I am having trouble getting traffic through my PIX 515. I am fairly new but can't seem to get it to happen. I have several very detailed manuals and have done what I think to be all the right steps and cannot get it right. I would like to permit my users on the "INSIDE" (192.168.1.1) to access the internet on the "OUTSIDE" (188.8.131.52 - fictitious).
I set NAT with the following command:
nat (inside) 1 192.168.1.0 255.255.255.0
...and GLOBAL with:
global (outside) 1 184.108.40.206-220.127.116.11
I have created what I have thought to be the correct ACCESS-LIST:
access-list web_out permit ip any host 192.168.1.0
access-list web_out permit tcp any host 192.168.1.0
I then applied the ACL's to an interface:
access-group web_out in interface outside
My client box on the inside has the following info:
IP = 192.168.1.3
SM = 255.255.255.0
Gateway = 192.168.1.1
And of course the DNS servers
My physical configuration is as follows:
CLIENT PC >>> PIX 515 >>>> INTERNET
The PIX can ping the gateway on the OUTSIDE and can ping the client on the INSIDE but I have no connectivity through the PIX. HELP!
Are the 18.104.22.168-22.214.171.124 addresses where you're trying to go to, or what you want your inside users to be NAT'd to? If the former, that's wrong; if the latter, it's right but needs tweaking. You also don't need an access-list to go from inside to outside, so let's remove that because it's not doing anything.
To go from inside to outside, all you need is a nat/global pair. Your nat (inside) statement is correct. Your global statement says nat all your inside hosts to only 3 addresses, not good. Once these 3 addresses are used up, then no-one else will be able to go out, and keep in mind that one user going to one web page will easily use 5-6 addresses as they create different connections.
Do the following:
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 126.96.36.199
This will do PAT instead of NAT, giving you 65000-odd translations with just the one address. You then have 188.8.131.52 and 184.108.40.206 spare to use for static translations if you need them later.
As traffic goes out through the PIX, the PIX will automatically open up holes to allow that traffic back in. It only does this for TCP and UDP packets though. If you're pinging through the PIX, you do need to tell the PIX to allow that traffic back in with:
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-group inbound in interface outside
The "unreachable" allows Path MTU Discovery to still work, and the echo-replies allow your pings to come back in.
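The pitfalls the reply points out (a global pool too small for dynamic NAT, an outside access-list matching a pre-NAT private address so it never hits, and no echo-reply permit for pings) can be checked mechanically. The following is an added example, not code from the original thread; the sample configs are constructed from the two posts, with the thread's public addresses replaced by RFC 5737 documentation addresses.

```python
import ipaddress
import re

# Constructed sample: the poster's original lines (public addresses replaced by 203.0.113.x).
ORIGINAL_CONFIG = """
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.12
access-list web_out permit ip any host 192.168.1.0
access-list web_out permit tcp any host 192.168.1.0
access-group web_out in interface outside
"""

# Constructed sample: the PAT plus ICMP-return configuration suggested in the reply.
FIXED_CONFIG = """
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.10
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-group inbound in interface outside
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+?)(?:-(\S+))?$")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def audit_pix(config: str) -> list:
    """Return findings for the nat/global and outside-ACL mistakes discussed in the thread."""
    findings, nats, pools, acls, groups = [], {}, {}, {}, {}
    for line in config.strip().splitlines():
        if m := NAT_RE.match(line):          # nat (iface) id network mask
            nats[m[2]] = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
        elif m := GLOBAL_RE.match(line):     # global (iface) id addr[-addr]
            lo = int(ipaddress.ip_address(m[3]))
            hi = int(ipaddress.ip_address(m[4])) if m[4] else lo
            pools[m[2]] = hi - lo + 1        # one address means PAT
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]
    for nat_id, net in nats.items():
        pool = pools.get(nat_id)
        if pool is None:
            findings.append(f"nat id {nat_id} has no matching global: nothing is translated")
        elif 1 < pool < net.num_addresses - 2:
            findings.append(f"global pool of {pool} addresses for {net} is dynamic NAT, not PAT: "
                            "it exhausts after a few hosts")
    outside_acl = acls.get(groups.get("outside"), [])
    for proto, rest in outside_acl:
        h = re.search(r"host (\S+)", rest)
        if h and ipaddress.ip_address(h[1]).is_private:   # outside sees post-NAT addresses only
            findings.append(f"outside ACL matches pre-NAT private address {h[1]}: never hits")
    if not any(p == "icmp" and r.endswith("echo-reply") for p, r in outside_acl):
        findings.append("no 'icmp any any echo-reply' on outside: pings through the PIX get no reply")
    return findings
```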
I did what you suggested and you confirmed the fact that I fully understand the concept of what is taking place, but I still cannot get through. At first I thought that it might be a hardware or software problem, but I bought 5 PIX501s and 1 PIX515 and they are all not letting internet traffic through from the inside. To answer your question, the 220.127.116.11-18.104.22.168 are numbers that I want my inside users to be NAT'd to. I knew about the PAT, which allowed more than one private IP to be routed out on various ports of one single public IP; I was reaching at anything that would allow me access out. I changed it as you recommended and still nothing; there is obviously something I am missing. Do I need to implement a route command?
Do I need to implement a static command?
The gateway address for my clients (inside) should be the IP of the INSIDE interface (192.168.1.1), right?
I pulled one straight out of the box (new) and did the following before adding the commands you recommended: