Question

PIX 506E config problems - PIX can connect to internet but NAT'ed computers can't

Asked by: jshuck3

I'm setting up my first PIX 506E and I'm having problems getting connectivity for the test computer I have behind it.  The PIX itself can ping external hosts, but the computer behind the PIX can't.  I've read through some older postings of others trying to set up a PIX for the first time, but I'm still stuck.

My test computer does have its gateway set to the PIX's internal IP so I don't think that's a problem.  I created a static route on the PIX for 0.0.0.0 0.0.0.0 to point to my router's public IP and that allowed the PIX itself to ping external hosts but nothing for my test computer.

I turned on console logging and when I ping a domain on the internet the PIX logs openings in the firewall for UDP traffic coming back from DNS queries, but no IP comes back and no denied errors appear in the console log.

Let me know if you need to see my config to try and troubleshoot.

Thanks.

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2004-09-20 at 08:32:05ID21137738
Tags

pix

,

506e

,

connect

,

config

,

nat

Topics

Network Software Firewalls

,

Cisco PIX Firewall

Participating Experts
2
Points
200
Comments
10

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Pix 515 - multiple dns udp connections
    I have recently installed a PIX 515, running 6.3 os. We have been having problems with the memory filling up and having to reboot the pix. I have narrowed it down to too many connections (show connection count = 45,000ish). When I looked at the details, most of the connection...
  2. Removing Double NAT (Router-Stub-PIX) using Only PI…
    I have been searching through these archives for about a week and someone has come close to answering my question in one of the posts but since it was not the same question it was only touched on. Currently I have this setup T-1 WAN (12.12.12.1/27 Subnet) to 3725 Edge router...
  3. Cisco PIX and no nat
    Hello, I have configured a pix 501 and everything works OK when I have nat configured to use a translated address on the outside interface (ie - I can ping hosts on the outside network from the internal network. However, I don't want to use nat - I don't want the inside addr...
  4. Router to PIX configuration
    Here is the situation currently my network looks like below, DSL Modem ---- PIX ---- Baystack Switch ----- Cisco Switch--- Router1 | ...
  5. Cisco Pix - NAT pool
    Cisco PIX 501 PIX ver 6.3.(3)117 I have NAT pool set up from x.x.x.71-x.x.x.125, which gives me 59 addresses. I have anywhere from 45-65 internal clients at any one time. I also have a PAT address of x.x.x.2. I have been running out of addresses lately, so I dropped the r...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: lrmoorePosted on 2004-09-20 at 08:41:17ID: 12103131

ICMP echo-replys are blocked by default on the PIX.
Try getting out to a web page like http://www.experts-exchange.com instead of pinging from a host

Else, you'll have to post up your config..

 

by: jshuck3Posted on 2004-09-20 at 09:25:20ID: 12103598

I actually opened up replies to see if that was the problem, but nothing changed.  If I try to get to a web page it just sits there and never gets anywhere.

Here's my config:

: Saved
: Written by enable_15 at 09:10:29.630 CST Mon Sep 20 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xx encrypted
passwd xx encrypted
hostname pix
domain-name x.com
clock timezone CST -6
clock summer-time CST recurring 2 Sat Apr 2:00 last Sat Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
object-group network vnc_servers
  description Servers and workstations that host VNC content
  network-object host x.x.x.79
  network-object host x.x.x.80
  network-object host x.x.x.81
  network-object host x.x.x.82
  network-object host x.x.x.83
  network-object host x.x.x.84
  network-object host x.x.x.85
  network-object host x.x.x.86
object-group network rdp_servers
  description Servers and workstations that require RDP communication
  network-object host x.x.x.79
  network-object host x.x.x.80
  network-object host x.x.x.81
  network-object host x.x.x.82
  network-object host x.x.x.103
object-group network ping_responders
  description Servers and workstations that will respond to pings
  network-object host x.x.x.79
  network-object host x.x.x.81
  network-object host x.x.x.103
object-group network dns_servers
  description Servers and workstations that respond to DNS queries
  network-object host x.x.x.103
object-group icmp-type icmp_traffic
  description Types of ICMP traffic to permit
  icmp-object echo-reply
  icmp-object source-quench
  icmp-object unreachable
  icmp-object time-exceeded
access-list PERMIT_IN deny ip any any
access-list PERMIT_IN permit icmp any any
pager lines 24
logging on
logging timestamp
logging console informational
logging buffered critical
logging host inside 192.168.10.62 6/1468
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.123 255.255.255.128
ip address inside 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name checkInfo info action alarm
ip audit name checkAttack attack action alarm
ip audit interface outside checkInfo
ip audit interface outside checkAttack
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.10-x.x.x.78
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.79 192.168.10.62 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.80 192.168.10.63 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.81 192.168.10.64 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.82 192.168.10.65 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.83 192.168.10.66 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.84 192.168.10.67 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.85 192.168.10.68 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.86 192.168.10.69 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.103 192.168.10.2 netmask 255.255.255.255 0 0
access-group PERMIT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 216.81.173.126 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.209 source outside prefer
http server enable
http 192.168.10.0 255.255.255.0 inside
snmp-server location Server Room
snmp-server contact Jason Shuck
snmp-server community x
snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9fcbcabeb08a9163a39fe358fb837876

 

by: snoopy13Posted on 2004-09-21 at 02:08:18ID: 12110282

A couple of things the inside network by default is allowed to make any connections outbound unless you apply an inside access list. Your outside access-list you do not have to put a deny as by default the pix will only allow what you tell it in the access-list and it will have an explicit deny by default.

You object groups do not seem to be tied into an access-list, they should be used with an access-list as pre this example

(config)# object-group icmp-type icmp-allowed
(config-icmp-type)# icmp-object echo
(config-icmp-type)# icmp-object time-exceeded
(config-icmp-type)# exit

(config)# access-list 100 permit icmp any any object-group icmp-allowed

 

by: lrmoorePosted on 2004-09-21 at 06:48:20ID: 12112104

I swear I commented on this yesterday..... Maybe I need more coffee this morning..

>access-list PERMIT_IN deny ip any any  <== this is killing you
>access-list PERMIT_IN permit icmp any any

As snoopy13 pointed out, everything is allowed out, its just that you have explicitly blocked all responses coming back in

Suggest either using an icmp object group as snoopy13 has shown above, or create a new acl:
  access-list PERMIT_IN permit icmp any any echo-reply
  access-list PERMIT_IN permit icmp any any unreachable
  access-list PERMIT_IN permit icmp any any time-exceeded
  access-list PERMIT_IN permit icmp any object-group network ping_responders echo
  access-list PERMIT_IN permit udp any object-group network dns_servers eq domain
  access-list PERMIT_IN permit tcp any object-group network vnc_servers eq 5800
  access-list PERMIT_IN permit tcp any object-group network vnc_servers eq 5900

<etc>

 

by: jshuck3Posted on 2004-09-21 at 12:51:44ID: 12116296

I removed the access-list item for deny ip any any, but still nothing.  

I did some more experimenting starting over from scratch and everything works up until the point where I define my global address pool.

I define it using:
global (outside) 1 x.x.x.71-x.x.x.77
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Once I do that nothing works.  If I set it to 'global (outside) 1 interface' it works, but that's using PAT and that's not what I want.

Before I set the pools all I've done is set the interface IPs, turned off DHCP, set passwords, and defined interface settings.  I turned on logging to watch what happens when i try to go online once I change it to my desired global pool but nothing is registering.  It does list translations in the xlate listings but that's it.

Any ideas?

 

by: lrmoorePosted on 2004-09-21 at 13:23:09ID: 12116583

Set the global to the addresses like you have it, then issue "clear xlate" and try again.

Did you set the netmask on the global:

 global (outside) 1 x.x.x.71-x.x.x.77 netmask 255.255.255.128
You also need one more for an "overload", else you are limited to 7 hosts inside - the depth of your pool
  global (outside) 1 x.x.x.78  <== no netmask


You might try as an experiment:

  global (outside) 1 interface
  global (outside) 2 x.x.x.71-x.x.x.77 netmask 255.255.255.128
  global (outside) 2 x.x.x.78
  nat (inside) 1 192.168.1.128 255.255.255.128
  nat (inside) 2 192.168.1.0 255.255.255.128

Now see if it works from a PC with IP 192.168.1.129, and one with IP 192.168.1.9
The two PC's should use two different global, one pat, one nat
 

 

by: jshuck3Posted on 2004-09-21 at 14:04:04ID: 12116920

Went back and set the netmask on the global and added the PAT overload address but nothing.  Tried the experiment you suggested too and still nothing.

I went back to just a PAT translation on the outside interface and everything works but when I add just a static translation it breaks.

I'm getting really confused as to why everything stops working as soon as I try and do any translation beyond PAT.

I hope this won't matter but this is the PIX behind another firewall per my previous question you answered lrmoore.  That firewall isn't doing anything with translation if somehow that changes anything.  

Thanks

 

by: lrmoorePosted on 2004-09-21 at 14:15:47ID: 12117020

Is this the one that has proxyarp turned off on? You need to turn it back on
 no sysopt noproxyarp outside

 

by: jshuck3Posted on 2004-09-21 at 14:18:17ID: 12117035

If I turn it on will it only proxy arps for hosts behind the PIX or will it do what it did before and take down my entire network?

 

by: lrmoorePosted on 2004-09-21 at 15:14:15ID: 12117516

It could, but it is required if you want to use a pool of addresses instead of the interface IP for the global...

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...