Solved

Need some help setting up a cisco 501 to a home network that is using a cisco 2950 switch.

Posted on 2004-08-07
Last Modified: 2013-11-16
Ok, I don't have a lot of experience with Cisco PIX, but I have worked on quite a few Cisco routers. The current layout is Cable Modem -> PIX -> Cisco 2950 -> Cisco 2950. I have several machines hooked up to both switches. I have the connection to the switch plugged into the ethernet0 port. The other switch is connected to the first switch using a crossover cable. I have played around with the PDM a little but have not gotten anything going yet. I would really appreciate someone that is experienced with PIX configuration to look at this and give me a few pointers. Here is the current config:

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password O56K8D.xq/Hcd36 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Rayspixfirewall
domain-name raydoran.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
object-group service RemoteDesktopConnection tcp-udp
  port-object range 3389 3389
pager lines 24
logging on
logging timestamp
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.2-192.168.1.30 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
rip inside default version 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username raydoran password cUynTe6ojEYJ1VX encrypted privilege 15
terminal width 80
Cryptochecksum:dbe0b3644abc186fda4ca5f777c73a1
: end
[OK]

Question by:RayDoran
29 Comments
LVL 36

Expert Comment

by:grblades
ID: 11747253
Hi RayDoran,
Your 'global' command is incorrect. It should be:
global (outside) 1 interface

Have a look at my configuration example - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html

Author Comment

by:RayDoran
ID: 11749299
I tried to update the config, but when I made the change I got this response.

Rayspixfirewall(config)# global (outside) 1 interface
Warning: Start and End addresses overlap with broadcast address.
outside interface address added to PAT pool
Rayspixfirewall(config)#

Author Comment

by:RayDoran
ID: 11749560
Ok, I have made some modifications based on your website. Can you please check out my settings and see if anything is wrong.

Rayspixfirewall# sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password O56K8D.xqN/Hcd36 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Rayspixfirewall
domain-name raydoran.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.10 Server
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 3389
access-list outside_in permit tcp any any eq 2121
access-list outside_in permit tcp any any eq 4899
access-list outside_in permit tcp any any eq 1755
access-list outside_in permit tcp any any eq smtp
access-list outside_in permit tcp any any eq 554
access-list outside_in permit tcp any any eq 69
pager lines 24
logging on
logging timestamp
logging console errors
logging monitor debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
rip inside default version 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
dhcpd address 192.168.1.2-192.168.1.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username raydoran password cUynQTe6ojEYJ1VX encrypted privilege 15
terminal width 100
Cryptochecksum:6f3e8d9ab001701f06c6b9ef3dcba487
: end
Rayspixfirewall#

Author Comment

by:RayDoran
ID: 11749607
Ok update.........
After entering in the above config I'm now able to access the internet.  But, when accessing the internet it is slow to bring up a page (www.yahoo.com).  When I say slow I mean like 15-20 sec.  In the past when I would access the net it was instant.  Is there a setting that will speed up this process, or is that just the way its gonna be?  Also I will not be able to test all of my ports until tomorrow when I'm at work and will try to access all the services.
LVL 36

Expert Comment

by:grblades
ID: 11750476
There is no reason why it should be that slow. I suggest saving the configuration (wri mem) and then rebooting the PIX just in case it got confused when you changed the IP addresses.

Inbound web and smtp should work but you are missing the additional 'static' commands for the other protocols you have listed in your access list.
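The two configuration problems raised so far (a global pool carved out of the inside subnet, and access-list entries that permit an inbound port no static translates) can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Cisco: a small Python lint for a PIX 6.x `sh run` capture. The sample config is constructed, condensed from the ones posted here; the port-keyword table, the finding codes and the ICMP check (a `permit icmp any any` with no type, which admits far more than the echo-reply a ping needs) are my own. It recognises only the `static (inside,outside) tcp interface ...` port-forward form used in this thread.

```python
import ipaddress
import re

# Port keywords PIX accepts in place of numbers (the subset this thread uses).
SERVICE_PORTS = {"www": 80, "http": 80, "smtp": 25, "ftp": 21, "domain": 53,
                 "telnet": 23, "ssh": 22, "https": 443}

INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \(outside\) \d+ (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp|icmp) any any(?: (?:eq )?(\S+))?$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def port_number(token):
    """Numeric port from a number or one of the keywords above."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def lint_pix(config):
    """Return [(code, detail), ...] findings for a PIX 6.x config text."""
    findings, pools, icmp_any = [], [], []
    inside_net, outside_acl = None, None
    acl_ports = {}    # acl name -> {(proto, port)} permitted from 'any'
    statics = set()   # {(proto, outside port)} that has an inbound translation
    for raw in config.splitlines():
        line = raw.strip()
        if m := INSIDE_RE.match(line):
            inside_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := GLOBAL_RE.match(line):
            pools.append(m[1])
        elif m := ACL_RE.match(line):
            acl, proto, arg = m.groups()
            if proto == "icmp":
                if arg is None:          # no ICMP type given: every type is let in
                    icmp_any.append(acl)
            elif arg is not None:
                acl_ports.setdefault(acl, set()).add((proto, port_number(arg)))
        elif m := STATIC_RE.match(line):
            statics.add((m[1], port_number(m[2])))
        elif m := GROUP_RE.match(line):
            outside_acl = m[1]

    for pool in pools:
        if pool == "interface" or inside_net is None:
            continue                     # PAT on the outside address: nothing to overlap
        if ipaddress.ip_address(pool.split("-")[0]) in inside_net:
            findings.append(("GLOBAL_OVERLAP",
                             f"global pool {pool} lies inside the inside subnet {inside_net}; "
                             "with a DHCP-assigned outside address use 'global (outside) 1 interface'"))
    permitted = acl_ports.get(outside_acl, set())
    for proto, port in sorted(permitted - statics):
        findings.append(("ACL_NO_STATIC",
                         f"{outside_acl} lets {proto}/{port} in, but no static translates it to an inside host"))
    for proto, port in sorted(statics - permitted):
        findings.append(("STATIC_NO_ACL", f"{proto}/{port} has a static, but {outside_acl} never permits it"))
    for acl in icmp_any:
        findings.append(("ICMP_ANY",
                         f"{acl} permits every ICMP type inbound; for ping replies permit only echo-reply "
                         "(plus unreachable and time-exceeded)"))
    return findings


# Constructed sample, condensed from the configs posted in this thread.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 3389
access-list outside_in permit tcp any any eq 2121
access-list outside_in permit tcp any any eq smtp
access-list outside_in permit icmp any any
global (outside) 1 192.168.1.2-192.168.1.30 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for code, detail in lint_pix(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

Against the first config posted above it reports only the overlapping global pool; against the second it reports tcp/69, 554, 1755, 2121, 3389 and 4899 as permitted inbound with no static behind them, which is exactly the gap grblades describes. Adding the statics, switching the global to `interface` and narrowing the ICMP entry to `echo-reply` brings it to zero findings.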
LVL 79

Expert Comment

by:lrmoore
ID: 11751684
>interface ethernet1 10full

If your switchport is not also set to match, then you have a duplex problem that is causing your slowness.
Suggest setting Ethernet1 to auto and the switchport to auto also.

Author Comment

by:RayDoran
ID: 11752016
I will just set the switch and the ethernet1 to 100full.  I have had problems in the past with auto config.

When I got up this morning nothing was working. I could not connect anywhere. I rebooted the server, but could not get an external connection. The only thing that I have not done yet is reboot the PIX. I will do that a little later today. I had to hook up the old connection to get everything to work.

On the slow Yahoo subject.  It was happening only with yahoo it seems.  When I went to Google it was instant.  I still have a few bugs to work out on the entire project so we will continue to tackle them.

Author Comment

by:RayDoran
ID: 11752048
Just a stupid question. I'm new to this forum and when you responded to my question there is an accept button out by your name. What is that used for?
LVL 79

Expert Comment

by:lrmoore
ID: 11752174
Once you get an acceptable solution, you can "Accept" the appropriate comment(s). This will award the expert a point value depending on the grade given, and close out the question. This is how we earn points, and how a question moves from being an open question to a "Solution" in the database.
You can always split points, too, by choosing the split points link and then choose multiple experts.

Author Comment

by:RayDoran
ID: 11755891
Ok I changed the port setting on the Pix to match what was on the switch.  It is set to 10 full.  I tried to set it to 100full on the E1 interface on the Pix but it said that I can only do 10 full.

I added the static statements for the protocols that are listed in the access list.

I have also disabled dhcp on the Pix (my server is providing dhcp)

Now what is happening is that the server (192.168.1.10) is the only machine on the network that is able to access the net.  All other machines on the network are not getting out.  I did a release and renew on them to make sure they were being registered, but nothing is happening.  Am I missing a statement somewhere?

Oh, and by the way, Yahoo is loading instantly now. May have been the port speed.

Man we are close here.
LVL 79

Expert Comment

by:lrmoore
ID: 11756388
What is the default gateway that the clients are getting? Is it the PIX' inside interface IP?

Author Comment

by:RayDoran
ID: 11756562
They are getting 192.168.1.1 address.

Author Comment

by:RayDoran
ID: 11756591
They can ping the .1 address. When trying to ping www.yahoo.com they get no response. Might be a DNS issue?
LVL 79

Expert Comment

by:lrmoore
ID: 11756739
Yes. What IP address are they getting for DNS servers?
You have to use either an external ISP server, or your own server that will forward requests.
LVL 79

Expert Comment

by:lrmoore
ID: 11756760
Actually, they may not be able to ping because you have not explicitly permitted ICMP echo-reply to come in:

access-list outside_in permit icmp any any eq echo-reply

re-apply the access-list to the interface after making any changes to it.

access-list outside_in in interface out

Author Comment

by:RayDoran
ID: 11757002
I'm using my internal server 192.168.1.10 as primary and one of the ISP's DNS servers as secondary.

Ya, that is true. I don't have echo on. I will make the change real quick.

I entered the command access-list outside_in permit icmp any any. It did not like the access-list outside_in in interface out command.

Still not able to ping, or gain access from any other machine than the server...
LVL 79

Expert Comment

by:lrmoore
ID: 11757595
You have to use the full "outside" instead of my shorthand "out"

access-list outside_in in interface outside

Is your local server setup to forward requests? If it cannot resolve a request, the secondary will never be used. The secondary is only used if the primary can't be contacted at all. If the primary answers "I don't know", then that's the end of the conversation and you can't get there. Try using the ISP's as primary just for testing.
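The failover rule lrmoore describes (a secondary DNS server is consulted only when the primary does not answer at all, never when the primary answers "I don't know") is easy to get wrong when ordering servers in DHCP. The following is an added example, not from this thread, that models that rule in Python so the four cases can be compared side by side: a local server with no forwarder listed first, the ISP listed first, a local server that forwards, and a dead primary. The server names, records and addresses are constructed (RFC 5737 documentation ranges), and the model deliberately simplifies real stub resolvers, which differ in how they treat SERVFAIL and in retry timing.

```python
class DnsServer:
    """Toy name server: answers from its own records, else through a forwarder,
    else with a negative answer. reachable=False models a server that is down."""

    def __init__(self, name, records=None, forwarder=None, reachable=True):
        self.name = name
        self.records = records or {}
        self.forwarder = forwarder
        self.reachable = reachable

    def query(self, qname):
        """Return (rcode, address); raise TimeoutError if the server never answers."""
        if not self.reachable:
            raise TimeoutError(self.name)
        if qname in self.records:
            return "NOERROR", self.records[qname]
        if self.forwarder is not None:
            try:
                return self.forwarder.query(qname)
            except TimeoutError:
                return "SERVFAIL", None
        # No record, no forwarder, no recursion: a definitive "I don't know".
        return "NXDOMAIN", None


def stub_resolve(qname, servers):
    """Client-side rule from the thread: servers are tried in order, and the next
    one is consulted only when the current one does not answer at all. Any reply,
    including a negative one, ends the lookup. Returns (rcode, address, tried)."""
    tried = []
    for srv in servers:
        tried.append(srv.name)
        try:
            rcode, addr = srv.query(qname)
        except TimeoutError:
            continue
        return rcode, addr, tried
    return "TIMEOUT", None, tried


# Constructed servers and records; 198.51.100.10 is a documentation address.
ISP = DnsServer("isp", {"www.yahoo.com": "198.51.100.10"})
LOCAL_NO_FWD = DnsServer("local", {"server.raydoran.com": "192.168.1.10"})
LOCAL_FWD = DnsServer("local", {"server.raydoran.com": "192.168.1.10"}, forwarder=ISP)
DEAD = DnsServer("dead", reachable=False)

if __name__ == "__main__":
    cases = [("local (no forwarder), then ISP", [LOCAL_NO_FWD, ISP]),
             ("ISP, then local", [ISP, LOCAL_NO_FWD]),
             ("local (forwarding), then ISP", [LOCAL_FWD, ISP]),
             ("dead primary, then ISP", [DEAD, ISP])]
    for label, order in cases:
        print(f"{label:32s} -> {stub_resolve('www.yahoo.com', order)}")
```

The first case is the thread's configuration: the lookup stops at the local server's NXDOMAIN and the ISP is never asked. Only an unreachable primary (the last case) moves the client on, which is why swapping the order "fixes" resolution while the real fix is giving the local server forwarders or root hints.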

Author Comment

by:RayDoran
ID: 11757802
Ok, when adding in the ISP's DNS server it is working. I also checked my DNS server and it is not working. I stopped and started the service but it is not coming up. Do I need to open port 53 in the PIX?

Also I FTP using port 2121. I'm unable to get it to work. I get in but get stuck when it's doing a list on the directory. I'm getting an error in the log of the PIX that says
deny tcp (no connection) from (ip address/26511 to ip address/2121) flags PSH ACK on interface outside. Says the same thing for the inside interface.

Sorry for all the questions. But it's almost where I want it.
LVL 79

Expert Comment

by:lrmoore
ID: 11758124
If name resolution is working using the ISP dns server, then something is wrong with your local DNS server. Do you have root hints, or IP addresses of forwarders? What OS is your server?

For a non-standard FTP, try
fixup protocol ftp 2121

Author Comment

by:RayDoran
ID: 11758221
Ok, I don't know what happened with the DNS server, but it's running now. Yahoo is still jacked up but I can get to Google from any machine. Yahoo times out. Weird.

Thought it might be helpful if you could look at the config:

Result of PIX command: "sh run"
 
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password O56K8D.xqN/Hcd36 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Rayspixfirewall
domain-name raydoran.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 2121
no fixup protocol ftp 21
names
name 192.168.1.10 Server
name 192.168.1.2 raysathlon
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 3389
access-list outside_in permit tcp any any eq 2121
access-list outside_in permit tcp any any eq 4899
access-list outside_in permit tcp any any eq 1755
access-list outside_in permit tcp any any eq smtp
access-list outside_in permit tcp any any eq 554
access-list outside_in permit tcp any any eq 69
access-list outside_in permit tcp any any eq ftp
access-list outside_in permit icmp any any
pager lines 24
logging on
logging timestamp
logging console errors
logging monitor debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2121 Server 2121 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4899 Server 4899 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1755 Server 1755 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 554 Server 554 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 69 Server 69 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
rip inside default version 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp enable outside
isakmp enable inside
isakmp keepalive 10 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup raysvpn dns-server Server
vpngroup raysvpn default-domain raydoran.com
vpngroup raysvpn idle-time 1800
vpngroup raysvpn password ********
telnet 0.0.0.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
dhcpd address raysathlon-192.168.1.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username raydoran password cUynQTe6ojEYJ1VX encrypted privilege 15
terminal width 100
Cryptochecksum:eb79320c6a113cefbae351f8d9364924
: end


Author Comment

by:RayDoran
ID: 11758284
I'm running a 2003 server.

When entering in the external DNS, Yahoo comes up very quickly. Like it used to before I installed this PIX. Something is jacking with the DNS on the network. It has never done this before.
LVL 79

Expert Comment

by:lrmoore
ID: 11758459
Connected DSL modem perchance?
If you are connecting via DSL, you might want to change the MTU on the outside interface to 1492 from 1500
There is nothing else in the config that could hose up dns. Either it works or it doesn't. Anything else is a cache, or server issue.

Author Comment

by:RayDoran
ID: 11758601
What about the FTP issue? Is my FTP configured correctly? I mentioned the error I was getting in an above post.
LVL 79

Expert Comment

by:lrmoore
ID: 11758636
Is the client using passive or active mode FTP?
Whichever mode is not working, try enabling the other mode.
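Both FTP remarks above, `fixup protocol ftp 2121` for a non-standard control port and the active-versus-passive question, come down to the same mechanism: the firewall only learns where the data connection will go by reading the PORT command or the `227 Entering Passive Mode` reply on the control channel, and it only reads control channels on ports the fixup is configured for. The following is an added example, not from this thread and not Cisco's implementation: a Python model of that inspection over a constructed FTP transcript. The pinhole dictionaries, the bounce-attack guard (rejecting an announcement that names an address other than the peer's) and the addresses (203.0.113.5 is an RFC 5737 documentation address) are mine. The real fixup additionally rewrites the embedded address when NAT applies; this model only extracts and validates it.

```python
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def data_channel_pinhole(line, client_ip, server_ip):
    """Inspect one control-channel line. Return the data connection the firewall
    must let through, or None if the line announces nothing. An announcement
    naming an address other than the peer that sent it is refused (my own guard
    against FTP bounce; not a claim about how the PIX fixup behaves)."""
    line = line.rstrip("\r\n")
    if m := PORT_RE.match(line):               # client -> server: active mode
        host, port = _endpoint(m.groups())
        if host != client_ip:
            raise ValueError(f"PORT names {host}, expected client {client_ip}")
        return {"mode": "active", "src": server_ip, "dst": host, "dport": port}
    if m := PASV_RE.match(line):               # server -> client: passive mode
        host, port = _endpoint(m.groups())
        if host != server_ip:
            raise ValueError(f"227 names {host}, expected server {server_ip}")
        return {"mode": "passive", "src": client_ip, "dst": host, "dport": port}
    return None


def session_pinholes(control_port, fixup_ports, transcript, client_ip, server_ip):
    """Pinholes opened for one FTP session. A control session on a port the
    fixup does not inspect yields none: the data connection then arrives with
    no matching conn entry and is dropped, which is what a
    'deny tcp (no connection) ... flags PSH ACK' log line reports."""
    if control_port not in fixup_ports:
        return []
    holes = [data_channel_pinhole(ln, client_ip, server_ip) for ln in transcript]
    return [h for h in holes if h]


# Constructed transcript: an outside client talking to the inside server.
CLIENT, SERVER = "203.0.113.5", "192.168.1.10"
TRANSCRIPT = [
    "USER anonymous", "331 Please specify the password.",
    "PASS guest@", "230 Login successful.",
    "PASV", "227 Entering Passive Mode (192,168,1,10,195,80).",   # -> 192.168.1.10:50000
    "LIST", "150 Here comes the directory listing.",
    "PORT 203,0,113,5,4,1", "200 PORT command successful.",       # -> 203.0.113.5:1025
]

if __name__ == "__main__":
    print("fixup on 21 only   :", session_pinholes(2121, {21}, TRANSCRIPT, CLIENT, SERVER))
    print("fixup on 21 and 2121:", session_pinholes(2121, {21, 2121}, TRANSCRIPT, CLIENT, SERVER))
```

With the fixup left at port 21 a session on 2121 opens nothing, so the client's passive data connection (or the server's active one) is dropped as soon as the listing starts. With 2121 inspected, the model opens one pinhole per announcement; note that in passive mode the hole points at the server's own port, which with a single static for tcp/2121 on the outside interface is still the part the firewall has to handle for the listing to work.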

Author Comment

by:RayDoran
ID: 11758889
I'm using passive, but will try it without passive.

Now a new problem is popping up. Man, this is starting to get frustrating!!

I have had to reboot the PIX 2 times. Everything is working and then it just stops. No pages come up or nothing. I reboot and it all works for a little while until I have to reboot again. I have pointed machines to the external DNS. I don't know why DNS is not working. It has worked flawlessly for about 7-8 months now, and as soon as I hook up the PIX it starts acting up. I believe it has to do with the PIX. I have external DNS as primary and internal as secondary.

Author Comment

by:RayDoran
ID: 11759038
I have had to disconnect the PIX. It's going offline about every 10 minutes. When this happens no clients can ping each other. I checked the logs and did not see any errors. I'm just wondering if it's a problem with the 6.2 code????????

I'm officially hacked off at this darn PIX!!!!!!!!!!!!!
LVL 79

Expert Comment

by:lrmoore
ID: 11759246
6.2 is buggy. The latest 6.3(4) seems to be pretty stable.
Are you sure you don't have virus/worms on your LAN?
If you do a "sho xlate" on the pix, do you see tons of icmp xlates for any one system, or for multiple systems?

Author Comment

by:RayDoran
ID: 11759291
this is what i got

Rayspixfirewall#  sho xlate
0 in use, 52 most used

I don't have a CCO that will allow me to download 6.3.4. Where can I get it?
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11762325
You can't get it without a CCO account.