03-17-2006 01:58 AM - edited 02-21-2020 02:19 PM
Hi!
I have a Cisco PIX 501 firewall that I have problems setting up. No hosts on the inside can access the outside in any way. My old firewall didn't allow VPN and strangely enough I can get this to work on the new firewall. The firewall can ping and answer pings, but not the hosts. I have tried to configure the access-list according to instructions on the net but to no avail. Can anyone help?
The configuration after resetting and restoring basic information:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name goldpen.se
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 62.x.x.x.x.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 x.x.x.x.x.x.190 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 194.22.190.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
03-17-2006 03:29 AM
Hi
Can you confirm the kind of VPN you are trying to establish with this PIX firewall? Is it simple RA VPN clients forming the VPN connectivity with this PIX, or is it a point-to-point VPN connectivity with this PIX?
Also, the link which you have followed to configure the same, and the configuration with which the VPN and ping are successful.
regds
03-17-2006 08:27 AM
Just wondering if the outbound internet issue only occurs after the VPN configuration or not.
According to the posted config, it's pretty straightforward and it shouldn't have any issue for inside hosts to browse the internet.
Assuming the issue only occurs after the VPN configuration, please post the config with the VPN configuration instead.
03-17-2006 06:48 PM
I am just taking a guess that your inside hosts are trying to VPN outbound. If this is the case you need to add this to your config:
isakmp nat-traversal 20
If not please elaborate.
03-18-2006 06:39 PM
Hard to determine without a complete list of access lists and nat exemption statements from VPN configs.
03-19-2006 11:55 PM
Thanks everybody for the replies and your effort! It is greatly appreciated.
As requested I will elaborate. This is the configuration after a clean restart after which I have set up the basics. The hosts on the inside cannot get contact with the outside. As I mentioned the firewall can ping the world and vice versa.
My goals are primarily to get the firewall to work as one. I have a few servers I want to protect and make visible on the outside. Obviously these rules are not implemented yet.
Secondly I would like to make it possible to access the inside via VPN from home. It sounds like point to point, but I am unsure of any flavour differences? In some mysterious way I have gotten the VPN to work in previous attempts. Outside hosts have been able to log onto and access the inside. But for now that is not the problem. I think I can get it working again.
The outbound issue does occur independent of the VPN configuration or not. A VPN client connected could not connect with the outside.
This is the complete configuration as of now, and the inside hosts are unable to access the Internet.
One thought I have had is that the unit is faulty in some way? Should I send it in return?
03-20-2006 04:10 AM
Before throwing the firewall out, what are the basics for the hosts? You do not have ICMP enabled. Enable it from any to any for troubleshooting. Then, make sure the hosts can ping the firewall and can ping the router in front of the firewall. Make sure the workstations have a proper gateway of 192.168.1.1 /24. Make sure the workstations have proper DNS servers configured. Maybe they can access the Internet.
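The troubleshooting step above, letting inside hosts ping through the PIX, as an added example; this is not configuration posted by anyone in the thread. On PIX 6.3 a ping from the inside goes out by default (inside is security100, outside security0), but the ICMP reply is not matched to the outgoing echo statefully, so it is dropped on the outside interface unless an access-list permits it. The access-list name outside_in is an assumption; any name works as long as the access-group line matches it.

```cisco
! Added example, not from the thread. Permit only the ICMP reply types that a
! ping or traceroute from the inside needs, instead of "permit icmp any any".
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
! Bind the list inbound on the outside interface. Everything else inbound on
! outside is still denied, as it was before the access-group existed.
access-group outside_in in interface outside
! Let the PIX interfaces themselves answer pings from the inside and outside
! (the poster says the firewall already answers pings; shown for completeness).
icmp permit any inside
icmp permit any outside
```

Once the inside hosts can ping 192.168.1.1, then the upstream router, then a public address, the path is proven and the next thing to check is DNS on the workstations (the DHCP scope hands out 194.22.190.10, so confirm that resolver answers from the inside). Remove or narrow the echo-reply entries again when the troubleshooting is done if they are not wanted permanently.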