cisco 506e pix internet access

Posted on 2004-11-30
Last Modified: 2013-11-16
I have a cisco pix 506e that won't let any internal static ip address clients connect to the internet.  It's basically a factory install of the pix.  I haven't changed much.  Any internal clients that the pix gives a dhcp ip to work fine.  I have 2 servers that are hardcoded IPs though.  Neither can get to the internet.

Any ideas why?

TIA
Question by:jrspano
Expert Comment

by:cnewgaard
ID: 12713186
If you can post your config it would help a lot in figuring out the issue.  Remember to blank out your public IPs for security.
Expert Comment

by:grblades
ID: 12713920
Hi jrspano,
I can't think of a reason why this would happen off hand. Defining static mappings does not normally cause this problem. Post your configuration and we will have a look.
Author Comment

by:jrspano
ID: 12715854

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password JQckc4uPb5Dx0qJ8 encrypted
passwd /tR7kk3uSodFo7Pp encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.253 testsql
access-list outside_in permit tcp any host 66.1.1.1 eq 1433
access-list outside_in permit tcp any host 66.1.1.1 eq 85
access-list outside_in permit tcp any host 66.1.1.1 eq pptp
pager lines 24
logging on
logging timestamp
logging trap notifications
logging host inside testsql
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.252 255.255.255.0
ip audit name attackoutside attack action alarm drop
ip audit name infooutside info action alarm
ip audit interface outside infooutside
ip audit interface outside attackoutside
ip audit info action alarm
ip audit attack action alarm
pdm location testsql 255.255.255.255 inside
pdm location 66.1.1.1 255.255.255.255 outside
pdm location 192.168.2.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.1.1.1 1433 testsql 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.1.1.1 85 192.168.2.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.1.1.1 pptp 192.168.2.1 pptp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.136 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username bparker password rZWdZBoJTshvZyMZ encrypted privilege 15
username jspano password Ey8azSC..ExS0sL8 encrypted privilege 15
terminal width 80
Cryptochecksum:dcaa883f28089d2e6a46a6fe2f55e616
Expert Comment

by:grblades
ID: 12716000
Your NAT configuration looks fine.

There is one strange thing though in that you have DHCP specified for your outside interface but you have a fixed IP address listed for the external IP address in your 'global' commands.
Do you use DHCP to get a single public IP address or do you have a fixed IP?
Author Comment

by:jrspano
ID: 12718352
The outside interface gets an IP from a cable provider via DHCP.  It isn't fixed.
Expert Comment

by:grblades
ID: 12718739
In that case you need to change your 'static' lines and your access-list so you are not referring to 66.1.1.1 as this IP will obviously change. :-

no static (inside,outside) tcp 66.1.1.1 1433 testsql 1433 netmask 255.255.255.255 0 0
no static (inside,outside) tcp 66.1.1.1 85 192.168.2.1 www netmask 255.255.255.255 0 0
no static (inside,outside) tcp 66.1.1.1 pptp 192.168.2.1 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 testsql 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 85 192.168.2.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.2.1 pptp netmask 255.255.255.255 0 0
no access-list outside_in
access-list outside_in permit tcp any any eq 1433
access-list outside_in permit tcp any any eq 85
access-list outside_in permit tcp any any eq pptp
access-group outside_in in interface outside
Author Comment

by:jrspano
ID: 12722487
Well, I guess I didn't explain it all.  While the outside is DHCP, it won't ever change unless the MAC address of the outside-most box (the pix) changes.  I can guarantee that 66.1.1.1 will be it indefinitely.  Will the changes that you posted help fix the internet browsing problems?  It looks like they are just changes to the static links that you helped me with in the other question.

Thanks for taking the time!  I'm a real newbie with the cisco stuff.
Expert Comment

by:grblades
ID: 12723977
I would apply this config anyway just in case the IP does ever change.

To diagnose the fault can you try to access the internet from one of the affected PCs and then immediately after do a 'show log' on the PIX and post the output here.
Author Comment

by:jrspano
ID: 12726128
The show log produces this.  I don't think anything is relevant though.  They look to be all messages from the other day from a port scan I did to test the firewall.  I looked at the kiwi logs and there aren't any messages generated when trying to get to the internet from the hardcoded PCs.

pixfirewall# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level notifications, 110572 messages logged
        Logging to inside testsql
    History logging: disabled
    Device ID: disabled
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
313001: Denied ICMP type=8, code=0 from 207.33.111.35 on interface 0
313001: Denied ICMP type=8, code=0 from 207.33.111.35 on interface 0
313001: Denied ICMP type=8, code=0 from 207.33.111.35 on interface 0
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 66.191.50.143, src_addr= 207.33.111.35, prot= tcp
pixfirewall#
Expert Comment

by:grblades
ID: 12726454
I can see it denying ping back in which is correct as you have not permitted it. Did you try just pinging or actually accessing a website?

On the client can you open a DOS window and type 'ipconfig /all'.
Author Comment

by:jrspano
ID: 12726575
For the ipconfig here is the output.


Windows IP Configuration

   Host Name . . . . . . . . . . . . : testsql
   Primary Dns Suffix  . . . . . . . : HOMENETWORK.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : HOMENETWORK.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
   Physical Address. . . . . . . . . : 00-D0-68-00-9B-12
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.253
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.252
   DNS Servers . . . . . . . . . . . : 192.168.2.1
                                       192.168.2.252


252 is the firewall.  1 is my AD controller.


The pings are someone else trying to ping in to me.  I didn't do those.  I can ping internally fine, both the firewall or other machines.  Both the problem machines can ping the firewall also.  I tried opening IE and going to google.com, msn.com etc.  It seems like it wants to, then fails and shows a "Can't open search page" or just a page not found.
Expert Comment

by:grblades
ID: 12726641
Just noticed 'Buffer logging: disabled'.
Can you enable it and do the 'show log' again.
The configuration commands to enable it are:-

logging on
logging console critical
logging monitor errors
logging buffered debugging

After applying this config can you try connecting to the Internet again and do another 'show log'.
Author Comment

by:jrspano
ID: 12726845
Here is the show log now

pixfirewall(config)# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: level critical, 0 messages logged
    Monitor logging: level errors, 0 messages logged
    Buffer logging: level debugging, 1192 messages logged
    Trap logging: level notifications, 110913 messages logged
        Logging to inside testsql
    History logging: disabled
    Device ID: disabled
bytes 258 TCP FINs
305012: Teardown dynamic UDP translation from inside:192.168.2.2/3462 to outside:66.191.50.143/18387 duration 0:00:32
305012: Teardown dynamic UDP translation from inside:192.168.2.2/8533 to outside:66.191.50.143/18388 duration 0:00:32
302013: Built inbound TCP connection 28252 for outside:62.167.107.108/46673 (62.167.107.108/46673) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28251 for outside:62.167.107.108/46629 to inside:192.168.2.253/1433 duration 0:00:01 bytes 256 TCP FINs
302014: Teardown TCP connection 28252 for outside:62.167.107.108/46673 to inside:192.168.2.253/1433 duration 0:00:01 bytes 252 TCP FINs
302013: Built inbound TCP connection 28253 for outside:62.167.107.108/46700 (62.167.107.108/46700) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302013: Built inbound TCP connection 28254 for outside:62.167.107.108/46744 (62.167.107.108/46744) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28253 for outside:62.167.107.108/46700 to inside:192.168.2.253/1433 duration 0:00:01 bytes 256 TCP FINs
302013: Built inbound TCP connection 28255 for outside:62.167.107.108/46768 (62.167.107.108/46768) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28254 for outside:62.167.107.108/46744 to inside:192.168.2.253/1433 duration 0:00:01 bytes 254 TCP FINs
302014: Teardown TCP connection 28255 for outside:62.167.107.108/46768 to inside:192.168.2.253/1433 duration 0:00:01 bytes 254 TCP FINs
302013: Built inbound TCP connection 28256 for outside:62.167.107.108/46811 (62.167.107.108/46811) to inside:192.168.2.253/1433 (66.191.50.143/1433)
3ide:62.167.107.108/47875 to inside:192.168.2.253/1433 duration 0:00:01 bytes 252 TCP FINs
302013: Built inbound TCP connection 28283 for outside:62.167.107.108/47918 (62.167.107.108/47918) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302013: Built inbound TCP connection 28284 for outside:62.167.107.108/47961 (62.167.107.108/47961) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28283 for outside:62.167.107.108/47918 to inside:192.168.2.253/1433 duration 0:00:01 bytes 256 TCP FINs
302014: Teardown TCP connection 28284 for outside:62.167.107.108/47961 to inside:192.168.2.253/1433 duration 0:00:01 bytes 254 TCP FINs
710005: UDP request discarded from 192.168.2.253/1480 to inside:192.168.2.252/domain
302013: Built inbound TCP connection 28285 for outside:62.167.107.108/48026 (62.167.107.108/48026) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28285 for outside:62.167.107.108/48026 to inside:192.168.2.253/1433 duration 0:00:01 bytes 254 TCP FINs
302013: Built inbound TCP connection 28286 for outside:62.167.107.108/48053 (62.167.107.108/48053) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28286 for outside:62.167.107.108/48053 to inside:192.168.2.253/1433 duration 0:00:01 bytes 254 TCP FINs
302013: Built inbound TCP connection 28287 for outside:62.167.107.108/48096 (62.167.107.108/48096) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28287 for outside:62.167.107.108/48096 to inside:192.168.2.253/1433 duration 0:00:01 bytes 264 TCP FINs
302013: Built inbound TCP connection 28288 for outside:62.167.107.108/48161 (62.167.107.108/48161) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302013: Built inbound TCP connection 28289 for outside:62.167.107.108/48188 (62.167.107.108/48188) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28288 for outside:62.167.107.108/48161 to inside:192.168.2.253/1433 duration 0:00:01 bytes 256 TCP FINs
302014: Teardown TCP connection 28289 for outside:62.167.107.108/48188 to inside:192.168.2.253/1433 duration 0:00:01 bytes 256 TCP FINs
302013: Built inbound TCP connection 28290 for outside:62.167.107.108/48231 (62.167.107.108/48231) to inside:192.168.2.253/1433 (66.191.50.143/1433)
3302014: Teardown TCP connection 28304 for outside:62.167.107.108/48782 to insid
Expert Comment

by:grblades
ID: 12728847
I can't tell anything from those logs as all the traffic is inbound to port 1433.
On your client PC you do appear to have the PIX listed in your DNS servers. I don't think this error will affect things though unless the other DNS server listed is not working?
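An added example, not code from the thread or from Cisco: a small Python parser for the PIX 6.3 'show log' lines posted above. It pulls out the one line that does point at the cause, the 710005 "UDP request discarded ... to inside:192.168.2.252/domain" entry (the .253 server is asking the PIX for DNS, and the PIX does not serve DNS), and it counts the 302013 inbound connections that the outside_in ACL and the 1433 static admit to the SQL server. The sample lines are constructed from the output in this thread; the min_hits threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample, modelled on the PIX 6.3 'show log' lines posted in this thread
# (message IDs 302013, 302014, 710005, 305012); addresses are the ones the thread shows.
SAMPLE_LOG = """\
302013: Built inbound TCP connection 28252 for outside:62.167.107.108/46673 (62.167.107.108/46673) to inside:192.168.2.253/1433 (66.191.50.143/1433)
302014: Teardown TCP connection 28252 for outside:62.167.107.108/46673 to inside:192.168.2.253/1433 duration 0:00:01 bytes 252 TCP FINs
710005: UDP request discarded from 192.168.2.253/1480 to inside:192.168.2.252/domain
302013: Built inbound TCP connection 28253 for outside:62.167.107.108/46700 (62.167.107.108/46700) to inside:192.168.2.253/1433 (66.191.50.143/1433)
305012: Teardown dynamic UDP translation from inside:192.168.2.2/3462 to outside:66.191.50.143/18387 duration 0:00:32
"""

# 302013: a connection arriving on the outside interface was allowed by ACL and static
INBOUND_RE = re.compile(
    r"^302013: Built inbound TCP connection \d+ for outside:([\d.]+)/\d+ "
    r"\(\S+\) to inside:([\d.]+)/(\d+)")
# 710005: the PIX dropped a UDP request that was addressed to one of its own interfaces
DISCARD_RE = re.compile(
    r"^710005: UDP request discarded from ([\d.]+)/\d+ to inside:([\d.]+)/(\S+)")

def analyse(log_text):
    """Return (inbound, discarded): inbound counts (src, dst, port) for permitted
    connections from outside; discarded lists (src, dst, service) dropped by the PIX."""
    inbound, discarded = Counter(), []
    for line in log_text.splitlines():
        m = INBOUND_RE.match(line)
        if m:
            src, dst, port = m.groups()
            inbound[(src, dst, int(port))] += 1
            continue
        m = DISCARD_RE.match(line)
        if m:
            discarded.append(m.groups())
    return inbound, discarded

def findings(log_text, min_hits=2):
    """Turn the parsed lines into the two things worth flagging from this log."""
    inbound, discarded = analyse(log_text)
    out = []
    for src, dst, svc in discarded:
        if svc == "domain":  # DNS sent to the firewall itself, which does not answer it
            out.append(f"{src} sends DNS queries to the firewall ({dst}); "
                       "it has no working resolver")
    for (src, dst, port), n in inbound.items():
        if port == 1433 and n >= min_hits:
            out.append(f"{n} inbound connections from {src} to {dst}:1433; "
                       "the ACL exposes SQL Server to any source")
    return out
```

Feed it the full buffer (`findings(open("showlog.txt").read())`) and the DNS finding appears once per discarded query while the 1433 line shows how many permitted connections one outside host made.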
Accepted Solution

by:grblades (earned 1600 total points)
ID: 12728892
If you bring up a command prompt on the .253 server and type 'telnet www.google.com 80' what happens?
Does it fail immediately, complain about not being able to resolve the name, or sit there for 30 seconds or so and then come back with an error saying it is not responding?
Author Comment

by:jrspano
ID: 12728972
It was the DNS stuff.  I'm used to having a router as the front-most item in the network.  It would do all DNS resolution.  I checked one of the machines that worked and they have an external DNS server for theirs.  I used it and it fixed it.

Thanks for all the help!