
Using 515 on cable modem with only 1 IP want to be able to host web & mail

kiska
Level 1

I can get out to the internet but the connections are not coming in, anyone have advice?

Here is my config

Building configuration...

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ClN1H8LxKWZjaQL6 encrypted

passwd ClN1H8LxKWZjaQL6 encrypted

hostname PiX

domain-name ns1.gorilla.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 101 permit icmp any any

access-list 101 permit tcp 192.168.1.0 255.255.255.0 any

access-list 101 permit udp 192.168.1.0 255.255.255.0 any

access-list 110 permit tcp any host 24.129.142.118 eq www

access-list 110 permit tcp any host 24.129.142.118 eq ftp

access-list 110 permit tcp any host 24.129.142.118 eq pop3

access-list 110 permit tcp any host 24.129.142.118 eq smtp

access-list 110 permit udp any host 24.129.142.118 eq domain

access-list 110 permit tcp any host 24.129.142.118 eq ident

no pager

logging on

logging console debugging

logging monitor debugging

logging buffered debugging

logging trap debugging

interface ethernet0 auto

interface ethernet1 100full

mtu outside 1500

mtu inside 1500

ip address outside 24.129.142.118 255.255.255.252

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.50 255.255.255.255 inside

pdm location 192.168.1.5 255.255.255.255 inside

pdm location 0.0.0.0 255.255.255.252 outside

pdm location 192.168.1.5 255.255.255.255 outside

pdm logging notifications 500

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface domain 192.168.1.5 domain netmask 255.255.255.255 0 0

static (inside,outside) udp interface domain 192.168.1.5 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 192.168.1.5 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ident 192.168.1.5 ident netmask 255.255.255.255 0 0

static (inside,outside) udp interface 113 192.168.1.5 113 netmask 255.255.255.255 0 0

static (outside,inside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 0 0

access-group 110 in interface outside

rip outside passive version 1

rip inside default version 1

route outside 0.0.0.0 255.255.255.252 24.129.142.117 1

route outside 0.0.0.0 0.0.0.0 24.129.142.117 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authorization command LOCAL

http server enable

http 192.168.1.5 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 inside

http 192.168.1.50 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 10

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

username ryan password icFEj5X32btgf670 encrypted privilege 15

privilege show level 0 command version

privilege show level 0 command curpriv

privilege show level 3 command pdm

privilege show level 3 command blocks

privilege show level 3 command ssh

privilege configure level 3 command who

privilege show level 3 command isakmp

privilege show level 3 command ipsec

privilege show level 3 command vpdn

privilege show level 3 command local-host

privilege show level 3 command interface

privilege show level 3 command ip

privilege configure level 3 command ping

privilege configure level 5 mode enable command configure

privilege show level 5 command running-config

privilege show level 5 command privilege

privilege show level 5 command clock

privilege show level 5 command ntp

terminal width 80

Cryptochecksum:5ccd5cebea09133bea27c368aba2d2db

: end

[OK]


192.168.1.5 can get out to the internet fine, that is a good point though :).

My most recent config is above.

If anyone has a config they would like to suggest I will wipe mine and try yours, but I still don't get why the one I have isn't working.

shannong
Level 4

You have two static statements in there. The first one is correct and the second is incorrect. Get rid of the second one and then "cle xlate".

Bad--> static (outside,inside) tcp interface www 192.168.1.5 www netmask 255.255.255.255

That was removed a while ago; please refer to the most recent config that I placed. I've changed some things.

Thank you for your help :)

-Ryan

wbuchinger
Level 1

Config looks fine. I would add deny any any at the end of ACL 110 to see if anything is being blocked in the log. You can also debug packets on the outside interface to look at traffic flow. Are there any hit counts on ACL 110? If not, traffic is not reaching the outside interface for those ports.

show xlate to view current translations and show conns for current connections.
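
The cross-check discussed in the replies above, written out as an added example (it is not part of the original thread and not a Cisco tool): it flags port-redirect statics declared in the wrong direction and compares each `static (inside,outside)` redirect with the permits in the ACL bound inbound to the outside interface. `SAMPLE` is an excerpt of the config from the first post (the ftp and pop3 lines are omitted); the function and variable names are assumptions made for this sketch.

```python
import re

# Port literals that appear in the posted config, with their port numbers.
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "pop3": 110, "ident": 113}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\S+) ")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host \S+ eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")

# Excerpt of the config from the original post.
SAMPLE = """\
access-list 110 permit tcp any host 24.129.142.118 eq www
access-list 110 permit tcp any host 24.129.142.118 eq smtp
access-list 110 permit udp any host 24.129.142.118 eq domain
access-list 110 permit tcp any host 24.129.142.118 eq ident
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.168.1.5 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.1.5 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ident 192.168.1.5 ident netmask 255.255.255.255 0 0
static (inside,outside) udp interface 113 192.168.1.5 113 netmask 255.255.255.255 0 0
static (outside,inside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 0 0
access-group 110 in interface outside
"""

def port(tok):
    """Translate a port literal (www, smtp, ...) or a numeric string to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def audit(config):
    """Return (wrong_direction_statics, redirects_without_permit, permits_without_redirect)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Only the ACL applied inbound on the outside interface matters here.
    acl_id = next((m.group(1) for l in lines if (m := GROUP_RE.match(l))), None)
    permits, redirects, wrong_direction = set(), set(), []
    for line in lines:
        if (m := ACL_RE.match(line)) and m.group(1) == acl_id:
            permits.add((m.group(2), port(m.group(3))))
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, proto, mapped_port = m.group(1, 2, 3, 4)
            if (real_if, mapped_if) == ("inside", "outside"):
                redirects.add((proto, port(mapped_port)))
            else:
                wrong_direction.append(line)
    return wrong_direction, sorted(redirects - permits), sorted(permits - redirects)
```

A redirect without a matching permit never receives inbound traffic, and a permit without a redirect has nothing to forward to, so either list being non-empty points at a line to review before looking at hit counts.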

kiska
Level 1

Apparently it is working now, out of nowhere... I don't get it, but I called my cable company to check into it and they said they could resolve port 80 and saw the "pix is finally working" message.

I am unable to open http://24.129.142.118 from within the LAN but people tell me it works from outside, any ideas why it doesn't open internally? It will if I use the local IP but not the external one.

It's because the pix won't route a packet out of the interface it came in on.

Rgds

Kev
