Solved

Configuring PIX 501 in reverse?

Posted on 2004-11-26
44
Medium Priority
1,008 Views
Last Modified: 2013-11-16
Got a PIX 501.  I was told to use it to prohibit potential intrusion from an inbound dialup connection to a PC on our network.  Our company uses static IPs.  Somehow I feel this isn't what we needed or it is to be used differently than I would normally expect a firewall to be used.  We don't want to prevent access to this PC from other PCs on our network, just from this PC to the rest of our network.  How do I set this up?
Question by:imherson
44 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 12682984
Hi imherson,
Here are a few links for you to have a look at.
PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html

In your situation you would connect one interface to the PC/hardware accepting dial-in connections and the other to your internal network. Then define an access-list to permit only the traffic you want between the modem and your internal network.
0
 

Author Comment

by:imherson
ID: 12683071
Which interface do I hook to the computer, which to the network?  How do I make on our static network.  

I'm sure if I did a lot more reading or took a course I would know what to do, but..
0
 
LVL 36

Expert Comment

by:grblades
ID: 12683115
It does not really matter which interface you connect up as long as it matches your configuration.
I suggest you use Ethernet0 for the internal network and Ethernet1 for the modem. You will see in the configuration examples that the inside has a security level of 100 and the outside a level of 0.
This means that by default the internal network can talk to the modem but the modem cannot talk to the internal network.
You then just add an access-list to the Ethernet1 interface to permit in what you want.
0
 

Author Comment

by:imherson
ID: 12683152
The first thing that throws me off is that this is a dialup modem and connects to the PC via a phone line.  I can't connect it directly to the firewall.  The firewall has just RJ-45 ports.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12683161
In that case you would need to connect the modem to a PC and connect that PC to the PIX.
0
 

Author Comment

by:imherson
ID: 12683227
The modem is used by an outside vendor to service the computer.  Are you saying I have to connect the modem to a different PC than the one he needs to service?
0
 

Author Comment

by:imherson
ID: 12683238
Our purpose is just to keep the outside vendor out of our network.  Our PC has to use a specific static IP to function on our network.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12683247
In that case leave the modem attached to the computer they service, but put this computer on the other side of the PIX. That way the default security will permit you and all your employees to access the server as they currently do, but if the vendor connects to the server they won't be able to connect to any of your other internal machines.
0
 

Author Comment

by:imherson
ID: 12683424
If I understand you correctly I would attach the PC with modem to Ethernet 0 and patch our network to Ethernet 1, and our people could access the PC with the same static IP they have always been using (e.g. 207.22.0.7).  I don't want to give it a private IP like 192.168.0.3.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12683450
You will have to give the server a different IP address since it has to be on a different logical network. However you can configure a feature called NAT on the PIX to translate requests to 207.22.0.7 into 192.168.0.3 on the other interface so internal users can still access it using the same address they have always used.
0
 

Author Comment

by:imherson
ID: 12683468
I'm not going to be able to try this out until Monday.  I will let you know how it goes
0
 
LVL 36

Expert Comment

by:grblades
ID: 12683506
Here is a config to start you off.

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 pc security0
nameif ethernet1 inside security100
enable password ************* encrypted
passwd ************* encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu pc 1500
mtu inside 1500
ip address pc 192.168.0.1
ip address inside 207.22.0.6 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (inside) 1 interface
nat (pc) 1 0.0.0.0 0.0.0.0 0 0
static (pc,inside) 207.22.0.7 192.168.0.3 netmask 255.255.255.255 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
0
 

Author Comment

by:imherson
ID: 12698534
Now I have figured out how to recover the password/ reset the password/ configuration with the TFTP server.  I've done this each time I made a change and could not get back into the web interface.  It seems like I need some sort of encryption client to interact with it because whenever I set a password and then get challenged for it, I can't get back in and I have to use TFTP to reset the configuration.

I want to try the script above but I cannot log in (I'm using Hyperterminal).   I thought the default password for administrator was cisco.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12698561
I don't think the web interface is enabled in my example.
The two lines with all the ******'s in them are the passwords to log in and go into 'enable' mode. You need to pick a password and change the script before applying it.
Once applied, do a 'wri mem' to save the configuration.
0
 

Author Comment

by:imherson
ID: 12699508
I've reset the pix to factory default, but when I try the first line of your example "interface ethernet0 auto", the feedback I get is " type help or '?' for a list of available commands"
0
 
LVL 36

Expert Comment

by:grblades
ID: 12701323
Ignore the first 2 lines. The 501 has 10Mbps interfaces and a hub at one end I believe.
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 12701706
When configuring the PIX you need to be in enable mode.

At the prompt type enable or en and press enter.
It may ask you for the enable password.

If you want to configure an interface as above you need to:

At the prompt type

interface ethernet0 (maybe fastethernet) enter
speed auto
exit

But as above this should be the default; I just wanted to show you how to configure the interface. If you are not sure of a command press ? and the pix will suggest the next statement.

Hope this helps
0
 
LVL 36

Expert Comment

by:grblades
ID: 12703857
Go into enable mode as Blackduke77 said, but you will also need to type 'conf t' to go into configuration mode as well.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12703863
The interface configuration example Blackduke77 gave above is for routers. The PIX has a different command language.
0
 

Author Comment

by:imherson
ID: 12706448
I'm able to get through some of the script.  Here's where I'm having trouble:

pixfirewall(config)# nameif ethernet pc security0
Usage:  nameif <hardware_id> <if_name> <security_lvl>
        nameif <vlan_id> <if_name> <security_lvl>
        no nameif
pixfirewall(config)# hostname pix
%Key pair with hostname pixfirewall.ciscopix.com will be invalid

Use this configuration and write to flash? yes
Interface address is not on same subnet as DHCP pool
Error setting inside IP address and mask

pix(config)# ip address pc 192.168.0.1
Usage:  [no] ip address <if_name> <ip_address> [<mask>]
        [no] ip address <if_name> <ip_address> <mask> pppoe [setroute]
        [no] ip address <if_name> dhcp [setroute] [retry <retry_cnt>]
        [no] ip address <if_name> pppoe [setroute]
        ip local pool <poolname> <ip1>[-<ip2>]
        ip verify reverse-path interface <if_name>
        ip audit {info|attack} action [alarm] [drop] [reset]
        ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]

        ip audit interface <if_name> <audit_name>
        ip audit signature <sig_number> disable
        show|clear ip audit count [global] [interface <interface>]
        show ip [address [<if_name> [pppoe|dhcp [lease|server]]]]
pix(config)#

pix(config)# ?
At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.
aaa             Enable, disable, or view TACACS+, RADIUS or LOCAL
                user authentication, authorization and accounting
aaa-server      Define AAA Server group
access-group    Bind an access-list to an interface to filter inbound traffic
access-list     Add an access list
activation-key  Modify activation-key.
age             This command is deprecated. See ipsec, isakmp, map, ca commands
alias           Administer overlapping addresses with dual NAT.
apply           Apply outbound lists to source or destination IP addresses
arp             Change or view arp table, set arp timeout value, view statistics

auth-prompt     Customize authentication challenge, reject or acceptance prompt
auto-update     Configure auto update support
banner          Configure login/session banners
ca              CEP (Certificate Enrollment Protocol)
                Create and enroll RSA key pairs into a PKI
                (Public Key Infrastructure).
capture         Capture inbound and outbound packets on one or more interfaces
clock           Show and set the date and time of PIX
conduit         Add conduit access to higher security level network or ICMP
configure       Configure from terminal, floppy, memory, network, or
                factory-default.  The configuration will be merged with the
                active configuration except for factory-default in which case
                the active configuration is cleared first.
copy            Copy image or PDM file from TFTP server into flash.
console         Set idle timeout for the serial console of the PIX
Crashinfo       Read, write and configure crash write to flash. Force a crash.
crypto          Configure IPsec, IKE, and CA
debug           Debug packets or ICMP tracings through the PIX Firewall.
dhcpd           Configure DHCP Server
dhcprelay       Configure DHCP Relay Agent
disable         Exit from privileged mode
domain-name     Change domain name
dynamic-map     Specify a dynamic crypto map template
eeprom          show or reprogram the 525 onboard i82559 devices
enable          Configure enable passwords
established     Allow inbound connections based on established connections
failover        Enable/disable PIX failover feature to a standby PIX
filter          Enable, disable, or view URL, FTP, HTTPS, Java, and ActiveX filtering
fixup           Add or delete PIX service and feature defaults
flashfs         Show, destroy, or preserve filesystem information
fragment        Configure the IP fragment database
global          Specify, delete or view global address pools,
                or designate a PAT(Port Address Translated) address
help            Help list
hostname        Change host name
http            Configure HTTP server
icmp            Configure access for ICMP traffic that terminates at an interface
interface       Set network interface paremeters and configure VLANs
ip              Set the ip address and mask for an interface
                Define a local address pool
                Configure Unicast RPF on an interface
                Configure the Intrusion Detection System
ipsec           Configure IPSEC policy
isakmp          Configure ISAKMP policy
kill            Terminate a telnet session
logout          Exit from current user profile, and to unprivileged mode
logging         Enable logging facility
mac-list        Add a list of mac addresses using first match search
map             Configure IPsec crypto map
memory          System memory utilization
mgcp            Configure the Media Gateway Control Protocol fixup
management-access       Enable access to internal management interface
mroute          Configure a multicast route
mtu             Specify MTU(Maximum Transmission Unit) for an interface
multicast       Configure multicast on an interface
name            Associate a name with an IP address
nameif          Assign a name to an interface
names           Enable, disable or display IP address to name conversion
nat             Associate a network with a pool of global IP addresses
ntp             Configure Network Time Protocol
object-group    Create an object group for use in 'access-list', 'conduit', etc
outbound        Create an outbound access list
pager           Control page length for pagination
passwd          Change Telnet console access password
pdm             Configure PIX Device Manager
ping            Test connectivity from specified interface to <ip>
prefix-list     Configure a prefix-list
privilege       Configure/Display privilege levels for commands
quit            Quit from the current mode, end configuration or logout
reload          Halt and reload system
rip             Broadcast default route or passive RIP
route           Enter a static route for an interface
route-map       Create a route-map.
router          Create/configure OSPF routing process
routing         Configure interface specific unicast routing parameters.
service         Enable system services
setup           Pre-configure PIX
shun            Manages the filtering of packets from undesired hosts
snmp-server     Provide SNMP and event information
ssh             Add SSH access to PIX console, set idle timeout, display
                list of active SSH sessions & terminate a SSH session
static          Configure one-to-one address translation rule
sysopt          Set system functional option
telnet          Add telnet access to PIX console and set idle timeout
terminal        Set terminal line parameters
tftp-server     Specify default TFTP server address and directory
timeout         Set the maximum idle times
url-cache       Enable URL caching
url-block       Enable URL pending block buffer and long URL support
url-server      Specify a URL filter server
username        Configure user authentication local database
virtual         Set address for authentication virtual servers
vpdn            Configure VPDN (PPTP, L2TP, PPPoE) Policy
vpnclient       Configure Easy VPN Remote
vpngroup        Configure group settings for Cisco VPN Clients and
                Cisco Easy VPN Remote products
who             Show active administration sessions on PIX
write           Write config to net, flash, floppy, or terminal, or erase flash
pix(config)#
0
 
LVL 36

Expert Comment

by:grblades
ID: 12706577
> pixfirewall(config)# nameif ethernet pc security0

You just have 'ethernet' and not 'ethernet0' which is incomplete. This missing command is causing the other problems.
0
 

Author Comment

by:imherson
ID: 12706671
Oops
0
 

Author Comment

by:imherson
ID: 12706967
ip address inside 207.2.0.6 255.255.255.0
Interface address is not on same subnet as DHCP pool

We don't use DHCP

0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 12707033
Oops, sorry about my slip-ups. Glad there are those out there who spot these things. How's it going?
0
 
LVL 36

Expert Comment

by:grblades
ID: 12707114
It sounds as though there is some old configuration already present.
Make sure you are connected via the console (serial cable) and then erase and reload the router so you are starting with a blank configuration :-

enable
write erase
reload
0
 

Author Comment

by:imherson
ID: 12707301
OK I'm past that:

pix(config)# nat (pc) 1 0.0.0.0 0.0.0.0 0 0
WARNING:  Binding inside nat statement to outermost interface.
WARNING:  Keyword "outside" is probably missing.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12707444
OK. Don't bother trying to rename the interfaces. Just use the standard interface names as in this configuration. Erase the config as before and paste in this one.

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************* encrypted
passwd ************* encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1
ip address inside 207.22.0.6 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (inside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 207.22.0.7 192.168.0.3 netmask 255.255.255.255 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
0
 

Author Comment

by:imherson
ID: 12707753
I didn't set the password now [I'd rather do that later if it's OK] and I didn't set the speed to auto on ethernet1 [the reply was 100Full only option]. I did set ethernet 0 to auto.  Here's the rest:

pixfirewall> enable
Password:
pixfirewall# conft
Type help or '?' for a list of available commands.
pixfirewall# conf t
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# hostname pix
pix(config)# fixup protocol dns maximum-length 512
pix(config)# fixup protocol ftp 21
pix(config)# fixup protocol h323 h225 1720
pix(config)# fixup protocol h323 ras 1718-1719
pix(config)# fixup protocol http 80
pix(config)# fixup protocol ils 389
pix(config)# fixup protocol rsh 514
pix(config)# fixup protocol rtsp 554
pix(config)# fixup protocol sip 5060
pix(config)# fixup protocol sip udp 5060
pix(config)# fixup protocol skinny 2000
pix(config)# fixup protocol smtp 25
pix(config)# fixup protocol sqlnet 1521
pix(config)# fixup protocol tftp 69
pix(config)# pager lines 24
pix(config)# logging on
pix(config)# logging console errors
pix(config)# logging monitor debugging
pix(config)# logging buffered debugging
pix(config)# mtu outside 1500
pix(config)# mtu inside 1500
pix(config)# ip address outside 192.168.0.1
pix(config)# ip address inside 207.22.0.6 255.255.255.0
pix(config)# ip audit info action alarm
pix(config)# ip audit attack action alarm
pix(config)# pdm history enable
pix(config)# arp timeout 14400
pix(config)# global (inside) 1 interface
inside interface address added to PAT pool
pix(config)# nat (outside) 1 0.0.0.0 0.0.0.0 0 0
WARNING:  Binding inside nat statement to outermost interface.
WARNING:  Keyword "outside" is probably missing.
pix(config)# static (outside,inside) 207.22.0.7 192.168.0.3 netmask 255.255.25$
pix(config)# timeout xlate 3:00:00
pix(config)# timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 $
pix(config)# timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
pix(config)# timeout uauth 0:05:00 absolute
pix(config)# aaa-server TACACS+ protocol tacacs+
pix(config)# aaa-server RADIUS protocol radius
pix(config)# aaa-server LOCAL protocol local
pix(config)# no snmp-server location
pix(config)# no snmp-server contact
pix(config)# snmp-server community public
pix(config)# no snmp-server enable traps
pix(config)# floodguard enable
pix(config)# telnet timeout 60
pix(config)# ssh timeout 60
pix(config)# console timeout 0
pix(config)# terminal width 100
0
 

Author Comment

by:imherson
ID: 12708660
Is this a problem?

pix(config)# nat (outside) 1 0.0.0.0 0.0.0.0 0 0
WARNING:  Binding inside nat statement to outermost interface.
WARNING:  Keyword "outside" is probably missing.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12708908
Sorry. I changed the configuration and put the wrong keyword in.
The line should be:-

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
0
 
LVL 36

Expert Comment

by:grblades
ID: 12708918
So you can just paste the following in :-

no nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
0
 

Author Comment

by:imherson
ID: 12710195
The config took.  I wrote it to memory (write mem) and reloaded. Now I was going to hook it up to the PC & the network.

I'm hooking a PC with IP 192.168.0.3 255.255.255.0 to Ethernet0 (this only works with a crossover cable) and

Ethernet1 I'm plugging into our network (normal cable).

I've tried pinging 207.22.0.7 and 207.22.0.6 from another PC on the network but the hosts are unreachable.

From the PC connected to ethernet0 I can ping the pix (192.168.0.1, not 207.22.0.6) but I cannot telnet to the IP.   Also I cannot open the browser interface anymore.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12713841
There are no access-lists applied yet so the PC won't be able to be pinged as the replies will be blocked. You should be able to connect to the website running on it, for example.

From the PC you won't be able to contact anything on the other side of the PIX unless you specifically configure it. This is the point of the firewall: to stop people who have connected to the server for administration from then being able to connect to the rest of your network.
If you tell me what services you need this PC to connect to and on what machines I will give you an access-list you can apply.

In the meantime if you apply the following two lines to the config you should be able to ping the PC from the rest of the network and the PC should be able to ping everything.
access-list outside_in permit icmp any any
access-group outside_in in interface outside
0
 

Author Comment

by:imherson
ID: 12715896

symantec virus definitions from a parent server:  207.22.0.10
windows updates from a windows updates server 207.22.0.10

I will apply the last 2 lines now
0
 
LVL 36

Accepted Solution

by:
grblades earned 2000 total points
ID: 12716062
Do you know what ports the symantec virus definitions update uses?
I assume the windows update just uses web downloads?
0
 

Author Comment

by:imherson
ID: 12716292
I applied the last 2 lines and entered the commands "write me" and "reload" but I still cannot ping 207.22.0.6 or 207.22.0.7 from anywhere inside or outside.  I can only ping the pix (192.168.0.1) from the PC outside (Ethernet0, 192.168.0.3).

I'm not sure it's relevant but I included the text I see when it boots up:

Cisco PIX Firewall Version 6.3(3)
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10
0
 
LVL 36

Expert Comment

by:grblades
ID: 12716332
On the PC can you bring up a DOS window and type "ipconfig /all" and paste the output here.
0
 

Author Comment

by:imherson
ID: 12717095
Grblades,

I'm obliged to conceal the actual IPs I'm using, but I can say that we are a class B network (not a class C network as I originally indicated) and I have substituted only equivalent class B network IDs and domain names below.  Of course I have been substituting the IP in the config.

      MY PC'S Windows IP Configuration

        Host Name . . . . . . . . . . . . : beachIIIVII
        Primary Dns Suffix  . . . . . . . : beach.ch
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : beach.ch

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : beach.ch
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-0D-56-C3-AF-7A
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 138.187.32.7
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 138.187.1.1
        DNS Servers . . . . . . . . . . . : 138.187.1.2

PC outside on Ethernet0
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : beachXXXIxcVII
        Primary DNS Suffix  . . . . . . . : beach.ch
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Outside:

        Connection-specific DNS Suffix  . : beach.ch
        Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Ad
LA8470B)
        Physical Address. . . . . . . . . : 00-90-27-B6-B8-3C
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

0
 
LVL 36

Expert Comment

by:grblades
ID: 12717182
>       Default Gateway . . . . . . . . . :
>        DNS Servers . . . . . . . . . . . :
The default gateway should be defined as 192.168.0.1.
The DNS server should also be configured with the standard DNS you use.

Add the following line to permit the PC to make DNS queries:-
access-list outside_in permit udp any any eq domain
0
 

Author Comment

by:imherson
ID: 12717685
I added the gateway and the last line, but now it's stuck.  Even after I powered it off and on:
305005: No translation group found for udp src outside:192.168.0.3/1243 dst inside:138.187.1.2/53
305005: No translation group found for udp src outside:192.168.0.3/1243 dst inside:138.187.1.2/53
305005: No translation group found for udp src outside:192.168.0.3/1243 dst inside:138.187.1.2/53
305005: No translation group found for udp src outside:192.168.0.3/1243 dst inside:138.187.1.2/53
305005: No translation group found for udp src outside:192.168.0.3/1243 dst
0
 
LVL 36

Expert Comment

by:grblades
ID: 12718909
Can you do a 'show run' and paste the complete config here so I can check it again.
0
 

Author Comment

by:imherson
ID: 12719035
pix> enable
Password:
pix# show config
: Saved
: Written by enable_15 at 13:35:28.903 UTC Wed Dec 1 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any
access-list outside_in permit udp any any eq domain
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1 255.255.255.0
ip address inside 138.187.32.47 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
Cryptochecksum:1ce40a5fd2547ac5e578f3ab6e9f7491
0
 
LVL 36

Expert Comment

by:grblades
ID: 12719238
Sorry about this. I was trying to be clever by calling the interface the 'PC' was on the outside interface but just ended up confusing myself and causing complications.

Here is another PIX configuration with the interfaces renamed (no need to move cables) that should hopefully work.

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 inside security0
nameif ethernet1 outside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host 138.187.31.97
access-list outside_in permit icmp any any
access-list inside_in permit udp any any eq domain
access-list inside_in permit icmp any any
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address inside 192.168.0.1 255.255.255.0
ip address outside 138.187.32.47 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
0
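To catch the kinds of mistakes this thread ran into before a config is pasted into a PIX, here is an added Python checker (not from the thread and not a Cisco tool) that parses the nameif, ip address, nat, global, static, access-list and access-group lines of a PIX 6.x config and reports: a nat line whose interface is less trusted than its global pool's interface without the 'outside' keyword (the "Keyword outside is probably missing" warning seen above), a static whose real address is off its interface's subnet, a low-security interface with no access-group, an ACL that permits ip any any from the low-security side, and the default SNMP community. The embedded sample is a constructed copy of the final configuration above trimmed to the lines the checker reads.

```python
"""Static checker for a PIX 6.x style configuration (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the thread's final configuration trimmed to the lines the
# checker inspects. Note the naming: "inside" (security0) is the vendor-PC side,
# "outside" (security100) is the corporate LAN.
SAMPLE_CONFIG = """
nameif ethernet0 inside security0
nameif ethernet1 outside security100
access-list outside_in permit ip any host 138.187.31.97
access-list outside_in permit icmp any any
access-list inside_in permit udp any any eq domain
access-list inside_in permit icmp any any
ip address inside 192.168.0.1 255.255.255.0
ip address outside 138.187.32.47 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_in in interface inside
snmp-server community public
"""


def parse_pix(text):
    """Extract interface, translation and filtering lines from a PIX 6.x config."""
    cfg = {"level": {}, "net": {}, "acl": defaultdict(list), "group": {},
           "nat": defaultdict(list), "global": {}, "static": [], "snmp": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", line):
            cfg["level"][m[1]] = int(m[2])
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            cfg["net"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"access-list (\S+) (permit|deny) (\S+) (.*)$", line):
            cfg["acl"][m[1]].append((m[2], m[3], m[4]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            cfg["group"][m[2]] = m[1]
        elif m := re.match(r"nat \((\S+)\) (\d+)(.*)$", line):
            # PIX 6.x: without the 'outside' keyword a nat line is "inside NAT" and
            # only translates traffic leaving toward LOWER security interfaces.
            has_outside_kw = re.search(r"\boutside\b", m[3]) is not None
            cfg["nat"][int(m[2])].append((m[1], has_outside_kw))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            cfg["global"][int(m[2])] = m[1]
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            # static (real_if,mapped_if) mapped_ip real_ip
            cfg["static"].append((m[1], m[2], m[3], m[4]))
        elif m := re.match(r"snmp-server community (\S+)$", line):
            cfg["snmp"].append(m[1])
    return cfg


def audit(cfg):
    """Return findings about translation direction, statics and interface policy."""
    findings = []
    level = cfg["level"]
    top = max(level.values())
    for nat_id, entries in cfg["nat"].items():
        glob_if = cfg["global"].get(nat_id)
        for nat_if, outside_kw in entries:
            if glob_if is None:
                findings.append(f"nat ({nat_if}) {nat_id}: no global pool with id {nat_id}")
            elif level[nat_if] < level[glob_if] and not outside_kw:
                findings.append(
                    f"nat ({nat_if}) {nat_id}: {nat_if} (security{level[nat_if]}) is less "
                    f"trusted than {glob_if} (security{level[glob_if]}); without the "
                    "'outside' keyword this line never matches (the PIX warns 'Keyword "
                    "\"outside\" is probably missing')")
    for real_if, mapped_if, mapped_ip, real_ip in cfg["static"]:
        if ipaddress.ip_address(real_ip) not in cfg["net"][real_if]:
            findings.append(f"static ({real_if},{mapped_if}): real address {real_ip} "
                            f"is not on the {real_if} subnet {cfg['net'][real_if]}")
    for ifname, lvl in sorted(level.items(), key=lambda kv: kv[1]):
        if lvl == top:
            continue  # the most trusted side may initiate anywhere by default
        acl = cfg["group"].get(ifname)
        if acl is None:
            findings.append(f"{ifname} (security{lvl}): no access-group, so hosts on it "
                            "cannot initiate anything toward more trusted interfaces")
            continue
        for action, proto, rest in cfg["acl"][acl]:
            if action == "permit" and proto == "ip" and rest.startswith("any any"):
                findings.append(f"{ifname}: '{acl}' permits ip any any, which removes "
                                "the segmentation the firewall was installed for")
    for community in cfg["snmp"]:
        if community in ("public", "private"):
            findings.append(f"snmp-server community {community}: default community "
                            "string; change it or disable SNMP")
    return findings


def permitted_inbound(cfg, ifname):
    """(protocol, match) tuples a host on `ifname` may initiate through the PIX."""
    acl = cfg["group"].get(ifname)
    return [(proto, rest) for action, proto, rest in cfg["acl"].get(acl, [])
            if action == "permit"]


if __name__ == "__main__":
    parsed = parse_pix(SAMPLE_CONFIG)
    for iface in parsed["level"]:
        print(iface, "may initiate:", permitted_inbound(parsed, iface))
    for finding in audit(parsed):
        print("-", finding)
```

Run on the sample it flags the nat (inside) 1 line, which lacks the 'outside' keyword although inside is the security0 side, and the public SNMP community; the vendor PC's own translation is already provided by the bidirectional static, so the nat line is inert rather than harmful.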
 

Author Comment

by:imherson
ID: 12719296
I haven't tried this yet, but we've been at it for a while so I gave you points for this question and I posted the question again and pasted the show config there as well.   You can pick up there if you like.
0