carlkelley

asked on

Cannot access the Internet through my new PIX 501 Firewall

I can't connect to the Internet from behind my new PIX 501 firewall.  I am hoping that one of you PIX experts can tell me what is wrong with my configuration.

My PIX 501 is connected to the Internet via a DSL modem.  My ISP has assigned me:

5 static IP addresses: 209.xxx.xxx.250-209.xxx.xxx.254
subnet mask: 255.255.255.248
default gateway: 209.xxx.xxx.249
Primary DNS: 206.13.28.11
Secondary DNS: 206.13.29.11

When the PIX 501 is connected to the DSL Modem, the LINK/ACT-0 light is solid green while the 100MBPS-0 light immediately below it is off.

I have 5 hosts on my LAN that have the following static IP addresses:
192.168.1.10
192.168.1.100
192.168.1.105
192.168.1.200
192.168.1.210

When connected to the PIX, the appropriate LINK/ACT light flashes green while the corresponding 100MBPS light is solid green.

I defined inside and outside as follows:

names
name 192.168.1.1 pix_inside
name 209.xxx.xxx.250 pix_outside
name 192.168.1.210 bosung
ip address outside pix_outside 255.255.255.248
ip address inside pix_inside 255.255.255.0

So far, I have been unable to access the Internet from an inside host.

From a pixfirewall(config)# prompt, I can ping the inside interface, outside interface and any connected inside host.  An inside host can ping pix_inside successfully.  But, an inside host cannot ping pix_outside nor can it ping the Primary DNS.  In both cases, the ping request is echoed to the console, but the response never comes:

ICMP echo-request from inside:bosung to pix_outside ID=512 seq=1280 length=40
68: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
69: ICMP echo-request from inside:bosung to pix_outside ID=512 seq=1536 length=40
70: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
71: ICMP echo-request from inside:bosung to pix_outside ID=512 seq=1792 length=40
72: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
73: ICMP echo-request from inside:bosung to pix_outside ID=512 seq=2048 length=40
74: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
75: ICMP echo-request from inside:bosung to 206.13.28.11 ID=512 seq=2304 length=40
76: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
77: ICMP echo-request from inside:bosung to 206.13.28.11 ID=512 seq=2560 length=40
78: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
79: ICMP echo-request from inside:bosung to 206.13.28.11 ID=512 seq=2816 length=40
80: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
81: ICMP echo-request from inside:bosung to 206.13.28.11 ID=512 seq=3072 length=40
82: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252

Below is my entire configuration with debugging turned on.
There may be some unnecessary settings as I started programming my PIX via
the web interface and then switched to the console after it froze on me:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.1 pix_inside
name 209.xxx.xxx.250 pix_outside
name 192.168.1.10 staff
name 192.168.1.100 kathy
name 192.168.1.105 ups
name 192.168.1.200 una
name 192.168.1.210 bosung
access-list acl_out permit icmp any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside pix_outside 255.255.255.248
ip address inside pix_inside 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.249 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server staff kathy
vpnclient mode network-extension-mode
vpnclient enable
terminal width 80
Cryptochecksum:b9256d393a54c1fee4d758c97323e30f
: end
[OK]
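As an added example (not from the thread or from Cisco), a small audit script that checks a config in this PIX 6.3 syntax for the settings the thread turns on: an interface left on auto-negotiation, a NAT id that mixes an address pool with interface PAT (the debug output above shows bosung being translated to the pool address .252, not the interface), a permit-any ACL bound inbound on outside, the default SNMP community, and a DHCP range that overlaps a statically addressed named host. The embedded config is a constructed excerpt of the one posted, with the 209.xxx.xxx octets left masked as the poster wrote them; the rule names are the script's own.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3(3) config posted in the question; the
# 209.xxx.xxx octets are left masked exactly as the poster wrote them.
PIX_CONFIG = """\
interface ethernet0 auto
name 192.168.1.10 staff
name 192.168.1.210 bosung
name 209.xxx.xxx.250 pix_outside
access-list acl_out permit icmp any any
global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248
global (outside) 1 interface
access-group acl_out in interface outside
snmp-server community public
dhcpd address 192.168.1.2-192.168.1.33 inside
"""

def audit_pix_config(text):
    """Return (rule, detail) findings for the settings this thread turns on."""
    findings = []
    # Auto-negotiation against a DSL modem that does not negotiate can leave the
    # link light on while no traffic passes; a fixed speed/duplex avoids that.
    for m in re.finditer(r"^interface (\S+) auto$", text, re.M):
        findings.append(("autoneg", f"{m.group(1)} uses auto speed/duplex"))
    # One NAT id with both a pool and 'interface': the PIX hands out pool
    # addresses first and PATs to the interface only once the pool is exhausted.
    pools = {}
    for m in re.finditer(r"^global \((\w+)\) (\d+) (\S+)", text, re.M):
        pools.setdefault((m.group(1), m.group(2)), []).append(m.group(3))
    for (ifc, nid), entries in pools.items():
        if "interface" in entries and len(entries) > 1:
            findings.append(("nat-pool", f"global ({ifc}) {nid} mixes a pool with interface PAT"))
    # ACL bound inbound on outside whose entries permit any source to any destination.
    acls = {}
    for m in re.finditer(r"^access-list (\S+) permit (\S+) any any$", text, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2))
    for m in re.finditer(r"^access-group (\S+) in interface outside$", text, re.M):
        for proto in acls.get(m.group(1), []):
            findings.append(("open-inbound", f"{m.group(1)} permits {proto} any any inbound on outside"))
    if re.search(r"^snmp-server community public$", text, re.M):  # default community
        findings.append(("snmp-default", "snmp-server community is 'public'"))
    # DHCP range overlapping a statically named host (masked 209.xxx entries do not match the dotted-quad pattern).
    names = re.findall(r"^name (\d+\.\d+\.\d+\.\d+) (\S+)$", text, re.M)
    for m in re.finditer(r"^dhcpd address (\S+)-(\S+) ", text, re.M):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.groups())
        for ip, host in names:
            if lo <= int(ipaddress.IPv4Address(ip)) <= hi:
                findings.append(("dhcp-overlap", f"{host} ({ip}) lies inside DHCP range {m.group(1)}-{m.group(2)}"))
    return findings
```

Running `audit_pix_config(PIX_CONFIG)` reports all five findings for the posted config, including that the static host staff (192.168.1.10) sits inside the dhcpd range 192.168.1.2-192.168.1.33.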


ASKER CERTIFIED SOLUTION
Tim Holman
> But, an inside host cannot ping pix_outside
Never will. You can't ping the outside interface from inside, or vice versa the inside interface from outside. This is a security "feature".

Can you ping your router 209.xxx.xxx.249  from the pix console?

carlkelley

ASKER

My ADSL modem is supposed to support 384KBS outbound and 1.5-3.0 KBS inbound.  I don't really know what that translates to in Cisco hardware_speed.

My Cisco PIX 501

Yes, I can ping the ISP DNS server 206.13.28.11 successfully from the PIX as well as the secondary DNS 206.13.29.11.

No, I cannot ping my router 209.xxx.xxx.249 from the PIX console.

Irmoore pointed out that my inside host should never be able to ping the outside interface.  Makes sense.



Is this fixed now?

No, this is not yet fixed.  I paid for your last answer and re-entered my question with more evidence.

You only accept an answer once you're happy the problem is resolved!  This can run into as many posts as you like without you having to give away points.
The 'Community support' topic area will be able to get this un-answered so that people can still see it other than those who have already replied above.

Right... back to it!
The Cisco hardware speed has nothing to do with your DSL speed.  I was thinking of the Cisco > ADSL modem connection itself, which should be 10 or 100 Mbs.  But, as you can ping your DNS servers, this means that the link between your Cisco and ADSL modem is UP ok.

Try removing this line:

no global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248

...this will ensure packets leave the PIX with the address of its outside interface.

Try putting these lines in.  This enables any any access.

access-list acl_out permit ip any any
access-list acl_in permit ip any any
access-group acl_in in interface inside

and I'm not sure about the 1 on the end of this route, so:

no route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.249 1
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.249

Tim,

Thank you for the follow-up.  Your first response included "Set these to the speed they should be and NOT auto: interface ethernet0 auto".  I took your advice and changed it to "10baset".  As a result, I was finally able to ping my 209.xxx.xxx.249 Internet gateway router from the PIX console.  I found this out after I accepted your answer, but it was still worth the points to me.

As reported in my follow-up question, I already tried removing:

no global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248

and it did not help.

The access-list and route commands you suggest are the next things I will try and I will report the results in my follow-up question.