RayDoran
Need some help setting up a Cisco 501 on a home network that is using a Cisco 2950 switch.

OK, I don't have a lot of experience with the Cisco PIX, but I have worked on quite a few Cisco routers. The current layout is Cable Modem -> PIX -> Cisco 2950 -> Cisco 2950. I have several machines hooked up to both switches. I have the connection to the switch plugged into the ethernet0 port. The other switch is connected to the first switch using a crossover cable. I have played around with the PDM a little but have not gotten anything going yet. I would really appreciate someone who is experienced with PIX configuration looking at this and giving me a few pointers. Here is the current config:

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password O56K8D.xq/Hcd36 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Rayspixfirewall
domain-name raydoran.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
object-group service RemoteDesktopConnection tcp-udp
  port-object range 3389 3389
pager lines 24
logging on
logging timestamp
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.2-192.168.1.30 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
rip inside default version 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username raydoran password cUynTe6ojEYJ1VX encrypted privilege 15
terminal width 80
Cryptochecksum:dbe0b3644abc186fda4ca5f777c73a1
: end
[OK]

grblades
Hi RayDoran,
Your 'global' command is incorrect. It should be:
global (outside) 1 interface

Have a look at my configuration example - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html
RayDoran (asker)
I tried to update the config, but when I made the change I got this response.

Rayspixfirewall(config)# global (outside) 1 interface
Warning: Start and End addresses overlap with broadcast address.
outside interface address added to PAT pool
Rayspixfirewall(config)#
OK, I have made some modifications based on your website. Can you please check out my settings and see if anything is wrong.

Rayspixfirewall# sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password O56K8D.xqN/Hcd36 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Rayspixfirewall
domain-name raydoran.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.10 Server
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 3389
access-list outside_in permit tcp any any eq 2121
access-list outside_in permit tcp any any eq 4899
access-list outside_in permit tcp any any eq 1755
access-list outside_in permit tcp any any eq smtp
access-list outside_in permit tcp any any eq 554
access-list outside_in permit tcp any any eq 69
pager lines 24
logging on
logging timestamp
logging console errors
logging monitor debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
rip inside default version 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
dhcpd address 192.168.1.2-192.168.1.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username raydoran password cUynQTe6ojEYJ1VX encrypted privilege 15
terminal width 100
Cryptochecksum:6f3e8d9ab001701f06c6b9ef3dcba487
: end
Rayspixfirewall#
OK, update:
After entering the above config I'm now able to access the internet. But when accessing the internet it is slow to bring up a page (www.yahoo.com). When I say slow I mean like 15-20 seconds. In the past when I would access the net it was instant. Is there a setting that will speed up this process, or is that just the way it's gonna be? Also, I will not be able to test all of my ports until tomorrow when I'm at work and will try to access all the services.
There is no reason why it should be that slow. I suggest saving the configuration (wri mem) and then rebooting the PIX just in case it got confused when you changed the IP addresses.

Inbound web and smtp should work but you are missing the additional 'static' commands for the other protocols you have listed in your access list.
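An added example, not from the thread and not a Cisco tool: a Python audit over a PIX 6.x running-config that reports the two problems raised so far (a `global (outside)` pool taken from the inside subnet, and inbound ACL entries with no matching `static`) together with three checks worth running on this config: no inbound ICMP permitted (PIX 6.x keeps no ICMP state, so echo replies to inside hosts need an explicit `permit icmp any any echo-reply`), a fixed speed/duplex that must match the switch port, and the default `snmp-server community public`. The embedded config is constructed in the shape of the first one posted, the function names are mine, and the string matching covers only the command forms that appear on this page.

```python
import ipaddress
import re

# Constructed sample input for this example: a condensed PIX 6.2 config in the
# shape of the first one posted in the thread (global pool inside the LAN subnet,
# ACL entries without statics). Not the asker's verbatim config.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 10full
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 192.168.1.2-192.168.1.30 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 3389
access-list outside_in permit tcp any any eq smtp
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
snmp-server community public
"""

# PIX accepts a few service names in place of numbers; normalise so an ACL line
# written as 'www' matches a static written as '80' and vice versa.
PORT_NAMES = {"www": "80", "http": "80", "smtp": "25", "ftp": "21", "telnet": "23", "ssh": "22"}


def canon_port(port):
    return PORT_NAMES.get(port, port)


def audit(config):
    """Return a list of (severity, message) findings for a PIX 6.x running-config."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    inside_net = None
    for l in lines:
        m = re.match(r"ip address inside (\S+) (\S+)$", l)
        if m:
            inside_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)

    # 1. A 'global (outside)' pool must hold outside-reachable addresses. A range
    #    taken from the inside subnet cannot be routed back from the Internet and
    #    collides with the hosts being translated; with one DHCP-assigned public
    #    address the right form is 'global (outside) 1 interface' (PAT).
    for l in lines:
        m = re.match(r"global \(outside\) \d+ (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)", l)
        if m and inside_net and (ipaddress.ip_address(m[1]) in inside_net
                                 or ipaddress.ip_address(m[2]) in inside_net):
            findings.append(("error", f"global pool {m[1]}-{m[2]} overlaps inside subnet "
                                      f"{inside_net}; use 'global (outside) 1 interface'"))

    # 2. On a PIX an inbound ACL permit alone forwards nothing: each permitted port
    #    also needs a static (here port-forwarding statics on the outside address).
    statics = set()
    for l in lines:
        m = re.match(r"static \(inside,outside\) (tcp|udp) interface (\S+) ", l)
        if m:
            statics.add((m[1], canon_port(m[2])))
    bound = set()  # ACL names applied inbound on the outside interface
    for l in lines:
        m = re.match(r"access-group (\S+) in interface outside", l)
        if m:
            bound.add(m[1])
    icmp_permitted = False
    for l in lines:
        m = re.match(r"access-list (\S+) permit (tcp|udp) any any eq (\S+)", l)
        if m and m[1] in bound and (m[2], canon_port(m[3])) not in statics:
            findings.append(("error", f"ACL {m[1]} permits {m[2]}/{canon_port(m[3])} inbound "
                                      f"but no static maps that port to an inside host"))
        m = re.match(r"access-list (\S+) permit icmp ", l)
        if m and m[1] in bound:
            icmp_permitted = True
    # 3. PIX 6.x keeps no state for ICMP, so echo replies to inside hosts must be
    #    permitted explicitly on the outside ACL.
    if bound and not icmp_permitted:
        findings.append(("info", "outside ACL permits no ICMP; pings from inside hosts get no replies"))

    # 4. A fixed speed/duplex only works if the switch port is set identically;
    #    a mismatch shows up as the slow page loads described in this thread.
    for l in lines:
        m = re.match(r"interface (ethernet\d+) (\S+)$", l)
        if m and m[2] != "auto":
            findings.append(("warn", f"{m[1]} fixed at {m[2]}; confirm the switch port matches"))

    # 5. Default SNMP community string.
    for l in lines:
        if re.match(r"snmp-server community (public|private)$", l):
            findings.append(("warn", f"default SNMP community string: '{l}'"))

    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

On the sample it reports two errors (the overlapping pool and tcp/3389 with no static), one info line for ICMP, and warnings for the two fixed-duplex interfaces and the SNMP community. Run against the later config in this thread the static errors disappear, since every ACL port then has a matching static; the `any any` source on every permit line is still worth narrowing once the services are confirmed working.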
Les Moore
>interface ethernet1 10full

If your switch port is not also set to match, then you have a duplex problem that is causing your slowness.
Suggest setting ethernet1 to auto and the switch port to auto also.
I will just set the switch and the ethernet1 to 100full.  I have had problems in the past with auto config.

When I got up this morning nothing was working. I could not connect anywhere. I rebooted the server, but could not get an external connection. The only thing that I have not done yet is reboot the PIX. I will do that a little later today. I had to hook up the old connection to get everything to work.

On the slow Yahoo subject: it was happening only with Yahoo, it seems. When I went to Google it was instant. I still have a few bugs to work out on the entire project, so we will continue to tackle them.
Just a stupid question. I'm new to this forum and when you responded to my question there is an accept button out by your name. What is that used for?
Once you get an acceptable solution, you can "Accept" the appropriate comment(s). This will award the expert a point value depending on the grade given, and close out the question. This is how we earn points, and how a question moves from being an open question to a "Solution" in the database.
You can always split points, too, by choosing the split points link and then choose multiple experts.
OK, I changed the port setting on the PIX to match what was on the switch. It is set to 10 full. I tried to set it to 100full on the E1 interface on the PIX but it said that I can only do 10 full.

I added the static statements for the protocols that are listed in the access list.

I have also disabled DHCP on the PIX (my server is providing DHCP).

Now what is happening is that the server (192.168.1.10) is the only machine on the network that is able to access the net. All other machines on the network are not getting out. I did a release and renew on them to make sure they were being registered, but nothing is happening. Am I missing a statement somewhere?

Oh, and by the way, Yahoo is loading instantly now. May have been the port speed.

Man, we are close here.
What is the default gateway that the clients are getting? Is it the PIX's inside interface IP?
They are getting the 192.168.1.1 address.
They can ping the .1 address. When trying to ping www.yahoo.com they get no response. Might be a DNS issue?
Yes. What IP address are they getting for DNS servers?
You have to use either an external ISP server, or your own server that will forward requests.
Actually, they may not be able to ping because you have not explicitly permitted ICMP echo-reply to come in:

access-list outside_in permit icmp any any eq echo-reply

re-apply the access-list to the interface after making any changes to it.

access-list outside_in in interface out
I'm using my internal server 192.168.1.10 as primary and one of the ISP's DNS servers as secondary.

Yeah, that is true. I don't have echo on. I will make the change real quick.

I entered the command access-list outside_in permit icmp any any. It did not like the access-list outside_in in interface out command.

Still not able to ping, or gain access from any other machine than the server...
You have to use the full "outside" instead of my shorthand "out"

access-list outside_in in interface outside

Is your local server set up to forward requests? If it cannot resolve a request, the secondary will never be used. The secondary is only used if the primary can't be contacted at all. If the primary answers "I don't know", then that's the end of the conversation and you can't get there. Try using the ISP's as primary just for testing.
OK, when adding in the ISP's DNS server it is working. I also checked my DNS server and it is not working. I stopped and started the service but it is not coming up. Do I need to open port 53 in the PIX?

Also, I FTP using port 2121. I'm unable to get it to work. I get in but get stuck when it's doing a list on the directory. I'm getting an error in the log of the PIX that says
deny tcp (no connection) from (ip address/26511 to ip address/2121) flags PSH ACK on interface outside. It says the same thing for the inside interface.

Sorry for all the questions. But it's almost where I want it.
If name resolution is working using the ISP dns server, then something is wrong with your local DNS server. Do you have root hints, or IP addresses of forwarders? What OS is your server?

For a non-standard FTP, try
fixup protocol ftp 2121
OK, I don't know what happened with the DNS server, but it's running now. Yahoo is still jacked up but I can get to Google from any machine. Yahoo times out. Weird.

Thought it might be helpful if you could look at the config.

Result of PIX command: "sh run"
 
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password O56K8D.xqN/Hcd36 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Rayspixfirewall
domain-name raydoran.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 2121
no fixup protocol ftp 21
names
name 192.168.1.10 Server
name 192.168.1.2 raysathlon
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 3389
access-list outside_in permit tcp any any eq 2121
access-list outside_in permit tcp any any eq 4899
access-list outside_in permit tcp any any eq 1755
access-list outside_in permit tcp any any eq smtp
access-list outside_in permit tcp any any eq 554
access-list outside_in permit tcp any any eq 69
access-list outside_in permit tcp any any eq ftp
access-list outside_in permit icmp any any
pager lines 24
logging on
logging timestamp
logging console errors
logging monitor debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2121 Server 2121 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4899 Server 4899 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1755 Server 1755 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 554 Server 554 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 69 Server 69 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
rip inside default version 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp enable outside
isakmp enable inside
isakmp keepalive 10 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup raysvpn dns-server Server
vpngroup raysvpn default-domain raydoran.com
vpngroup raysvpn idle-time 1800
vpngroup raysvpn password ********
telnet 0.0.0.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
dhcpd address raysathlon-192.168.1.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username raydoran password cUynQTe6ojEYJ1VX encrypted privilege 15
terminal width 100
Cryptochecksum:eb79320c6a113cefbae351f8d9364924
: end

I'm running a 2003 server.

When entering the external DNS, Yahoo comes up very quickly. Like it used to before I installed this PIX. Something is jacking with the DNS on the network. It has never done this before.
Connected DSL modem perchance?
If you are connecting via DSL, you might want to change the MTU on the outside interface to 1492 from 1500
There is nothing else in the config that could hose up dns. Either it works or it doesn't. Anything else is a cache, or server issue.
What about the FTP issue? Is my FTP configured correctly? I mentioned the error I was getting in an above post.
Is the client using passive or active mode FTP?
Whichever mode is not working, try enabling the other mode.
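An added example, not from the thread and not Cisco code, for the `fixup protocol ftp 2121` suggestion above and the passive/active question: a Python model of what the FTP fixup does to the control channel, so the symptom described (login on 2121 works, the directory listing stalls, the PIX logs denies) can be reproduced offline. Assumed: the class and function names, the outside address 203.0.113.5 and client 198.51.100.7 (documentation ranges), and the server 192.168.1.10 listening on 2121 as in the thread.

```python
import ipaddress
import re

HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

OUTSIDE_IP = "203.0.113.5"  # assumed public address of the PIX (documentation range)
CLIENT_IP = "198.51.100.7"  # assumed outside FTP client (documentation range)
SERVER_IP = "192.168.1.10"  # the thread's server; its FTP control port is 2121


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by PASV replies and PORT commands."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no host/port tuple in {text!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class PixFtpModel:
    """Toy model (assumed name, not Cisco code) of the PIX pieces behind the FTP
    problem: port-forwarding statics on the outside address, the catch-all
    'nat (inside) 1 0.0.0.0 0.0.0.0' rule, and the control-channel rewrite plus
    data-port pinhole that 'fixup protocol ftp <port>' performs."""

    def __init__(self, outside_ip, inside_net, ftp_fixup_ports):
        self.outside_ip = outside_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.ftp_fixup_ports = set(ftp_fixup_ports)  # one entry per 'fixup protocol ftp N'
        self.statics = {}      # outside port -> inside host ('static ... tcp interface P host P')
        self.pinholes = set()  # (dst ip, dst port) pre-authorised for one data connection
        self.denied = []       # the model's own record of refused inbound SYNs

    def add_static(self, port, inside_ip):
        self.statics[port] = inside_ip

    def server_reply(self, control_port, line):
        """Pass one server->client control-channel line through the firewall."""
        if control_port not in self.ftp_fixup_ports or not line.startswith("227"):
            return line  # not inspected: private address leaves unchanged, no pinhole
        _inside_ip, data_port = parse_hostport(line)
        # The fixup substitutes the translated address and opens the data port
        # for exactly one inbound connection.
        self.pinholes.add((self.outside_ip, data_port))
        return f"227 Entering Passive Mode ({encode_hostport(self.outside_ip, data_port)})\r\n"

    def inbound_syn(self, dst_ip, dst_port):
        """Is a new inbound TCP connection to dst_ip:dst_port accepted?"""
        if dst_ip == self.outside_ip and dst_port in self.statics:
            return True
        if (dst_ip, dst_port) in self.pinholes:
            self.pinholes.discard((dst_ip, dst_port))
            return True
        self.denied.append((dst_ip, dst_port))
        return False

    def outbound_syn(self, src_ip):
        """The nat rule covers every inside host, so any inside source may go out."""
        return ipaddress.ip_address(src_ip) in self.inside_net


def passive_listing(fixup_ports):
    """Outside client logs in on 2121, then asks for a directory listing in PASV mode."""
    pix = PixFtpModel(OUTSIDE_IP, "192.168.1.0/24", fixup_ports)
    pix.add_static(2121, SERVER_IP)
    control_ok = pix.inbound_syn(OUTSIDE_IP, 2121)
    reply = pix.server_reply(2121, f"227 Entering Passive Mode ({encode_hostport(SERVER_IP, 5001)})\r\n")
    advertised_ip, data_port = parse_hostport(reply)
    # Assumed client behaviour: when the advertised address is RFC 1918, reuse the
    # address the control connection went to (many clients do this).
    dial_ip = OUTSIDE_IP if is_rfc1918(advertised_ip) else advertised_ip
    return {"control": control_ok, "advertised": advertised_ip, "port": data_port,
            "data": pix.inbound_syn(dial_ip, data_port), "denied": list(pix.denied)}


def active_listing(fixup_ports):
    """Same session in active mode: the server dials the address the client sent in PORT."""
    pix = PixFtpModel(OUTSIDE_IP, "192.168.1.0/24", fixup_ports)
    pix.add_static(2121, SERVER_IP)
    client_ip, client_port = parse_hostport(f"PORT {encode_hostport(CLIENT_IP, 1025)}\r\n")
    # Outbound from the server is covered by the nat rule; it only fails if the
    # client handed over an unroutable (NATed) address or a privileged port.
    return pix.outbound_syn(SERVER_IP) and not is_rfc1918(client_ip) and client_port > 1023


if __name__ == "__main__":
    print("passive, fixup on 21 only:    ", passive_listing((21,)))
    print("passive, fixup on 21 and 2121:", passive_listing((21, 2121)))
    print("active, fixup on 21 only:     ", active_listing((21,)))
```

`passive_listing((21,))` is the state before the fix: the control connection gets in through the static, but the 227 reply leaves with the private address and nothing has opened the data port, so the client's data connection is refused and the listing hangs. With `(21, 2121)` the reply is rewritten to the outside address and that one data connection is let in, which is what `fixup protocol ftp 2121` adds. In active mode the server opens the data connection outbound, which the catch-all nat rule already permits, so it can work with no fixup at all provided the client is not itself behind NAT, which is why trying the other mode is a useful test. The deny message quoted from the PIX log is the real state table speaking; this model only records its own refusals.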
I'm using passive, but will try it without passive.

Now a new problem is popping up. Man, this is starting to get frustrating!!

I have had to reboot the PIX 2 times. Everything is working and then it just stops. No pages come up or nothing. I reboot and it all works for a little while until I have to reboot again. I have pointed machines to the external DNS. I don't know why DNS is not working. It has worked flawlessly for about 7-8 months now, and as soon as I hook up the PIX it starts acting up. I believe it has to do with the PIX. I have external DNS as primary and internal as secondary.
I have had to disconnect the PIX. It's going offline about every 10 minutes. When this happens no clients can ping each other. I checked the logs and did not see any errors. I'm just wondering if it's a problem with the 6.2 code?

I'm officially hacked off at this darn PIX!
6.2 is buggy. The latest 6.3(4) seems to be pretty stable.
Are you sure you don't have virus/worms on your LAN?
If you do a "sho xlate" on the pix, do you see tons of icmp xlates for any one system, or for multiple systems?
This is what I got:

Rayspixfirewall#  sho xlate
0 in use, 52 most used

I don't have a CCO that will allow me to download 6.3.4. Where can I get it?
ASKER CERTIFIED SOLUTION
Les Moore