Cisco PIX 506 Problem

Hi experts, I have a problem with a Cisco PIX 506 firewall.

Here is the infrastructure:

internet <-- cisco pix <--wireless access point <-- clients

I want to NAT all inside IPs for the Internet, but when I try to reach a website, the page is not shown!!!

Here is my Cisco PIX configuration:

*********************************************************
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password …
passwd …
hostname myname
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 194.88.154.13 255.255.255.240
ip address inside 192.168.110.51 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.110.53-192.168.110.59 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.110.48 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.110.52-192.168.110.59 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
*********************************************************

thanks in advance

mero
merowingerAsked:
grbladesCommented:
Hi merowinger,

Your 'global' is incorrect. Add the following to fix it :-

no global (outside) 1 192.168.110.53-192.168.110.59 netmask 255.255.255.240
global (outside) 1 interface
0
JFrederick29Commented:
Your route outside command looks like it has a typo as well:

route outside 0.0.0.0 0.0.0.0 194.88.154.14 1  (not 164 - 164 is a different subnet)
                                                     ^^
0
merowingerAuthor Commented:
Hi experts,
1. Do I need a proxy on my clients???
2. I have changed some entries... could you check this config, because no site gets opened!?

*********************************************************************
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dEhnSyBlDEn5wb1X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname myname
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 194.88.164.11 255.255.255.240
ip address inside 192.168.110.49 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.110.48 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.110.51-192.168.110.62 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:bc0e38d74b25746147c54401704eb142
: end
[OK]

*****************************************************************
mero

0
grbladesCommented:
Your config looks ok, but why are you using such a restrictive subnet mask for the internal network? You have loads of private IP addresses to choose from, so you might as well use the standard mask :-

ip address inside 192.168.110.49 255.255.255.0

You don't need to configure a proxy.
0
merowingerAuthor Commented:
Hi,
I want such a subnet mask, but what can be the reason that no website is shown???

mero
0
JFrederick29Commented:
Are your inside hosts receiving the proper DNS and default gateway information?

Do an "ipconfig /all" from a PC to verify.

Can you ping your ISP's router?

ping 194.88.164.14
0
grbladesCommented:
Ping won't work as the replies are not permitted back by the PIX. If you add the following configuration they will be permitted, which will make testing easier.

access-list outside_in permit icmp any any
access-group outside_in in interface outside
0
JFrederick29Commented:
Good point :)

Be sure to verify the local IP configuration of the PC as well.
0
merowingerAuthor Commented:
I get these options:

Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.110.62
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 192.168.110.49
DHCP Server . . . . . . . . . . . : 192.168.110.49
...but nothing with DNS (but I think there is no DNS option on the Cisco PIX!!!)

mero
0
JFrederick29Commented:
Use the following to specify the DNS servers from your ISP:

dhcpd dns x.x.x.x
0
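The three fixes the answers converge on (the global pool, the gateway typo, and the missing dhcpd dns line) are all things that can be checked mechanically from the running-config before anything is plugged in. The script below is an added example, not code from the original thread or from Cisco; it parses only the commands argued about above and reports a default gateway that is not on the outside subnet, a global pool taken from the inside/private range, a DHCP pool that does not fit the inside subnet or omits DNS, a blanket permit icmp any any (PIX 6.3 accepts an icmp-type such as echo-reply, unreachable or time-exceeded at the end of an access-list line), and the default SNMP community left in place. The two config excerpts are the ones posted above; the third, "fixed", is constructed from the second plus the suggested DNS and ICMP lines, and the resolver 194.88.164.2 in it is an assumed address, not one from the thread.

```python
"""PIX 6.x NAT/route/DHCP sanity checker (added example, not from the thread)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(config):
    """Extract the fields the checks need from a PIX running-config text."""
    cfg = {"if": {}, "globals": [], "routes": [], "dhcp_pool": None,
           "dhcp_dns": [], "acl": [], "snmp": []}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 5 and t[:2] == ["ip", "address"]:   # ip address <if> <addr> <mask>
            cfg["if"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif len(t) >= 4 and t[0] == "global":          # global (<if>) <id> <pool|interface>
            cfg["globals"].append((t[1].strip("()"), t[3]))
        elif len(t) >= 5 and t[0] == "route":           # route <if> <net> <mask> <gw> [metric]
            cfg["routes"].append((t[1], ipaddress.ip_address(t[4])))
        elif len(t) >= 4 and t[:2] == ["dhcpd", "address"]:
            lo, hi = t[2].split("-")
            cfg["dhcp_pool"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi), t[3])
        elif t[:2] == ["dhcpd", "dns"]:
            cfg["dhcp_dns"] += t[2:]
        elif t[:1] == ["access-list"]:
            cfg["acl"].append(t)
        elif t[:2] == ["snmp-server", "community"]:
            cfg["snmp"] += t[2:]
    return cfg


def check(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg, out = parse(config), []
    inside = cfg["if"].get("inside")
    for ifname, gw in cfg["routes"]:                    # gateway must sit on the egress subnet
        iface = cfg["if"].get(ifname)
        if iface and gw not in iface.network:
            out.append(f"route: gateway {gw} is not on the {ifname} subnet {iface.network}")
    for ifname, pool in cfg["globals"]:                 # PAT on the interface address is fine
        if pool == "interface":
            continue
        first = ipaddress.ip_address(pool.split("-")[0])
        if inside and first in inside.network:
            out.append(f"global: pool {pool} lies in the inside subnet {inside.network}; "
                       f"use 'global ({ifname}) 1 interface' or addresses from the outside block")
        elif any(first in n for n in RFC1918):
            out.append(f"global: pool {pool} is private space and is not routable on the Internet")
    if cfg["dhcp_pool"]:
        lo, hi, ifname = cfg["dhcp_pool"]
        iface = cfg["if"].get(ifname)
        if iface and (lo not in iface.network or hi not in iface.network):
            out.append(f"dhcpd: pool {lo}-{hi} does not fit the {ifname} subnet {iface.network}")
        if iface and lo <= iface.ip <= hi:
            out.append(f"dhcpd: pool {lo}-{hi} contains the PIX's own address {iface.ip}")
        if not cfg["dhcp_dns"]:
            out.append("dhcpd: no 'dhcpd dns' line, so clients get a gateway but cannot resolve names")
    for t in cfg["acl"]:                                # 'permit icmp any any' with no icmp-type
        if t[2:6] == ["permit", "icmp", "any", "any"] and len(t) == 6:
            out.append(f"acl {t[1]}: 'permit icmp any any' admits every ICMP type; add an icmp-type "
                       "(echo-reply, unreachable, time-exceeded) to allow only the replies you need")
    if "public" in cfg["snmp"]:
        out.append("snmp: community 'public' is the well-known default; change or remove it")
    return out


# Relevant lines of the first and second configs posted in the thread.
FIRST = """ip address outside 194.88.154.13 255.255.255.240
ip address inside 192.168.110.51 255.255.255.240
global (outside) 1 192.168.110.53-192.168.110.59 netmask 255.255.255.240
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
snmp-server community public
dhcpd address 192.168.110.52-192.168.110.59 inside
"""
SECOND = """ip address outside 194.88.164.11 255.255.255.240
ip address inside 192.168.110.49 255.255.255.240
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 194.88.164.14 1
snmp-server community public
dhcpd address 192.168.110.51-192.168.110.62 inside
"""
# Constructed: SECOND plus the DNS and ICMP lines from the answers; 194.88.164.2 is an assumed resolver.
FIXED = SECOND + """dhcpd dns 194.88.164.2
access-list outside_in permit icmp any any
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("first", FIRST), ("second", SECOND), ("fixed", FIXED)):
        print(f"== {name} ==")
        for finding in check(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the first config it reports the off-subnet gateway, the inside-range global pool, the missing DNS option and the default SNMP community; against the second only the DNS and SNMP points remain, and the "fixed" variant is left with the SNMP community and the over-broad ICMP rule.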

merowingerAuthor Commented:
Hi,
It works.. I have inserted the DNS server entry from my ISP!!!

How can I split the points and give more than 500???

mero
0
grbladesCommented:
500 is the maximum number of points in total for a question. At the bottom of the page there is a 'split' link where you can choose who to split the points between and how many you wish to allocate to each answer.
0
merowingerAuthor Commented:
No, sorry, there isn't a split link.

mero
0
grbladesCommented:
There should be one just below this text.
0
raywkCommented:
If you need more than 500 addresses, I suggest you set up an internal DHCP server instead of using the PIX DHCP option.

It will be more flexible to manage than the PIX.

regards,
Ray
0
Question has a verified solution.