Solved

Cisco PIX 506 Problem

Posted on 2004-12-01
Last Modified: 2010-04-10
Hi experts, I have a problem with a Cisco PIX 506 firewall.

Here is the infrastructure:

internet <-- cisco pix <--wireless access point <-- clients

I want to NAT all inside IPs for internet access, but when I try to go to a website, the page is not shown!!!

Here is my Cisco PIX configuration:

*********************************************************
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password …
passwd …
hostname myname
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 194.88.154.13 255.255.255.240
ip address inside 192.168.110.51 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.110.53-192.168.110.59 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.110.48 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.110.52-192.168.110.59 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
*********************************************************

thanks in advance

mero
Question by:merowinger
LVL 36

Assisted Solution

by:grblades
grblades earned 800 total points
ID: 12715351
Hi merowinger,

Your 'global' is incorrect. Add the following to fix it :-

no global (outside) 1 192.168.110.53-192.168.110.59 netmask 255.255.255.240
global (outside) 1 interface
LVL 43

Expert Comment

by:JFrederick29
ID: 12715376
Your route outside command looks like it has a typo as well:

route outside 0.0.0.0 0.0.0.0 194.88.154.14 1  (not 164 - 164 is a different subnet)
                                                     ^^
LVL 31

Author Comment

by:merowinger
ID: 12715884
Hi experts,
1. Do I need a proxy on my clients???
2. I have changed some entries... could you check this config, because no site gets opened!?

*********************************************************************
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dEhnSyBlDEn5wb1X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname myname
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 194.88.164.11 255.255.255.240
ip address inside 192.168.110.49 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.110.48 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.110.51-192.168.110.62 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:bc0e38d74b25746147c54401704eb142
: end
[OK]

*****************************************************************
mero

LVL 36

Expert Comment

by:grblades
ID: 12716041
Your config looks OK, but why are you using such a restrictive subnet mask for the internal network? You have loads of private IP addresses to choose from, so you might as well use the standard mask :-

ip address inside 192.168.110.49 255.255.255.0

You don't need to configure a proxy.
LVL 31

Author Comment

by:merowinger
ID: 12716092
Hi,
I want such a subnet mask, but what can be the reason that no website is shown???

mero
LVL 43

Expert Comment

by:JFrederick29
ID: 12716115
Are your inside hosts receiving the proper DNS and default gateway information?

Do an "ipconfig /all" from a PC to verify.

Can you ping your ISP's router?

ping 194.88.164.14
LVL 36

Expert Comment

by:grblades
ID: 12716151
Ping won't work as the replies are not permitted back by the PIX. If you add the following configuration they will be permitted, which will make testing easier.

access-list outside_in permit icmp any any
access-group outside_in in interface outside
LVL 43

Expert Comment

by:JFrederick29
ID: 12716169
Good point :)

Be sure to verify the local IP configuration of the PC as well.
LVL 31

Author Comment

by:merowinger
ID: 12716170
I get these options:

Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.110.62
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 192.168.110.49
DHCP Server . . . . . . . . . . . : 192.168.110.49



...but nothing with DNS (but I think there is no DNS option on the Cisco PIX!!!)

mero
LVL 43

Accepted Solution

by:JFrederick29
JFrederick29 earned 1200 total points
ID: 12716192
Use the following to specify the DNS servers from your ISP:

dhcpd dns x.x.x.x
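The three faults the thread works through (a global pool drawn from the inside 192.168.110.x range, a default route next hop in the wrong /28, and dhcpd running without a DNS option) are all mechanically checkable from the config text. The script below is an added example, not code from the thread or from Cisco; it audits a PIX 6.x configuration with Python's ipaddress module, using a constructed excerpt of the poster's first config as input, and additionally flags the default SNMP community string that both posted configs carry.

```python
import ipaddress
import re

# Constructed sample: the poster's first PIX 6.3 config, cut down to the lines the checks read.
SAMPLE_CONFIG = """\
ip address outside 194.88.154.13 255.255.255.240
ip address inside 192.168.110.51 255.255.255.240
global (outside) 1 192.168.110.53-192.168.110.59 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
snmp-server community public
dhcpd address 192.168.110.52-192.168.110.59 inside
dhcpd enable inside
"""

def iface_networks(config):
    """Map interface name -> ip_interface, from 'ip address <if> <addr> <mask>' lines."""
    nets = {}
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)$", config, re.M):
        nets[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    return nets

def audit_pix(config):
    """Return human-readable findings for the misconfigurations seen in this thread."""
    findings = []
    nets = iface_networks(config)
    # 1. A 'global (outside)' pool has to be reachable on the outside segment; a pool taken
    #    from the inside RFC 1918 range means the ISP can never route replies back to it.
    for m in re.finditer(r"^global \((\S+)\) \d+ (\S+)-(\S+)", config, re.M):
        ifname, first, last = m.groups()
        if ifname in nets and any(ipaddress.ip_address(a) not in nets[ifname].network
                                  for a in (first, last)):
            findings.append(f"global pool {first}-{last} is outside the {ifname} subnet {nets[ifname].network}")
    # 2. The default route's next hop must sit on the outside interface's subnet (the 154/164 typo).
    for m in re.finditer(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        ifname, nexthop = m.groups()
        if ifname in nets and ipaddress.ip_address(nexthop) not in nets[ifname].network:
            findings.append(f"default route next hop {nexthop} is not on the {ifname} subnet {nets[ifname].network}")
    # 3. dhcpd enabled with no 'dhcpd dns' hands out leases without a resolver (the accepted fix).
    if re.search(r"^dhcpd enable", config, re.M) and not re.search(r"^dhcpd dns ", config, re.M):
        findings.append("dhcpd is enabled without 'dhcpd dns': clients get no DNS server")
    # 4. Defensive extra: a default SNMP community string lets anyone on the segment read the config.
    if re.search(r"^snmp-server community (public|private)$", config, re.M):
        findings.append("snmp-server community uses a default string")
    return findings

if __name__ == "__main__":
    for finding in audit_pix(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the poster's second config (global pool on the interface, route corrected to the 164 subnet) the first two checks go quiet, leaving only the DNS and SNMP findings.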
LVL 31

Author Comment

by:merowinger
ID: 12716941
Hi,
It works... I have inserted the DNS server entry from my ISP!!!

How can I split the points and give more than 500???

mero
LVL 36

Expert Comment

by:grblades
ID: 12717040
500 is the maximum number of points in total for a question. At the bottom of the page there is a 'split' link where you can choose who to split the points between and how many you wish to allocate to each answer.
LVL 31

Author Comment

by:merowinger
ID: 12717110
No, sorry, there isn't a split link.

mero
LVL 36

Expert Comment

by:grblades
ID: 12717228
There should be one just below this text.
LVL 1

Expert Comment

by:raywk
ID: 12905240
If you need more than 500 addresses, I suggest you set up an internal DHCP server instead of using the PIX DHCP option.

It will be more flexible to manage than the PIX.

regards,
Ray