Cisco 506e PIX internet access

I have a Cisco PIX 506e that won't let any internal static IP address clients connect to the internet.  It's basically a factory install of the PIX.  I haven't changed much.  Any internal clients that the PIX gives a DHCP IP to work fine.  I have 2 servers that are hardcoded IPs though.  Neither can get to the internet.

Any ideas why?

TIA
jrspanoAsked:


cnewgaardCommented:
If you can post your config it would help a lot in figuring out the issue.  Remember to blank out your public IPs for security.

grbladesCommented:
Hi jrspano,
I can't think of a reason why this would happen offhand. Defining static mappings does not normally cause this problem. Post your configuration and we will have a look.

jrspanoAuthor Commented:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password JQckc4uPb5Dx0qJ8 encrypted
passwd /tR7kk3uSodFo7Pp encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.253 testsql
access-list outside_in permit tcp any host 66.1.1.1 eq 1433
access-list outside_in permit tcp any host 66.1.1.1 eq 85
access-list outside_in permit tcp any host 66.1.1.1 eq pptp
pager lines 24
logging on
logging timestamp
logging trap notifications
logging host inside testsql
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.252 255.255.255.0
ip audit name attackoutside attack action alarm drop
ip audit name infooutside info action alarm
ip audit interface outside infooutside
ip audit interface outside attackoutside
ip audit info action alarm
ip audit attack action alarm
pdm location testsql 255.255.255.255 inside
pdm location 66.1.1.1 255.255.255.255 outside
pdm location 192.168.2.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.1.1.1 1433 testsql 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.1.1.1 85 192.168.2.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.1.1.1 pptp 192.168.2.1 pptp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.136 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username bparker password rZWdZBoJTshvZyMZ encrypted privilege 15
username jspano password Ey8azSC..ExS0sL8 encrypted privilege 15
terminal width 80
Cryptochecksum:dcaa883f28089d2e6a46a6fe2f55e616
grbladesCommented:
Your NAT configuration looks fine.

There is one strange thing though, in that you have DHCP specified for your outside interface but you have a fixed IP address listed for the external IP address in your 'global' commands.
Do you use DHCP to get a single public IP address or do you have a fixed IP?

jrspanoAuthor Commented:
The outside interface gets an IP from a cable provider via DHCP.  It isn't fixed.

grbladesCommented:
In that case you need to change your 'static' lines and your access-list so you are not referring to 66.1.1.1, as this IP will obviously change:

no static (inside,outside) tcp 66.1.1.1 1433 testsql 1433 netmask 255.255.255.255 0 0
no static (inside,outside) tcp 66.1.1.1 85 192.168.2.1 www netmask 255.255.255.255 0 0
no static (inside,outside) tcp 66.1.1.1 pptp 192.168.2.1 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 testsql 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 85 192.168.2.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.2.1 pptp netmask 255.255.255.255 0 0
no access-list outside_in
access-list outside_in permit tcp any any eq 1433
access-list outside_in permit tcp any any eq 85
access-list outside_in permit tcp any any eq pptp
access-group outside_in in interface outside
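As an added illustration (written for this page, not part of the thread and not a Cisco tool), the check below applies the advice in the post above mechanically: it reads a PIX 6.x configuration and, when the outside interface takes its address from DHCP, flags every 'static' and access-list entry that names a literal outside address and emits the 'interface' / 'any' form that tracks whatever address the lease currently gives. The sample configuration is an excerpt of the one posted earlier in this thread (public address already redacted to 66.1.1.1); the regular expressions only cover the port-forwarding 'static' and 'access-list ... host ... eq' shapes that appear on this page.

```python
"""Lint a PIX 6.x configuration for static NAT / ACL entries that hard-code the
outside address while the outside interface itself is on DHCP.

Added example for this page; not part of the original thread or of Cisco's tooling.
"""
import re
from typing import List, Tuple

# Constructed excerpt of the configuration posted in the thread above.
SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address inside 192.168.2.252 255.255.255.0
name 192.168.2.253 testsql
access-list outside_in permit tcp any host 66.1.1.1 eq 1433
access-list outside_in permit tcp any host 66.1.1.1 eq 85
access-list outside_in permit tcp any host 66.1.1.1 eq pptp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.1.1.1 1433 testsql 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.1.1.1 85 192.168.2.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.1.1.1 pptp 192.168.2.1 pptp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

# Port-forwarding static: static (real,mapped) proto <global> <gport> <local> <lport> <rest>
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<gaddr>\S+) (?P<gport>\S+) (?P<laddr>\S+) (?P<lport>\S+) (?P<rest>.*)$")
# Inbound ACL entry that pins the destination to one literal host address.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>\S+) (?P<src>any|host \S+) "
    r"host (?P<dst>\S+) eq (?P<port>\S+)$")


def outside_is_dhcp(config: str) -> bool:
    """True when the outside interface takes its address from DHCP."""
    return any(re.match(r"^ip address outside dhcp\b", line.strip())
               for line in config.splitlines())


def lint(config: str) -> List[Tuple[str, str]]:
    """Return (offending line, suggested replacement) pairs, in config order.

    Only meaningful when the outside address is dynamic: a 'static' or ACL that
    names a literal address silently stops matching once the lease changes,
    whereas 'interface' and 'any' follow whatever address is current.
    """
    findings: List[Tuple[str, str]] = []
    if not outside_is_dhcp(config):
        return findings
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m and m["mapped"] == "outside" and m["gaddr"] != "interface":
            fixed = (f"static ({m['real']},{m['mapped']}) {m['proto']} interface "
                     f"{m['gport']} {m['laddr']} {m['lport']} {m['rest']}")
            findings.append((line, fixed))
            continue
        m = ACL_RE.match(line)
        if m:
            fixed = (f"access-list {m['name']} permit {m['proto']} "
                     f"{m['src']} any eq {m['port']}")
            findings.append((line, fixed))
    return findings


def rewrite_script(config: str) -> List[str]:
    """Turn the findings into a 'no <old>' ... '<new>' command sequence."""
    findings = lint(config)
    return ["no " + old for old, _new in findings] + [new for _old, new in findings]


if __name__ == "__main__":
    for cmd in rewrite_script(SAMPLE_CONFIG):
        print(cmd)
```

On the device itself the post above removes the whole list with 'no access-list outside_in' and re-applies 'access-group' afterwards; the per-line 'no' form printed here is equivalent for a list this small but leaves the 'access-group' binding in place.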
jrspanoAuthor Commented:
Well, I guess I didn't explain it all.  While the outside is DHCP, it won't ever change unless the MAC address of the outermost box (the PIX) changes.  I can guarantee that 66.1.1.1 will be it indefinitely.  Will the changes that you posted help fix the internet browsing problems?  It looks like they are just changes to the static links that you helped me with in the other question.

Thanks for taking the time!  I'm a real newbie with the Cisco stuff.

grbladesCommented:
I would apply this config anyway just in case the IP does ever change.

To diagnose the fault, can you try to access the internet from one of the affected PCs and then immediately after do a 'show log' on the PIX and post the output here.

jrspanoAuthor Commented:
The show log produces this.  I don't think anything is relevant though.  They look to be all messages from the other day from a port scan I did to test the firewall.  I looked at the Kiwi logs and there aren't any messages generated when trying to get to the internet from the hardcoded PCs.

pixfirewall# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level notifications, 110572 messages logged
        Logging to inside testsql
    History logging: disabled
    Device ID: disabled
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
313001: Denied ICMP type=8, code=0 from 207.33.111.35 on interface 0
313001: Denied ICMP type=8, code=0 from 207.33.111.35 on interface 0
313001: Denied ICMP type=8, code=0 from 207.33.111.35 on interface 0
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
pixfirewall#
grbladesCommented:
I can see it denying ping back in, which is correct as you have not permitted it. Did you try just pinging or actually accessing a website?

On the client can you open a DOS window and type 'ipconfig /all'.

jrspanoAuthor Commented:
For the ipconfig, here is the output.


Windows IP Configuration

   Host Name . . . . . . . . . . . . : testsql
   Primary Dns Suffix  . . . . . . . : HOMENETWORK.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : HOMENETWORK.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
   Physical Address. . . . . . . . . : 00-D0-68-00-9B-12
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.253
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.252
   DNS Servers . . . . . . . . . . . : 192.168.2.1
                                       192.168.2.252


252 is the firewall.  1 is my AD controller.


The pings are someone else trying to ping in to me.  I didn't do those.  I can ping internally fine, both the firewall and other machines.  Both the problem machines can ping the firewall also.  I tried opening IE and going to google.com, msn.com etc.  It seems like it wants to, then fails and shows a 'Can't open search page' or just a page not found.

grbladesCommented:
Just noticed 'Buffer logging: disabled'.
Can you enable it and do the 'show log' again.
The configuration commands to enable it are:

logging on
logging console critical
logging monitor errors
logging buffered debugging

After applying this config can you try connecting to the Internet again and do another 'show log'.
jrspanoAuthor Commented:
Here is the show log now:

pixfirewall(config)# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: level critical, 0 messages logged
    Monitor logging: level errors, 0 messages logged
    Buffer logging: level debugging, 1192 messages logged
    Trap logging: level notifications, 110913 messages logged
        Logging to inside testsql
    History logging: disabled
    Device ID: disabled
bytes 258 TCP FINs
305012: Teardown dynamic UDP translation from inside:192.168.2.2/3462 to outside:66.191.50.143/18387 duration 0:00:32
305012: Teardown dynamic UDP translation from inside:192.168.2.2/8533 to outside:66.191.50.143/18388 duration 0:00:32
302013: Built inbound TCP connection 28252 for outside:62.167.107.108/46673 (62.167.107.108/46673) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28251 for outside:62.167.107.108/46629 to inside:192.168.2.253/1433 duration 0:00:01 bytes 256 TCP FINs
302014: Teardown TCP connection 28252 for outside:62.167.107.108/46673 to inside:192.168.2.253/1433 duration 0:00:01 bytes 252 TCP FINs
302013: Built inbound TCP connection 28253 for outside:62.167.107.108/46700 (62.167.107.108/46700) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302013: Built inbound TCP connection 28254 for outside:62.167.107.108/46744 (62.167.107.108/46744) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28253 for outside:62.167.107.108/46700 to inside:192.168.2.253/1433 duration 0:00:01 bytes 256 TCP FINs
302013: Built inbound TCP connection 28255 for outside:62.167.107.108/46768 (62.167.107.108/46768) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28254 for outside:62.167.107.108/46744 to inside:192.168.2.253/1433 duration 0:00:01 bytes 254 TCP FINs
302014: Teardown TCP connection 28255 for outside:62.167.107.108/46768 to inside:192.168.2.253/1433 duration 0:00:01 bytes 254 TCP FINs
302013: Built inbound TCP connection 28256 for outside:62.167.107.108/46811 (62.167.107.108/46811) to inside:192.168.2.253/1433 (66.191.50.143/1433)
3ide:62.167.107.108/47875 to inside:192.168.2.253/1433 duration 0:00:01 bytes 252 TCP FINs
302013: Built inbound TCP connection 28283 for outside:62.167.107.108/47918 (62.167.107.108/47918) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302013: Built inbound TCP connection 28284 for outside:62.167.107.108/47961 (62.167.107.108/47961) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28283 for outside:62.167.107.108/47918 to inside:192.168.2.253/1433 duration 0:00:01 bytes 256 TCP FINs
302014: Teardown TCP connection 28284 for outside:62.167.107.108/47961 to inside:192.168.2.253/1433 duration 0:00:01 bytes 254 TCP FINs
710005: UDP request discarded from 192.168.2.253/1480 to inside:192.168.2.252/domain
302013: Built inbound TCP connection 28285 for outside:62.167.107.108/48026 (62.167.107.108/48026) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28285 for outside:62.167.107.108/48026 to inside:192.168.2.253/1433 duration 0:00:01 bytes 254 TCP FINs
302013: Built inbound TCP connection 28286 for outside:62.167.107.108/48053 (62.167.107.108/48053) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28286 for outside:62.167.107.108/48053 to inside:192.168.2.253/1433 duration 0:00:01 bytes 254 TCP FINs
302013: Built inbound TCP connection 28287 for outside:62.167.107.108/48096 (62.167.107.108/48096) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28287 for outside:62.167.107.108/48096 to inside:192.168.2.253/1433 duration 0:00:01 bytes 264 TCP FINs
302013: Built inbound TCP connection 28288 for outside:62.167.107.108/48161 (62.167.107.108/48161) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302013: Built inbound TCP connection 28289 for outside:62.167.107.108/48188 (62.167.107.108/48188) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28288 for outside:62.167.107.108/48161 to inside:192.168.2.253/1433 duration 0:00:01 bytes 256 TCP FINs
302014: Teardown TCP connection 28289 for outside:62.167.107.108/48188 to inside:192.168.2.253/1433 duration 0:00:01 bytes 256 TCP FINs
302013: Built inbound TCP connection 28290 for outside:62.167.107.108/48231 (62.167.107.108/48231) to inside:192.168.2.253/1433 (66.191.50.143/1433)
3302014: Teardown TCP connection 28304 for outside:62.167.107.108/48782 to insid
grbladesCommented:
I can't tell anything from those logs as all the traffic is inbound to port 1433.
On your client PC you do appear to have the PIX listed in your DNS servers. I don't think this error will affect things though, unless the other DNS server listed is not working?

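As an added illustration (written for this page, not part of the thread and not a Cisco tool), the triage script below pulls out of the posted 'show log' output what the comment above reads off it by eye: every built connection is inbound to port 1433, no outbound connection from the .253 server was ever built, the only inside host with dynamic translations is a DHCP client (192.168.2.2), and one 710005 line records the .253 server sending a UDP request for 'domain' to the PIX's own inside address, which the PIX discarded because a PIX 6.x does not serve DNS. That last line matches the ipconfig output, which lists 192.168.2.252 (the PIX) as a DNS server. The sample lines are copied from the log above and re-joined where the terminal wrapped them; the message IDs handled (302013, 302014, 305011/305012, 710005) are the ones that appear on this page.

```python
"""Triage PIX 6.x syslog output: count built connections by direction and port,
list which inside hosts got dynamic translations, and surface 710005 events
where an inside host asked the firewall itself for a service it does not offer.

Added example for this page; not part of the original thread or of Cisco's tooling.
"""
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed sample: lines taken from the 'show log' output posted above.
SAMPLE_LOG = """\
305012: Teardown dynamic UDP translation from inside:192.168.2.2/3462 to outside:66.191.50.143/18387 duration 0:00:32
302013: Built inbound TCP connection 28252 for outside:62.167.107.108/46673 (62.167.107.108/46673) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28252 for outside:62.167.107.108/46673 to inside:192.168.2.253/1433 duration 0:00:01 bytes 252 TCP FINs
710005: UDP request discarded from 192.168.2.253/1480 to inside:192.168.2.252/domain
302013: Built inbound TCP connection 28253 for outside:62.167.107.108/46700 (62.167.107.108/46700) to inside:192.168.2.253/1433 (66.191.50.143/1433)
313001: Denied ICMP type=8, code=0 from 207.33.111.35 on interface 0
"""

MSG_RE = re.compile(r"^(?P<id>\d{6}): (?P<text>.*)$")
BUILT_RE = re.compile(
    r"^Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/\d+ \S+ to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\w+)")
XLATE_RE = re.compile(
    r"^(Built|Teardown) dynamic (?P<proto>TCP|UDP|ICMP) translation from "
    r"(?P<if>\w+):(?P<host>[\d.]+)/\d+")
DISCARD_RE = re.compile(
    r"^(?P<proto>TCP|UDP) request discarded from (?P<src>[\d.]+)/\d+ "
    r"to (?P<if>\w+):(?P<dst>[\d.]+)/(?P<svc>\w+)$")


def parse(log: str) -> List[Dict[str, str]]:
    """Split syslog text into {'id', 'text'} records; header and wrapped fragments are skipped."""
    recs = []
    for line in log.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            recs.append({"id": m["id"], "text": m["text"]})
    return recs


def connection_summary(recs: List[Dict[str, str]]) -> Counter:
    """Count 302013 'Built ... connection' events by (direction, destination port).
    Inbound hits on a published service say nothing about whether clients can get out."""
    counts: Counter = Counter()
    for r in recs:
        if r["id"] == "302013":
            m = BUILT_RE.match(r["text"])
            if m:
                counts[(m["dir"], m["dport"])] += 1
    return counts


def has_outbound(recs: List[Dict[str, str]]) -> bool:
    """True if any outbound connection was built at all."""
    return any(direction == "outbound" for (direction, _port) in connection_summary(recs))


def translated_hosts(recs: List[Dict[str, str]]) -> Set[str]:
    """Inside hosts that obtained a dynamic NAT translation (305011 built / 305012 teardown).
    A host that never appears here never got as far as NAT."""
    hosts: Set[str] = set()
    for r in recs:
        if r["id"] in ("305011", "305012"):
            m = XLATE_RE.match(r["text"])
            if m:
                hosts.add(m["host"])
    return hosts


def discarded_to_firewall(recs: List[Dict[str, str]], firewall_ip: str) -> List[Dict[str, str]]:
    """710005 events where an inside host sent a request to a service on the PIX itself.
    'domain' here means the host has the firewall configured as a DNS server, which a
    PIX 6.x will not answer, so name resolution against that entry fails."""
    hits = []
    for r in recs:
        if r["id"] != "710005":
            continue
        m = DISCARD_RE.match(r["text"])
        if m and m["dst"] == firewall_ip:
            hits.append({"client": m["src"], "service": m["svc"], "proto": m["proto"]})
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("built connections:", dict(connection_summary(recs)))
    print("any outbound built:", has_outbound(recs))
    print("hosts with dynamic translations:", sorted(translated_hosts(recs)))
    for h in discarded_to_firewall(recs, "192.168.2.252"):  # inside address of the PIX
        print(f"client {h['client']} asked the firewall for '{h['service']}' over {h['proto']} and was refused")
```

Run against the full buffer the same way; the interesting output is not the inbound 1433 traffic but the absence of any outbound build from 192.168.2.253 combined with the 710005 'domain' hit, which is the fault the thread eventually settles on.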
grbladesCommented:
If you bring up a command prompt on the .253 server and type 'telnet www.google.com 80', what happens?
Does it fail immediately, complain about not being able to resolve the name, or sit there for 30 seconds or so and then come back with an error saying it is not responding?

jrspanoAuthor Commented:
It was the DNS stuff.  I'm used to having a router as the front-most item in the network.  It would do all DNS resolution.  I checked one of the machines that worked and they have an external DNS server for theirs.  I used it and it fixed it.

Thanks for all the help!