Solved

PIX 506E config problems - PIX can connect to internet but NAT'ed computers can't

Posted on 2004-09-20
Last Modified: 2010-05-18
I'm setting up my first PIX 506E and I'm having problems getting connectivity for the test computer I have behind it.  The PIX itself can ping external hosts, but the computer behind the PIX can't.  I've read through some older postings of others trying to set up a PIX for the first time, but I'm still stuck.

My test computer does have its gateway set to the PIX's internal IP so I don't think that's a problem.  I created a static route on the PIX for 0.0.0.0 0.0.0.0 to point to my router's public IP and that allowed the PIX itself to ping external hosts but nothing for my test computer.

I turned on console logging and when I ping a domain on the internet the PIX logs openings in the firewall for UDP traffic coming back from DNS queries, but no IP comes back and no denied errors appear in the console log.

Let me know if you need to see my config to try and troubleshoot.

Thanks.
Question by:jshuck3
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12103131
ICMP echo-replies are blocked by default on the PIX.
Try getting out to a web page like http://www.experts-exchange.com instead of pinging from a host.

Else, you'll have to post up your config.

 

Author Comment

by:jshuck3
ID: 12103598
I actually opened up replies to see if that was the problem, but nothing changed.  If I try to get to a web page it just sits there and never gets anywhere.

Here's my config:

: Saved
: Written by enable_15 at 09:10:29.630 CST Mon Sep 20 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xx encrypted
passwd xx encrypted
hostname pix
domain-name x.com
clock timezone CST -6
clock summer-time CST recurring 2 Sat Apr 2:00 last Sat Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
object-group network vnc_servers
  description Servers and workstations that host VNC content
  network-object host x.x.x.79
  network-object host x.x.x.80
  network-object host x.x.x.81
  network-object host x.x.x.82
  network-object host x.x.x.83
  network-object host x.x.x.84
  network-object host x.x.x.85
  network-object host x.x.x.86
object-group network rdp_servers
  description Servers and workstations that require RDP communication
  network-object host x.x.x.79
  network-object host x.x.x.80
  network-object host x.x.x.81
  network-object host x.x.x.82
  network-object host x.x.x.103
object-group network ping_responders
  description Servers and workstations that will respond to pings
  network-object host x.x.x.79
  network-object host x.x.x.81
  network-object host x.x.x.103
object-group network dns_servers
  description Servers and workstations that respond to DNS queries
  network-object host x.x.x.103
object-group icmp-type icmp_traffic
  description Types of ICMP traffic to permit
  icmp-object echo-reply
  icmp-object source-quench
  icmp-object unreachable
  icmp-object time-exceeded
access-list PERMIT_IN deny ip any any
access-list PERMIT_IN permit icmp any any
pager lines 24
logging on
logging timestamp
logging console informational
logging buffered critical
logging host inside 192.168.10.62 6/1468
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.123 255.255.255.128
ip address inside 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name checkInfo info action alarm
ip audit name checkAttack attack action alarm
ip audit interface outside checkInfo
ip audit interface outside checkAttack
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.10-x.x.x.78
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.79 192.168.10.62 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.80 192.168.10.63 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.81 192.168.10.64 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.82 192.168.10.65 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.83 192.168.10.66 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.84 192.168.10.67 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.85 192.168.10.68 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.86 192.168.10.69 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.103 192.168.10.2 netmask 255.255.255.255 0 0
access-group PERMIT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 216.81.173.126 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.209 source outside prefer
http server enable
http 192.168.10.0 255.255.255.0 inside
snmp-server location Server Room
snmp-server contact Jason Shuck
snmp-server community x
snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9fcbcabeb08a9163a39fe358fb837876
 
LVL 3

Expert Comment

by:snoopy13
ID: 12110282
A couple of things: the inside network by default is allowed to make any connections outbound unless you apply an inside access list. In your outside access-list you do not have to put a deny, as by default the PIX will only allow what you tell it to in the access-list, and it will have an explicit deny by default.

Your object groups do not seem to be tied into an access-list; they should be used with an access-list, as per this example:

(config)# object-group icmp-type icmp-allowed
(config-icmp-type)# icmp-object echo
(config-icmp-type)# icmp-object time-exceeded
(config-icmp-type)# exit

(config)# access-list 100 permit icmp any any object-group icmp-allowed

 
LVL 79

Expert Comment

by:lrmoore
ID: 12112104
I swear I commented on this yesterday..... Maybe I need more coffee this morning..

>access-list PERMIT_IN deny ip any any  <== this is killing you
>access-list PERMIT_IN permit icmp any any

As snoopy13 pointed out, everything is allowed out; it's just that you have explicitly blocked all responses coming back in.

Suggest either using an icmp object group as snoopy13 has shown above, or create a new acl:
  access-list PERMIT_IN permit icmp any any echo-reply
  access-list PERMIT_IN permit icmp any any unreachable
  access-list PERMIT_IN permit icmp any any time-exceeded
  access-list PERMIT_IN permit icmp any object-group ping_responders echo
  access-list PERMIT_IN permit udp any object-group dns_servers eq domain
  access-list PERMIT_IN permit tcp any object-group vnc_servers eq 5800
  access-list PERMIT_IN permit tcp any object-group vnc_servers eq 5900

<etc>

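Added example (editor's, not code from any poster in this thread): a short Python evaluator that applies access-list entries top-down with first-match semantics and an implicit deny at the end, which is how the PIX processes the list bound by access-group. Run against PERMIT_IN as posted, it shows that "deny ip any any" on line 1 shadows "permit icmp any any" on line 2, so an echo-reply is dropped at line 1 and line 2 can never match. Run against the reordered list from the reply above, it reports which line each packet hits, with the object groups written as tuples of networks in the way snoopy13 describes tying them to ACL lines. The x.x.x.* public block is stood in for by the constructed 203.0.113.0/25, and the test packets are constructed.

```python
"""First-match evaluation of a PIX-style inbound access-list.

Editor's example, not from the original thread. Addresses in 203.0.113.0/25
are constructed stand-ins for the x.x.x.* block in the posted config.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0/0",)


@dataclass(frozen=True)
class Packet:
    proto: str                         # "icmp", "udp" or "tcp"
    src: str
    dst: str
    dport: Optional[int] = None        # tcp/udp destination port
    icmp_type: Optional[str] = None    # "echo", "echo-reply", "unreachable", ...


@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol
    src: tuple = ANY                   # CIDR strings; an object-group is just a tuple
    dst: tuple = ANY
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not _in_any(p.src, self.src) or not _in_any(p.dst, self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def _in_any(ip: str, nets: tuple) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n) for n in nets)


def evaluate(acl, pkt):
    """Return (action, line) for the first ACE that matches, or ("deny", None)
    for the implicit deny that ends every PIX access-list."""
    for line, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, line
    return "deny", None


def unreachable_lines(acl):
    """Line numbers that can never match because an earlier 'ip any any'
    line already covers every packet they would see."""
    shadowed = []
    for i in range(len(acl)):
        if any(e.proto == "ip" and e.src == ANY and e.dst == ANY for e in acl[:i]):
            shadowed.append(i + 1)
    return shadowed


# Object groups from the posted config, on the constructed addresses.
PING_RESPONDERS = ("203.0.113.79/32", "203.0.113.81/32", "203.0.113.103/32")
DNS_SERVERS = ("203.0.113.103/32",)
VNC_SERVERS = tuple(f"203.0.113.{h}/32" for h in range(79, 87))

# access-list PERMIT_IN as posted: the deny comes first.
AS_POSTED = [
    Ace("deny", "ip"),
    Ace("permit", "icmp"),
]

# The reordered list suggested in the reply above.
REORDERED = [
    Ace("permit", "icmp", icmp_type="echo-reply"),
    Ace("permit", "icmp", icmp_type="unreachable"),
    Ace("permit", "icmp", icmp_type="time-exceeded"),
    Ace("permit", "icmp", dst=PING_RESPONDERS, icmp_type="echo"),
    Ace("permit", "udp", dst=DNS_SERVERS, dport=53),
    Ace("permit", "tcp", dst=VNC_SERVERS, dport=5800),
    Ace("permit", "tcp", dst=VNC_SERVERS, dport=5900),
]

# Constructed packets arriving on the outside interface.
ECHO_REPLY = Packet("icmp", "198.51.100.5", "203.0.113.71", icmp_type="echo-reply")  # answer to a NATed host's ping
ECHO_TO_RESPONDER = Packet("icmp", "198.51.100.5", "203.0.113.79", icmp_type="echo")
ECHO_TO_OTHER = Packet("icmp", "198.51.100.5", "203.0.113.80", icmp_type="echo")
DNS_QUERY = Packet("udp", "198.51.100.5", "203.0.113.103", dport=53)
VNC_TO_NON_VNC = Packet("tcp", "198.51.100.5", "203.0.113.103", dport=5900)

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(f"{name}: unreachable lines {unreachable_lines(acl)}")
        for pkt in (ECHO_REPLY, ECHO_TO_RESPONDER, ECHO_TO_OTHER, DNS_QUERY, VNC_TO_NON_VNC):
            print(f"  {pkt.proto:4} -> {pkt.dst:16} {evaluate(acl, pkt)}")
```

Return TCP and UDP traffic for connections opened from the inside is accepted by the PIX connection table rather than by this list, so the inbound access-list mainly decides which new inbound connections reach the statics and which ICMP comes back; a shadowed list therefore breaks ping without, on its own, explaining why web traffic also failed.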
 

Author Comment

by:jshuck3
ID: 12116296
I removed the access-list item for deny ip any any, but still nothing.  

I did some more experimenting, starting over from scratch, and everything works up until the point where I define my global address pool.

I define it using:
global (outside) 1 x.x.x.71-x.x.x.77
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Once I do that, nothing works.  If I set it to 'global (outside) 1 interface' it works, but that's using PAT and that's not what I want.

Before I set the pools, all I've done is set the interface IPs, turned off DHCP, set passwords, and defined interface settings.  I turned on logging to watch what happens when I try to go online once I change it to my desired global pool, but nothing is registering.  It does list translations in the xlate listings, but that's it.

Any ideas?
 
LVL 79

Expert Comment

by:lrmoore
ID: 12116583
Set the global to the addresses like you have it, then issue "clear xlate" and try again.

Did you set the netmask on the global:

 global (outside) 1 x.x.x.71-x.x.x.77 netmask 255.255.255.128
You also need one more for an "overload", else you are limited to 7 hosts inside, the depth of your pool:
  global (outside) 1 x.x.x.78  <== no netmask


You might try as an experiment:

  global (outside) 1 interface
  global (outside) 2 x.x.x.71-x.x.x.77 netmask 255.255.255.128
  global (outside) 2 x.x.x.78
  nat (inside) 1 192.168.1.128 255.255.255.128
  nat (inside) 2 192.168.1.0 255.255.255.128

Now see if it works from a PC with IP 192.168.1.129, and one with IP 192.168.1.9.
The two PCs should use two different globals, one PAT, one NAT.
 
 

Author Comment

by:jshuck3
ID: 12116920
Went back and set the netmask on the global and added the PAT overload address but nothing.  Tried the experiment you suggested too and still nothing.

I went back to just a PAT translation on the outside interface and everything works, but when I add just a static translation it breaks.

I'm getting really confused as to why everything stops working as soon as I try and do any translation beyond PAT.

I hope this won't matter, but this is the PIX behind another firewall, per my previous question you answered, lrmoore.  That firewall isn't doing anything with translation, if somehow that changes anything.

Thanks
 
LVL 79

Accepted Solution

by:lrmoore (earned 200 total points)
ID: 12117020
Is this the one that has proxy ARP turned off? You need to turn it back on:
 no sysopt noproxyarp outside
 

Author Comment

by:jshuck3
ID: 12117035
If I turn it on, will it only proxy ARPs for hosts behind the PIX, or will it do what it did before and take down my entire network?
 
LVL 79

Expert Comment

by:lrmoore
ID: 12117516
It could, but it is required if you want to use a pool of addresses instead of the interface IP for the global...
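Added example (editor's, not code from any poster in this thread): a Python model of the PIX outside interface that covers the two points made in lrmoore's replies above. First, the global pool hands one address to each inside host until it runs out, so a seven-address pool serves seven hosts unless a single-address overload is added, after which further hosts are PATed onto that one address. Second, with sysopt noproxyarp outside the PIX does not answer ARP for pool or static addresses, so the upstream router has nowhere to deliver replies even though the translations show up in the xlate table, which matches the symptom reported earlier. It also includes the check a practitioner would run before turning proxy ARP back on, which is what the last question asks about: any pool or static address that is also a live host on the outside segment (the gateway, for instance) will be answered for by the PIX and hijacked. The x.x.x.* block is stood in for by the constructed 203.0.113.0/25; the interface address, gateway, pool, statics and inside hosts mirror the posted config on those constructed addresses.

```python
"""NAT pool depth, the PAT overload address, and proxy ARP on the outside.

Editor's example, not from the original thread. Addresses in 203.0.113.0/25
are constructed stand-ins for the x.x.x.* block in the posted config.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

OUTSIDE_NET = ipaddress.ip_network("203.0.113.0/25")  # netmask 255.255.255.128
OUTSIDE_IF = "203.0.113.123"                          # ip address outside
GATEWAY = "203.0.113.126"                             # route outside 0.0.0.0 0.0.0.0 <gw>


def addr_range(first: str, last: str) -> List[str]:
    """Expand a 'x.x.x.71-x.x.x.77' style global range into a list of addresses."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(a + i) for i in range(int(b) - int(a) + 1)]


class PixOutside:
    def __init__(self, pool: List[str], pat_addr: Optional[str] = None,
                 statics: Optional[Dict[str, str]] = None, proxy_arp: bool = True):
        self.pool = pool                 # one-to-one dynamic NAT addresses
        self.pat_addr = pat_addr         # 'global (outside) 1 x.x.x.78': the overload
        self.statics = statics or {}     # inside ip -> global ip ('static (inside,outside)')
        self.proxy_arp = proxy_arp       # False models 'sysopt noproxyarp outside'
        self.xlate: Dict[str, Tuple[str, Optional[int]]] = {}
        self._next_port = 1024

    def translate(self, inside_ip: str) -> Optional[Tuple[str, Optional[int]]]:
        """Global (address, port) an inside host is translated to, or None when
        the pool is exhausted and there is no overload address."""
        if inside_ip in self.xlate:
            return self.xlate[inside_ip]
        if inside_ip in self.statics:
            entry = (self.statics[inside_ip], None)
        else:
            in_use = {g for g, _ in self.xlate.values()}
            free = [g for g in self.pool if g not in in_use]
            if free:
                entry = (free[0], None)                   # one-to-one NAT
            elif self.pat_addr:
                entry = (self.pat_addr, self._next_port)  # PAT: many hosts, one address
                self._next_port += 1
            else:
                return None
        self.xlate[inside_ip] = entry
        return entry

    def clear_xlate(self) -> None:
        """'clear xlate': drop every dynamic translation so it is rebuilt."""
        self.xlate.clear()

    def owned_addresses(self) -> set:
        """Every outside address the PIX must answer ARP for if traffic is to reach it."""
        owned = {OUTSIDE_IF, *self.pool, *self.statics.values()}
        if self.pat_addr:
            owned.add(self.pat_addr)
        return owned

    def answers_arp(self, target_ip: str) -> bool:
        """Would the PIX reply to 'who-has target_ip' on the outside wire?"""
        if target_ip == OUTSIDE_IF:
            return True                  # its own interface, proxy ARP or not
        return self.proxy_arp and target_ip in self.owned_addresses()


def reply_reaches_inside(pix: PixOutside, inside_ip: str) -> bool:
    """A reply from the gateway is delivered only if the gateway can resolve the
    global address with ARP; otherwise it is dropped although the xlate exists."""
    entry = pix.translate(inside_ip)
    return entry is not None and pix.answers_arp(entry[0])


def config_issues(pix: PixOutside, other_hosts: List[str]) -> List[str]:
    """Checks to run before turning proxy ARP back on: pool and static addresses
    must sit in the outside subnet and must not belong to anything else on that
    segment, or the PIX will answer ARP for it and black-hole its traffic."""
    issues = []
    for a in sorted(pix.owned_addresses() - {OUTSIDE_IF}):
        if ipaddress.ip_address(a) not in OUTSIDE_NET:
            issues.append(f"{a} is outside {OUTSIDE_NET}; the gateway will not ARP for it")
        if a in other_hosts:
            issues.append(f"{a} is also a live host on the outside segment; proxy ARP would hijack it")
    return issues


if __name__ == "__main__":
    pix = PixOutside(addr_range("203.0.113.71", "203.0.113.77"), proxy_arp=False)
    for n in range(62, 71):                       # nine inside hosts, seven-deep pool
        print(f"192.168.10.{n} -> {pix.translate(f'192.168.10.{n}')}")
    print("reply reaches host:", reply_reaches_inside(pix, "192.168.10.62"))
    pix.proxy_arp = True                          # no sysopt noproxyarp outside
    print("after enabling proxy ARP:", reply_reaches_inside(pix, "192.168.10.62"))
    print("issues:", config_issues(pix, [GATEWAY]))
```

The config_issues check is the answer to the worry about proxy ARP taking the network down: the PIX only answers for addresses in its global pool, its statics and its own interface, so it is harmless as long as none of those is already in use by another device on the outside segment, and the check lists exactly the addresses where it would not be.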