  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 210
Pix 501 config Getting to the outside

I have to install a Cisco Pix 501 and have never worked with the product before.  I have gone through the setup wizard and have tried to create access rules to allow the computers inside the network to access the internet, but have had no luck.  At the moment I have reset the Pix to the factory default settings and have gone through the startup wizard.  Here are my settings: Internet > Bridge Modem > Pix > Server.  The Pix is getting the outside interface 216.36.97.195 via PPPoE.  The inside interface is 192.168.1.1.  I need the clients inside the network to have access to the internet and be able to send and receive email.  I know I need ports 80, 25 and 110 open.  We host our own email on the server, which is 192.168.1.10.  Any help or pointers would be appreciated.
0
Asked by buckets3516
1 Solution
 
nodiscoCommented:
By default, all traffic is allowed out the outside interface as it is at a different security level than the inside.  Your PIX should be routing the traffic sent to it from internal workstations through the outside interface.  Can you post the PIX config?  If you are unsure how - logon to the PIX and type sh run

Copy and paste the output to a post here and we can put in the necessary Access-lists for the ports you need open for email and web hosting



0
 
buckets3516Author Commented:
I will be on-site in about an hour and I will send you the config.
0
 
JEEGOCommented:
buckets3516,

I encountered a similar situation some time back.

Assuming that the PPPoE information is correct, verify that the external and internal interfaces are not shut down.
You can do this in the CLI or through the PDM. Enable the disabled interfaces (internal & external), and you should be fine.
[Of course, save your config.]

G!
0
 
JEEGOCommented:
Also make sure that the default gateway on your clients is set to 192.168.1.1. If you have set up DHCP on the PIX 501, then verify that the DNS and gateway information reflects the DSL provider's information.

Thanks

G!
0
 
buckets3516Author Commented:
Here is my config. I still can't browse the internet from behind the firewall.  The IPs have changed since I am now at the client's site.  Thanks for the help.


Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixie
domain-name theneurosciencecenter.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 69.213.222.193 255.255.0.0 pppoe
ip address inside 192.168.16.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 69.213.223.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname angus1873@static.sbcglobal.net
vpdn group pppoe_group ppp authentication pap
vpdn username angus1873@static.sbcglobal.net password *********
dhcpd address 192.168.16.2-192.168.16.33 inside
dhcpd dns 206.141.193.55 206.141.192.60
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:920d6dcbf3032d97c830097d5cf111f0
: end
[OK]
0
 
nodiscoCommented:
If you change your outside address to :

ip address outside pppoe setroute

and remove the statement :

route outside 0.0.0.0 0.0.0.0 69.213.223.254 1


To verify connectivity - ping an external ip address like a public dns server e.g. 159.134.237.6.  You will need to add an access list to allow the icmp (ping) traffic back through :

access-list inbound permit icmp any any

access-group inbound in interface outside

Go to a dos prompt from a workstation and run ipconfig /all

You should be getting
ip address.............192.168.16.2-33
subnet mask..........255.255.255.0
default gateway.....192.168.16.1
dhcp server...........192.168.16.1
dns servers............206.141.193.55
                            206.141.192.60


Check the above and see how you go.
0
 
buckets3516Author Commented:
Last night I reloaded the PDM software and was able to get out on the internet.  I know this may sound dumb, but I have to figure out how to open ports 25, 110 and 80 to access our web server and email server, which are located on the same computer.  Any help would be appreciated.

Thanks

Mike
0
 
nodiscoCommented:
Use the following access lists:

access-list fromoutside permit tcp any host x.x.x.x eq smtp
access-list fromoutside permit tcp any host x.x.x.x eq www
access-list fromoutside permit tcp any host x.x.x.x eq 110

Where x.x.x.x is the public (internet) address of your server.

access-group fromoutside in interface outside            (This applies the access lists to your outside interface)

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255           (This creates a static translation for your server)

Where x.x.x.x is the public (internet) address of your server and y.y.y.y is the internal LAN ip address of the server.



If you need to browse the webserver by its www.domainname    you need to create an alias for it on the pix so that the PIX knows where to resolve its name :
alias (inside) x.x.x.x y.y.y.y 255.255.255.255                  

Where x.x.x.x and y.y.y.y are the same values as above

Post further comments.


0
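The two answers above describe the same handful of checks a practitioner runs against a PIX 6.3 config by eye: whether the PPPoE outside interface is paired with a hard-coded default route instead of `pppoe setroute`, whether an access-list is actually bound inbound on `outside`, whether each public host that list permits has a matching `static (inside,outside)` translation, and whether the ports the asker needs (25, 80, 110) are all covered. The script below is an added example written for this thread, not code from nodisco or from Cisco; it parses a constructed config excerpt in the same command syntax as the one posted (public address 203.0.113.10 and inside address 192.168.16.10 are placeholders, and the parser only understands the command forms that appear in this thread) and reports those findings, plus the well-known default SNMP community that the posted config also carries.

```python
# PIX 6.3-style config audit (added example, not the thread's or Cisco's code).
# Assumptions: the command forms parsed are only those seen in the thread
# (ip address, route, access-list, access-group, static, snmp-server).

# Constructed sample: same command syntax as the posted config, with the
# inbound rules from the answer applied to placeholder addresses.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 69.213.222.193 255.255.0.0 pppoe
ip address inside 192.168.16.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 69.213.223.254 1
access-list fromoutside permit tcp any host 203.0.113.10 eq smtp
access-list fromoutside permit tcp any host 203.0.113.10 eq www
access-list fromoutside permit tcp any host 203.0.113.10 eq 110
access-group fromoutside in interface outside
static (inside,outside) 203.0.113.10 192.168.16.10 netmask 255.255.255.255
snmp-server community public
"""

# Service keywords the PIX accepts in place of port numbers (subset).
PORT_NAMES = {"smtp": "25", "www": "80", "http": "80", "pop3": "110",
              "ftp": "21", "ssh": "22", "telnet": "23", "https": "443"}


def parse_config(text):
    """Index the command families the audit needs; ignore everything else."""
    cfg = {"ip_address": {}, "route": [], "acl": {}, "access_group": {},
           "static": [], "raw": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(":"):
            continue  # blank lines and ': Saved' / ': end' markers
        cfg["raw"].append(line)
        p = line.split()
        if p[:2] == ["ip", "address"] and len(p) >= 4:
            cfg["ip_address"][p[2]] = p[3:]          # iface -> remaining tokens
        elif p[0] == "route" and len(p) >= 5:
            cfg["route"].append(p[1:])               # iface, net, mask, gw, ...
        elif p[0] == "access-list" and len(p) >= 3:
            cfg["acl"].setdefault(p[1], []).append(p[2:])
        elif p[0] == "access-group" and len(p) >= 5:
            cfg["access_group"][p[4]] = p[1]         # iface -> ACL name
        elif p[0] == "static" and len(p) >= 4:
            cfg["static"].append(p[1:])              # (in,out), public, inside
    return cfg


def _take_addr(tok, i):
    """Consume one ACL address spec (any | host X | NET MASK)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2


def _take_port(tok, i):
    """Consume an optional 'eq PORT' operator; ports are returned as strings."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1], tok[i + 1]), i + 2
    return None, i


def inbound_services(cfg):
    """Map each destination permitted by the ACL bound inbound on 'outside'
    to the set of (proto, port) pairs reachable from the internet."""
    exposed = {}
    name = cfg["access_group"].get("outside")
    for e in cfg["acl"].get(name, []):
        if e[0] != "permit" or e[1] not in ("tcp", "udp"):
            continue
        i = 2
        _src, i = _take_addr(e, i)
        _sp, i = _take_port(e, i)                  # optional source port
        dst, i = _take_addr(e, i)
        port, i = _take_port(e, i)
        exposed.setdefault(dst, set()).add((e[1], port or "any"))
    return exposed


def check_default_route(cfg):
    """The routing symptom from the thread: PPPoE outside address plus a
    hard-coded default route instead of 'pppoe setroute'."""
    out = cfg["ip_address"].get("outside", [])
    pppoe, setroute = "pppoe" in out, "setroute" in out
    static_default = any(r[0] == "outside" and r[1] == r[2] == "0.0.0.0"
                         for r in cfg["route"])
    f = []
    if pppoe and static_default and not setroute:
        f.append("outside is PPPoE with a hard-coded default route; use "
                 "'ip address outside pppoe setroute' and remove the route")
    if not static_default and not setroute:
        f.append("no default route on outside")
    return f


def check_translations(cfg):
    """Every public host the inbound ACL permits needs a static translation,
    or the packets are dropped before the ACL is ever consulted."""
    statics = {s[1]: s[2] for s in cfg["static"]}
    f = []
    for host, svcs in inbound_services(cfg).items():
        if host == "any":
            f.append("inbound permit to any host (%d rule(s)); narrow to the "
                     "server's public address" % len(svcs))
        elif host not in statics:
            f.append("ACL permits %s but no static (inside,outside) maps it" % host)
    return f


def missing_services(cfg, server_public, required=("25", "80", "110")):
    """Ports the asker needs that are not yet permitted to the server."""
    allowed = {port for proto, port in inbound_services(cfg).get(server_public, set())
               if proto == "tcp"}
    return [p for p in required if p not in allowed]


def check_hygiene(cfg):
    """Default SNMP community string, also present in the posted config."""
    return ["SNMP community is the default 'public'; change it or disable SNMP"
            for l in cfg["raw"] if l.startswith("snmp-server community public")]


def audit(text, server_public):
    cfg = parse_config(text)
    return {"routing": check_default_route(cfg),
            "translation": check_translations(cfg),
            "missing_ports": missing_services(cfg, server_public),
            "hygiene": check_hygiene(cfg)}


if __name__ == "__main__":
    for section, findings in audit(SAMPLE_CONFIG, "203.0.113.10").items():
        print(section, findings or "ok")
```

Run against the sample, the audit reports the hard-coded default route and the `public` SNMP community, and confirms that all three required ports are permitted and that the permitted host has a translation; deleting the `static` line or one of the `access-list` lines from the sample makes the corresponding check fire.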
 
nodiscoCommented:
Fix - that last comment  "If you need to browse the webserver by its www.domainname"

should read -
"If you need to browse the webserver by its www.domainname from the internal network"

0
 
nodiscoCommented:
Is this resolved or are you still experiencing problems?

Please post further if this is still outstanding.

0
