't figure out how the routing should be accomplised. Do I route the outside interface to XXX.XX.XX.254? Right now I am trying this on a 501, but In a couple of weeks I plan to use a 515e
any help would be appreciated
S.O.S.
Thanks
Matt
Solved! Go to Solution.
11-09-2003 11:45 AM
Hi,
Your default route from CAT swich is correct, that is pointing to PIX's private IP. But on the PIX there is no default route. you need a statement like
route outside 0 0 xxx.xxx.xxxx.254 (the ip of your router)
Ping or traceroute may not work, unless you allow them in from outside using access-list. but other statefull protocols e.g http/telnet should work.
Thanks
Nadeem
11-08-2003 05:38 PM
can you post your config?
11-09-2003 06:34 AM
: Saved
: Written by enable_15 at 12:13:06.330 EST Fri Nov 7 2003
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XX encrypted
passwd XX encrypted
hostname XX
domain-name XX
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging trap alerts
logging host inside 10.1.254.15
mtu outside 1500
mtu inside 1500
ip address outside XXX.XX.XX.13 255.255.255.0
ip address inside 10.1.25.254 255.255.0.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
pdm location 10.1.20.1 255.255.255.255 inside
pdm location 10.1.20.2 255.255.255.255 inside
pdm location 10.2.0.0 255.255.0.0 inside
pdm location 10.1.254.15 255.255.255.255 inside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.20.2 255.255.255.255 inside
http 10.1.20.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.1.20.2 pix
floodguard enable
telnet 10.1.20.2 255.255.255.255 inside
telnet 10.1.20.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:XX
: end
11-09-2003 11:45 AM
Hi,
Your default route from CAT swich is correct, that is pointing to PIX's private IP. But on the PIX there is no default route. you need a statement like
route outside 0 0 xxx.xxx.xxxx.254 (the ip of your router)
Ping or traceroute may not work, unless you allow them in from outside using access-list. but other statefull protocols e.g http/telnet should work.
Thanks
Nadeem
11-09-2003 05:38 PM
thanks
that was it
matt
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide