Solved

Cannot access the Internet through my new PIX 501 Firewall

Posted on 2004-04-25
Last Modified: 2013-11-16
I can't connect to the Internet from behind my new PIX 501 firewall.  I am hoping that one of you PIX experts can tell me what is wrong with my configuration.

My PIX 501 is connected to the Internet via a DSL modem.  My ISP has assigned me:

5 static IP addresses: 209.xxx.xxx.250-209.xxx.xxx.254
subnet mask: 255.255.255.248
default gateway: 209.xxx.xxx.249
Primary DNS: 206.13.28.11
Secondary DNS: 206.13.29.11

When the PIX 501 is connected to the DSL Modem, the LINK/ACT-0 light is solid green while the 100MBPS-0 light immediately below it is off.

I have 5 hosts on my LAN that have the following static IP addresses:
192.168.1.10
192.168.1.100
192.168.1.105
192.168.1.200
192.168.1.210

When connected to the PIX, the appropriate LINK/ACT light flashes green while the corresponding 100MBPS is solid green.

I defined inside and outside as follows:

names
name 192.168.1.1 pix_inside
name 209.xxx.xxx.250 pix_outside
name 192.168.1.210 bosung
ip address outside pix_outside 255.255.255.248
ip address inside pix_inside 255.255.255.0

So far, I have been unable to access the Internet from an inside host.

From a pixfirewall(config)# prompt, I can ping the inside interface, outside interface and any connected inside host.  An inside host can ping pix_inside successfully.  But, an inside host cannot ping pix_outside nor can it ping the Primary DNS.  In both cases, the ping request is echoed to the console, but the response never comes:

ICMP echo-request from inside:bosung to pix_outside ID=512 seq=1280 length=40
68: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
69: ICMP echo-request from inside:bosung to pix_outside ID=512 seq=1536 length=40
70: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
71: ICMP echo-request from inside:bosung to pix_outside ID=512 seq=1792 length=40
72: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
73: ICMP echo-request from inside:bosung to pix_outside ID=512 seq=2048 length=40
74: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
75: ICMP echo-request from inside:bosung to 206.13.28.11 ID=512 seq=2304 length=40
76: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
77: ICMP echo-request from inside:bosung to 206.13.28.11 ID=512 seq=2560 length=40
78: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
79: ICMP echo-request from inside:bosung to 206.13.28.11 ID=512 seq=2816 length=40
80: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252
81: ICMP echo-request from inside:bosung to 206.13.28.11 ID=512 seq=3072 length=40
82: ICMP echo-request: translating inside:bosung to outside:209.xxx.xxx.252

Below is my entire configuration with debugging turned on.  There may be some unnecessary settings as I started programming my PIX via the web interface and then switched to the console after it froze on me:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.1 pix_inside
name 209.xxx.xxx.250 pix_outside
name 192.168.1.10 staff
name 192.168.1.100 kathy
name 192.168.1.105 ups
name 192.168.1.200 una
name 192.168.1.210 bosung
access-list acl_out permit icmp any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside pix_outside 255.255.255.248
ip address inside pix_inside 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.249 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server staff kathy
vpnclient mode network-extension-mode
vpnclient enable
terminal width 80
Cryptochecksum:b9256d393a54c1fee4d758c97323e30f
: end
[OK]
Question by:carlkelley
Accepted Solution by: Tim Holman (earned 375 total points)
ID: 10916795
Set these to the speed they should be and NOT auto:

interface ethernet0 auto
interface ethernet1 100full

If your PIX to DSL router connection is Cat5, you should be getting the 100Mbs link light up.

Can you ping the DNS server from the PIX itself ??

Here's a getting started guide for reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#1112345

Expert Comment by: lrmoore
ID: 10917948
>But, an inside host cannot ping pix_outside
Never will. You can't ping the outside interface from inside, or vice versa the inside interface from outside. This is a security "feature".

Can you ping your router 209.xxx.xxx.249  from the pix console?

Author Comment by: carlkelley
ID: 10919552
My ADSL modem is supposed to support 384KBS outbound and 1.5-3.0 KBS inbound.  I don't really know what that translates to in Cisco hardware_speed.

My Cisco PIX 501

Yes, I can ping the ISP DNS server 206.13.28.11 successfully from the PIX as well as the secondary DNS 206.13.29.11.

No, I cannot ping my router 209.xxx.xxx.249 from the PIX console.

lrmoore pointed out that my inside host should never be able to ping the outside interface.  Makes sense.

Expert Comment by: Tim Holman
ID: 10921057
Is this fixed now ?
Author Comment by: carlkelley
ID: 10921104
No, this is not yet fixed.  I paid for your last answer and re-entered my question with more evidence.
Expert Comment by: Tim Holman
ID: 10926683
You only accept an answer once you're happy the problem is resolved !  This can run into as many posts as you like without you having to give away points.
The 'Community support' topic area will be able to get this un-answered so that people can still see it other than those whom have already replied above.

Right... back to it !  
The Cisco hardware speed has nothing to do with your DSL speed.  I was thinking of the Cisco > ADSL modem connection itself, which should be 10 or 100 Mbs.  But.. as you can ping your DNS servers, this means that the link between your Cisco and ADSL modem is UP ok.

Try removing this line:

no global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248

..this will ensure packets will leave the PIX with the address of its outside interface.

Try putting these lines in.  This enables any any access.

access-list acl_out permit ip any any
access-list acl_in permit ip any any
access-group acl_in in interface inside

and I'm not sure about the 1 on the end of this route, so:

no route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.249 1
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.249
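A defender-side sanity check for the kind of configuration posted in the question and the changes suggested in the comment above, written as an added example (not code from this thread or from Cisco): it parses a PIX 6.x-style config, resolves `name` aliases, and flags a default gateway that is not in the outside interface's subnet, a `nat` id with no matching `global` pool, a `global` pool that overlaps the outside interface address, and an ACL bound inbound on the outside interface that permits ip any any. The sample config is constructed from the poster's, with the masked 209.xxx.xxx.x block replaced by the 203.0.113.0/29 documentation range.

```python
import ipaddress

# Constructed config modelled on the thread's PIX 6.3 output, with Tim's suggested
# "permit ip any any"; 203.0.113.0/29 (documentation range) replaces 209.xxx.xxx.x.
SAMPLE_CONFIG = """\
name 192.168.1.1 pix_inside
name 203.0.113.250 pix_outside
access-list acl_out permit ip any any
ip address outside pix_outside 255.255.255.248
ip address inside pix_inside 255.255.255.0
global (outside) 1 203.0.113.251-203.0.113.254 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.249 1
"""

def audit_pix_config(text):
    # Parse a PIX 6.x config and return a list of finding strings (empty = no issues).
    names, ifaces, globals_, nats, acls, groups, findings, route_gw = {}, {}, {}, set(), {}, {}, [], None
    for w in (ln.split() for ln in text.splitlines() if ln.strip()):
        if w[0] == "name":                        # name <ip> <alias>
            names[w[2]] = w[1]
        elif w[:2] == ["ip", "address"]:          # ip address <if> <addr|alias> <mask>
            ifaces[w[2]] = ipaddress.ip_interface(f"{names.get(w[3], w[3])}/{w[4]}")
        elif w[0] == "global":                    # global (<if>) <id> <lo-hi|interface> ...
            globals_.setdefault(w[2], []).append(w[3])
        elif w[0] == "nat":                       # nat (<if>) <id> ...
            nats.add(w[2])
        elif w[0] == "access-list":               # access-list <name> <entry...>
            acls.setdefault(w[1], []).append(" ".join(w[2:]))
        elif w[0] == "access-group":              # access-group <acl> in interface <if>
            groups[w[4]] = w[1]
        elif w[:3] == ["route", "outside", "0.0.0.0"]:
            route_gw = ipaddress.ip_address(w[4])
    out = ifaces.get("outside")
    if out and route_gw and route_gw not in out.network:
        findings.append(f"default gateway {route_gw} is outside {out.network}")
    for nat_id in sorted(nats - set(globals_)):
        findings.append(f"nat id {nat_id} has no matching global pool")
    for pool in (p for ps in globals_.values() for p in ps if p != "interface"):
        lo, hi = (ipaddress.ip_address(x) for x in pool.split("-"))
        if out and (lo not in out.network or hi not in out.network):
            findings.append(f"global pool {pool} is not in outside subnet {out.network}")
        elif out and lo <= out.ip <= hi:
            findings.append(f"global pool {pool} overlaps outside interface {out.ip}")
    acl = groups.get("outside")
    if any(e.startswith("permit ip any any") for e in acls.get(acl, [])):
        findings.append(f"ACL {acl} on outside permits all inbound traffic")
    return findings
```

Run against SAMPLE_CONFIG the only finding is the wide-open inbound ACL; the NAT pool, gateway and nat/global pairing in the posted config are consistent.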
Author Comment by: carlkelley
ID: 10929853
Tim,

Thank you for the follow-up.  Your first response included "Set these to the speed they should be and NOT auto: interface ethernet0 auto".  I took your advice and changed it to "10baset".  As a result, I was finally able to ping my 209.xxx.xxx.249 Internet gateway router from the PIX console.  I found this out after I accepted your answer, but it was still worth the points to me.

As reported in my follow-up question, I already tried removing:

no global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248

and it did not help.

The access-list and route commands you suggest are the next things I will try and I will report the results in my follow-up question.