Some problem with PIX

sheldon.wu
Level 1

I could ping internet websites through the PIX (6.3) with an internal IP, but only some IPs could do this... I checked my PIX's configuration and found out there are no limits on the inside interface (PIX allows access from a high security level interface to a low security level interface by default??). So strange, could someone help me to find the problem?? (cut...)

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip host 192.168.21.100 172.16.1.0 255.255.255.0
access-list 102 permit ip host 192.168.1.170 any
access-list 102 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.224
ip address inside 172.18.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool normal 172.16.1.1-172.16.1.255
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
arp timeout 14400
global (outside) 1 61.172.253.99-61.172.253.117
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.0.0 255.255.0.0 172.18.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.43 cisco123 timeout 10
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set oss1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
crypto map transam 10 ipsec-isakmp
crypto map peer1 11 ipsec-isakmp
crypto map peer1 11 set peer 194.39.131.167
crypto map peer1 11 set transform-set oss1
isakmp enable outside
isakmp key ******** address 194.39.131.167 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup normal address-pool normal
vpngroup normal dns-server 192.168.1.43 202.96.199.133
vpngroup normal split-tunnel 101
vpngroup normal idle-time 1800
vpngroup normal password ********
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end

3 Replies

jgervia_2
Level 1

Hello,

Your config looks fine for outbound access. However, you have a class C on your inside interface, which is 200+ hosts, not even counting anything you may be routing through the PIX (the 192.168 class B). However, your nat/global statements say that only 20 hosts can have outside access (and presumably internet access) at the same time:

global (outside) 1 61.172.253.99-61.172.253.117

Once 20 internal IP addresses are mapped to 20 external IP addresses, everyone else has to wait until a translation slot frees up.

Try changing it to the following:

global (outside) 1 61.172.253.99-61.172.253.116

global (outside) 1 61.172.253.117

This means after the first 19 addresses are used by hosts needing translation, everyone else will use PAT, giving you 65000+ more translations for internet access. However, there are caveats when using PAT for some types of applications; make sure you look them up.

Check out this URL if you have any more questions. It explains everything you should need to know, assuming NAT is your problem. :)

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113151

--Jason

Don't forget to rate if it helps

jgervia,

Thanks a lot. Could you tell me how to free up the translation slot list when the address range is exhausted??

Hello,

The command

show xlate

will show you the translation slots.

The command

clear xlate

will clear them, but this is usually disruptive and any connections associated with those translations will go away.

--Jason

Please rate if it's helpful.
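As an added check that is not part of the thread, the script below ties Jason's two answers together: it reads the `global (outside)` statements (the original single range versus the range-plus-PAT pair he suggested) and a `show xlate` listing, then reports how many 1:1 slots are in use and whether the pool is exhausted with no PAT fallback. The `show xlate` sample is constructed, and its line layout ("Global <ip> Local <ip>", "PAT Global <ip>(port) Local <ip>(port)") is an assumption about the PIX 6.x format.

```python
import ipaddress
import re

# Constructed config fragment: the range-plus-PAT pair from the reply above.
GLOBAL_CONFIG = """\
global (outside) 1 61.172.253.99-61.172.253.116
global (outside) 1 61.172.253.117
"""

# Constructed "show xlate" output (assumed PIX 6.x layout, see lead-in).
SHOW_XLATE = """\
4 in use, 20 most used
Global 61.172.253.99 Local 172.18.1.10
Global 61.172.253.100 Local 172.18.1.11
PAT Global 61.172.253.117(1024) Local 172.18.1.30(3344)
PAT Global 61.172.253.117(1025) Local 172.18.1.31(3345)
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
XLATE_RE = re.compile(
    r"^(PAT )?Global (\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? Local (\d+\.\d+\.\d+\.\d+)")


def parse_global_pool(config):
    """Return (set of 1:1 NAT addresses, set of PAT addresses) from global lines."""
    nat, pat = set(), set()
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if not m:
            continue
        spec = m.group(3)
        if "-" in spec:  # a range is a dynamic 1:1 NAT pool
            lo, hi = (int(ipaddress.IPv4Address(x)) for x in spec.split("-"))
            nat.update(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
        else:            # a single address in a global statement is PAT
            pat.add(spec)
    return nat, pat


def pool_usage(config, xlate_output):
    """Count 1:1 slots in use against the pool and flag exhaustion without PAT."""
    nat, pat = parse_global_pool(config)
    used, pat_conns = set(), 0
    for line in xlate_output.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue        # skip the "N in use" summary and anything unparsed
        if m.group(1):
            pat_conns += 1
        elif m.group(2) in nat:
            used.add(m.group(2))
    return {"pool_size": len(nat), "slots_used": len(used),
            "slots_free": len(nat) - len(used), "pat_available": bool(pat),
            "pat_connections": pat_conns,
            "exhausted": len(used) >= len(nat) and not pat}
```

With the original single-range statement, `pat_available` is False and `exhausted` turns True as soon as every pool address appears in `show xlate`, which is the condition the thread is describing.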
