PIX 506E config problems - PIX can connect to internet but NAT'ed computers can't

I'm setting up my first PIX 506E and I'm having problems getting connectivity for the test computer I have behind it.  The PIX itself can ping external hosts, but the computer behind the PIX can't.  I've read through some older postings of others trying to set up a PIX for the first time, but I'm still stuck.

My test computer does have its gateway set to the PIX's internal IP so I don't think that's a problem.  I created a static route on the PIX for to point to my router's public IP and that allowed the PIX itself to ping external hosts but nothing for my test computer.

I turned on console logging and when I ping a domain on the internet the PIX logs openings in the firewall for UDP traffic coming back from DNS queries, but no IP comes back and no denied errors appear in the console log.

Let me know if you need to see my config to try and troubleshoot.

lrmoore Commented:
Is this the one that has proxyarp turned off? You need to turn it back on:
 no sysopt noproxyarp outside
ICMP echo-replies are blocked by default on the PIX.
Try getting out to a web page like http://www.experts-exchange.com instead of pinging from a host

Else, you'll have to post up your config..

jshuck3 (Author) Commented:
I actually opened up replies to see if that was the problem, but nothing changed.  If I try to get to a web page it just sits there and never gets anywhere.

Here's my config:

: Saved
: Written by enable_15 at 09:10:29.630 CST Mon Sep 20 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xx encrypted
passwd xx encrypted
hostname pix
domain-name x.com
clock timezone CST -6
clock summer-time CST recurring 2 Sat Apr 2:00 last Sat Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
object-group network vnc_servers
  description Servers and workstations that host VNC content
  network-object host x.x.x.79
  network-object host x.x.x.80
  network-object host x.x.x.81
  network-object host x.x.x.82
  network-object host x.x.x.83
  network-object host x.x.x.84
  network-object host x.x.x.85
  network-object host x.x.x.86
object-group network rdp_servers
  description Servers and workstations that require RDP communication
  network-object host x.x.x.79
  network-object host x.x.x.80
  network-object host x.x.x.81
  network-object host x.x.x.82
  network-object host x.x.x.103
object-group network ping_responders
  description Servers and workstations that will respond to pings
  network-object host x.x.x.79
  network-object host x.x.x.81
  network-object host x.x.x.103
object-group network dns_servers
  description Servers and workstations that respond to DNS queries
  network-object host x.x.x.103
object-group icmp-type icmp_traffic
  description Types of ICMP traffic to permit
  icmp-object echo-reply
  icmp-object source-quench
  icmp-object unreachable
  icmp-object time-exceeded
access-list PERMIT_IN deny ip any any
access-list PERMIT_IN permit icmp any any
pager lines 24
logging on
logging timestamp
logging console informational
logging buffered critical
logging host inside 6/1468
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.123
ip address inside
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name checkInfo info action alarm
ip audit name checkAttack attack action alarm
ip audit interface outside checkInfo
ip audit interface outside checkAttack
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.10-x.x.x.78
nat (inside) 1 0 0
static (inside,outside) x.x.x.79 netmask 0 0
static (inside,outside) x.x.x.80 netmask 0 0
static (inside,outside) x.x.x.81 netmask 0 0
static (inside,outside) x.x.x.82 netmask 0 0
static (inside,outside) x.x.x.83 netmask 0 0
static (inside,outside) x.x.x.84 netmask 0 0
static (inside,outside) x.x.x.85 netmask 0 0
static (inside,outside) x.x.x.86 netmask 0 0
static (inside,outside) x.x.x.103 netmask 0 0
access-group PERMIT_IN in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server source outside prefer
http server enable
http inside
snmp-server location Server Room
snmp-server contact Jason Shuck
snmp-server community x
snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

snoopy13 Commented:
A couple of things: the inside network by default is allowed to make any connections outbound unless you apply an inside access list. On your outside access-list you do not have to put a deny, as by default the PIX will only allow what you tell it in the access-list and it will have an explicit deny by default.

Your object groups do not seem to be tied into an access-list; they should be used with an access-list, as per this example:

(config)# object-group icmp-type icmp-allowed
(config-icmp-type)# icmp-object echo
(config-icmp-type)# icmp-object time-exceeded
(config-icmp-type)# exit

(config)# access-list 100 permit icmp any any object-group icmp-allowed

lrmoore Commented:
I swear I commented on this yesterday..... Maybe I need more coffee this morning..

>access-list PERMIT_IN deny ip any any  <== this is killing you
>access-list PERMIT_IN permit icmp any any

As snoopy13 pointed out, everything is allowed out; it's just that you have explicitly blocked all responses coming back in.

Suggest either using an icmp object group as snoopy13 has shown above, or creating a new acl:
  access-list PERMIT_IN permit icmp any any echo-reply
  access-list PERMIT_IN permit icmp any any unreachable
  access-list PERMIT_IN permit icmp any any time-exceeded
  access-list PERMIT_IN permit icmp any object-group network ping_responders echo
  access-list PERMIT_IN permit udp any object-group network dns_servers eq domain
  access-list PERMIT_IN permit tcp any object-group network vnc_servers eq 5800
  access-list PERMIT_IN permit tcp any object-group network vnc_servers eq 5900


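On PIX 6.x, ICMP is not tracked statefully by default, so the echo-reply to an inside host's ping must be permitted by the outside access-list, and access-list entries are matched top-down with an implicit deny at the end. The following Python is an added illustration, not code from the thread or from Cisco: a small first-match evaluator for PIX-style access-list lines that runs the original two-line PERMIT_IN and the reordered list suggested above against constructed packets. It goes slightly beyond the thread by also handling object-group and `eq` port qualifiers, so it covers snoopy13's point about tying object groups into the ACL; the group memberships and the RFC 5737 addresses are constructed stand-ins for the thread's x.x.x.N values.

```python
"""Toy first-match evaluator for PIX 6.x style access-list lines (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed object-groups: 203.0.113.0/24 stands in for the thread's x.x.x.N public block.
NETWORK_GROUPS = {
    "vnc_servers": {f"203.0.113.{n}" for n in range(79, 87)},
    "ping_responders": {"203.0.113.79", "203.0.113.81", "203.0.113.103"},
    "dns_servers": {"203.0.113.103"},
}
SERVICE_NAMES = {"domain": 53}  # PIX accepts service names such as 'domain' after 'eq'

# The two-line PERMIT_IN from the posted config: deny first, so the permit never matches.
ORIGINAL_ACL = [
    "access-list PERMIT_IN deny ip any any",
    "access-list PERMIT_IN permit icmp any any",
]

# The replacement list proposed in the thread (written as posted, 'object-group network NAME').
SUGGESTED_ACL = [
    "access-list PERMIT_IN permit icmp any any echo-reply",
    "access-list PERMIT_IN permit icmp any any unreachable",
    "access-list PERMIT_IN permit icmp any any time-exceeded",
    "access-list PERMIT_IN permit icmp any object-group network ping_responders echo",
    "access-list PERMIT_IN permit udp any object-group network dns_servers eq domain",
    "access-list PERMIT_IN permit tcp any object-group network vnc_servers eq 5800",
    "access-list PERMIT_IN permit tcp any object-group network vnc_servers eq 5900",
]


@dataclass
class Packet:
    proto: str            # 'icmp', 'tcp' or 'udp'
    src: str
    dst: str
    icmp_type: str = ""   # e.g. 'echo-reply'; only used for icmp
    dport: int = 0        # destination port; only used for tcp/udp


def _match_addr(tokens, i, addr):
    """Match one address spec starting at tokens[i]; return (matched, index after the spec)."""
    tok = tokens[i]
    if tok == "any":
        return True, i + 1
    if tok == "host":
        return addr == tokens[i + 1], i + 2
    if tok == "object-group":
        j = i + 1
        if tokens[j] == "network":   # tolerate the optional keyword as written in the thread
            j += 1
        return addr in NETWORK_GROUPS[tokens[j]], j + 1
    # 'a.b.c.d m.m.m.m' form
    net = ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)
    return ipaddress.ip_address(addr) in net, i + 2


def _match_entry(entry, pkt):
    """Return the entry's action if it matches pkt, else None."""
    tokens = entry.split()          # access-list NAME action proto SRC DST [qualifier]
    action, proto = tokens[2], tokens[3]
    if proto != "ip" and proto != pkt.proto:
        return None
    ok, i = _match_addr(tokens, 4, pkt.src)
    if not ok:
        return None
    ok, i = _match_addr(tokens, i, pkt.dst)
    if not ok:
        return None
    rest = tokens[i:]
    if rest:
        if proto == "icmp" and rest[0] != pkt.icmp_type:
            return None
        if proto in ("tcp", "udp"):
            if rest[0] != "eq":
                return None          # only 'eq' is modelled here
            port = SERVICE_NAMES.get(rest[1])
            port = int(rest[1]) if port is None else port
            if port != pkt.dport:
                return None
    return action


def evaluate(acl_lines, pkt):
    """PIX first-match semantics: the first matching entry decides; otherwise implicit deny."""
    for line in acl_lines:
        result = _match_entry(line, pkt)
        if result is not None:
            return result
    return "deny"


if __name__ == "__main__":
    reply = Packet("icmp", "198.51.100.1", "203.0.113.71", icmp_type="echo-reply")
    print("original:", evaluate(ORIGINAL_ACL, reply))    # deny: the first line swallows everything
    print("suggested:", evaluate(SUGGESTED_ACL, reply))  # permit
```

The evaluator only models inbound packets that are not part of an existing connection. Return traffic for TCP and UDP sessions opened from the inside is matched against the PIX connection table and is not subject to the outside access-list, which is why the `deny ip any any` line explains the failed pings but not the hung web page that the thread goes on to investigate.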
jshuck3 (Author) Commented:
I removed the access-list item for deny ip any any, but still nothing.  

I did some more experimenting starting over from scratch and everything works up until the point where I define my global address pool.

I define it using:
global (outside) 1 x.x.x.71-x.x.x.77
nat (inside) 1 0 0

Once I do that nothing works.  If I set it to 'global (outside) 1 interface' it works, but that's using PAT and that's not what I want.

Before I set the pools all I've done is set the interface IPs, turned off DHCP, set passwords, and defined interface settings.  I turned on logging to watch what happens when I try to go online once I change it to my desired global pool, but nothing is registering.  It does list translations in the xlate listings, but that's it.

Any ideas?
lrmoore Commented:
Set the global to the addresses like you have it, then issue "clear xlate" and try again.

Did you set the netmask on the global?

 global (outside) 1 x.x.x.71-x.x.x.77 netmask
You also need one more for an "overload", else you are limited to 7 hosts inside, the depth of your pool:
  global (outside) 1 x.x.x.78  <== no netmask

You might try as an experiment:

  global (outside) 1 interface
  global (outside) 2 x.x.x.71-x.x.x.77 netmask
  global (outside) 2 x.x.x.78
  nat (inside) 1
  nat (inside) 2

Now see if it works from a PC with IP, and one with IP.
The two PCs should use two different globals, one PAT, one NAT.
jshuck3 (Author) Commented:
Went back and set the netmask on the global and added the PAT overload address but nothing.  Tried the experiment you suggested too and still nothing.

I went back to just a PAT translation on the outside interface and everything works but when I add just a static translation it breaks.

I'm getting really confused as to why everything stops working as soon as I try and do any translation beyond PAT.

I hope this won't matter, but this is the PIX behind another firewall, per my previous question you answered, lrmoore.  That firewall isn't doing anything with translation, if somehow that changes anything.

jshuck3 (Author) Commented:
If I turn it on, will it only proxy ARP for hosts behind the PIX, or will it do what it did before and take down my entire network?
lrmoore Commented:
It could, but it is required if you want to use a pool of addresses instead of the interface IP for the global...
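The symptom pattern in this thread (PAT to the interface address works, a NAT pool or a static does not) follows from how the upstream router learns where a global address lives: it sends an ARP request, the PIX answers for its own interface IP unconditionally, but answers for pool and static addresses only when proxy ARP is enabled on that interface, which `sysopt noproxyarp outside` turns off. The following Python is an added model, not code from the thread or from Cisco, that puts the pool-depth point above and the proxy ARP point together: it assigns global addresses to inside hosts (statics, then the one-to-one pool, then the overload address, then interface PAT) and reports whether the upstream router could resolve each global address. The RFC 5737 addresses and host lists are constructed stand-ins for the thread's x.x.x.N values, and the pool-consumption order is a simplification of the real PIX allocator.

```python
"""Toy model of PIX 6.x outbound translation and outside proxy ARP (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class GlobalConfig:
    interface_ip: str                                   # 'ip address outside ...'
    pool: List[str] = field(default_factory=list)       # 'global (outside) 1 a-b netmask m' (one-to-one NAT)
    overload: Optional[str] = None                      # 'global (outside) 1 x' with no netmask (PAT)
    pat_on_interface: bool = False                      # 'global (outside) 1 interface'
    statics: Dict[str, str] = field(default_factory=dict)  # inside_ip -> global_ip
    proxyarp_outside: bool = True                       # False when 'sysopt noproxyarp outside' is set


def answers_arp(cfg: GlobalConfig, target_ip: str) -> bool:
    """Would the PIX outside interface answer an ARP request for target_ip?"""
    if target_ip == cfg.interface_ip:
        return True                      # an interface always answers for its own address
    if not cfg.proxyarp_outside:
        return False                     # proxy ARP off: pool, overload and static addresses stay silent
    return (target_ip in cfg.pool
            or target_ip == cfg.overload
            or target_ip in cfg.statics.values())


def build_xlates(cfg: GlobalConfig, inside_hosts: List[str]):
    """Assign each inside host a global address: statics first, then one pool address per
    host until the pool is exhausted, then the overload PAT address, then interface PAT."""
    xlates = {}
    free_pool = list(cfg.pool)
    for host in inside_hosts:
        if host in cfg.statics:
            xlates[host] = ("static", cfg.statics[host])
        elif free_pool:
            xlates[host] = ("nat", free_pool.pop(0))
        elif cfg.overload:
            xlates[host] = ("pat", cfg.overload)
        elif cfg.pat_on_interface:
            xlates[host] = ("pat", cfg.interface_ip)
        else:
            xlates[host] = ("none", None)   # pool exhausted and no overload: no translation
    return xlates


def reachability(cfg: GlobalConfig, inside_hosts: List[str]):
    """Per host: (translation kind, global ip, whether return traffic can reach that global ip)."""
    result = {}
    for host, (kind, gip) in build_xlates(cfg, inside_hosts).items():
        result[host] = (kind, gip, gip is not None and answers_arp(cfg, gip))
    return result


if __name__ == "__main__":
    pool = [f"203.0.113.{n}" for n in range(71, 78)]        # seven addresses, like the thread's pool
    hosts = [f"192.0.2.{n}" for n in range(10, 19)]         # nine inside hosts, two more than the pool
    # The thread's state: pool + overload configured, but proxy ARP disabled on outside.
    broken = GlobalConfig("203.0.113.123", pool=pool, overload="203.0.113.78", proxyarp_outside=False)
    for host, row in reachability(broken, hosts).items():
        print("noproxyarp:", host, row)        # every row ends in False: nobody answers ARP
    fixed = GlobalConfig("203.0.113.123", pool=pool, overload="203.0.113.78", proxyarp_outside=True)
    for host, row in reachability(fixed, hosts).items():
        print("proxyarp on:", host, row)       # 7 nat rows, then 2 pat rows, all reachable
```

The model reproduces each observation in the thread: with proxy ARP off only the `global (outside) 1 interface` case is reachable; with it on, the seven pool addresses serve seven hosts and the eighth falls onto the overload address, or gets no translation at all if the overload line is missing.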