merowinger (asker):
Cisco PIX 506 Problem

Hi experts, I have a problem with a Cisco PIX 506 firewall.

Here is the infrastructure:

internet <-- cisco pix <-- wireless access point <-- clients

I want to NAT all inside IPs for Internet access, but when I try to open a website, the page is not shown!

Here is my Cisco PIX configuration:

*********************************************************
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password …
passwd …
hostname myname
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 194.88.154.13 255.255.255.240
ip address inside 192.168.110.51 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.110.53-192.168.110.59 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.110.48 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.110.52-192.168.110.59 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
*********************************************************

Thanks in advance

mero
SOLUTION (grblades):
Your route outside command looks like it has a typo as well:

route outside 0.0.0.0 0.0.0.0 194.88.154.14 1  (not 164 - 164 is a different subnet)
                                                     ^^
merowinger (ASKER):

Hi experts,
1. Do I need a proxy at my clients?
2. I have changed some entries... could you check this config, because no site gets opened?

*********************************************************************
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dEhnSyBlDEn5wb1X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname myname
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 194.88.164.11 255.255.255.240
ip address inside 192.168.110.49 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.110.48 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.110.51-192.168.110.62 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:bc0e38d74b25746147c54401704eb142
: end
[OK]

*****************************************************************
mero

Your config looks OK, but why are you using such a restrictive subnet mask for the internal network? You have loads of private IP addresses to choose from, so you might as well use the standard mask:

ip address inside 192.168.110.49 255.255.255.0

You don't need to configure a proxy.
Hi,
I want such a subnet mask, but what can be the reason that no website is shown?

mero
Are your inside hosts receiving the proper DNS and default gateway information?

Do an "ipconfig /all" from a PC to verify.

Can you ping your ISP's router?

ping 194.88.164.14
Ping won't work, as the replies are not permitted back by the PIX. If you add the following configuration they will be permitted, which will make testing easier.

access-list outside_in permit icmp any any
access-group outside_in in interface outside
Good point :)

Be sure to verify the local IP configuration of the PC as well.
I get these options:

Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.110.62
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 192.168.110.49
DHCP Server . . . . . . . . . . . : 192.168.110.49

...but nothing with DNS (but I think there is no DNS option on the Cisco PIX!)

mero
ASKER CERTIFIED SOLUTION

Hi,
it works... I have inserted the DNS server entry from my ISP!

How can I split the points and give more than 500?

mero
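The three things this thread turned on (the 154/164 next-hop typo, a private-address global pool on the outside interface, and DHCP clients getting no DNS server) can all be caught by reading the config before it is loaded. The following linter is an added example, not code from the thread or from Cisco; it assumes the accepted answer used the PIX 6.3 `dhcpd dns` command (the answer itself is hidden), and the `192.0.2.53` resolver in the corrected excerpt is a placeholder for the ISP's real DNS server.

```python
import ipaddress
import re

# Constructed excerpts of the two configs posted in the thread, reduced to the
# lines the checks need. FIXED_CONFIG adds a placeholder 'dhcpd dns' resolver.
FIRST_CONFIG = """\
ip address outside 194.88.154.13 255.255.255.240
ip address inside 192.168.110.51 255.255.255.240
global (outside) 1 192.168.110.53-192.168.110.59 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
dhcpd address 192.168.110.52-192.168.110.59 inside
dhcpd enable inside
"""
FIXED_CONFIG = """\
ip address outside 194.88.164.11 255.255.255.240
ip address inside 192.168.110.49 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
dhcpd address 192.168.110.51-192.168.110.62 inside
dhcpd dns 192.0.2.53
dhcpd enable inside
"""

def lint_pix(config: str) -> list[str]:
    """Flag the three mistakes this thread turned on; one string per finding."""
    findings = []
    ifaces = {}  # nameif -> ip_interface, from 'ip address <nameif> <ip> <mask>'
    for m in re.finditer(r"^ip address (\S+) ([\d.]+) ([\d.]+)", config, re.M):
        ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    # 1. The default route's next hop must lie in the outside interface's subnet,
    #    otherwise the PIX cannot ARP for it (the 154 vs 164 typo).
    for m in re.finditer(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ([\d.]+)", config, re.M):
        iface, hop = m.group(1), ipaddress.ip_address(m.group(2))
        if iface in ifaces and hop not in ifaces[iface].network:
            findings.append(f"route {iface}: next hop {hop} is not in {ifaces[iface].network}")
    # 2. A global pool on the outside interface must be public space; RFC 1918
    #    addresses are never routed back from the Internet, so replies are lost.
    for m in re.finditer(r"^global \((\S+)\) \d+ ([\d.]+)-([\d.]+)", config, re.M):
        iface, lo, hi = m.group(1), m.group(2), m.group(3)
        if ipaddress.ip_address(lo).is_private:
            findings.append(f"global ({iface}): pool {lo}-{hi} is private (RFC 1918)")
    # 3. With the PIX as DHCP server, clients only get a resolver from 'dhcpd dns'
    #    ('dhcpd auto_config' needs a DHCP-learned outside address, not a static one).
    if re.search(r"^dhcpd enable", config, re.M) and not re.search(r"^dhcpd dns ", config, re.M):
        findings.append("dhcpd: no 'dhcpd dns' line; inside clients receive no DNS server")
    return findings
```

Running `lint_pix(FIRST_CONFIG)` reports all three findings; `lint_pix(FIXED_CONFIG)` reports none.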
500 is the maximum number of points in total for a question. At the bottom of the page there is a 'split' link where you can choose who to split the points between and how many you wish to allocate to each answer.
No, sorry, there isn't a split link.

mero
There should be one just below this text.
raywk:

If you need more than 500 addresses, I suggest you set up an internal DHCP server instead of using the PIX DHCP option.

It will be more flexible to manage than the PIX.

regards,
Ray