06-22-2003 10:32 PM - edited 03-09-2019 03:46 AM
Hi Nisha
I've done what you instructed me to do before: set a route outside and make changes to the global statements, and point the workstations to the inside IP of the PIX 501 (192.168.1.x).
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 210.23.197.x(peer router from ISP)
Thanks,
Mhel
06-23-2003 01:51 AM
Hi Mhel -
Can you please post your config (remember to exclude real IPs and passwords).
Thanks -
06-23-2003 10:50 PM
Hi,
Here's the current config. Any advice is highly appreciated.
PIX501# sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (edit) encrypted
passwd (edit) encrypted
hostname xxxxxx
domain-name proxy.(ISP).net.ph
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.x.0 255.255.x.x 10.4.x.x 255.255.x.x
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 210.23.x.x 255.255.x.x
ip address inside 192.168.x.x 255.255.x.x
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 210.23.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.x.x 255.255.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set xxxxxx esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 set peer 202.136.x.x
crypto map transam 1 set transform-set xxxxxx
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 202.136.x.x netmask 255.x.x.x
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:(edit)
: end
Thanks.
Mhel
06-24-2003 02:32 AM
Hi Mhel -
Q. Have you got an inside router with a route to the PIX?
Q. Can you ping the inside interface of the PIX from any inside PCs?
Q. Have you tried using the 'clear xlate' cmd?
Q. What exact error messages are you getting / seeing?
Please let me know.
Thanks - -
06-24-2003 04:50 PM
Hi,
Answers to the questions:
1. There's no inside router. The peer router that I mentioned is on the ISP side. The connection is:
PC--------------switch-------------PIX---------------dsl------------------internet
2. Yes
3. So far, I haven't tried it yet
4. If I'm pointing my workstation to the inside IP of the PIX, it can't connect to the Internet
Thanks
Mhel
06-24-2003 11:32 PM
Ok, Mhel - -
Another question which I didn't mention in my previous post: have you tried any packet analysis on the PIX, i.e. > debug packet inside src
To stop the debug use > no debug packet inside. You can do this also for the outside interface, but use the src (source) IP that is coming in to your network (an IP, say, from your ISP).
Also, I notice that you don't seem to have any 'route inside' cmd in your PIX config?
i.e. > route inside
Hope the above makes sense and let me know how you get on.
Thanks --
06-24-2003 11:36 PM
Mhel -
Forgot to mention another thing in my previous post: please be aware that 'debugging' can generate high CPU usage on the PIX, so it is advisable not to do this on a production PIX.
Thanks--
06-30-2003 11:15 PM
Hi,
I tried it already, the debug packet cmd. When I try to add the route inside cmd, the output is "route already exist".
mhel
07-01-2003 03:51 AM
Mhel --
What does your PIX show when you do a 'show route inside' cmd? Also, try the cmd 'no route inside', then make sure you save it with the cmd 'write memory', and then re-apply the 'ip route inside' cmd and see what happens.
Hope this helps, let me know how you get on.
07-01-2003 05:58 AM
Mhel,
Just curious, but what exactly do you mean by not being able to connect to the Internet? Looking at your config, you have the correct nat and global statements set, and the route statement also seems correct to me. But with this config the PIX would not allow ICMP echoes coming back to your internal network, so "ping" would not work in this config (better to leave this disabled, though).
The next thing to check would normally be whether you can connect to an HTTP server by IP address only, because most problems are not related to packets not traversing the PIX to the outside, but the other way around. What I have seen in many cases is that the DNS server of the provider is used for name resolving (better would be a split DNS solution, but this is off topic, of course).
If you are using split DNS, this would not work in this config, because replies from the outside DNS server cannot travel back to your inside DNS server.
If this is the case you would have to open the appropriate UDP ports used for DNS resolving.
Hope this helps.
Kind regards,
Leo
07-02-2003 11:10 PM
Hi,
Here's the output; I also include the route outside.
sh route inside
inside 192.168.x.0 255.255.255.0 192.168.x.x (inside IP of PIX) 1 CONNECT static
sh route outside
outside 0.0.0.0 0.0.0.0 210.23.x.161 1 OTHER static
outside 210.23.x.160 255.255.255.240 210.23.x.162 1 CONNECT static
I'm trying to use the no route inside cmd but still get "route already exist".
What do you think?
thanks
Mhel
07-01-2003 06:58 AM
Hi,
What kind of traffic are you using for the test? ICMP, HTTP, ...?
ICMP does not work unless you create an access-list that allows ICMP echo-reply packets and apply this ACL to the outside interface.
If you are using HTTP, make sure that DNS is correctly configured.
Kind Regards,
Tom
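The inbound ACL that Tom and Leo describe, written out as an added example for PIX 6.2 (this is editor-supplied config, not something posted in the thread). It assumes the ACL name outside_in and that no other access-group is already bound to the outside interface; everything else uses only commands and keywords that exist in PIX 6.x.

```cisco
: Added example (not from the thread): let ICMP replies back in through the
: outside interface so that a ping from an inside PC gets its echo-reply.
: PIX 6.x does not keep state for ICMP the way it does for TCP/UDP xlates,
: so without an inbound ACL an inside ping simply times out even when
: TCP and UDP through the PAT work. The ACL name "outside_in" is assumed.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
:
: Bind the list inbound on outside. Everything not listed stays blocked by
: the implicit deny at the end of the ACL, so this does not open the inside
: network to unsolicited traffic.
access-group outside_in in interface outside
:
: Check it: the hit counts on the echo-reply line should go up while an
: inside PC pings an outside address (for example the VPN peer 202.136.x.x).
show access-list outside_in
:
: Drop stale translations so the test starts from a clean xlate table,
: then save.
clear xlate
write memory
```

Two points when using this: because the global statement uses the outside interface address for PAT, every echo-reply is addressed to that one IP, so "any any" can be tightened to "any host <outside-ip>" once the real address is known. And once an access-group is bound to outside, any service you later publish with a static also has to be permitted explicitly in the same list; the posted config publishes none, so nothing else is needed yet.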