I've done what you instructed me before: set a route outside and make changes to the global statements, and point the workstations to the inside IP of the PIX 501 (192.168.1.x).
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 210.23.197.x (peer router from ISP)
Here's the current config. Any advice is highly appreciated.
PIX501# sh run
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (edit) encrypted
passwd (edit) encrypted
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list 101 permit ip 192.168.x.0 255.255.x.x 10.4.x.x 255.255.x.x
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 210.23.x.x 255.255.x.x
ip address inside 192.168.x.x 255.255.x.x
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 210.23.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.x.x 255.255.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set xxxxxx esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 set peer 202.136.x.x
crypto map transam 1 set transform-set xxxxxx
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 202.136.x.x netmask 255.x.x.x
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Hi Mhel -
Q. Have you got an inside router with a route to the PIX?
Q. Can you ping the inside interface of the PIX from any inside PCs?
Q. Have you tried using the 'clear xlate' cmd?
Q. What exact error messages are you getting / seeing?
Pls. let me know.
Thanks - -
Answer to the question(s)
1. There's no inside router. The peer router that I mentioned is from the ISP side. The connection is:
3. So far, I haven't tried it yet.
4. If I'm pointing my workstation to the inside IP of the PIX, it can't connect to the internet.
OK Mhel --
Ok, Mhel - -
Another question which I didn't mention in my previous post: have you tried any packet analysis on the PIX, i.e. > debug packet inside src
To stop the debug use > no debug packet inside. You can do this also for the outside interface, but use the src (source) IP that is coming in to your network (an IP, say, from your ISP).
Also, I notice that you don't seem to have any 'route inside' cmd in your PIX config?
i.e. > route inside
Hope the above makes sense and let me know how you get on.
Forgot to mention another thing in my previous post: please be aware that 'debugging' can generate high CPU usage on the PIX, so it is advisable not to do this on a production PIX.
What does your PIX show when you do a 'show route inside' cmd? Also, try the cmd 'no route inside', then make sure you save it with the cmd 'write memory', then re-apply the 'ip route inside' cmd and see what happens.
Hope this helps, let me know how you get on.
Just curious, but what exactly do you mean by not being able to connect to the Internet? Looking at your config, you have the correct nat and global statements set, and the route statement also seems correct to me. But with this config the PIX would not allow ICMP echoes coming back to your internal network, so "ping" would not work in this config (better to leave this disabled though).
Next thing to check would normally be whether you can connect to an HTTP server by IP address only, because most problems are not related to packets not traversing through the PIX to the outside, but the other way around. What I have seen in many cases is that the DNS server of the provider is used for name resolving (better would be a split DNS solution, but this is off topic of course).
If you are using split DNS, this would not work in this config, because replies from the outside DNS server cannot travel back to your inside DNS server.
If this is the case you would have to open the appropriate UDP ports used for DNS resolving.
Hope this helps.
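The checks the last two replies walk through by hand (does every nat pool have a global, does nat 0 point at a defined access-list, is there a default route, is anything bound inbound on outside so echo-replies can return) can be scripted against a saved `sh run`. The following is an added example written for this thread, not code from any of the posters or from Cisco; the config it parses is a constructed sample in the shape of the one posted above, with placeholder addresses, and the `check_config` / `parse_config` names are this example's own. It also flags the `snmp-server community public` line visible in the posted config, since "public" is the well-known default community string.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's "sh run"; addresses are placeholders.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.4.0.0 255.255.0.0
ip address outside 210.23.197.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 210.23.197.1 1
snmp-server community public
"""


def parse_config(text):
    """Group non-empty config lines by their leading keyword ('nat', 'global', ...)."""
    cfg = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            cfg[line.split()[0]].append(line)
    return cfg


def check_config(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings = []

    # Pool ids defined by 'global (iface) <id> ...' lines.
    global_ids = set()
    for g in cfg["global"]:
        m = re.match(r"global \(\S+\) (\d+)", g)
        if m:
            global_ids.add(m.group(1))
    # Names of every access-list that has at least one entry.
    acl_names = {a.split()[1] for a in cfg["access-list"] if len(a.split()) > 1}

    # Every 'nat (iface) <id>' needs a global with the same id, except nat 0,
    # which means "do not translate" and references an access-list instead.
    for n in cfg["nat"]:
        m = re.match(r"nat \((\S+)\) (\d+) (\S+)(?: (\S+))?", n)
        if not m:
            continue
        iface, pool, arg, arg2 = m.groups()
        if pool == "0" and arg == "access-list":
            if arg2 not in acl_names:
                findings.append(f"nat ({iface}) 0 references undefined access-list {arg2}")
        elif pool != "0" and pool not in global_ids:
            findings.append(f"nat ({iface}) {pool} has no matching global pool")

    # Outbound traffic needs a default route via the outside interface.
    if not any(re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 \S+", r) for r in cfg["route"]):
        findings.append("no default route via the outside interface")

    # With nothing bound inbound on outside, unsolicited inbound packets such as
    # ICMP echo-reply are dropped, which is why ping from inside fails in this thread.
    if not any(re.match(r"access-group \S+ in interface outside$", a) for a in cfg["access-group"]):
        findings.append("no access-group on outside: inbound ICMP echo-reply is dropped")

    # A default community string exposes the device's SNMP data to anyone who can reach it.
    for s in cfg["snmp-server"]:
        if re.match(r"snmp-server community (public|private)$", s):
            findings.append("snmp-server uses a well-known default community string")

    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

On the sample this reports two findings (no inbound access-group on outside, default SNMP community) and confirms that the nat/global pairing, the nat 0 access-list reference and the default route are consistent, which matches the last reply's reading of the posted config.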