

PIX 506E config problems - PIX can connect to internet but NAT'ed computers can't

Posted on 2004-09-20
Medium Priority
Last Modified: 2010-05-18
I'm setting up my first PIX 506E and I'm having problems getting connectivity for the test computer I have behind it.  The PIX itself can ping external hosts, but the computer behind the PIX can't.  I've read through some older postings of others trying to set up a PIX for the first time, but I'm still stuck.

My test computer does have its gateway set to the PIX's internal IP so I don't think that's a problem.  I created a static route on the PIX for to point to my router's public IP and that allowed the PIX itself to ping external hosts but nothing for my test computer.

I turned on console logging and when I ping a domain on the internet the PIX logs openings in the firewall for UDP traffic coming back from DNS queries, but no IP comes back and no denied errors appear in the console log.

Let me know if you need to see my config to try and troubleshoot.

Question by:jshuck3
LVL 79

Expert Comment

ID: 12103131
ICMP echo-replys are blocked by default on the PIX.
Try getting out to a web page like http://www.experts-exchange.com instead of pinging from a host

Else, you'll have to post up your config..


Author Comment

ID: 12103598
I actually opened up replies to see if that was the problem, but nothing changed.  If I try to get to a web page it just sits there and never gets anywhere.

Here's my config:

: Saved
: Written by enable_15 at 09:10:29.630 CST Mon Sep 20 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xx encrypted
passwd xx encrypted
hostname pix
domain-name x.com
clock timezone CST -6
clock summer-time CST recurring 2 Sat Apr 2:00 last Sat Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
object-group network vnc_servers
  description Servers and workstations that host VNC content
  network-object host x.x.x.79
  network-object host x.x.x.80
  network-object host x.x.x.81
  network-object host x.x.x.82
  network-object host x.x.x.83
  network-object host x.x.x.84
  network-object host x.x.x.85
  network-object host x.x.x.86
object-group network rdp_servers
  description Servers and workstations that require RDP communication
  network-object host x.x.x.79
  network-object host x.x.x.80
  network-object host x.x.x.81
  network-object host x.x.x.82
  network-object host x.x.x.103
object-group network ping_responders
  description Servers and workstations that will respond to pings
  network-object host x.x.x.79
  network-object host x.x.x.81
  network-object host x.x.x.103
object-group network dns_servers
  description Servers and workstations that respond to DNS queries
  network-object host x.x.x.103
object-group icmp-type icmp_traffic
  description Types of ICMP traffic to permit
  icmp-object echo-reply
  icmp-object source-quench
  icmp-object unreachable
  icmp-object time-exceeded
access-list PERMIT_IN deny ip any any
access-list PERMIT_IN permit icmp any any
pager lines 24
logging on
logging timestamp
logging console informational
logging buffered critical
logging host inside 6/1468
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.123
ip address inside
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name checkInfo info action alarm
ip audit name checkAttack attack action alarm
ip audit interface outside checkInfo
ip audit interface outside checkAttack
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.10-x.x.x.78
nat (inside) 1 0 0
static (inside,outside) x.x.x.79 netmask 0 0
static (inside,outside) x.x.x.80 netmask 0 0
static (inside,outside) x.x.x.81 netmask 0 0
static (inside,outside) x.x.x.82 netmask 0 0
static (inside,outside) x.x.x.83 netmask 0 0
static (inside,outside) x.x.x.84 netmask 0 0
static (inside,outside) x.x.x.85 netmask 0 0
static (inside,outside) x.x.x.86 netmask 0 0
static (inside,outside) x.x.x.103 netmask 0 0
access-group PERMIT_IN in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server source outside prefer
http server enable
http inside
snmp-server location Server Room
snmp-server contact Jason Shuck
snmp-server community x
snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Expert Comment

ID: 12110282
A couple of things: the inside network by default is allowed to make any connections outbound unless you apply an inside access list. For your outside access-list you do not have to put a deny, as by default the PIX will only allow what you tell it in the access-list and it will have an explicit deny by default.

Your object groups do not seem to be tied into an access-list; they should be used with an access-list as per this example:

(config)# object-group icmp-type icmp-allowed
(config-icmp-type)# icmp-object echo
(config-icmp-type)# icmp-object time-exceeded
(config-icmp-type)# exit

(config)# access-list 100 permit icmp any any object-group icmp-allowed


LVL 79

Expert Comment

ID: 12112104
I swear I commented on this yesterday..... Maybe I need more coffee this morning..

>access-list PERMIT_IN deny ip any any  <== this is killing you
>access-list PERMIT_IN permit icmp any any

As snoopy13 pointed out, everything is allowed out; it's just that you have explicitly blocked all responses coming back in.

Suggest either using an icmp object group as snoopy13 has shown above, or create a new acl:
  access-list PERMIT_IN permit icmp any any echo-reply
  access-list PERMIT_IN permit icmp any any unreachable
  access-list PERMIT_IN permit icmp any any time-exceeded
  access-list PERMIT_IN permit icmp any object-group network ping_responders echo
  access-list PERMIT_IN permit udp any object-group network dns_servers eq domain
  access-list PERMIT_IN permit tcp any object-group network vnc_servers eq 5800
  access-list PERMIT_IN permit tcp any object-group network vnc_servers eq 5900



Author Comment

ID: 12116296
I removed the access-list item for deny ip any any, but still nothing.  

I did some more experimenting starting over from scratch and everything works up until the point where I define my global address pool.

I define it using:
global (outside) 1 x.x.x.71-x.x.x.77
nat (inside) 1 0 0

Once I do that nothing works.  If I set it to 'global (outside) 1 interface' it works, but that's using PAT and that's not what I want.

Before I set the pools all I've done is set the interface IPs, turned off DHCP, set passwords, and defined interface settings.  I turned on logging to watch what happens when I try to go online once I change it to my desired global pool, but nothing is registering.  It does list translations in the xlate listings but that's it.

Any ideas?
LVL 79

Expert Comment

ID: 12116583
Set the global to the addresses like you have it, then issue "clear xlate" and try again.

Did you set the netmask on the global:

 global (outside) 1 x.x.x.71-x.x.x.77 netmask
You also need one more for an "overload", else you are limited to 7 hosts inside - the depth of your pool
  global (outside) 1 x.x.x.78  <== no netmask

You might try as an experiment:

  global (outside) 1 interface
  global (outside) 2 x.x.x.71-x.x.x.77 netmask
  global (outside) 2 x.x.x.78
  nat (inside) 1
  nat (inside) 2

Now see if it works from a PC with IP, and one with IP
The two PCs should use two different globals, one PAT, one NAT.

Author Comment

ID: 12116920
Went back and set the netmask on the global and added the PAT overload address but nothing.  Tried the experiment you suggested too and still nothing.

I went back to just a PAT translation on the outside interface and everything works but when I add just a static translation it breaks.

I'm getting really confused as to why everything stops working as soon as I try and do any translation beyond PAT.

I hope this won't matter but this is the PIX behind another firewall per my previous question you answered lrmoore.  That firewall isn't doing anything with translation if somehow that changes anything.  

LVL 79

Accepted Solution

lrmoore earned 800 total points
ID: 12117020
Is this the one that has proxyarp turned off on? You need to turn it back on
 no sysopt noproxyarp outside

Author Comment

ID: 12117035
If I turn it on will it only proxy arps for hosts behind the PIX or will it do what it did before and take down my entire network?
LVL 79

Expert Comment

ID: 12117516
It could, but it is required if you want to use a pool of addresses instead of the interface IP for the global...
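As an added illustration that is not part of the thread, the following Python linter checks a PIX 6.3 config for the three problems raised above: a catch-all deny placed ahead of permits in the inbound ACL (first match wins, so the permits are dead), object groups that no access-list references, and a global pool on the outside interface combined with `sysopt noproxyarp outside`. The sample config is a constructed excerpt of the poster's, with the same masked addresses; the function name and output strings are this example's own.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted in the thread; addresses
# are placeholders exactly as the poster masked them.
SAMPLE_CONFIG = """\
object-group network ping_responders
  network-object host x.x.x.79
object-group icmp-type icmp_traffic
  icmp-object echo-reply
access-list PERMIT_IN deny ip any any
access-list PERMIT_IN permit icmp any any
ip address outside x.x.x.123
global (outside) 1 x.x.x.10-x.x.x.78
nat (inside) 1 0 0
access-group PERMIT_IN in interface outside
sysopt noproxyarp outside
"""

def lint_pix_config(text):
    """Return a list of findings for the three problems raised in the thread."""
    lines = [l.rstrip() for l in text.splitlines()]
    findings = []
    # 1. Catch-all deny placed before permits: the PIX evaluates an ACL top
    #    down and stops at the first match, so later permits never fire.
    seen_deny_all = set()
    for l in lines:
        m = re.match(r"access-list (\S+) (permit|deny) (.*)", l)
        if not m:
            continue
        name, action, rest = m.groups()
        if action == "deny" and rest == "ip any any":
            seen_deny_all.add(name)
        elif action == "permit" and name in seen_deny_all:
            findings.append(f"unreachable: '{l}' follows 'deny ip any any' in {name}")
    # 2. Object groups defined but never referenced by any access-list entry.
    for g in re.findall(r"^object-group \S+ (\S+)", text, re.M):
        if not re.search(rf"^access-list .*object-group {g}\b", text, re.M):
            findings.append(f"unused object-group: {g}")
    # 3. A global pool that is not the interface address needs proxy ARP on
    #    the outside interface; otherwise the upstream router's ARP requests
    #    for the pool addresses go unanswered and return traffic is lost.
    pool = any(re.match(r"global \(outside\) \d+ (?!interface)", l) for l in lines)
    if pool and "sysopt noproxyarp outside" in lines:
        findings.append("global pool on outside but proxy ARP disabled: "
                        "run 'no sysopt noproxyarp outside'")
    return findings
```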
