Solved

Can't get outbound through PIX 520

Posted on 2005-05-16
333 Views
Last Modified: 2013-11-16
Hello, I can't get any traffic out through my PIX.  From the pix cli I can ping out to internet sites, I just can't get anything translated through.  The inside interface is working as well because I can pdm to it.   Below is my config.  Please help?  Thanks - Jim

:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password abcd encrypted
passwd abcd encrypted
hostname KIGHPix
domain-name KIGH.office
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 1.2.3.4 255.255.255.248
ip address inside 192.168.20.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm location 192.168.20.101 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.2.3.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.20.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba2bdbd7822091328e0333169b01702b
: end
KIGHPix(config)# sh ver

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

KIGHPix up 44 mins 3 secs

Hardware:   SE440BX2, 256 MB RAM, CPU Pentium II 350 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 00d0.b72c.5a5b, irq 11
1: ethernet1: address is 00b4.0080.d29c, irq 15
2: ethernet2: address is 00a0.c9e8.8cef, irq 10
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          12
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 18024909 (0x11309cd)
Running Activation Key: 0xb4faf800 0xe3dc95d5 0xc533e9ef 0x133da906
Configuration last modified by enable_15 at 16:34:16.300 UTC Mon May 16 2005
KIGHPix(config)#
Question by: JCDavis64

Assisted Solution by: lrmoore (earned 180 total points)
ID: 14015433
With what you have, you can't ping anything outside the pix, but you should be able to browse the Internet.
Make sure you have your default gateway set to the PIX inside 192.168.20.1, and your DNS nameserver set to either your local DNS server with root hints, or a public dns server. Unlike many soho firewall/routers, the PIX will not proxy dns and you cannot use its IP address as your nameserver.

If you want to ping something, then you need to create an access-list and apply it
 access-list icmp permit icmp any any
 access-group icmp in interface outside

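lrmoore's diagnosis rests on three things being present in the posted config: a nat/global pair whose NAT ids match, a default route, and, for ping specifically, an access-list applied on the outside interface. The checker below is an added illustration, not code from lrmoore, from the poster or from Cisco; it reads a PIX 6.3-style config and reports which of those pieces is missing. The sample config is a constructed excerpt of the one in the question, and the checker also flags the default SNMP community string that config carries. Regex shapes and finding texts are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the NAT-relevant lines from the config posted in the question.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 1.2.3.4 255.255.255.248
ip address inside 192.168.20.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.2.3.3 1
snmp-server community public
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (.+)$")
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) (\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+)")
SNMP_RE = re.compile(r"^snmp-server community (\S+)")
DEFAULT_COMMUNITIES = {"public", "private"}  # well-known defaults, not secrets


def check_outbound(config: str) -> List[str]:
    """Return findings explaining why outbound traffic (or ping) through a PIX 6.3
    would fail, plus weak management settings noticed along the way."""
    nats: List[Tuple[str, ...]] = []            # (iface, nat-id, net, mask)
    globals_: Dict[Tuple[str, str], str] = {}   # (iface, nat-id) -> pool
    routes: List[Tuple[str, ...]] = []          # (iface, net, mask, gw)
    access_groups: Dict[str, str] = {}          # iface -> acl name
    acls: Dict[str, List[Tuple[str, str]]] = {} # acl name -> [(action, proto)]
    communities: List[str] = []

    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append(m.groups())
        elif m := GLOBAL_RE.match(line):
            iface, nat_id, pool = m.groups()
            globals_[(iface, nat_id)] = pool
        elif m := ROUTE_RE.match(line):
            routes.append(m.groups())
        elif m := ACCESS_GROUP_RE.match(line):
            acl, iface = m.groups()
            access_groups[iface] = acl
        elif m := ACL_RE.match(line):
            name, action, proto = m.groups()
            acls.setdefault(name, []).append((action, proto))
        elif m := SNMP_RE.match(line):
            communities.append(m.group(1))

    findings: List[str] = []

    # 1. Each nat statement needs a global with the same NAT id; without the pair the PIX
    #    builds no translation at all, which is exactly what an empty "show xlate" looks like.
    if not nats:
        findings.append("no nat statement: inside hosts are never translated")
    for iface, nat_id, _net, _mask in nats:
        if not [key for key in globals_ if key[1] == nat_id]:
            findings.append(f"nat ({iface}) {nat_id} has no matching global with id {nat_id}")

    # 2. Without a default route the PIX has nowhere to forward translated packets.
    if not any(net == "0.0.0.0" and mask == "0.0.0.0" for _, net, mask, _ in routes):
        findings.append("no default route (route <iface> 0.0.0.0 0.0.0.0 <gw>)")

    # 3. PIX 6.3 does not track ICMP statefully by default, so echo replies arriving on the
    #    outside interface need an access-list permitting them, as the thread advises.
    outside_acl = access_groups.get("outside")
    permits_icmp = outside_acl is not None and any(
        action == "permit" and proto in ("icmp", "ip")
        for action, proto in acls.get(outside_acl, [])
    )
    if not permits_icmp:
        findings.append("no access-list permitting icmp applied to outside: ping through the PIX "
                        "will fail; TCP/UDP outbound is unaffected")

    # 4. A default SNMP community string lets anyone on a reachable interface read the device.
    for community in communities:
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"snmp-server community '{community}' is a default string; "
                            "change it or disable SNMP")

    return findings


if __name__ == "__main__":
    for finding in check_outbound(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the excerpt, the checker reports only the missing ICMP access-list and the default community string: the NAT path itself is complete, which matches the experts' conclusion that nothing was missing from the config.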

Author Comment by: JCDavis64
ID: 14015705
Thanks for the reply. I didn't try to ping through the pix. I checked all these things before I posted: I do have the dg as 192.168.20.1 and the dns is an external dns server. I tried telnetting to a known telnet IP and also to an external mail server on port 25. I also tried http://216.239.39.99 to get to google but still no luck. Immediately after I tried that I did a show xlate command and it returned 0.
I was hoping I was just missing something obvious. What do you think? Thanks - Jim
Accepted Solution by: magicomminc (earned 195 total points)
ID: 14016334
Your config is plain and simple. I had a similar case before; my fix was to reboot the PC and reload the PIX. I know this sounds silly.
Expert Comment by: lrmoore
ID: 14017358
There is nothing missing in the PIX config. The 520 is an old product and a reboot might just help. Be sure to save the config first...
Author Comment by: JCDavis64
ID: 14018512
I split the points between lrmoore and magicomminc. lrmoore had great advice. I had already done that but I didn't articulate it in my initial post. I had done a "reload" of the pix but no help. When I came in this morning, I powered down the pix, then restarted it, and it all worked as planned??? So I gave 65 points to magicomminc. Thank you both for your help!! - Jim