Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Allow traffic through PIX 515

I am having trouble getting traffic through my PIX 515. I am fairly new but can't seem to get it to happen. I have several very detailed manuals and have done what I think to be all the right steps and cannot get it right. I would like permit my users on the "INSIDE" (192.168.1.1) to access the internet on the "OUTSIDE" (68.8.9.5 - fictitious).

I set NAT with the following command:

nat (inside) 1 192.168.1.0 255.255.255.0

...and GLOBAL with:

global (outside) 1 68.8.9.6-68.8.9.8

I have created what I have thought to be the correct ACCESS-LIST:

access-list web_out permit ip any host 192.168.1.0

access-list web_out permit tcp any host 192.168.1.0

I then applied the ACL's to an interface:

access-group web_out in interface outside

My client box on the inside has the following info:

IP = 192.168.1.3

SM = 255.255.255.0

Gateway = 192.168.1.1

And of course the DNS servers

My physical configuration is as follows:

CLIENT PC >>> PIX 515 >>>> INTERNET

The PIX can ping the gateway on the OUTSIDE and can ping the client on the INSIDE but I have no connectivity through the PIX. HELP!

Thanks in advance for all you expertise.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Allow traffic through PIX 515

You probably don't have a default route on the PIX. The PIX needs to know where the Internet is and how to get to it, so add the following:

> route outside 0.0.0.0 0.0.0.0 x.x.x.x

where x.x.x.x is the IP address of your outside router that the PIX connects to.

4 REPLIES
Cisco Employee

Re: Allow traffic through PIX 515

Are the 68.8.9.6-68.8.9.8 addresses where you're trying to go to, or what you want your inside users to be NAT'd to. If the former, that's wrong, if the latter, it's right but needs tweaking. You also don't need an access-list to go from inside to outside, so let's remove that cause it's not doing anything.

To go from inside to outside, all you need is a nat/global pair. You're nat (inside) statement is correct. Your global statement says nat all your inside hosts to only 3 addresses, not good. Once these 3 addresses are used up, then no-one else will be able to go out, and keep in mind that one user going to one web page will easily use 5-6 addresses as they create different connections.

Do the following:

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 68.8.9.6

This will do PAT instead of NAT, giving you 65000-odd translations with just the one address. You then have 68.8.9.7 and 68.8.9.8 spare to use for static translations if you need them later.

As traffic goes out through the PIX, the PIX will automatically open up holes to allow that traffic back in. It only does this for TCP and UDP packets though. If you're pinging through the PIX, you do need to tell the PIX to allow that traffic back in with:

access-list inbound permit icmp any any echo-reply

access-list inbound permit icmp any any unreachable

access-group inbound in interface outside

The "unreachable" allows Path MTU Discovery to still work, and the echo-reply's allow your pings to come back in.

New Member

Re: Allow traffic through PIX 515

I did what you suggested and you confirmed that fact that I fully understand the concept of what is taking place but I still cannot get through. At first I thought that it might be a hardware or software problem but I bought 5 PIX501s and 1 PIX515 and they are all not letting internet traffic through from the inside. To answer your question the 68.8.9.6-68.8.9.8 are numbers that I want my inside users to be NAT'd to. I knew about the PAT which allowed more than one private ip to be routed out on various ports of one single public ip, I was reaching at anything that would allow me access out. I changed it as you recommended and still nothing there is obviously something I am missing. Do I need to implement a route command?

Do I need to implement a static command?

The gateway address for my clients (inside) should be the ip of the INSIDE interface (192.168.1.1) right?

I pulled one staight out of the box (new) and did the following before adding the commands you recommended:

ip address inside 192.168.1.1

ip address outside 68.8.9.5

What else do I need?

Thanks again for your time.

Cisco Employee

Re: Allow traffic through PIX 515

You probably don't have a default route on the PIX. The PIX needs to know where the Internet is and how to get to it, so add the following:

> route outside 0.0.0.0 0.0.0.0 x.x.x.x

where x.x.x.x is the IP address of your outside router that the PIX connects to.

New Member

Re: Allow traffic through PIX 515

That was it - all is well. Thanks for you help!

J

690
Views
0
Helpful
4
Replies
CreatePlease login to create content