snowdizx

asked on

Cisco PIX firewall routing issue

I have a dual Cisco PIX setup here and I'm trying to figure out why traffic won't route correctly from the inside firewall over to the outside firewall and out to the net.

(internet) <-- (router) <-- (littlepix) <-- (big pix)[problem lies at this juncture] <-- (users)

Our little pix works with a 192.168.1.1 inside interface, which is what all users point to for their outside access. This part of the picture works 'excellently'. Here is the config of the 'bigpix' (our internal firewall). If anyone could help out with this tedious problem it would be greatly appreciated. Regards, Devon

config of big pix

BIGPIX(config)# wri t
Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lQEKAEzt1l7N2CG5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname BIGPIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.85 255.255.255.255
ip address inside 192.168.2.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.86-192.168.1.95 netmask 255.255.255.0
global (outside) 1 192.168.1.96 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit tcp host 192.168.1.71 host 192.168.2.64
conduit permit tcp host 192.168.2.61 192.168.1.0 255.255.255.0
conduit permit tcp host 192.168.2.61 any
route inside 0.0.0.0 255.255.255.0 192.168.1.126 1
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:b5243b57d3dc889632c28f63163a54e2
: end
[OK]
BIGPIX(config)#

config of littlepix

littlepix(config)# wri t
Building configuration...
: Saved
:
PIX Version 5.2(6)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lQEKAEzt1l7N2CG5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname littlepix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap warnings
logging history alerts
logging facility 20
logging queue 512
logging host inside 192.168.1.110
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.120 255.255.255.0
ip address inside 192.168.1.126 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 1.2.3.10-1.2.3.19 netmask 255.255.255.0
global (outside) 1 1.2.3.5 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.2.3.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 192.168.1.46 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
terminal width 80
Cryptochecksum:c767c936345738713c03b8d7a5d4e7b9
: end
[OK]
littlepix(config)#
Les Moore

You have both routes pointing to the same IP on BIGPIX:
route inside 0.0.0.0 255.255.255.0 192.168.1.126 1
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1

Remove the "route inside" statement completely; leave the route outside:
no route inside 0.0.0.0 255.255.255.0 192.168.1.126



snowdizx (ASKER)

Config now reads exactly as shown...

BIGPIX(config)# show config
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lQEKAEzt1l7N2CG5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname BIGPIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.85 255.255.255.255
ip address inside 192.168.2.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.86-192.168.1.95 netmask 255.255.255.0
global (outside) 1 192.168.1.96 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit tcp host 192.168.1.71 host 192.168.2.64
conduit permit tcp host 192.168.2.61 192.168.1.0 255.255.255.0
conduit permit tcp host 192.168.2.61 any
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:258daa9077700d9b7d4582e089bfc93d
BIGPIX(config)#

For some reason, still can't get out.  Thank you lrmoore for your post! :) --Devon
From the PIX, can you ping the gateway 192.168.1.126?
Can you ping the PIX outside interface from the router?
Does the interface show up/up with "show interface" ?

You may need to enable icmp to come back in.
Look at the arp cache and make sure you see an arp entry for that gateway address.

Thanks again for your reply lrmoore, here are the answers to your last post! Thank you for your help!

1. I am able to ping the gateway at 192.168.1.126 and it returns ping with 0ms.

BIGPIX(config)# ping outside 192.168.1.126
        192.168.1.126 response received -- 0ms
        192.168.1.126 response received -- 0ms
        192.168.1.126 response received -- 0ms

2. From littlepix, which is effectively routing traffic for BIGPIX, I get the following when I ping its outside interface from littlepix.

littlepix# ping inside 192.168.2.1
        192.168.2.1 NO response received -- 1000ms
        192.168.2.1 NO response received -- 1000ms
        192.168.2.1 NO response received -- 1000ms

(for testing purposes, I enabled 'conduit permit icmp any any' till I can get everything working.)

3. Output of show interface yields...
BIGPIX(config)# show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000b.4680.0641
  IP address 192.168.1.85, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 100000 Kbit half duplex
        404442 packets input, 63615174 bytes, 0 no buffer
        Received 365101 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        42515 packets output, 4301729 bytes, 0 underruns
        0 output errors, 7 collisions, 0 interface resets
        0 babbles, 2 late collisions, 17 deferred
        15 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/4)
        output queue (curr/max blocks): hardware (0/4) software (0/2)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000b.4680.0642
  IP address 192.168.2.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 100000 Kbit full duplex
        407725 packets input, 48168963 bytes, 0 no buffer
        Received 365139 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        39608 packets output, 19750596 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/3)
        output queue (curr/max blocks): hardware (0/4) software (0/2)

So 'yes' both show interface up/up.

4. Lastly, the arp table of BIGPIX reads...

BIGPIX(config)# show arp
        outside 192.168.1.47 0008.7436.5278
        outside 192.168.1.126 0007.50b6.fd1b
        inside 192.168.2.111 00c0.0d01.783f

Since I'm able to ping littlepix's outside interface from BIGPIX, I'm thinking there's one minor thing I'm missing.  Irritating huh?
One more interesting thing to note.... I'm able to ping my router from bigpix (the inner firewall)

BIGPIX# ping 1.2.3.126
        1.2.3.126 response received -- 0ms
        1.2.3.126 response received -- 0ms
        1.2.3.126 response received -- 0ms
You'll never be able to ping the inside interface from an outside host (it's a "feature" of the PIX). I.e. little pix will never be able to ping 192.168.2.1, so that may not be a viable test.
Can littlepix ping 192.168.1.85 ?
Can littlepix ping its own default gateway 1.2.3.126?
can bigpix ping that gateway 1.2.3.126?

can a host on the inside of bigpix ping that gateway?

Do you get hits on the conduits and xlates?
bigpix#sho conduit
bigpix#sho xlate

same on littlepix

Do you have the PDM enabled, with logging enabled? looking at the pdm log is a great troubleshooting tool...
How about logging on the pix? Is logging on?
BIGPIX(config)#logging on
BIGPIX(config)#logg trap debug
BIGPIX(config)#sho log


Progress?
Since you can ping from bigpix, you should be able to ping it from a client inside bigpix...
Can bigpix ping something on the far outside, i.e. 198.6.1.2 (UUNET cache nameserver)
Can an inside client ping it?

1. littlepix can ping 192.168.1.85 successfully
2. littlepix can ping its gateway of 1.2.3.126
3. bigpix can ping 1.2.3.126 without a problem
4. the host inside bigpix cannot ping 1.2.3.126
5. BIGPIX has the following xlate
BIGPIX(config)# show xlate
1 in use, 6 most used
Global 192.168.1.88 Local 192.168.2.111
show conduit on BIGPIX yields...

BIGPIX(config)# show conduit
conduit permit tcp host 192.168.1.71 host 192.168.2.64 (hitcnt=0)
conduit permit tcp host 192.168.2.61 192.168.1.0 255.255.255.0 (hitcnt=0)
conduit permit icmp any any (hitcnt=4)

littlepix# show xlate
Global 1.2.3.110 Local 192.168.1.110 static
Global 1.2.3.116 Local 192.168.1.116 static
Global 1.2.3.118 Local 192.168.1.118 static
Show conduit on littlepix yields...
conduit permit icmp any any (hitcnt=16)

BIGPIX can't ping anything past our router it seems.
Same result with host inside BIGPIX.

Logging is turned on, but I can't seem to get PDM working. I wonder if it's something that doesn't work in this IOS or something. All the other logging commands you specified are on, however. It seems like we have progress, but it just seems to be a routing issue from internal host to external sites. This is very irritating! :( --Devon
ASKER CERTIFIED SOLUTION
Les Moore
Gave BIGPIX a 'no nat' command to turn off nat.  After writing config I still have identical behavior to before.  Thanks greatly for your help, I'm going to do a complete reload of this config from scratch and see if I can't turn anything up by going that route.  Let me know if you think of anything, your help is greatly appreciated.  --Devon
Hi,
Here is something to try: change your interface statements so your subnet mask matches your subnets. They should look something more like this:
ip address outside 192.168.1.85 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0

Later....
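Two of the replies above point at the same class of defect in the posted BIGPIX config: lrmoore's note that both routes use the same gateway, and the later suggestion that the 255.255.255.255 interface masks do not match the subnets. The following is an added example, not code from the thread, from Cisco or from Experts Exchange: a small static checker that parses PIX 6.x style lines and reports exactly those conditions (host mask on an interface, a route whose gateway is off-link under the configured mask, one gateway used on two interfaces), plus two hygiene findings a reviewer would raise on the same config (the default SNMP community string and an any/any conduit). The configs embedded below are constructed samples: the first reproduces the relevant BIGPIX lines as posted, the second is the same box with /24 masks, a single default route and the two hygiene items removed. Finding codes such as HOST_MASK and GW_OFF_LINK are names chosen here, not PIX terminology.

```python
"""Static checks for a Cisco PIX 6.x style configuration.

Added example (not from the thread or from Cisco). Uses only the standard
library: `ipaddress` does the subnet arithmetic, `re` pulls out the lines
of interest. Everything else in a real config is ignored.
"""
import ipaddress
import re

# Constructed sample: the relevant BIGPIX lines as posted in the thread.
BIGPIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.1.85 255.255.255.255
ip address inside 192.168.2.1 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit tcp host 192.168.2.61 any
conduit permit icmp any any
route inside 0.0.0.0 255.255.255.0 192.168.1.126 1
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1
snmp-server community public
"""

# Constructed sample: same box with /24 masks, one default route, no default
# SNMP community and no any/any conduit. Expected result: no findings.
FIXED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.1.85 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")  # metric optional
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")
CONDUIT_ANY_RE = re.compile(r"^conduit permit (\S+) any any$")


def parse(config):
    """Return (interfaces, routes, communities, open_conduits).

    interfaces: name -> IPv4Interface; routes: list of (ifname, network, gateway).
    """
    ifaces, routes, communities, open_conduits = {}, [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := IP_ADDR_RE.match(line):
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif m := ROUTE_RE.match(line):
            name, net, mask, gw = m.groups()
            routes.append((name,
                           ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
                           ipaddress.IPv4Address(gw)))
        elif m := SNMP_RE.match(line):
            communities.append(m.group(1))
        elif m := CONDUIT_ANY_RE.match(line):
            open_conduits.append(m.group(1))
    return ifaces, routes, communities, open_conduits


def lint(config):
    """Return a list of (code, message) findings; an empty list means clean."""
    ifaces, routes, communities, open_conduits = parse(config)
    findings = []

    # A /32 on an Ethernet interface leaves no connected subnet, so under the
    # configured mask no neighbour (gateway or NAT pool) is on-link.
    for name, itf in ifaces.items():
        if itf.network.prefixlen == 32:
            findings.append(("HOST_MASK",
                             f"{name}: mask {itf.netmask} leaves no connected subnet"))

    # A route's gateway must lie inside the subnet of the interface it names.
    for name, net, gw in routes:
        itf = ifaces.get(name)
        if itf is None:
            findings.append(("UNKNOWN_IF", f"route {net} names unknown interface {name}"))
        elif gw not in itf.network:
            findings.append(("GW_OFF_LINK",
                             f"route {net} via {name}: gateway {gw} not in {itf.network}"))

    # The same gateway reachable through two interfaces: at least one route is wrong.
    seen = {}
    for name, _net, gw in routes:
        seen.setdefault(gw, set()).add(name)
    for gw, names in seen.items():
        if len(names) > 1:
            findings.append(("DUP_GATEWAY", f"gateway {gw} used on interfaces {sorted(names)}"))

    for community in communities:
        if community.lower() in ("public", "private"):
            findings.append(("SNMP_DEFAULT", f"snmp-server community '{community}'"))

    for proto in open_conduits:
        findings.append(("OPEN_CONDUIT", f"conduit permit {proto} any any"))

    return findings


def codes(config):
    """Sorted finding codes only, for a quick before/after comparison."""
    return sorted(code for code, _ in lint(config))


if __name__ == "__main__":
    for label, cfg in (("BIGPIX as posted", BIGPIX_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"== {label}")
        for code, msg in lint(cfg) or [("OK", "no findings")]:
            print(f"  {code:12} {msg}")
```

Run against the posted lines the checker reports both interfaces with a host mask, both routes with an off-link gateway, the shared gateway, the default community and the icmp any/any conduit. Changing only the masks to /24 clears the outside route but still flags the "route inside" line, because 192.168.1.126 is not in 192.168.2.0/24; removing that route as well, as lrmoore advised, leaves the corrected config clean.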
G'day, snowdizx
It has been 64 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm
snowdizx,
No comment has been added lately (44 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to lrmoore

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers,
please post comments here where a Moderator will see it.